OK... both you Michael and Xavier are freakishly paranoid and apparently have too much time on your hands today.
The hack that was used was a simple way to change the index.php file. The hackers did not actually break into the server and no security is compromised.
This is due to a simple postnuke security hole, and I am going to patch it as soon as I finish this email.
The site is already back to normal (just switched the php file with a backup).
I obviously have full access to the servers balug is hosted on, and I have no intention of adding anyone else. If you guys want full access to the servers then I would recommend the site and mailing list be moved and hosted elsewhere...
On Sat, September 3, 2005 11:43 am, Michael Paoli said:
I did also drop dreamhost a pair of notes. Since I don't have "customer" level access, it just went in on their general form, and they seem to only "promise"/imply they'll read it within 24 hours ... and I don't know if that would be even that "timely" and applicable over a 3 day holiday weekend.
Anyway, this is what I sent to their "Abuse Department" and "Public Relations":
Subject: cracked site - please pull
Can you please effectively pull (at least block port 80) until the person(s) legitimately responsible for the site can repair it.
It is quite apparently cracked: http://www.balug.org/
Thanks.
Quoting Michael Paoli:
Michael Hubbard michael@offroadgeek.com - can you do anything about this?
Thanks.
Quoting Michael Paoli:
Can you try contacting dreamhost, and have them at least temporarily (virtually) pull the plug on at balug.org. TCP port 80 (pointing out to them that it's apparently quite obviously cracked, if necessary), at least until it can get fixed. Have you also tried contacting Hubbard?
Better (temporarily) no page than a cracked one (and presumably site, etc.)
*So far* Google cache has the uncracked page ... but that could change at any time.
It *seems* the lists are okay, ... but never know for sure (or who might be watching their messages/content). Of course most of the info. that's sent there is public or semi-public anyway.
Quoting Xavier balug-talk@xav.to:
Michael Paoli wrote:
This doesn't look good: http://www.balug.org/ "H4ck3rsBr um passrinho que naum tinha cu foi caga e explodiu"
Who's got the access to get in and clean stuff up ASAP?
Also, time to change all the site passwords (at least all the content change access passwords), and to also ensure they only go across secure communications channels, etc.
Postnuke is once again nuked, only person I know with a reasonable level of access is Hubbard. At this point my admin pass on Postnuked is worth about the same as if I had scribbled "$1000" onto a sheet of toilet paper.
If the lists are down then this is a fine mess.