
Server Update

Posted: Thu Apr 01, 2004 12:34 pm
by DROliver
Last night around 2:00am the server went down. It was not a hack attempt, just indirectly related to our recent attacks. I posted before that this could or will happen for the next week or so. Because we are live it is taking longer to get the new OS the way we like it. So please bear with us, as we are working to keep Storm2k up and running.

All security measures are in place and tested. We are as secure as we can be. Although our security measures did not fail us during the attacks, I did. Our security protocol is to have telnet shut down and monitoring software installed. I had a very basic monitor on the system and I had left telnet open after working on a software upgrade. I had no idea that we were being "sniffed".

Investigation Report:

We had 3 attacks. All 3 used the FTP port (sniffers) to get user names and passwords from domain owners on the server. 2 attacks used a brute force program to gain access to all passwords on the server, including all members of Storm2k. 1 attack vandalized files on NHCWX and Usweatherwatchers and changed permissions for root on all other accounts. All 3 attacks used Telnet to gain access to the server. On March 28th 2 IPs (intruders) tried to gain access to the file they left on the first attack. (This was a setup.) It confirmed the IPs and they have been traced. The offending IPs come from Lithuania and they have been blocked from the server and datacenter. The intruder who vandalized file systems is still being pursued and we could be close to an arrest in a few days. As for the Lithuania hackers, at this time all we can do is monitor and block them. (They have done this to hundreds of servers in many datacenters in the U.S.) They have never caused damage, but they steal passwords, and what they do with them is hard to tell.

Again, I am sorry for the outages. We should be 100% within the week.

Remember to change your passwords!!

Thank you,

Steve O.

Posted: Thu Apr 01, 2004 12:41 pm
by Stephanie
Thanks for the update Steve. I remember in your earlier post you had mentioned that these outages may occur as the server gets back to normal.

Posted: Thu Apr 01, 2004 12:51 pm
by cycloneye
WOW LITHUANIA. Thanks Steve for all the work that you are doing to keep Storm2k running against those wackos.

Posted: Thu Apr 01, 2004 12:56 pm
by DROliver
Also, if you have been experiencing times where you can access Hurricane Hollow or Usweatherwatchers and not Storm2k, please reply and leave the following info:

ISP
Connection (dial-up, DSL, cable or satellite)
Browser (IE, Netscape, other)
Times this occurs

Thanks,

Steve O.

Posted: Thu Apr 01, 2004 12:56 pm
by Lindaloo
So glad you are getting to the bottom of the attacks Steve!! Thanks so much for the update and all you do for S2K.

Posted: Thu Apr 01, 2004 6:08 pm
by therock1811
You warned us...thanks again for all you do!! :)

Posted: Thu Apr 01, 2004 7:30 pm
by HurricaneGirl
Holy Crap! :eek:

Posted: Thu Apr 01, 2004 9:08 pm
by mf_dolphin
Steve has done a tremendous job with the hacker response. Thanks to you Steve for all the hard work! :-)

Posted: Fri Apr 02, 2004 10:51 am
by Rainband
I echo the above comments. Thanks Steve :) We appreciate everything :wink:

Posted: Fri Apr 02, 2004 5:37 pm
by breeze
Thanks, Steve, for updating us! I changed my password, and, the post-it note on my desk reminds me, "Remember, dummy - you changed your S2K password"! :lol:

Posted: Fri Apr 02, 2004 7:22 pm
by coriolis
I'm glad this was resolved. And no, I don't want the U.N. running the internet, thank you very much.