Since Andrea did the horses yesterday and let me sleep, I got up and did the horses today so that she could. It was hard, as it was raining nicely and it was a great morning to stay inside and sleep.
But chores are chores, and when I came back in I was not sleepy anymore. I was, however, curious about how much rain we had received, so I went to Pittsboro Weather. But I didn’t see the page I was expecting; instead, I saw something like this.
It seems that the server that hosts Pittsboro Weather and a number of other sites had been hacked.
I had, of course, heard of servers getting hacked before, but never really experienced it first hand. It’s a problem inherent in any “server”, as the only 100% safe machine is one that is off the network, and it can’t really “serve” then, can it?
This attack seemed to follow one I found on Google (while attempting to help Matt G. and Donnie fix it). Once the attacker had root access, they installed a “rootkit”, i.e. they replaced a number of system commands with special ones, including login (so that they could always get back in), ls (so you couldn’t see certain files that were added), etc. They had added the xntps Trojan, but because the ps command was still valid, we could see it and shut it down. Eventually, the whole system was shut down.
Even though we could figure out what had been changed, there was no telling if we would get all the changes, and as far as I know we still don’t know how they got in. I guess the system will be restored from backup, and then perhaps some tools can be run against it to look for vulnerabilities. Still makes for a crappy Sunday.
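The worry above, that there is no way to know whether every replaced command was found, is exactly what a file-integrity baseline answers. The following is an added example, not code from this post or from the hacked server: it hashes a set of files with SHA-256, stores the result as a baseline, and later reports which files were modified or deleted. The directory layout, file names and contents are constructed stand-ins for /bin and the logs directory; the baseline would in practice be kept off the host (or on read-only media) and the check run from a trusted environment, since once root is lost the hashing tool and the baseline on the box can be replaced just like login and ls were.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Map each relative file name under root to its known-good digest."""
    return {name: sha256_of(os.path.join(root, name)) for name in names}


def compare(root, baseline):
    """Return which baseline files now differ from, or are missing from, root."""
    modified, missing = [], []
    for name, expected in sorted(baseline.items()):
        path = os.path.join(root, name)
        if not os.path.exists(path):
            missing.append(name)
        elif sha256_of(path) != expected:
            modified.append(name)
    return {"modified": modified, "missing": missing}


def demo():
    """Constructed scenario: baseline a fake /bin, then mimic the changes
    described in the post (login and ls replaced, logs deleted, ps untouched)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "logs"))
        originals = {
            "login": b"#!/bin/sh\necho original login\n",   # constructed
            "ls": b"#!/bin/sh\necho original ls\n",         # constructed
            "ps": b"#!/bin/sh\necho original ps\n",         # constructed
            "logs/messages": b"Jan 1 00:00:00 host sshd: started\n",  # constructed
        }
        for name, body in originals.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)

        # Baseline taken while the system is still known to be clean.
        baseline = build_baseline(root, originals)

        # Simulated tampering (constructed): two commands swapped for
        # different content, one log file removed, ps left alone.
        for name in ("login", "ls"):
            with open(os.path.join(root, name), "wb") as f:
                f.write(b"#!/bin/sh\necho replaced " + name.encode() + b"\n")
        os.remove(os.path.join(root, "logs/messages"))

        return compare(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Running it reports login and ls as modified and logs/messages as missing, while ps is silent. Tripwire-style tools do the same job at scale, and the key design point is the one the post illustrates: the baseline and the checker only mean something when they are stored and run somewhere the attacker's root access does not reach.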
This looks like the work of a script kiddie since a truly malicious attacker would have kept a much lower profile. Instead, the rootkit was installed about 8:26 and the logs directory deleted about 9:12. I saw the weather site defaced around 9:45.
I looked up the registrar of DataH0use.org, and it’s registered to a David “D” Patterson in Omaha, Nebraska (the “D” could be Diablolax). It’s a fairly new registration, May of 2004, which is probably the hallmark of a script kiddie. I doubt the registration information will yield a valid address or phone number. Perhaps the FBI can figure it out.