
sebrown

Active Members. Posts: 14. Profile views: 879. Achievements: Newbie (1/14)

  1. The CC #s were all 3DES-encrypted blobs so that will help, but I'm looking to be a little more proactive as opposed to pulling the plug and giving up. My company will deal with any legal issues; my objective is to find out exactly what happened and how to prevent it in the future.
  2. Hello all, Most of you are much more skilled than I when it comes to forensics and security, so please do me a favor and help me out here so I can better understand the processes and procedures I should follow and implement. Short summary: I have a dedicated server running CentOS and hosting a website; there is also a custom member management software I've been using for 2 years now that handles a few thousand CC numbers and all account billing related issues. A few days ago, I enlisted the help of the authors of this Membership Management software (OSS5) to complete some custom modifications. The company is US based, but they use Russian programmers (yeah, I know what you're thinking), but I've never had a problem with them before this week. So, I create an FTP user account for the programmer to use, and give them the credentials as they requested. After a few days of not hearing back from them, I contact them to see what's going on and they say the credentials I provided are not valid. I plug them in myself, they work fine, so I decide to check my logs to see what's up. Come to find out, not only do the credentials I provided work, but they are being used by an IP address which is in UKRAINE: 78.30.193.208. The log shows this IP uploaded a zip file, unpacked it, deleted it; they also looked at my sql.php files and config.php files and modified some other misc files. I contact them back, tell them about the logs I have and ask them what's going on. They continue to deny their involvement in what's going on, despite the IP address and the fact that I have only given that login to them. A day later, I go to log in to the Admin panel of this software, to find out all admin accounts have been deleted, and I have no access to the software. Fortunately, I had a browser open that still had a valid session cookie which allowed me to look at the CP for this software, and sure enough all admin accounts are gone.
     All except one account which I did not create and have no idea where it came from. I immediately change all my passwords (cPanel, FTP, SSH, etc.) and begin poring through the log files to see WTF is really going on. I find out that a PHP file had been compromised that contained my cPanel username and password, and this file has been duplicated, renamed and moved off of the server. My question is, where do I go from here? How would one go about gathering more information about the breach so I can restrict further access, or prevent this type of thing from happening again? Please help me to understand the basics of forensic analysis so I can better understand WTF is going on. Thank you in advance. Steve
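     A first step toward the log-driven triage the post above asks for, as an added example (not code from the original post or from the OSS5 vendor): parse the FTP daemon's transfer log, group activity by client IP, mark any client that is not on the investigator's list of expected IPs, and list what that client uploaded, deleted and read. It assumes the server writes the standard xferlog format (wu-ftpd, proftpd and pure-ftpd all do; on a cPanel CentOS host it is usually /var/log/xferlog or /usr/local/apps/pure-ftpd/var/log/xferlog). The sample log lines, the paths, the usernames and the "expected" address 203.0.113.7 are constructed for the example; the Ukrainian IP is the one named in the post.

```python
"""Triage an FTP transfer log (xferlog format) after suspected credential misuse.

Added example, not code from the original post.  Assumes the standard xferlog
record layout (xferlog(5)) and an investigator-supplied set of expected client IPs.
SAMPLE_XFERLOG is constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime

# One record per line:
#   current-time transfer-time remote-host file-size filename transfer-type
#   special-action-flag direction access-mode username service-name
#   authentication-method authenticated-user-id completion-status
# direction: i = incoming (upload), o = outgoing (download), d = delete (proftpd)
XFERLOG_RE = re.compile(
    r"^(?P<time>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<secs>\d+) (?P<host>\S+) (?P<size>\d+) (?P<path>\S+) "
    r"(?P<ttype>[ab]) (?P<special>\S) (?P<direction>[oid]) (?P<mode>[agr]) "
    r"(?P<user>\S+) (?P<service>\S+) (?P<auth>\d) (?P<authuser>\S+) "
    r"(?P<status>[ci])\s*$"
)
ACTION = {"i": "upload", "o": "download", "d": "delete"}

# Basename hints for files whose download by an unexpected client matters: the
# post mentions config.php and sql.php, which typically hold DB/panel credentials.
SENSITIVE_HINTS = ("config", "sql", "passw", ".htpasswd", "settings")

# Constructed sample log (IP 78.30.193.208 is the address named in the post).
SAMPLE_XFERLOG = """\
Tue Feb  8 09:12:04 2011 1 203.0.113.7 4120 /home/site/public_html/index.php b _ i r siteadmin ftp 1 * c
Wed Feb  9 22:41:17 2011 3 78.30.193.208 182330 /home/site/public_html/tmp/upd.zip b _ i r devuser ftp 1 * c
Wed Feb  9 22:43:02 2011 1 78.30.193.208 2201 /home/site/public_html/includes/config.php b _ o r devuser ftp 1 * c
Wed Feb  9 22:43:09 2011 1 78.30.193.208 9812 /home/site/public_html/admin/sql.php b _ o r devuser ftp 1 * c
Wed Feb  9 22:47:30 2011 0 78.30.193.208 0 /home/site/public_html/tmp/upd.zip b _ d r devuser ftp 1 * c
Wed Feb  9 22:48:11 2011 1 78.30.193.208 5510 /home/site/public_html/includes/functions.php b _ i r devuser ftp 1 * c
Thu Feb 10 08:03:55 2011 1 203.0.113.7 1199 /home/site/public_html/includes/config.php b _ o r siteadmin ftp 1 * c
"""


def parse_xferlog(text):
    """Parse xferlog text into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = XFERLOG_RE.match(line)
        if not m:
            continue  # truncated/foreign line; in real triage, count and review these too
        d = m.groupdict()
        stamp = re.sub(r" +", " ", d["time"])  # day-of-month may be space padded
        events.append({
            "time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
            "ip": d["host"],
            "user": d["user"],
            "action": ACTION[d["direction"]],
            "path": d["path"],
            "size": int(d["size"]),
            "complete": d["status"] == "c",
        })
    return events


def is_sensitive(path):
    name = path.rsplit("/", 1)[-1].lower()
    return any(h in name for h in SENSITIVE_HINTS)


def triage(events, expected_ips):
    """Summarise per client IP; anything not in expected_ips is marked suspect.

    A suspect client's uploads are the files to pull for analysis; its downloads
    of sensitive files tell you which secrets to treat as exposed and rotate.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    report = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        done = [e for e in evs if e["complete"]]
        report[ip] = {
            "suspect": ip not in expected_ips,
            "users": sorted({e["user"] for e in evs}),
            "first_seen": evs[0]["time"],
            "last_seen": evs[-1]["time"],
            "uploads": [e["path"] for e in done if e["action"] == "upload"],
            "deletes": [e["path"] for e in done if e["action"] == "delete"],
            "sensitive_reads": [e["path"] for e in done
                                if e["action"] == "download" and is_sensitive(e["path"])],
        }
    return report


def files_to_examine(report):
    """Paths written by suspect clients and not deleted over FTP afterwards."""
    paths = []
    for s in report.values():
        if s["suspect"]:
            deleted = set(s["deletes"])
            paths.extend(p for p in s["uploads"] if p not in deleted)
    return sorted(set(paths))


if __name__ == "__main__":
    rep = triage(parse_xferlog(SAMPLE_XFERLOG), expected_ips={"203.0.113.7"})
    for ip, s in sorted(rep.items(), key=lambda kv: kv[1]["first_seen"]):
        tag = "SUSPECT" if s["suspect"] else "expected"
        print(f"{ip} [{tag}] users={s['users']} {s['first_seen']} .. {s['last_seen']}")
        for key in ("uploads", "deletes", "sensitive_reads"):
            for p in s[key]:
                print(f"    {key:16s} {p}")
    print("pull for analysis:", files_to_examine(rep))
```

     The window between the suspect client's first and last timestamps is what to take to the other logs: the zip was unpacked by something other than FTP, so the web server access log around that time should show the request that did it (and any later requests to the files the client uploaded), and a `find public_html -newermt` over the same window lists what changed on disk, with the caveat that a modification time is trivially set by whoever wrote the file. Because the post says the cPanel credentials were also read, copy the logs off the host before relying on them, since anyone holding those credentials can clear them.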
  3. I like how it's not anything technical, just send the guy a postcard lol
  4. That reminds me of an Apple commercial for some reason, it's so smooth and 'edgy'. Great tag line: "Linux....Switch to...uh...whatever the hell you want"
  5. Good point! Certifications are worth the time and money...
  6. I understand that PEN testing will do no good unless you know the ins and outs of sys like the back of your hand; my reasoning for wanting to learn the skills is, like I said, I'm a web programmer and I already have a great career with that. If I'm able to incorporate the web design and sysadmin I feel I would be much more valuable to companies that do everything in house. When we talk about OS's, where do you guys suggest I begin to put my time into R&D on both sides of the aisle? Windows Server 2003 - 2008? Are they similar? Should I start with one, move up to the other, or stay with the current 2008? FreeBSD - Linux Redhat - Ubuntu? - As I'm very noobish with unix platforms, is it best to start with a GUI type hand holder like Ubuntu to start learning the ins and outs, or do I focus on learning an OS from the command line? I know everyone has their own method of how they prefer to learn such things; I'm just interested in what y'all would do if you were in my shoes. Then I can get a feel for each and choose what's best. I just don't want to waste time on something like Ubuntu if really it's going to be useless unless I know the command line anyway. And of course I'm going to be Googling my brains out for the next week trying to piece together resources and so on, but anything you guys can recommend (books, tuts, podcasts, forums) would be greatly appreciated. Thanks again all!
  7. Hello all, Sorry if this might be in the wrong section; the "Questions" section seemed to be more for technical based questions whereas this is more of a general how-to about becoming a 'sysadmin'. I've been around computers all my life and a web designer now for 5 years, mostly front end stuff with some php/javascript background. Recently, in the past year, I've started to become more interested in the networking technology and administration aspect of the web. Listening every day to countless podcasts like Security Now, PaulDOTcom, and especially Hak5 really gets me in the mood to put down my shiny Mac Book Pro, dust off my 3ghz P4 box and get down with some SHELL/UNIX commands or get root access on some foreign server, but then I'm quickly reminded I'm just a noob and I don't know any of this cool shit. I guess the question I'm trying to pose is: where do I start with all this? I'd love to have the ability to run a basic web server, maybe learn some shell or do some PEN testing, but it's all so overwhelming at this point I don't know where to start. Deep packet inspection, PEN testing, root scripting are all things I'm interested in; how can I get a better understanding of such things without dragging my ass back to college? Any and all advice would be greatly appreciated.