
sebrown
Active Members, 14 posts

Posts posted by sebrown

  1. My suggestion, since the company you use is in the US, is that you should unplug the server right now and contact your local law enforcement. If you don't know what you're doing you could potentially lose all ability to pursue this in a court. You're dealing with your members' credit card and personal information. That means they could hold you personally responsible. This isn't a circumstance where you want to try out forensics.

    The CC #s were all 3DES encrypted blobs so that will help, but I'm looking to be a little more proactive as opposed to pulling the plug and giving up. My company will deal with any legal issues; my objective is to find out exactly what happened and how to prevent it in the future.

  2. Hello all,

    Most of you are much more skilled than I when it comes to forensics and security, so please do me a favor and help me out here so I can better understand the processes and procedures I should follow and implement.

    Short summary:

    I have a dedicated server running CentOS and hosting a website; there is also a custom member management software I've been using for 2 years now that handles a few thousand CC numbers and all account billing related issues.

    A few days ago, I enlisted the help of the authors of this Membership Management software (OSS5) to complete some custom modifications. The company is US based, but they use Russian programmers (yeah, I know what you're thinking), but I've never had a problem with them before this week.

    So, I create an FTP user account for the programmer to use, and give them the credentials as they requested. After a few days of not hearing back from them, I contact them to see what's going on and they say the credentials I provided are not valid. I plug them in myself, they work fine, so I decide to check my logs to see what's up. Come to find out, not only do the credentials I provided work, but they are being used by an IP address which is in UKRAINE: 78.30.193.208

    The log shows this IP uploaded a zip file, unpacked it, deleted it; they also looked at my sql.php files and config.php files and modified some other misc files. I contact them back, tell them about the logs I have and ask them what's going on. They continue to deny their involvement in what's going on, despite the IP address and the fact that I have only given that login to them.

    A day later, I go to log in to the Admin panel of this software, to find out all admin accounts have been deleted, and I have no access to the software. Fortunately, I had a browser open that still had a valid session cookie which allowed me to look at the CP for this software, and sure enough all admin accounts are gone. All except one account which I did not create and have no idea where it came from.

    I immediately change all my passwords (cPanel, FTP, SSH, etc.) and begin poring through the log files to see WTF is really going on. I find out that a PHP file had been compromised that contained my cPanel username and password, and this file has been duplicated, renamed and moved off of the server.

    My question is, where do I go from here? How would one go about gathering more information about the breach so I can restrict further access, or prevent this type of thing from happening again. Please help me to understand the basics of forensic analysis so I can better understand WTF is going on.

    Thank You in advance.

    Steve
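The kind of log triage Steve is asking about, as an added example (not code from the original thread or from the OSS5 project): a small script that parses the classic FTP transfer log (xferlog format as written by wu-ftpd and ProFTPD, one whitespace-separated record per transfer), lists every source address that is not on your expected list, and summarises what one suspect address did: uploads, downloads, deletions, and any touch of sensitive files such as config.php or sql.php. The log lines, IP addresses and usernames below are constructed for the example; the sensitive-file pattern is an assumption you would adjust for your own site.

```python
"""Triage an FTP xferlog for the activity of one suspect source address.

Added example, not from the original thread. Field layout of an xferlog
record (wu-ftpd / ProFTPD style, whitespace separated):
  DayName Mon DD HH:MM:SS YYYY  xfer-secs  remote-host  size  path
  type(a/b)  special(_/C/U/T)  direction(i=upload,o=download,d=delete)
  mode  user  service  auth  auth-id  status(c/i)
The daemon writes spaces inside filenames as underscores, so splitting
on whitespace is safe.
"""
from collections import defaultdict
import re

# Constructed sample log (documentation-range IPs, not real hosts).
SAMPLE_XFERLOG = """\
Mon Mar  2 09:14:11 2009 1 203.0.113.45 48211 /home/site/public_html/update.zip b _ i r devftp ftp 0 * c
Mon Mar  2 09:14:40 2009 0 203.0.113.45 48211 /home/site/public_html/update.zip b _ d r devftp ftp 0 * c
Mon Mar  2 09:15:02 2009 1 203.0.113.45 2310 /home/site/public_html/admin/config.php b _ o r devftp ftp 0 * c
Mon Mar  2 09:15:09 2009 1 203.0.113.45 5120 /home/site/public_html/admin/sql.php b _ o r devftp ftp 0 * c
Mon Mar  2 09:20:33 2009 1 203.0.113.45 2310 /home/site/public_html/admin/config.php b _ i r devftp ftp 0 * c
Tue Mar  3 18:02:50 2009 2 198.51.100.7 120044 /home/site/public_html/images/logo.png b _ i r siteowner ftp 0 * c
"""

# Assumed pattern for files that hold credentials or DB access code.
SENSITIVE = re.compile(r"(config|sql|settings|\.env|\.htpasswd)", re.IGNORECASE)
DIRECTION = {"i": "upload", "o": "download", "d": "delete"}


def parse_xferlog(text):
    """Return one dict per well-formed transfer record; skip short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 14:
            continue  # blank or truncated record
        records.append({
            "time": " ".join(parts[0:5]),          # full timestamp
            "host": parts[6],                       # remote address
            "size": int(parts[7]),
            "path": parts[8],
            "action": DIRECTION.get(parts[11], parts[11]),
            "user": parts[13],
            "complete": parts[-1] == "c",
        })
    return records


def unexpected_sources(records, allowed):
    """Addresses that appear in the log but are not in the expected set."""
    return sorted({r["host"] for r in records if r["host"] not in allowed})


def summarize_ip(records, ip):
    """Timeline-style summary of everything one address did."""
    mine = [r for r in records if r["host"] == ip]
    counts = defaultdict(int)
    sensitive = []
    for r in mine:
        counts[r["action"]] += 1
        if SENSITIVE.search(r["path"]):
            sensitive.append((r["time"], r["action"], r["path"]))
    return {
        "ip": ip,
        "events": len(mine),
        "counts": dict(counts),
        "users": sorted({r["user"] for r in mine}),
        "first_seen": mine[0]["time"] if mine else None,
        "last_seen": mine[-1]["time"] if mine else None,
        "sensitive": sensitive,
    }


if __name__ == "__main__":
    recs = parse_xferlog(SAMPLE_XFERLOG)
    # Addresses you expect (your own and the contractor's) go here.
    for ip in unexpected_sources(recs, allowed={"198.51.100.7"}):
        s = summarize_ip(recs, ip)
        print(f"{ip}: {s['events']} events as {s['users']} "
              f"between {s['first_seen']} and {s['last_seen']}: {s['counts']}")
        for when, action, path in s["sensitive"]:
            print(f"  sensitive: {when} {action} {path}")
```

Run it against the real xferlog (usually /var/log/xferlog on CentOS) by replacing SAMPLE_XFERLOG with the file contents; the upload-then-delete of the zip and the download-then-upload of config.php are exactly the pattern described in the post, and the sensitive-file list tells you which credentials to treat as exposed and rotate. Keep a copy of the original log before working on it so the record you hand to law enforcement is untouched.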

  3. Great Episode.

    Though minor, Shannon says "NHTCA", as opposed to NHTSA, I think twice in her PSA, no biggie. Love the wiretap seg, Eighty really knows his shit. I'll need to go over the segment again though, some things were a bit obscure for this n00b.

    The performance was great, I'm a real hip hop head so trust when I say he's got some MC skills.

    Lost and Found, I see what you did there lol

  4. Great episode, you got right down to business and cut the frills. The password generator was meh, but tcpdump is awesome, hopefully you'll do more of it. Matt's VMware segment was kind of mind boggling, but gave great insight as to its scalability.

    Also I like the concept of the new site, but the design is a bit blah IMO

  5. Excuse me for being a total n00b but, what purpose does the .com name play? Is there a way to use a free domain name to achieve the same goal? I'm having trouble understanding, were the subdomains made ahead of time ('ihaztunnel.room362.com') or is it arbitrary?

    :edit:

    Now that I think about it, I think I'm getting confused because mubix used a .com in the Hak5 segment, and a free DynDNS name on his website tutorial, both are just DNS servers lol oops

  6. Once again, Hak5 stepped it up a notch and delivered a great episode. I love how you focused on the 'HAK' this time and streamlined the transitions, it reminds me of sort of MTV-style editing (a good thing) and pacing.

    I was particularly interested in the RC tank segment, but curious as to the future implementation of RFID? I'd like to see maybe a mashup of RC Vehicle/FON Mobil sniffer or like a Bluetooth sniffer of some sort. :D

    Anyway, GREAT episode and keep up the good work!

  7. Wow.

    I just thought this episode was great. So much more professional and clean IMO, looks like you put a ton of work in.

    Hacking in the kitchen, with Kitchen (<--see what I did there, lol) was great. I love how you set up the shot with the counter top and bottles, the angles were great. I also like how you gave Snubs a real technical segment, and although she seemed a bit nervous, it was actually kinda cute but overall very informative.

    Every week the show gets better, keep it up!

    -Steve

  8. I like the new setup, it feels more open with a big desk as opposed to your old set with the glass table barely big enough for 2 laptops. The audio sync issue really detracts from the show about half way through and carries on for quite some time though.

    Also, this show was packed with goodies. In particular I enjoyed the treepie segment as I've had the same problems as Matt. In VMware, sometimes when you click-drag a file from the desktop into the VM (especially large files) they can become 'lost' and you have NO idea where they go, eating up tons of space you don't even know about.

    This show is evolving nicely. I think if you can go HD and work out the audio sync issues you might just have something there.

    -Steve

  9. I too agree with Vako. In order to actually hack things (other than script kiddie shit), you have to understand the networking world before. Play around with Windows Server, if you have the time/money look into CCNA/MCSA to get you started.

    Good point!

    Certifications are worth the time and money...

  10. I understand that PEN testing will do no good unless you know the ins and outs of sys like the back of your hand; my reasoning for wanting to learn the skills is like I said, I'm a web programmer and I already have a great career with that. If I'm able to incorporate the web design and sysadmin I feel I would be much more valuable to companies that do everything in house.

    When we talk about OSes, where do you guys suggest I begin to put my time into R&D on both sides of the aisle?

    Windows Server 2003 - 2008? Are they similar? Should I start with one, move up to the other, or stay with the current 2008?

    FreeBSD - Red Hat Linux - Ubuntu? - As I'm very noobish with Unix platforms, is it best to start with a GUI type hand-holder like Ubuntu to start learning the ins and outs, or do I focus on learning an OS from the command line?

    I know everyone has their own method of how they prefer to learn such things, I'm just interested in what y'all would do if you were in my shoes. Then I can get a feel for each and choose what's best, I just don't want to waste time on something like Ubuntu if it's really going to be useless unless I know the command line anyway.

    And of course I'm going to be Googling my brains out for the next week trying to piece together resources and so on, but anything you guys can recommend (books, tuts, podcasts, forums) would be greatly appreciated.

    Thanks again all!

  11. Hello all,

    Sorry if this might be in the wrong section, the "Questions" seemed to be more for technical based questions whereas this is more of a general how-to about becoming a 'sysadmin'.

    I've been around computers all my life and a web designer now for 5 years, mostly front end stuff with some PHP/JavaScript background. Recently, in the past year, I've started to become more interested in the networking technology and administration aspect of the web. Listening every day to countless podcasts like Security Now, PaulDotCom, and especially Hak5 really gets me in the mood to put down my shiny MacBook Pro, dust off my 3GHz P4 box and get down with some SHELL/UNIX commands or get root access on some foreign server, but then I'm quickly reminded I'm just a noob and I don't know any of this cool shit.

    I guess the question I'm trying to pose is: where do I start with all this? I'd love to have the ability to run a basic web server, maybe learn some shell or do some PEN testing, but it's all so overwhelming at this point I don't know where to start. Deep packet inspection, PEN testing, root scripting are all things I'm interested in, how can I get a better understanding of such things without dragging my ass back to college?

    Any and all advice would be greatly appreciated.
