[SGVLUG] sgvlug.org site hacked

Emerson, Tom (*IC) Tom.Emerson at wbconsultant.com
Tue Nov 10 17:25:43 PST 2009


> -----Original Message----- Of Dan Kegel
>
> The reason a wipe-and-reinstall is in order is:
> you have no idea what the hackers did.  They might
> have installed a rootkit.  Better play it safe!

Understood, and as I said, I generally agree, but I know neither I nor Mike has the time or energy to do this "right this second" [and actually, it would have to be Mike anyway; I don't have root or physical access to his system to actually do that in the first place].

> Everybody who has ever logged in to other systems
> from that system should change all their passwords
> (though who knows, might be too late).

I believe this is an "end of the line" system - i.e., the people who use it (which, as far as I know, is only Mike and myself) only log into the system - we don't then "hop out" to other systems (well, I don't log into other systems from there - in fact, I haven't even "logged on" to the shell since we first set it up; I only use the CMS's admin page to maintain the website).

I don't know about Mike though, since it is his system.  "Everyone else" that uses this system does so by proxy - either via a browser or by virtue of the fact that they receive e-mail "pushed" from this system to their respective ISP or designated e-mail host.  Even at that, there are only two cases where a user would actually need to use a password: for the CMS's admin page [already noted] or if they actually "registered" with the site/CMS (though we've tried to set things up so this isn't necessary for everyday use of the site - there are some issues, related to the version we have in place, that "require" a validated login, but essentially nobody uses the features that "need" a login anyway).

> Outgoing ssh should be also disabled from the server
> after reinstall to protect people from keylogging rootkits.

I'll let Mike address that - as I said, though, I don't expect there is any "pass-thru" traffic going to other hosts, so this may be a non-issue.
