Story of a website being hacked
Hosting a website at home is one thing, but hosting one on the live internet is a whole different ballgame. Yesterday, I decided to expose one of my Xen virtual machines at home to the internet just to see if it works. I wasn't expecting to be hacked in less than an hour though with just 2 ports open. It brought down my jboss server(did a security no-no by running as root- hey, I was running it on XP before! :-), no ssh access etc.
It helped that it was a Xen guest, I deleted the disk image and restored my backup. I just had to have more control if someone did attempt to break in again.
So, put the machine back live again with more security tools & help from Google. Eg. apache with mod_jk instead of jboss, host FW rules in addition to h/w firewall rules, snort with upto-date rules, did a portscan with nmap, chkrootkit, backed up the system profile with tripwire and checks running every hour with automatic emails to me. I thought this was a good start, comments welcome?
It was less than 12hrs before I spotted attacks again, Frontpage seems to be the favorite of hackers. There were continuous scans for fp30reg.dll. There were also attempts to utilize known vulnerabilities using extra long SEARCH requests etc. No more portscans though. Is that out of fashion now? Atleast,this time I was happy to watch than be a victim.
Hosting a website at home is one thing, but hosting one on the live internet is a whole different ballgame. Yesterday, I decided to expose one of my Xen virtual machines at home to the internet just to see if it works. I wasn't expecting to be hacked in less than an hour though with just 2 ports open. It brought down my jboss server(did a security no-no by running as root- hey, I was running it on XP before! :-), no ssh access etc.
It helped that it was a Xen guest, I deleted the disk image and restored my backup. I just had to have more control if someone did attempt to break in again.
So, put the machine back live again with more security tools & help from Google. Eg. apache with mod_jk instead of jboss, host FW rules in addition to h/w firewall rules, snort with upto-date rules, did a portscan with nmap, chkrootkit, backed up the system profile with tripwire and checks running every hour with automatic emails to me. I thought this was a good start, comments welcome?
It was less than 12hrs before I spotted attacks again, Frontpage seems to be the favorite of hackers. There were continuous scans for fp30reg.dll. There were also attempts to utilize known vulnerabilities using extra long SEARCH requests etc. No more portscans though. Is that out of fashion now? Atleast,this time I was happy to watch than be a victim.
Comments