My server was breached by a fuckin Russian - GoFuckYourself.com

pradaboy · 01-24-2007, 02:17 PM

So I noticed one of my pages was down, turns out some dirtbag hacked my account somehow and inserted iframe redirects into some of my pages.

Checked the whois for the domain he was redirecting to:

Registrant Name: Boriskin Gleb
Registrant Organization: Boriskin Gleb
Registrant Address1: vesekaya 4-155
Registrant City: Novosibirsk
Registrant State/Province: Novosibirsk
Registrant Postal Code: 109880
Registrant Country: Russian Federation
Registrant Country Code: RU
Registrant Phone Number: +7.3098098911
Registrant Facsimile Number: +7.3098098911

Hope he freezes his bitch ass off.

fris · 01-24-2007, 02:18 PM

should limit the connections per ip, i block off everyone except my ip to ssh/ftp in.

pradaboy · 01-24-2007, 02:21 PM

Quote:

Originally Posted by Fris

should limit the connections per ip, i block off everyone except my ip to ssh/ftp in.

Excellent idea, thanks

Phoenix · 01-24-2007, 02:24 PM

Privet.all your domains are belonging to Us
Spassibo

thunder99 · 01-24-2007, 02:35 PM

Russians go crazy for Prada, change your nick to discountboy and they'll leave you alone.

bizarredollars · 01-24-2007, 02:53 PM

What kind of server is it (without giving too much away)... A lot of security packs are available that could save you a shit load of work.

pradaboy · 01-24-2007, 03:05 PM

Quote:

Originally Posted by bizarredollars

What kind of server is it (without giving too much away)... A lot of security packs are available that could save you a shit load of work.

what specs do you need?

Star 69 · 01-24-2007, 04:50 PM

Quote:

Originally Posted by Fris

should limit the connections per ip, i block off everyone except my ip to ssh/ftp in.

That's sounds smart

directfiesta · 01-24-2007, 04:56 PM

install their free firewall :

http://www.configserver.com/

you can then config all your accesses ...

It is pretty good, I myself got blocked by it for entering wrtong password ...

And also make sure to :

- delete all php install folders
- chmod your files to a security safe level, mainly the phpconfig files. :2 cents

thonglife · 01-24-2007, 05:29 PM

deny from .ru
deny from .cn

MicDoohan · 01-24-2007, 05:38 PM

Quote:

Originally Posted by thunder99

Russians go crazy for Prada, change your nick to discountboy and they'll leave you alone.

haha that made me laugh

_Rush_ · 01-24-2007, 05:52 PM

Quote:

Originally Posted by thonglife

deny from .ru
deny from .cn

Rather than a blacklist, I'd use a whitelist, especially for stuff like SSH and FTP.

Also, you can set your server to email you immediately when any user logs in via SSH or FTP, that way you're alerted instantly that something is going on.

Quote:

At command prompt type:
pico .bash_profile

Scroll down to the end of the file and add the following line:

echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" [email protected]

Save and exit.

Make sure to disable Telnet as well.

Also, turn off Apache ID by editing httpd.conf and change ServerSignature to OFF.

Thats pretty much the main stuff I do on a new box. There are several others too, but this should do unless you're specifically targeted.

thonglife · 01-24-2007, 06:02 PM

PHP Code:


			
At command prompt type:

pico .bash_profile



Scroll down to the end of the file and add the following line:



echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com



Save and exit.

That is good stuff man.. Thanks!!!

Scott McD · 01-24-2007, 06:13 PM

Damn Russians...

_Rush_ · 01-24-2007, 06:17 PM

Quote:

Originally Posted by thonglife

PHP Code:


			
At command prompt type:

pico .bash_profile



Scroll down to the end of the file and add the following line:



echo 'ALERT - Root Shell Access on:' `date` `who` | mail -s "Alert: Root Access from `who | awk '{print $6}'`" your@email.com



Save and exit.

That is good stuff man.. Thanks!!!

np...

Please note that that's only for root.

01-24-2007, 02:17 PM	#1
pradaboy sell me your banners Industry Role: Join Date: Dec 2003 Location: on the tubes Posts: 12,931	My server was breached by a fuckin Russian So I noticed one of my pages was down, turns out some dirtbag hacked my account somehow and inserted iframe redirects into some of my pages. Checked the whois for the domain he was redirecting to: Registrant Name: Boriskin Gleb Registrant Organization: Boriskin Gleb Registrant Address1: vesekaya 4-155 Registrant City: Novosibirsk Registrant State/Province: Novosibirsk Registrant Postal Code: 109880 Registrant Country: Russian Federation Registrant Country Code: RU Registrant Phone Number: +7.3098098911 Registrant Facsimile Number: +7.3098098911 Hope he freezes his bitch ass off. __________________ Media Buyer - Sell me your traffic! FREE to register domains... Better than 99% of the crap sold here!

01-24-2007, 02:18 PM	#2
fris Too lazy to set a custom title Industry Role: Join Date: Aug 2002 Posts: 55,359	should limit the connections per ip, i block off everyone except my ip to ssh/ftp in. __________________ Since 1999: 69 Adult Industry awards for Best Hosting Company and professional excellence. WP Stuff

01-24-2007, 02:24 PM	#4
Phoenix BACON BACON BACON Industry Role: Join Date: Nov 2002 Location: Poems everybody, the laddie fancies himself a poet Posts: 35,457	Privet.all your domains are belonging to Us Spassibo __________________ Skype Phoenixskype1 Telegram PhoenixBrad https://quantads.io

01-24-2007, 02:35 PM	#5
thunder99 Confirmed User Industry Role: Join Date: Nov 2003 Location: Budapest Posts: 503	Russians go crazy for Prada, change your nick to discountboy and they'll leave you alone. __________________ yeah, yeah

01-24-2007, 02:53 PM	#6
bizarredollars Confirmed User Join Date: Mar 2006 Location: bizarredollars.com Posts: 1,582	What kind of server is it (without giving too much away)... A lot of security packs are available that could save you a shit load of work. __________________ [email protected] icq: 205-252-550

01-24-2007, 04:56 PM	#9
directfiesta Too lazy to set a custom title Industry Role: Join Date: Oct 2002 Location: Punta Cana, DR Posts: 29,591	install their free firewall : http://www.configserver.com/ you can then config all your accesses ... It is pretty good, I myself got blocked by it for entering wrtong password ... And also make sure to : - delete all php install folders - chmod your files to a security safe level, mainly the phpconfig files. :2 cents __________________ I know that Asspimple is stoopid ... As he says, it is a FACT ! But I can't figure out how he can breathe or type , at the same time ....

01-24-2007, 05:29 PM	#10
thonglife So Fucking Banned Join Date: Oct 2004 Location: Midwest, US Posts: 1,566	deny from .ru deny from .cn

01-24-2007, 06:02 PM	#13
thonglife So Fucking Banned Join Date: Oct 2004 Location: Midwest, US Posts: 1,566	PHP Code: At command prompt type: pico .bash_profile Scroll down to the end of the file and add the following line: echo 'ALERT - Root Shell Access on:' `date` `who` \| mail -s "Alert: Root Access from `who \| awk '{print $6}'`" your@email.com Save and exit. That is good stuff man.. Thanks!!!

01-24-2007, 06:13 PM	#14
Scott McD Too lazy to set a custom title Join Date: Nov 2002 Location: Glasgow, Scotland Posts: 67,795	Damn Russians... __________________ I Buy My High Quality Traffic Here, You Should Too!