Haha, I got Hacked

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Haha, I got Hacked

Post by Ambush Commander »

Haha, I got Hacked. Fortunately, it was done by a friend of mine, so a month later they notified me about their exploits. The problem? A password written on a post-it note. :oops:

However, this does pose some very important problems. Because my manager is nowhere near tech savvy enough to remember these sorts of things, I was forced to write down the password myself onto the post-it, thinking that no one else would be tech-savvy enough to interpret what it meant.

This, as you can understandably see, causes some troubles. Any recommendations?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Use disappearing ink?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Doesn't seem very viable. Someone's bound to throw out a blank piece of paper.

Maybe I should force him to remember it? I even gave detailed instructions on how to log onto the server. >.>

Also, I'm not relishing the fact that now I have to check everything on the server to make sure he didn't add anything else that he didn't tell me about (he's not exactly a White Hat and has no qualms about penetration testing).
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

frontal lobotomy of manager. He won't miss much.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Well, I suppose he won't notice if I quietly phase out FTP and SSH access on his account. (I bet he doesn't even know what SSH is >.>)

> I'm guessing you don't check your access logs very often, because I uploaded that ftp file about a month ago *evil grin* =] when I noticed the password on his monitor.

What does he mean by access logs? Is there really some FTP transfer log I can access on the server?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

Seriously, the only way to maintain security with people like that is to force them to call you when they forget. The upside is that you can expire and regenerate new passwords whenever and they won't notice.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

> Seriously, the only way to maintain security with people like that is to force them to call you when they forget.

Sounds good. Still would like to know about ftp logs though...
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

grep -i ftp /var/log/messages
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Query's been running for a few minutes now... no results. I also tried `find` for FTP in the filename, but no such luck.
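Christopher's one-liner assumes the FTP daemon logs through syslog. Many daemons instead write a transfer log in xferlog(5) format (wu-ftpd, proftpd, and vsftpd with xferlog_std_format on), and on a shared host you may have access to neither, which is consistent with the empty grep above. The script below is an added example, not code from the thread: it parses xferlog-format lines and lists uploads, optionally only those from hosts you do not recognise. The log lines, hosts, paths and the "webmaster" account are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list uploads recorded in an
# xferlog(5)-format FTP transfer log.
#
# Field layout, whitespace separated:
#   1-5  day month date time year     6  transfer time (s)   7  remote host
#   8    bytes                        9  path               10  type (a/b)
#   11   special action              12  direction: i=upload o=download d=delete
#   13   access mode                 14  username           15  service
#   16   auth method                 17  auth uid           18  status (c/i)
# Caveat: a path containing spaces shifts the fields; most daemons replace
# spaces in the path with underscores for exactly that reason.

# Constructed sample log. Hosts (RFC 5737 ranges), paths and users are made up;
# the second line mimics the "ftp file" upload described in the thread.
SAMPLE_XFERLOG='Mon Mar  7 09:12:44 2005 1 192.0.2.10 5120 /home/site/public_html/index.php b _ o r webmaster ftp 0 * c
Tue Mar  8 23:41:02 2005 1 198.51.100.7 812 /home/site/public_html/images/ftp.php b _ i r webmaster ftp 0 * c
Tue Mar  8 23:42:15 2005 1 198.51.100.7 4096 /home/site/public_html/.htaccess b _ o r webmaster ftp 0 * c
Wed Mar  9 10:02:30 2005 2 192.0.2.10 20480 /home/site/public_html/news.html b _ i r webmaster ftp 0 * c'

# All uploads in log $1: timestamp, remote host, user, path (tab separated).
ftp_uploads() {
    awk '$12 == "i" { printf "%s %s %s %s %s\t%s\t%s\t%s\n", $1, $2, $3, $4, $5, $7, $14, $9 }' "$1"
}

# Number of uploads in log $1, printed as a bare integer.
ftp_upload_count() {
    awk '$12 == "i" { n++ } END { print n + 0 }' "$1"
}

# Uploads in log $1 from hosts outside the known list $2 (space separated).
# A stolen password is used from the thief's own machine, so the remote
# host, not the username, is what gives him away.
ftp_uploads_from_unknown_hosts() {
    awk -v known="$2" '
        BEGIN { n = split(known, a, " "); for (i = 1; i <= n; i++) k[a[i]] = 1 }
        $12 == "i" && !($7 in k) { printf "%s\t%s\t%s\n", $7, $14, $9 }' "$1"
}

# Stand-alone demonstration on the constructed log.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_XFERLOG" > "$tmp"
echo "uploads: $(ftp_upload_count "$tmp")"
ftp_uploads "$tmp"
echo "uploads from hosts other than the office (192.0.2.10):"
ftp_uploads_from_unknown_hosts "$tmp" "192.0.2.10"
rm -f "$tmp"
```

Run it against the real log (commonly /var/log/xferlog or /var/log/vsftpd.log) in place of the constructed file; the known-host list is whatever addresses the manager legitimately connects from. As timvw notes later in the thread, a careful intruder edits the log, so treat an empty result as "nothing recorded", not "nothing happened".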
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

If i hacked your server, i'd unset $HISTORY :p (and remove all the parts in the logfiles where i'm tracked...)

If your system has been penetrated, take it offline, find out which data has not been modified (otherwise you'll have to dig through backups to find the most recent version).. and reinstall.

I prefer to use private/public keys in order to logon remotely... This way i don't have to remember the credentials on the host.. (Well, i do have to remember the passphrase of my private key)... Just generate a random, long enough root password, print it out, put it in a letter, close the letter, and place it somewhere central... This way, you'll notice if the password is gone :p
tarnus
Forum Newbie
Posts: 6
Joined: Wed Jan 14, 2004 10:09 am

Post by tarnus »

If he's not using SSH, you might move SSH to a non-standard port where most people do not know to look for it. Also, if you're the only one accessing root on the server (it sounds like that's the way it should be), as Tim mentioned, set up a public/private key for SSH.

I've had hacker problems off and on over the past 10 plus years, they are like ants, ya get rid of em once, eventually they figure a way to get back in.

Best protection from being hacked is your power button ;)
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

> However, this does pose some very important problems. Because my manager is nowhere near tech savvy enough to remember these sorts of things, I was forced to write down the password myself onto the post-it, thinking that no one else would be tech-savvy enough to interpret what it meant.

Inform your manager he/she is a security risk. It's the truth after all.

I know complex passwords can be horrendously difficult to remember, but the only other solution is to reduce the password strength (pretty common in large organisations) so it's more easily recalled, or have a system for resetting it when forgotten, or both. Writing it down physically on paper is just a no-no.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

> If your system has been penetrated, take it offline, find out which data has not been modified (otherwise you'll have to dig through backups to find the most recent version).. and reinstall.

Root was not compromised since the site was on a shared server. Furthermore, I doubt that he figured out that SSH login was the same as the FTP login.

> I prefer to use private/public keys in order to logon remotely... This way i don't have to remember the credentials on the host..

I was slightly surprised that Dreamhost's SSH didn't have this by default: two other servers which at one time or another I had access to mandated PP logins. I'll investigate (or if anyone wants to throw me a bone. ;-) I don't have root access)

> Inform your manager he/she is a security risk. It's the truth after all.

I don't think that would be the most judicious course of action. Just quietly phase out the dangerous parts, and if he notices they're gone, then I'll explain.
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

All you should have to do is create the keys on the client machine and append the public key onto ~/.ssh/authorized_keys

Can't help you generate the key for a windows box, but on Linux it's


ssh-keygen -t [rsa|dsa]
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I got it working using Putty's `puttygen`. Slight snag due to incorrect permissions, but it's fine now.
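nickvd's recipe and the permission snag mentioned above, as an added example that is not code from the thread: a POSIX sh function that appends a public key line to ~/.ssh/authorized_keys idempotently and sets the modes sshd checks. With OpenSSH's default StrictModes yes, sshd silently ignores authorized_keys when the home directory, ~/.ssh or the file itself is writable by group or others, which is the usual snag after pasting a key in by hand. The key material in the demonstration is constructed, not a real key; the account name and paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): install a public key for key-based
# SSH login and set the modes OpenSSH's StrictModes requires. Everything
# lives under the account's own home, so it works without root on a
# shared host.

# Append key line $1 to $2/.ssh/authorized_keys unless it is already there.
# Returns 1 (installing nothing) if $1 does not look like an OpenSSH key line.
install_authorized_key() {
    key=$1
    home=$2
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"ssh-dss "*) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh"
    chmod go-w "$home"                      # home must not be group/world writable
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    # -x -F: whole-line, literal match, so rerunning never duplicates the key.
    if ! grep -qxF -- "$key" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    fi
}

# Print "ok" when $1/.ssh is mode 700 and authorized_keys is 600, else "bad".
check_ssh_perms() {
    home=$1
    if [ -n "$(find "$home/.ssh" -maxdepth 0 -perm 700)" ] &&
       [ -n "$(find "$home/.ssh/authorized_keys" -maxdepth 0 -perm 600)" ]; then
        echo ok
    else
        echo bad
    fi
}

# Stand-alone demonstration in a scratch directory standing in for the
# account's home. The key below is constructed, not real key material;
# take the real line from ~/.ssh/id_ed25519.pub (ssh-keygen) or from
# PuTTYgen's "Public key for pasting into OpenSSH authorized_keys file" box.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyMaterialNotReal00 manager@office'
install_authorized_key "$demo_key" "$demo_home"
install_authorized_key "$demo_key" "$demo_home"      # second run adds nothing
echo "lines in authorized_keys: $(wc -l < "$demo_home/.ssh/authorized_keys")"
echo "permissions: $(check_ssh_perms "$demo_home")"
rm -rf "$demo_home"
```

To confirm the key is actually being used, log in with `ssh -v` and look for the "Offering public key" line followed by acceptance. Note the limit on a shared host like the one in the thread: without root you cannot set PasswordAuthentication no in sshd_config, so the manager's password keeps working for SSH and FTP until it is changed, and the key only removes your own need to remember it.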