My Dream

Neal

Yes, this is on topic. (And crossposted to both alt.html and
alt.www.webmaster for a greater field of response.)

I had a dream last night that I was working on a webpage when all of a
sudden I was noticing things in the source I hadn't added. Someone had
access somehow. As I corrected things, I found new things suddenly changed
- someone was in there at that moment!

I thought, what to do now? I started going to my host's page to login and
change my password, but was thinking if the hacker was logged in, maybe it
wouldn't immediately boot them. Well, that's when I woke up, and
thankfully it was all a dream. But it made me think - I really don't know
for sure all I'd need to do in such a situation.

Now, how would you handle this scenario in real life? What's the best
approach to follow?

What will my host need from me to track down these hackers? And would
changing the password to something random effectively stop an active
hacker?
 
SpaceGirl

Neal said:
Yes, this is on topic. (And crossposted to both alt.html and
alt.www.webmaster for a greater field of response.)

I had a dream last night that I was working on a webpage when all of a
sudden I was noticing things in the source I hadn't added. Someone had
access somehow. As I corrected things, I found new things suddenly
changed - someone was in there at that moment!

I thought, what to do now? I started going to my host's page to login
and change my password, but was thinking if the hacker was logged in,
maybe it wouldn't immediately boot them. Well, that's when I woke up,
and thankfully it was all a dream. But it made me think - I really don't
know for sure all I'd need to do in such a situation.

Now, how would you handle this scenario in real life? What's the best
approach to follow?

What will my host need from me to track down these hackers? And would
changing the password to something random effectively stop an active
hacker?

I'd unplug my machine immediately from our network, scoot over to my
linux laptop, telnet to my server and change the passwords.

--


x theSpaceGirl (miranda)

# lead designer @ http://www.dhnewmedia.com #
# remove NO SPAM to email, or use form on website #
 
Neal

SpaceGirl:
(regarding handling a hacker)
I'd unplug my machine immediately from our network

Right, if one had access to the machine that would be the first thing to
do. But for those who use a host, that might not be possible in a timely
fashion. You'd have to wait till someone was on hand and available to do
that...
 
SpaceGirl

Neal said:
SpaceGirl:

Right, if one had access to the machine that would be the first thing to
do. But for those who use a host, that might not be possible in a timely
fashion. You'd have to wait till someone was on hand and available to do
that...

So if my HOST was compromised? Not sure what I'd do then. Call my lawyer? :)

I can access my sites from anywhere (for admin), so if my own network
was totally compromised, I'd stop off at EasyEverything (a cybercafe for
those who don't know) and remote from there, change the passwords again.

I also have a shut-down "switch" on a couple of my sites. I can sign
into the site from any Internet connection and disable the site just by
passing a switch to a page... but of course if someone has access to the
files they could easily get around that.

But to be honest... I just try be vigilant, protect myself and my
clients in any way I can, and really hope nothing bad happens!


--


x theSpaceGirl (miranda)

# lead designer @ http://www.dhnewmedia.com #
# remove NO SPAM to email, or use form on website #
 
http://www.probertencyclopaedia.com

Once upon a time, far far away, the king summoned Neal
Now, how would you handle this scenario in real life? What's the best
approach to follow?

How likely is it that anyone is going to care enough to hack one of
the millions of micro-web sites?

The hackers I have known all went for more exciting fish, newspapers
would be a good target, or a news service like the BBC, can you
imagine the hoot if a fake (hacked) news story appeared in the Wall
Street Journal online edition? or The Times ???

Matt
 
DoobieDo

Yes, this is on topic. (And crossposted to both alt.html and
alt.www.webmaster for a greater field of response.)

I had a dream last night that I was working on a webpage

you've been eating too much cheese before bedtime again ;p
 
SpaceGirl

http://www.probertencyclopaedia.com said:
How likely is it that anyone is going to care enough to hack one of
the millions of micro-web sites?

The hackers I have known all went for more exciting fish, newspapers
would be a good target, or a news service like the BBC, can you
imagine the hoot if a fake (hacked) news story appeared in the Wall
Street Journal online edition? or The Times ???

Matt


or how about the ticker tapes on 24 hour news? They're all flash movies
run from customer software... it's all served from SOMEWHERE...

--


x theSpaceGirl (miranda)

# lead designer @ http://www.dhnewmedia.com #
# remove NO SPAM to email, or use form on website #
 
Karl Core

Neal said:
Yes, this is on topic. (And crossposted to both alt.html and
alt.www.webmaster for a greater field of response.)

I had a dream last night that I was working on a webpage when all of a
sudden I was noticing things in the source I hadn't added. Someone had
access somehow. As I corrected things, I found new things suddenly
changed - someone was in there at that moment!

I thought, what to do now? I started going to my host's page to login and
change my password, but was thinking if the hacker was logged in, maybe it
wouldn't immediately boot them. Well, that's when I woke up, and
thankfully it was all a dream. But it made me think - I really don't know
for sure all I'd need to do in such a situation.

Now, how would you handle this scenario in real life? What's the best
approach to follow?

What will my host need from me to track down these hackers? And would
changing the password to something random effectively stop an active
hacker?

For my personal site, I'd leave it alone and wait until t3h haX0r got bored
and moved on to more interesting exploits.
For my work stuff, I'd scream like a little girl, call my company's
uber-g33k, Mike, and have him squash t3h pUnk like a bug.
 
GreyWyvern

[snip]

And just *where* have *you* been, mister!?! Do you have any idea what
time it is??????

Grey
 
Augustus

Neal said:
Now, how would you handle this scenario in real life? What's the best
approach to follow?

What will my host need from me to track down these hackers? And would
changing the password to something random effectively stop an active
hacker?

Changing the password: this will most likely have no effect, since usually
the password is just checked for once, when a person logs in... and not
repeatedly checked while they are logged in.

As far as how to handle it: this will depend on a lot of specifics to the
person in question... what software they have available to handle a hacker,
are they physically near the server, how the person is hacking the site,
etc.

Overall I wouldn't worry too much about it...
- Unless your site is really big/popular/well known then it's not a high risk
target for hackers (that doesn't mean it would never be hacked, but just
that there probably isn't some kid in Taiwan at this moment trying to break
through your security so he can put "Hi Mom" on your site).
- If somebody hacked your site it's likely that they aren't going to go in
there and change a bunch of text on different pages... they would just
upload a new page or an image to your site and then move on.
- If your site was hacked as above (the home page changed or something) then
it's easier to just restore it from a backup, take a look at what security
you have in place and how you might improve it, and then just move on.
- If you don't have a backup of your site, or make periodic archives of your
site/data then you should... because, if your site is hacked and you don't
have a backup then the one that is really at fault here is you.
 
Jeffrey Silverman

I had a dream last night that I was working on a webpage when all of a
sudden I was noticing things in the source I hadn't added. Someone had
access somehow. As I corrected things, I found new things suddenly changed
- someone was in there at that moment!

I had a dream that I was stuck in some sort of weird prison and it was
winter and cold and icy and I had been there a long time, like a
count-of-monte-cristo-long time, and I was trying to break out but there
was this ocean and waves and other people hindering me and this long
bridge or catwalk thing I had to crawl over and at that point the cat and
the pirate tried to knock me off the bridge thing but they got swept away
by the tidal wave and somehow there was this crazy blender thing that was
pureeing people if you fell into it and some other stuff that, believe it
or not, was actually kinda strange.

But I'm not too sure you really have anything to worry about as far as
hacking is concerned. It was only a dream, after all.

could you sue your ISP if their negligence created a problem? I dunno...
<http://www.google.com/search?q=sue+...ient=firefox-a&rls=org.mozilla:en-US:official>

Could you sue the hacker, presuming they are caught?
etc...

This is still a big fat gray area as far as law is concerned. Best bet,
of course, is to keep local backups of everything you do on a remotely
hosted server of any kind. You *do* back everything up yourself, don't
you??
 
Art Sackett

[F'ups trimmed because I don't read a.w.w. and my newsreader will
puke on it...]

In alt.html Neal said:
Now, how would you handle this scenario in real life? What's the best
approach to follow?

I've actually seen a similar thing.

A client of mine bought a server for co-lo, so we moved their sites to
it from a web hosting provider who was once popular with the esteemed
folks of this very newsgroup but who shall remain nameless. The former
web host started out by port scanning the new box, but didn't find
anything too exciting or exploitable, and went away. I had hoped that
the port scan would be the end of it.

Some weeks or months later one of my applications on the new server
emailed me several times in a short time, which I took to indicate that
the client was having trouble with something he was doing, so I logged
in on the server and initiated a 'talk' session with him to see if he
needed some help. He was pretty sure that he had it under control, knew
what was wrong with the data he was trying to feed to the app, so I
just hung around for a bit. He came up with a "what if I wanted to do
this?" kind of question, to which I replied he'd have to have root
access to accomplish it. Next thing we know, on both of our terminals,
is the question:

What is the root password?

I KNEW that there was no way this particular guy was going to ask for
it. He's rightfully afraid of being root, because he doesn't have a
clue about administering a Linux machine. So, while I typed out, "You
know I'm not going to give that to you" I picked up the phone and
dialed the guy's home number. His first words were, "I didn't type
that!"

So, while we continued chatting via talk, I did all of the appropriate
checks on the server while I talked him through the installation of
Zone Alarm on the laptop he was using. We quickly discovered that his
laptop had been compromised, and the unauthorized remote host belonged
to that former web hosting provider.

I have no use at all for that former web hosting provider, but I
believe they're smart enough to prevent their own machines from being
cracked. At that time, all of their machines were located on their
premises, so physical access was restricted. I drew the simplest
conclusion... it could be the wrong conclusion, but there have been
other incidents involving other of my clients and different servers
that tend to support it.

Neal said:
What will my host need from me to track down these hackers?

Hopefully, just the time at which you observed evidence of a
compromise. Most compromises are initiated by script kiddies who don't
know quite enough about their targets to effectively cover their
tracks, so there will be evidence of their activity left behind.

A truly skillful cracker will leave no evidence whatsoever, and will
have bounced through so many remote hosts that rooting him out would be
nearly impossible. In a case like that, the system administrator has to
just pull the ethernet cable and start doing forensics to discover the
hole that let the cracker in.

In the end, tracking them down is almost always a pointless exercise,
anyway.

Neal said:
And would
changing the password to something random effectively stop an active
hacker?

It depends upon how the cracker got in, and if he's logged in at the
time. Just changing your password doesn't generally terminate any
active sessions, so if he's logged in at the time when you change your
password, he'll remain logged in. If your system administrator is
involved, he can kill all of the processes running under your user name
to boot the cracker, but that doesn't mean he won't be back.

If your web hosting provider offers you FTP, POP3, a web-based control
panel via HTTP (rather than SSL), or any other service that
authenticates in the clear, then anyone who can sniff the interface can
get into that service. If all of them happen to authenticate against
the same database, or your authentication credentials are the same for
all of them via some other mechanism, anyone who can sniff the
interface can get into all of them. So changing your password will just
make them wait until you use one of those services.

And, finally, if it's your machine that's compromised, nothing your
hosting provider can do will help you. Personally, when I see evidence
that a user's machine is compromised, I firewall it out until it's
fixed, and keep an eye on it for a while after letting it back in.
 
Toby Inkster

Neal said:
And would changing the password to something random effectively stop an
active hacker?

Once the hacker has been on your system and installed whatever backdoors
he likes, what makes you think he *cares* what your password is?
 
Mark Parnell

Previously in alt.html said:
I had a dream last night that I was working on a webpage when all of a
sudden I was noticing things in the source I hadn't added.
Now, how would you handle this scenario in real life? What's the best
approach to follow?

Slow down on the martinis.
 
Average_Joe

thankfully it was all a dream. But it made me think - I really don't know
for sure all I'd need to do in such a situation.

Now, how would you handle this scenario in real life? What's the best
approach to follow?

What will my host need from me to track down these hackers? And would
changing the password to something random effectively stop an active
hacker?

No, it would not stop an active hacker. Changing a password won't 'take'
until Mrs hacker logs in again.

Matter of fact, a hacker might have changed the password right away to
prevent you from doing just that.

If you've got physical access, you're in luck, just pull the network
cable.

If I had shell access (Hosted machine) I'd change the password and then
quickly kill the attackers login process ID.

A lot of folks don't realize this, but plain FTP sends the password
plain-text, as does POP. Kill off those services if you're using
them and replace them with something based on SSL.

Jamie
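Both Art Sackett's and Jamie's replies above make the same practical point: a password change only affects the next login, so an intruder who already holds a shell or SFTP session keeps it until the processes running under that account are killed. The script below is an added example written for this thread, not something any poster supplied. It assumes a Linux or BSD host where `ps -eo pid,user,tty,comm`, `passwd`, `chage` and `kill` are available; the account name `webdev` and the `ps` listing it parses are constructed sample data so the PID-selection logic can be checked offline, and `contain_account` defaults to a dry run that only reports what it would do.

```shell
#!/bin/sh
# Added example, not code from the thread: after rotating a compromised
# account's password, find and end that account's live sessions, because a
# password change alone does not touch sessions that are already logged in.

# Constructed sample of `ps -eo pid,user,tty,comm` output so the parsing can
# be exercised offline; the account "webdev" and the PIDs are made up.
SAMPLE_PS='  PID USER     TT       COMMAND
    1 root     ?        init
 2140 root     ?        sshd
 2201 webdev   pts/0    bash
 2205 webdev   pts/0    vi
 2310 alice    pts/1    bash
 2400 webdev   ?        sftp-server'

# Read ps output on stdin and print the PIDs owned by user $1.
# The header line is skipped; awk splits on whitespace, so $1 is the PID
# and $2 the owning user regardless of column alignment.
pids_for_user() {
    awk -v u="$1" 'NR > 1 && $2 == u { print $1 }'
}

# Count how many processes user $1 owns in the ps listing on stdin.
session_count() {
    pids_for_user "$1" | wc -l | tr -d ' '
}

# Contain an account: rotate its password, then terminate every process it
# owns so an intruder's existing shell or SFTP session is dropped as well.
# $1 = account name; $2 = 1 for a dry run (default), 0 to actually act.
# Must run as root (or the account owner) for passwd/kill to succeed.
contain_account() {
    user=$1
    dry=${2:-1}

    if [ "$dry" -eq 1 ]; then
        echo "dry run: would run 'passwd $user' and 'chage -d 0 $user'"
    else
        passwd "$user"            # interactive: sets the new password
        chage -d 0 "$user"        # force a password change at next login
    fi

    # Snapshot the account's processes from the live process table.
    pids=$(ps -eo pid,user,tty,comm | pids_for_user "$user")
    if [ -z "$pids" ]; then
        echo "no processes owned by $user are running"
        return 0
    fi
    if [ "$dry" -eq 1 ]; then
        echo "dry run: would send SIGTERM, then SIGKILL, to: $(echo $pids)"
        return 0
    fi

    # TERM first so well-behaved programs can exit; anything still alive
    # two seconds later gets KILL, which cannot be caught or ignored.
    for sig in TERM KILL; do
        for pid in $pids; do
            kill -"$sig" "$pid" 2>/dev/null
        done
        sleep 2
    done
}

# Offline demonstration against the constructed listing: prints the three
# PIDs that belong to webdev (2201, 2205, 2400).
printf '%s\n' "$SAMPLE_PS" | pids_for_user webdev
```

Running `contain_account webdev 0` on a real host does the whole sequence; the dry-run default exists so the PID list can be reviewed first, since killing the wrong account's processes (a colleague's editor, a running backup) is an easy mistake under pressure. Killing the sessions evicts the intruder only until they come back through whatever hole admitted them, which is why the thread's other advice about restoring from backup and finding the entry point still applies.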
 
Karl Core

GreyWyvern said:
[snip]

And just *where* have *you* been, mister!?! Do you have any idea what
time it is??????

Grey

I've been hiding out on alt.html. Lower signal-to-noise ratio than you
crazy kids on AWW
 
