ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


a very bad day

September 05, 2007 10:58am

  • #1 / Sep 05, 2007 10:58am

    bingomaster

    9 posts

    hello everyone

    we’re using rimu to host some sites, one of which is an EE 1.4.2 site

    the server has been hacked and the technicians are trying to find out how at the moment.

    on their page for help they state

    Examples of webapps that have had some bad security holes include phpbb, awstats, anything that uses xmlrpc and formmail.

    Can you tell me if ee 1.4.2 uses any of those programs?

    thanks in advance

    going to be busy for the next week or so now

  • #2 / Sep 05, 2007 11:16am

    Robin Sowell

    13255 posts

    EE has its own xmlrpc class- but there’s nothing inherent in the spec itself that’s a security breach- more a matter of how it’s used/implemented.  (See here for an overview of what xmlrpc is.)  Have they given any details as to how the hackers gained access beyond the above?

    Security is top priority for EE, and I’ll give the crew a ‘heads up’ on this thread.  If your host has any more information on how security was compromised, let us know and we can take a closer look at those particulars.

  • #3 / Sep 05, 2007 11:24am

    bingomaster

    9 posts

    Hi Robin

    Another technician is now telling me it’s not hacked, even though rkhunter is giving back bad results and chkrootkit is

    I’ll come back to you with any news, it’s driving me mental to be honest.

  • #4 / Sep 05, 2007 11:34am

    Robin Sowell

    13255 posts

    It would drive me mental as well.  Hold tight- it can take them a bit to track things down.  Is this a shared server?

  • #5 / Sep 05, 2007 3:06pm

    bingomaster

    9 posts

    Wow

    This has been fun, but useful nevertheless.

    The technician who told me the system was hacked was relying on information he was getting back from using rkhunter.

    What he had forgotten to do was update rkhunter prior to running the check,  doh!

    Another technician and myself got on gmailchat and worked it all out.  They didn’t have to do that, and I’ve only had good experiences from Rimu in the past, so Rimu get 8 out of 10, got to take 2 off for telling me it was hacked:-(

    We also looked at some other problems, namely the server getting hammered by akamai servers from nowhere and the bandwidth flying through the roof, which was our initial indication of an intrusion.  I’m waiting for an explanation from akamai about that.

    The technician then applied some iptables rules for me and the akamai stuff seemed to disappear.

    In the 20 mins we had of thinking about how to rebuild I put together a plan of rsync’ing all the data to another host, hotcopy the database and use pound to switch back and forth if the sh*t goes down.

    A simple human error not helped by some crazy stuff going on in akamai.

    If I was a Chinese hacker, akamai servers seem like a perfect place to start. I’m not by the way FBI man 😊

    Akamai have replied to my 5 phone calls and 3 forms that I sent to the web with an email from someone saying they’d look at what’s happening.  That’s after I spent 40 minutes on a transatlantic phone call explaining the problem to a first level of support geezer, who sounded like he was listening, and then passed me over to a recorded message telling you to email them as there was no telephone support.  😊  I was so chuffed.  0 out of 10 for Akamai so far, 10 out of 10 for EE, 8 out of 10 for Rimu.

    Robin, cheers mate, as always your assistance has proved to be swift and accurate.

    I’m sorry to bother you.
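The false alarm in the post above came from running rkhunter against a stale signature database. The wrapper below is an added example (not code from the thread, from Rimu, or from the rkhunter project) of the check a practitioner would want: refresh rkhunter's data files first, refuse to scan if the refresh fails, and count the "Warning:" lines the scan leaves in its log so it can be triaged. The `--update`, `--check`, `--skip-keypress` and `--report-warnings-only` flags are real rkhunter options; the `RKHUNTER` and `RKLOG` paths and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: scan with rkhunter only after its database has been refreshed.
# RKHUNTER and RKLOG are assumed defaults; override them from the environment.
RKHUNTER="${RKHUNTER:-rkhunter}"
RKLOG="${RKLOG:-/var/log/rkhunter.log}"

# rkhunter --update exits 0 when nothing needed updating, 2 when files were
# updated, and 1 when the update failed. Only 0 and 2 mean "database is current".
rk_update() {
    "$RKHUNTER" --update
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 2 ]
}

# Run the scan only after a successful update, so a stale database cannot
# produce the kind of bogus "rootkit found" verdict the thread describes.
rk_scan() {
    if ! rk_update; then
        echo "rkhunter update failed; refusing to scan with stale data" >&2
        return 1
    fi
    "$RKHUNTER" --check --skip-keypress --report-warnings-only
}

# Count the "Warning:" lines in an rkhunter log (or any file passed in).
# Prints the count; exit status is 0 when at least one warning was found.
count_warnings() {
    grep -c 'Warning:' "$1"
}

# Constructed sample of rkhunter-style log lines (not output from a real scan),
# used here so the triage step can be exercised without rkhunter installed.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
Checking for rootkits...
Warning: The file properties have changed:
         File: /usr/bin/ssh
Checking for hidden files and directories [ None found ]
Warning: Suspicious file types found in /dev:
EOF

# Usage: on the sample log this prints 2; on a real host run rk_scan and then
# count_warnings "$RKLOG".
count_warnings "$SAMPLE_LOG"
```

Run `rk_scan` as root on the host; if it returns non-zero without scanning, fix the update problem (network, mirror, permissions) before trusting any result.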

