All Sorts of Stuff
First and foremost, I'd like to wish netnerds.net a happy birthday!
"NetNerds.net" turned 10 years old on October 22, 2007. I wanted to post that day but I got hacked and didn't want to post again until I fixed the problem. So how did I end up with the name netnerds.net? Well, I called my best friend Jenny and asked for name suggestions for a new computer company I was starting. Almost immediately, she came up with the name "netnerds" and I thought it was fantastic. Netnerds.com was taken and I was "stuck" with .net but as it turns out, I ended up strongly preferring netnerds.net anyway; it just makes more sense.
Being a poor/broke student, I phoned my dad and asked for $70 to register the domain at Internic. He obliged and I jumped on it. Three days later, I kid you not, I had an offer from someone else who wanted to buy the domain name. I refused and he wasn't happy at all -- he bought a similar domain and proceeded to DOS me over the course of the next few years. Recently, I actually found the Conceal Firewall (remember that?) logs for his attacks in 99.
Over the years, I've done so many different things with netnerds. It's been running a combination of SuSE and Windows since 98 or so. Before that, it was hosted at random places but when I moved to California on December 23, 1997, I brought it home with me where it stayed till I started colocating it in 2004. I got an @Home cable modem in early January '98 and started hosting my own DNS, mail, and websites and haven't stopped since. The guy who taught me about running DNS eventually ended up giving himself a rootshell and a backdoor on my little server. As soon as I figured it out, I shut down my crappy 486 Linux machine and purchased the book Practical Unix and Internet Security.
Disk path: /static/images/unix-sec.gif
Using Page Bundles: false
I dove head first in learning all about protecting myself. It's worked decently well; I'm even planning to get my CISSP in January.
So 10 years later, I got hacked again. I don't think it was anything too drastic on the system itself but the web and mySQL passwords seem to be compromised. Like most exploits, it happened because I was running outdated software. I didn't know Wordpress 2.0.2 was so exploitable.
The first strange thing I noticed was that someone created a Wordpress account, even though I explicitly disabled allowing users to create accounts. I logged into my admin panel to find out wtf but I kept getting a "database is out of date" error. Oh poo! So I checked my logs and found some unusual behavior. Dang, Gina. Now I know I'm hacked so what about backups? Well, I had a backup of my entire blog VM from days earlier but for some reason unknown to me, decided to delete it so restoring recent backups were not an option.
I wanted to find out more about the compromise so I replaced my hacked admin files with some old backups and was able to login. I immediately noticed that someone posted a secret entry titled "ris.jpg." I did a locate to find ris.jpg on the filesystem but nothing came up. Eventually, I would find it in /tmp and it looked really nasty. You can see a copy of it here: ris.txt. Notice the password upload calls to nst.void.ru. Ugh. In researching the guy's IP, it turns out it's likely a linkbot from Estonia. This guy got hit by him/it/her too.
I don't like to take any chances so I created a whole new VM from scratch. I exported only the comments and posts from my 3 hosted blogs and recreated everything else. This is why it took 14 or so days to bring the blog back to life. It would have been earlier but I'm still dealing with my RSI shoulder injury that recently and seemingly magically turned into a torn rotator cuff injury. It's going to require surgery so I'll be out of commission in December after I graduate from the University of San Francisco with a BS in IS Yay :D. Hopefully I can study for the CISSP during my downtime.
So the lesson I learned, Corey? Keep my stuff up to date, even on Linux. I've now got automatic updates setup in SuSE and I'm signing up for the Wordpress update mailing list. Oh and h0bbel, I did attempt to find a new blogging platform (including Habari) as you know but none were as mature, targeted and functional as WP. Plus, I kind of have to use WordPress, Matt Mullenweg has eateth my chicken-n-shrimp gumbo and stocked my fridge with Pumpkin flavored beer. It's only right ;)