
Help me secure my 'hacked' server?


fozl
24-08-2010, 09:37
I'm locking this thread, because so far by the tone I honestly don't think anyone is going to be helped by it, except perhaps as a case study of how not to behave on the forums.

Thelen
23-08-2010, 12:10
*claps hands derisively* well done you managed to troll a troll of a serious point.

Funny how there haven't been any updates or security vulnerabilities for lighty in donkeys ages, nor if there is, then wonder how half a million using the apt version aren't hacked.

******************

LawsHosting
23-08-2010, 09:43
Quote Originally Posted by Thelen
I subscribe to debian security updates list, every new email automatically goes through a script that checks my packages and flags servers that need updating (usually all of them). Given there were no updates for more than 5 days (the history I've gone back through), unless it was a 0day then nothing I could have done.
You said it was LightHTTPD, so unless you compiled from source, sometimes apt-get only has a specific version. I run Apache and have to compile from source to get the most recent version.

Besides, as you (were) "hacked" via LightHTTPD, you already said how they got in, didn't you? So, it must've been a configuration problem or a mass vulnerability, or some customer taking you for a ride.

Besides, your drivel is boring me, so, I'm out of this thread

jonlewi5
23-08-2010, 09:23
Quote Originally Posted by Thelen
none of you are even remotely decent humans nor sysadmins,
Well I've not had any of my machines hacked........

Thelen
23-08-2010, 02:23
Quote Originally Posted by LawsHosting
OVH only cares about the impact on other clients, not your security..... that's why they put it in rescue mode/etc.

If you rent a dedicated server, then you have to know how to admin it with security and patches - that is not OVH's job, if the hardware and network are faulty, then, that's where OVH steps in....

You shouldn't need your bum wiped.
I never said they care about security, I said they care about my server being 'hacked'. I didn't even imply the security, everyone here knows OVH is unmanaged, so how could that be an implication....

Also, failing to read what I've already said for the umpteenth time, it was up to date 100%. I subscribe to debian security updates list, every new email automatically goes through a script that checks my packages and flags servers that need updating (usually all of them). Given there were no updates for more than 5 days (the history I've gone back through), unless it was a 0day then nothing I could have done.

****************

Euan
22-08-2010, 13:12
The reason why no one does, or should care is because of the stupidity in your other thread. You have burned any interest that anyone had in helping you secure it.

zydron
22-08-2010, 12:27
I agree, you rented an UNMANAGED server, which means that you or your clients are the administrator and no one else!
You are responsible to keep it secure. That includes that you must be sure that your clients don't do funny things.

If you can't secure it, maybe think about a managed contract from OVH (they sell it)

LawsHosting
22-08-2010, 11:04
Quote Originally Posted by Thelen
Yes, they did. They shut it down for 48 hours. They most certainly care, you'll see above and in other threads the official position of OVH.
OVH only cares about the impact on other clients, not your security..... that's why they put it in rescue mode/etc.

If you rent a dedicated server, then you have to know how to admin it with security and patches - that is not OVH's job, if the hardware and network are faulty, then, that's where OVH steps in....

You shouldn't need your bum wiped.

Thelen
22-08-2010, 10:43
Quote Originally Posted by olliegooch
Evidently you're more interested in playing silly buggers on a forum than manning up, accepting you got hacked and actually dealing with the problem.
I did man up, I thought that was what this thread was about.

How do you suggest I deal with the problem, aside from asking for help????????????????

Quote Originally Posted by zydron
OVH doesn't care
if OVH does, they didn't shut down servers.

We don't know your configuration and don't want to either.

Security is something you must do ON YOUR OWN, else you have a leak in your security because somewhere you have discussed it.
Everyone can read this forum, your crackers too!
Yes, they did. They shut it down for 48 hours. They most certainly care, you'll see above and in other threads the official position of OVH.

If my server is already hacked, how could it be any worse posting on a public forum? What more do I have to lose?

zydron
21-08-2010, 23:39
Quote Originally Posted by Thelen
OVH does, they shut down my server for 48 hours.

xxxxxxxx
OVH doesn't care
if OVH does, they didn't shut down servers.

We don't know your configuration and don't want to either.

Security is something you must do ON YOUR OWN, else you have a leak in your security because somewhere you have discussed it.
Everyone can read this forum, your crackers too!

Andy
21-08-2010, 21:19
I don't care either, and I don't troll. Thank you goodbye.

olliegooch
21-08-2010, 18:11
Evidently you're more interested in playing silly buggers on a forum than manning up, accepting you got hacked and actually dealing with the problem.

Thelen
21-08-2010, 17:27
OVH does, they shut down my server for 48 hours.

xxxxxxxxx

Euan
21-08-2010, 17:21
No, no one cares.

Thelen
21-08-2010, 16:48
Funny, for all the people that are supposedly utterly convinced I am hacked, there seems to be 31 reads but no suggestions...

Thelen
21-08-2010, 09:51
Perhaps I should have been more clear with:
Thelen, what you seem to fail to grasp is that LIGHTHTTPD DOES NOT SUPPORT .htaccess FILES (see their FAQ why).
It wasn't .htaccess, it was:
Code:
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/.htpasswd"
auth.require = ( "/" =>
  (
I accept your proviso it could have been in a tmpfs, however I'm using vhost:
Code:
 $HTTP["host"] =~ "XXXXXXX.customseedbox.com" {
    server.document-root = "/home/XXXXXXX/www/"
in which case why did they use a vhost for the attack vs the default www... (perhaps it was the said user of the box that did the attack himself).

Anyway, apparently since you all think I've been 'hacked', since I have not done anything to the server, can anyone help me 'unhack' it.

Oh and also advice on how to secure about 59 other servers running identical setup.