
This is a discussion on feedback requested in the Shared & Semi-Dedicated forum

  1. #1
    JPC Senior Member Geoff's Avatar
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    76

    feedback requested

    Can I have some feedback on what is going on. I have seen reports and explanations in the last few days involving hacking, denial of service attacks, software upgrades, hardware failures, mistakes in making changes to servers.

    Could we have a clear analysis of what is going on, what problems are related and whether some of these explanations are no longer correct. I understand that sometimes you see a problem as one thing but in reality it is something else you work out later. I know that there are periods where everything goes wrong too.

    I know this is stressful for support ... I'd just like to have a better idea about what is going on so I can pass this on to my clients.

  2. #2
    Jag Veteran dkadave's Avatar
    Join Date
    Sep 2001
    Location
    California, from Hawaii! Gotta love the ocean...
    Posts
    558
    Me too...
    ------------------------------------------------------------------------------------------------
    http://www.dkanet.com - http://www.vi01.com
    http://www.dkahost.com
    ------------------------------------------------------------------------------------------------
    AIM: dkadave - YIM: dkadave
    E-mail: dkanet@dkanet.com
    ------------------------------------------------------------------------------------------------

  3. #3
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775

    Re: feedback requested

    Originally posted by Geoff
    Can I have some feedback on what is going on. I have seen reports and explanations in the last few days involving hacking, denial of service attacks, software upgrades, hardware failures, mistakes in making changes to servers...
    You didn't mention the mass defacements. Other than that, I think you got it pegged...
    DISCLAIMER Any resemblance between the views expressed above and those of the owners and operators of this system is purely coincidental. Any resemblance between these views and my own are non-deterministic. The existence of Vin DSL is questionable. The existence of views in the absence of anyone to hold them is problematic. The existence of the reader is left as an exercise in the second-order coefficient.

    No Guts, No Story! VinDSL © 2010

  4. #4
    JPC Senior Member Geoff's Avatar
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    76
    Any feedback on this post from the moderators would be appreciated. I'd just like a clearer analysis of the problems than I can get from separate posts in the forums. It is a bit confusing with separate posts about separate servers what is actually going on. It isn't that I doubt that there have been hackers or DOS attacks ... it is just I want an overall (brief) explanation for the downtime of late.
    Last edited by Geoff; 04-09-2003 at 02:58 PM.

  5. #5
    Darth Admin (aka Jag) JPC-Greg's Avatar
    Join Date
    Sep 1998
    Posts
    5,201
    I'm not sure I can offer a summary, so many issues in such a short time frame. The posts and news updates will tell it best.
    First came some compromised servers. Then came a slew of updates and maintenance to try to protect other servers once we identified the issues.

    Then came some server doubts where we could not safely say 100% that a server was not compromised, so rather than risk your passwords and sensitive data we formatted many machines and restored them. Followed by more updates.

    Some hardware issues were identified during these mass updates and so we had to deal with those.

    All compounded by the recent DoS yesterday.

    Most lingering issues now come from post-restore problems, restores that had to be done due to the attacks that started. They are still being attempted and probably always will be, but there is better protection in place now.
    Greg L. | Chief Executive Officer
    JaguarPC.com

    Helpful Links
    Knowledge Base | Network Status

    Need a Manager?
    (pm) | (email) David, Customer Service Manager
    (pm) | (email) Zach, Community Liaison, Sales manager
    (pm) | (email) Masood, Chief Technical Officer
    (pm) | (email) Les, Chief Operations Officer

  6. #6
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by Jag
    ...Then came some server doubts where we could not safely say 100% that a server was not compromised so rather than risk your passwords and sensitive data we formatted many machines and restored them...
    Hey, Chief, I don't know if you realize this (I'm probably preaching to the choir) but hackers don't have to get on 'our' servers in order to obtain passwords and user names. Packet sniffers and so forth aside, all they have to do is get ahold of someone's admin cookie and they're in.

    I've noticed that the cookie on the Cpanel has a relatively short life, which is good. Let's say you log in and it sends you a cookie that expires in 10 minutes. If someone sends you a kiddie script in your eMail and gets that cookie, they've obviously got less than 10 minutes to do their thing.

    However, let's say someone is running a CMS like PHP-Nuke or one of its many forks, and the admin cookie is set to infinity (never expires) which it often is. If they get ahold of that cookie, then they can play havoc to their heart's content.

    Many proggies supply cookies with infinite persistence --- this web board being one of them.

    All I am saying is, wiping the slate clean isn't necessarily going to do squat. While it's a noble gesture, I'm afraid it isn't going to make much difference. The security holes in all these user installed proggies are the problem and there is no way you're going to curtail that...
    Last edited by Vin DSL; 04-09-2003 at 06:54 PM.

  7. #7
    Kubla Khan lookout's Avatar
    Join Date
    Aug 2002
    Location
    Orodruin
    Posts
    1,386
    Originally posted by Jag
    Then came some server doubts where we could not safely say 100% that a server was not compromised so rather than risk your passwords and sensitive data we formatted many machines and restored them.
    Jag, though I already know the answer to this is likely "yes, it would be prudent", are you suggesting that Jaguar clients change their various account passwords ASAP? What do you think is the likelihood that the security on our individual accounts actually has been compromised? Just looking for a straightforward, reasonable answer here, rather than a c.y.a. one.
    The trouble with our times is that the future is not what it used to be.
    - Paul Valery

  8. #8
    Darth Admin (aka Jag) JPC-Greg's Avatar
    Join Date
    Sep 1998
    Posts
    5,201
    It's unlikely your users' passes were compromised, but yes, a change is recommended. That's nothing new though, I recommend you change your passwords frequently regardless of the situation.

    Vin, sniffers are a constant threat and a format won't do anything to fight a remote sniffer. Formats were done on machines where we could not be certain the machine was safe 100%. All it takes is one infected binary file to give a person a foot back in the door. Once a machine is suspect, the only safe thing to do is format.

  9. #9
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by Jag
    ...All it takes is one infected binary file to give a person a foot back in the door. Once a machine is suspect, the only safe thing to do is format...
    When you put it like that, I have to agree. Someone got into one of my computers, at the house, and was using it as a ghost machine. After several hours of trying to figure out how they did it, I finally gave up and did a fresh install.

    My only question is --- if you are doing a format and restore, how do you know the backups don't contain the same infected files?

  10. #10
    JPC Addict
    Join Date
    Oct 2002
    Posts
    148
    Well, when he says "restore", at least on hydrogen, support didn't restore any customer files at all. I'm still having issues with my eMail (not storing on the server).
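The question raised in post #9, whether a backup carries the same altered files back onto a freshly formatted machine, can be checked before restoring. The sketch below is an added example, not the host's procedure or code from the thread: it compares a backup tree with a manifest of SHA-256 hashes assumed to come from known-good install media, and every path and file content in it is constructed.

```python
import hashlib
import os
import stat
import tempfile

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def check_backup(backup_root, trusted):
    """Compare a backup tree with {relative path: sha256} from known-good media.

    Returns (modified, unknown_exec): tracked files whose hash changed, and
    executable files that the trusted manifest does not list at all.
    """
    modified, unknown_exec = [], []
    for dirpath, _dirs, files in os.walk(backup_root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):       # skip symlinks, devices, sockets
                continue
            rel = os.path.relpath(full, backup_root).replace(os.sep, "/")
            if rel in trusted:
                if sha256_file(full) != trusted[rel]:
                    modified.append(rel)
            elif mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                unknown_exec.append(rel)
    return sorted(modified), sorted(unknown_exec)

def demo():
    """Constructed backup tree: one clean binary, one altered, one stray."""
    good = {"bin/ls": b"ls v1", "bin/ps": b"ps v1"}          # made-up contents
    trusted = {p: hashlib.sha256(c).hexdigest() for p, c in good.items()}
    in_backup = {"bin/ls": b"ls v1", "bin/ps": b"ps v1 + extra code",
                 "tmp/.x": b"stray program", "home/site/index.html": b"<html>"}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in in_backup.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
            if not rel.endswith(".html"):
                os.chmod(path, 0o755)        # mark the programs executable
        return check_backup(root, trusted)

if __name__ == "__main__":
    print(demo())
```

Non-executable customer content such as `index.html` passes through unchecked here, so restored site scripts and user-installed applications still need their own review.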

  11. #11
    JPC Senior Member Geoff's Avatar
    Join Date
    Sep 2001
    Location
    New Zealand
    Posts
    76
    thanks Greg.

  12. #12
    Loyal Client snowcreative's Avatar
    Join Date
    Mar 2003
    Location
    NY
    Posts
    101
    Hey, you're right. The cookie for this forum is set to last a full year in my browser. Sounds like it's a good idea to change my settings to limit the life of cookies to a very short time (like 1 day), or even to go all the way and make them all expire when I quit my browser. Does that make sense?

  13. #13
    PHP/Java Error Master Defender's Avatar
    Join Date
    Oct 2002
    Location
    My Computer
    Posts
    86
    Originally posted by Vin DSL
    I've noticed that the cookie on the Cpanel has a relatively short life, which is good. Let's say you log in and it sends you a cookie that expires in 10 minutes. If someone sends you a kiddie script in your eMail and gets that cookie, they've obviously got less than 10 minutes to do their thing.
    I thought stuff like cpanel used sessions? Sure sessions use cookies, but they're deleted when all the browsers are closed, or when the session is set to expire (whichever happens first).
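The difference discussed in posts #6, #12 and #13, between a session cookie and one that persists for a year or "forever", is visible in the `Set-Cookie` header an application sends. The following is an added example, not code from the thread or from any of the applications named: the headers, cookie names and the 30-minute limit are constructed assumptions, and the `HttpOnly`/`Secure` checks go beyond the lifetime point made in the posts.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_ADMIN_LIFETIME = timedelta(minutes=30)   # assumed policy, not from the thread

SAMPLE_HEADERS = [  # constructed Set-Cookie values; cookie names are made up
    "cpsession=ab12cd34; Path=/; Secure; HttpOnly",
    "admin=dXNlcjpoYXNo; Path=/; Expires=Thu, 31 Dec 2037 23:59:59 GMT",
    "forum_login=77f0; Path=/; Max-Age=31536000; HttpOnly",
]

def audit_set_cookie(header, now, limit=MAX_ADMIN_LIFETIME):
    """Return (name, lifetime, findings) for one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    lifetime = None   # None = session cookie, dropped when the browser closes
    if "max-age" in attrs:                   # Max-Age wins over Expires
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        lifetime = parsedate_to_datetime(attrs["expires"]) - now

    findings = []
    if lifetime is not None and lifetime > limit:
        findings.append(f"persistent for {lifetime.days} days")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by script")
    if "secure" not in attrs:
        findings.append("no Secure: sent over plain HTTP")
    return name, lifetime, findings

if __name__ == "__main__":
    now = datetime(2003, 4, 9, tzinfo=timezone.utc)   # date of the thread
    for header in SAMPLE_HEADERS:
        name, lifetime, findings = audit_set_cookie(header, now)
        kind = "session" if lifetime is None else f"{lifetime.days} days"
        print(f"{name:12} {kind:12} {'; '.join(findings) or 'ok'}")
```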

  14. #14
    Yeah, I know a LOT! Vin DSL's Avatar
    Join Date
    Mar 2003
    Location
    Arizona Uplands
    Posts
    10,775
    Originally posted by Defender
    I thought stuff like cpanel used sessions?
    You thought wisely!
    Last edited by Vin DSL; 04-10-2003 at 12:48 AM.
