
Re: [cobalt-security] RaQ2 Hacked within 1 day of being online



From: "Patrick Agee" <pagee@xxxxxxxxxxxxxx>

> KD - Consider the possibility that this is an inside job. Could one of
> your customers / employees / former employees be doing this?
> PA - Probably not inside job as I am the only one here with my company,
> also the ISP where it's co-located has not hired/fired/ anybody new in
> last 8-10 months. IP's show the hits to mine are from Canada and one of my
> ISP's Cobalt's have been hit and IP for theirs shows Europe.

In light of this and other recent posts, my guess would be that the same
hacker is responsible for both attacks. Since your ISP's box was cracked
first, the attacker probably sniffed your password from this neighboring
box, and connected to your server from a completely different server. The
attacker probably owns both the box in Canada and the one in Europe. The
speed of the attack suggests that the attacker was running a sniffer on the
neighboring server. Generally, when a hacker sets up a sniffer, he will save
a bunch of data from the sniffer into a file and come back to check it
periodically. He probably noticed your login among the sniffer logs
relatively soon after you connected the machine and telnetted to it. At that
point, your server was the next prime target.

If you are really interested in tracing the attack, you need to find out how
the ISP's box was cracked, and show the appropriate logs to the
organizations that run the cracked servers. If those organizations are
feeling cooperative, you may get somewhere (those organizations would have
to trace how their boxes have been hacked, and the cycle continues). Oh, and
by the way, you'll have to get all of that done ASAP, because most admins
don't keep logs past a month or so.

Kevin
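The scenario Kevin describes (a telnet login captured by a sniffer on a neighbouring box) is easy to confirm from a defender's side: anyone with a packet capture of the segment can see the account name go by in cleartext. The following is an added example, not code from the original post or from Cobalt; it audits a constructed packet sequence for telnet login prompts, reports which account authenticated over cleartext (so the password can be rotated and the service replaced with SSH), and deliberately records only the length of the password, never its value. The hosts, ports and session bytes are constructed for the example; the `Packet` and `ExposedLogin` types are assumptions of this example, not any real capture library's API.

```python
"""Audit a constructed packet sequence for cleartext telnet logins.

Defender's use after an incident like the one above: find which accounts
authenticated over telnet on the co-located segment so those credentials
get rotated and the service is replaced with SSH. The password itself is
never stored or printed; only the fact that one crossed the wire.
"""
from dataclasses import dataclass

TELNET_PORT = 23
IAC, SB, SE = 0xFF, 0xFA, 0xF0   # telnet option-negotiation bytes


@dataclass
class Packet:            # assumed minimal packet shape for this example
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class ExposedLogin:      # one account seen authenticating in cleartext
    client: str
    server: str
    username: str
    password_sent: bool
    password_len: int


def strip_iac(data: bytes) -> bytes:
    """Remove telnet option negotiation (IAC sequences) from a stream."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:
            out.append(IAC)          # escaped literal 0xFF
            i += 2
        elif i + 1 < len(data) and data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)   # sub-negotiation block
            i = len(data) if end < 0 else end + 2
        else:
            i += 3                   # IAC <WILL|WONT|DO|DONT> <option>
    return bytes(out)


def audit_telnet(packets):
    """Return an ExposedLogin for every telnet session that reached a login prompt."""
    sessions = {}    # (client, server, client port) -> ordered (direction, bytes)
    for p in packets:
        if p.dport == TELNET_PORT:
            key, direction = (p.src, p.dst, p.sport), "c2s"
        elif p.sport == TELNET_PORT:
            key, direction = (p.dst, p.src, p.dport), "s2c"
        else:
            continue                 # not telnet (e.g. SSH on 22): nothing to see
        sessions.setdefault(key, []).append((direction, strip_iac(p.payload)))

    findings = []
    for (client, server, _), msgs in sessions.items():
        state, username, pw_len, pw_sent = None, bytearray(), 0, False
        for direction, data in msgs:
            if direction == "s2c":               # server prompts drive the state machine
                low = data.lower()
                if b"login:" in low:
                    state = "user"
                elif b"password:" in low:
                    state = "pass"
            elif state == "user":                # client typing the account name
                for b in data:
                    if b in (0x0D, 0x0A):
                        state = None
                        break
                    username.append(b)
            elif state == "pass":                # client typing the password: count only
                for b in data:
                    if b in (0x0D, 0x0A):
                        state, pw_sent = None, True
                        break
                    pw_len += 1
        if username:
            findings.append(ExposedLogin(client, server,
                                         username.decode(errors="replace"),
                                         pw_sent, pw_len))
    return findings


# Constructed sample: one telnet login to a RaQ, plus an SSH connection for contrast.
SAMPLE = [
    Packet("192.0.2.10", "198.51.100.5", 40001, 23, b"\xff\xfd\x18\xff\xfd\x20"),
    Packet("198.51.100.5", "192.0.2.10", 23, 40001, b"\xff\xfb\x01\r\nCobalt RaQ2\r\nlogin: "),
    Packet("192.0.2.10", "198.51.100.5", 40001, 23, b"admin"),
    Packet("192.0.2.10", "198.51.100.5", 40001, 23, b"\r\n"),
    Packet("198.51.100.5", "192.0.2.10", 23, 40001, b"Password: "),
    Packet("192.0.2.10", "198.51.100.5", 40001, 23, b"s3cret!\r\n"),
    Packet("192.0.2.10", "203.0.113.7", 40002, 22, b"SSH-2.0-OpenSSH"),
]

if __name__ == "__main__":
    for f in audit_telnet(SAMPLE):
        print(f"{f.client} -> {f.server}: account '{f.username}' logged in over "
              f"cleartext telnet (password sent: {f.password_sent}, {f.password_len} chars)")
```

Run against a real capture, the same loop would be fed by a pcap reader; the state machine only needs the two directions of each session in order. The SSH packet is skipped on purpose, which is the point of the recommendation implicit in the thread: once the console goes over SSH, there is nothing for a neighbouring sniffer to read.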