"MyFur Network" / "Babyfur.ME" Servers Status
14 years ago
MyFur network ("server") was recently hacked ("rooted") due to a security hole ("exploit") in its Web Hosting Manager ("WHM" or "cpanel") software. This was done some hours before it was discovered. I discovered it as it happened on Tuesday night at ~10PM via an SMS sent to myself from the server, basically stating that "a new user was created", so of course I hurried home, leaving the normal Tuesday night furmeet I was attending without saying goodbye to anyone (mostly because I had no idea where they went off to, ha). Anyway.. so here's what happened:
First thing first: I removed the user. But it was already too late. Then a minute later I got an email from cpanel again (SMS failed, was too big) that told me that some code was executed @ the root level. This code wasn't so bad, and I was able to clean it up and stop the user (the script had added one of my legit users to the wheel, in order to execute this code via php under that user's www directory, and pulled that off by making a change to the global php.ini).
So next: I executed my backup scripts in this order:
all mysql databases, then all files (only as far as www level).
I kept an eye on the files, but more importantly on the databases.
Surprisingly MySql remained untouched through this whole thing. But as I tried to combat the hacker (a "Bot")[1], it got nasty.
Up until this time (about 18 hrs in)[2] MyFur, AZFurs, and all other sites remained untouched. I think what triggered it was my use of the commands "ssh", "ftp" and "passwd", which had been rewritten to "something else". This is where it got bad.
Long story short[2]: I hit the trigger to melt MySQL and then the files shortly after.
The good news is, we're moving to a new server! This time a fully dedicated server, and away from GoDaddy! *this is exciting btw*
The ETA on the move is 3-5 days (prob much sooner, just wanna get the security right the first time around this time). But everything in [2] will be explained in more detail later.. I have to get going now >.<
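The two signals the post describes noticing (a brand-new account appearing, and a legitimate account being added to the wheel group) plus the replaced ssh/ftp/passwd binaries are all things a baseline diff catches. The script below is an added example, not code from the journal or from the MyFur server: it compares constructed sample /etc/passwd and /etc/group snapshots and constructed binary contents against a stored baseline. The file contents, user names and hashes are all made up for the demonstration; on a real host you would read the live files and keep the baseline (and the checking tool itself) on read-only or offline storage, since the post shows that the system's own binaries cannot be trusted once it is rooted.

```python
"""Baseline-diff checks for account creation, privileged-group membership
changes, and replaced binaries. All inputs here are constructed sample data."""

import hashlib

# Constructed baseline snapshot: what the server looked like before the incident.
BASELINE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001::/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/bash
"""
BASELINE_GROUP = """root:x:0:
wheel:x:10:root
alice:x:1001:
bob:x:1002:
"""

# Constructed "current" snapshot: a new uid-0 account appeared and bob is now in wheel.
CURRENT_PASSWD = BASELINE_PASSWD + "svc_backup:x:0:0::/tmp:/bin/sh\n"
CURRENT_GROUP = BASELINE_GROUP.replace("wheel:x:10:root", "wheel:x:10:root,bob")

# Constructed stand-ins for binary contents (real use: read the files from disk).
BASELINE_BINARIES = {"/usr/bin/ssh": b"ssh-original", "/usr/bin/ftp": b"ftp-original",
                     "/usr/bin/passwd": b"passwd-original"}
CURRENT_BINARIES = dict(BASELINE_BINARIES, **{"/usr/bin/ssh": b"ssh-replaced"})


def parse_passwd(text):
    """Map user name -> fields from passwd-format text; skips comments and short lines."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        users[fields[0]] = {"uid": int(fields[2]), "gid": int(fields[3]),
                            "home": fields[5], "shell": fields[6]}
    return users


def parse_group(text):
    """Map group name -> set of supplementary members from group-format text."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def diff_accounts(old_passwd, new_passwd, old_group, new_group,
                  privileged_groups=("wheel", "root")):
    """Return human-readable findings: new accounts, extra uid-0 accounts,
    and additions to privileged groups."""
    findings = []
    old, new = parse_passwd(old_passwd), parse_passwd(new_passwd)
    for name in sorted(set(new) - set(old)):
        findings.append(f"new account: {name} (uid={new[name]['uid']})")
    for name, info in new.items():
        if info["uid"] == 0 and name != "root":
            findings.append(f"uid 0 account other than root: {name}")
    og, ng = parse_group(old_group), parse_group(new_group)
    for group in privileged_groups:
        for member in sorted(ng.get(group, set()) - og.get(group, set())):
            findings.append(f"{member} added to group {group}")
    return findings


def hash_files(contents):
    """SHA-256 of each path's bytes; contents is {path: bytes}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in contents.items()}


def diff_binaries(baseline_hashes, current_hashes):
    """Paths whose current hash differs from (or is missing in) the baseline."""
    return sorted(p for p, h in current_hashes.items() if baseline_hashes.get(p) != h)


if __name__ == "__main__":
    for finding in diff_accounts(BASELINE_PASSWD, CURRENT_PASSWD,
                                 BASELINE_GROUP, CURRENT_GROUP):
        print("ACCOUNT:", finding)
    for path in diff_binaries(hash_files(BASELINE_BINARIES), hash_files(CURRENT_BINARIES)):
        print("BINARY CHANGED:", path)
```

The account diff is what the cpanel "new user was created" alert amounted to, with the wheel-membership check covering the second step the post describes; the binary check is the part the author did not have, which is why typing ssh/ftp/passwd on the compromised host was the trigger. Run the diff from a clean environment against copies of the files rather than trusting the host to report on itself.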
Thanks for the information, Fuzzy. I was worried when I couldn't get on the site and then when it seemed to disappear.
Glad to hear it's going to come back. :)