Xania.org attack

Well, that wasn’t much fun at all. I’ve just reinstalled xania.org from scratch as a result of some git hacking it. Luckily I happened to spot the hacking attempt as it happened, but sadly not before my intruder had gotten halfway into installing a root kit.

The intruder got in through a GeekLog vulnerability, then was able to use a 2.6 kernel /proc race condition exploit to get root. After that the intruder started covering his tracks with a utmp and log wiper, and was in the process of installing a root kit (replacing ifconfig and netstat) when I kicked him off and locked down the site.

In its new guise, xania.org has the latest patches all installed, latest kernel and some increased compromisation detection tools installed. I do hope this time I’m more secure. After 7 years of being up, this is the first time someone’s gotten in – though my luck is more due to obscurity than security, I might add.

Filed under: Blog
Posted at 20:07:40 BST on 20th July 2006.

About Matt Godbolt

Matt Godbolt is a C++ developer working in Chicago in the finance industry.