Code Leak Update

Posted by riuthamus, 23 November 2012 · 992 views

So, we found a log that they did not know about that detailed very clearly what the person did! We even have some information about the origin of the hacker as well ( whether they were router bouncing or not is undetermined yet ). Long story short, they found out that our 'git' user has a blank password ( big no no.... I know but we had passwords disabled and SSH auth. only, or so we thought ).

We found out that our system was set up to use SSH but that if the SSH failed enough it would revert back to letting them use a password. At that time they gained access and installed the rootkits and scripts. We found they got more or less nothing of importance and that it most likely was a test to see if it worked. Good news is this little setback taught us a lot about security and how to control our important assets. I'm not saying we are hacker proof ( trust me, we are not ) but we are certainly more aware and conscious of the effects of leaving things up to chance.

If you are not using a hosted server, remember the following:

1) Change all default passwords
2) Disable or delete accounts not in use
3) Change all passwords regularly, ensure they are 14 characters or longer
4) Perform routine checks on all systems to ensure that everything is on the up and up.
5) Lastly, study up. Knowing the most common ways hackers hack will help you defend against them.
6) Ensure any software running on your server is kept up-to-date. It's unfortunately very common for hacks -- especially the automated or semi-automated variety -- to take advantage of vulnerabilities in outdated software that have actually been fixed in more recent versions. Unless it's marked as "critical" I don't normally like to install updates immediately after release in case they are found to cause additional problems, but allowing your software to get out of date is really just inviting easily avoidable trouble.
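As an added example (not from the original post), here is the post's root cause turned into a check: sshd only "reverts" to passwords because the password method was never disabled, and an account with an empty shadow field then needs no password at all once that method is reachable. It assumes OpenSSH sshd_config semantics (the first occurrence of a directive wins, and lines after a Match line are conditional) and uses constructed sample files.

```python
import re

# sshd defaults when a directive is absent (from sshd_config(5)).
SSHD_DEFAULTS = {"passwordauthentication": "yes", "permitemptypasswords": "no",
                 "pubkeyauthentication": "yes"}
# What a key-only server should end up with.
SSHD_WANTED = {"passwordauthentication": "no", "permitemptypasswords": "no",
               "pubkeyauthentication": "yes"}

# Constructed sample: keys work, but the password method is never disabled,
# so a client whose key is rejected is simply asked for a password.
WEAK_CONFIG = """PubkeyAuthentication yes
#PasswordAuthentication no   (commented out, so the default 'yes' applies)
PermitEmptyPasswords yes
"""
HARDENED_CONFIG = """PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
"""
# Constructed /etc/shadow excerpt: the 'git' account has an empty hash field.
SHADOW_SAMPLE = "root:$6$abc$xyz:15600:0:99999:7:::\ngit::15600:0:99999:7:::\n"

def effective_sshd_settings(config_text: str) -> dict:
    """Global value of each audited directive. sshd honours the FIRST occurrence
    of a keyword; lines after 'Match' are conditional, so the audit stops there."""
    settings = dict(SSHD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings

def audit_sshd_config(config_text: str) -> list:
    """Directives whose effective value still lets a password be tried."""
    s = effective_sshd_settings(config_text)
    return [f"{k} is {s[k]} (want {w})" for k, w in SSHD_WANTED.items() if s[k] != w]

def empty_password_accounts(shadow_text: str) -> list:
    """Accounts whose shadow hash field is empty: no password is needed at all."""
    rows = (line.split(":") for line in shadow_text.splitlines() if line)
    return [r[0] for r in rows if len(r) > 1 and r[1] == ""]
```

Run the two audit functions over the contents of /etc/ssh/sshd_config and /etc/shadow (as root) to check a real server; an empty result from both is what you want to see.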

And for those wondering, the offending IP? ( at least one of them we found )

62.33.244.158 - Damn Russians!




RBN is attacking you? =)
Probably bouncing off a Russian-controlled proxy. [/random-uneducated-guess]

Awesome that you found concrete records of what they did - being unsure that "maybe we are missing something" would be very annoying.

On item #4, you said "Perform routine checks on all systems to ensure that everything is on the up and up." - what kind of 'routine checks' do you suggest? Manually checking dozens of log files?

Could you give your work and home computers static IP addresses, and give your important servers whitelists of those addresses, to block anything not on the list? Or just auto-flag and auto-block anything that looks like it's coming outside of your USA state?

On item #4, you said "Perform routine checks on all systems to ensure that everything is on the up and up." - what kind of 'routine checks' do you suggest? Manually checking dozens of log files?


This would be checking your basic logs, looking for unknown IP addresses that might have accessed the system or keep attacking it month after month. You can go through all the regional security procedures to make sure all your software is up to date ( as old software often leads to holes they can use ) and I would take the time to go through and ensure all the security measures you put in place ( when you started ) are still relevant and the best practices. Hacking is a side of coding we do not normally pay attention to, so we must ensure we are making time to think of it and ensure we guard ourselves from it. I am not saying my game is even close to finished to be "hack" worthy, but who knows if an early release came from our current code what would happen. If we got bigger and it happened it would mean even more possible issues.... anyway just figured I would pass on the lessons learned so that others may not fall privy to the failures of my own team.
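The routine log check described in the reply above, as an added example that is not part of the post or its comments: it parses OpenSSH auth.log lines, tallies attempts per source address, and flags successful logins that used a password or came from an address outside a static allow-list (the whitelist idea raised in an earlier comment). The log lines, hostname and addresses are constructed samples.

```python
import re
from collections import defaultdict

# Constructed OpenSSH auth.log excerpt (RFC 5737 example addresses): the
# 'git' user fails key auth from an unknown host, the client falls back to
# a password, and the login is accepted.
SAMPLE_LOG = """\
Nov 23 02:10:11 build sshd[2201]: Accepted publickey for git from 203.0.113.5 port 51234 ssh2
Nov 23 03:14:55 build sshd[2240]: Failed publickey for git from 198.51.100.7 port 40022 ssh2
Nov 23 03:14:58 build sshd[2240]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Nov 23 03:15:02 build sshd[2240]: Accepted password for git from 198.51.100.7 port 40023 ssh2
Nov 23 03:20:40 build sshd[2262]: Failed password for root from 198.51.100.7 port 40100 ssh2
"""
# Assumption: the static addresses that should ever log in (the allow-list
# idea from the comments).
KNOWN_HOSTS = {"203.0.113.5"}

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")

def parse_auth_log(text: str):
    """Yield (result, method, user, ip) for every sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["result"], m["method"], m["user"], m["ip"]

def attempts_by_ip(text: str) -> dict:
    """Accepted/failed counts per source address: the 'month after month'
    attackers show up here as high failed counts from one address."""
    stats = defaultdict(lambda: {"accepted": 0, "failed": 0})
    for result, _, _, ip in parse_auth_log(text):
        stats[ip]["accepted" if result == "Accepted" else "failed"] += 1
    return dict(stats)

def findings(text: str, known_hosts=KNOWN_HOSTS) -> list:
    """Successful logins that need a human to look at them: any password
    login on a key-only server, and any login from an address not on the list."""
    out = []
    for result, method, user, ip in parse_auth_log(text):
        if result != "Accepted":
            continue
        if method == "password":
            out.append(f"password login for {user} from {ip} (key-only expected)")
        if ip not in known_hosts:
            out.append(f"login for {user} from unknown host {ip}")
    return out
```

Feed it the real /var/log/auth.log (or `journalctl -u ssh` output) and keep the per-IP tallies from month to month so repeat attackers stand out.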
Just want to be clear this is featured to hopefully be helpful in case anyone else hasn't thought closely about their own repository security. Not trying to shame you guys or anything!
Oh no worries, if I was shamed I wouldn't have shared. I def wanted to get some exposure for this to ensure people are aware. Security is key, especially if what you are doing has potential. Thanks Gaiiden for the help.
Thanks for sharing the experience, hopefully it helps raise some additional awareness.

If I might suggest one more item for your list:
6) Ensure any software running on your server is kept up-to-date. It's unfortunately very common for hacks -- especially the automated or semi-automated variety -- to take advantage of vulnerabilities in out-dated software that have actually been fixed in more recent versions. Unless it's marked as "critical" I don't normally like to install updates immediately after release in case they are found to cause additional problems, but allowing your software to get out of date is really just inviting easily avoidable trouble. :-)
Haha, damn Russians.
jbadams, great addition! I'll make sure and put that up there.
