General :: General Discussion. General discussion about EverQuest(tm), EQEMu, and related topics. Do not post support topics here.
11-06-2009, 10:35 PM
Hill Giant
Join Date: Aug 2009
Location: Shelby Twp, MI
Posts: 114

Remote Attack!
Hello, my server is Tunare Reborn. I put this warning on the forums for ANY other server owners: someone remotely attacked my server computer and added himself as GM level 255 in my DB, and also removed my server's maps folder. What he planned to accomplish by this I don't know.
Though I don't know who he is, being he made like 50 players ALL rank 255.
Lucky for me I always keep backups of my files, so shove it hacker!
__________________
Owner and Head GM of Onyx'Falls Classic Respin'CL Hope to See You On.
11-06-2009, 11:06 PM
Demi-God
Join Date: Mar 2009
Location: Umm
Posts: 1,492

Did you take a note of his account name/IP or anything of the sort?
Also, if he could do it once... he may come back...
11-06-2009, 11:47 PM
Discordant
Join Date: Mar 2009
Location: Ottawa
Posts: 495

Yeah, best start locking down accounts/changing passwords.
11-07-2009, 09:59 AM
Dragon
Join Date: May 2006
Location: Cincinnati, OH
Posts: 689

And share whatever LS accounts he's on, so other server operators can be aware.
__________________
Yo mama so fat, if she moved past a black hole at high velocity it'd create a closed timelike curve.
11-07-2009, 11:56 AM
Hill Giant
Join Date: Aug 2009
Location: Shelby Twp, MI
Posts: 114

I couldn't get his account info or IP because he made like 50 people on my server admins, so I don't know which one he is.
__________________
Owner and Head GM of Onyx'Falls Classic Respin'CL Hope to See You On.
11-07-2009, 04:11 PM
Discordant
Join Date: Mar 2009
Location: Ottawa
Posts: 495

Well, depending on how he compromised your server, there might be some evidence.
11-07-2009, 04:50 PM
Hill Giant
Join Date: Aug 2009
Location: Shelby Twp, MI
Posts: 114

I looked, he made sure not to leave ANY evidence behind.
__________________
Owner and Head GM of Onyx'Falls Classic Respin'CL Hope to See You On.
11-07-2009, 06:30 PM
Discordant
Join Date: Mar 2009
Location: Ottawa
Posts: 495

Quote:
Originally Posted by Xenerox
I looked, he made sure not to leave ANY evidence behind.

Did he/she get root access to your server? That's the only way I can see that they'd be able to remove all traces of their actions.
Forgive me if you have already done this, but I assume that since your server was compromised in the first place, you didn't know this before. Also, I'm assuming you're running a Linux server if yours is a dedicated server. There are a few things you can do to lock it down:
- Disable sshd. If this isn't possible, you can limit the usernames that are allowed to log into the server in your sshd_config.
- Disable remote access to MySQL in your my.cnf file. Make it listen on 127.0.0.1 and set up a tunnel through SSH, so you're required to be logged in with an SSH client before you can access MySQL.
- Disable your web administration interface (the EQ one). Do whatever changes you need through SSH or a remote desktop interface.
- Make sure telnet is disabled in your eqemu_config.xml file.
- Make sure disablecommandline is set to 0 in your variables table. (Not sure if this still exists.)
- Ensure your eqemu processes are being run by a non-root user, possibly one that doesn't have access to sudo, or only a very limited set.
- Disable the root account (possible with Ubuntu at least, and possibly with other flavours of Linux too, I think).
- Ensure your server's operating system is updated.
- Install DenyHosts to reduce the likelihood of a brute-force attack.
- Ensure your web server is up to date and secure if it's running on the same machine. I won't go into the details of that here.
- Finally, beef up the security on your passwords. If there are multiple accounts that can log into the server, you can force them to change their passwords periodically.
I'll also add that I'm not a professional server admin, it's just a hobby, so I know there are at least a few more things you can do to secure it, I just don't know how to do them (i.e. chroot).
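One way to verify the two config changes the reply above puts first (MySQL listening only on 127.0.0.1 behind an SSH tunnel, and sshd limited to key logins for named users), written as an added example rather than anything posted in the thread. The my.cnf and sshd_config contents, the `admin`/`eqemu` usernames and the `admin@server` tunnel target are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a my.cnf and an sshd_config
# for the settings the reply above recommends. All sample files are constructed.

# Constructed weak my.cnf: mysqld reachable from every interface.
WEAK_MYCNF=$(mktemp); cat > "$WEAK_MYCNF" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
EOF

# Constructed hardened my.cnf: loopback only, so a remote query tool reaches
# mysqld only through an SSH tunnel such as (assumed user/host):
#   ssh -L 3306:127.0.0.1:3306 admin@server
SAFE_MYCNF=$(mktemp); cat > "$SAFE_MYCNF" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
EOF

# Constructed sshd_config: keys only, no root, and an explicit user allow-list.
SAFE_SSHD=$(mktemp); cat > "$SAFE_SSHD" <<'EOF'
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers admin eqemu
EOF

# Print the effective value of a "key value" or "key = value" directive,
# skipping commented lines; the last occurrence wins, as in both daemons.
conf_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=\{0,1\}[[:space:]]*\([^#]*\).*/\1/p" "$1" \
    | sed 's/[[:space:]]*$//' | tail -n 1
}

# Succeeds when mysqld listens only on loopback (or networking is off entirely).
mysql_is_local_only() {
  grep -Eq '^[[:space:]]*skip-networking' "$1" && return 0
  [ "$(conf_value "$1" bind-address)" = "127.0.0.1" ]
}

# Succeeds when sshd refuses passwords, refuses root, and restricts usernames.
sshd_is_locked_down() {
  [ "$(conf_value "$1" PasswordAuthentication)" = "no" ] &&
  [ "$(conf_value "$1" PermitRootLogin)" = "no" ] &&
  [ -n "$(conf_value "$1" AllowUsers)" ]
}

mysql_is_local_only "$WEAK_MYCNF" && echo "weak my.cnf: ok" || echo "weak my.cnf: EXPOSED"
mysql_is_local_only "$SAFE_MYCNF" && echo "safe my.cnf: ok" || echo "safe my.cnf: EXPOSED"
sshd_is_locked_down "$SAFE_SSHD" && echo "sshd_config: ok" || echo "sshd_config: WEAK"
```

Point the two check functions at the real /etc/mysql/my.cnf and /etc/ssh/sshd_config to audit a live box; a hardened box should pass both checks.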
11-07-2009, 08:11 PM
Hill Giant
Join Date: Nov 2008
Location: Gold Coast, Oz
Posts: 119

sshd is pretty safe as long as passwords are disabled, so it only uses public-key encryption, and as long as you have decent passphrases, and the machine you log in from has no keylogger on it. ssh with passwords is asking for trouble.
11-07-2009, 08:44 PM
Discordant
Join Date: Mar 2009
Location: Ottawa
Posts: 495

Quote:
Originally Posted by Kobaz
sshd is pretty safe as long as passwords are disabled, so it only uses public-key encryption, and as long as you have decent passphrases, and the machine you log in from has no keylogger on it. ssh with passwords is asking for trouble.

I guess I should have said, disable sshd if you aren't using it.
11-07-2009, 10:40 PM
Hill Giant
Join Date: Aug 2009
Location: Shelby Twp, MI
Posts: 114

My server computer uses Windows 7 64-bit, 8 GB RAM, Intel quad core, and how he did it was he used Navicat to get access to the DB. I have it set up so all you have to do is open Navicat and you're in the DB.
__________________
Owner and Head GM of Onyx'Falls Classic Respin'CL Hope to See You On.
11-07-2009, 11:19 PM
Administrator
Join Date: Jul 2003
Location: Massachusetts
Posts: 708

So what you're saying is, the problem lies between the chair and the keyboard.
__________________
EQEmulator Developer / Administrator
11-07-2009, 11:59 PM
Legendary Member
Join Date: Apr 2002
Location: Seattle, WA
Posts: 506

http://www.securityfocus.com/infocus/1726
Yeah, I'm not even sure how you set up your MySQL user accounts, but it's pretty obvious you 1) didn't disable the ability of users to remotely access your database, and 2) used a generic, easy-to-guess password.
Navicat is just a MySQL query tool; your problem lies within how you configured MySQL, not in any program. You may want to read up on security practices in MySQL to understand your folly, and review all your configurations. Then top it off with reading how to disable other means of connection except for what you use (remote desktop, etc.).
But did you seriously think you WOULDN'T GET remotely attacked when you can simply connect with Navicat and have full access to your SQL database? :o
/scared
As Rogean said, user error.
11-08-2009, 08:02 AM
Demi-God
Join Date: May 2007
Location: b
Posts: 1,447

This sounds like a layer 8 problem for sure. I advise you to use the OSI Model to solve this issue.
Quote:
Step 1, Physical Layer. Is your computer plugged in? Yes, it must be, someone got access to it. This must not be an issue.
Step 2, Data Link Layer. Is the attacker on my local network? Yes, because they got to:
Step 3, Network Layer. Is the attacker remotely attacking us? Yes. Let's check the layers to make sure this is the problem.
Step 4, Transport Layer. Is the port open? Yes, MySQL is open to the public. This could be a problem, especially if you have no password for MySQL.
Step 5, Session Layer. Is there a session opened for the communication? Yes, because with the information provided, they attacked you.
Step 6, Presentation Layer. Any encryption, etc.? What file format was the attack in? Probably plain text, and you had no password to begin with. Oops.
Step 7, Application Layer. They got to MySQL on the other side, and you probably had a service running that allowed access to your computer from Windows. Or they used Navicat to start services. Either way, this leads us to:
Step 8 (?), User or Political Layer, "I HAD NO PASSWORD, NO SECURITY, NO NOTHING AND YET I GOT HACKED WTF?! WHAT IS THIS I DONT EVEN"

I hope that was informative to you for securing your server next time.
11-11-2009, 04:57 PM
Fire Beetle
Join Date: Oct 2008
Location: Maine
Posts: 9

Expertise
Some people have certain expertise in different areas. I'm almost positive at least one of us is capable of tracking a hacker, as long as they had access to your database and log files. I suggest using a phone and a screen sharing program. I'll bet a phone and a screen sharing program would help lots of people with lots of different problems. The more people we get using EQEmu, the more community-rich our servers can become.