Haikuware is hacked.
Hopefully the site will start working as soon as possible...
Sorry for my English.
Yeah, looking into it. Will come online when we figure out the vulnerability. Might take a while.
You beat me to posting this =)
I guess using an old Linux OS released in 2006 is not a good idea!!!
"Linux server.haikuware.com 2.6.18-194.17.4.el5 #1 SMP Mon Oct 25 15:50:53 EDT 2010 x86_64 x86_64 x86_64 GNU/Linux"
Latest Linux kernel is 18.104.22.168. Version 2.6.18 was released in 2006, which shows how old the OS on that server is.
To avoid getting hacked you have to upgrade to the latest OS version and install updates, i.e., the OS should never be more than 1 year old. On Linux distros, support for older versions gets dropped, so you have to upgrade to a newer version.
As far as I know, I was using the latest CentOS release (5.6) and the associated kernel. I know CentOS is used on a lot of webservers. They use an older patched kernel for stability reasons; the latest isn't always the best.
Bah, why can't these script kiddies do something useful instead... so insanely pointless. Hope it's up soon again.
Thanks Rox. I might scrap the whole server now and reinstall/update everything; I don't trust it anymore. I have backups. It will be a huge PITA! Will try to be back soon. I guess any site can be hacked if the hacker wants it bad enough.
So, if anyone is good with security and could lend a hand, I'd appreciate it.
Yes, using the latest means it could be unstable, but using a kernel that was released Sept 2006 tells you that other packages on the OS may be "old" too. Over time there are security issues that get patched.
To compare to Debian: Etch 4.0 was using 2.6.18 (April 2007). Lenny 5.0 (Feb 2009): 2.6.26. Squeeze 6.0 (Feb 2011): 2.6.32.
CentOS 5.6 (April 2011): 2.6.18. Red Hat also used 2.6.18 but just switched to 2.6.32 with the 6.1 release. Wait, isn't that the same kernel now being used by Debian in 6.0?
CentOS/Red Hat are nice looking distros but I would rather go with Debian. Debian focuses on 1) being fairly up to date but not using the latest packages and 2) being very stable. Debian makes sure to use only the stable and latest packages.
No wonder so many distros are based off Debian. =)
You are better off switching to Debian or BSD. Just my advice.
You can check package versions for CentOS (& other distros) here with the latest versions listed on the left side:
CentOS "bind" looks like a pretty old version and I believe he may have used a hack to get control from there.
A Linux forum is best to get proper support and information. Later.
OS should never be more than 1 year old On Linux distros, support for older versions gets dropped so you have to upgrade to newer version.
Red Hat Enterprise Linux 5 (that's what the el5 indicates) is supported for 7 years from General Availability, with an extra 3 years of support as a payable extra taking it to 2017.
But most likely the black hats got in through third party software like a web forum anyway.
Yes, it's difficult to track down where the vulnerability is, but I'm pretty certain it's not OS related, rather a Joomla component/module/plugin.
Ok I see what you mean. Makes sense and very likely what happened here.
Yes, maybe true but they use lots of older packages/parts to create their Linux distro. There also are security vulnerabilities by using these older parts. Software and OSes are updated for bug fixes, close security holes and add newer features otherwise people would not upgrade things like their browsers or OSes or install "Windows" updates.
I quickly looked at BIND and it seems some security issues affect the newer versions, others affect the older versions and some affect many versions. Hard to know which version is best to use.
Once an issue is found they should work on fixing it rather than just keep on adding more and more features and making newer and newer releases. What good is it to release newer versions with the same issues???
Karl, you will need to either find out the security issues in the Joomla version you're using or try upgrading to a newer version if you have not already. Both will help you out.
Might be able to find the perps, they uploaded the image to herosh.com ... http://img102.herosh.com/2011/01/20/482692461.gif I bet they logged the IP.
Yes, maybe true but they use lots of older packages/parts to create their Linux distro. There also are security vulnerabilities by using these older parts.
As part of Red Hat's ten year support programme they backport fixes, especially security fixes. This provides stability without compromising security. For example a few weeks ago they delivered kernel-2.6.18-238.12.1.el5. As you observed earlier the 2.6.18 kernel was released several years ago, but this version includes hundreds of subsequent fixes while otherwise behaving exactly the same, providing customers with a system they can rely on.
They don't release newer versions with the same issues. Because BIND is important infrastructure software they maintain several branches in parallel. If a problem is found which affects the root of some or all of these branches, all the affected branches must be updated with a fix.
You are confusing version numbering with age. bind 9.8.0 isn't newer than 9.7.3-P3 or 9.6-ESV-R4-P3, and it doesn't somehow "reintroduce" bugs fixed in those versions; instead it is older than they are, and they are from branches which subsequently backported fixes for bugs also discovered in the 9.8 branch.
As part of Red Hat's ten year support programme they backport fixes, especially security fixes. This provides stability without compromising security. For example a few weeks ago they delivered kernel-2.6.18-238.12.1.el5.
Ok, I see this. The subsequent numbering is confusing. I guess the 238 is the # of patches. el5 = (Red Hat) Enterprise Linux version 5. Not sure what the 12 & 1 are. I have to assume they backport fixes for their packages too if it is long term support. I was thinking more of regular distros that stop supporting an older version, i.e., Debian Lenny, where they stop providing newer packages & updates after a certain amount of time.
Ok, I never said they reintroduce bugs, just that they have security issues that span multiple versions of BIND. Like this one, where it affects 9.4.3, 9.5.0, 9.5.1, 9.6.0 and earlier.
I expect 9.5.0 to come before 9.6.0 but the issue was carried forward to 9.6.0 branch. Maybe they missed finding it till then?
Their summary page gives a better listing:
9.0 (all versions), 9.1 (all versions), 9.2 (all versions), 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.4.0, 9.4.1, 9.4.2, 9.4.3, 9.5.0, 9.5.1, 9.6.0
Maybe they never saw this issue till later on? Or maybe they never got around to fixing it? Without looking more into it I cannot say. I see this for multiple security issues.
Another example: CVE-2008-1447
8 (all versions), 9.0 (all versions), 9.1 (all versions), 9.2 (all versions), 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2, 9.5.0a1, 9.5.0a2, 9.5.0a3, 9.5.0a4, 9.5.0a5, 9.5.0a6, 9.5.0a7, 9.5.0b1
Seems these issues tend to affect many versions. Either they find them much later or do not get around to fixing them for a couple of releases. I cannot say which without looking further into it.
oddly this page is still accessible
I now realize that CentOS kernel was updated with security fixes and Karl was running a version from Oct 2010 (2.6.18-194.17.4.el5) which is not as bad as I thought.
Checking CentOS 5.6 updates I can see the latest version available is:
2.6.18-238.9.1 (April 2011)
The 238 would be the number of patches applied, but I still do not know what the 9 & 1 stand for.
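The kernel release strings quoted in the last few posts can be compared mechanically rather than by eye. This is an added example, not code from the thread, from CentOS or from Red Hat: it splits a uname -r string such as 2.6.18-194.17.4.el5 into the upstream version and the distro release field, then compares each field segment by segment with numeric segments compared as integers, a simplified form of rpm's own rpmvercmp (the simplification is mine). Whatever the individual release components stand for, they form an ordering key, so 238.12.1 sorts after 238.9.1, which a plain string comparison gets wrong. The two sample strings are the ones quoted in the thread; the 2.6.32-71.el6 string in the demo and all function names are constructed for this example.

```python
import re
from typing import List, Tuple

# Sample values taken from the thread (the strings Karl and the other poster quoted).
RUNNING = "2.6.18-194.17.4.el5"   # what server.haikuware.com reported via uname -r
LATEST = "2.6.18-238.12.1.el5"    # errata kernel mentioned later in the thread


def split_nvr(kernel_release: str) -> Tuple[str, str]:
    """Split a uname -r string into (upstream version, distro release)."""
    version, sep, release = kernel_release.partition("-")
    if not sep:
        raise ValueError(f"no release field in {kernel_release!r}")
    return version, release


def _segments(s: str) -> List[str]:
    # rpm compares runs of digits and runs of letters as separate segments;
    # dots, dashes and other punctuation only act as separators.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: -1 if a < b, 0 if equal, 1 if a > b."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            # numeric segments compare as integers, so 12 > 9 even though "12" < "9"
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1   # a numeric segment outranks an alphabetic one, as in rpm
        return (x > y) - (x < y)     # both alphabetic: plain lexical order
    # all shared segments equal: the string with segments left over is the newer one
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_kernels(a: str, b: str) -> int:
    """Order two uname -r strings: upstream version first, distro release second."""
    va, ra = split_nvr(a)
    vb, rb = split_nvr(b)
    c = rpm_vercmp(va, vb)
    return c if c else rpm_vercmp(ra, rb)


def is_behind(running: str, latest: str) -> bool:
    """True when the running kernel is older than the latest available build."""
    return compare_kernels(running, latest) < 0


if __name__ == "__main__":
    print("running:", RUNNING, "latest:", LATEST, "behind:", is_behind(RUNNING, LATEST))
    # Same upstream 2.6.18, only the release field differs: rpm ordering vs naive strings.
    print("rpm order 238.12.1 > 238.9.1:", rpm_vercmp("238.12.1.el5", "238.9.1.el5") == 1)
    print("naive string order says 238.12.1 < 238.9.1:", "238.12.1" < "238.9.1")
    # Constructed el6 string: a higher upstream version wins regardless of the release field.
    print("el5 build older than 2.6.32-71.el6:", compare_kernels(LATEST, "2.6.32-71.el6") == -1)
```

The point of splitting on the first dash is that the upstream version and the distro release are two different things: a 2.6.18 kernel with a high release number can carry years of backported fixes, so "2.6.18" on its own says nothing about how current the build is.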
You might consider running on top of Xen, which adds a bit of additional difficulty in hacking servers... and you get some nice features too.
You could look into doing some pen-testing with BackTrack as well; I think Metasploit would be the main program you would want to use to do that.
I believe I was in Haikuware as this happened, ...here: while reading the last comments posted on WindowDresser;
The date on the ImageShack .png above seems misleading. But I was faced with that same 'Qnas Damar' notice too as I returned to the homepage. The last cached Google page I can find on this indicates that path, but also shows a more recent time & date instead: 05 Jul 2011 18:27:15 GMT. At least that must be when I was in there but could not get back to the homepage from there again, or since..
This could be the actual time it took place on Tuesday. ... if that might be of any help.
Subsequently now, after any attempt I make to approach Haikuware from any angle at all, (including that 'Dell' forum page), I'm now met by the LiteSpeed server request for "Authentication Required: Enter username and password for "Admin" at http://haikuware.com" - Is this the way of closing off the site to limit access for now? ..find no problem logging in to BeBits..
Think I was in there under R1a3, but may have also been testing a new install of an old R5.0.3 build of XbeoX freshly downloaded then.. not sure.. Took me till now to trace any mention of this to here! So I assume everyone must be locked out in this same way??
Yes, I'm looking into the problem as I want to make sure it doesn't happen again. I've temporarily locked the public out until I get things sorted out. I'm about 60% done, but don't have too much time in the next couple of days, as I'm off to Europe. Haikuware should be up, at the absolute latest, mid-next week :)
Thanks for your patience.