Server breached UPDATE (tl;dr: false alarm)
- MrStonedOne
- Host
- Joined: Mon Apr 14, 2014 10:56 pm
- Byond Username: MrStonedOne
- Github Username: MrStonedOne
Server breached UPDATE (tl;dr: false alarm)
So this weekend I found out that my VPS provider is stupid.
Tech speak incoming, scroll down for the non-tech inclined version
When I woke up last weekend to discover the server was down, the first thing I did was log into ssh, only to get a "can not authenticate" error (I'll later find out that this isn't the same as an "authentication denied" error). Panicking, I logged into the VPS control panel and had it reset the ssh password. Still nothing. I opened the web based console, and it auths me into my server just fine.
First thing I did was check the auth logs, and discovered it only had a few lines, all from the same few minutes. It was at this point I assumed the server had been breached, and what I was seeing was what was logged after the intruder cleared the logs to hide their tracks.
What I knew at that time was the following: Site was down, remote shell wasn't letting me in, authentication logs were gone.
What I didn't know at that time: Server had no free memory, this was what was keeping both the website and the server remote shell from doing anything, and the log files were never getting written.
Turns out the disk image my VPS provider (VPS == virtual private server, think VMware based servers) used had a poorly configured syslogd, so it wasn't even running. None of the syslog controlled logfiles had anything other than from the boot from when they were setting up the image.
In short, Server wasn't hacked.
Non techy version
Server wasn't hacked. I thought it was because the site was down, remote login wasn't working, and log files relating to people logging in to the server were too short to be complete, looking as if they had been modified.
Turned out that the initial configuration from my hosting provider had an error, so the program that made the log files wasn't writing them, and the only logs I was seeing were from when the hosting provider logged in to set up the master image they clone all the servers from.
Also turned out that the site keeps going down because my server needs more mem/ram. So I'll be working on that.
You may now return to your panicking
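The false alarm described in the post above, as a triage check (an added example, not part of the original post and not the host's own script): it separates "nothing has written to the auth log since boot" from "the log is being written but is unusually short", and reports memory exhaustion alongside. Function names, the `--run` switch and both thresholds are assumptions.

```shell
#!/usr/bin/env bash
# Added example: triage helpers for "the auth log is suspiciously short".
# Thresholds below are assumptions; tune them for the host.
MAX_MINUTES=5        # a log spanning this few distinct minutes counts as short
MIN_AVAIL_KB=16384   # below this much free RAM + swap, treat memory as exhausted

# Free memory plus free swap in kB, read from a /proc/meminfo-format file.
# Uses MemAvailable when the kernel provides it, MemFree otherwise.
avail_kb() {
    awk '/^MemAvailable:/ {a=$2; have=1}
         /^MemFree:/      {f=$2}
         /^SwapFree:/     {s=$2}
         END {print (have ? a : f) + s}' "$1"
}

# Number of distinct "Mon DD HH:MM" stamps in a traditional syslog file.
distinct_minutes() {
    awk '!seen[$1 " " $2 " " substr($3,1,5)]++ {n++} END {print n+0}' "$1"
}

# Succeeds if the file was modified at or after the boot epoch in $2.
# A missing file fails the check. mtime is a hint, not proof.
written_since_boot() {
    [ "$(stat -c %Y "$1" 2>/dev/null)" -ge "$2" ] 2>/dev/null
}

# usage: triage LOG MEMINFO BOOT_EPOCH  -> prints "<log verdict> <memory verdict>"
triage() {
    if ! written_since_boot "$1" "$3"; then
        verdict=logger-not-writing     # entries predate this boot: check syslogd first
    elif [ "$(distinct_minutes "$1")" -le "$MAX_MINUTES" ]; then
        verdict=short-log-investigate  # being written, yet only a few minutes of data
    else
        verdict=log-ok
    fi
    if [ "$(avail_kb "$2")" -lt "$MIN_AVAIL_KB" ]; then
        echo "$verdict memory-exhausted"
    else
        echo "$verdict memory-ok"
    fi
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--run" ]; then
    triage /var/log/auth.log /proc/meminfo "$(awk '/^btime/ {print $2}' /proc/stat)"
fi
```

A `logger-not-writing` verdict means the next step is confirming whether the syslog daemon is running at all, before reading the short log as evidence of tampering.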
- danno
- Joined: Wed Apr 16, 2014 5:07 pm
- Byond Username: Dannno
- Location: e-mail me if you want a pizza roll
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
so what you're saying is all our steam games are stolen
-
- Joined: Fri Apr 18, 2014 9:02 am
- Byond Username: Miggles
- Contact:
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
no you idiot the NSA hacked all our passwords and they're gonna steal all the porn off of our hard drives
dezzmont wrote:I am one of sawrge's alt accounts
dezzmont wrote:sawrge has it right.
Connor wrote:miggles is correct though
- MisterPerson
- Board Moderator
- Joined: Tue Apr 15, 2014 4:26 pm
- Byond Username: MisterPerson
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
Quick, install gentoo a couple dozen more times
I code for the code project and moderate the code sections of the forums.
Feedback is dumb and it doesn't matter
-
- Joined: Fri Apr 18, 2014 9:02 am
- Byond Username: Miggles
- Contact:
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
/g/entoo
dezzmont wrote:I am one of sawrge's alt accounts
dezzmont wrote:sawrge has it right.
Connor wrote:miggles is correct though
- Stickymayhem
- Joined: Mon Apr 28, 2014 6:13 pm
- Byond Username: Stickymayhem
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
Phew. For a moment there I thought they were going to catch me.
Boris wrote:Sticky is a jackass who has worms where his brain should be, but he also gets exactly what SS13 should be
- Jeb
- Joined: Thu Apr 17, 2014 4:01 pm
- Byond Username: Stapler2025
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
What are the specs of the VPS? If I can run a xenforo forum, MySQL, apache/php on 1024mb of ram and a single 3.2ghz core, something's wrong with your setup.
- MrStonedOne
- Host
- Joined: Mon Apr 14, 2014 10:56 pm
- Byond Username: MrStonedOne
- Github Username: MrStonedOne
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
Jeb wrote:What are the specs of the VPS? If I can run a xenforo forum, MySQL, apache/php on 1024mb of ram and a single 3.2ghz core, something's wrong with your setup.
256mb of ram.
256mb of swap(ssh)
and for me it's shared access to a 2.6ghz core.
Note: I only pay 30 a year for this setup.
I used to run a tf2 server on this setup actually.
- Jordie0608
- Site Admin
- Joined: Tue Apr 15, 2014 1:33 pm
- Byond Username: Jordie0608
- Github Username: Jordie0608
- Location: Spiderland, Australia
Re: [GLOBAL]Server breached UPDATE (tl;dr: false alarm)
De-globalling topic.
Forum Admin
Send me a PM if you have any issues, concerns or praise of fishfood to express about the forums.