OMG, I've been hax0red!
So, after 4 years of running my own mail/web server, I've finally been hacked. And, as is usually the case, the cause was my own stupidity rather than some exploit in the software.
I'm generally pretty good about keeping my server locked down - I have my DSL modem NATing for me, with a hardware firewall inside that, with only a few ports open (SMTP, HTTP). And then... I decided to start a blog. Ironically, my desire to be as secure as possible is what let the hackers in.
Blogger.com has a nice feature where they'll host your blog, but if you give them FTP credentials, they'll copy the HTML pages to your server so you can host it too. Being a security-minded fellow, I didn't like the thought of FTP credentials floating around in cleartext on the internet every time I published my blog, so I set up Blogger.com to use SFTP, which is encrypted (although since there's no authentication of the server key, it's theoretically vulnerable to a man-in-the-middle attack, at least during the initial key exchange).
SFTP runs over SSH, so allowing Blogger.com to use SFTP required me to open the SSH port on my firewall. Well, no big deal, I thought - I'll just make sure I've fully patched up my server against any known exploits, and so having the SSH port open won't matter.
What I'd forgotten was that I'd set up an alternate account on the server as a catch-all for incoming junk mail. And I'd picked a pretty obvious name for this account, and an obvious password. Which is not a big deal when the only access for this account was via POP3, but now...
The first sign of trouble was when I was checking one of my mail accounts, and Outlook gave me a credentials error on this junkmail account. I figured that was weird, so I tried to log in to the server with that account, and got the same problem.
Piecing it together after the fact from the system logs, the .bash_history on that account, and some files the hacker left in a difficult-to-access directory called "/tmp/.: ", it looks like someone started doing a good old-fashioned dictionary attack on my server a few days ago. They finally guessed the password of my junkmail account, and logged in. The first thing they did was identify the OS, then try to download an exploit, first from Lycos (no surprise there), then from a hospital in Thailand. As far as I can tell the exploit failed, so they finally downloaded a script from a hacked server at prohosting.com. This script ("yahoo.sh") was scanning eBay for email accounts, either for phishing purposes or more likely to send spam. And I don't think they were even able to run the script, because I don't have any of the necessary executables installed.
So I don't know for sure that they did anything to the machine, but to be safe, I'm rebuilding my server from scratch right now. Debian makes it pretty easy to bootstrap a machine (download a 150MB CD-ROM image, burn it to a CD, boot it, it auto-configures the machine to use DHCP then downloads whatever packages you want over the net) - the only painful thing is that I have to re-configure my mail and HTTP servers, which is going to take a while (I need my mail server to support multiple domains and to route undeliverable mail to my junkmail account, and that always takes time to get right). On the bright side, I get to clean house a bit on the server, which is nice.
I think that this time, I'll let Blogger.com use plaintext FTP - at least FTP is a less inviting target for hackers than an open SSH port.
I wonder why the hacker decided to change the password on my account? And I wonder how long it would've taken me to notice if he hadn't changed it? Have you checked your server logs lately?
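A check of the kind that last question invites, added here as an example and not something from the original post: it reads OpenSSH auth-log lines in the syslog format Debian's sshd writes, counts failed password attempts per source address, and flags a successful password login from an address that had already racked up failures, which is exactly the pattern of a dictionary attack that finally lands. The log lines, hostname, usernames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (syslog format as written by OpenSSH on Debian);
# the hostname, usernames and IP addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Jan 14 02:11:07 mailhost sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 14 02:11:09 mailhost sshd[2203]: Failed password for invalid user test from 198.51.100.7 port 40124 ssh2
Jan 14 02:11:12 mailhost sshd[2205]: Failed password for junkmail from 198.51.100.7 port 40130 ssh2
Jan 14 02:11:14 mailhost sshd[2207]: Failed password for junkmail from 198.51.100.7 port 40131 ssh2
Jan 14 02:11:17 mailhost sshd[2209]: Failed password for junkmail from 198.51.100.7 port 40133 ssh2
Jan 14 02:11:20 mailhost sshd[2211]: Accepted password for junkmail from 198.51.100.7 port 40135 ssh2
Jan 14 08:30:41 mailhost sshd[2410]: Accepted publickey for blogger from 203.0.113.9 port 51002 ssh2
Jan 14 09:02:03 mailhost sshd[2433]: Failed password for alice from 192.0.2.44 port 60010 ssh2
Jan 14 09:02:10 mailhost sshd[2435]: Accepted password for alice from 192.0.2.44 port 60012 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Accepted password for X from IP"
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze_auth_log(text, threshold=3):
    """Return (brute_force_sources, suspicious_logins).
    brute_force_sources: {ip: failure_count} for IPs with >= threshold failed logins.
    suspicious_logins: [(ip, user)] for password logins accepted from an IP that had
    already failed >= threshold times earlier in the log (a guess that landed)."""
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd authentication event
        ip, user = m.group("ip"), m.group("user")
        if m.group("result") == "Failed":
            failures[ip] += 1
        elif m.group("method") == "password" and failures[ip] >= threshold:
            suspicious.append((ip, user))
    brute = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute, suspicious

if __name__ == "__main__":
    brute, suspicious = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, n in brute.items():
        print(f"{ip}: {n} failed logins")
    for ip, user in suspicious:
        print(f"WARNING: {user} logged in from {ip} after repeated failures")
```

On a real Debian box the input would be /var/log/auth.log; a key-based login with password authentication disabled never produces the "Accepted password" line this script looks for.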

2 Comments:
I thought your blog was cool and I think you may like this cool Website. now just Click Here
ROFL
I'm sorry, this is a really funny story. I {heart} irony!