
Cracked!

Gad Zooks! We’re going old school with “cracked” instead of “hacked”, but the bottom line is that the wiki got defaced. Looking back, I now see four clues that I should have heeded. Not all are related, but they are all clues.

May 31: I start with our DSL provider to get the reverse DNS settings straightened out for some of the mail servers. One of our sister machines here is the mail server for our local LUG, and those guys don’t seem to miss much. This takes two weeks to complete and likely doesn’t have anything to do with any of these issues.

June 9: Mail from bugtraq starts timing out. Well, they recently changed mail servers and I’ve got rDNS issues, so I’m not sure where this falls. I’m concerned that one of my milters is peeved about the names moving.

June 10: Logwatch reports a seg fault in one of the daemons.

June 12: Logwatch reports an attempt to use a known hack on the Apache daemon.

June 18: STARTTLS posts a strange error.

June 20: I notice that the wiki is defaced.

So I’ve upgraded MediaWiki, changed the creds, and restored from backup, so it looks good. I’m not paranoid, but I am cautious, so I’ve alerted my users, set some traps, and am waiting patiently in the bushes to see what crops up.

June 22 update: It appears that this may have just been a small misunderstanding, specifically the kind of misunderstanding that comes from not reading all of the docs. I _may_ have allowed anonymous posting (the default) and just confused defacing with bot editing. Oops.
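The fix for that misunderstanding, as an added example rather than anything from the post: a LocalSettings.php fragment that turns off anonymous editing so only registered, e-mail-confirmed accounts can change pages. The variable names are standard MediaWiki configuration settings; the group names and the file location are the usual ones.

```php
<?php
// Added example, not from the post: LocalSettings.php settings that close the
// anonymous-editing gap described above. All variables are standard MediaWiki
// configuration; adjust to taste for a wiki that wants open editing.

// Weak (what the post ran into): anyone, logged in or not, may edit.
// $wgGroupPermissions['*']['edit'] = true;

// Hardened: anonymous ('*') visitors may read but not edit or create pages,
// and cannot self-register accounts; registered users ('user') may still edit.
$wgGroupPermissions['*']['read']          = true;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createpage']    = false;
$wgGroupPermissions['*']['createtalk']    = false;
$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['user']['edit']       = true;

// Require a confirmed e-mail address before a registered account can edit,
// which raises the cost of throwaway bot accounts.
$wgEmailConfirmToEdit = true;
```

No restart is needed; reload a page while logged out to confirm the edit tab is gone, then work through Special:RecentChanges to revert whatever the bots left behind.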
