How hard is it to actually hack a website?

Printable View

02-15-2009, 02:02 PM
DEAR _JOHN

My computer knowledge goes back to the 70's (fortran, rpg, cobol, assembler programming in high school, some on college) so I am not much into the computer things that are going on in this day and time. I'm not totally illiterate in the computer world, but not advanced either.

This being stated, how hard is it to hack into a website? Is it simply guessing a password and going from there? I have heard things about back door this and that (saw the movies Hackers and Wargames), but don't really know. Can't they use just one really complex password to protect the system?

Just curious is all.

Just also glad we have another site to post on, but can't hardly wait to get back to the regular site.
02-15-2009, 03:37 PM
GneissGuy

I have no inside info on how ASPD was hacked. However, there have been a number of web sites lately hijacked through "SQL injection" attacks. Some of these were very corporate, professionally run web sites.

Gross simplifications follow:

Web sites can be hacked many ways.

It can be a password attack, but there are other ways.

A very common way is to find a program that runs on the server that has a high level of authority to change things on the server. Then find a way to make that program do something that lets you take over the computer.

One very common example is a "buffer overflow." A program takes information from the internet as input. It takes that information and stores it in buffer in memory. The program uses a buffer that is, for instance, 100 bytes long. You feed it 1000 bytes instead. A properly written program would only read 100 characters and then stop reading. A bad program may keep reading characters and writing them into memory. If the extra 900 bytes in memory include an area where a program is stored, the attacker has now changed the program running on the server. In some cases, this allows the attacker to do things he shouldn't be able to.

It sounds stupid, but buffer overflows are very common causes of security holes.

An SQL injection attack goes as follows. You have a database running on the computer. The database program reads data from the internet, formats it, and then runs commands against it. If there are some bugs in the database program, or in the instructions you wrote for the database, the attacker may be able to make your database execute commands he included in the data he sent you.

Imagine it's something like this. You post a thread that contains: "Hello, here I am, %FORMAT C: " The database program sees, the "%" and does a format command. This assumes the "%" character is something recognized by the database program as an "escape" character that tells it to execute the rest of the string as a command.

The actual attack would usually be considerably more complicated, but that's the idea. Obviously, I wouldn't post anything that actually works.

There are many other techniques that will allow an attacker to take over a program through the internet, if the programs on your computer have security holes.

Any modern server probably has dozens of programs that talk to the internet directly. Many of these programs process the data and pass some of it to other programs. Each of these steps has the possibility of corrupting one of these programs. If one of these programs has high enough authority, it may be able to do bad things, including corrupting other programs, or adding new programs.

Depending on which program you manage to corrupt, you get the ability to do varying levels of bad things. You may be able to change posts. You may be able to change web pages. You may only be able to change avatars. You may be able to take over the apache program that serves web pages. You may be able to take over the base operating system on the computer and do everything.

Most of these techniques don't care about passwords, because the program that gets corrupted is already "logged in" to the system.

Because there are so many programs running on the computer, it's difficult for the server administrator to be sure they're all secure. Many of the programs are written by other people, so you don't know for sure how secure they are, even if the author is entirely honest. Remember that Microsoft, a $100+ billion company, produces buggy code all the time. An honest Linux/GNU software producer is bound to make some errors, too.

As I said, I have no inside information on the ASPD attack.
02-15-2009, 03:51 PM
The Proper Stranger

And then there's social engineering. Basically tricking people into giving you the key instead of trying to pick the lock. Pretending to be an administrator who forgot a password, a customer with questions about their bill, tech support asking to troubleshoot your computer, etc.
02-15-2009, 05:40 PM
Mokoa

There are a lot of sites that continue to run old outdated releases of software. Over time hackers figure out what weaknesses these old releases have and share them among themselves. They know that the old releases are still around in many places so those places become easy targets. The release of vBulletin that ASPD runs is 2.2.8, that release is about ten years old and has weaknesses that are well known in the hacker community.
02-15-2009, 06:18 PM
DEAR _JOHN

It's ashame these hackers can't take their intelligence and do good with it instead of creating problems.
02-15-2009, 06:37 PM
Texas Passion

<div class='quotetop'>QUOTE (DEAR _JOHN @ Feb 15 2009, 05:18 PM) <{POST_SNAPBACK}></div>

Quote:

It's ashame these hackers can't take their intelligence and do good with it instead of creating problems.[/b]

Like changing red-lights during high traffic or busting the jerks that hack into bank accounts & Sperm banks!

Seriously help save our planet and global peace for all is the best anyone could possibly do.
02-15-2009, 07:53 PM
TexTushHog

Some would argue that some hackers do a useful social service by finding and exploiting holes in software. When they publicized them, it requires makers of the software to address the issue. In the case of ASPD, the hackers were obviously malicious, not just finding vulnerabilities and leaving a benign calling card.

However, and I'm relying on what has been reported and not on personal knowledge, by running wildly outdated and vulnerable software, ASPD was asking for it. That certainly doesn't excuse the criminals who perpetrated the hack, but much of the blame, at least in my mind, lies at the feet of ASPD. It's like living in a high crime area and leaving your door unlocked, open, and advertising that you're gone and have expensive stereo equipment and lots of new flat screen TVs with no security lights around your house (after you've had a previous burglary). If my law firm treated our computer security like ASPD treated theirs, I'd be out of business. And I have far less valuable proprietary information that ASPD does and don't directly derive any of my income from computer data. I doubt my firm is hack proof, but we have daily updates of software, hardware and software firewalls, daily backup of data, VPN only outside access, etc.
02-16-2009, 02:41 AM
GneissGuy

<div class='quotetop'>QUOTE (TexTushHog @ Feb 15 2009, 06:53 PM) <{POST_SNAPBACK}></div>

Quote:

Some would argue that some hackers do a useful social service by finding and exploiting holes in software. When they publicized them, it requires makers of the software to address the issue. In the case of ASPD, the hackers were obviously malicious, not just finding vulnerabilities and leaving a benign calling card.[/b]

Would you argue that Bernie Madoff did a service by pointing out the inadequacy of the financial regulators?
Would you argue that a car thief does a service by exposing inadequate security systems for cars?
Muggers exposing people's carelessness in where they walk?
Burglars showing that people don't secure their homes well enough?

<div class='quotetop'>QUOTE (TexTushHog @ Feb 15 2009, 06:53 PM) <{POST_SNAPBACK}></div>

Quote:

...
However, and I'm relying on what has been reported and not on personal knowledge, by running wildly outdated and vulnerable software, ASPD was asking for it. That certainly doesn't excuse the criminals who perpetrated the hack, but much of the blame, at least in my mind, lies at the feet of ASPD. It's like living in a high crime area and leaving your door unlocked, open, and advertising that you're gone and have expensive stereo equipment and lots of new flat screen TVs with no security lights around your house (after you've had a previous burglary). If my law firm treated our computer security like ASPD treated theirs, I'd be out of business. And I have far less valuable proprietary information that ASPD does and don't directly derive any of my income from computer data. I doubt my firm is hack proof, but we have daily updates of software, hardware and software firewalls, daily backup of data, VPN only outside access, etc.[/b]

1) Do you know that ASPD was hacked because of old software?
2) People have a higher reasonable expectation of privacy and security dealing with a law firm than they do dealing with a site like ASPD.

I can guarantee that your computers are vulnerable to something. The question is whether a fix will be published and applied to your computers before some criminal hacker uses it to attack you.

For instance, Windows XP was released in 2001. At the end of 2005, a "WMF" vulnerability was found. A specially crafted "WMF" graphics file could be embedded in a web site, e-mail, etc.. If you browsed such a page with an unpatched version of Windows XP or Windows 2000, the WMF file could compromise your system. You did not have to click on a link. ASPD or any web site that allows you to post pictures, possibly even avatars, could be used to hack your computer. Everyone's XP or Win2k machines were susceptible during this time. If a criminal hacker knew about the exploit, he could hack you. Luckily, the fix was published pretty quickly after the vulnerability became widely known. No one is really sure that some smart criminal didn't figure this out in 2001, and quietly hack computers for 4 years without being noticed.

I can almost guarantee you that there are similar bugs in some of the software you're running now. Microsoft and Linux discover security holes all the time and issue patches. Most of these security holes sit silently on your computer for years before the criminals or the good guys discover them.
02-16-2009, 09:15 AM
yardape

I've lost count of the number of popular, popularly-used, and high-visibility web sites and web-based network facilities that have been successfully hacked since, say, 9-11. There must be tens of thousands. You have targets of opportunity - e.g., credit card processors and banks, high value targets to terrorists and political nemeses - e.g., military and defense contractors, business targets - e.g., a competitor's trade secrets, and targets that offend somebody's sensibilities or social obsessions - e.g., ASPD or, some of you will recall, Ogrish, which carried beheading videos and Abu Ghraib photos a few years ago. It's so common that Congress and most of the states have passed "computer fraud and abuse" laws with stiff prison time, fines, forfeitures, and civil damages to vindicate and compensate proprietors of information technology harmed by a perp's unauthorized access. The economic costs have grown exponentially, to the point that insurance companies don't want to cover them in, say, your general business property damage policy. It's a wonder, a miracle, that all the largest global financial institutions, the IRS and the Social Security Administration haven't been totally plundered by hackers. Governments and the largest corporations can spend whatever it takes to keep their web-based networks relatively secure. But everybody else is whistling past the graveyard. Hackers who want in badly enough will get in. Someone among them already knows what you did to secure your web site and your server before you did it. It's just a matter of underworld networking + trial-and-error. If the users of a facility like ASPD wanted it walled off like it were, say, Exxon, sure, it's do-able. But would anybody come? Therein, I think, lies the dilemma.
02-16-2009, 09:29 AM
ck1942

Let's put it this way, and I am citing common knowledge that has been widely reported:

Top secret U.S. government websites, computer systems, etc. have been infiltrated, compromised, copied.

If the U.S. military cannot keep hacktoids out, can we expect any civilian site to do much better?

That said, in the case of aspd, it's not so much about the loss of data, but the loss of control, the loss of format, and the regaining and the restoring of same.

Regaining control was easy enough. Locking out the whoevers is "apparent," but then the chore is to to make sure they are locked out and that the entire system is protected from further intrusions to the best of our ability, and then...

...improvement of the site and restoration of the data bases can begin, which it has.

The important thing to remember, and trust me, I know what I am about to say is true, the entire existing data base as we know it was backed up and will be made available as soon as the programmers determine no "timebombs" or "surprises" were left behind.

Cannot promise much more than that, and cannot at this point offer a firm time-table, but I do know that we appear to be closing in an announcement. (OK, I sound like a broken record, but I do know progress is being made, even if only inch-by-inch or is that MegaByte by MegaByte?)

Meanwhile, for those who are here at home2, life goes on, and more are here every day.

Feel free to spread the word to those you know to be genuine providers or bcd members at aspd.
02-16-2009, 12:02 PM
Ghostface147

It's not hard at all. Social engineering is a valid and useful way of hacking, but I can hack any moderate site in less than a day. I agree with what Texastushhog says, ASPD brought it upon themselves by using outdated software. However there was no need to hack it as bad as they did. Most hackers get in to just poke around and say they did it. The select few are the destructive ones. Regardless, good thing we have this board.
02-16-2009, 08:14 PM
devo

Yeah, well, I saw this documentary last year, and these bad guys crashed the whole US financial market, so they could steal a bunch of money, and get this....It was Bruce Willis that killed all those bad guys because they had his daughter kidnapped, and he set everything right.

A Hollywood actor, and he saved the world.

I'll bet he doesn't even have any computer skills..... :o
02-17-2009, 01:16 PM
geniusman

Thank you so much for all the updates ck. I think that we should all be patient as I need to learn how to be LOL
02-19-2009, 04:51 PM
sunfish

wow !!!!
02-20-2009, 06:15 PM
713hobbyman

CK- Thank you for all of your hard work to keep us updated and as informed as you can.
02-21-2009, 03:59 PM
bbkid

CK, thanks for keeping us up to date on what is going on. We appreciate all the efforts that are being made to get the site back going again.
02-24-2009, 09:44 PM
johnny_porn_star

In regards to this subject I am a professional. Original Big Three.

If ASPD where my client I would have simply done to following if true backups existed: (by 'true' I mean valid data that is NOT compromised)

1. I would have the board software vendor on the phone and decide upon the best most up to date board version that supports my existing backups.

2. I would discuss with board software vendor which Operating Systems are available for my chosen platform which again support my existing backups. I would also discuss HTTP server change.

3. If at all possible, I would change the OS, perhaps even platform if money is not an issue. Quite simple: Completely re-image existing hacked server. Examples: Change Linux vendor versions. Buy a nice little Sun or IBM pizza box.

4. With fresh OS installed, I would have next installed latest board software. Perform all required processes and change management updates.

5. Restore databases. Done.

The point of the above is that IF the backups are valid, there is no need to mess around with a compromised OS. Wipe the OS, install new board software, update board, perform restore, done.

I realize with #4 if no change management processes existed, there could be A LOT of work before a restore could take place.

Why # 3?
Because, if truly hacked by those suspected, they are waiting and WILL RETURN.
Platform and OS change will allow at least some time to monitor site activity.
Come back up with the same OS that was hacked..... forget it.
Come back up with a freshly installed OS, but not an upgraded or different version.... forget it, unless patching and updates where not being practiced, the hackers will know exactly where to hit next.

Since the site runs an Apache HTTP server based upon a RedHat Linux platform, if the OS is not completely re-installed, it is just gonna be a time bomb.
Not a fault of RedHat, but a fault of running ten year old board software.
02-25-2009, 02:37 AM
GneissGuy

I'm not on ASPD staff any more. I have no serious inside information here, just what's been made public.

Your solution simply wouldn't work well. The board software is heavily customized. Things like BCD access, BCD credit, review counts, credit, warning points, etc. are unique or heavily customized. All these customizations have to be redone if the board software is updated.

You may argue that the right solution is to update all this stuff up to the new version of the board software. I won't say you're wrong. I will say that that's not likely to happen quickly.

You are also implying that the board was hacked due to obsolete software. You don't know that, but it's fun for us to get on our high horses and act superior like we know everything. It's entirely possible that the attack that was used would have worked even if everything was up to current patch level.

Remember that high dollar corporate web sites with up-to-date software get hacked all the time. The corporate guys have enough staff to quickly rebuild things from scratch. ASPD doesn't have hordes of high dollar IT staff to pop up and change things willy-nilly overnight. Perhaps if we were a big-time subscription-only web site, but we're a user-service-oriented web site.

You're offering a million-dollar solution. We're not a million-dollar corporation. We're a community of people with like interests helping each other.

The idea that one should blindly change bulletin board software, web server, OS and platform "just because" is also silly. You need to determine how the board was hacked, why you had the vulnerability, and whether there is a fix.

If, for instance, you found out that there was a security hole in the pbl demon on XYZ Linux that was used, fix that security hole. Changing to GHI Unix just to make a change would be foolish, unless you know that GHI Unix is, in general, more secure. It may very well be that XYZ Linux with the pbl patch is much more secure than GHI Unix.

If the security hole used was in, for instance, the apache server, changing the platform, hardware, and board software wouldn't do anything to help prevent another hack, unless you fix the security hole in the apache server.

I won't say the site was maintained correctly. I think we could do better. I hope we do better in the future. Yes, maybe the board was hacked because the board software was old. I don't know. I just don't like having people speak up assuming the worst about the way the board was run when they don't know the details.

I'll also agree that if I had a multi-million dollar corporate client, I'd do many of the things you suggest. Not because it would necessarily make the company more secure, but because it give the appearance of security and gives you a good level of plausible deniability. "Your honor, we spent $3 million fixing and upgrading the web server." Never mind that you didn't really fix anything related to what went wrong. As the CIO, you have to look good to the board, stockholders, and Wall Street.

I also agree, long term, that we should migrate to a much later version of bulletin board software, and keep the rest of the software up to date. Actually, forget "long term." It needs to be soon. I just don't think we necessarily have to do all that stuff before we bring ASPD back to life.

Note: Yes, I say "we" a lot. I'm part of the community, not part of the management or volunteer staff.
02-25-2009, 11:31 PM
Yak_Man

<div class='quotetop'>QUOTE (johnny_porn_star @ Feb 24 2009, 08:44 PM) <{POST_SNAPBACK}></div>

Quote:

In regards to this subject I am a professional. Original Big Three.

If ASPD where my client I would have simply done to following if true backups existed: (by 'true' I mean valid data that is NOT compromised)

1. I would have the board software vendor on the phone and decide upon the best most up to date board version that supports my existing backups.

Assuming that you have an extended support agreement (aspd is 10 years out of date, right?) and /or market leverage. Barring that, the best you'll get is "upgrade to current release and call us back if you still have problems." Been there, done that, usually in the middle of the night with Trillions (honest, I'm not making that up - if the public only knew how money flows!!) of dollars at stake, with EVPs of MS, IBM, SUN, etc.

2. I would discuss with board software vendor which Operating Systems are available for my chosen platform which again support my existing backups. I would also discuss HTTP server change.

Hmm, was it the OS that was hacked? Was it HTTP? Was it some middleware? Was it SQL security? I don't know and I am not asking. I won't assume facts not in evidence. Perhaps the evidence is elsewhere and I've not seen it. The initial symptom on 2/7 was IMO, not usually indicative of OS issues, but application layer security issues.

3. If at all possible, I would change the OS, perhaps even platform if money is not an issue. Quite simple: Completely re-image existing hacked server. Examples: Change Linux vendor versions. Buy a nice little Sun or IBM pizza box.

That's a great plan if it was the OS that was hacked.

4. With fresh OS installed, I would have next installed latest board software. Perform all required processes and change management updates.

And how many testing iterations must be done to determine a stable platform? If aspd's software is as far out of date as has been mentioned in this thread, it will take MULTIPLE iterations to determine the software works, the security is sound and the databases are in tact for the new front end. Is it possible that this is EXACTLY what is happening during this outage?

5. Restore databases. Done.

The point of the above is that IF the backups are valid, there is no need to mess around with a compromised OS. Wipe the OS, install new board software, update board, perform restore, done.

Not if upgrades are in the plan, especially if the "bad" software is multiple revisions old.

I realize with #4 if no change management processes existed, there could be A LOT of work before a restore could take place.

Why # 3?
Because, if truly hacked by those suspected, they are waiting and WILL RETURN. AGREED!!!
Platform and OS change will allow at least some time to monitor site activity.
Come back up with the same OS that was hacked..... forget it. Was it the OS or was it SQL?
Come back up with a freshly installed OS, but not an upgraded or different version.... forget it, unless patching and updates where not being practiced, the hackers will know exactly where to hit next.

<span style="color:#4169E1">Agreed again if that was the point of attack. If the point of attack was elsewhere, say the middleware security, "fixing" the OS won't have great effect.</span>

Since the site runs an Apache HTTP server based upon a RedHat Linux platform, if the OS is not completely re-installed, it is just gonna be a time bomb.
Not a fault of RedHat, but a fault of running ten year old board software.[/b]

If it's not a fault of RedHat, why worry about reinstalling the OS? (Honest question, not rhetorical.)

I've been a multi-user OS operations manager for 25 years....everything from TSO to VM to OS/2 (I hate to admit that) to Novell to Windows to AIX to Sun to Linux. I hear what you're saying and there's a strong ring of technical truth to it. Unfortunately, there are business issues that interfere with a truly technical solution and I doubt either of us truly understand the exact situation faced by the staff.

They're working hard and I'm sure they're doing everything they can do professionally to take care of this situation and the business at hand. I for one won't be second guessing them.
02-25-2009, 11:57 PM
Sysiphus

<div class='quotetop'>QUOTE (Yak_Man @ Feb 25 2009, 10:31 PM) <{POST_SNAPBACK}></div>

Quote:

I've been a multi-user OS operations manager for 25 years....everything from TSO to VM to OS/2 (I hate to admit that) to Novell to Windows to AIX to Sun to Linux. [/b]

Hey, hey, hey!!! There was nothing inherently "wrong" with OS/2. It was more a case of IBM being out-maneuvered & turned every-which-way-but-loose by more savvy corporate entities... :lol:
02-26-2009, 12:29 AM
GneissGuy

<div class='quotetop'>QUOTE (Sisyphus @ Feb 25 2009, 10:57 PM) <{POST_SNAPBACK}></div>

Quote:

Hey, hey, hey!!! There was nothing inherently "wrong" with OS/2. It was more a case of IBM being out-maneuvered & turned every-which-way-but-loose by more savvy corporate entities... :lol:[/b]

He's probably hating to admit he's old enough to know VM, TSO, and OS/2. Sometimes you don't want to admit knowing something like TSO, because then someone will want you to fix a problem on some dinosaur system with no documentation, but the company dies without the program. With the CEO breathing down your neck. You get no particular credit for fixing the problem, because it's ancient, unimportant, software. Then you own the program (officially or unofficially) for the rest of your career. They won't give you a budget to fix it because you made it work last time, and it's worked for the last 10 years with only one major crash.
02-26-2009, 03:30 AM
TexTushHog

I'd have a much better feeling about things if Yak Man and Sisyphus were the ones working on getting things fixed.
02-26-2009, 09:18 AM
yardape

GG makes a good point that, I've come to believe, is common to nearly every technical or professional field. The moral of the story seems to be, "Careful what you did well, did right, still works, for somebody 10 or even 20 years ago." Confronted with the slightest threat today, they'll expect you to fix it or patch it for free, or at ancient rates.
02-26-2009, 12:48 PM
nuglet

LOL; Ain't it funny how the "new guy" always knows ALL the answers.. never fails.. TFF
02-26-2009, 03:49 PM
Mokoa

VM? TSO?

Ah yes, the old IBM Mainframe days...

http://www.computermuseum.org.uk/pic...web%20site.jpg

http://www.techsystemsps.com/images/...IBM370-155.jpg

:)

VM is the best mainframe software out there.
03-03-2009, 02:02 PM
laserface

<div class='quotetop'>QUOTE (Mokoa @ Feb 26 2009, 03:49 PM) <{POST_SNAPBACK}></div>

Quote:

VM is the best mainframe software out there.[/b]

I have a test system that I run an old, old version of VM on, under Hercules...

But honestly, I am and always will be an old OS/1100 (or EXEC-8, for people who are even older than I am...) guy at heart... :)
03-03-2009, 02:59 PM
Texas Passion

<div class='quotetop'>QUOTE (laserface @ Mar 3 2009, 01:02 PM) <{POST_SNAPBACK}></div>

Quote:

But honestly, I am and always will be an old OS/1100 (or EXEC-8, for people who are even older than I am...) guy at heart... :)[/b]

:) Laserface,
Sorry sweetie I just couldn't resist....
laserface
Newbie
Age Unknown years old
Gender Not Set
Location Unknown
Birthday Unknown
...lol as long as we know what we are and that we do have a heart of gold, nothing else really matters right? Are you just being discreet...lol
As to being old with knowledge that should come with life be proud of your age! As to you youngens are getting smarter & smart & thats a good thing as long as you use it to do good things.
Yes we learn some valuable info on this thread.
People create programs and back in the day no one was thinking of hacking into systems. People make mistakes & learn from it. We are humans therefor we could only be 99.99 percent perfect.
Just because something or some one is vonurable does not give anyone the right to cause one harm. This is all fantasy guys & you know how fantasy becomes reality right? Its not always good!
So is people involved of just systems hacking systems with no operator? Scary?
Have any of you noticed your credit cards being attacked since Aspd was hacked or weird phone calls or emails?
You all now should know when paying for such type of activities Hobby related you should all by now have replaced any private info and try hard not to leave paper trails.
You think this could possible some form of Terrorism? L.E. investigations? Some prankster? Or just a sad sad case of one Jerk with out any respect for even himself?
03-03-2009, 04:20 PM
laserface

<div class='quotetop'>QUOTE (Texas Passion @ Mar 3 2009, 02:59 PM) <{POST_SNAPBACK}></div>

Quote:

...lol as long as we know what we are and that we do have a heart of gold, nothing else really matters right? Are you just being discreet...lol[/b]

Heh ... partly discreet, and partly lazy. I never bothered to update my profile with my gender and location (now fixed). I never put my age or birthday in a message board profile... :)
03-21-2009, 10:48 PM
CyberProf

As someone who "hacks" for a living - let me put a few cards on the table:

1) We will probably never know who did this or why - it takes a lot of time (and that means money) to trace this down - we are still working the Estonia hack and have only discovered three seperate cases of "guilty parties"

2) Answer to #1 doesn't really matter - what matters is how you recover. And for recovery, the most important thing is backup, backup, backup.

3) You can't really recover until you understand how you were hacked, or the bad guy can do it all over again right away. You have to close the door before you go back on line.

4) If this person was good, they might well have left other goodies behind when hacking (ie backdoors, agents to call out past security, keyloggers, etc.) The only path is a complete reinstall, from OS up, including all patches. If you have a known clean backup, then you can use that, but you still have to deal with #3.

Lastly - I am assuming that the recovery is including a complete site update. This may be necessary because of item #3, or this may simply be the best time. Either way - it takes time and money to get this stuff done, so our best actions is to thank CK for updates, thank CK and others for making this solution work and remember

Be careful out there in everything you do. Not paranoid, just careful. Criminals exist - we saw what they did to aspd - don't let a criminal take advantage of you.
03-26-2009, 11:30 PM
Meiji

<div class='quotetop'>QUOTE (Yak_Man @ Feb 25 2009, 09:31 PM) <{POST_SNAPBACK}></div>

Quote:

If it's not a fault of RedHat, why worry about reinstalling the OS? (Honest question, not rhetorical.)

[/b]

As Cyberprof said, if there's reason to suspect that the exploit was through the OS or that the hacker gained administrative access to the system, wiping the OS and installing from original media is the easiest and most thorough way to be sure no exploits/backdoors remain.
03-26-2009, 11:57 PM
GneissGuy

<div class='quotetop'>QUOTE (Yak_Man @ Feb 25 2009, 11:31 PM) <{POST_SNAPBACK}></div>

Quote:

If it's not a fault of RedHat, why worry about reinstalling the OS? (Honest question, not rhetorical.)
[/b]

Maybe a clean, updated RedHat install was a good idea, whether it had anything to do with the hack or not. Why not do all the maintenance that makes sense while the board is down?