Server Hacked

Brian C brianwc at ocf.berkeley.edu
Fri Aug 19 07:29:24 UTC 2005


Hi,

Jeffrey W. Baker wrote:
> On Thu, 2005-08-18 at 23:17 -0700, Brian C wrote:
> 
>>ADB wrote:
>>
>>>I doubt it. What services were/are you running? Did you use grsecurity
>>>or SELinux?
>>
>>I wasn't using either of those. I did run ... phpbb ... and probably
>>some other things.
>  
> phpbb is probably the single most dangerous thing you can install on a
> computer.  They should rename it "defaced".
> 
> Quite a leap to blame tor, although I can see how it might have
> attracted attention.  It's much more likely that they found your phpbb
> via Google.

Actually, I wasn't blaming tor. I just wondered out loud if publishing
my IP address in a relatively small list (what, about 300 now?) of
servers might raise the profile of my server and motivate someone to try
to deface it. (It's been running for over a year with little notice and
certainly no defacements.)

Also, the phpbb installation was not publicized. That is, that site
isn't linked to from anywhere really because I wasn't ready for it to
"go live". So, they didn't get there from Google. I agree though that
phpbb is notorious for security vulnerabilities and that it is a likely
suspect for my problem.

I'm still anxious for any recovery advice people have. What is the best
process for determining the source of the vulnerability and the
perpetrators' identities?

Brian



More information about the tor-talk mailing list