Hi,
On Fri, Dec 07, 2012 at 02:19:42AM +0000, Andy Smith wrote:
> So I was contemplating posting an email thread to this ("users")
> list every time we become aware of a customer compromise, and I was
> wondering what you thought of that idea.
Someone asked off-list how many security incidents there had been in
the last year.
It's a little difficult to answer because I haven't been keeping a
structured record. There are support tickets for each one that we
know of, but they aren't in a standard format so are a little
difficult to search for.
After a quick search with terms that immediately spring to mind I can
see:
- 1 customer VPS doing FTP dictionary attacks.
  Source of compromise as-yet unknown (customer has allowed me to
  take a look but I haven't yet got around to it).
- 5 customer VPSes doing SSH dictionary attacks, which were
  themselves compromised by SSH dictionary attacks. One of these
  was a root account. In all cases the customer was running sshd on
  port 22 with password authentication enabled.
- 2 cases of customer VPSes engaged in direct denial of service
  attacks (packeting).
  One was broken into through an insecure Joomla template.
  The other was cause unknown since the customer never responded,
  but was probably fraudulently purchased from the beginning since
  the PayPal transaction was also disputed.
- 2 customers participating in a DDoS through their open DNS
  resolvers:
  http://bitfolk.com/orns.html
- 4 customers hosting bank phishing sites (i.e. they're hosting
  pages that are made to look like bank sites which people are
  directed to, and then after their info is filled in, the info is
  sent to the attacker).
  Cause as-yet unknown for one of these because it happened only
  last night.
  Cause for one was a WordPress exploit that allowed the attacker to
  upload a page of their own content. Not sure whether that was a
  case of an out of date WordPress install or a bad plugin.
  Cause for one was an unknown CMS which the customer left admin
  unpassworded.
  Cause for the last one was never determined and the customer did not give
  permission for us to examine. VPS was reinstalled.
- At least 20 reports of drones connecting to their C&C¹ channels
  through Tor exit nodes hosted by BitFolk customers.
  It's still abuse but there's nothing that can be done since it's
  Tor.
There'll probably be a couple more that I was unable to find, but
that's the gist of it.
Cheers,
Andy
¹ Command and Control -
http://www.shadowserver.org/wiki/pmwiki.php/Information/Botnets#commandandc…
--
http://bitfolk.com/ -- No-nonsense VPS hosting
"I'd be happy to buy all variations of sex to ensure I got what I wanted."
— Gary Coates (talking about cabling)
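The SSH cases in the list above (sshd on port 22, password authentication enabled, dictionary attack until a login succeeds) are the easiest of these compromises to spot before the VPS starts attacking others. The script below is an added example, not code from the original post or from BitFolk: it counts failed password logins per source in a constructed set of auth.log lines, notes whether a password login later succeeded from the same source, and audits an sshd_config fragment for the two settings that make that outcome possible. The log line format, the threshold and the assumed OpenSSH defaults are assumptions, not anything the post states.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log lines (not from the original post): one source guessing
# passwords until root logs in, and one legitimate user who authenticates with a key.
SAMPLE_AUTH_LOG = """\
Dec  7 01:58:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec  7 01:58:03 vps sshd[2103]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Dec  7 01:58:05 vps sshd[2105]: Failed password for root from 203.0.113.7 port 51041 ssh2
Dec  7 01:58:07 vps sshd[2107]: Failed password for root from 203.0.113.7 port 51052 ssh2
Dec  7 01:58:09 vps sshd[2109]: Failed password for root from 203.0.113.7 port 51063 ssh2
Dec  7 01:58:11 vps sshd[2111]: Accepted password for root from 203.0.113.7 port 51070 ssh2
Dec  7 02:10:44 vps sshd[2150]: Failed password for alice from 198.51.100.9 port 40022 ssh2
Dec  7 02:10:50 vps sshd[2152]: Accepted publickey for alice from 198.51.100.9 port 40023 ssh2
"""
# Constructed sshd_config fragment with the weak settings the post describes.
SAMPLE_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\n# PasswordAuthentication no\n"

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def find_dictionary_attacks(log_text, threshold=5):
    """Per source with >= threshold failed password logins: count, usernames tried,
    and any password login that later succeeded from that source (the compromise)."""
    failures, users, success = Counter(), defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            user, src = m.groups()
            failures[src] += 1
            users[src].add(user)
        elif (m := ACCEPTED_RE.search(line)) and m.group(1) == "password":
            _, user, src = m.groups()
            if failures[src]:  # Counter yields 0 for unseen sources without inserting them
                success[src].append(user)
    return {src: {"failures": n, "users": sorted(users[src]), "password_success": success[src]}
            for src, n in failures.items() if n >= threshold}


def audit_sshd_config(text):
    """Flag the two sshd settings that let a dictionary attack end in a compromise.
    Assumes OpenSSH defaults of 'yes' for absent or commented keywords, and that the
    first occurrence of a keyword wins, which is how sshd applies its config."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, value = (line.split(None, 1) + [""])[:2]
            effective.setdefault(key.lower(), value.strip().lower())
    findings = []
    if effective.get("passwordauthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: set to no and use keys")
    if effective.get("permitrootlogin", "yes") == "yes":
        findings.append("PermitRootLogin yes: set to no (or prohibit-password)")
    return findings
```

Point `find_dictionary_attacks` at a real `/var/log/auth.log` and `audit_sshd_config` at `/etc/ssh/sshd_config` to run the same checks on a live VPS.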