My IRCd being hacked.

These are old archives. They are kept for historic purposes only.
mus3na
Posts: 25
Joined: Sun Apr 10, 2005 9:53 am

My IRCd being hacked.

Post by mus3na »

Someone hacked my ircd, got netadmin and glined all users including myself. They claim there is a bug in Unreal ircd and they used this bug to obtain oper. Is it true? Is there any patch?

Also, is there a way to protect the netadmin from being glined by other opers or co-admins?

irc.malaysia-edu.net
JIVXor
Posts: 134
Joined: Fri Sep 09, 2005 10:53 pm
Location: Cuba

Post by JIVXor »

What Unreal version?
"They claim"? Who? The *hackers*?
Are you sure this doesn't come down to a responsibility problem with your IRCops?
Don't you have physical access to the server?
Please be more specific so we can help you.
mus3na
Posts: 25
Joined: Sun Apr 10, 2005 9:53 am

Post by mus3na »

Who = hackers.

Currently I only have 1 co-admin and one global oper.

Netadmin = myself (own HUB and 2 leaf)
Co-admin = close friends (owning 2 leaf)
Global = close friends (owning 1 leaf).

All opers can be trusted and have no relation to the attacker. I also have changed their oper passwords several times and now use MD5 encrypted passwords with > 15 characters + numbers.

Some servers I have physical access to and some servers I control remotely. All servers are based on Windows OS, some Win2K SP4 with the latest patches and others Windows 2003 SP1 with the latest patches.

All user accounts on all servers have been denied log in to terminal server; only I have access to terminal server and I am Administrator on those servers.

Unreal version = Unreal3.2.3 ( created Sun Mar 13 21:40:50 2005 )

Precompiled, downloaded from the Unreal website with no patch.

Please let me know if you need more information including the conf, I can supply it. I really need help to solve this since this person has already hacked my ircd more than 10 times, got netadmin and glined everybody including myself.

I have reconfigured my ircd several times, and also strengthened my server2 configuration. At first I thought they were hacking my server using an exploit and from there gaining information related to my network, but my servers are using all the latest patches from Microsoft.

You are welcome to visit my network and monitor it to gain more info related to my problems.

Thanks in advance.
Syzop
UnrealIRCd head coder
Posts: 2117
Joined: Sat Mar 06, 2004 8:57 pm
Location: .nl
Contact:

Post by Syzop »

99% (if not 100%) of the time, it has nothing to do with an "ircd exploit" but you are simply being hacked in some other way... tons of options here (as to how to hack someone), of course... I don't even know where to start :P.
Any of the (probably.. tons) of services the box has open, sniffing (hint: use ssl), another very common one: one of your opers could be compromised (having drone/backdoor software [bit like a virus] on their computer, logging all their keystrokes and things like that), a vulnerable client used by an ircop, etc etc...

Now, did they ever touch any files from your UnrealIRCd? (assuming you don't have oper::options::can_addline, they should not be able to.. apart from adding text to motd via /addmotd etc, but that aside)... I mean, did they manage to change your config file or remove the whole ircd, or something?

Did you check your ircd.log to see what happened the past few hours - or whatever - before the "takeover" (you DO have a log block with all the logging enabled after 4 hack attempts huh? ;p).

etc etc...
JIVXor
Posts: 134
Joined: Fri Sep 09, 2005 10:53 pm
Location: Cuba

Post by JIVXor »

netadmin = myself (own HUB and 2 leaf)

So ... you're the only netadmin in the net and your partners have nothing to do with the server's accounts and don't have netadmin flags ... guess what? I believe that you should begin to worry about your PC.
mus3na
Posts: 25
Joined: Sun Apr 10, 2005 9:53 am

Post by mus3na »

This is the log from the latest attack; he managed to flood all of 1 HUB + 3 LEAF.

[19:24] <CyberSans> supporter la
[19:24] <CyberSans> coadmin la
[19:24] <CyberSans> butohadmin la
[19:24] <CyberSans> tapi pakai irc client lama pun dah goyang
[19:24] * CyberSans slaps mus3na around a bit with a large trout
[19:24] <CyberSans> apsal diam oi
[19:24] <CyberSans> nak perang ka
[19:24] <CyberSans> boleh saja
[19:24] <CyberSans> ingat ircd ko kuat sangat ka
[19:25] <CyberSans> tu ha NETADMIN ko TU
[19:25] <CyberSans> ingat dah cukup terer la main kill kill aku
[19:25] <CyberSans> bila masa pulak aku kaco?
[19:25] <CyberSans> ada bukti ka?
[19:25] <CyberSans> ha ni lagi sorang
[19:25] <CyberSans> bila masa aku kacau?
[19:26] <CyberSans> kang aku kacau bebetul kang
[19:26] <CyberSans> tak senang tido kang
[19:30] * Quits: CyberSans (~[email protected]) (Irc.UiTM.Malaysia-Edu.Net Irc.UM.Malaysia-Edu.Net)
[19:30] * Quits: Malaysia-Edu ([email protected]) (Irc.UiTM.Malaysia-Edu.Net Irc.UM.Malaysia-Edu.Net)
[19:30] * Quits: fitri_yazid ([email protected]) (Connection reset by peer)
.
.
.
-
[19:29] -Irc.UiTM.Malaysia-Edu.Net- Lost connection to Irc.UKM.Malaysia-Edu.Net[IP]:Connection reset by peer
-
[19:30] -Irc.UiTM.Malaysia-Edu.Net- Lost connection to Irc.UM.Malaysia-Edu.Net[IP]:Connection reset by peer
.
.
.
[19:36] * Joins: Malaysia-Edu ([email protected])
[19:36] <CyberSans> itu sebagai contoh amaran!
[19:36] <CyberSans> beware!
.
Suchiara
Posts: 64
Joined: Fri May 20, 2005 2:37 pm

Post by Suchiara »

My suggestion would be to temporarily install another ircd (I'd recommend choosing bahamut 1.8.3) and see if he can reproduce that.

Good luck.
aquanight
Official supporter
Posts: 862
Joined: Tue Mar 09, 2004 10:47 pm
Location: Boise, ID

Post by aquanight »

There is no way that "flood" could have anything to do with the server squitting. The only remote possibility is the server either coincidentally had a connection burp or you have a shell with a very very lame bandwidth limit :P .

As has been said, I think you should really first consider the security of the actual systems involved (the ircd box and/or shell account, your own PC, etc).

Also, easily guessed passwords can lead to "takeovers" - try using limited hostmasks and better password(s). :)
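To make the two pieces of advice in this thread concrete (Syzop's "log block with all the logging enabled" and aquanight's "limited hostmasks and better passwords"), here is an added UnrealIRCd 3.2-style configuration sketch; it is not from the original posts, and the oper names, the 203.0.113.10 host and the MD5 hash value are made-up placeholders.

```conf
/* Added example, not from the thread: a log block that records what the
 * replies ask about (oper attempts, kills, G:Lines, server links) so a
 * takeover can be reconstructed from ircd.log afterwards. */
log "ircd.log" {
    maxsize 2097152;          /* start a new file at 2 MB */
    flags {
        errors;
        oper;                 /* successful and failed /OPER attempts */
        kills;
        tkl;                  /* G:Line and shun additions/removals */
        connects;
        server-connects;      /* leaf links and splits, like the 19:29 "Lost connection" above */
        sadmin-commands;
        chg-commands;
        oper-override;
    };
};

/* Weak: anyone from any host may try /OPER, and the password is stored
 * in plaintext in the config file. */
oper weakadmin {
    class clients;
    from { userhost *@*; };
    password "secret";
    flags { netadmin; can_gline; can_globalroute; can_rehash; };
};

/* Hardened: only the admin's own host (203.0.113.10 is a constructed
 * example) may oper up, and the config holds only an MD5 hash produced
 * with UnrealIRCd's mkpasswd facility (the hash below is a placeholder). */
oper hardenedadmin {
    class clients;
    from { userhost *@203.0.113.10; };
    password "$1$PLACEHOLDER$replace-with-real-hash" { md5; };
    flags { netadmin; can_gline; can_globalroute; can_rehash; };
};
```

With the hardened block, a stolen password alone is not enough to oper up from an arbitrary host, and every attempt lands in ircd.log under the `oper` flag.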
mus3na
Posts: 25
Joined: Sun Apr 10, 2005 9:53 am

Post by mus3na »

I guess he is using either a SYN flood or an IP jammer against my server IP.