mailing list archives
From: Fyodor <fyodor () nmap org>
Date: Sat, 13 Apr 2013 18:35:14 -0700
Hi Folks. I'm sorry for the downtime over the last week, but
someone compromised our hosting provider (Linode) and used that access to
break into some of our virtual private server (VPS) systems. So we spent
the last week doing investigation and recovery work. I guess we've seen
the dark side of cloud hosting. The good news is that we have reverted to
pre-breakin (3/31) backups and pretty much all of our sites and services
are up and running again.. Meanwhile, Linode says they have identified and
fixed the flaws in their systems which allowed this to happen, and they
have expelled the attackers. Linode put out their own release at .
There are still a couple issues outstanding:
1) The svn server may give you an error when you update since we reverted
to a known good backup and manually re-applied all the commits since then
(after verifying them by hand). You may need to blow away your working
directory and check out from scratch. Also, we have disabled all comitter
accounts until we can reissue them with new passwords.
2) seclists.org is currently missing mail between 3/31 and 4/12. We're
working on migrating that over.
Interestingly, our web referrer logs show that the attacker first
visited us by following a link on this Quora page listing Linode's
most prominent customers:
I guess they hacked Linode and then went looking for well-known sites to go
after. Perhaps we should be flattered to have made the list, but we're
not. Linode says the intruder messed around with our account, but left
their other customers alone.
Thanks for your patience this week. We think everything is cleaned up,
but, as always, please let me know if you see something suspicious or
broken or amiss. I'd like to thank David for staying up with me past
midnight multiple times doing recovery. Linode's CEO (Chris Aker) and COO
(Tom Asaro) were also helpful and prompt in investigating. Let's hope this
doesn't happen again!
Sent through the dev mailing list
Archived at http://seclists.org/nmap-dev/
- Hack Attack Fyodor (Apr 14)