Signs of trouble? Time to use the VPS advantage and pull the plug. Someone defaced my wiki with 1 x 1 divs with porn links — too bad that doesn’t actually do much for one’s Google PageRank. I logged in to investigate that and discovered someone ssh’d into the system from a machine in France. I couldn’t find any evidence besides the connection from the remote machine and didn’t have known-good system utilities handy, so I deep-sixed the installation. No sense in taking stupid risks.
So what’s next? Re-installed CentOS 5.1, uninstalled pretty much everythingg that isn’t a dependency of something I use, and I won’t be bothering with a wiki any more. I’d sooner do it by hand that worrying about whether someone or another decides to try to pump their porn site.
As for how the intruder (if there was one) got in — no clue. I didn’t have a known-good set of tools handy, and I wasn’t in the mood to do a whole lot of forensic work that would likely turn up nothing. He (I’m assuming that women can figure out more useful things to do) was probably logged in from a similarly broken-into machine, and those trails don’t lead anywhere unless you’ve got the cooperation of pretty much the whole
world, and that doesn’t happen.
There are also too many unknowns for me to make too many guesses — could it be a violation of Xen paritioning? Could it be a bug in Xen itself that showed me something that wasn’t really there (in my instance, at least)? The connection was to one of my spare IP addresses, and those don’t fall into any sort of order that I can make out. Indeed, the address he was connected to is in a different class A than the rest of the IPs on my instance.
Oh well — there’s naught that can be done about it. I took SHA-256 sums of every file that matters and will be installing a little thing or two to keep an eye on the system for me. I’m also going to follow the KISS principle when I get more dynamic web stuff up. No big wikis (as much as I do like TWiki), and I’m probably going to have a bad case of “if it’s not Apache and not Perl and
NIH, then screw it” for a while.
My girlfriend asked what was going on and I explained it to her. I likened it to going to your cottage and finding out that someone had broken in and shit on your couch. In a lot of ways it’s true — my next job was to change the locks, clean up some stuff, take pictures of my tools to make sure they stay as I left them, and a bunch of other things that one shouldn’t have to do but has to do because there are still people out there who get a rush out of breaking into peoples’ cottages and shitting on the couch.
And that, my friend, is sad indeed.