February 12

The Alumnae Association recently suffered a crashed file server. It was not due to a failed hard drive, an overheated processor or a dead power supply. Instead it was the victim of being hacked, or in more polite terms, "compromised". It was infiltrated not by any virus, worm or trojan, but by a rootkit, which hides itself from the operating system's own tools so that it is effectively invisible to the system. In addition, a rootkit can be embedded into the system so deeply that attempts to remove it can cripple the server, which is what happened in my case. The only sure way to rid the server of the rootkit is to format the hard drive.
It does not appear that the hackers were necessarily after any data; they were using the server as a slave node in a distributed FTP server (drftpd) used to distribute MP3s and video files. I found log files that listed songs from the Dreamgirls soundtrack and a French version of The Simpsons.
Instead of reinstalling the Windows 2003 server software, which has numerous security issues and frequent patches, I switched to a more secure operating system: Linux. In particular, a distribution called ClarkConnect, which features everything I wanted in a server in an easy-to-install package. It includes the following:
- Web-based administration
- Active firewall
- Intrusion detection and prevention
- Print and file server for Windows and Mac clients
- Web server
- Antivirus
- Web proxy and content filter
- Windows domain authentication
- Data backup
- And more
The community version is free and is even ideal for home use. I recommend running it on an old PC as a firewall and intrusion detector. There are a couple of different commercial versions that offer email notifications, security audits and regular software updates. If you need a secure, reliable server, check it out.
What we learned the hard way is that "if it isn't broken, don't fix it" does not apply to servers. You need to continually monitor them, update your virus definitions, apply patches and upgrades, and keep a tight firewall. Also, as I noted in a previous post, strong passwords are essential. ComputerWorld has a recent article about a test performed by the University of Maryland in which 4 computers were hit by 270,000 attackers within 24 hours. The Association server is constantly being hit, which I now know thanks to the new Linux firewall. A little inconvenience now can save a lot of embarrassment and downtime later on.