Beware of hackers

  2. Neil B

    Jun 3 Pre-Release Testers

    By having full access to the PostgreSQL database server, does that mean they had access to the machine? To be clear, I had the port 5432 forwarded so it was publicly accessible. So the hacker connected to the db as an admin user, with full access to all the databases on the server.
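    The exposure Neil describes (5432 forwarded to the Internet, an admin role accepted from anywhere) is visible in PostgreSQL's own configuration before anyone connects. The following is an added example, not code from this thread or from the Xojo project: a small audit that parses pg_hba.conf rules and the listen_addresses setting and flags rules that match any source address, use a weak auth method, or admit a superuser-capable role from a non-loopback network. The config fragments are constructed for the example; the role names treated as superuser-capable ("postgres", "all") are an assumption.

```python
"""Audit pg_hba.conf and listen_addresses for Internet-facing PostgreSQL access.

Added example for this thread, not code from any post. Config text is constructed.
"""
import ipaddress
import re

# Constructed sample pg_hba.conf. Columns: TYPE DATABASE USER ADDRESS METHOD
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                    METHOD
local   all       all                                  peer
host    all       all       127.0.0.1/32               scram-sha-256
host    all       all       ::1/128                    scram-sha-256
host    all       postgres  0.0.0.0/0                  md5
host    all       all       0.0.0.0/0                  trust
host    all       all       192.168.1.0 255.255.255.0  scram-sha-256
hostssl appdb     appuser   10.0.0.0/8                 scram-sha-256
"""

# Constructed postgresql.conf fragment; PostgreSQL's compiled-in default is 'localhost'.
SAMPLE_POSTGRESQL_CONF = """\
listen_addresses = '*'   # binds every interface, so port forwarding exposes it
port = 5432
"""

# trust: no credential at all; password: sent in clear; md5: legacy scheme, prefer scram-sha-256
WEAK_METHODS = {"trust", "password", "md5"}
# Assumption: 'postgres' is the bootstrap superuser and 'all' includes it.
SUPERUSER_NAMES = {"postgres", "all"}


def _is_ipv4_mask(tok):
    """True if tok is a dotted-quad (the old 'address netmask' form of pg_hba)."""
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def parse_pg_hba(text):
    """Return a list of rule dicts; comments, blank and malformed lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "local":  # Unix-domain socket rule: no ADDRESS column
            if len(fields) >= 4:
                rules.append({"line": lineno, "type": kind, "db": fields[1],
                              "user": fields[2], "net": None, "method": fields[3]})
            continue
        if len(fields) < 5:
            continue
        addr, rest = fields[3], fields[4:]
        if addr == "all":  # keyword meaning every IPv4 and IPv6 source
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            try:
                if "/" not in addr and _is_ipv4_mask(rest[0]):
                    net = ipaddress.ip_network(f"{addr}/{rest[0]}", strict=False)
                    rest = rest[1:]
                else:
                    net = ipaddress.ip_network(addr, strict=False)
            except ValueError:
                continue  # hostname or samehost/samenet keyword: not audited here
        if not rest:
            continue
        rules.append({"line": lineno, "type": kind, "db": fields[1],
                      "user": fields[2], "net": net, "method": rest[0]})
    return rules


def listen_addresses(conf_text):
    """Extract listen_addresses from a postgresql.conf fragment (last setting wins)."""
    value = "localhost"
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            value = m.group(1)
    return value


def audit(pg_hba_text, conf_text):
    """Return a list of findings, each {'line', 'issue', 'detail'}."""
    findings = []
    listen = listen_addresses(conf_text)
    if any(a.strip() in ("*", "0.0.0.0", "::") for a in listen.split(",")):
        findings.append({"line": None, "issue": "listen_all",
                         "detail": f"listen_addresses = '{listen}' binds every interface"})
    for r in parse_pg_hba(pg_hba_text):
        net = r["net"]
        if net is None:
            continue  # socket rules are not reachable over TCP
        who = f"{r['user']}@{r['db']}"
        if net.prefixlen == 0:
            findings.append({"line": r["line"], "issue": "open_to_any_address",
                             "detail": f"{r['type']} rule for {who} matches every source address"})
        if r["method"] in WEAK_METHODS:
            findings.append({"line": r["line"], "issue": "weak_auth_method",
                             "detail": f"method '{r['method']}' for {who}"})
        if r["user"] in SUPERUSER_NAMES and not net.is_loopback:
            findings.append({"line": r["line"], "issue": "superuser_reachable",
                             "detail": f"role '{r['user']}' accepted from {net}"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PG_HBA, SAMPLE_POSTGRESQL_CONF):
        print(f"line {f['line']}: {f['issue']}: {f['detail']}")
```

    On the constructed sample this reports eight findings: the wildcard listen_addresses, the two 0.0.0.0/0 rules (each also flagged for md5/trust), and the three rules that admit "postgres" or "all" from a network other than loopback. The fix the thread converges on is the same in every case: no superuser role in a host rule at all, scram-sha-256 only, and the database reachable solely through an SSH tunnel or VPN rather than a forwarded port.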

  3. Tomas J

    Jun 3 Pre-Release Testers, Xojo Pro Europe (Germany)
    Edited 3 months ago

    ... and with full access to the DB somebody could implant a reverse shell and execute it at least as the db user.
    As Greg said, forget the host and whole subnet. Restore from backup and enforce Security by Design and Default.

  4. Daniel T

    Jun 3 Pre-Release Testers, Xojo Pro

    @Greg OLone ...and use virtual machines from now on. They’re a lot easier to deal with in these situations.

    But they also introduce additional risk thanks to the processor exploits which keep appearing and which range from difficult to impossible to mitigate.

  5. Thom M

    Jun 3 Pre-Release Testers Greater Hartford Area, CT

    @Tomas J It is a very optimistic assumption that a user will have a unique IP. How many employees are concealed behind a nationwide or international corporate gateway? What does it look like with mobile carriers that operate their IPv6 devices behind an IPv4 proxy? A server would be open to all mobile telephone subscribers at once.

    Sorry for being rude, but the concept is junk!

    Don’t get me wrong, I’m not advocating for it. There’s a reason “nothing” supports it. The same reason I chose not to use it. It’s just not good enough.

    But it’s not a large attack surface for somebody to have the same address AND attempt to connect at just the right time. The firewall should allow a single connection, then close off again, retaining the established connection. So it’s not like you’d be exposed to the whole network while one person is connected.

    It’s not a terrible concept, but there are better options out there. Much better. It would take much less time to learn how to setup an SSH tunnel than it would to learn how to code the firewall accordingly, AND be more secure as a result. There’s no reason to select port knocking instead of SSH or a VPN.

  6. Anthony M

    Jun 3 Pre-Release Testers, Xojo Pro

    @Tomas J It is a very optimistic assumption that a user will have a unique IP. How many employees are concealed behind a nationwide or international corporate gateway? What does it look like with mobile carriers that operate their IPv6 devices behind an IPv4 proxy? A server would be open to all mobile telephone subscribers at once.

    Sorry for being rude, but the concept is junk!

    What does any of what I said have to do with whether or not a user is behind a NAT or shared IP??? I'm speaking about protecting the server from external attacks which will almost certainly have a static IP or, at a minimum, ports forwarded to it. Where the client is located is absolutely irrelevant to this discussion.

  7. Neil B

    Jun 3 Pre-Release Testers

    I wonder if restoring to a recent restore point would be safe? (Windows 10). I hate to think of the work it would take to do a total wipe, need to re-install everything.

  8. Norman P

    Jun 3 Pre-Release Testers, Xojo Pro great-white-software.com/blog

    Um ... no
    At the very least wipe the machine as you can't be 100% sure that the hacker has not used a compromise to gain full access to the machine & install something else like Greg said

  9. Neil B

    Jun 3 Pre-Release Testers

    @Norman Palardy Um ... no

    OK I guess sometimes the truth isn't the answer you would like to hear :(

  10. Norman P

    Jun 3 Pre-Release Testers, Xojo Pro great-white-software.com/blog

    @Neil B OK I guess sometimes the truth isn't the answer you would like to hear :(

    sometimes it hurts
    but it's better than not doing it and finding out later that your machine was compromised way back and has been the whole time

  11. Julian S

    Jun 3 Pre-Release Testers, Xojo Pro UK
    Edited 3 months ago

    Best case scenario, they were a script kiddie with an automated DB finder that would do nothing more than grab the data and drop the ransom note.

    Worst case, they got code across, and set up control software internally potentially compromising all connected machines. Depending on how the server was set up, you might be able to find out if this happened but not many people go to the effort to block all unused outgoing ports on a server before they connect it to the net.

    Nightmare scenario if you have a lot of machines on the network.

  12. @Julian S — So your "best case scenario" is something hackable by any kid/teen? That reminds me of the "Wargame" movie :-)

  13. Norman P

    Jun 3 Pre-Release Testers, Xojo Pro great-white-software.com/blog

    More or less

  14. Julian S

    Jun 3 Pre-Release Testers, Xojo Pro UK
    Edited 3 months ago

    No, Professor Falken, the best case scenario is in terms of how far they got in, not how they got in.

    Best case as in how much work you need to do to clean up house :)

  15. Sascha S

    Jun 3 Pre-Release Testers, Xojo Pro Germany, Lower Saxonary

    @Norman P More or less

    More less ;)

    @John AKnight, Jr When I implemented that, I still ended up with logs full of password attacks, sometimes several thousand a day.

    I always recommend to just log successful access (logins e.g.). It's of little interest to know how they try to gain access. Why? Because even if you know how they try to gain access and try to counter this, they can at any time try it with very different techniques. "Just" try to avoid any possible kind of entry point as well as you can and log successful logins to reveal unwanted access. ;)

  16. Norman P

    Jun 3 Pre-Release Testers, Xojo Pro great-white-software.com/blog

    @SaschaSchneppmueller More less ;)

    A script kiddie could easily have found the right software to perform this attack and nothing more sophisticated like Julian mentioned
    That's not that unusual

    It's unlikely to be anyone more sophisticated - but not impossible

    @SaschaSchneppmueller I always recommend to just log successful access (logins e.g.). It's of little interest to know how they try to gain access. Why? Because even if you know how they try to gain access and try to counter this, they can at any time try it with very different techniques. "Just" try to avoid any possible kind of entry point as well as you can and log successful logins to reveal unwanted access. ;)

    I would expect @Travis H and @Greg OLone would disagree as Xojo Cloud gets hammered all day every day and knowing the attacks that are tried helps them mitigate them

  17. Neil B

    Jun 3 Pre-Release Testers

    @Julian S Nightmare scenario if you have a lot of machines on the network.

    Great. So I might as well do nothing and hope for the best.
    I've got about a dozen machines and wiping them all would not be trivial!

  18. Thom M

    Jun 3 Pre-Release Testers Greater Hartford Area, CT

    The "easier said than done" technique I use is a fully automated setup script. Files are stored in a cloud provider and merely cached on the production server. The database uses both daily full backups and live hot backups. Website source files are stored in GitHub. The script sets up every piece, including creating user accounts, securing, recovering the database using the hot backups, getting certificates from Let's Encrypt... everything. A server can be restored in about 15 minutes with no loss of data. And we test this process every six months.

    The challenge is remembering to keep your setup script up to date with changes made to the server.

  19. John A

    Jun 3 Pre-Release Testers Las Vegas, Nevada

    @Norman P I would expect @Travis H and @Greg OLone would disagree as Xojo Cloud gets hammered all day every day and knowing the attacks that are tried helps them mitigate them

    Hammered is right. I've had a couple of bot-farms trying passwords on my systems, sometimes upwards of 100 per second.
    It may be a simple 'failed login', but it still takes a small amount of CPU to log.
    A small amount done hundreds of times per second results in a noticeable lag in response time.
    When that happens, I'll blacklist the IPs involved.
    Since my VPS 'servers' are minimal cpu/ram, I'd rather they be busy doing their job instead of logging some knuckleheads.

  20. Norman P

    Jun 3 Pre-Release Testers, Xojo Pro great-white-software.com/blog

    Oh sure it sucks up some resources - nothing's free
    Not knowing the attack vectors being tried means that you don't know until they succeed and by then it's too late.
    Like going out and locking your front door and leaving all your windows open thinking "well my doors are locked" and the burglar comes in the window.
    If you know the burglars are trying windows then you'd lock those too.
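    Sascha, John and Norman are arguing over what to do with the auth-failure noise: log only successes, blacklist the sources, or keep the failures to learn the vectors. One way to get all three from the same log is to process it per source: block a host once it crosses a failure threshold inside a window, and raise a separate, louder alert when a host that was just failing then authenticates, which is the "successful login that reveals unwanted access" Sascha wants. The block below is an added example, not code from any post; the PostgreSQL log lines are constructed and assume a log_line_prefix of '%m [%p] %h ' so that the client host is on every line, and the nftables set name in block_commands is a hypothetical placeholder.

```python
"""Sliding-window detection of password guessing against PostgreSQL, from log lines.

Added example for this thread, not code from any post. Log lines are constructed and
assume log_line_prefix = '%m [%p] %h ' so each line carries the client host (%h).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ \S+ \[\d+\] (?P<host>\S+) "
    r"(?P<level>[A-Z]+):\s+(?P<msg>.*)$"
)
FAIL_RE = re.compile(r'password authentication failed for user "(?P<user>[^"]*)"')
OK_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")

# Constructed sample: one host guessing six passwords in three seconds and then
# getting in, one host with a single typo, one clean internal login, and a
# background-process line that has no client host and must be ignored.
SAMPLE_LOG = """\
2024-06-03 10:15:01.001 UTC [4101] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-06-03 10:15:01.420 UTC [4102] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-06-03 10:15:02.003 UTC [4103] 203.0.113.5 FATAL:  password authentication failed for user "admin"
2024-06-03 10:15:02.511 UTC [4104] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-06-03 10:15:03.090 UTC [4105] 203.0.113.5 FATAL:  password authentication failed for user "root"
2024-06-03 10:15:03.777 UTC [4106] 203.0.113.5 FATAL:  password authentication failed for user "postgres"
2024-06-03 10:15:09.200 UTC [4107] 203.0.113.5 LOG:  connection authorized: user=postgres database=appdb
2024-06-03 10:16:40.000 UTC [4110] 198.51.100.7 FATAL:  password authentication failed for user "appuser"
2024-06-03 10:16:45.000 UTC [4111] 198.51.100.7 LOG:  connection authorized: user=appuser database=appdb
2024-06-03 10:20:00.000 UTC [4120] 10.0.0.12 LOG:  connection authorized: user=appuser database=appdb
2024-06-03 10:20:01.000 UTC [4121]  LOG:  checkpoint starting: time
"""


def parse_events(text):
    """Return (epoch_seconds, host, 'fail'|'ok', user) tuples for auth-related lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no client host (background process) or unrelated format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc).timestamp()
        fail = FAIL_RE.search(m["msg"])
        if fail:
            events.append((ts, m["host"], "fail", fail["user"]))
            continue
        ok = OK_RE.search(m["msg"])
        if ok:
            events.append((ts, m["host"], "ok", ok["user"]))
    return events


def detect(events, threshold=5, window=60, min_failures_before_success=3):
    """Return alerts in time order.

    'bruteforce': a host reached `threshold` failures within `window` seconds (block it).
    'success_after_failures': a host with at least `min_failures_before_success`
    recent failures then authenticated; that is the one to treat as a compromise.
    """
    recent = defaultdict(deque)  # host -> timestamps of failures inside the window
    blocked = set()
    alerts = []
    for ts, host, kind, user in sorted(events):
        q = recent[host]
        while q and ts - q[0] > window:
            q.popleft()
        if kind == "fail":
            q.append(ts)
            if len(q) >= threshold and host not in blocked:
                blocked.add(host)
                alerts.append({"host": host, "kind": "bruteforce", "count": len(q),
                               "at": ts, "user": user})
        elif kind == "ok" and len(q) >= min_failures_before_success:
            alerts.append({"host": host, "kind": "success_after_failures", "count": len(q),
                           "at": ts, "user": user})
    return alerts


def block_commands(alerts, set_name="blocklist"):
    """Translate bruteforce alerts into nft commands. The set 'inet filter blocklist'
    is a hypothetical placeholder; it must exist and be referenced by a drop rule."""
    hosts = sorted({a["host"] for a in alerts if a["kind"] == "bruteforce"})
    return [f"nft add element inet filter {set_name} {{ {h} }}" for h in hosts]


if __name__ == "__main__":
    found = detect(parse_events(SAMPLE_LOG))
    for a in found:
        print(f"{a['kind']:24} {a['host']:14} failures={a['count']} user={a['user']}")
    for cmd in block_commands(found):
        print(cmd)
```

    On the sample, 203.0.113.5 is blocked at its fifth failure and then raises success_after_failures when the seventh attempt succeeds as postgres; the single typo from 198.51.100.7 followed by a login stays below the success threshold and produces nothing. Whether you then drop the failure lines or keep them is John's CPU trade-off versus Norman's visibility argument, but the block decision needs only the counts, not every line retained.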

  21. Julian S

    Jun 3 Pre-Release Testers, Xojo Pro UK
    Edited 3 months ago

    @Neil B Great. So I might as well do nothing and hope for the best.
    I've got about a dozen machines and wiping them all would not be trivial!

    "roll the dice and take your chances"

    https://blogs.quickheal.com/apt-27-like-newcore-rat-virut-exploiting-mysql-targeted-attacks-enterprise/

    Not nice.
