And I thought it would never happen...
interactive
06-17-03, 02:28 PM
Well yesterday I got an email from some russian address, and he said somehow he had found a big security bug in one of my websites, and had gained access to my account (on my website), sent me my username and password. And stupid me, I used the password for a couple other things on that server. So went and changed them pretty fast. I'm not going to be rude to the guy because I'd rather not have my site/reputation destroyed, but at the same token I'm not going to pay money for his guidence. Woke up and got this email this morning:
Hello Rob.
It's very good that you decide to protect you system. You are enough
clever admin. Unfortunately you decide only one problem(URL bag). Do you
think about DoS attacks or about data access on your server? If you want
I will give you some information how to protect you server very good. Of
course this information isn't free but it will be sold at a low price for
you (I think $100 is not a very high price). Also I will help you in
future for free($0) to protect anything you want and I will send
information about fresh bugs. Please answer as soon as possible.
*Sig excluded*
Any one have experience with things of this nature? If so what is your recommendation?
Check your server logs and figure out what IP Address he came from. Drop that IP Address (possibly the entire netblock) into an IPTables deny rule.
There is not a whole lot you can do to prevent DoS attacks, but make your upstream provider aware of these threats so they can be prepared to act quickly in the event the guy does follow through.
Finally, if you don't already do it, run nmap against your server and make sure there are no open ports that you don't know about. If the guy has been in your server he may have left you a little present, so he can get back in any time he wants.
Legally, there isn't crap you can do -- if the guy really is in Russia, you will just have to defend your server against him.
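The log review allan describes, as an added example that is not from the thread or from any poster: it parses a few constructed Apache combined-format lines (the addresses and paths are made up), lists which clients touched a sensitive path, flags URL session ids that were presented from more than one address, and renders the iptables deny rules for review. The log format, the `/admin/` prefix and the `sid=` parameter name are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format; none of this is real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [16/Jun/2003:22:14:05 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.42 - - [16/Jun/2003:22:15:11 +0000] "GET /members.php?sid=abc123 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.7 - - [16/Jun/2003:22:15:40 +0000] "GET /members.php?sid=abc123 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
203.0.113.42 - - [16/Jun/2003:22:16:02 +0000] "GET /admin/users.php HTTP/1.1" 200 1024 "-" "curl/7.10"
203.0.113.42 - - [16/Jun/2003:22:16:09 +0000] "GET /admin/users.php?id=1 HTTP/1.1" 200 1024 "-" "curl/7.10"
"""

# Client IP, timestamp, request line, status and size of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def ips_hitting(entries, path_prefix):
    """Count requests per client IP for everything under path_prefix."""
    return Counter(e["ip"] for e in entries if e["path"].startswith(path_prefix))


def sessions_seen_from_multiple_ips(entries):
    """Map URL session ids (sid=...) to the set of IPs that presented them.

    A session id used from more than one address is the fingerprint of a
    session id in the URL being replayed by someone other than its owner.
    """
    seen = {}
    for e in entries:
        m = re.search(r"[?&]sid=([^&]+)", e["path"])
        if m:
            seen.setdefault(m.group(1), set()).add(e["ip"])
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


def iptables_drop_rules(ips):
    """Render one iptables DROP rule per address; review before applying."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    admin_hits = ips_hitting(entries, "/admin/")
    print("IPs touching /admin/:", dict(admin_hits))
    print("Session ids presented from several IPs:", sessions_seen_from_multiple_ips(entries))
    for rule in iptables_drop_rules(admin_hits):
        print(rule)
```

On a multi-gigabyte log, feed `parse_log` one file at a time (or one line at a time) rather than reading everything into memory, and treat the generated rules as a review list: a shared session id can also come from a legitimate user whose address changed, so confirm the path and timing before blocking a netblock.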
interactive
06-17-03, 04:15 PM
Originally posted by allan:
Check your server logs and figure out what IP Address he came from. Drop that IP Address (possibly the entire netblock) into an IPTables deny rule.
There is not a whole lot you can do to prevent DoS attacks, but make your upstream provider aware of these threats so they can be prepared to act quickly in the event the guy does follow through.
Finally, if you don't already do it, run nmap against your server and make sure there are no open ports that you don't know about. If the guy has been in your server he may have left you a little present, so he can get back in any time he wants.
Legally, there isn't crap you can do -- if the guy really is in Russia, you will just have to defend your server against him.
Thanks for the post. I'm going to go through the logs later tonight, as they are pretty long (upwards of 2-3 GB). I don't want to piss him off and find out the hard way that he has access to some things such as SSH access or the like. I've dealt with numerous DoS attacks before, so there's really no problem there. Although I will send them an email about the issue. Thanks for suggesting running nmap. After I ran it I only found one weird port, 113, that is "closed" and it says that the service is auth?
Always keep this list handy:
http://www.iana.org/assignments/port-numbers
I don't know that there are any common services that REQUIRE this port to be open -- however it may slow some services down.
interactive
06-17-03, 06:55 PM
Thanks for the link.
Searched Google a little and dug this up:
Port 113 is used by identd. This is a protocol by which a server can look up
a client's username via its source and destination tcp ports.
So, when you connect to (for example) an irc server, expect to get an ident
request back. If your machine doesn't answer the request (because you have
it firewalled off or commented out in inetd.conf) then you may be denied
access to the IRC server or you may just get a ~ by the front of your name,
indicating your username was not validated.
And no, it's not worth anything w.r.t. security, since people aren't using
centrally-administered UNIX shells anymore :)
Source: http://www.ssc.com/pipermail/linux-list/1999-November/014063.html
Looks like it's nothing to be worried about.
I wouldn't pay him.
Mind sharing what the bug was?
interactive
06-19-03, 08:13 PM
Well it was my own stupidity, but basically I was having problems with cookies/sessions, so I went to sort of a session system that was stored in the URL (as a session ID). Well, I originally planned it so that it would check to make sure the IP matched the IP that the user logged in from, but forgot to do that. Guess that's the easiest way to explain it.
But I said I "would bring it up at our next board meeting" (which never happens ;)), this will buy me some time till the next version of my site is finished (sometime before July 1st).
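The bug described in the post above, shown beside the check that was planned but never written. This is an added example, not the site's code: an in-memory session store (an assumption; a real site would use a database) with a lookup that trusts the URL session id alone next to one that binds the id to the address it was issued to and expires it.

```python
import secrets
import time

# Constructed in-memory store: session id -> owner, issuing address, issue time.
SESSIONS = {}
SESSION_TTL = 30 * 60  # seconds; an assumed value


def create_session(username, client_ip):
    """Issue an unguessable session id and record the address it was issued to."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "ip": client_ip, "issued": time.time()}
    return sid


def lookup_vulnerable(sid):
    """The bug from the thread: whoever presents the id (e.g. from ?sid=...) is the user."""
    entry = SESSIONS.get(sid)
    return entry["user"] if entry else None


def lookup_hardened(sid, client_ip, now=None):
    """The intended check: the id is only honoured from the address it was issued to,
    and only within its lifetime. A mismatch invalidates the session outright, so a
    leaked id cannot be retried later from the owner's address either."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(sid)
    if entry is None:
        return None
    if now - entry["issued"] > SESSION_TTL:
        del SESSIONS[sid]
        return None
    if entry["ip"] != client_ip:
        del SESSIONS[sid]
        return None
    return entry["user"]


if __name__ == "__main__":
    sid = create_session("rob", "198.51.100.7")          # owner logs in
    print("vulnerable, other address:", lookup_vulnerable(sid))             # rob
    print("hardened, owner address:", lookup_hardened(sid, "198.51.100.7"))  # rob
    print("hardened, other address:", lookup_hardened(sid, "203.0.113.42"))  # None
```

Binding to the client address is the mitigation the post describes, and it does stop the straightforward replay of a copied URL, but it is a partial one: users behind proxies or dial-up pools change addresses mid-session and get logged out, and a session id in the URL still leaks through Referer headers, proxy logs and pasted links. The durable fix is to carry the id in a cookie over HTTPS and keep the expiry; the address check then becomes an extra signal rather than the only one.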
Living Media
06-19-03, 08:29 PM
His tactics remind me of movie mafiosos selling "protection".
Ask if he has any relatives named Guido or Nunzio...or the Russian equivalent. :D
interactive
06-19-03, 08:54 PM
Originally posted by Living Media:
His tactics remind me of movie mafiosos selling "protection".
Ask if he has any relatives named Guido or Nunzio...or the Russian equivalent. :D
I remember there was like another case of this happening to some financial company. Although they have quite a bit more than I do hanging on the line.