Wednesday, April 15th, 2009

Followup of the hacking situation

Posted by Shaun at 10:29 pm under Computers

I am updating all scripts on my servers as I type this blog post; there is quite a lot of updating to go, so I guess I'll just sneak an update in here. After much investigation of the previous hacking attempt in my last blog post, it seems that the DoS problem narrows down to a vulnerability in the Roundcube webmail program, so if you are running a version before 0.2.1, please update.

In layman’s terms, what the hackers did was exploit a code injection vulnerability in Roundcube against Apache, which causes it to eat up so many resources that it forces Apache to run a safety shutdown to terminate the script, thus explaining those sudden SIGTERMs disabling all your server’s web services. But once that happens, it is unable to start itself up again, as an Apache is “still” running the service and using the ports, thus resulting in a denial of service.
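The symptom described above (a SIGTERM shutdown followed by a restart that fails because the ports are still held) can be spotted in the Apache error log. This is an added example, not part of the original post: the log lines are constructed in Apache 2.2 format, the function name is hypothetical, and it assumes the bind failure is written to the same log as the shutdown notice.

```python
import re

# Constructed sample in Apache 2.2 error_log format (not taken from the post).
SAMPLE_LOG = """\
[Wed Apr 15 03:10:02 2009] [notice] Apache/2.2.11 (Unix) configured -- resuming normal operations
[Wed Apr 15 21:47:30 2009] [notice] caught SIGTERM, shutting down
[Wed Apr 15 21:47:33 2009] [notice] Apache/2.2.11 (Unix) configured -- resuming normal operations
[Wed Apr 15 22:01:13 2009] [notice] caught SIGTERM, shutting down
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
"""

STAMP = re.compile(r"^\[([^\]]+)\]")
BIND_FAIL = re.compile(
    r"Address already in use: make_sock: could not bind to address (\S+)"
)


def find_failed_restarts(log_text):
    """Return one dict per SIGTERM shutdown that was not followed by a clean start."""
    incidents = []
    pending = None  # the shutdown we are still waiting to see recover
    for line in log_text.splitlines():
        if "caught SIGTERM, shutting down" in line:
            if pending:
                incidents.append(pending)  # earlier shutdown never recovered
            m = STAMP.match(line)
            pending = {"shutdown_at": m.group(1) if m else None, "blocked": []}
        elif "resuming normal operations" in line:
            pending = None  # server came back, nothing to report
        elif pending is not None:
            m = BIND_FAIL.search(line)
            if m:
                pending["blocked"].append(m.group(1))  # address still in use
    if pending:
        incidents.append(pending)
    return incidents


if __name__ == "__main__":
    for incident in find_failed_restarts(SAMPLE_LOG):
        print("Apache down since", incident["shutdown_at"],
              "- addresses still held:", incident["blocked"] or "none logged")
```

An incident with a non-empty `blocked` list is the case from the post: a leftover Apache process still holds the listening port and has to be stopped before the service can start again.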

I’ve updated all my servers and done a full rootkit scan; currently all is running fine and A-OK. (Keeps fingers crossed). Oh yes, do note that roundcube-0.2 requires PHP 5 to run.

I guess the cool thing about being your system administrator is that you get to learn all kinds of shit which comes thrown at your server.

Mmm, don’t know whether I should try to install PHP 6 on my development server; I am sooo liking their new date functions.
