Romanians, Toolkit 3.0 & Alabama Slammers
Back up a few weeks. Craziness ensues! So I was not even back from Montreal for a whole day before the crapola hits lots of different fans. :( We had some typical SPAM problems, although 350,000 SPAM messages from a single source is not really "typical". Yeah that took like 4 hours to clear up. Added some extra postfix options, but they still need a policy server to control the connection / bandwidth limits properly. Or something else entirely. Nothing heard since, so I am guessing it's all good.
Immediately following that debacle, I ended up dealing with a compromise. A pretty nasty one at that. I was shown some of what was going on after the fact. Some nasty password recording in clear text. Box was completely owned. Someone else was tracking them down outside the box, following them in IRC channels etc. Turned out to be some Romanians (not that I have anything against Romania ... that's just where they were from). Translate the IRC chats, and they are talking about bank accounts and credit cards. Some nasty folks. Box has since been rebuilt and deployed.
Right around this time is when I discovered OSSEC. Sweet IDS. Easy to install, nothing to configure, but insanely extensible. XML configs, and crazy options. It alerted me the other day when the # of log entries in mail.log increased over the average entries for a time span. WOW ... that's what I like to see from an IDS. The active response to block IPs under certain conditions is really nice to see as well. Brute force on SSH ... See Ya!
So during, and after, all of that craziness, we released the first Toolkit 3.0. Kevin and I were there all Sunday until the afternoon Monday. Do what you gotta do. It went exceptionally well considering the gravity of the changes. Of course there is some small noise from things, but nothing major. We were all quite pleased. So now we are onto 3.1 development. We have moved to roughly 2 month release cycles. So early May is planned for 3.1. We are adding the "Opportunities", "Power Broker Data Integration", and some distribution changes. There's so much needed to be done, and some things are simply going to be pushed back to 3.2.
...
time passes
...
Looks like I forgot I had started a draft. :S oops.
I'll sum up this blog with my recollection that Jack Ass sized Alabama Slammers @ Jack Astors are super yummy, they taste like Kool-Aid, and when you pound back like 4 or 5 in the time the rest of your party has 1 drink ... you tend to get a little smashed. I'll just end on that note.