From 4d49889082f99008ea0a921add224dbd247dd4db Mon Sep 17 00:00:00 2001 From: david Date: Sun, 19 Mar 2017 20:31:37 +0100 Subject: [PATCH] added falcon shutdown post and removed link --- _data/websites.yml | 3 --- _posts/2017-03-18-falcon_shutdown.md | 16 ++++++++++++++++ 2 files changed, 16 insertions(+), 3 deletions(-) create mode 100644 _posts/2017-03-18-falcon_shutdown.md diff --git a/_data/websites.yml b/_data/websites.yml index b68b895..ceb28c2 100644 --- a/_data/websites.yml +++ b/_data/websites.yml @@ -9,6 +9,3 @@ - name: "Mumble server - gmur.ml" url: https://gmur.ml - -- name: "Minecraft server - falcon.socialnerds.org" - url: https://falcon.socialnerds.org diff --git a/_posts/2017-03-18-falcon_shutdown.md b/_posts/2017-03-18-falcon_shutdown.md new file mode 100644 index 0000000..2168eac --- /dev/null +++ b/_posts/2017-03-18-falcon_shutdown.md 
@@ -0,0 +1,16 @@ +--- +layout: post +title: Gameserver hack (the falcon has fallen) +--- + +Hello friends, + +our beloved game server (*falcon.socialnerds.org*) has been compromised by a hacker. I learned about it when network access was blocked by the hosting provider today. We don't know exactly how this came to pass but *falcon* was infected by malware which installed the so called **Bill Gates Botnet** ([here](https://www.akamai.com/fr/fr/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf) is a very detailed report about it). + +Usually these attacks try to brute-force their way into the root account. Though i cannot see how this was possible since we had password authentication and root login disabled right from the beginning. + +In the end i was able to clean out the malware and recover all game server data. Though since the attacker could have left more mailicious code i decided to get rid of *falcon* and setup a brand new server at [endeavour.socialnerds.org](https://endeavour.socialnerds.org). + +Also i hardened the ssh config of all other machines and implemented stronger passwords (i'm also thinking fail2ban). + +Cheers!
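Review bot: the `_data/websites.yml` hunk drops the falcon entry but adds nothing for its replacement, while the new post announces endeavour.socialnerds.org as the new game server; if the site list is meant to stay current, add a `- name: "Minecraft server - endeavour.socialnerds.org"` / `url: https://endeavour.socialnerds.org` entry in the same commit. Since the removed hostname is the compromised host, it is also worth confirming that the DNS record for falcon.socialnerds.org no longer points at the decommissioned machine, so stale links elsewhere cannot send visitors to it.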
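Review bot: the new post's reasoning about the entry vector is inconsistent and should be tightened before publishing: it says these infections usually brute-force root, then states that password authentication and root login were disabled from the start, and closes with "implemented stronger passwords", which only helps on hosts where password authentication is still enabled. Either say plainly that the vector is unknown and that the game server service itself (the only other exposed service the post names) is a candidate, or state which machines still accept password logins; "i'm also thinking fail2ban" reads better as a concrete plan if it is one. Spelling and grammar in the post body: "mailicious" should be "malicious", "setup a brand new server" should be "set up", "so called" should be "so-called", and "i" should be capitalized throughout. The front matter has no `date:` field, so Jekyll will take the post date from the filename (2017-03-18), one day before the commit date; add `date:` if the published date matters.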