Hello all!
I'm seeing too much talk, and people confused by all the disruption being caused by evil people taking advantage of the situation, and also people saying this and that without knowing the facts and without having their hands on the situation.
As I posted before in the 3A forum, I was contacted last Friday and took control of the server, trying to protect the forum from the threats of people wanting to shut it down.
Since then, lots of things have happened. This is a brief description, and it may help you understand what happened. But be wise and don't say things like "I would set another server up and restore a backup in 30 minutes", or "phpBB can be easily restored", or this or that. I'm not perfect, but I know very well what I'm doing, and I wish most of the problems I have solved on servers until today had been as critical as this one. Remember there are things like budgets, actions depending on third parties, time, availability, etc...
I'll tell the story by topics, but remember, I'm not giving all the details; no time for that. I could also avoid pointing my finger at nbrado, whom I never had anything against; however, some of his actions were disgusting, including the will to bring the forum down; if not out of respect for others, at least out of respect for Madeleine, for whom we seek justice.
Here it goes; read slowly and carefully:
- Yesterday everything was under control, apart from the discussions between some people that I didn't want to be part of.
- First I did all the basic things, like learning the server's OS structure and doing some basic security checks, including password changes, etc.
- I also checked and scanned for rootkits, backdoors and trojans that nbrado was widely advertising he had planted in the server, but I couldn't find anything to worry about. However, there are some rootkits that are extremely hard to find and fix, but I could see by the way the server was managed that nbrado's knowledge was not high enough to plant a good one. He never did an SSH access, and even cPanel and WHM, which make things easier, were really messed up. So... shouldn't I question his knowledge?
- I also configured iptables to restrict multiple login attempts through SSH to avoid brute-force attacks, installed Apache mod_security, checked all logs for suspicious accesses, and checked all the running services' configs. Everything got under control: server up, forum running, everybody happy.
- By the end of the day, I logged in to install a shell script to notify me through SMS if there was any successful root login. Out of habit I typed the "w" command and saw that somebody else was logged in as root. That couldn't be the data center staff, because I had changed the password and only gave it to bjr, who told me that she didn't give it to anybody else. I quickly saved the IP address, which was from an ADSL connection in Romania, and reported it; I'm holding it for more info. I also checked what he was doing, and he was running a script. I killed its processes and looked for the script, but I believe it was deleted during execution.
- I checked the logs, and I could see that his access was made with only 1 attempt, which leads to only one conclusion: the person who logged in had the root password. But how, if I had changed it? What happened is that somebody might have got the root password when I gave it to bjr through MSN (maybe she has spyware or a trojan), and I'm not 100% sure, but I believe I sent her an email with the password as well, and maybe somebody has access to her email without her knowing it, and she might have shared her email with nbrado when dealing with things related to the forum and server. I could have predicted that and asked her to change her passwords, but it was already late when I thought about it. And I asked myself whether this attacker wasn't a hacker hired by nbrado to carry out the threats he was advertising. What are the chances it could be somebody else who got the root password and decided to do something?
- After everything I said above, I did an intensive check again, and everything was normal. I also did a backup of the forum, and after a few minutes the server was shut down. After 5 minutes it was still not accessible, 10 minutes... and when I was about to contact the data center, bjr told me about the incident there, the explosion in the power transformers that affected us too. I waited... and later I could ping the IP. However, I was not able to access the server through any service.
- Since I have no physical access to the server, and no KVM over IP, I had to contact the tech support of the server provider to reboot and monitor the boot-up of the server. I was more than 6 hours waiting for updates, chatting with tech support, and finally I got a reply from a level 2 tech who told me the boot was giving errors, which led me to the conclusion that the core system was damaged.
- I asked them to reload the OS, asked bjr to give me a call in case we received any email from tech support saying that the OS was already installed, and went to sleep at 5am. At 10:20 I was called and informed that tech support had sent an email saying that the server would be up in about 1 hour. I woke up again 2 hours later and the server was still down, with no emails from tech support. I contacted them through the live chat, but they didn't want to transfer me to level 2 or 3, since they were too busy with the fire incident.
- Minutes later a mod said on MSN chat that the forum was up. Strange: I didn't get any email saying that the server was ready, and I didn't even ask to restore any backup, not even cPanel and WHM, just a fresh OS, so how come the forum was up?? They restored a quite old backup, with nbrado as forum admin and with all the old passwords (not including root). And worst of all, I hadn't yet received the new root password from tech support. I called the host provider, did a live chat with them a couple of times, everything, but they were only doing things through a queue of emails due to the high workload. It took 2 hours for them to send me the new password, which should have been sent immediately after the new OS install, and during this time, while the forum was up with nbrado as admin due to the old backup, he deleted bjr's admin permissions in the forum and had his short moment of glory.
- When I got the root password I shut down the httpd service to stop the forum and replaced the index page with the message that many of you have noticed. Since I was busy with other things, I also stopped the FTP service, to change or delete the FTP accounts later. However, I didn't stop the service "chkservd", which is a cPanel daemon that starts certain services that are stopped; I forgot that because I'm not used to working with cPanel, and it started the FTP service again, and that was when he accessed the main page and disrupted the message I left there. Some people came up saying it could be somebody else, but I have logs of everything, and the IP has been reported to ISPs for further info.
- I could have the forum online already, but there are a few things I prefer to do first, and we also agreed it would be better to activate it when the mods are available to control the troll invasion.
I'm a person who sometimes has a short temper when stressed out, but I always try to solve things in a peaceful way; we can show our intelligence as humans when solving social problems in a civilized and polite manner, never resorting to violence. But sometimes some people choose violence, showing their short distance from humans' animal origins.
I believe nbrado could show more credibility and support if he didn't behave this way and showed another attitude. But no matter what his reasons, they don't justify most of his actions.
I'm still waiting for him to stop calling us thieves and to come forward and tell me what software he coded and installed on the server. I'll be more than happy to remove his work that he doesn't want to share. However, I couldn't find any software developed by him on the server, and since he doesn't say what it is, I assume he's lying. To be honest, I have serious doubts he ever coded any software, and judging by his behavior I believe that deep inside he has an inferiority complex that he's trying to overcome by talking nonsense IT things to people who don't understand it, to make himself feel like he's something. Why doesn't he talk to me about it?
My advice for him is to stop all his circus, take a rest and relax. He has gone too far and has done enough to get himself in trouble. Don't make the snowball get bigger.
About the forum: as you can see this is a race against time and circumstances, and I'm doing all I can when I'm already a busy person. Speculation does nothing more than make me lose more time coming here to explain things. I like to explain, but time is not something I can stop through a computer's command line.
I'll not give up no matter what happens, and I'm doing it so we can get our forum back and seek justice for Madeleine.
Cheers.
Filipe
(No... I don't fear giving out my name; you don't need to expose it in blogs, nbrado. Remember, I even have a picture of my face as my avatar in the forum. What else do you want to know about me, so you can post it somewhere and say you know it because you are a computer hacker?)
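As an added example, not the poster's own notifier script (which is not shown in the post): a POSIX shell check in the spirit of the "notify me on any successful root login" idea and the "w" session check described above. It scans sshd log lines for accepted root logins whose source address is not on a known-admin list, so that a cron job could forward the output by SMS or mail. The log lines, host name, addresses and function names are constructed assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Flags successful root
# SSH logins from addresses outside a known-admin list. Sample data and
# addresses below are constructed (documentation ranges), not real.

# Constructed sample of /var/log/secure-style sshd entries.
SAMPLE_LOG='Mar 14 23:10:02 host sshd[2201]: Accepted password for root from 203.0.113.45 port 51234 ssh2
Mar 14 23:10:40 host sshd[2208]: Failed password for root from 198.51.100.7 port 40022 ssh2
Mar 14 23:11:05 host sshd[2210]: Accepted publickey for root from 192.0.2.10 port 50011 ssh2
Mar 14 23:12:17 host sshd[2215]: Accepted password for root from 203.0.113.45 port 51300 ssh2
Mar 14 23:13:00 host sshd[2220]: Failed password for invalid user test from 198.51.100.7 port 40100 ssh2'

# Addresses the admin normally connects from (placeholder value).
KNOWN_ADMIN_IPS='192.0.2.10'

# root_login_alerts [LOG_TEXT] [KNOWN_IPS]
# Prints "timestamp ip method" for every accepted root login whose source
# address is not in KNOWN_IPS (space-separated). Exit status is 1 when at
# least one alert was printed, so "root_login_alerts || send_sms" works.
root_login_alerts() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" | awk -v known="${2:-$KNOWN_ADMIN_IPS}" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        # Field layout: 1-3 timestamp, 5 "sshd[pid]:", 6 Accepted, 7 method,
        # 8 "for", 9 user, 10 "from", 11 source address.
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" && $8 == "for" && $9 == "root" {
            if (!($11 in ok)) { printf "%s %s %s %s %s\n", $1, $2, $3, $11, $7; hits++ }
        }
        END { exit (hits > 0) ? 1 : 0 }'
}

# Number of alert lines; useful for a cron job that stays quiet when zero.
root_login_alert_count() {
    root_login_alerts "$@" | awk 'END { print NR }'
}
```

In production the first argument would be `"$(tail -n 500 /var/log/secure)"` (or `auth.log` on Debian-style systems), and the exit status would drive the notifier.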