AmigaWorld.Net hacked

[Karlos]

Let's be clear about one thing. There's nothing friendly about taking over someone's account and using it to post comments that could directly hurt their business. Trevor is a decent chap and has taken a significant risk in trying to bring a new machine to market.

[Karlos]

It responds to pings and can be tracerouted to without any problem. Seems like apache might be stopped.

[Karlos]

Hmm port 80 connects, but nothing happens after that. Perhaps squid or some other reverse proxy is in the front is up but the apache on the background is down.

I don't think they are using squid or any sort of front-end cache, unless it's for static site assets only.

[Karlos]

I still can't access amigaworld.net. Anyone that knows more about their issues?

BR
JJ

Not at this time. It's been at least 18 hours, possibly longer, since I last saw it up and running. Hopefully one of their staff can fill us in on what is going on.

[Karlos]

Not much yet.
About 5 days ago irc lost services.
Then came the account hacking.
Yesterday there were mixed results from attempting to use the site.
(1)slow (2)blank front page (3)error messages in browsers like "failure to connect"

#6

If I recall clearly, it's a dedicated server. It still pings promptly enough which suggests at least it isn't being DDoS'ed. Again, port 80 can be connected to, but it seems there's nothing listening on it.

Aside from hacking, it could be a broken/misconfigured update, disk failure or a number of other issues. One downside of a dedicated server is that the machine is basically yours to destroy and fix (unless you pay for support). Without any word from the admin, we can't know for sure.

[Karlos]

I consider the 3 separate issues listed in my prior post above to be merely coincidental, but we'll see.

#6

It seems the problem has expanded to include DNS resolution; the name no longer resolves here (was fine earlier), but that could be just me.

-edit-

Pinging the address it was resolved to earlier no longer works (100% packet loss) :-/

[Karlos]

Not only is AmigaWorld.net down, so is Aros-Exec.org.  I wonder if this has something to do with Xoops since both of those boards run it.

Hmm, aros-exec.org still resolves OK but it seems there's nobody at home there, either (no ping response, port 80 closed).

[Karlos]

Confirmed. Aminet also appears to be down.

[Karlos]

We had three separate threads about this now, so I've combined them.

I have been in touch with some of the staff from the site last last night. I don't know what the exact situation is now, but at around 1am GMT the then available information implied the site and potentially the server on which it is hosted have been been subjected to a concerted attack.

The issues with aminet and aros-exec were coincidental and not part of a wider attack pattern.

Since then, DNS is also been affected. The domain no longer points to the IP address of the server. There are a number of possible scenarios ranging from deliberate DNS cache poisoning to configuration issues or the result of measures taken to mitigate an ongoing DDoS.

I believe the site had a sound data backup policy, so once the immediate problems are fixed and any necessary post-mortem security fixes are in place, hopefully the site should be back up again.