Quote:
Originally Posted by tg989
One logical explanation is the following:
Somebody got ahold of the root ssh key, likely an ex employee or current employee.
They logged into all the machines, changed the root pass/keys or replaced the SSH server with a custom one and then systematically disabled apache/lighttpd/nginx/mysql/pgsql etc. (you'll notice that the sites running apache show forbidden but the ones that were running lighttpd just time out), then they gave RCN an ultimatum, effectively holding them hostage for a calculated sum of money (somebody who knows what is at stake, again, likely an employee/ex-employee). They probably also had the insight to make sure backups were affected, as this really doesn't seem like a heat-of-the-moment thing. This is premeditated. The servers are still online, they are still 'running', the DNS is still working... nothing was 'corrupted' or trashed; RCN just doesn't have access any more, holding them in a tight position as the servers are spread out in multiple locations and they don't have anyone 'in front' of them to use the console or do mass operating system re-installs + backup recoveries.
This is the only situation that really makes sense; there is NO gain to be made from hacking RCN and deleting everything. There is always motive involved, almost always monetary. As such, I assume somebody is doing this for financial gain and they are likely holding it hostage until they get the money, which, if it is a wire, would be quite a few days. :\ I know of a registrar that was in a very similar situation recently. This registrar was being DDoSed by a disgruntled ex-customer who had their domains deleted or blocked, and they basically kept DDoSing the domain servers until the registrar finally gave in.
I really don't want this to turn into an epass drama thread/situation and incite pandemonium or mass exodus, but this is really the most probable situation as it stands now.
A DDoS is clearly not what's happening here and is a TOTALLY different situation.
No one is holding anything hostage. A common phrase in the networking world is "there's no security without physical security." In other words, if you can access a box, you can't lock someone out of it. A company hosting as many large sites as RCN has physical access to the machine, either personally or through their data center. You can reset the root password of a box in 5 minutes if you can actually get to it. So unless you're implying that their data centers are literally being held hostage, i.e. with guns, then you're just fearmongering.
Also, anger and revenge are plenty of motive. In fact, they're some of the best motives and pretty damn common. It's definitely possible (even likely) that the hacker is a current or ex-employee, though.