Old 10-19-2010, 04:12 AM  
mlove
the guy
Industry Role:
Join Date: Apr 2005
Posts: 764
Quote:
Originally Posted by kichi View Post
I thought rcn had monitors and file alteration monitors and shit like that in place. I was under the impression something like this would have been impossible. I mean isn't there something monitoring the servers for mass deletions or injections or shit like that? How is it even possible that an exploit can come out and wipe out 1,000 servers in 2010 on a managed hosting situation like RCN? I am telling you this was preventable and they just got complacent after all these years. You live, you learn RCN. I am sure we have all learned valuable lessons from this.
As rcn posted, they basically had one single box that had access to every server that they manage. I'm not exactly sure how they set this up, but there are two likely scenarios: this was a linux box with an ssh key setup, and accessing every server they manage was as easy as knowing a single ssh key's authentication passphrase.

Or it could have possibly been a single windows webserver that never logged out of its own account, and always had pageant open with its ssh key loaded in so that the attacker wouldn't even need to know the ssh key pass.

Or it could have been a single server with a text file that contained every root password for every box.

Regardless, I don't think any 'fully managed' host is actually secure, as each employee workstation will usually have access to a shit load of boxes via a single ssh key phrase. Ideally, I would have each server set up with a unique ssh key, and have the 'management box' have a new user account for each box they manage, and from there have a unique ssh key & ssh key passphrase.

Let this be a lesson in liability.
__________________
If you won't feel as good, I won't feel as cheap.
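The post above describes the anti-pattern of one management key authorized on every managed server, and recommends a unique key per box. A defender can check for that condition by collecting each server's `authorized_keys` and looking for the same key fingerprint on more than one host, and for keys that carry no `from=`/`restrict`/`command=` option. The script below is an added example written for this thread, not code from the poster or from RCN; the hostnames and key blobs in it are constructed so it runs offline, and the fingerprint it computes is the same SHA256 form `ssh-keygen -lf` prints.

```python
import base64
import hashlib
from collections import defaultdict

# Key-type tokens OpenSSH accepts in authorized_keys; the first such token ends the optional options field.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}
# Options that confine what a key can do; a key without any of them is "unrestricted" here.
RESTRICTING_OPTIONS = {"from", "restrict", "command"}


def _split(text, is_sep):
    """Split text on separator chars, but never inside double quotes (command="a b" stays whole)."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif is_sep(ch) and not quoted:
            if cur:
                parts.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def fingerprint(blob_b64):
    """SHA256 fingerprint as `ssh-keygen -lf` shows it: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_line(line):
    """Parse one authorized_keys line into type, fingerprint, comment and option names; None if not a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split(line, str.isspace)
    if fields[0] in KEY_TYPES:
        options, rest = "", fields
    elif len(fields) > 1 and fields[1] in KEY_TYPES:
        options, rest = fields[0], fields[1:]
    else:
        return None
    if len(rest) < 2:
        return None
    # Keep only option names (drop ="value") so restriction checks are simple set tests.
    names = {o.split("=", 1)[0].lower() for o in _split(options, lambda c: c == ",")} if options else set()
    return {"type": rest[0], "fingerprint": fingerprint(rest[1]), "comment": " ".join(rest[2:]), "options": names}


def audit(keys_by_host):
    """keys_by_host: {hostname: [authorized_keys lines]} -> keys reused across hosts and keys with no restrictions."""
    hosts_by_fp, unrestricted = defaultdict(set), defaultdict(set)
    for host, lines in keys_by_host.items():
        for line in lines:
            entry = parse_line(line)
            if entry is None:
                continue
            hosts_by_fp[entry["fingerprint"]].add(host)
            if not entry["options"] & RESTRICTING_OPTIONS:
                unrestricted[entry["fingerprint"]].add(host)
    return {
        "reused": {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1},
        "unrestricted": {fp: sorted(h) for fp, h in unrestricted.items()},
    }


def _fake_blob(label):
    """Constructed ed25519-shaped key blob (wire-format type prefix + 32 placeholder bytes), not a real key."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(label.encode()).digest()
    return base64.b64encode(raw).decode()


# Constructed sample: what a collector might pull from three managed servers. One shared
# management key is authorized on web01 and web02; db01 has a key pinned to a source IP.
SHARED = _fake_blob("management-box-shared")
SAMPLE_AUTHORIZED_KEYS = {
    "web01": [f"ssh-ed25519 {SHARED} ops@mgmt"],
    "web02": [f"ssh-ed25519 {SHARED} ops@mgmt", f"ssh-ed25519 {_fake_blob('web02-only')} deploy@web02"],
    "db01": [f'from="10.0.0.5",no-agent-forwarding,no-port-forwarding ssh-ed25519 {_fake_blob("db01-only")} ops@db01'],
}

if __name__ == "__main__":
    report = audit(SAMPLE_AUTHORIZED_KEYS)
    for fp, hosts in report["reused"].items():
        print(f"REUSED       {fp} on {', '.join(hosts)}")
    for fp, hosts in report["unrestricted"].items():
        print(f"UNRESTRICTED {fp} on {', '.join(hosts)}")
```

Run against real input by replacing `SAMPLE_AUTHORIZED_KEYS` with the contents of each server's `authorized_keys`; a fingerprint listed under both REUSED and UNRESTRICTED is exactly the single-key-to-everything setup the post describes.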