Disgruntled VA changed root password

Jun 15, 2011
On the 11th, I left a 3 star review for a VA on oDesk.

On the 12th, he logged into cPanel and changed the account email as well as password for root and a user account.

WTF man. I've reported him to oDesk with all the evidence saying it was him. I told oDesk to ban this mother fucker but, god damn it, I'm paranoid that the next time something like this would happen, the dude's gonna be smarter and SSH into the server as root and rm -R /

Is this a freak occurrence or is security with VAs something that's worth looking into?
 


shit like this happens all the time

similar thing happened to me except the VA added me from a different skype pretending to be a hacker who had root to the specific project he had access to
demanded $1000 BTC in broken-ass Indian English or else it'd all be gone

skype resolver showed that my VA and the "hacker" were sharing the same IP address, i just booted into safe mode, changed root pw and removed his key and then told him to fuck off

ever since i've only ever handed out very strict perms that can't be elevated to do anything serious
 
Change your sshd conf settings so that it does not allow cleartext password logins. This way you can only login using an ssh key.

PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

Install fail2ban so it blocks all of his IPs when he tries to log in with a password

Create a tar backup of your server (Full Hard-Drive Backup with Linux Tar)

Add iptables rules to only accept SSH connections from YOUR IP

Most importantly: What other people already said, lock your shit down then give the review, lol
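Added example (not from the thread or any poster): a small POSIX sh script that applies the three sshd_config directives above correctly and shows what sshd will actually use. It assumes the config path is passed as the first argument (normally /etc/ssh/sshd_config).

```shell
#!/bin/sh
# Added example, not from the thread: make the three sshd_config directives
# from the post above take effect, and verify what sshd will actually use.
# $1 is the config file to edit (assumption: normally /etc/ssh/sshd_config).
# Before running this on a real host, confirm your own public key is already
# in ~/.ssh/authorized_keys and keep a second session open, or the key-only
# policy locks you out together with the ex-VA.
set -eu

DIRECTIVES='PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin'

harden_sshd_config() {
    cfg="$1"
    tmp="$cfg.tmp"
    # sshd uses the FIRST value it sees for a keyword, and anything after a
    # "Match" line only applies inside that block. So: strip every existing
    # copy of the three keywords (commented or not, inside Match blocks too,
    # which also drops any per-user exception) and put ours at the very top.
    {
        printf '%s\n' 'PasswordAuthentication no' \
                      'ChallengeResponseAuthentication no' \
                      'PermitRootLogin no'
        grep -Eiv "^[[:space:]]*#?[[:space:]]*($DIRECTIVES)([[:space:]]|=)" "$cfg" || true
    } > "$tmp"
    mv "$tmp" "$cfg"
}

# Print the value sshd will use globally for one keyword: the first
# uncommented match before any Match block (mirrors sshd's first-match rule).
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
        /^[[:space:]]*#/ || NF < 2         { next }
        tolower($1) == tolower(key)        { print $2; exit }
    ' "$1"
}

# Stand-alone use:  sh harden_sshd.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    harden_sshd_config "$1"
    for k in PasswordAuthentication ChallengeResponseAuthentication PermitRootLogin; do
        printf '%s %s\n' "$k" "$(effective_value "$1" "$k")"
    done
fi
```

On a live host, follow up with `sshd -t` (syntax check) and `sshd -T` (dump the effective config) before restarting the service; neither is run here.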
 
 
I'd really like to learn more about this stuff to prevent this from happening, but I want to also understand what I'm doing.

Is there a site that explains all of this techno mumbo jumbo and what a disgruntled worker can do to your server with the access you've given him?
 
Unless you're pretty technical yourself I don't think there is a way to know how completely locked down your stack is other than to trust somebody who is technical.

Anybody you give access to something you should assume that they can do the worst. Anybody you give access to you should give them the least amount of access for the task they are doing. And after you are done giving them access you should change the passwords.
 
Holy like jackpot!

Seriously though, cPanel is a piece of piss. When you're giving one of your hirees access to your server, you create them a user account that doesn't have root access. You can restrict it to just one domain if that's all they're working on, make them a unique FTP account, etc. etc. You don't just give them wholesale access to the whole lot. If you do, obviously you change the password before you fire them and leave them a bad review :eek7: Derp.

Or hire skilled workers that have a good reputation that you can trust, like our friend BlogHue, for example.
 
I doubt sanjeep was crafty enough to do more than change the passwords. You should also check your crontab to make sure he didn't schedule stuff to be deleted or schedule an account to be created for him daily/weekly.
 
How well does this guy know his way around a server? If it's at all decent, you should really wipe your server and start fresh, eh? It's pretty much your only option. If he knows what he's doing, then you probably have trojans and rootkits all over the place, some of which the standard detection tools won't even pick up.

Once you do get a fresh box, get someone to configure AIDE for you (Advanced Intrusion Detection Environment). It's free software, widely available to all distros, and with it you'd be able to easily see EXACTLY which files were modified / added / deleted by him. It hashes and monitors all files on the server, so if anyone ever modifies anything without your permission, you're going to know about it.
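Added example (not from the thread, and not AIDE itself): the mechanism AIDE is built on, written in plain shell so the "modified / added / deleted" report above is concrete. Directory and baseline paths are passed as arguments (assumptions), and it assumes GNU coreutils `sha256sum`.

```shell
#!/bin/sh
# Added example, not from the thread and not AIDE: hash every regular file
# under a directory into a baseline, then diff a fresh scan against it.
# $1 = directory to watch, $2 = baseline file (both assumptions). Keep the
# baseline somewhere the worker account cannot write, or it can simply be
# regenerated after the files have been changed.
set -eu

# Baseline/scan format, one file per line: "<sha256>  <relative path>".
# Relative paths (via cd) keep the baseline valid if the tree is restored
# elsewhere; "-exec ... +" avoids xargs and copes with an empty tree.
scan_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# Rescan and print one line per difference against the baseline, sorted.
# Prints nothing when the tree is unchanged.
integrity_check() {
    dir="$1"; baseline="$2"
    current=$(mktemp)
    scan_tree "$dir" > "$current"
    # sha256sum separates hash and path with exactly two spaces; splitting
    # on that keeps paths that contain single spaces intact.
    awk -F'  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # pass 1: baseline
        {                                              # pass 2: current scan
            if (!($2 in base))       print "ADDED    " $2
            else if (base[$2] != $1) print "MODIFIED " $2
            seen[$2] = 1
        }
        END { for (p in base) if (!(p in seen)) print "DELETED  " p }
    ' "$baseline" "$current" | LC_ALL=C sort
    rm -f "$current"
}

# Stand-alone use:  sh integrity.sh init DIR BASELINE    (record baseline)
#                   sh integrity.sh check DIR BASELINE   (report changes)
case "${1:-}" in
    init)  scan_tree "$2" > "$3" ;;
    check) integrity_check "$2" "$3" ;;
esac
```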
 
I'd really like to learn more about this stuff to prevent this from happening, but I want to also understand what I'm doing.

Is there a site that explains all of this techno mumbo jumbo and what a disgruntled worker can do to your server with the access you've given him?

I don't have any single site link that would explain everything. As an overview it boils down to

Securing the way they connect to the server.
Restricting permissions and access on their user account
Intrusion detection and blocking people from access
Logging and keeping records of what they do if you need to reverse something
Understanding that root access can do anything to the server, so don't give root access out lightly

Each topic can easily get complicated and lengthy depending on how far you want to go.

A great solution is to use a script that sets all of this up for you. Figure out what you want, how
you want your box locked down, and just use a script to deploy those programs and settings for you.
This gives you reliability and accountability. This pays for itself once you use it on a second or even a third
server. Installing all this crap by hand is tedious, and getting configurations right is also boring. Automation
is key.

To make the point clearer, let's say you just setup a digital ocean server. Do you really want to install
15 packages, and configure each one of them manually? Are you sure you got all the settings? Did
you forget something? Did you say fuck it half way through? Did you just end up giving your VA root
access because you didn't know how to setup an account or configure sudo? Are you okay running
your business on a server that is running old software and has GayDaddies defaults?

You could have your script setup all your packages, configure your SSH, OpenVPN server, firewall settings,
logging utilities, email reports, security settings, intrusion programs, and whatever else you need. You know
what your server can and can't do. You have account types for each type of worker, the ones you trust and don't
trust.


If you want to know for yourself start googling stuff.

Here are some topics to look into
How to secure SSH
How to configure fail2ban
How does OpenVPN work
How does iptables work
Bash scripting
Chef or Puppet tutorials (if you have a lot of servers)
How does sudo work

If you just want to be easy and painless just hire someone who can just write a script that you can re-use.
 
I'd really like to learn more about this stuff to prevent this from happening, but I want to also understand what I'm doing.

Is there a site that explains all of this techno mumbo jumbo and what a disgruntled worker can do to your server with the access you've given him?

I recently wanted to do this and ended up following this guy. Not sure how much techno stuff you know but it was pretty good in breaking down everything.

https://www.digitalocean.com/community/tutorials/an-introduction-to-securing-your-linux-vps
 
On the 11th, after I gave him the 3 star review, he begged me over oDesk PM to change it, stating that oDesk was his only source of income and that he has a wife and two small children.

Today, the 15th, I receive an email from oDesk saying that his account is suspended until me and him have resolved things. Not happening.

Now, dude, dude's wife, and dude's two small children are hopefully hungry and homeless. What a little fucker. Why would you do some dumb shit like that when you have kids.

I did a further inspection and found out the dude changed my WP logins as well. It took another VA 2 hours to change all the passwords via SQL.

This shit was fucking retarded.
 
On the 11th, after I gave him the 3 star review, he begged me over oDesk PM to change it, stating that oDesk was his only source of income and that he has a wife and two small children.

Today, the 15th, I receive an email from oDesk saying that his account is suspended until me and him have resolved things. Not happening.

Now, dude, dude's wife, and dude's two small children are hopefully hungry and homeless. What a little fucker. Why would you do some dumb shit like that when you have kids.

I did a further inspection and found out the dude changed my WP logins as well. It took another VA 2 hours to change all the passwords via SQL.

This shit was fucking retarded.

Make sure you follow up your review with that information about him changing all your passwords because of the bad review. Lets anyone else thinking of hiring the guy know what kind of a tool bag he is. It's possible oDesk will eventually reopen his account, I've seen it happen before, so it's good to make sure all this is documented.