Outsourced programmer installs brute force program on server

snguyen

New member
Apr 20, 2010
So I hired a programmer on Odesk and randomly the VPS that I bought strictly for development of this script gets shut down.

I get an email saying that there was a program installed on my VPS that was brute forcing servers.


How would I go about finding this brute force program?

Also, the programmer has done great work so far. Would you guys still pay him in this position? How about keeping him for further development?
 


How about confronting your programmer? Another thing being that he could be creating shitty software for you that gets hacked pretty easily?
 
So I hired a programmer on Odesk and randomly the VPS that I bought strictly for development of this script gets shut down.

I get an email saying that there was a program installed on my VPS that was brute forcing servers.


How would I go about finding this brute force program?

If it's a virtual machine how about backing up your data and having the provider provision a new instance with a fresh OS image? Restore your data and go about your business without having to worry about if there are other programs or back doors you missed.

Also, the programmer has done great work so far. Would you guys still pay him in this position? How about keeping him for further development?

Are you fucking retarded?
 
It's a bit premature to blame the developer for a brute-force program on the VPS. You need more info before you can decide that it was the developer's fault. And even if he had written injectable/exploitable code, do keep in mind that he is not necessarily a security expert. If you want air-tight security you need to hire a specialist to audit the code. Listen to lord b.
 
Look for hacked type files. Look at the modification dates of folders and files. Look into the folders some and check them out.

.htaccess been changed? Any new FTP users or other nonsense?
 
"Brute forcing servers" is a huge statement. Get more details. What program was doing the brute forcing?

It could be completely unrelated to your dev effort. When I bring new machines online they are being poked and prodded within 60 minutes with people looking for holes.
 
It could be completely unrelated to your dev effort. When I bring new machines online they are being poked and prodded within 60 minutes with people looking for holes.

It's damn nearly a requirement to run firewalls on EVERYTHING nowadays. I've seen VPSes get rooted with secure passwords in a matter of minutes just because of the massive amounts of bots hammering.

Check out CSF. It will run MD5 tests on your files, detect when things change and email you about it. Of course it won't help you that much seeing as you're already infected.
 
What kind of server is it? It is most likely running some version of Windows Server or Unix/Linux. If you are the server admin, you should know how to find a running process and kill it.

I also agree that "brute forcing servers" does not really make sense. Password file hashes get brute forced, prompts, etc. get brute forced. How is this happening? Either way, like I said, as a server admin you should be knowledgeable of every process running on your system and know how to kill it.

Also agree with the MD5 checksum statement made ^
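The MD5 file-check idea from the two posts above, and the "look at modification dates" advice earlier in the thread, as an added example that is not CSF's code or anything posted in this thread: take a hash baseline of a web root, then diff it later to list files that appeared, vanished or changed. The web-root layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk=65536):
    """MD5 of a file's content, read in chunks so big files are not loaded whole.
    MD5 is what the thread mentions; hashlib.sha256 is the better choice today."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root):
    """Map each regular file under root (path relative to root) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline

def compare(baseline, current):
    """Files added, removed, or changed in content since the baseline was taken.
    Hashes, not mtimes, are the ground truth: an intruder can reset mtimes with
    touch, but a modified file cannot hash to its old value."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def demo():
    """Constructed web root (assumed layout): baseline it, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        files = {"index.php": b"<?php echo 'hi';", ".htaccess": b"Options -Indexes",
                 "inc/db.php": b"<?php // db settings"}
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # Simulate the symptoms the thread lists: an unknown file dropped in,
        # .htaccess edited, and an include deleted.
        with open(os.path.join(root, "inc", "unknown.pl"), "wb") as f:
            f.write(b"# constructed placeholder file")
        with open(os.path.join(root, ".htaccess"), "ab") as f:
            f.write(b"\n# tampered")
        os.remove(os.path.join(root, "inc", "db.php"))
        return compare(baseline, build_baseline(root))
```

Store the baseline somewhere the web server cannot write to, or the intruder simply rewrites it along with the files.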
 
It's a bit premature to blame the developer for a brute-force program on the VPS. You need more info before you can decide that it was the developer's fault. And even if he had written injectable/exploitable code, do keep in mind that he is not necessarily a security expert. If you want air-tight security you need to hire a specialist to audit the code. Listen to lord b.

True, or make sure your programmer has security in mind whilst writing the code. So many scripters/programmers are just concerned with getting their program to work right rather than worrying about injectable code.
 
It's a bit premature to blame the developer for a brute-force program on the VPS. You need more info before you can decide that it was the developer's fault. And even if he had written injectable/exploitable code, do keep in mind that he is not necessarily a security expert. If you want air-tight security you need to hire a specialist to audit the code. Listen to lord b.

Oh really? It's pretty common knowledge that your programs, wherever the user is going to enter data, need to be escaped so that code injection doesn't happen. If a developer doesn't do that, then they need to be canned.

Also, if the developer doesn't know, or recognize, that file permissions for CHMOD for files should be 644; then they need to be canned as well.

That's just basic stuff.
 
It's damn nearly a requirement to run firewalls on EVERYTHING nowadays. I've seen VPSes get rooted with secure passwords in a matter of minutes just because of the massive amounts of bots hammering.

Check out CSF. It will run MD5 tests on your files, detect when things change and email you about it. Of course it won't help you that much seeing as you're already infected.

When I buy a VPS from one of my two favorite vendors, both come pre-configured so that five failed login attempts within 300 results in an IP block.

Knock on wood, not one hacked yet. But I buy from liquid web and canadianwebhosting, and pass on the cheap stuff
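The "five failed logins in a window gets the IP blocked" rule described above, as an added example that is not the hosts' or CSF's code: it reads OpenSSH "Failed password" lines, keeps a sliding window of failures per source IP, and reports which IPs would have been blocked and when. Assumptions: the window is 300 seconds, the log year is 2010 (syslog timestamps carry none), and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH "Failed password" lines as syslog writes them (no year in the timestamp).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse_failure(line, year=2010):
    """(timestamp, user, ip) for a failed-login line, None for anything else."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def find_offenders(lines, threshold=5, window=300):
    """IPs that reach `threshold` failures inside any `window`-second span,
    mapped to the time the block would have been applied (first trigger only)."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    blocked = {}
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, _user, ip = parsed
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop failures that aged out
            q.popleft()
        if len(q) >= threshold:
            blocked[ip] = ts
    return blocked

# Constructed sample: one IP hammering root, one legitimate user fumbling slowly.
SAMPLE_LOG = """\
Apr 20 03:14:01 vps sshd[2131]: Failed password for root from 203.0.113.7 port 51234 ssh2
Apr 20 03:14:03 vps sshd[2133]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Apr 20 03:14:05 vps sshd[2135]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 20 03:14:08 vps sshd[2137]: Failed password for root from 203.0.113.7 port 51244 ssh2
Apr 20 03:14:10 vps sshd[2139]: Failed password for root from 203.0.113.7 port 51250 ssh2
Apr 20 03:20:00 vps sshd[2150]: Failed password for deploy from 198.51.100.9 port 40001 ssh2
Apr 20 03:31:00 vps sshd[2160]: Failed password for deploy from 198.51.100.9 port 40002 ssh2
Apr 20 03:42:00 vps sshd[2170]: Failed password for deploy from 198.51.100.9 port 40004 ssh2
Apr 20 03:42:05 vps sshd[2171]: Accepted password for deploy from 198.51.100.9 port 40005 ssh2
"""
```

Running `find_offenders(SAMPLE_LOG.splitlines())` flags only 203.0.113.7; the slow user stays under the threshold because the window slides, which is the behaviour that keeps such a rule from locking out real admins.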
 
It's damn nearly a requirement to run firewalls on EVERYTHING nowadays. I've seen VPSes get rooted with secure passwords in a matter of minutes just because of the massive amounts of bots hammering.

It is more likely that an administrator account on the host OS was hacked or there is a leak at the hosting company itself. Brute forcing a secure password is very time consuming unless the hosting company provides the same or similar version of the "secure" password to everyone.
 
All it really takes is for a bot to hit something on your server before it's patched. If the software the programmer's writing is insecure, how would anyone really know?

Your provider isn't going to accept blame. I had to argue with a host when a client's site got defaced years back because they were saying I had to be running insecure scripts... on a static site. Then it was my fault because I had chmod'd the directory to be writable by root. OK, well who's responsible for letting some muslim extremist haxer get root on the server?

OK I'm calmed down now.