Archive for January, 2005

I’m high up on a tightrope

Brooke rules! This morning she battled her way through congested phone lines and unresponsive servers and came up good with two prime tickets to see Kylie at the Burswood Dome.

Last time Kylie was here (which was about 4 or 5 years ago) I had a nasty girlfriend who said I couldn't go because it was a "girls night out." Then she went with her mum, sister and two other guys who were here from the UK. They didn't count because they were gay. Yeah, whatever.

I'm not bitter. At least I don't have kids and will be able to afford it ;)

List all your packages on Ubuntu or Debian

Adam's just switched to Ubuntu and I used this to list all the packages on my system:

dpkg --get-selections | grep '\<install\>' | cut -f1 | sort > packages

And he can use this to install those packages on his system:

sudo apt-get install `cat packages`

I think the output of dpkg --get-selections can be piped directly back into dpkg --set-selections but this works.

Crack Attack

At around 4:00AM this morning Prime was attacked.

We traced the source of the attack to a bug in awstats. We use(d) awstats to display usage statistics for our customers.

The exploit was used to install this root kit. Because of the firewall we have in place, nothing too bad has resulted. We are treating the machine as tainted, and will be replacing it over the coming days.

I expect that a web crawler first searched for domains that had awstats installed on them (by checking for http://domain.com/cgi-bin/awstats.pl). Once a target machine was found, the command was passed to awstats to download and install the root kit. It also appears that the perl file (awstats.pl) was removed from the system, which has prevented anyone else getting into the machine the same way. How thoughtful...
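The probe-then-inject pattern described above can be looked for in the web server's access log. The following is an added example, not code from the original post: it groups requests for awstats.pl by client and flags any query-string value that contains shell metacharacters once URL-decoded. The log lines are constructed, and the parameter name `opt` is hypothetical.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample lines in Apache combined log format (not from the incident).
# "opt" is a hypothetical parameter name; "config" is awstats' normal site selector.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2005:03:58:11 +0800] "GET /cgi-bin/awstats.pl HTTP/1.0" 200 5120 "-" "-"
198.51.100.4 - - [30/Jan/2005:04:01:02 +0800] "GET /cgi-bin/awstats.pl?config=example.com HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jan/2005:04:03:40 +0800] "GET /cgi-bin/awstats.pl?opt=%7Cid%7C HTTP/1.0" 200 612 "-" "-"
203.0.113.7 - - [30/Jan/2005:04:03:52 +0800] "GET /cgi-bin/awstats.pl?opt=a%3Buname%20-a HTTP/1.0" 200 540 "-" "-"
192.0.2.9 - - [30/Jan/2005:04:10:00 +0800] "GET /index.html?q=a%7Cb HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# client, timestamp, request target, status
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Characters a shell treats specially; checked only after URL-decoding each value.
SHELL_META = re.compile(r"[|;`$<>\n]|&&")


def scan(log_text, script="/cgi-bin/awstats.pl"):
    """Group requests for `script` by client and flag shell metacharacters
    in any URL-decoded query-string value."""
    report = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, target, status = m.groups()
        path, _, query = target.partition("?")
        if path != script:
            continue  # metacharacters sent to other URLs are out of scope here
        entry = report.setdefault(ip, {"hits": 0, "suspicious": []})
        entry["hits"] += 1
        for name, value in parse_qsl(query, keep_blank_values=True):
            if SHELL_META.search(value):
                entry["suspicious"].append((when, name, value, status))
    return report


if __name__ == "__main__":
    for ip, entry in scan(SAMPLE_LOG).items():
        print(ip, entry["hits"], "hits")
        for when, name, value, status in entry["suspicious"]:
            print(f"  {when} {name}={value!r} -> HTTP {status}")
```

A client that first requests the bare script and then sends flagged values, as 203.0.113.7 does in the sample, matches the sequence the post describes.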

The NetFlow data that Jono collects from his Cisco router may tell us where the attack came from, but only if it was outside of WAIX. He uses this for billing purposes, and WAIX traffic is free. My bet is that it was a hacked machine in China or Russia that was being used as a zombie to attack others.

I'm glad that it wasn't a personal attack, because we could have had much more dangerous repercussions (lost client data, locked out of our own machine, stolen passwords).

If you have awstats on your machines, you'd better make sure that it's v6.3 or later!

Edit: 30/01/2005 - 4:02PM
Things we learnt:

  • The attack happened at 4:03AM, but as chance would have it, Jono's syslog server ran out of disk space around that time, so the NetFlow data was lost! Argh.
  • Remote syslogging is a good idea. syslog-ng is what I need to investigate.
  • chkrootkit is great. It checks for root kits, as the name would suggest, and helped us uncover a few files that we didn't know were messed with.
  • Having a backup copy of your system and data is essential. Whilst we haven't bare-metal restored, we could get known good copies of /bin/ls and the like.
  • chattr and lsattr are good for finding more out about a file's attributes.
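
One way to make use of known-good backup copies, as in the lesson above, is to compare each file on the suspect system against its backup by hash and permission bits. This is an added example, not code from the original post; the function names and the relative-path convention are assumptions.

```python
import hashlib
import os
import stat


def fingerprint(path):
    """Return (sha256 hex, permission bits) for a file, or None if it is absent."""
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink swapped in for a binary
    except FileNotFoundError:
        return None
    if not stat.S_ISREG(st.st_mode):
        return ("not-regular-file", stat.S_IMODE(st.st_mode))
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return (h.hexdigest(), stat.S_IMODE(st.st_mode))


def compare_to_backup(live_root, backup_root, rel_paths):
    """Compare files under live_root with known-good copies under backup_root.

    rel_paths are relative (e.g. "bin/ls"), so the same list works against a
    mounted disk image and a restored backup tree. Returns (path, finding) pairs.
    """
    findings = []
    for rel in rel_paths:
        live = fingerprint(os.path.join(live_root, rel))
        good = fingerprint(os.path.join(backup_root, rel))
        if good is None:
            findings.append((rel, "no known-good copy"))
        elif live is None:
            findings.append((rel, "missing on live system"))
        elif live[0] != good[0]:
            findings.append((rel, "content differs"))
        elif live[1] != good[1]:
            findings.append((rel, "mode differs"))
    return findings


if __name__ == "__main__":
    # Assumed layout: suspect disk mounted at /mnt/suspect, backup at /mnt/backup.
    for rel, finding in compare_to_backup(
        "/mnt/suspect", "/mnt/backup", ["bin/ls", "bin/ps", "bin/netstat"]
    ):
        print(f"{rel}: {finding}")
```

Run it from a trusted machine against the mounted disk rather than on the tainted host, since the host's own tools and libraries may have been replaced.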

I'm glad the lessons haven't been too expensive; it's meant that we've needed to fast-track some of the plans we had for moving services off to other machines, and getting some equipment out at Steve's.

IRC server is back

A few of you might remember back to the old IRC server (irc.comowireless.net) we had running in Como when I lived next to Adam. It was good because at the time we were all kind of dispersed, with Adam and I living in Como; Mark, Em and Rich, and Hale were all in South Perth; Steve was in Doubleview with his brother; Carrie, Radford and Jack were in the hills and undoubtedly others were elsewhere.

The server got shut down when Adam and I moved into Sandgate along with Steve. Around that time we also got our laptops, and found that it was a pain (we're lazy, I know) to have to remember to fire up IRC each time we went either to or from the office. It died a natural death.

Carrie and I were reminiscing the other day about how it was cool having a place you could "drop in" and there was a good chance that you'd find someone to chat with. As she said, many a movie night was organised through the IRC server. I have suspend working fine on my laptop, and XChat will automatically connect if I leave it open - when I go to work or come home and connect to the network it will resume my IRC session.

This got me thinking, and installing. I'm running a new IRC server on Falcon, my Sun Ultra 5. You can connect to it at irc.lambie.org if you want to join in. The channel #yoyoma is where I'll be.

I have reservations about how stable my ADSL link will be, so if it does prove popular, I'll move the service onto Prime, our webserver for work. This is more of an experiment to see if anyone actually thinks it's worthwhile. It may be that now we've all grown up and gotten real jobs we don't have time to sit on IRC during the day. For me it was more of a window in the background that I'd check every hour or so - people could leave messages there.

If you need a decent Windows IRC client, check out mIRC. I used to use this when I was a Windows pleb ;)

Wicked: Skimpy-Cut Bikinis

These are definitely wicked.

They come in pink, blue, orange and red. Frills are optional. Maggie looks quite the delight in her pink pair ;)

Check them out.