I had a hacker on one of my sites over the weekend. Found a root kit hidden away which I removed but not after he found a way to add some text to one of my webpages.
So I started by adding his IP address to my block list, but apparently that’s easier said than done with the ‘cloud’. In the cloud sometimes the server isn’t really sure where the actual request is coming from, apparently.
But fear not, I got this nugget back from Mosso support (after 48 hours or so–come on guys, security issues should be answered immediately)
]]>Unfortunately there are some issues with being able to block by IP
address on the cloud using the standard methods. Because of our load
balancer and clustered environment the IP address in the REMOTE_ADDR
will not be the end users.You can however use the following:
SetEnvIf X-Cluster-Client-Ip 11.11.11.11 block
Deny from env=blockin your .htaccess to block access to your site via IP. Just replace
11.11.11.11 with the IP address you want to block.
Hi,
I’m curious how you found the root kit on the cloud, and what the attacker’s ip address was? was it in the rootkit?
Hi,
I’m curious how you found the root kit on the cloud, and what the attacker’s ip address was? was it in the rootkit?
It was c99madshell and another variant, which isn’t necessarily a rootkit but a nasty file manipulation program. Saw hits on it in the raw log files which I enabled and viewed following the hit.
It was c99madshell and another variant, which isn’t necessarily a rootkit but a nasty file manipulation program. Saw hits on it in the raw log files which I enabled and viewed following the hit.