Downtime this week

    This was a rough week for the JMSNews site. The trouble began on Monday when I received notice that the server's port had been shut off due to violations of the host's acceptable use policy. I sent mail and opened a service ticket with the host to find out the nature of the problem. Despite many attempts to contact technical support, I did not receive an update until Tuesday morning. At that point they informed me that the machine had been the source of attacks on other machines in their data center. This meant that a hacker had rooted the box and was using it as an intermediary to carry out malicious activity. They were correct to remove the server from the network, but I wish they had done a better job at informing me of the situation in a timely fashion. At that point I began the process of recovering the machine configuration and site.

    After a system has been compromised, the only way to be sure it is clean of any backdoors is to flatten it and rebuild. I couldn't trust the files from the compromised system or even recent backups because it was unknown how far back the system had been compromised. The process of recovering the server involved reinstalling the components from trusted sources and carefully evaluating the security each step of the way. The only data that I carefully moved over from the old server was the message archive and vBulletin database. Along the way I identified what I believe was the vulnerability that allowed the malicious user to get a foothold on the machine. I corrected that problem and have taken a number of measures to further lock down the server. This was the first security issue in the site's 4+ year history and hopefully it will be the last.

    Thank you for your patience this week.