July 08, 2002
Romanian Rootkit

My server is back up, after having been vandalized by some hackers using something called a "Romanian Rootkit". There are apparently some unemployed kids in Bucharest who have nothing better to do than to break into and cause havoc on random computers in other countries. They exploit a flaw in the system and plant trojan horse code that is then supposed to send passwords and other sensitive data to the hacker over an IRC network. The hacker monitors this traffic with a "bot", and when they get an actual password they come back through the front door and cause some real damage. In spite of all the wonderful things about IRC, the people who operate CAIS.net and undernet.org should be held accountable for their liability in creating a public nuisance.

This is the first time my public server has been broken into in the nearly 3 years that it's been up. I'm pretty good about security, but I made a mistake when changing a security configuration file on Saturday and inadvertently left a gaping hole. It only took a few hours for the flies to come to the honeypot. Fortunately, I caught the attack before they could cause more trouble than they did. None of my business data was compromised, but it took my entire Sunday to get everything back to normal. Everything seems fine now. I turned on email just a few minutes ago and I already received an ad for Herbal Viagra.

I'm no longer convinced that Linux is substantially more secure than Windows. While researching my "rootkit" problem I learned about a zillion ways in which the Linux kernel is vulnerable, and it would be a full-time job to stay ahead of all of them. The Windows viruses and worms seem to be a bigger problem, I suspect, simply because there are so many more Windows machines out there. Still, I have much more knowledge about Linux than I do about Windows, so I'm staying with the Penguin. I also think that server vandalism is going to continue to be a bigger problem as time goes on, so the best defense is not only preventative (which will never be perfect) but restorative, i.e. expect an attack at any time and always have all your ducks in a row to rebuild a working system as quickly as possible.
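A rootkit of the kind described above typically replaces system binaries (ps, ls, netstat and the like) with trojaned copies that hide the intruder's processes and connections, so knowing what a clean system looks like before the break-in is the practical half of "having your ducks in a row". The following is an added example, not the author's own tooling: a minimal file-integrity baseline in Python that records a SHA-256 digest and permission bits for a list of files and later reports anything modified, missing, or with changed mode. The file names and the simulated "trojaning" in `demo()` are constructed for the example.

```python
"""Minimal file-integrity baseline: record digests and modes, then diff.

Added example (not from the original post). Assumes a POSIX filesystem;
the "binaries" created in demo() are constructed stand-ins, not real tools.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, names):
    """Return {relative name: {sha256, mode, size}} for each listed file.

    In real use, write this out to read-only or off-host storage at install
    time; a baseline kept on the same disk can be edited by the intruder.
    """
    baseline = {}
    for name in names:
        p = Path(root) / name
        st = p.stat()
        baseline[name] = {
            "sha256": sha256_of(p),
            "mode": st.st_mode & 0o7777,   # permission bits incl. setuid/setgid/sticky
            "size": st.st_size,
        }
    return baseline


def verify(root, baseline):
    """Compare the live files against the baseline.

    Returns a list of (finding, name) tuples. Content changes take priority
    over mode changes so a trojaned binary is reported once, as "modified".
    """
    findings = []
    for name, rec in baseline.items():
        p = Path(root) / name
        if not p.exists():
            findings.append(("missing", name))
            continue
        st = p.stat()
        if sha256_of(p) != rec["sha256"]:
            findings.append(("modified", name))
        elif (st.st_mode & 0o7777) != rec["mode"]:
            findings.append(("mode-changed", name))
    return findings


def demo():
    """Build a fake bin/ tree, baseline it, simulate a rootkit, and verify.

    Constructed scenario: ps is replaced with a copy that filters output,
    ls gains the setuid bit, and netstat is deleted outright.
    """
    with tempfile.TemporaryDirectory() as d:
        names = ["bin/ps", "bin/ls", "bin/netstat"]
        for n in names:
            p = Path(d) / n
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"#!/bin/sh\necho legit " + n.encode() + b"\n")
            p.chmod(0o755)

        baseline = build_baseline(d, names)

        # Simulated post-compromise state (constructed for the example).
        (Path(d) / "bin/ps").write_bytes(b"#!/bin/sh\n/bin/ps.orig | grep -v irc\n")
        (Path(d) / "bin/ls").chmod(0o4755)
        (Path(d) / "bin/netstat").unlink()

        return sorted(verify(d, baseline))


if __name__ == "__main__":
    for finding, name in demo():
        print(f"{finding:13s} {name}")
```

One caveat a practitioner should keep in mind: if the rootkit has replaced the very tools this script relies on (or patched the kernel), a check run from the compromised host can be lied to. Run the verification from rescue media or a known-clean boot against the mounted disk, and keep the baseline somewhere the intruder cannot reach.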

In the meantime, if anybody happens to know the guy who was dialed in from Bucharest at IP address 213.233.111.47 at 1242GMT on Sunday, please slit his throat for me.

Posted by Stefan Sharkansky at July 08, 2002 07:00 AM
Comments

bla bla

Posted by: cosmin on October 13, 2002 11:53 AM

hehehe.. that's so lame..

Posted by: dude on April 20, 2003 07:31 AM

check out selinux, you twit

Posted by: clawbrach on August 15, 2005 08:51 AM