Well... Too bad: my server was hacked by someone, who injected some zombie code to attack other servers. I found that out last night, cleaned out the zombie code, changed the admin password and so on. BTW, it was still too late: No-IP had already blocked my user account... I should check my server more often.
Anyway, I just created another new account and temporarily moved the site to http://edin.no-ip.info/. Whenever the problem is solved, I will move back to http://edin.no-ip.com/. Sorry for any inconvenience due to the server downtime and migration :-(
Update (2008-05-14): Thanks to the help of Adam LaForge, the Manager of No-IP Technical Support, the domain name is now back. As the No-IP Support Ticket System promises a response within 24hrs, after I provided a detailed report about my site's illegal traffic and what I had done as follow-up action, Adam gave me a fast and kind warning and activated my No-IP user account once again.
As a repair action, I have upgraded to the latest Debian packages with:

apt-get update && \
apt-get upgrade -y && \
apt-get dist-upgrade -y && \
apt-get clean && \
apt-get autoclean && \
apt-get autoremove

I also installed tripwire for system monitoring (I may write detailed instructions for tripwire soon):

apt-get install tripwire

The most likely cause of the system hijack that I am able to figure out is the critical bug in Debian's OpenSSH package (http://www.debian.org/security/2008/dsa-1571). This announcement, published on 2008-05-13, affects MOST Debian-based systems since 2006-09-17. As my server was hacked on the night of 2008-05-12, with the hacker running as root from a remote host, I can only guess this was an unlucky 0-day attack (http://en.wikipedia.org/wiki/Zero-Day_Attack).
I first noticed this critical problem when there was an abnormal update of the OpenSSH package during the system upgrade: it asked me to regenerate ALL SSH certificates if possible; on the other hand, when I double-checked my archived Debian Security mailing list records, I finally realized how complicated and critical this problem is... Again, I should check my email messages more often and in more detail...
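
One way to audit for the keys that the update asks to be regenerated, as an added example (not code from this post or from Debian): Debian published blacklists of the affected key fingerprints in the openssh-blacklist package, and the Python below checks authorized_keys lines against a list in that format. The key blobs and the blacklist here are constructed sample data, and all function names are hypothetical.

```python
import base64
import hashlib
KEY_TYPES = ("ssh-rsa", "ssh-dss")  # RSA and DSA public key lines

def blacklist_entry(blob):
    # Blacklist format: lower-case hex MD5 fingerprint minus its first 12 chars.
    return hashlib.md5(blob).hexdigest()[12:]

def load_blacklist(text):
    # '#' comment lines first, then one 20-character entry per line.
    return {ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def key_blob(line):
    # Find the key-type token (options may precede it) and decode the blob after it.
    fields = line.split()
    for i, field in enumerate(fields[:-1]):
        if field in KEY_TYPES:
            try:
                return base64.b64decode(fields[i + 1], validate=True)
            except ValueError:  # malformed base64: not a usable key
                return None
    return None

def audit(authorized_keys, blacklist):
    # Return (line number, last field) for every key found on the blacklist.
    hits = []
    for n, line in enumerate(authorized_keys.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        blob = key_blob(line)
        if blob is not None and blacklist_entry(blob) in blacklist:
            hits.append((n, line.split()[-1]))
    return hits

# Constructed sample data: arbitrary bytes standing in for key blobs, not real keys.
WEAK_BLOB, GOOD_BLOB = b"constructed-weak-key-blob", b"constructed-good-key-blob"
WEAK, GOOD = (base64.b64encode(b).decode() for b in (WEAK_BLOB, GOOD_BLOB))
SAMPLE_KEYS = f"""# constructed authorized_keys
ssh-rsa {WEAK} alice@old-laptop
command="uptime -p" ssh-rsa {GOOD} monitor@nagios
ssh-dss {WEAK} bob@build
ssh-rsa not*base64 broken@entry
"""
SAMPLE_BLACKLIST = load_blacklist("# constructed blacklist\n" + blacklist_entry(WEAK_BLOB))

if __name__ == "__main__":
    for n, who in audit(SAMPLE_KEYS, SAMPLE_BLACKLIST):
        print(f"line {n}: {who} is blacklisted; remove it and issue a new key")
```

Against a real system, feed `load_blacklist` the contents of the installed blacklist files and `audit` each user's authorized_keys; the fixed Debian packages also ship `ssh-vulnkey` for the same check.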

















