WELCOME!

The CMS database is the heart of any content management system. It's loss or damage will result in the loss and or damage of all of your hard work, and that of your commentators, posters, and contributors. Below, are two scripts that complement each other, one backs up the database into a SQL file, the other restores it from a SQL file.

This script also allows porting between a testing server and the on-line site. In the script is a test for a folder called testing.server, discussed in the first page of this series, which differentiates between the server on-line and the testing server.

backup_db.sh

Unusually so, actually. Some of the methods may be working. Attack vectors cycle through periodically, some brute forcing the root, some brute forcing non-existent accounts. I still haven't figured out how to trap the password strings coming in on the brute forcing. Majority of attacks last week from CN, then US.

The activity has changed to the on-line servers, where I occasionally get DOS attacks. The GoDaddy servers throttle down if they sense one going on, but sometimes mistake valid activity for a DOS attack. All that takes latency to a 3-7 second level, which is OK as long as it stays on the lower end.

A new tool that I'm learning is Metasploit. An excellent penetration testing tool, but with a fairly steep learning curve. Maybe one of these days I'll make enough money to buy the pro version…

Attacks have ceased pretty much on the testing server, but I must have pissed somebody off last night. WOOT!

DDOS attacks started in the late evening, starting probably around 21:00 through at least probably midnight. Can't actually tell because I can't access the httpd logs. The positive note is this lead to me asking GoDaddy where the httpd logs are, something I wasn't aware of (in FTP Manager). Bluehost allow access to the server logs, but Yahoo did not when I used them. It's a virtual machine so the logs don't compromize any hosting provider confidential data...

The offending IP addresses were:

• 91.121.170.124 - FR, I know the bot-net there, and they have been getting inverse “Pavolovian Dog” training. I am almost willing to bet the control node resides in this general IP area,

Today's memorable entry is from Trivandrum Kerala, India, in the State of Delhi: 117.243.250.249

They are memorable because for some reason fail2ban didn't trap them. So they got to attack the shell 495 times instead on the nominal five. Zenmap indicates an unusual setup, with some open ports that are normally filtered, and things not normally seen, such as ipp, wpgs, route, and sip. An unknown port is open at 20717.

Openvas reports 14 low level weaknesses,  with a server running at port 631. The interpretation of that is that the hacking is intentional, because without weakness present, it somewhat eliminates unintentional bots, as with the Church last week. Most of the systems examined so far have certain weaknesses present, such as http TRACE. This IP is clean of even moderate weaknesses.

Makes one wonder why they waste their