ACK! -- CONTINUED

Lucas Peet sirsky at lucastek.com
Sun Apr 20 21:39:38 CDT 2003


-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net] On Behalf Of Jonathan Hutchins
Sent: Sunday, April 20, 2003 3:18 PM
To: Bradley Miller
Cc: kclug at kclug.org
Subject: Re: ACK! -- CONTINUED

> Look, I know people get all excited and angry and want to form a lynch
> mob when they get hacked, but the truth is you didn't lose anything
> except some time.
>
> You can count the time spent as a valuable lesson in disaster recovery,
> and a penalty for failing to keep the system adequately secured.  But
> calling the cops?  "Hey, officer, I left my kitchen door open and
> someone came in and drank a glass of water!  Call the FBI!"

Jonathan is absolutely right here.

About 6-8 months ago, I had my default Apache vhost site defaced.  They
completely replaced the text of the HTML document with something to the
effect of "You've been owned by ...".  Because I don't regularly visit
my own website, it took me a few days to notice it.  By then, it was
logged on some website that keeps track of hacked websites, and everyone
knew it.

How embarrassing!  But as a sysadmin, and a hacker (true meaning, not
cracker!) at heart, as upset and embarrassed as I was, I was intrigued
as to how they managed it, since I *thought* my system was pretty well
hardened and secured.  Finding nothing unusual in the logs, and no
changes to critical binaries or files (thanks, tripwire!), I simply
replaced the file from a recent backup, and upgraded my Apache and PHP,
hoping to patch whatever hole was open (I'd heard there was a PHP upload
vulnerability, which I thought was the culprit).

Two weeks later...they did it again - double whammy, insult to injury,
and another slap in the face!!  This time I was very angry, and felt
somewhat helpless, since I could find no point of entry and nothing else
was touched (no other vhost sites, files, etc...).  I started googling
for the text they replaced my index.php with.  It came up with LOADS of
hits; they'd been hitting up hundreds of sites.  Upon visiting some of
the links, I found they'd left, on someone else's defaced site, the name
of an IRC channel and server where the group hung out.

So I went there, and started talking.  I told them they'd hacked my
site, gave the site name, and IP, and asked them how they did it so I
could fix my server from future attacks.  They apparently kept a
database of sites they hacked, and the vulnerabilities they used to get
in, or something, and simply told me to upgrade my OpenSSL packages.  I
remembered hearing something about that, but since I wasn't running any
sites that required SSL, I didn't pay much attention to it.

In the end, I upgraded my OpenSSL packages, and it's never happened
again.  But I did learn a few things.  One, I now upgrade any package
that's installed on my system with a known vulnerability - whether I'm
running/using it or not. And two, I learned that sometimes, getting
hacked can be made into a good thing, by really lighting a fire under a
sysadmin's ass and MAKING him be more security minded, less lazy, and
all in all a better sysadmin because of it.

Note of clarification - they never did actually gain shell access to my
server, they were simply able to overwrite the default index page of the
default virtual host, which happened to be my personal site, so no real
damage was done, other than to my own ego.

This is the text they replaced my index.php page with, if anyone's
interested... http://www.eccod.com/index.hacked.php

-Lucas
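An added example, not part of Lucas's post or of tripwire itself: a minimal file-integrity baseline of the kind tripwire keeps, pointed at the web document root so that a replaced index.php shows up on the next scheduled check instead of days later when someone else notices. It records a SHA-256, size and permission bits per file, stores the baseline as JSON, and diffs a fresh scan against it. The directory layout, file contents and the baseline.json location are constructed for the example; nothing here is real site data.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Snapshot every regular file under root: content hash, size and mode bits.

    Symlinks are skipped so that a link planted in the web root cannot make the
    scanner read (and hash) something outside it.
    """
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "size": st.st_size,
            "mode": oct(st.st_mode & 0o7777),
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, disappeared, or changed since the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_baseline(baseline: dict, dest: Path) -> None:
    """Write the baseline as JSON.  Keep dest outside the web root (or on
    read-only media): whoever can overwrite index.php could otherwise also
    rewrite the baseline to match."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Constructed scenario (not real data): baseline a tiny document root,
    then replace index.php the way a defacer would, drop one file and delete
    another.  Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"           # hypothetical document root
        root.mkdir()
        (root / "index.php").write_text("<?php echo 'Welcome'; ?>\n")
        (root / "about.html").write_text("<h1>About</h1>\n")
        (root / "old.html").write_text("<p>obsolete page</p>\n")

        store = Path(tmp) / "baseline.json"   # hypothetical path, outside htdocs
        save_baseline(build_baseline(root), store)

        # Simulated defacement plus one dropped file and one deleted file.
        (root / "index.php").write_text("You've been owned by ...\n")
        (root / "added.html").write_text("<p>new</p>\n")
        (root / "old.html").unlink()

        return compare(load_baseline(store), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline once after a known-good deploy, then run the comparison from cron and mail any non-empty report. Note what this does and does not buy you: it catches the defacement within one check interval, but it says nothing about how the attacker got write access, which is exactly the gap the post describes, so it complements log review and patching rather than replacing them.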



