Kuro5hin.org: technology and culture, from the trenches
What to do when you find a hole in a big site?

By evro in Internet
Wed Dec 13, 2000 at 08:44:14 PM EST
Tags: Security

This morning I got an email from root@(myhostingcompany) saying that I had done some bad thing and I was no longer allowed to login, and any further replies would be sent to the FBI. I then got an IM from a friend of mine who said "ha ha ha." I said, how did you do that? Guess how he did it? He logged into the system as root. There was NO ROOT PASSWORD.


He apparently thought the computer was mine and he was just like "ha ha ha, you don't know how to secure a linux box!!!" But when I told him it was a major hosting company, he got kind of scared and said that everything was probably being logged, etc. and he got pretty nervous. Anyway I changed the password to something other than nothing and sent the company an email berating them for their terrible security. I know they have thousands of sites hosted, and they also resell space through other people. One of the reasons I wanted hosting through somebody rather than setting up my own server is so that I wouldn't have to worry about things like security and keeping up with the patches, etc. Now I do not know what to do. The company has not responded to my email, and I have not yet given them the root pw, so I assume they will. Either that or the FBI will come knocking on my door pretty soon and confiscate all my stuff, as they are wont to do.

This was also a site that bragged about having https for secure credit-card transactions and stuff, which makes it even worse. They touted their security as being so great and now I find they have done something that even I would NEVER do, and I'm a newbie.

Anyway, what, if anything, should I do? Was I right to email them? Should I tell their other customers that they should definitely NOT be taking credit card #s? I have really no idea, I am sort of nervous too.

Or could this be like a "fake" root account? I didn't try deleting anything so I don't know, I've heard of people doing things like that to dupe hackers into thinking they have some kind of power... I dunno. What do you think?

What to do when you find a hole in a big site? | 120 comments (114 topical, 6 editorial, 1 hidden)
Fake root? (3.27 / 11) (#5)
by Elendale on Wed Dec 13, 2000 at 06:23:13 PM EST

I like this article. I bet we'll see some good discussion on it :) The company should be thankful for your efforts, but the sysadmins probably had a fit the next morning (I can just hear the "we've been hacked! help!" when they can't login as root without a password) and i would be willing to bet you are going to end up with some trouble for it. It is quite possible that it was a 'fake' root account, though. I seem to remember being able to set up a 'hollow' root account that actually links to some other account.

-Elendale
---

When free speech is outlawed, only criminals will complain.


Now that i read more closely (2.92 / 14) (#7)
by Elendale on Wed Dec 13, 2000 at 06:45:58 PM EST

Give them the root password. I assume they don't need it by now, but at least as a sign of good will you should tell them. Keeping the root password from them (should have been included in the first mail to them) is just juvenile, IMHO.

-Elendale (Of course, they might be laughing at you for setting the password to a fake root account also)
---

When free speech is outlawed, only criminals will complain.


[ Parent ]
I'm assuming he's just being secure (4.42 / 7) (#12)
by error 404 on Wed Dec 13, 2000 at 08:05:10 PM EST

I agree it would be pretty juvenile to not give them the password, but it is not good security practice to send someone a root password without verifying the email address and encrypting the password. Particularly when the recipient isn't expecting it.

I assume he's just trying to follow good security practices.


..................................
Electrical banana is bound to be the very next phase
- Donovan

[ Parent ]

Agreed... (3.57 / 7) (#21)
by nstenz on Wed Dec 13, 2000 at 10:14:03 PM EST

I wouldn't send ANY password plaintext through e-mail, except some trivial things like, oh say, the password for my Kuro5hin account.... =)

[ Parent ]
Me neither. (3.00 / 1) (#83)
by kwsNI on Fri Dec 15, 2000 at 05:09:40 PM EST

If this site is as large as he says it is, I'd never be sending an e-mail to them with their password.

PS. The most likely answer to your sig is that you're talking to a female.

kwsNI
I can picture in my mind a world without war, a world without hate. And I can picture us attacking that world, because they'd never expect it. -Jack Handy
[ Parent ]

My sig... (none / 0) (#120)
by nstenz on Thu Jan 18, 2001 at 11:13:46 AM EST

I wish I'd seen your reply back when I posted this comment... You're absolutely right- pretty much all of my friends are female. =)

[ Parent ]
Ok (3.75 / 4) (#27)
by Elendale on Thu Dec 14, 2000 at 01:48:47 AM EST

I suppose so. Still, if they were on top of things (well, if they really were on top of things this wouldn't be happening) it wouldn't be an issue because the password would be received and changed promptly. It's a bit messier than it should be...

-Elendale
---

When free speech is outlawed, only criminals will complain.


[ Parent ]
If they change it promptly... (3.00 / 1) (#77)
by nstenz on Fri Dec 15, 2000 at 02:38:54 PM EST

As long as they would change it immediately before anyone else had a chance to, I suppose it'd be ok. I felt somewhat safe sending my buddy his password to my server over ICQ, but I made sure to wait until he was at the computer and could change it immediately. I don't like it when other people take over accounts and randomly delete stuff. It's not very nice.

[ Parent ]
Re: I'm assuming he's just being secure (none / 0) (#104)
by strawser on Sun Dec 17, 2000 at 07:43:37 AM EST

>I agree it would be pretty juvenile to not give them the password,

I'd assume that by now they've changed it. He didn't mention what kind of *nix it was, but I've never seen one that you can't break into if you have physical access to the box.

E

"Traveler, there is no path. You make the path as you walk." -- Antonio Machado
[ Parent ]
Unfair Rating Alert! (2.00 / 3) (#95)
by unfair_rating_alert! on Sat Dec 16, 2000 at 06:11:44 PM EST

Poster gives honest good faith advice in reply and receives a 1.57 rating in return! Now is that fair?

---- Begin Canned Text ----

This comment was provided by unfair_rating_alert!, a troll account created strictly to look for intelligent comments unfairly rated below 2.00. Many readers may not agree with the content of the previous post, however, this account holder believes that most fair users should find that it didn't deserve such a low rating.

The purpose of this account is strictly to discern and then publicly show bias within the rating system in order to affect change by the general readership. Therefore, this account will not post topical or editorial content, rebuttals, story submissions, rate comments, or vote on story submissions. Readers are encouraged to reconsider a rating and act according to their conscience.

While the comment to which this unfair_rating_alert! refers remains blatently unfair, Trusted Users are encouraged to rate this comment up above a 1.00 if found hidden. Regular users are encouraged to rate this comment below 2.00 if found above that threshold. The natural rating for this comment should be unrated or 1.00 as it offers no substance relevant to the story or thread in which it resides. Once the unfairly rated comment achieves a reasonably fair rating, then Trusted Users are requested to hide this unfair_rating_alert! so as to clean up the clutter.

---- End Canned Text ----

[ Parent ]

Fake root. (5.00 / 1) (#74)
by NullStream on Fri Dec 15, 2000 at 04:08:24 AM EST

The only thing that makes root... root is that its uid and gid are 0. All you have to do is change the name of root to something like jim or even nothing at all, then create an account with the username of root and chroot the login to a filesystem which only looks like a viable filesystem. Maybe this is the same idea as others have alluded to, but if I'm wrong please let me know.

P.S. I am no expert and I just theorize for fun.

[ Parent ]
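An added example, not code from the thread or from any hosting company's tooling: a small audit over constructed passwd(5)/shadow(5) text that flags the two conditions discussed in the story and in the comment above, a uid-0 account whose password field is empty and uid 0 living under a name other than root. All account names and hash values are constructed placeholders.

```python
"""Audit passwd(5)/shadow(5) data for a uid-0 account with an empty
password field and for uid 0 under a name other than root.
Added example; the sample files below are constructed, not real."""
from typing import Dict, List, Tuple

# Constructed sample files. The hash fields are placeholders, not digests.
# In shadow(5) an empty second field means "no password required";
# "*" or "!" means the account is locked.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
jim:x:0:0:superuser under another name:/root:/bin/bash
evro:x:1002:1002:Evan:/home/evro:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

SHADOW_SAMPLE = """\
root::11304:0:99999:7:::
jim:$6$PLACEHOLDER$notarealhash:11304:0:99999:7:::
evro:$6$PLACEHOLDER$notarealhash:11304:0:99999:7:::
daemon:*:11304:0:99999:7:::
"""

Finding = Tuple[str, str]  # (account name, finding code)


def parse_passwd(text: str) -> List[Dict[str, object]]:
    """One record per passwd line; comments and blank lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell})
    return entries


def parse_shadow(text: str) -> Dict[str, str]:
    """Map each account name to its raw hash field (second column)."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, pw_hash = line.split(":", 2)[:2]
        hashes[name] = pw_hash
    return hashes


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Finding]:
    """Return sorted (name, code) findings for the checks described above."""
    findings: List[Finding] = []
    hashes = parse_shadow(shadow_text)
    for entry in parse_passwd(passwd_text):
        name, uid = entry["name"], entry["uid"]
        pw_hash = hashes.get(name)
        if pw_hash is None:
            findings.append((name, "MISSING_SHADOW_ENTRY"))
        elif pw_hash == "":
            # The story's situation when name is root: anyone who reaches
            # a login prompt gets in without a password.
            findings.append((name, "EMPTY_PASSWORD_UID0" if uid == 0
                             else "EMPTY_PASSWORD"))
        if uid == 0 and name != "root":
            findings.append((name, "UID0_NOT_NAMED_ROOT"))
        if name == "root" and uid != 0:
            findings.append((name, "ROOT_NOT_UID0"))
    return sorted(findings)


if __name__ == "__main__":
    for account, code in audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE):
        print(f"{code:24} {account}")
```

On a real host the same functions can be fed the contents of /etc/passwd and /etc/shadow (the latter readable only as root).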
Change it back or give them the password (3.57 / 14) (#6)
by duxup on Wed Dec 13, 2000 at 06:31:04 PM EST

Well this whole story seems a little simple so I'm taking it with a salt lick of salt.

In the meantime the first thing I'd suggest is: Give them the password or change it back to no password! Even if I were that dumb I'd be pissed as hell if someone changed the password and not given it to me. Your e-mail warning them, but not divulging the password, might even be seen as a veiled threat. Sure it could be fake, but if it's real and you impact them in some financially detrimental way I can imagine any friendly understanding would go out the door. I would not contact their customers; again, that would very likely eliminate any good will they might have toward you.

Personally I would have just chosen to anonymously e-mail them about the problem but made no changes.

re: whatever you wrote (4.22 / 9) (#8)
by evro on Wed Dec 13, 2000 at 07:29:52 PM EST

Well this whole story seems a little simple so I'm taking it with a salt lick of salt

I assure you that this story is completely true, I would not waste my time coming up with some fake story for no reason.

Your e-mail warning them, but not divulging the password, might even be seen as a veiled threat.

Here is what I wrote them regarding the password:

I do not know what to do right now, I do not want to include the root password in an email. If you have PGP I will send it to you encrypted.

As for your suggestion that I "do nothing," MY SITE was on that server, and I don't know about you, but I don't want some joe schmoe deleting my stuff.
---
"Asking me who to follow -- don't ask me, I don't know!"
[ Parent ]

Still at risk (3.90 / 10) (#20)
by duxup on Wed Dec 13, 2000 at 10:10:48 PM EST

I understand your concern in keeping your data safe. However, since it is not your server I'd suggest always keeping things backed up regardless of how secure you think they may be. Also, if they have no password on root I'm sure you haven't cleaned up their only security problem and you're still at risk.

[ Parent ]
Email the root password unencrypted?? (3.33 / 9) (#15)
by mystic on Wed Dec 13, 2000 at 09:23:17 PM EST

I really don't think one should send the root password by plain unencrypted email. I think the way evro has handled it is ok. If they have a PGP key, let them get it. Now don't tell me they don't know what PGP is!

[ Parent ]
PGP (2.91 / 12) (#22)
by Devil Ducky on Wed Dec 13, 2000 at 10:18:03 PM EST

They know what PGP is, but they can't get it to start correctly... It always prompts for a password and they don't know what to do.

Devil Ducky

Immune to the Forces of Duct Tape
Day trading at it's Funnest
[ Parent ]
The email I sent them (4.54 / 22) (#11)
by evro on Wed Dec 13, 2000 at 07:37:55 PM EST

Here is the email (edited somewhat to takeout references to the hosting company):

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just noticed that there is NO ROOT PASSWORD to my domain. Since my
site is hosted on the same system as many other sites, all these
sites are also completely vulnerable. I have changed the root
password so that nobody else can sign on since leaving it blank is
about the worst security breach I have ever seen. Anybody could just
log in and see -- or delete -- the entire contents of any of the
sites on the server ([server name deleted]). I don't understand how a web hosting
company can be as careless as this, it invites hackers to come do
their worst.

I purchased one year of web hosting from [hosting company name deleted] because I assumed you
would take care of things like security for me. I did not want to
have to worry about things like keeping up with security patches and
things like that. But now I see that you have left a gaping hole in
the system and I am VERY concerned about this.

I do not know what to do right now, I do not want to include the root
password in an email. If you have PGP I will send it to you
encrypted.

Please note that I have not done anything bad to the system while
logged in as root. But since there is no root password and anybody
can log in, I can't say the system is fine.

Sincerely,
Evan Hoffman

---
"Asking me who to follow -- don't ask me, I don't know!"
Hmm (3.57 / 7) (#24)
by atom on Wed Dec 13, 2000 at 10:47:02 PM EST

Just out of curiosity, why did you take such careful precautions to remove references to your webhost, but leave your web address, which clearly indicates your provider, in your signature? If you want to keep the secrecy, you might want to change that sig asap. That is, if I'm assuming correctly that it is your page.

On the other hand, I'm not sure why, exactly, you want to be so secretive. This is clearly a flawed company, and if they're going to get a mild amount of bad publicity from this, then they deserve it. I'm assuming that you won't be continuing to use their service, so you have no reason to be so cautious.

dotcomma.org - Resource for programmers
[ Parent ]
not my site (3.71 / 7) (#25)
by evro on Thu Dec 14, 2000 at 12:41:34 AM EST

no, it isn't my site ;-)

And I don't have a problem with them getting bad publicity, but I do have a problem with them getting hacked because of me. Because in that event, I have DEFINITELY done something wrong. I don't know what the status is of their other servers; if one has the same problem, I don't want to be responsible for it. Or if this one has the problem again in the future, same deal.


---
"Asking me who to follow -- don't ask me, I don't know!"
[ Parent ]
legal repercussions (2.00 / 1) (#66)
by CAIMLAS on Thu Dec 14, 2000 at 07:38:40 PM EST

it's possible that the company might choose to press charges for bad press. granted, that's fine... but they could sue for false bad press. and I'm guessing the company has a bit more money.
--

Socialism and communism better explained by a psychologist than a political theorist.
[ Parent ]

Not enough... (3.33 / 6) (#26)
by chewie on Thu Dec 14, 2000 at 01:22:41 AM EST

I certainly don't envy your position, but I believe you took the right steps. I'm not sure if you've included enough information with your initial report, but it was a well written letter. The tone was appropriate and not too accusatory. You sound like you're genuinely trying to be helpful and that you have security and liability at the forefront of your mind. Although, I think you should have included a bit more information. It's very difficult to paint the picture of a "kid hacker" upon someone who actively and fully discloses any information pertaining to contact or background and your relationship to the hosting company in question. I would have included such information as my full name, title and position at my place of employment, and a day-time telephone number.

If in doubt, talk to a lawyer.


assert(expired(knowledge)); /* core dump */
[ Parent ]
What to do (4.44 / 9) (#29)
by Potsy on Thu Dec 14, 2000 at 02:20:43 AM EST

...leaving it blank is about the worst security breach I have ever seen...

I would have said "lapse" rather than "breach". Since you are obviously worried about being falsely accused of "hacking", you need to be careful about what you say and do. "Breach" implies someone broke into their system (which didn't happen), while "lapse" implies that they were careless and left their doors unlocked (which did happen). Bad choice of words there. I wouldn't worry about it too much, but be more careful in the future. You don't want to have any misunderstandings.

Since they didn't respond to your e-mail, you should immediately call them on the telephone about it. When you get them on the phone, speak slowly and clearly, and phrase your sentences as though you were talking to a 6-year-old. Again, you don't want to have any misunderstandings. Make double, triple sure that they know it is their screwup, and not something you did which is making their machine insecure. Do not mention your friend's joke e-mail unless they bring it up first, as it will only confuse them and make them suspicious. You're dealing with unbelievably stupid, incompetent people here, so you need to be as careful as you possibly can when talking to them.

After you get done explaining their security hole to them, you should immediately cancel your service with them and ask for a full refund of all the money you've spent on them so far. If they balk at the idea of giving you your money back (which they probably will) start talking about getting an attorney. Threaten to take them to court. Remind them of how they bragged about their security, and explain to them the meanings of the terms "fraud" and "false advertising". Mention the Better Business Bureau for added effect.

Don't bother mentioning BugTraq and institutions like it, because these people obviously don't respect them (if they did, they would read up on proper security and implement it). Stick with the traditional means of dealing with a shady or incompetent company: lawyers and the BBB.

[ Parent ]

Why not call them on the phone? (3.50 / 10) (#30)
by Signal 12 on Thu Dec 14, 2000 at 02:33:41 AM EST

I would have given them a ring. If you had just called them up, you could have given them the password right there, and there would have been less room for misunderstanding.

I've found that email is a horrible method of communication for any thing of importance. I doubt they would have called the FBI if you had a dialog with them as opposed to a pointed email (although they deserved it).

[ Parent ]

one more thing.... (2.50 / 8) (#31)
by Signal 12 on Thu Dec 14, 2000 at 02:45:04 AM EST

While I certainly don't think you did anything wrong, I think the most prudent thing to do in these situations is to talk to the owners of the hardware *before* changing anything.

Not having a password for root is simply fucking ridiculous, and I think they realized that. To save face, they decided to call the FBI to take attention away from their unbelievable fuck up.

Had you taken your site offline momentarily and called them saying "Are you guys INSANE?!? Where's your root password?!? I'm not trusting my site to idiots, am I?" the blame would have stayed where it belonged, since you simply observed instead of altered.

[ Parent ]

other possibilities (3.85 / 7) (#38)
by SEAL on Thu Dec 14, 2000 at 06:29:07 AM EST

First, a quick comment: even allowing remote root logins WITH a password over telnet is pretty risky. Considering the way the company was described, it seems very unusual that this would be enabled.

I have to throw out a couple other possibilities, since I find it hard to believe something that blatant would go unnoticed:

- Someone else might have hacked them and cleared the root password and made remote root logins available. Or this may have been done by an ex-employee. If this is the case, they may have contacted the FBI to investigate the initial breach. Yes that's unlikely, since any type of security auditing whatsoever should have revealed this hole. Still, it's something to consider.

- That root login may have been a honeypot. If that's true, then the whole purpose of that box is to nab "hackers", and law enforcement will probably be notified. As someone else pointed out, a telephone call to this hosting firm might be the best way to clear things up. Of course with the root login wide open this would be more of a box to nab kidz as opposed to actual hackers.

The poster may get a little heat but when push comes to shove, the only thing that can really be used against him are the logfiles. They will show that he didn't do anything to create that hole, and he didn't do anything destructive. The downside is that if the company is a bunch of asses and brings law enforcement into the picture, confiscations could occur during the investigation :/

Good luck,

SEAL

It's only after we've lost everything that we're free to do anything.
[ Parent ]
Hacker is the _wrong_ word (2.50 / 6) (#42)
by OddWeapon on Thu Dec 14, 2000 at 09:09:07 AM EST

I thought k5 was a techie hangout. The people you are referring to are _not_ called hackers. Maybe cracker is what you want or something like that.

[ Parent ]
Between ourselves, yes, but... (4.20 / 5) (#53)
by Kunstwerk on Thu Dec 14, 2000 at 01:08:14 PM EST

Aarg! Nitpicking alert! :P

To us, a hacker is someone who shares the hacker spirit and a cracker is someone who likes to breach security.

However, in the vast majority of media and in the world outside of Jargon File cognoscenti, a hacker is someone who likes to breach security, while a cracker is some sort of crunchy biscuit.

When sending an e-mail to the complaints dept. of a company which can't be bothered to secure the root account, what are you going to assume? That you're talking to someone who knows, or cares, about the hacker/cracker difference, or that you're talking to someone who thinks "cracker==biscuit?"

I thought k5 was a techie hangout

But evro's e-mail was sent to a non-K5'er! His idea was to make himself understood, not to be Jargon-compliant.

--KW [Diary] /* Do all humans pass the Turing Test? */
[ Parent ]

Shitty security. (2.69 / 13) (#13)
by buzzbomb on Wed Dec 13, 2000 at 08:49:14 PM EST

What a surprise. Most of the shit you read on services' webpages is nothing but marketing hype. "Best security anywhere", etc. It's not surprising to me really. (Well, I guess a little surprising that there was NO password...I expected "password", "drowssap", "r00t", "god", etc.) This is the biggest fear of ANYONE using online shopping. Secure web connections are pretty damn useless, IMO. Anyone realize the high-level systems that have to be cracked to sniff that shit out? The biggest problem that we've seen is lousy services running insecurely that get their DB cracked wide-ass open...not the "sniffers". I personally would take my business elsewhere and do a complete audit if you are selling shit online and have had credit cards come to you. I would even do the right thing and call/e-mail everyone that has bought from you and explain the situation in an idiot-proof fashion. You may lose some customers, but I would imagine that a large percentage of them would appreciate you being upfront and alerting them to the possibility of fraud. I know I would. Shit happens...I think most reasonable people understand that.

I don't know what to say. (3.07 / 13) (#14)
by pb on Wed Dec 13, 2000 at 09:03:15 PM EST

That's amazingly stupid.

I worked at a web hosting provider, and they were very concerned about security. We locked those boxes down pretty tightly, and I learned a thing or three while I was there.

Since the boxes were pretty much just for serving web pages, a lot of stuff was missing or disabled from a user perspective. Those boxes generally don't get X installed on them, for instance.

So if you're going to sign up with a little fly-by-night hosting provider, make sure you pick the right one. :)
---
"See what the drooling, ravening, flesh-eating hordes^W^W^W^WKuro5hin.org readers have to say."
-- pwhysall
Do nothing. (2.58 / 17) (#16)
by Signal 11 on Wed Dec 13, 2000 at 09:25:18 PM EST

I'd do nothing at all. Why stick your neck out and be arrested by the FBI for trying to help? Let the system blow itself to pieces, and then be sure that when all the angry "normal" people come asking who's responsible to kindly finger the politicians.


--
Society needs therapy. It's having
trouble accepting itself.
Unacceptable (4.00 / 2) (#56)
by Jim Dabell on Thu Dec 14, 2000 at 02:07:55 PM EST

What if his business is relying on their hosting? If the system "blows itself to pieces", then it takes his business with it. It would be pretty damn irresponsible of somebody to not change the password immediately, if they realised absolutely anybody could log in and destroy their business.



[ Parent ]
The cost of doing business (3.00 / 2) (#57)
by Signal 11 on Thu Dec 14, 2000 at 02:47:53 PM EST

That's the cost of doing business, I guess. He could find himself without a job if he goes poking around on someone else's systems. Got a problem with it? Take it up with the politicians.


--
Society needs therapy. It's having
trouble accepting itself.
[ Parent ]
Evil Webhosts (4.42 / 14) (#17)
by atom on Wed Dec 13, 2000 at 09:39:00 PM EST

I had a similar situation with a previous webhost. Not nearly as serious, but someone pointed out to me a security bug on my site which was a problem with the host computer.

When I sent them an E-Mail about it, they immediately suspended my accounts, no questions asked. After a few failed emails, I called them up. When I was forwarded to a vice president, he started talking to me as if I were a criminal; his first words were, "how old are you?" followed by "have you ever been to prison?"

I soon left that company for that reason and other disgusting business practices.

So my advice to you is be cautious - clearly these people aren't technologically brilliant. As was the case with me, they may misunderstand your intentions. It's usually considered an act of goodwill to hack a site merely to help the admins fix holes, but people who don't understand geek culture might misinterpret your actions.

As a solution, do what I did - dedicated server :]


dotcomma.org - Resource for programmers
You don't do it the right way (3.33 / 12) (#19)
by (void *)0x00000000UL on Wed Dec 13, 2000 at 10:07:06 PM EST

You should first send them an email that you care about security, that you don't want to create trouble, that you won't tell other people. Then tell them you found a security hole.

Wait until they reply then send them the description of the problem, and the fix if you know about it. Then let them fix the hole.

Act like a gentleman, not like a teenage script kiddy.

If you think they may be hostile to you, you might want to send the email through an anonymous remailer.

[ Parent ]

Well.... (4.33 / 9) (#23)
by atom on Wed Dec 13, 2000 at 10:38:16 PM EST

I didn't act like a teenage script kiddy, I'm not sure how you got the impression that I did. I don't think withholding the information from them until I have their go-ahead would help anything. I had no reason to believe detailing exactly what happened - someone else had informed me of the hole, and I wished to pass it along to the admins - would be offensive or make them "hostile" to me. Clearly I was misunderstood. It was blown out of proportion due to the lack of competence on the webhosting end.
dotcomma.org - Resource for programmers
[ Parent ]
I hope you got your lesson (1.90 / 21) (#18)
by (void *)0x00000000UL on Wed Dec 13, 2000 at 10:02:10 PM EST

You don't mess with that kind of stuff. Even if you did nothing wrong, you don't log in where you should not because it will get you in trouble.

Your friend is probably going to get in trouble

Why do companies react this way? (3.64 / 14) (#28)
by Spinoza on Thu Dec 14, 2000 at 02:06:18 AM EST

Perhaps it's because they're far more terrified that the story will make it to the press with their name in it, than they are that an intruder will gain access to their systems. Bad publicity is worse than bad security for these companies. As a result, they treat everyone who finds a security flaw as a threat, because to them the flaw is a minor problem, but someone knowing about it is a huge problem, even if that someone is only interested in helping.

If someone steals an entire credit card database and nobody ever finds out, the company loses no revenue. If a security flaw is publicised, with or without damage having occurred, the company's profits can be decimated.

Maybe they haven't replied yet..... (3.75 / 20) (#32)
by 0x00 on Thu Dec 14, 2000 at 02:59:25 AM EST

because the e-mail was sent to root and you have the password. :)

--
0x00

root Clowns.

A bug in Scoop (2.61 / 18) (#33)
by DigDug on Thu Dec 14, 2000 at 03:08:42 AM EST

A bug in Scoop.

--
Yavista - if you haven't found a nice homepage yet.

test (4.50 / 8) (#34)
by rusty on Thu Dec 14, 2000 at 03:28:48 AM EST

<a href="http://kuro5hin.org/"style="font-size: 24pt; font-family: times; background-color: red">A bug in Scoop no longer.

____
Not the real rusty
[ Parent ]
Hey! (3.85 / 7) (#35)
by fvw on Thu Dec 14, 2000 at 04:21:22 AM EST

Hey, I wanted to see that! Stop fixing things. :-)..

What went wrong?

[ Parent ]
quotes (4.50 / 6) (#37)
by rusty on Thu Dec 14, 2000 at 06:27:34 AM EST

We weren't counting quotes, so if you didn't put a space between the link and the style stuff, the filter would assume everything between the first quote and the last quote in the tag was part of the url. D'oh.

____
Not the real rusty
[ Parent ]
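The filter mistake rusty describes, reproduced and then fixed, as an added example that is not Scoop's own code: the naive version takes everything between the first and the last double quote of an `<a>` tag as the URL, so a tag with no space between `href="..."` and the next attribute carries that attribute straight through; the quote-aware version tokenizes attributes properly and rebuilds the tag from an allowlist. The regexes and the allowlist policy are my own choices, not Scoop's fix.

```python
"""Naive first-quote-to-last-quote <a> filtering versus quote-aware
attribute parsing. Added example, not Scoop code; BUGGY_TAG is the tag
posted in the thread."""
import html
import re
from typing import Dict
from urllib.parse import urlsplit

# The tag from the thread: no space between the href value and style=.
BUGGY_TAG = ('<a href="http://kuro5hin.org/"style="font-size: 24pt; '
             'font-family: times; background-color: red">')


def naive_filter_a(tag: str) -> str:
    """Reproduces the bug: the 'URL' is whatever lies between the first
    and the last double quote, so an adjacent attribute rides along."""
    first, last = tag.find('"'), tag.rfind('"')
    if first == -1 or last <= first:
        return "<a>"
    return f'<a href="{tag[first + 1:last]}">'


# name="double" | name='single' | name=bare. A quoted value ends at its own
# closing quote, so href="..."style="..." yields two attributes.
ATTR_RE = re.compile(
    r'([A-Za-z][A-Za-z0-9-]*)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')
A_TAG_RE = re.compile(r'^<a(?=[\s>])(.*)>$', re.I | re.S)


def parse_attributes(tag: str) -> Dict[str, str]:
    """Quote-aware tokenizer for the attributes of a single <a ...> tag."""
    m = A_TAG_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not an <a> tag: {tag!r}")
    attrs: Dict[str, str] = {}
    for am in ATTR_RE.finditer(m.group(1)):
        value = next(v for v in am.groups()[1:] if v is not None)
        attrs[am.group(1).lower()] = value
    return attrs


ALLOWED_SCHEMES = {"http", "https"}


def safe_filter_a(tag: str) -> str:
    """Rebuild the tag from an allowlist: href only, http/https only,
    value re-escaped so no quote in it can close the attribute early."""
    href = parse_attributes(tag).get("href", "")
    if urlsplit(href).scheme.lower() not in ALLOWED_SCHEMES:
        return "<a>"
    return f'<a href="{html.escape(href, quote=True)}">'


if __name__ == "__main__":
    print("naive :", naive_filter_a(BUGGY_TAG))
    print("parsed:", parse_attributes(BUGGY_TAG))
    print("safe  :", safe_filter_a(BUGGY_TAG))
```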
curious-is that what nailed MacSlash? (3.50 / 4) (#64)
by ehintz on Thu Dec 14, 2000 at 05:32:50 PM EST

MacSlash got nailed by some similar looking stuff a few weeks back. In true MacOS fashion, they simply dumped the offending posts and fixed the bug, but never said a word about the fact it had happened. Been curious ever since. Anybody know if this is the same bug? (I know they don't use scoop, but the manifestation seems quite similar, and I would not be at all surprised to find Slashcode containing the same bug.)

Regards,
Ed Hintz
[ Parent ]
No idea (3.50 / 2) (#68)
by rusty on Thu Dec 14, 2000 at 07:49:53 PM EST

But we have from time to time been known to independently re-implement the same bugs. In a way, HTML filtering is HTML filtering-- no matter what app you're writing, there's a limited number of ways to do it. I wouldn't be surprised if they had made the same mistake we did (or vice-versa, as it were).

____
Not the real rusty
[ Parent ]
umm (2.50 / 4) (#62)
by Milk-Boy on Thu Dec 14, 2000 at 05:19:43 PM EST

um.. i can still see it.. ie 5.01


---
/me falls over
[ Parent ]
Yuck (3.00 / 1) (#93)
by CYwolf on Sat Dec 16, 2000 at 03:18:06 PM EST

I had no idea IE and Mozilla (tested both) allowed you to remove the space between tag arguments. I'll have to remember that.

[ Parent ]
Bug or not, it's offtopic (1.00 / 1) (#96)
by THEWeirdo on Sat Dec 16, 2000 at 10:43:52 PM EST

It might have been more appropriate to create a diary entry displaying this bug. If you were worried about rusty not seeing it, you could've E-mail him about it.

But at least it got fixed, and that's what mattered.

  - THEWeirdo

"Better paranoid than sorry" -- Me
[ Parent ]

drw.net? (3.63 / 11) (#36)
by fvw on Thu Dec 14, 2000 at 04:25:23 AM EST

was the hoster drw.net by chance? :-). I've had a site there a while ago, and their security policy consists of 'chmod o-x /bin/ps'..., putting threatening messages in /etc/motd (You are not allowed to cd out of your homedir (what, chroot? too hard, just threaten to go to the police...)), etc..

no (5.00 / 1) (#73)
by evro on Fri Dec 15, 2000 at 02:36:47 AM EST

was the hoster drw.net by chance

no, it wasn't.
---
"Asking me who to follow -- don't ask me, I don't know!"
[ Parent ]
hosting (3.00 / 8) (#39)
by mstevens on Thu Dec 14, 2000 at 07:49:34 AM EST

My experience with hosting is that the only way to get good, secure hosting is to do it yourself.

Hardly anyone cares about security, and it's very hard to spot the few who do.



The problem, as I see it... (3.62 / 8) (#40)
by Armaphine on Thu Dec 14, 2000 at 08:43:47 AM EST

...is that these sites should be welcoming something like this. As in the case of the Navy's Infosec site, a few years back, they were testing a new secure type of server. To make sure that thing was "hacker-proof", they put it on the internet, and offered a prize to the first person/team to hack into it. (I don't know if anyone ever did get in.)

But this is a good way of doing this. You manage to get in, drop the sysadmins an e-mail, and you, for example, get to come out to the corporate headquarters, or some office in a nice location, get put up in a posh hotel, and get a "finder's fee" for showing the staff how you got in. Seeing as I'm guessing that the majority of these hackers tend to be of a younger age (Gross generalization there, but bear with me.), the experience could be such a big event to them that slipping a non-disclosure agreement under their nose would be no big deal.

I don't know about everyone else, but getting that kind of deal would still impress me. (It'd be worth hacking Microsoft if only I could see their main server room. I hear they need golf carts to get around in there.) But a couple grand to the hacker, the sysadmins patch the hole, and non-disclosure agreements all around. Seems like everyone wins.

Question authority. Don't ask why, just do it.

Why security contests prove nothing. (4.00 / 9) (#46)
by inspire on Thu Dec 14, 2000 at 09:45:38 AM EST

Imagine that I am an evil cracker. Now, some company / agency has offered a reward for breaking into their site. If I were determined to break into the site, would I want to crack it during the contest period, or sometime afterwards, when the company proudly announces that "even all the hackers on the Internet could not defeat this security?"

All the people capable of doing the most damage will inflict it when it is most valuable: not during public contest periods. I remember a firewall manufacturer had done exactly this: run a contest online, and announce their product as unbreakable, only to find themselves embarrassed not much later when their product was broken.

Cracking challenges attract only the most harmless, glory-driven people who want the attention of having broken a product, whilst the real villains out there wait until the public is lulled by the sense of security before striking.
--
What is the helix?
[ Parent ]

Money is good (none / 0) (#97)
by THEWeirdo on Sat Dec 16, 2000 at 11:06:52 PM EST

I completely disagree about money only attracting `the most harmless, glory-driven people'. The `bad crackers' are after glory, aren't they? That's indicated in your own comment's text: `All the people capable of doing the most damage will inflict it when it is most valuable [...] run a contest online, and announce their product as unbreakable, only to find themselves embarrassed not much later when their product was broken.'

A couple thousand dollars is a pretty good incentive to break into a system. If the `good crackers' can't get into a system with a thousand dollar incentive, the `bad crackers' shouldn't be able to do much better. Would you rather seriously show up Microsoft, or show them up not-as-much but get some dough?

  - THEWeirdo

"Better paranoid than sorry" -- Me
[ Parent ]

The usual argument goes like this: (none / 0) (#113)
by inspire on Tue Dec 19, 2000 at 07:26:41 AM EST

Evil hacker finds bug in product claimed secure.

Companies start using "secure" product after assurances that the product is unbreakable.

Weeks or months later, it appears that sensitive company information has been stolen.

What I was saying in that paragraph was that a sponsored contest will attract the glory-seekers. The hardcore criminals would prefer a stealth approach. The best crack is one where the victim does not even realise they've been cracked.
--
What is the helix?
[ Parent ]

Why are the evil more clever than the good? (none / 0) (#118)
by THEWeirdo on Fri Dec 22, 2000 at 07:04:57 PM EST

I suppose this does not apply as well to specific software products as it does an entire server, but here is how I look at it: since there are system administrators who do set up secure servers, those same administrators ought to be able to find holes in badly setup servers. And, optimistically, I do not think there are any crackers who are much more clever than the cleverest of the benevolent hackers. After all, why should they be? (Hence this comment's subject.)

When I wrote the comment you are replying to, I wasn't thinking of specific software products, but servers. I had not heard of any contest to crack a software product before I read this thread. Still, I do believe that, even here, the benevolent hackers will be able to do as well as the malevolent crackers. Feel free to prove me wrong.

  - THEWeirdo

"Better paranoid than sorry" -- Me
[ Parent ]

Thank you, oh thank you... (5.00 / 1) (#119)
by inspire on Sat Dec 23, 2000 at 11:55:35 AM EST

For letting me use one of my all time favourite quotes:

"Evil will always triumph over good because good - is - dumb."
-- Dark Helmet, Spaceballs

Anyway, Bruce Schneier and Gene Spafford can explain why cracking contests don't really work better than I can (and these guys are paid professionals).

The relevant MLP:

The Fallacy of Cracking Contests
Hacker Challenges: Boon or Bane?

Basically, good security testing (and in the case of the article, crypto testing) does not come cheap. Barring any ethics or morals (and I'll let you make up your own mind about the morals of a cracker), a potential cracker has a lot more to gain by staying silent about a particular hole than to report it.

Crypto and other security software (e.g. firewalls) cracking contests, especially, have some fairly brain-dead restrictions that make the contest fairly meaningless. One example I can think of in recent history would be the hack SDMI contest. Initially boycotted, then several cracks were found, but SDMI wouldn't admit one of them under a narrow definition of what a crack was.

I await the torrent of SDMI-watermark-disabling products as soon as the protection comes into widespread use.
--
What is the helix?
[ Parent ]

agreed, but... (4.50 / 2) (#67)
by CAIMLAS on Thu Dec 14, 2000 at 07:39:57 PM EST

...that would make it increasingly difficult for the sysadmin(s) of the world to make sure their box is secure, if they constantly have teenagers essentially attacking their box, trying to get in, in order to get a prize. It would be like a big game. And I'm sure it'd not be much different a motivator than the "let's hack boxen because it's cool and we can see things other people can't". To make it 'legal' or encouraged would only increase the chances of a malicious hacker getting in.

That, and what if you were the sysadmin? It's your job to keep that/those babies locked down solid. If some punk kid gets in, it makes you look like you're negligent of your job, and not make you look good with the Boss. Anyone in that situation would much rather have 'some zitty, delinquent teenage druggie' trying to get into their systems than a 'valiant liberator and fighter for better security.' It's in the sysadmin's best interest to stomp the kid out and report it as an attempt to breach security - something he foiled and caught - than let management think the kid/adult/etc helped the company out. The sysadmin hides it, he gets patted on the back, and possibly a raise, and the corporate business people are happy with their investment in a good sysadmin, having never heard the full story.

Just my view on the situation, from this viewpoint. Also why the individual, who I suspect is a teen, has never gotten contacted, for whatever reasons the 'company (read, sysadmins) may have. If indeed it's not a honeypot.
--

Socialism and communism better explained by a psychologist than a political theorist.
[ Parent ]

Malicious == illegal, benevolent == legal (none / 0) (#98)
by THEWeirdo on Sat Dec 16, 2000 at 11:49:26 PM EST

If the problem was reported immediately, and no damage was done, the company could award the cracker. However, if the problem was not immediately reported, and/or there was damage done, the cracker could be not awarded the prize, and perhaps could even be prosecuted (depending on the damage done). This would be the same as the current common model of suing everyone, except you would get well-meaning people pointing out your security problems. Nobody said that you had to award people just for getting in.

Your argument that prizes for reporting problems will result in servers that `constantly have teenagers essentially attacking their box' is flawed. Teenagers (and people of other ages, too, you ageist pig!) attack servers anyway. Prizes would incite people to report their findings rather than wreak havoc.

I may be wrong, but with a spot of work and some know-how, I think it's possible to set up a server secure enough to thwart the attacks of your stereotypical "teenagers". Eventually, security would go up, and companies would not get many paying customers by running servers with passwordless root accounts.

  - THEWeirdo

"Better paranoid than sorry" -- Me
[ Parent ]

This is really stupid... (2.45 / 11) (#41)
by ignatiusst on Thu Dec 14, 2000 at 09:06:08 AM EST

Wait a minute. Your friend thought the box was yours? Do you have several boxes serving pages out to the internet, or is your friend just stupid? I find it hard to believe that anyone who knows how to hack a system would confuse a commercial server serving (supposedly) hundreds of sites with a friend's server serving (at most) two or three sites.

Maybe I am outta line here (because I don't see a whole lot of other people here yelling at you), but what were you thinking!!!? Of all the things you could have done in this situation, it is almost as if you sat down and asked yourself, "Now what is the dumbest thing I could do here...?"

You discovered that their root had no password, so you changed it without their permission and/or knowledge and then emailed them to (in their eyes) gloat: "I locked you out of your system.. If you want back in, come beg me for the password."

I hope they have a sense of humor...

When a true genius appears in the world, you may know him by this sign, that the dunces are all in confederacy against him. -- Jonathan Swift

Virtual hosting. . . (3.25 / 8) (#44)
by eskimoses on Thu Dec 14, 2000 at 09:39:38 AM EST

Actually, from the sound of it his site is one of many virtual hosts on one of this company's servers. So if someone telnets in to "myvirtualhost.org" or "someotherhostonthisserver.com" they in both cases log in to "serverfifteen.hostingcompany.com".

I do agree with you in that it was very unwise to change the root password but withhold the new password from them. A telephone call would have been a much wiser move.



[ Parent ]
Confusing xterm windows (4.33 / 3) (#60)
by Misagon on Thu Dec 14, 2000 at 04:22:42 PM EST

I find it hard to believe that anyone who knows how to hack a system would confuse a commercial server serving (supposedly) hundreds of sites with a friend's server serving (at most) a two or three sites.

It is easy to confuse, say, two identical xterm windows or two virtual consoles with one another. I have done it more than once, run programs as the wrong user, run a command on the wrong machine etc. These things happen, and it happens more often if you are inexperienced.

The poster admits to being a newbie, and obviously he trusted his friend (maybe someone less a newbie) with his system. The fact that he changed the ISP's password and tells the ISP about it just shows that he is a responsible person. Apparently, he did not try to hide his identity to the ISP in any way, as a cracker would have - that could maybe be beneficial to him if this becomes a legal case as it shows that he did have good intentions. (but OTOH, IANAL)
--
Don't Allow Yourself To Be Programmed!
[ Parent ]

Re: Confusing xterm windows (none / 0) (#103)
by strawser on Sun Dec 17, 2000 at 07:20:56 AM EST

> I have done it more than once, run programs as the wrong user, run a command on the wrong machine etc.

Been there, done that. Kind of helps to do something like:

export PS1='
$WHO\@'"`uname -n`"' $PWD
\$ '

Course, you have to do it on every box. Doesn't hurt to have different foreground/background colors in your xterms to prevent it either.

As far as changing the root password and emailing them, I think that was the best thing he could have done. I have to assume that the blank root password was an oversight. He fixed it and let them know. If they actually wanted it blank, and are upset that he set it, I'd say it's time for a new hosting service.

Just MHO
Eric


"Traveler, there is no path. You make the path as you walk." -- Antonio Machado
[ Parent ]
he didn't "hack" anything (5.00 / 1) (#72)
by evro on Fri Dec 15, 2000 at 02:31:35 AM EST

It's a long story but he accidentally connected to my site because it was "bookmarked" in his ssh program, and I guess he figured "what the hell" and tried root/nothing and it worked.
---
"Asking me who to follow -- don't ask me, I don't know!"
[ Parent ]
Don't touch lest ye be touched... (3.12 / 8) (#43)
by ejbst25 on Thu Dec 14, 2000 at 09:34:08 AM EST

Or something like that...

To stay safe..I think it is universally stupid to touch the root password..and do anything but email them to let them know that it is like that...

I understand that you were concerned because your site was on there..after all..someone might delete all your shit..but there are two aspects to that.
--You should have backups. If they aren't backing up your stuff then you should be.
--If your stuff does get deleted and you had something crucial or worth money...they can be made to compensate you for that. That is, unless you have a bad hosting agreement.

I just think that if this is a true story...well..nm. I just look at it like this...the only way I figure your friend could have gotten in as root is if they allowed root logins on telnet or he used ssh. Unless, he has an account also...which wouldn't make sense. I can't imagine anyone is stupid enough to allow root logins over telnet with no password..you would almost have to do this on purpose. And anyone who is smart enough to install ssh would hopefully be smart enough to have a password for their root account. I guess I just have trouble believing that a "major hosting company" is anywhere close to this stupid. Did 'your friend' get root another way?

That was wrong ... (3.77 / 18) (#45)
by kostya on Thu Dec 14, 2000 at 09:40:22 AM EST

... along with incredibly stupid.

Here's why:

  1. You are hosted with them. Which means you have their phone number and contact information. Why the heck didn't you call them? You should have contacted them first. It is THEIR machine, THEIR network, THEIR money. It is theirs, and therefore their responsibility. Why didn't you call them FIRST?
  2. You changed their *root* password? And you expect them to be happy about this? You expect them to be understanding? What if you had bunches of machines and someone found one that you forgot to set up right? Granted, your fault for not setting it up right. But would you appreciate an email saying, "I changed your *root* password. Contact me if you want it." How would you feel?
  3. Beyond the root password, you logged into the machine as root? I'm wondering how much of your usage policy you just broke by doing that.

Before you start accusing me of having no idea what I am talking about, I have tracked crackers and hunted down compromised machines that ended up being in the Eastern Block. So I have been in this situation. What you did you did out of excitement--if I were to hazard a guess. You probably didn't think too much about what you did until AFTER you did it. We all make mistakes. But in this case, you have made a big one that the other party might hold you liable for.

Think about it: how will they know whether you are malicious or benign? What evidence do you have to back up the fact that you are benign? You have already logged into their machine as root. You could have changed anything at this point (from their perspective). You already changed the root password--what else might you have changed?

All in all, you have not done anything to make things easy on yourself. I recommend getting on the phone immediately and talking to a person. Explain exactly what happened and hand over the password immediately. Perhaps your cooperation will help portray you in a better light.

FYI: I found that WHOIS coupled with some web page hunting almost always turned up at least a phone number, if not a specific name or account to contact about systems. I found a polite email explaining what I have seen (in your case, the email) goes a long way, and sysadmins appreciate that stuff. When you do that, you are being the polite, but concerned neighbor who calls about the strange car across the street. You did the equivalent of walking into their house and changing all the locks on all the doors.



----
Veritas otium parit. --Terence
eastern bloc is the usual convention. (2.00 / 6) (#54)
by monkeyfish on Thu Dec 14, 2000 at 01:49:05 PM EST

just being snotty.

[ Parent ]
Snotty, totty! (2.00 / 2) (#76)
by kostya on Fri Dec 15, 2000 at 09:27:18 AM EST

Cool--I'll remember that for next time :-)



----
Veritas otium parit. --Terence
[ Parent ]

Stupid, but understandable (3.08 / 12) (#47)
by QuantumAbyss on Thu Dec 14, 2000 at 09:49:50 AM EST

Okay. First of all you shouldn't have changed their root password - that was a big mistake. If you find something insecure and you don't really know what you are doing the thing to do is NOT change stuff. Just email whomever and let them know that you might have found a problem and describe it to them. When you go and change things you are much more likely to make whoever you change it on feel defensive, and in a case like this you don't want them feeling defensive. Maybe they've got sucky people and they'll lie to cover their own butts and say you did other things.

Someone else posted something about your "friend" and him not being able to figure out whether it was your box or a hosting company's. Well, it doesn't always take a lot to hack into a box, so it is probably an easy mistake to make if you are prone to making such mistakes. I'm sure that if he's telling the truth he's learned his lesson and will look where he is stepping a bit more carefully in the future.

Science is not the pursuit of truth, it is the quest for better approximations to a perception of reality.
- QA
That was completely wrong. (2.75 / 12) (#48)
by mindstrm_2 on Thu Dec 14, 2000 at 10:18:11 AM EST

First, your friend did something rather illegal. Regardless of who he thought owned the box, he obviously knowingly attempted (and succeeded) in gaining access to something that he had no permission to use. Secondly, changing the root password is severely wrong. What if you just broke a bunch of e-commerce stuff by doing so? What if they WANTED it that way, and it's actually a firewall filter that failed or something? DO you KNOW, FOR SURE? The proper response, unless you actually really know the people personally, if you feel it's important, is to phone them. I assume you have the number, as you are hosting sites with them. And is this 'friend' of yours a really good friend?

Ignorance & Arrogance (3.21 / 19) (#49)
by mindstrm_2 on Thu Dec 14, 2000 at 10:29:17 AM EST

This is not an attack on anyone, but simply an observation I've made over the last few years.

It is increasingly common for young hackers (in the true sense of the word, or otherwise), to believe that, because they found a security hole in a system, they are 'smarter' than the company that owned the system, and the company should somehow be 'grateful', and that they can be arrogant asses about it even. That they are, in effect, elite gurus of security.

Let me paint a meatspace scenario.

I leave my house for work in the morning, and accidentally don't shut the door. You are in your car across the street, and notice this. What do you do?

Well.. let's see. Are you my good friend & neighbor? You might then go shut it for me, as any good neighbor would do, because you know my routine, and you're sure I'm going to work, and it was an accident.
What if you are a pizza delivery guy parked across the street just finishing a delivery, and you don't know me whatsoever? You don't dare touch my house. You have no idea whatsoever where I am going, when I'll be back, or what's going on. You keep your hands off, right?
What if I'm someone you know, like, say, a teacher, but don't know personally. What then? Do you lock my door, possibly locking me out of my house?

AND... regardless of what you do, do you somehow think you are smarter and more holy than me simply because you noticed I forgot to shut my door?



Slightly different case here... (4.66 / 6) (#50)
by davidduncanscott on Thu Dec 14, 2000 at 11:39:30 AM EST

What if, instead of your house, the door is that of a storage company where I'm keeping my stuff? Here I am, paying you to keep my things secure, and you're walking out and leaving the door open.

That said, I have a question. I'm an NT guy rather than a Unix guy, and here on this side of the aisle the equivalent of "root" would be "administrator". Step 1 after a system is installed is to change the name of that account. Is that not done in Unix?

[ Parent ]

Re: Slightly different case here... (4.40 / 5) (#51)
by MeanGene on Thu Dec 14, 2000 at 12:33:49 PM EST

That said, I have a question. I'm an NT guy rather than a Unix guy, and here on this side of the aisle the equivalent of "root" would be "administrator". Step 1 after a system is installed is to change the name of that account. Is that not done in Unix?

The Unix tradition is that root is always root. "Lesser" sub-administrators may have different names. However the other excellent Unix tradition that this hosting company screwed up royally is that root is not allowed to login from any place other than "trusted" terminal(s).

[ Parent ]

Good point. (3.50 / 6) (#52)
by mindstrm_2 on Thu Dec 14, 2000 at 12:47:48 PM EST

However, this is also different. He should simply take his business elsewhere.

I'm a Unix and NT guy... no, in unix, you don't change the name of root. As a general rule, and something we were given no information about here, though, all systems default to absolutely NOT allowing root to log in except from trusted terminals (usually local only, unless you specifically specify otherwise). I'd wonder if the way the guy really broke in was through another account and then found that he could su to root or something.

What you say about renaming Administrator on NT is a good idea, and something we unix types might not even consider, though I must say I've never actually seen any NT installation do this... (not that that means anything).

[ Parent ]
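The rule MeanGene (#51) and mindstrm_2 (#52) describe, that root may only log in from trusted terminals, is a configuration setting, so here is an added example of auditing it from a shell. It is not code from any poster in this thread. One function reads the PermitRootLogin directive from an sshd_config-style file (sshd honours the first occurrence of a keyword, and a commented-out line must not be mistaken for the live setting); another lists entries in a securetty-style file that are not local consoles, since login(1) via pam_securetty only admits root on the terminals listed there. The file names and contents are constructed samples, and the console/ttyN/ttySN naming pattern is an assumption about a typical Linux layout.

```shell
#!/bin/sh
# Added example: audit whether a Unix host confines root logins to trusted
# terminals. Not code from the thread; the file names and contents used
# below are constructed samples.

# sshd_permit_root_login FILE
#   Print the PermitRootLogin value from an sshd_config-style file, or
#   "unset" if the directive is absent. sshd honours the first occurrence
#   of a keyword, so the first non-comment match wins. Only the
#   "keyword value" spelling is handled, not "keyword=value".
sshd_permit_root_login() {
    val=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1")
    printf '%s\n' "${val:-unset}"
}

# sshd_root_login_ok FILE
#   Succeed only when root logins over ssh are explicitly disabled. An
#   absent directive is treated as a finding, because the effective default
#   then depends on the sshd version rather than on the site's policy.
sshd_root_login_ok() {
    [ "$(sshd_permit_root_login "$1")" = "no" ]
}

# securetty_remote_entries FILE
#   Print entries of a securetty-style file that are not local consoles.
#   Pseudo-terminals such as pts/N or ttypN listed there would admit root
#   from a network session that goes through login(1), e.g. telnetd. The
#   accepted pattern (console, ttyN, ttySN) is an assumption about a typical
#   Linux layout; adjust it for other systems.
securetty_remote_entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -Ev '^(console|tty[0-9]+|ttyS[0-9]+)$'
}

# make_samples
#   Write constructed weak and hardened sample files into a temporary
#   directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    # Weak: root allowed over ssh; the commented line is a decoy that a
    # naive grep would mistake for the live setting.
    printf 'Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$dir/sshd_weak"
    printf 'console\ntty1\ntty2\npts/0\npts/1\nttyp0\n' > "$dir/securetty_weak"
    # Hardened: root restricted to the physical console and a serial line.
    printf 'Port 22\nPermitRootLogin no\n' > "$dir/sshd_hard"
    printf '# local consoles only\nconsole\ntty1\ntty2\nttyS0\n' > "$dir/securetty_hard"
    printf '%s\n' "$dir"
}

# Demonstration on the constructed samples.
samples=$(make_samples)
for f in "$samples/sshd_weak" "$samples/sshd_hard"; do
    printf '%s: PermitRootLogin=%s\n' "$f" "$(sshd_permit_root_login "$f")"
done
for f in "$samples/securetty_weak" "$samples/securetty_hard"; do
    printf '%s: non-console entries: %s\n' "$f" \
        "$(securetty_remote_entries "$f" | tr '\n' ' ')"
done
rm -r "$samples"
```

Run against a real host by passing /etc/ssh/sshd_config and /etc/securetty to the two functions; an sshd "Match" block can override PermitRootLogin for particular users or addresses, which this first-match reader does not model.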
Changing name of "Administrator" (3.50 / 4) (#55)
by davidduncanscott on Thu Dec 14, 2000 at 01:55:43 PM EST

Well, you haven't looked at mine. :)

Seriously, though, it seems sort of obvious to me, like toggling off the thing that displays the name of the last user. Why give your assailant slack? I don't use my kids' names for passwords either.

As for taking his business elsewhere, I agree, unless his host comes up with a damned good reason for the absent password. Certainly he's within his rights to demand an explanation. Changing the password was probably going too far, although well-intentioned.

[ Parent ]

It was a Honey pot (3.78 / 23) (#58)
by c0ncept on Thu Dec 14, 2000 at 02:59:24 PM EST

I'm surprised nobody has suggested the possibility of this being a Honey Pot. Honey Pots seem to be gaining popularity in the security community these days [i.e. Deception Toolkit], and several toolkits are available to set one up so you don't have to roll your own.
The fact that anybody, much less an isp, would have a blank root password (though I'm aware these kinds of lapses take place, negligence tends to not be my first assumption).
For those not familiar with the idea, a honey pot is a false target set up to attract hackers. Several results from these studies are publicly available and definitely worth reading. There's currently debate about how exactly to set up a honey pot -- whether to use some kind of chrooted environment or false services, or whether to actually use a vulnerable box and protect the rest of your network from it. Both have their merits/drawbacks, and a smart enough hacker will find a way to break out of a chroot ( there are documents on writing shellcode to this effect, and shellcode is publicly available). However, if you use a real system, there's always the chance that.... well, it's annoying being woken up at four in the morning by an admin in Australia because one of your hosts is ping-sweeping his network.
The fact that you were able to change the root password without them knowing tends to back this up. I'd be willing to bet that: 1.) it's a false root. whoami -- I'll bet that you'll find your euid and egid are not zero. 2.) They're not set up for remote administration/remote administration only via ssh. You're telneting to port 23 of their routers, but being forwarded to another box on their network. Either they only allow ssh to connect to that host, are running telnet/ssh on a non-default port, or have the computer multi-homed with an address in the private range, and only allow administration on that interface, or a mixture of the above.

Just a suggestion I thought I'd throw out, since no one else seems to have suggested it. Back to lurking now.
--c0ncept

Re: It was a Honey pot (3.75 / 8) (#59)
by transcend on Thu Dec 14, 2000 at 03:24:37 PM EST

I'm surprised nobody has suggested the possibility of this being a Honey Pot.

I'm surprised you didn't read the story, not counting numerous comments which pointed to that possibility. This is the last paragraph of the story:
Or could this be like a "fake" root account? I didn't try deleting anything so I don't know, I've heard of people doing things like that to dupe hackers into thinking they have some kind of power... I dunno. What do you think?

I'd say, if it is a honeypot, it should have ignored changing the password, and still should allow telneting with no password. And if I were you, I'd try to see, let's say, if that ``root'' account is able to access your web site files. If it is, it's certainly not a honeypot.

[ Parent ]

Re: It was a Honey pot (4.28 / 7) (#63)
by c0ncept on Thu Dec 14, 2000 at 05:29:40 PM EST

I apologize for my ambiguity, when I said I was surprised nobody suggested that it was a Honey Pot, I meant specifically a box set up to observe hacker activity, and not merely a fake root account. It's trivial to detect -- every process has at least six uid and gid's associated with it. The 'effective uid' and 'effective gid' are used to verify permissions, and 0 is always associated with the super-user account. You would have to redirect the getuid() and getgid() system calls to even begin to make it look legitimate -- this is possible and there is documentation on how to do it. The only point I'm trying to make is changing the name of the root account and creating a false root is far more trivial than anything I would call a honey pot.

Changing the name of the superuser account is simply an attempt at security through obscurity (which isn't really security at all).

As for a honey-pot ignoring a change in password and still allowing someone to telnet in with no password, I think you're missing one of the major goals of the existing honeypot projects -- the goal is to appear as authentic as possible -- hence the arguments about chroot/false services vs. a real unsecured installation firewalled off. Ignoring a change of password would set off red flags for even the most inept script kiddie, since at one point, usually early on in the incident, the attacker is bound to download the /etc/passwd and shadow file and run it through John (or whatever their favorite password cracker is).

Take a look around securityfocus.com, cert, sans, and a few other security sites and study a few incidents -- you'll find that it's common for an attacker to try to secure a host after breaking into it to ensure that nobody else breaks into it. Most audit tools offer the capability of automatically trying passwords, including password lists, password same as username. I've seen NT tools that establish a NULL Session, enumerate the account information and try the first name/last name of the person as the password. Plugging the Real Name field of the /etc/passwd file into a word list would be trivial, and once the box is rooted and the attacker has access to the log files, there's nothing preventing him from running something like ISS or Retina that makes a lot of noise. Both of those programs will report a zero-length password.



[ Parent ]
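Two of c0ncept's points in #63, that a real superuser shell has effective uid 0 whatever the account is called, and that audit tools report zero-length passwords, come down to checks a hosting admin can script and run on their own boxes before a customer's friend does it for them. Here is an added example, not code from any poster in this thread, that reads shadow(5)- and passwd(5)-formatted data and reports accounts with an empty password field and every account that maps to uid 0 (so a renamed root, or a second uid 0 account, is found by number rather than by name), plus a check of the current shell's effective uid. The sample file contents are constructed, the placeholder hash is not a real one, and the helper names are my own.

```shell
#!/bin/sh
# Added example: account-level checks behind the comments above. Not code
# from the thread; the shadow/passwd data below is constructed.

# shadow_empty_passwords FILE
#   Print login names whose password field (field 2) is empty. Locked
#   accounts ("*", "!", "!!") are not reported: they cannot log in with a
#   password at all, which is the opposite of the problem in the story.
shadow_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# uid0_accounts FILE
#   Print every login name in a passwd-style file whose uid (field 3) is 0.
#   A renamed root, or a second uid 0 account, shows up here regardless of
#   its name: the kernel checks the number, not the string "root".
uid0_accounts() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# is_uid_zero UID
#   Succeed if the numeric uid given is 0 (non-numbers fail).
is_uid_zero() {
    [ "$1" -eq 0 ] 2>/dev/null
}

# really_root
#   c0ncept's test: a shell that a banner or a renamed account calls "root"
#   is only the superuser if its effective uid is 0.
really_root() {
    is_uid_zero "$(id -u)"
}

# make_sample_files
#   Write constructed shadow and passwd data into a temporary directory
#   and print its path.
make_sample_files() {
    dir=$(mktemp -d)
    # Constructed shadow data: root and guest have empty password fields,
    # daemon and backup are locked, www has a placeholder (not real) hash.
    cat > "$dir/shadow" <<'EOF'
root::14592:0:99999:7:::
daemon:*:14592:0:99999:7:::
www:$1$placeholder$notarealhash:14592:0:99999:7:::
guest::14592:0:99999:7:::
backup:!:14592:0:99999:7:::
EOF
    # Constructed passwd data: two accounts map to uid 0.
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
sysop:x:0:0:second superuser:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
evro:x:1001:1001:hosting customer:/home/evro:/bin/sh
EOF
    printf '%s\n' "$dir"
}

# Demonstration on the constructed samples.
samples=$(make_sample_files)
printf 'empty password fields: %s\n' \
    "$(shadow_empty_passwords "$samples/shadow" | tr '\n' ' ')"
printf 'uid 0 accounts: %s\n' \
    "$(uid0_accounts "$samples/passwd" | tr '\n' ' ')"
if really_root; then
    printf 'this shell is the superuser (euid 0)\n'
else
    printf 'this shell is not uid 0\n'
fi
rm -r "$samples"
```

On a live system point the first two functions at /etc/shadow (readable only as root) and /etc/passwd; any name printed by shadow_empty_passwords is an account that can be entered with an empty password wherever password login is allowed, and any second name from uid0_accounts deserves an explanation from whoever administers the box.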

That is not security through obscurity (2.00 / 1) (#99)
by THEWeirdo on Sun Dec 17, 2000 at 12:39:29 AM EST

> Changing the name of the superuser accound is simply an attempt at security through obscurity (which isn't really security at all).

Not quite. First, that's `account'. Second, you're deceiving the cracker into thinking that ey actually is root--you are not just hiding root's username. By your argument, passwords might as well be considered security through obscurity.

On that last line of thought, you could even consider a modified root username to be a sort of secondary password.

  - THEWeirdo

"Better paranoid than sorry" -- Me
[ Parent ]

asdf (2.00 / 2) (#102)
by use strict on Sun Dec 17, 2000 at 06:42:12 AM EST

I don't want to get too technical here, but in most cases, when someone cracks your machine, it's through an intermediary process. (like sshd w/ RSA or sendmail, bind, etc).

It doesn't matter if your username is foobar or root or weeble or supercalifragilisticexpialidocius, it just matters if you can get UID 0. root is only a literal indicator of such.

Changing the usernames to 'trap' someone is only going to catch the people who probably would have never had the knowledge to hack up utmp/wtmp to clean their trail anyways, much less something like tripwire or even a static filesize checker.

All changing the root account does is make it harder for some programs which *expect* root to be uid 0 (albeit written poorly), providing a larger security hole, and makes it harder for the sysadmin to concentrate on *real* tasks such as setting up reliable filtering at the network level, which actually help PREVENT these problems from happening in the first place. Right now at my work you'd have to be one talented cracker to hit behind our firewall, and save one machine, I think, the rest are all directly visible outside it. We have some good sysadmins, and we also have root accounts where MEMORY ACCESS is logged and compared, not just shell work. And besides, most of the important stuff is in a memory-based file system, where overwriting data is moot as nightly it is rewritten.

So let em have root. :)


[ Parent ]
I Did something similar... (4.00 / 6) (#61)
by mcowger on Thu Dec 14, 2000 at 04:33:59 PM EST

...though not quite to the same extent.

My former webhost ran some merchant software (Miva). I had been reading security focus, and found a new one about Miva...a pretty bad one, that allowed a hacker/cracker (whatever) to grab various CC# info. So I tried the exploit (it was a modified URL thing). (after dialing up to a local telnet BBS) I was able to do bad things.

But I didn't want to get sued for doing bad things, so I couldn't email them from my account. Nor could I email them from anywhere on campus (the IP at the time could be tracked to my logon history). SO what did I do? I emailed through 3(!!!) anonymous remailers (one of them web based) which I got to via anonymizer.com...I basically anonymized myself as much as possible.

I sent them an email explaining what was possible and a link to the securityfocus article. So maybe that's what you should have done.
--Matt

Is this a hypothetical? (3.88 / 9) (#65)
by ContinuousPark on Thu Dec 14, 2000 at 05:59:23 PM EST

Then why don't you tell us the provider's name? I mean, there is now a root password (not precisely a good idea but other posters have talked about it already) so we don't get to do any harm . BUT it could be very informative because some of us may be considering buying some hosting this Xmas. And if you're saying that it's a major hosting company, well, I think that information could be useful. At least it might get a lot of press and that would hurry people at that company to solve this particular problem and any additional security problems they might have. Or is this a hypothetical and interesting story that actually never happened?

because (5.00 / 1) (#71)
by evro on Fri Dec 15, 2000 at 02:23:40 AM EST

They have other servers, this was just one server so they may have no root pw on others. Also I'm sure this one will have no root pw eventually. If it can happen once I'm sure it will happen again.

---
"Asking me who to follow -- don't ask me, I don't know!"
[ Parent ]
could it be (3.50 / 2) (#81)
by goosedaemon on Fri Dec 15, 2000 at 04:27:45 PM EST

is it possible that said host is idirect.com? i notice that that's the company hosting the website linked to in your signature...


[ Parent ]
duh (2.11 / 9) (#69)
by /dev/trash on Thu Dec 14, 2000 at 08:51:59 PM EST

Sure as hell wouldn't have a) logged on b) changed the password c) TOLD them. Right now. You're guilty as hell. You hacked their system and stole everything.

---
Updated 02/20/2004
New Site
duh? (3.66 / 3) (#82)
by budcub on Fri Dec 15, 2000 at 04:39:08 PM EST

If there was no root password, then did he really "hack" the system?

[ Parent ]
no (4.00 / 2) (#87)
by /dev/trash on Fri Dec 15, 2000 at 07:24:45 PM EST

No, he didn't. But why risk a lawsuit/criminal charges?

---
Updated 02/20/2004
New Site
[ Parent ]
Heheh .. (none / 0) (#105)
by job on Sun Dec 17, 2000 at 10:41:33 AM EST

I had a good laugh out of your comment. This is truly the way the computer-literate are treated. He was probably a terrorist too.

[ Parent ]
well (3.57 / 7) (#70)
by evro on Fri Dec 15, 2000 at 02:22:25 AM EST

2 days later and still no reply from them. Maybe they don't care. I really don't feel like calling them. Anyway, thanks all for the advice.
---
"Asking me who to follow -- don't ask me, I don't know!"
Sounds to me... (1.58 / 12) (#75)
by communista on Fri Dec 15, 2000 at 08:46:11 AM EST

Is this a "Well see I have this "friend" that..." sort of thing?? And you/he reset the root password. Was that the only UNIX command he knew?? I would be highly pissed at your "friend" because you could be taken to jail for that....One more person that gives the true hackers a bad name. See ya on CNN, and thank your friend for the support.
/me fucks shit up!!!!
please.... (2.57 / 7) (#80)
by cosmol on Fri Dec 15, 2000 at 03:09:58 PM EST

One more person that gives the true hackers a bad name
Please tell me how playing a joke on a friend, on what you think is his machine, finding out that it is really a problem with the web hosting services machine, fixing the hole, and notifying the company is giving "true" (are you a "true" hacker?) hackers a bad name...

[ Parent ]
Think before you mod...(see above) (2.11 / 9) (#86)
by communista on Fri Dec 15, 2000 at 06:36:03 PM EST

Cosmol...WRONG ANSWER.... please think before you post or mod something down ok??? I think you misconstrue what I am saying.

  • I am one who supports the hacking community, but I am not personally a hacker. Just because I would have a voice about something does not mean I practice activities of that genre...

  • I am also a believer that the actions of others directly reflect a group as a whole.

  • Having had the responsibility of monitoring mail servers and their activity in the past, I know that even though it was his friend that mailed him, the activity (where the mail came from and such) and that he (not the friend, the guy) could possibly lose access to his account and could possibly face charges...

Look...I posted a reply only as a concern for the poor bloke whose friend sent him that message, and to express that it is unfortunate that childish "pranks" such as the one his friend pulled (when exposed by law officials or media) do negatively impact the image that people have of those who are proficient with the innerworkings of the Internet, servers...whatever. I say that because you seem awfully sensitive to the word "hacker".

I did NOT however reply so that you could moderate something down that didn't rub you right. 1.00 was a bit harsh, but I suppose (I hope) you'll learn respect when you enter your teens. Oh was that harsh?? I'm sorry, but I think you've heard of what goes around, comes around.

Cheers,
Communista
/me fucks shit up!!!!
[ Parent ]
    Mr Big Man, knows some html, I'm so humiliated! (2.71 / 7) (#88)
    by cosmol on Fri Dec 15, 2000 at 10:09:15 PM EST

    What's this about a Wrong Answer? My post was a question.

    My point is that this is hardly something I think would give "true" hackers a bad name. Patching security holes and notifying the company and all. And where do you get off calling me sensitive about the word hacker, you're the one concerned about the reputation of the "hacking community."

    I would just like it if people would think before they started insulting each other. Why did you have to suggest that the only command the dude knew was to change the password? Why do you assume I'm a teen ager? That's the arrogance I'm talking about...

    [ Parent ]

    Big MAN? Nope, I'm a chick, last time I checked... (2.14 / 7) (#92)
    by communista on Sat Dec 16, 2000 at 02:52:13 PM EST

    Who cares if I know HTML? You are acting juvenile, hence the comment. As for arrogance, I believe that your previous statement displayed that as well. It upsets me that you modded my first comment to a 1 with little reason to do so, other than that you didn't terribly like what I said. So this is where the flame war ends. Thanks for your witty insights and gender misrepresentations.
    /me fucks shit up!!!!
    [ Parent ]
    I'll mod as I see fit, thank you. (2.14 / 7) (#94)
    by cosmol on Sat Dec 16, 2000 at 06:09:52 PM EST

    and I suggest that everyone do the same.

    From the k5 faq: "Please note that 1 is not 'bad.' It's just 'not as good as this other comment, which I'd rate five.'" I decided your comment was a 1.

    I apologize that I've touched upon your numerous insecurities and upset you... sheesh

    [ Parent ]

    Agreed..but, (none / 0) (#112)
    by communista on Mon Dec 18, 2000 at 08:03:21 PM EST

    I don't disagree with you. I agree, however...With the person who EXPLAINED why they modded down. Modding to a lower score and explaining why. This is not for a flame war, it's to get OPINIONS on stories, and other opinions. Some of my comments are flamebait, and I recognize that. I'm not on here for a popularity contest. But if you're gonna go on an angst rampage, explain why. Otherwise it's not justified.
    /me fucks shit up!!!!
    [ Parent ]
    I thought I did explain (none / 0) (#114)
    by cosmol on Tue Dec 19, 2000 at 03:27:42 PM EST

    But if you're gonna go on an angst rampage, explain why
    please refer to my first and second replies for an explanation...

    [ Parent ]
    I'm not entirely sure, but....I'd have to say (none / 0) (#115)
    by communista on Wed Dec 20, 2000 at 07:27:31 PM EST

    No, you gave me a textbook response. You told me what the moderation guidelines say. I can easily read that for myself. Now I don't know about you, but I'd be willing to say that many of the K5 readers don't use that.

    *yawns*

    But thank you for your insight nonetheless. It was helpful.
    /me fucks shit up!!!!
    [ Parent ]
    can you read? (none / 0) (#116)
    by cosmol on Thu Dec 21, 2000 at 12:59:06 AM EST

    I said refer to my first and second posts for an explanation. I was trying to talk about the actual story before you had to take offense and turned it into a flame war.

    [ Parent ]
    Why I modded comment #75 to 1 (4.00 / 2) (#100)
    by THEWeirdo on Sun Dec 17, 2000 at 01:08:07 AM EST

    You reiterated what had already been said, repeated, and stressed, over and over, time and time again. Your comment had no original content. Call me picky, but I usually will rate a comment a bit lower than I would otherwise even if it's saying something for only the second time. Seeing the same comment worded differently a dozen times is perhaps the one thing I hate most about /.. And I don't like it any better on Kuro5hin.

    Now, why am I feeding the flames? Flames are another thing I hate about /. (among other fora)...

      - THEWeirdo

    "Better paranoid than sorry" -- Me
    [ Parent ]

    I'm disappointed in the K5 crowd (3.44 / 9) (#79)
    by cosmol on Fri Dec 15, 2000 at 03:05:02 PM EST

    <RANT>
    A bunch of holier-than-thou naysayers.
    And y'all like to diss on the slashdot crowd. sheesh.
    While there have been a few good posts, most people are just trashing evro for trying to fix a security hole that could affect his data! My favorite was the post about how evro must have automatically felt a sense of arrogance for discovering the hole, come on, I see the arrogance coming from the posts where people are like "well *I* would never do that, evro must be a dumbfuck." Oh yeah, and read the article before you post people. He is quite aware that the account could be a honeypot.
    </RANT>

    Dude! (none / 0) (#111)
    by mrfiddlehead on Mon Dec 18, 2000 at 02:23:21 PM EST

    Chill. Mondays, eh?
    :wq
    [ Parent ]
    True-Life Story... (4.75 / 8) (#84)
    by John_Booty on Fri Dec 15, 2000 at 05:14:31 PM EST

    Usually, companies seem to have that kind of an arrogant response. However, in this incredibly unbelievable instance that personally occurred to me ...sometimes they just didn't care when we told them about their hole!

    My friends and I were shopping for a good price on a computer game. We came across a site, eCompare.com, that had links to good prices on the game around the net. One of the prices was too good to be true: $5.99! This is on a new game that costs $50-$60 normally.

    Upon closer examination, we saw that the price for the item was actually contained in the link for the item. In other words, the link looked something like this (NOT the real URL).... http://www.blahblahblah.com/item/blahblah.cgi?itemid=324823984&price=5.99

    Through a little experimentation, we found that this trick worked for ANY item on the site! Being the good little boy scouts we are, we called them up and told them about it. The phone operator's response? You won't believe it. He basically said, "No, I've never heard of that feature before...I would go ahead and try for the lowest price". A week later, I called AGAIN and told them... and got the same response. I sent them 2 emails on the topic but they never responded.

    As of today, they still haven't fixed this hole yet (although the links have been removed from eCompare.com). My friend actually ordered and received a $950 item for $95 dollars this way. I ordered some items too. Is this morally wrong of us? Under any normal circumstances, I'd say "yes". But considering the company itself told us to "go for it".... is it really wrong?

    Moral issues aside, I wonder what they could do to us for taking advantage of this hole? Considering this hole could legitimately be stumbled upon simply by a typo when you're entering the URL... they'd have a hard time proving that we were "hacking". Unbelievably sloppy coding on the whole entire site, to be honest.

    By the way... we also found that you can put negative numbers for the item price. I wonder if they'd actually mail you a check along with your item? ;-)

    Also I just want to clarify: eCompare.com isn't the site with the hole... they have links to many other sites and the site with the hole was one of them. Don't mail me asking about which site it is either, I'm not saying. ;)


    _______________________________________________________________
    Anime, game, and music reviews at www.bootyproject.org... by fans, for fans.
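    The flaw in the story above is a price carried in a client-editable link. The following is an added example (not code from the original thread or from any site it names) contrasting that pattern with a handler that takes the price only from a server-side catalog and re-verifies orders at review time; the catalog, ids, prices and URLs are constructed, and the parameter names follow the thread's description.

```python
"""Server-side price handling for a catalog/order CGI (added example).

The catalog, product ids and prices are constructed; the query-string layout
(p_prodid / p_catid / PRICE) follows the thread's description of the links.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs, urlsplit

# Constructed catalog: the only legitimate source of a unit price.
CATALOG = {
    ("216", "2"): Decimal("389.00"),
    ("49", "2"): Decimal("950.00"),
}


def _params(url):
    """First value of each query parameter, as a plain dict."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def _money(text):
    """Parse '$389.00' or '389.00'; None when it is not a number."""
    try:
        return Decimal(text.strip().lstrip("$"))
    except InvalidOperation:
        return None


def quote_price_trusting_client(url):
    """The flawed pattern from the story: the PRICE in the link is billed.
    Any field the client can edit (query string, hidden form field, cookie)
    is attacker-controlled input; this is shown only to make the defect concrete."""
    return _money(_params(url).get("PRICE", ""))


def quote_price_from_catalog(url):
    """Hardened lookup: the ids select the catalog row; PRICE is never honoured.
    Returns (price, warning): a client PRICE that disagrees with the catalog is
    a tampering signal worth logging and alerting on."""
    p = _params(url)
    key = (p.get("p_prodid", ""), p.get("p_catid", ""))
    if key not in CATALOG:
        raise ValueError("unknown product id/category")
    price = CATALOG[key]
    warning = None
    if "PRICE" in p and _money(p["PRICE"]) != price:
        warning = f"client PRICE {p['PRICE']!r} disagrees with catalog {price}"
    return price, warning


def review_order(lines):
    """Second line of defence for the order-review step (automated or human):
    re-verify every (prodid, catid, quantity, unit_price_text) line against the
    catalog. Returns a list of problems; empty means consistent. Also catches
    the negative or zero prices mentioned later in the thread."""
    problems = []
    for n, (prodid, catid, qty, unit_price) in enumerate(lines, 1):
        expected = CATALOG.get((prodid, catid))
        if expected is None:
            problems.append(f"line {n}: unknown product {prodid}/{catid}")
            continue
        if not isinstance(qty, int) or qty <= 0:
            problems.append(f"line {n}: bad quantity {qty!r}")
        if _money(unit_price) != expected:
            problems.append(f"line {n}: price {unit_price} != catalog {expected}")
    return problems
```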
    You talked to the operator? (4.20 / 5) (#85)
    by nstenz on Fri Dec 15, 2000 at 06:14:59 PM EST

    Who did you e-mail about the horrible coding? Is the operator the only person you talked to on the phone? I wouldn't bother with a 'dumb operator' on this one - you have to ask for the site admin... and if he/she doesn't believe you, ask for the guys who coded the stupid site. If they're contractors or a 3rd party, ask for contact info. You were obviously talking to the wrong people who knew nothing about the system.

    However... Congratulations on the stupidity of the people at the place that told you to 'go for it'... I certainly wish I could save a little money (although I wouldn't exploit something like this).



    [ Parent ]
    I emailed them too.... ;-) (4.00 / 4) (#89)
    by John_Booty on Fri Dec 15, 2000 at 11:11:43 PM EST

    You're right, the operators were clueless. I emailed the ONLY address I found on their site (customerservice@blahblahblah.com)... TWICE about the hole and received no response!

    It's a very chintzy site. Cheap. Definitely NOT Amazon.com... very little in the way of customer service contacts. I had to DIG to find that one solitary email address....

    At this point I just have to shake my head and hope my nice 192mb compact flash card arrives...I think I did the best I could to tell them about it. If they don't care, why should I?


    _______________________________________________________________
    Anime, game, and music reviews at www.bootyproject.org... by fans, for fans.
    [ Parent ]
    Re:True-Life Story... (3.50 / 4) (#90)
    by jeffsenter on Sat Dec 16, 2000 at 02:16:32 AM EST

    This is just my opinion, but I don't think sloppy coding like this is going to stop until some companies go under because of it. I would actually get in touch with the FBI about this and ask if they have any suggestions... probably not.
    After that inform the FBI and the company that in X days you are going to post how to perform this trick all over the internet and everyone is going to use it and rip off the company.
    This is of course only if you are feeling really ambitious. You certainly don't have a moral obligation to help the company any further.

    [ Parent ]
    I agree (4.00 / 4) (#91)
    by hardburn on Sat Dec 16, 2000 at 12:54:35 PM EST

    Yes, tell them you're going to tell everyone about the hole, post it to places like BugTraq, and watch the script kiddies have fun. The company will either fix the hole in an hour or be bankrupt by the end of the day. It would be more immoral to keep this to yourself and let the hole go on than to let it out.


    ----
    while($story = K5::Story->new()) { $story->vote(-1) if($story->section() == $POLITICS); }


    [ Parent ]
    I found it! (2.50 / 2) (#101)
    by btlzu2 on Sun Dec 17, 2000 at 02:41:42 AM EST

    I found it in a lucky 5 minutes. The site is down now, either coincidentally, or maybe they finally got wise. I could tell which one it was by looking at the link in the status line at the bottom of the browser.

    Considering you said the price was $950, you can eliminate books and other such items.

    Too bad, it would've been fun to try!
    "This machine will not communicate the thoughts and the strain I am under." --Radiohead/Street Spirit (Fade Out)
    [ Parent ]
    Found it (3.50 / 2) (#106)
    by Potsy on Sun Dec 17, 2000 at 08:16:46 PM EST

    I found it, too. Some, but not all, of the links with the "price" field in the URL are still in place on eCompare.com's site. The rest of them have been replaced by a URL that simply takes you to a part of [unnamed company]'s web site called "online orders".

    In either case, once you get to [unnamed company]'s web site, you still end up having to go to the "online orders" section anyway, even if you followed one of the links with the "price" field in the URL. Once you get to the "online orders" section, you simply fill out a form and then wait for an operator to call you. On this form, as with the URL, you can type in your own price. That's right. You can change the price to anything you want, even on the order form. However, since human intervention is needed to complete an order, I believe they would notice if you tried to alter the price by too much, maybe even by one penny.

    Is that the way it always was, or did they just recently add the human intervention step?

    Still, if the same dumb operators you mentioned are the ones completing the orders, perhaps they would just blindly place an order anyway, no matter what price you typed in. I wouldn't want to try it, though. If they caught it, they could easily go running to the FBI and turn it into a big "hacking" case, and thus have you thrown away for a long time. It's not hard to imagine receiving a 10-20 year sentence for something like that, given how overzealous law enforcement is about "hacking", even though this is really the company's fault.

    [ Parent ]

    Found it in under 3 mins (3.00 / 2) (#107)
    by cobain on Sun Dec 17, 2000 at 11:46:35 PM EST

    Although, now it seems a rep will contact you to finish the purchase, has it always been that way?

    You did give a bit too much information, by giving out ecompare.com and someone else said you could see it in the links to the product. Not to mention you said you bought a $950 product which sent me right to the electronics.

    [ Parent ]
    Remote Root? (3.00 / 1) (#108)
    by ravskel on Mon Dec 18, 2000 at 02:14:26 AM EST

    hey... Is it just me, or am I the only one who notices things like the inability to remotely login as root as a default on almost all linux distributions. Default install that is. So either someone went out of their way to make it so that root could login remotely or, story fabricated...
    Then again. I've been known to be wrong.... From time to time.

    Depends ... (none / 0) (#110)
    by mrfiddlehead on Mon Dec 18, 2000 at 02:21:15 PM EST

    I always make sure that telnet is turned off and install an ssh daemon whenever I set up a system. Lately I've switched to openssh since it supports ssh2 and there are known problems with ssh1 and man in da middle type attacks (even though ssh1 is safe as long as you have the remote system's key stored locally, which you should if you're going to login as root, remotely). Remote root login is not inherently bad, IMHO.

    In this instance, I would think that the hosting service probably got hacked and the root password was emptied in /etc/shadow. I would hope so anyway, the idea that they left a root account wide open is just too scary to contemplate.

    :wq
    [ Parent ]
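    The two conditions this sub-thread turns on, an emptied password field in /etc/shadow and whether sshd permits root to log in remotely, can both be checked from the files themselves. The following is an added example (not from the original thread) that audits passwd/shadow-format text for empty password fields and extra uid-0 accounts, and reads the effective PermitRootLogin using OpenSSH's first-value-wins rule; the sample account lines, hash and config fragment are constructed, and Match blocks are not handled.

```python
"""Audit passwd/shadow data and sshd_config for the thread's two conditions.

Added example. Input is passed as text so the constructed samples run offline;
feed it the contents of /etc/passwd and /etc/shadow (root-readable) to audit a host.
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:alternate root:/root:/bin/sh
evro:x:1001:1001:customer:/home/evro:/bin/bash
nobody:x:65534:65534:nobody:/:/sbin/nologin
"""

# Constructed: root's field is empty (the story's hole), toor's hash is a placeholder.
SAMPLE_SHADOW = """\
root::11304:0:99999:7:::
toor:$1$CONSTRUCTED$notarealhash:11304:0:99999:7:::
evro:!:11304:0:99999:7:::
nobody:*:11304:0:99999:7:::
"""

# Constructed fragment; sshd keeps the FIRST value given for a keyword.
SAMPLE_SSHD_CONFIG = """\
Port 22
permitrootlogin yes
# the line below is ignored by sshd because the keyword was already set
PermitRootLogin no
"""


def _entries(text):
    """Yield colon-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split(":")


def audit_accounts(passwd_text, shadow_text):
    """Return sorted (account, issue) pairs for the conditions discussed."""
    findings = set()
    shadow = {f[0]: f[1] for f in _entries(shadow_text) if len(f) >= 2}
    for f in _entries(passwd_text):
        if len(f) < 7:
            findings.add((f[0], "malformed passwd entry"))
            continue
        name, pw, uid = f[0], f[1], f[2]
        if uid == "0" and name != "root":
            findings.add((name, "extra uid-0 account"))
        # 'x' defers to shadow; an empty field means no password is set at all
        # (whether that still permits login depends on pam_unix's nullok).
        effective = shadow.get(name, "x") if pw == "x" else pw
        if effective == "":
            findings.add((name, "empty password field"))
        elif pw == "x" and name not in shadow:
            findings.add((name, "no shadow entry"))
    return sorted(findings)


def permit_root_login(sshd_config_text):
    """Effective PermitRootLogin value, or None when unset (the build's default).
    Keywords are case-insensitive, arguments are not; Match blocks are ignored."""
    for line in sshd_config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip()
    return None
```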

    no problem (4.50 / 2) (#109)
    by zencode on Mon Dec 18, 2000 at 06:54:57 AM EST

    i have no compunction whatsoever about posting the link and explaining how to manipulate it.

    on ecompare.com, you will find a link such as this:

    http://www.aplusdigital.com/cgi-bin/webc.exe/st_prods.html?p_prodid=216&p_catid=2&PRICE=$389.00

    only three parts matter; the prodid=, the catid= and the PRICE=. in order to find what specific product you want to manipulate, just go to aplusdigital.com and find the item you want. for example, go to aplusdigital's digital camcorder section here. if you like the sony dcrtrv900 (the last item on the page), you will notice that the link contains the prodid= of 49 and the catid= of 2. now just take the 49, insert it into the prodid=, take the 2, insert it into the catid (it's already 2, actually) and you wind up with:

    http://www.aplusdigital.com/cgi-bin/webc.exe/st_prods.html?p_prodid=49&p_catid=2&PRICE=$389.00

    now you just change your price and voila! personally, i (a) make enough money and (b) don't have any desire to have three-letter gov't agencies crawling up my ass, so i'm not about to try this. i've got bigger fish to fry.

    my .02
    zencode

    http://www.iactivist.org/jason/

    re:no problem (none / 0) (#117)
    by Sporko on Fri Dec 22, 2000 at 01:58:53 AM EST

    There's about a 90% chance that they double check those figures in billing or shipping. I might believe it if the price was obfuscated, but it's far too obvious a way to manipulate the system.

    Chances are all that will happen is you'll get an email stating there was an error processing your order, and to try again.

    [ Parent ]

    What to do when you find a hole in a big site? | 120 comments (114 topical, 6 editorial, 1 hidden)