
[atlarge-discuss] Defacement of site



It seems that there is a need for "explanation" or "proof" according to
Joop.

I cite from an earlier e-mail from me to WG-DNS from minutes before I
learned of the defacement;

<cut>
P.S. as test and example:

--16:09:16--  http://www.icannatlarge.com/
           => `www.icannatlarge.com/index.html'
Connecting to www.icannatlarge.com:80... connected!
HTTP request sent, awaiting response... 200 OK

------<getting all files, thus cut>-------

FINISHED --16:09:35--
Downloaded: 1,046,233 bytes in 34 files
[root@Prometheus icann]# 

As you see all files that one "can" get "freely" (passwd protected parts
need a little more inventive behaviour) are downloaded fast.

The result:
http://www.able-towers.com/~abel/icann/www.icannatlarge.com/

Regards

A
</cut>

Weirdly enough this is where I first saw the defacement.

As for the remainder: ask the panel, Webmaster and yourself, I have no
responsibility or influence on anything that happened with the site or
the forum, but I do know that it usually does not take 4 or more hours to
stick databases back in sql and re-install the "forum" tarball.

What worries me is that not one of you seems to care about the userdata
that was compromised, what worries me is that the server in question is
still up and running.
Good practice in case of a hack is to take the server in question
off-line and do forensics; off-line, then replace the HDD('s) and
re-install, protect better, bring it on-line.

Now the client can put his/her back-ups back on the machine.

Read for php hacks on google ???? I really never heard they took over
security focus which always has been one of the forefronts for these
things.

Furthermore, on a personal note Joop:

I think you should be less quick on innuendos towards anyone. An out of
place and context cut does not hack it with me as an argument, though
you might think it does on this list, but it doesn't.  You quote me
incompletely and you know it; this is, without going into plot-theories,
simple to prove, and with the first part it becomes perfectly clear that
I told them to put the back-up on the site, so there goes one theory.
Next, the list Thomas gracefully hosts for this group; fitug.de is a
University, with professional system administrators on more than enough
bandwidth, I do not have that fear and am also sure that if anything
happened with the list, Thomas would immediately produce a subscriber
list.

Other maillists (WG ones set up by Jefsey) are run on yet another
machine.

I am also pretty sure that neither Sotirus nor James hacked the forum to
get it down, since I think both of these gentlemen are democratic
creatures that might not like the technique you used, but respect
majority decisions.
Then you state: 

<cut> Craig StGeorge of webfarm will be able to help you with server
security in general. It is his server security that is at stake and there
may have been other clients affected on the same server </cut>

And that server hosts more clients and is still up and running? Somehow
I wonder if he even knows. But it should have been off-line completely.

And since you want to know whether the culprit can do it again (please
do not refer to this person as a hacker): well, without having
root privileges you can never tell at all, and even with them I would doubt
you could find it, if he/she was any good.

As I said earlier, clean it up, protect better, move back-ups in and
start rolling again.

Kind regards

Abel


===========================

Information in this electronic mail message is confidential and may be
privileged.

It is intended solely for the addressee. Access to this message by
anyone else is unauthorised. If you are not the intended recipient any
use, disclosure, copying, or distribution of this message is prohibited
and may be unlawful.

Any attachment has been checked for viruses, but please rely on your own
virus checker and procedures.

If you contact us by email we will store your name and address to
facilitate communications. 

=========================

Able Towers and Able Consultancy are tradenames of Moordata Ltd.

2 Brickett Close 
Ruislip
Middlesex
HA4 7YE 
UK
+44 1895 635413
+44 77 53837191

www.able-towers.com
www.url.org

best co-lo rates in the UK
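
As an added example, not part of Abel's post or any tool mentioned in it: the wget run quoted above (34 files in 19 seconds) is exactly what a web-server access log records as one client fetching many distinct files in a short burst, and the script below flags such bulk-mirroring clients so an operator notices them. The Apache-style log lines, IP addresses, paths and timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not from the original post):
# 203.0.113.5 behaves like the wget mirror in the post, pulling a dozen distinct
# files in as many seconds; 198.51.100.7 is an ordinary visitor.
MIRROR_PATHS = ["/", "/index.html", "/about.html", "/news.html", "/members.html",
                "/images/logo.gif", "/images/bg.gif", "/style.css", "/forum/",
                "/forum/index.php", "/forum/viewforum.php", "/contact.html"]

def _log_line(ip, second, path, ua):
    return (f'{ip} - - [10/Jan/2003:16:09:{second:02d} +0000] "GET {path} HTTP/1.0" '
            f'200 1024 "-" "{ua}"')

SAMPLE_LOG = "\n".join(
    [_log_line("203.0.113.5", 16 + i, p, "Wget/1.8.2") for i, p in enumerate(MIRROR_PATHS)]
    + [_log_line("198.51.100.7", 20, "/index.html", "Mozilla/4.0"),
       _log_line("198.51.100.7", 45, "/news.html", "Mozilla/4.0")])

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+) '
                     r'"[^"]*" "([^"]*)"')

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, _size, ua = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "path": path, "ua": ua}

def find_mirroring_clients(log_text, window_seconds=60, min_files=10):
    """Return {ip: (peak_distinct_files, user_agent)} for clients that fetched at
    least min_files distinct paths inside some window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["when"])
        peak = 0
        for i, first in enumerate(recs):  # sliding window starting at each request
            paths = {r["path"] for r in recs[i:] if r["when"] - first["when"] <= window}
            peak = max(peak, len(paths))
        if peak >= min_files:
            flagged[ip] = (peak, recs[-1]["ua"])
    return flagged
```

Running `find_mirroring_clients(SAMPLE_LOG)` flags only 203.0.113.5 with 12 distinct files; tighten `window_seconds` and `min_files` to taste for a real log, and treat a hit as a prompt to review what was reachable without authentication.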



---------------------------------------------------------------------
To unsubscribe, e-mail: atlarge-discuss-unsubscribe@lists.fitug.de
For additional commands, e-mail: atlarge-discuss-help@lists.fitug.de