[ISN] Defacements/Server Compromise, Some Companies Simply Don't Care

From: InfoSec News (isnat_private)
Date: Thu Dec 27 2001 - 23:18:07 PST


    http://packetderm.cotse.com/helpdesk/documents/editorials/edit_jh_009.html
    
    A Cotse Editorial
    John Holstein, 
    Cotse Helpdesk/Support
    
    Of course it's all a matter of perspective. If you speak of
    manipulating web site content to misrepresent company policies, sure
    they care. What I am speaking of is investigating and prosecuting the
    criminal element involved in the act of defacement, root compromise or
    infection by "worms". In other words, companies tend to "fix & forget".
    
    I recently spent some time with another admin talking about tech and
    system administrator issues. We spoke of a few items I thought I
    should share with Cotse readers.
    
    
    "....we were in the process of building a set of servers for use with
    our E-Commerce development branch, these servers, while not that
    sophisticated would operate around 30 websites, email, and various
    Apache modules, such as PHP, Perl, SSI and others. We installed a
    certain version of Linux, setup the basis for our servers and away we
    went. During the installation, I was new to the office so I didn't
    make myself "heard" well enough. I didn't want to be "pushy" so I
    didn't project enough concern toward security. What little input I
    used was toward attempting to get the primary admin to close a few
    security holes that we didn't need opened in the first place, such as:
    Samba, NFS and LPD (printer support). The primary admin was set on
    doing an OOB install, whereas what came installed, stayed installed.
    At this point, I was very much aware that the admin didn't have a
    security mind-set, something that would eventually cause trouble.
    
    Over the course of the next month or two, we built the complementary
    servers to house the ECommerce sites. The sites themselves were
    running well and we didn't have any trouble to note. Upon a Thursday
    or Friday afternoon, Thursday I think, I was looking around the
    servers and found something very strange. One of the two servers was
    "down", seemingly "halted". I immediately contacted the other admin
    and asked if he had shut the box down. Of course, he had not. I took
    the box off the network and allowed it to reboot. Upon reboot, I did a
    simple "netstat", with little to no results and I further explored a
    "ps" command. The "ps" command was either missing or came up with some
    strange results (it's been a while, forgive me for my memory lapse). I
    knew from experience that this was a first sign of a "root kit"  
    install.
    
    After doing some checks with the security sites, I found that I was
    0day +3 into the recent LPD exploit, well, being overly cautious, I
    immediately went to checking. Indeed, the LPD exploit was used on the
    server.
    
    Needless to say, I attempted to follow certain guidelines in taking
    the box offline, mirroring the drive, backing up, maintaining
    evidence. In fact, I wanted to put a totally different box in place
    and keep that particular machine out of the loop. Management, in a
    round-about-way didn't want any part of that. In fact, they wouldn't
    allow me to track back and find the origin of the intruder (which I
    already suspected a Worm had worked its way to my system) nor did
    they want to involve the police....."
    
    This is one account that directly relates to management "covering up"  
    a particular exploitation of their networks and servers. I have heard
    of many more.
    
    If in fact this is common and this set of circumstances repeats itself
    world-wide, what expectations of law enforcement do we perceive when
    an ethical report of a website defacement or server compromise
    actually makes it to the desk of an investigator? Law enforcement
    gleans a lot of information for the investigation by way of statistics
    gathered from other instances of the same or similar crimes. If the
    crimes are not reported and profiles of criminals are not generated,
    how is law enforcement expected to render reasonable assumptions and
    accurate statistics? The fact is, they cannot.
    
    While completely understanding most website defacements are very
    simplistic and not overly malicious in the way the files are changed
    and/or manipulated, one must also understand that during an intrusion
    of webservers, enough information is gleaned to obtain further
    permissions and/or ease the business of completing social engineering
    schemes.
    
    Although most website defacements and root exploits occur on the
    "outside" servers, some, if not the largest percentage of actual
    defacements occur because of the "unicode exploits" in Microsoft IIS
    4.0/5.0 Servers. These exploits DO NOT undertake a sophisticated
    process in order to deface a website. A simple URL entered into the
    address line of the web browser of an unsuspecting netizen could in
    fact deface a website without the knowledge of the person doing the
    clicking.
    
    By no means does this mean that the assailant didn't have access to
    other resources, it only means that this is a very simple approach to
    defacement. In the basis of the unicode exploit, other commands and
    functions may be utilized for other goals.
    
    That's right folks, for those that do not understand or haven't been
    enrolled in the defacement scene, all you need do to "hack" a
    company's website that's running an OOB install of IIS 4.0/5.0 is
    enter a certain malformed URL into your Internet Browser (IE for
    instance) and click "go". The target of the URL will then be
    transformed from the website it once was, to whatever the writer of
    the URL wants it to be. How simple do they have to make it? Not
    speaking of the cracker, I am speaking about the writer of the web
    server software. A simple URL can "do-in" a company's website.
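The IIS 4.0/5.0 "unicode exploit" the editorial refers to came down to the server checking a request path for ".." before it decoded overlong UTF-8 and double percent-encoded separators, so the check passed and the decoded path still walked out of the web root. As an added detection example (not from the editorial or Cotse), the scanner below decodes request paths the lenient way that server did, then flags any logged request that carries overlong bytes or climbs above the root; the log format and sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xC0/0xC1 lead bytes start "overlong" UTF-8 forms no real client sends; IIS 4/5
# turned them into ASCII only after its ".." check had already run.
_OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

# Constructed sample lines (not from the editorial): date time client method uri status
SAMPLE_LOG = """\
2001-12-27 10:01:02 192.0.2.10 GET /default.htm 200
2001-12-27 10:01:09 192.0.2.10 GET /scripts/..%c0%af../private/notes.txt 200
2001-12-27 10:03:40 192.0.2.12 GET /scripts/..%255c..%255c/private/notes.txt 404
2001-12-27 10:04:01 192.0.2.13 GET /docs/../index.htm 200
"""

def percent_decode(uri: str, rounds: int = 3) -> bytes:
    """Percent-decode until stable, so double encoding like %255c unfolds too."""
    data = uri.encode("latin-1", "replace")
    for _ in range(rounds):
        step = unquote_to_bytes(data)
        if step == data:
            break
        data = step
    return data

def normalize_path(uri: str) -> str:
    """Fold overlong bytes to the ASCII they hide (C0 AF -> '/', C1 9C -> '\\'), '\\' -> '/'."""
    folded = _OVERLONG.sub(lambda m: bytes([((m.group()[0] & 0x1F) << 6)
                                             | (m.group()[1] & 0x3F)]), percent_decode(uri))
    return folded.decode("latin-1").replace("\\", "/")

def escapes_root(path: str) -> bool:
    """True when '..' segments climb above the web root; '..' that stays inside is fine."""
    depth = 0
    for seg in path.split("/"):
        depth += -1 if seg == ".." else (1 if seg not in ("", ".") else 0)
        if depth < 0:
            return True
    return False

def scan_log(text: str) -> list:
    # One (client, uri, reasons) finding per request no legitimate client would send.
    findings = []
    for line in text.splitlines():
        _d, _t, client, _m, uri, _status = line.split()
        reasons = []
        if _OVERLONG.search(percent_decode(uri)):
            reasons.append("overlong-utf8")
        if escapes_root(normalize_path(uri)):
            reasons.append("traversal")
        if reasons:
            findings.append((client, uri, reasons))
    return findings
```

The same normalization belongs in front of any path check a server or proxy performs: decode fully first, then test for traversal, which is the order IIS got wrong.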
    
    Whose fault is it? What does it matter? Sure, the cracker is to blame
    for cracking the website. But seriously? A simple URL defacement?  
    Click on a link and *poof*, what once was a BIG CORPORATE SITE,
    relying on Microsoft to provide ample security, was reduced to some
    script kiddie chanting about the End of the World and how he/she
    RULEZ! it.
    
    Do the companies care? Evidently not. How many website defacement
    "crackers" have you seen convicted lately? Although I understand that
    Law Enforcement cannot prosecute all of the cases that could be
    presented in relation to defacement, they could in fact compile
    statistics relative to the M.O. of the cracker. This job is currently
    done by civilians! Personal web sites are devoted to the statistical
    analysis of web site defacements, where the information generated is
    done so by civilians. If in retrospect, this was done by a civilian,
    in relation to say arson, would we not have cause for concern?
    
    Being a volunteer fire fighter for 15+ years now, I know for a fact
    that the government collects data on every aspect of a fire. What
    materials were used to start the fire, electrical involvement,
    equipment involvement, radiated heat, blah blah blah. If we can do
    this with fire, why not computer systems? I mean heck, what better
    product to do statistics about than the product that compiles the
    statistics!
    
    This is a new world we live in and the rules and laws must change to
    meet the new era of information and communications. While we are well
    on our way to creating appropriate guidelines, the governments of the
    World are soon to realize their current law enforcement infrastructure
    cannot handle the work load that is presented to it.
    
    None of this will be done to suit the privacy advocates of the World,
    including myself. Folks, even though I want to keep as much of my
    privacy as I possibly can, I know some of the freedoms that we are used
    to will have to be given up, or at the very least, allowed to be
    changed in order to keep the status quo at the level we are used to.
    There are two opposite sides to every debate. I am sure a middle
    ground is obtainable where everyone, well almost everyone, can meet
    and appease the majority of those concerned. Frankly, that's why it's
    called a "democracy". Without two opposing views, at an equal distance
    apart, a logical solution would be oppressed by the single minded
    behavior of an individual dominating force.
    
    When the average 13 yr old is opened up to the opportunity to "screw
    over" the system that he/she thinks is "against them" without
    subjecting themselves to "being caught" or criminal prosecution, do
    you not think, soon will be the time that 13 yr olds will become the
    criminals of the world? Hiding in the shadows, cracking whenever
    possible? That's been going on for years in front of the blind eye of
    law enforcement. But wait! They caught Kevin Mitnick! Yea, like he's
    one of twenty thousand. And he was "caught" not by law enforcement,
    but one of his peers.
    
    John Holstein, 
    Cotse Helpdesk/Support
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    



    This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 06:03:36 PST