Comments on: Comments on 8083

Post number 8083

cheaily — Wed, 06 Jun 2001 00:17:43 -0800

EEEEEEEEEEEEK. Matt, hope you see this soon.

By: cheaily

cheaily — Wed, 06 Jun 2001 00:21:38 -0800

in case you're wondering what i'm on about: mefi was hacked at approximately 12.15am PST

By: mathowie

mathowie — Wed, 06 Jun 2001 02:22:28 -0800

Working on it with qJason for the past couple hours. I know exactly how they did it, what they did, and how they covered their tracks. I also know why it happened, which we're trying to fix now. The long story short is a stupid microsoft security patch installer is to blame for leaving the vulnerability open.

By: delfuego

delfuego — Wed, 06 Jun 2001 03:49:51 -0800

Figured out the problem with the hotfix installer, and patched the system about 20 minutes ago. Should be ready to rock; we'll see about that.

By: capt.crackpipe

capt.crackpipe — Wed, 06 Jun 2001 04:03:26 -0800

Wow, that was like a public service hack. "If you want more info on whats wrong with ur box Mr. Admin email me ... (yea we can still be friends ;p)."

By: internook

internook — Wed, 06 Jun 2001 04:25:08 -0800

A public service hack is like a window salesman smashing your windows to show you the drafts in your house.

By: TuxHeDoh

TuxHeDoh — Wed, 06 Jun 2001 05:08:21 -0800

... is like a window salesman smashing your windows....

Until I got to the end of the line, I swore you were talking about Windows - 95, NT, 2k. Funny.

By: m.polo

m.polo — Wed, 06 Jun 2001 05:17:11 -0800

(yea we can still be friends ;p). Hmm... With friends like these, who needs... Never mind.

By: mecran01

mecran01 — Wed, 06 Jun 2001 05:30:37 -0800

The self-righteousness of the cracker is reallly annoying. And if they're going to break into machines, why not put up something funny or interesting? geesh.

By: Irontom

Irontom — Wed, 06 Jun 2001 05:37:09 -0800

In light of the link that was posted earlier this week about the GNC DDOS attacks, this is in fact a pretty mild attack. On my own site, I would certainly prefer this kind of annoyance to some of the others that I have seen in the past.

By: donkeymon

donkeymon — Wed, 06 Jun 2001 05:50:00 -0800

I think that psychologically the cracker is riding the fence. They want the recognition of being Mr. Big-Time Cracker Guy, but they don't want to feel like a bad person and cry themselves to sleep at night, so instead of sending a nice email to Matt saying "Hey, here is this huge hole" or instead of trashing everything on the site, they go right down the middle and deface the site without really messing anything up. That is probably how I would do it too, I guess.

By: skallas

skallas — Wed, 06 Jun 2001 06:25:54 -0800

This guy isnt even a cracker, he's a defacer. Its definately a mixed bag, these big egos have to write something and a simple email to the admin saying 'Check out Q248483 for the hotfix you need before its too late' doesn't do it for them. Usually when that happens there's a public thank you and no one has to hide behind silly names like k0Ng'daCrAk3R. I think its the fear of not getting a public thank you that drives "nice defacers."

By: ktheory

ktheory — Wed, 06 Jun 2001 06:30:52 -0800

This hacker sounds more like a punk script kiddie, try to get cred, than anything else. He wasn't really being altruistic, because he could have simply emailed Matt about the problem.

By: ktheory

ktheory — Wed, 06 Jun 2001 06:31:47 -0800

Umm, I agree will skallas.

By: skallas

skallas — Wed, 06 Jun 2001 06:33:37 -0800

Sorry about the double, but jumped the gun. I'm sure this guy/gal, like lots of netizens out there want to legitimize the classical definiation of 'Hacker' as opposed to Cracker, but they continue to act like a typical Cracker or scriptkid that more or less feeds the anti-Hacker rhetoric.

By: fleener

fleener — Wed, 06 Jun 2001 06:40:33 -0800

Seems like a graffiti tagger putting his name on buildings instead of burning them down so as to inform us the building security sucks. OK, but, uhhh, we pretty much already know that. We operate everyday on an assumption that people will act in a civil manner. Storefronts like MetaFilter don't need ultratight security. They shouldn't need to hire a security guard to patrol their sidewalk to keep even taggers away. It's the banks and government offices that control sensitive information that we want being totally secure. MeFi doesn't even have credit card numbers on record, so what point is made in hacking us?

By: whuppy

whuppy — Wed, 06 Jun 2001 06:49:03 -0800

Time to switch to OpenBSD!.
Okay, sorry, I'll go back to Slashdot now.

By: whuppy

whuppy — Wed, 06 Jun 2001 06:52:33 -0800

Seriously, though: What are the issues involved in migrating MeFi to a real operating system? (ouch! okay, okay, I'll see you over in MetaTalk . . .)

By: jpoulos

jpoulos — Wed, 06 Jun 2001 06:55:19 -0800

This hacker sounds more like a punk script kiddie DON'T SAY "SCRIPT KIDDIES"!!!

By: PWA_BadBoy

PWA_BadBoy — Wed, 06 Jun 2001 07:00:12 -0800

What's wrong with "script kiddies"? That's exactly what they are. There's no m4d 5k1llz involved in hacking IIS servers. Just gotta know where to find the pre-written app that'll let you "hack" into the server. Plug in the IP and away you go. It's stupid really. Please give the hackers the respect they deserve and properly term these IIS "hackers" as "script kiddies", ok?

By: ph00dz

ph00dz — Wed, 06 Jun 2001 07:16:57 -0800

In defense of the script kiddies -- I recently got my hands on a really nice "vulnerability testing script" and I've gotta say, it was almost impossible to keep myself from wandering around, defacing people's sites. (I didn't actually do that, but I did poke around in some places I probably shouldn't have) You'd be shocked at how many sites are still vulnerable to that big IIS bug that was announced recently... I can imagine in the eyes of a 16-year old pimply faced kid, defacing sites would be a pretty exciting pastime.

By: darukaru

darukaru — Wed, 06 Jun 2001 07:17:00 -0800

up ur connection, foo, cause they will just keep comin at you

By: skallas

skallas — Wed, 06 Jun 2001 07:21:13 -0800

Storefronts like MetaFilter don't need ultratight security. I hope you're not a system admin.

By: fleener

fleener — Wed, 06 Jun 2001 07:30:40 -0800

Skallas, nope. I just draw a distinction between critical and non-critical web sites. OK, yes, tight security is needed everywhere in the sense that a low-priority site is likely hosted on a server along with high-priority sites, so the server needs tight security. I guess I'm asking, what purpose is served in disturbing MeFi when there are bigger sites that we will *really* care to know have lax security. When MeFi is hacked, people think "Oh, that's an inconvenience, boy I wish those hackers would stop annoying us." If Amazon gets hacked, we think "Oh shit, and they have my credit card number!" One has impact, the other is just annoying, in the eyes of average people.

By: lotsofno

lotsofno — Wed, 06 Jun 2001 07:39:06 -0800

damn, everyone took the good allusions to the grc column...

By: jpoulos

jpoulos — Wed, 06 Jun 2001 07:49:25 -0800

I should have added a :-) to my hysterical warning about the term SCRIPT KIDDIES. Wicked hates that, and I bet SonicX does too. :-) For some reason, when I hear that term, I think of the paperboys in Better Off Dead. "We want our two dollars......" "We want our m4d 5k1llz...."

By: fooljay

fooljay — Wed, 06 Jun 2001 08:10:33 -0800

Actually Skallas, everyone needs tight security, even if there's nothing but the operating system on the server. Why? Because, if for no other reason, it provides a base of operations for unaccountable distributed denial of service attacks. For those who don't know what that means (or have never been on the receiving end of one, as I have), what usually happens is this: Someone breaks into a bunch of unsecured (and hopefully underused) servers. They plant a client on the machine, replace a few binaries with Trojans to give them easy access back in, and cover their tracks on their way out. Once they have enough dummy servers around the internet, they can remotely launch a Denial of Service attack (usually in the form of massive repeated pinging) from so many different points that the administrators of the attacked site can't possibly shut out all of them at the router. Successful attacks will take out nearly any site. By the way, Matt, I would be very very careful about continuing on without a full security survey. Something about the message makes me think he's trying to lull you to sleep. Are you sure that they didn't leave any back doors or trojans? (One can't ever really be sure of this sort of thing, unless you're running something like Tripwire (on Unix) and running it correctly)

By: fleener

fleener — Wed, 06 Jun 2001 08:16:21 -0800

fooljay, are the people hacking web sites the same people doing Denial of Service attacks? If yes, isn't that a vicious cycle? e.g., I deface your site to encourage you to get better security against hackers, while at the same time launching Denial of Service attacks against other people. Am I warning you about myself? Or is it being said that site taggers are the "good guys" and that they don't do denial of service attacks?

By: dhartung

dhartung — Wed, 06 Jun 2001 10:25:28 -0800

I don't generally believe that DDoSers are going to be the same range of personalities for the defacers. Defacers want credit, and are usually sort of hit-and-run. DDoSers have to keep their conquests secret, install backdoors, et cetera, and when they launch their attack it's usually somebody they have some kind of grudge against.

By: sugarfish

sugarfish — Wed, 06 Jun 2001 10:53:05 -0800

is there a mirror of this anywhere? it sucks ass that it happened, but i wanna see!

By: bradlands

bradlands — Wed, 06 Jun 2001 11:16:17 -0800

Screenshot here.

By: barbelith

barbelith — Wed, 06 Jun 2001 11:40:58 -0800

I'd be really interested in getting Matt's opinion on this...

By: SpecialK

SpecialK — Wed, 06 Jun 2001 11:47:17 -0800

Sugar, the link in the first comment is a mirror.

By: mathowie

mathowie — Wed, 06 Jun 2001 12:02:51 -0800

there's a mirror in the first comment, and I saved the page here. I was shocked and pissed at first, and did the immediate "oh god, when was the last time I backed up the files and database?" thought. Jason called me at about 12:30AM last night (I was in bed, reading Fast Food Nation) and we ended up researching it and IMing back and forth for a few hours. I actually emailed the kid and he emailed back almost immediately. We found in the logs what went on, and I remembered why this was possible in the first place. So here's a breakdown: On May 14th, MS released a patch for a particularly nasty IIS bug. You could, using only a URL and port 80, run command line arguments on any IIS site. I tried to install the patch the day it was released, but it wouldn't install. A few days later, I installed Service Pack 2, and figured I was ok. It turns out service pack two included earlier IIS hotfixes, but not this May 14th one. I got an email yesterday from an admin in the UK saying that I was open to this sort of hacking and I should patch it up quick. So I tried to install it again, and again, got the error. This is precisely what the error was. So I still couldn't figure it out, and was going to contact Jason and ask his opinion of it eventually, but the hack happened last night, so we had to do it asap. Jason figured out that the error occurred because I disabled WebDAV support. The person in the linked usenet post emailed me back, saying he got the error because he installed Microsoft's suggested access control list on the file. The WebDAV disabling was also in an earlier Microsoft IIS security bulletin, so I'm a bit pissed at Microsoft for not doing the necessary quality control to spit out a better error than "can't find the file httpext.dll" (when the file exists exactly where the installer was looking for it). It would have been a lot nicer if the error was "You need to enable WebDAV before installing" or "You need to update your ACLs on the file httpext.dll before installing." So, the hacker/cracker/defacer seems to originate from a proxy server in Spain, cloaking their true location somewhat, and has visited MetaFilter a couple times. Last night the person used the exploit to transfer a single file to the server, called upload.asp. Though I don't use any ASP on MetaFilter.com, I left the parsing on for this site, so the uploaded file worked for them. They then used it to upload their new index file, and renamed the old one, then they removed the upload.asp and left. The Hushmail TOS seems to outlaw use of its system for communicating with hacked site owners, so at worst I could probably get that email account cancelled, at best I could probably get the IP used to connect to Hushmail. Maybe the Spanish proxy server is a compromised box as well, who knows. I don't know if pursuing any of these avenues would help more than hurt me in the long run though. So, after losing a few hours of sleep and finally getting the hotfixes installed, my opinion of Microsoft's QA department isn't very high.

By: CrayDrygu

CrayDrygu — Wed, 06 Jun 2001 12:48:45 -0800

"Though I don't use any ASP on MetaFilter.com" Which reminds me, I've always wondered what Mefi was written in. I don't recognize the .cfm extention, and web searches on it (which I'm usually good with) aren't turning up anything useful. "my opinion of Microsoft's QA department isn't very high" Took you this long? ;)

By: igloo

igloo — Wed, 06 Jun 2001 12:56:56 -0800

.cfm is Cold Fusion

By: jpoulos

jpoulos — Wed, 06 Jun 2001 13:29:47 -0800

. I don't know if pursuing any of these avenues would help more than hurt me in the long run though.? Matt, bro, you've got the MeFi Mob™ on your side. :-)

By: benbrown

benbrown — Wed, 06 Jun 2001 14:55:37 -0800

Matt, you should contact the admin of the proxy server in Spain to warn him that his box may be compromised. You should also contact Hushmail if only to tell them that someone may be using their service for illegal purposes. If your machine was in Virginia, you could have the dude arrested.

By: kindall

kindall — Wed, 06 Jun 2001 15:38:13 -0800

.cfm is Cold Fusion Which has always bugged me to no end, because I couldn't figure out what the hell the "m" stood for. And also because CFM is the Code Fragment Manager on the Mac.

By: rodii

rodii — Wed, 06 Jun 2001 15:40:28 -0800

It was originally called Cold Fusiom.

By: bradlands

bradlands — Wed, 06 Jun 2001 16:30:28 -0800

If your machine was in Virginia, you could have the dude arrested. Jason! Time to call FedEx again!

By: tomorama

tomorama — Wed, 06 Jun 2001 16:46:54 -0800

Which has always bugged me to no end, because I couldn't figure out what the hell the "m" stood for I've always assumed Cold Fusion Markup

By: Awol

Awol — Wed, 06 Jun 2001 16:51:25 -0800

I always assumed the "m" stood for mark-up.

By: jpoulos

jpoulos — Wed, 06 Jun 2001 17:21:04 -0800

I always assumed the "m" stood for mark-up. Right. Techincally, it's known as Cold Fusion Markup Language, CFML (vs. HTML). You'll note that web pages can have the extension .htm

By: jpoulos

jpoulos — Wed, 06 Jun 2001 17:22:06 -0800

You should also contact Hushmail if only to tell them that someone may be using their service for illegal purposes. I'm sure they'd be shocked to hear that.

By: mathowie

mathowie — Wed, 06 Jun 2001 17:33:08 -0800

I did contact hushmail and this is what they had to say (they don't keep track of IP access? yeah right):

From: postmaster@hushmail.com Date: Wed, 6 Jun 2001 16:11:03 -0800 (PDT) To: matt@haughey.com Subject: Re: HushMail.com Contact Form Submittal Hello, Unfortunately we don't log IP addresses against account activity, so we don't have any way of providing this information. If you would like to get what info we do have, then please contact you local police department, as we require a hard-copy court issued subpeona. You might try checking with your upstream provider and seeing if they have any IP logs that might be of help. We will disable this account if you send us a copy of the e-mail with the headers. All the best, TeamHush.

By: fooljay

fooljay — Wed, 06 Jun 2001 19:41:02 -0800

fooljay, are the people hacking web sites the same people doing Denial of Service attacks? I think in most cases, no. However, I happen to have run across one individual in the past who was a serious (dark-)grey-hat hacker. He would break into sites through various exploits, then plant his trojans. Apparently he was very very good at covering his tracks to avoid detection by detection systems (usually because they were poorly configured). To dissuade the sysadmins from doubting their IDSs, he would create new tracks mimicking a scr*pt k*ddie and deface the page giving a "shout out to his peeps", who were invaribly imaginary. While it seems like a lot of work, apparently the thrill of breaking into other systems wasn't enough for him, so his new game became nothing more than how long he could have access to the compromised systems. Or is it being said that site taggers are the "good guys" and that they don't do denial of service attacks? I don't believe that there's a clear line or overlap, but either way, a true white-hat does not deface. He informs the sysadmin of the vulnerable site. At most, he gains access to the system, reads a file from the filesystem (for proof of intrusion) and then logs the hell out. I am not a hacker. Just a hack...

By: lagado

lagado — Wed, 06 Jun 2001 20:43:00 -0800

I would be very wary of the system now. Just because the hack appeared harmless doesn't mean it actually was. As fooljay implied it's hard to know what you're up against here. This airchair personality profiling going on about black hats and white hats is not really helping. This exploit is the same one used by the PoisonBox worm (mentioned here a few weeks back) and it's big enough to drive a truck through. It allows any one to execute any code on the Windows command line. The biggest security hole of all however is the Windows NT operating system itself. It's just too big and complex to ever really be secure. I love the way Microsoft requires you to have WebDAV enabled in order to install the security patch. WebDAV is potentially another security hole and probably should be off. Trust Microsoft, I mean don't!

By: fooljay

fooljay — Wed, 06 Jun 2001 21:04:33 -0800

big and complex You misspelled "closed source"... ;)

By: mathowie

mathowie — Wed, 06 Jun 2001 21:50:07 -0800

I've done a full security check through the OS, looked for trojans listening on different ports, sniffed for backdoor programs, ran Steve Gibson's little security checker and everything seems clean. WebDAV is back off, and all the latest patches are on the box.

By: fooljay

fooljay — Thu, 07 Jun 2001 01:42:51 -0800

Nice job, Matt... Now aren't you glad it happened when you had plenty of time on your hands?

By: kindall

kindall — Thu, 07 Jun 2001 08:05:50 -0800

I always assumed the "m" stood for mark-up. ... You'll note that web pages can have the extension .htm Naming your HTML files "*.htm" is like asking yourself, "What would Jesus?"

By: Dn

Dn — Thu, 07 Jun 2001 08:27:39 -0800

well, not really.. it's actually allowing dos based browsers that can only handle a three-letter ext on files to still browse!!..hehe..

By: CrayDrygu

CrayDrygu — Thu, 07 Jun 2001 13:02:13 -0800

"it's actually allowing dos based browsers..." No it's not. The URL is completely independant of that. Anyone who's used Windows 3.1 for web surfing (as I have) should know that, since .html and other assorted 4-letter extentions work just fine. In fact, your browser doesn't care one bit what the file extention on the other end is, since the way your browser determines what kind of data to expect is sent in the MIME type. I could configure my server to return "text/plain" for all ".mov" files, and name my text files *.mov, and only broken browsers would try to show them in QuickTime. The main reason for allowing .htm is because, Back in The Day, people would write websites using OSes that only supported three-letter extentions. It's kinda hard to develop a website where pages end in ".html" when your OS doesn't support it. Sure, you could rename them on the server, but it would break all your links.

By: wackybrit

wackybrit — Fri, 08 Jun 2001 08:43:05 -0800

Simply e-mailing Matt might not have been an option. I don't know about Matt, but there are many webmasters who are -not interested- in holes in their system. However, when their home page is suddenly changed, they suddenly become very enthusiastic to solve the problem. I know, because it happened to me. I had a well known forum script running on my site and I knew there was a patch I could get to fix a hole in it.. but I didn't bother until a week after someone actually hacked it. Some of us are so busy, that we can't help but be apathetic until something really happens.