Join 3,433 readers in helping fund MetaFilter (Hide)


At these prices you'd be crazy not to buy one
January 21, 2011 7:17 PM   Subscribe

A blogger for information security firm Imperva reports the discovery of a hacker site offering root access on US & foreign government, military & educational sites for sale for prices ranging from $55 to $499, or just database records for the reasonable price of $20/1000. Besides US sites the hacker(s) also offer government servers in India, Taiwan & Italy. The hacker(s) also provide what they claim is proof of their access for the skeptical or cautious buyer. No credit card offers, please - the only currency they accept is Liberty Reserve.
posted by scalefree (29 comments total) 3 users marked this as a favorite

 
LOOKS LEGIT TO ME
posted by Sticherbeast at 7:22 PM on January 21, 2011


How much for metafilter.com?
posted by doublesix at 7:23 PM on January 21, 2011


They've just added sites in Uruguay & Albania. Maybe it's time to activate Old Shoe?
posted by scalefree at 7:27 PM on January 21, 2011 [2 favorites]


Let's ask him to hack into Russia's Dead Hand nuclear war system.
posted by thermonuclear.jive.turkey at 7:29 PM on January 21, 2011


Automated scanning for the sorts of SQL injection vulnerabilities that allow sites like these to be compromised is very easy to do using tools like SQLMap. No technical acumen beyond script kiddie level required.
posted by killdevil at 7:42 PM on January 21, 2011


As a consultant (but not a security consultant), I've encountered US government, military and educational sites where I could get root access from public interfaces. The amount of stank code out there is mind-boggling.
posted by me & my monkey at 7:46 PM on January 21, 2011 [1 favorite]


Waitaminute, Liberty Reserve claims their private money-moving services are "hacker-proof"?

IRONY ALERT! IRONY ALERT!
posted by oneswellfoop at 7:47 PM on January 21, 2011 [2 favorites]


Each and every Web form field is a fresh opportunity to build your own arbitrary SQL statements! It's amazing how often developers decide to pass GET parameters directly into SQL queries without any scrubbing.
posted by killdevil at 7:50 PM on January 21, 2011


So, does this mean we can start up a fledgling business demanding some Liberty Reserve for not tipping off the compromised website?
posted by crapmatic at 8:22 PM on January 21, 2011


How would you possibly determine whether this was legit or a honey pot?
posted by maxwelton at 8:40 PM on January 21, 2011 [1 favorite]


As he's asking for donations (at the bottom here) I'm assuming for-profit hacking isn't as lucrative and exotic as he'd hoped for.
posted by ymgve at 8:41 PM on January 21, 2011


Each and every Web form field is a fresh opportunity to build your own arbitrary SQL statements! It's amazing how often developers decide to pass GET parameters directly into SQL queries without any scrubbing.

This
posted by Flashman at 9:33 PM on January 21, 2011


Doesn't PHP have built-in functions to scrub data? I recall years ago when I was dabbling with PHP, a book that went into this pretty much had the user building their own functions to scrub data, and that looked like a recipe for trouble.
posted by crapmatic at 9:37 PM on January 21, 2011


maxwelton: You could hire them to hack your own website.
posted by cthuljew at 10:48 PM on January 21, 2011


This type of thing is partially why pci-dss was modified to require application firewalls.
posted by iamabot at 11:13 PM on January 21, 2011


How much for root at the Federal Reserve? Wait a second, if they could do that they wouldn't bother with this, would they?
posted by Tashtego at 11:35 PM on January 21, 2011


crapmatic: mysql_real_escape_string, in fact.
posted by disillusioned at 3:07 AM on January 22, 2011


So, who tried the free logins?
posted by Obscure Reference at 3:28 AM on January 22, 2011


The Runescape passwords are funny. I especially liked omfgIgothacked.
posted by PeterMcDermott at 5:14 AM on January 22, 2011


An initial glance at the list of runescape passwords shows multiple instances of same account name/password combinations, and attempting to look up a few of them finds one paid account, one free account, and a whole bunch of 'this account either does not exist or has never logged in'. So that at least is mostly bullshit.
posted by Lebannen at 7:15 AM on January 22, 2011


I'm curious about the text 'c100 v. Undetectable #18a' in one of the screenshots. Searching that text on Google brings a bunch of responses.
posted by midnightscout at 7:31 AM on January 22, 2011


crapmatic: mysql_real_escape_string, in fact.

And what do you use when you're using Postgres? Or MSSQL?
posted by Civil_Disobedient at 8:06 AM on January 22, 2011


c100 and Undetectable #18a are "shellers", PHP programs that give you shell access through a web interface. Apparently c100 is a "new version" of c99 which is a pretty well-known (= easily detected) one.
posted by mendel at 8:38 AM on January 22, 2011 [1 favorite]


PHP has a series of somewhat lame ways to prevent SQL/similar injection, even if you're using PostgreSQL. But like all PHP things, it's easy to do a bad job on this and very hard to do a good one.

PHP is a language that should be avoided if possible, for this and a host of other reasons. (It's perfectly good for small projects that aren't expected to grow, but increasingly horrible as your program moves from "small" to "medium" and beyond.

Other languages do better. Perl, for example, can (and should) be run in "taint" mode - where you literally aren't ALLOWED to use any variable from the command line unless you have extracted fields from it with a regex or similar.

See also "Little Bobby Tables".
posted by lupus_yonderboy at 8:47 AM on January 22, 2011 [3 favorites]


And what do you use when you're using Postgres?

pg_escape_string()

Or MSSQL?

be serious.
posted by quonsar II: smock fishpants and the temple of foon at 9:35 AM on January 22, 2011 [1 favorite]


Wow, my mind is boggled by the amount of sensitive information that you can extract from the official websites of real italian government high schools.

Also, albanian army single box root access? This is a clear threat to peaceful living, and we must appoint a mixed private sector/government commitee to study appropriate cpuntermeasures.
posted by 3mendo at 11:04 AM on January 22, 2011


You should not escape strings. Instead, you should use stuff like prepared statements, or, even better, a proper database library.
posted by ymgve at 12:07 PM on January 22, 2011 [3 favorites]


If we're talking about solutions, I'll have to sub for Dan Kaminsky since he's off grid at the moment & point to his anti-injection tool interpolique, which solves the problem by base64 encoding your input & letting MySQL decode it; since there's no (known) way to escape base64 encoding, as long as you use his new function calls you're safe. Simple but effective.
posted by scalefree at 1:10 PM on January 22, 2011


The story is also carried on Packetstorm.
posted by midnightscout at 11:25 PM on January 22, 2011


« Older 2K Games and Gearbox Software have announced that...  |  Steampunk Palin.... Newer »


This thread has been archived and is closed to new comments