June 6, 2001 12:17 AM   Subscribe

EEEEEEEEEEEEK. Matt, hope you see this soon.
posted by cheaily (49 comments total)
in case you're wondering what i'm on about: mefi was hacked at approximately 12.15am PST
posted by cheaily at 12:21 AM on June 6, 2001

Working on it with qJason for the past couple hours. I know exactly how they did it, what they did, and how they covered their tracks. I also know why it happened, which we're trying to fix now.

The long story short is a stupid microsoft security patch installer is to blame for leaving the vulnerability open.
posted by mathowie at 2:22 AM on June 6, 2001

Figured out the problem with the hotfix installer, and patched the system about 20 minutes ago.

Should be ready to rock; we'll see about that.
posted by delfuego at 3:49 AM on June 6, 2001

Wow, that was like a public service hack.

“If you want more info on whats wrong with ur box Mr. Admin email me ... (yea we can still be friends ;p).”
posted by capt.crackpipe at 4:03 AM on June 6, 2001

A public service hack is like a window salesman smashing your windows to show you the drafts in your house.
posted by internook at 4:25 AM on June 6, 2001

... is like a window salesman smashing your windows....

Until I got to the end of the line, I swore you were talking about Windows - 95, NT, 2k. Funny.
posted by TuxHeDoh at 5:08 AM on June 6, 2001

(yea we can still be friends ;p).

Hmm... With friends like these, who needs...

Never mind.
posted by m.polo at 5:17 AM on June 6, 2001

The self-righteousness of the cracker is reallly annoying. And if they're going to break into machines, why not put up something funny or interesting? geesh.
posted by mecran01 at 5:30 AM on June 6, 2001

In light of the link that was posted earlier this week about the GNC DDOS attacks, this is in fact a pretty mild attack.

On my own site, I would certainly prefer this kind of annoyance to some of the others that I have seen in the past.
posted by Irontom at 5:37 AM on June 6, 2001

I think that psychologically the cracker is riding the fence. They want the recognition of being Mr. Big-Time Cracker Guy, but they don't want to feel like a bad person and cry themselves to sleep at night, so instead of sending a nice email to Matt saying "Hey, here is this huge hole" or instead of trashing everything on the site, they go right down the middle and deface the site without really messing anything up. That is probably how I would do it too, I guess.
posted by donkeymon at 5:50 AM on June 6, 2001

This hacker sounds more like a punk script kiddie, try to get cred, than anything else.

He wasn't really being altruistic, because he could have simply emailed Matt about the problem.
posted by ktheory at 6:30 AM on June 6, 2001

Umm, I agree will skallas.
posted by ktheory at 6:31 AM on June 6, 2001

Seems like a graffiti tagger putting his name on buildings instead of burning them down so as to inform us the building security sucks. OK, but, uhhh, we pretty much already know that.

We operate everyday on an assumption that people will act in a civil manner. Storefronts like MetaFilter don't need ultratight security. They shouldn't need to hire a security guard to patrol their sidewalk to keep even taggers away. It's the banks and government offices that control sensitive information that we want being totally secure. MeFi doesn't even have credit card numbers on record, so what point is made in hacking us?
posted by fleener at 6:40 AM on June 6, 2001

Time to switch to OpenBSD!.

Okay, sorry, I'll go back to Slashdot now.
posted by whuppy at 6:49 AM on June 6, 2001

Seriously, though: What are the issues involved in migrating MeFi to a real operating system? (ouch! okay, okay, I'll see you over in MetaTalk . . .)
posted by whuppy at 6:52 AM on June 6, 2001

This hacker sounds more like a punk script kiddie

posted by jpoulos at 6:55 AM on June 6, 2001

What's wrong with "script kiddies"? That's exactly what they are. There's no m4d 5k1llz involved in hacking IIS servers. Just gotta know where to find the pre-written app that'll let you "hack" into the server. Plug in the IP and away you go. It's stupid really. Please give the hackers the respect they deserve and properly term these IIS "hackers" as "script kiddies", ok?
posted by PWA_BadBoy at 7:00 AM on June 6, 2001

In defense of the script kiddies -- I recently got my hands on a really nice "vulnerability testing script" and I've gotta say, it was almost impossible to keep myself from wandering around, defacing people's sites. (I didn't actually do that, but I did poke around in some places I probably shouldn't have)

You'd be shocked at how many sites are still vulnerable to that big IIS bug that was announced recently...

I can imagine in the eyes of a 16-year old pimply faced kid, defacing sites would be a pretty exciting pastime.
posted by ph00dz at 7:16 AM on June 6, 2001

up ur connection, foo, cause they will just keep comin at you
posted by darukaru at 7:17 AM on June 6, 2001

Skallas, nope. I just draw a distinction between critical and non-critical web sites. OK, yes, tight security is needed everywhere in the sense that a low-priority site is likely hosted on a server along with high-priority sites, so the server needs tight security. I guess I'm asking, what purpose is served in disturbing MeFi when there are bigger sites that we will *really* care to know have lax security. When MeFi is hacked, people think "Oh, that's an inconvenience, boy I wish those hackers would stop annoying us." If Amazon gets hacked, we think "Oh shit, and they have my credit card number!" One has impact, the other is just annoying, in the eyes of average people.
posted by fleener at 7:30 AM on June 6, 2001

damn, everyone took the good allusions to the grc column...
posted by lotsofno at 7:39 AM on June 6, 2001

I should have added a :-) to my hysterical warning about the term SCRIPT KIDDIES. Wicked hates that, and I bet SonicX does too. :-)

For some reason, when I hear that term, I think of the paperboys in Better Off Dead.

"We want our two dollars......"

"We want our m4d 5k1llz...."
posted by jpoulos at 7:49 AM on June 6, 2001

Actually Skallas, everyone needs tight security, even if there's nothing but the operating system on the server. Why? Because, if for no other reason, it provides a base of operations for unaccountable distributed denial of service attacks.

For those who don't know what that means (or have never been on the receiving end of one, as I have), what usually happens is this: Someone breaks into a bunch of unsecured (and hopefully underused) servers. They plant a client on the machine, replace a few binaries with Trojans to give them easy access back in, and cover their tracks on their way out.

Once they have enough dummy servers around the internet, they can remotely launch a Denial of Service attack (usually in the form of massive repeated pinging) from so many different points that the administrators of the attacked site can't possibly shut out all of them at the router.

Successful attacks will take out nearly any site.

By the way, Matt, I would be very very careful about continuing on without a full security survey. Something about the message makes me think he's trying to lull you to sleep. Are you sure that they didn't leave any back doors or trojans? (One can't ever really be sure of this sort of thing, unless you're running something like Tripwire (on Unix) and running it correctly)
posted by fooljay at 8:10 AM on June 6, 2001

fooljay, are the people hacking web sites the same people doing Denial of Service attacks? If yes, isn't that a vicious cycle? e.g., I deface your site to encourage you to get better security against hackers, while at the same time launching Denial of Service attacks against other people. Am I warning you about myself? Or is it being said that site taggers are the "good guys" and that they don't do denial of service attacks?
posted by fleener at 8:16 AM on June 6, 2001

I don't generally believe that DDoSers are going to be the same range of personalities for the defacers. Defacers want credit, and are usually sort of hit-and-run. DDoSers have to keep their conquests secret, install backdoors, et cetera, and when they launch their attack it's usually somebody they have some kind of grudge against.
posted by dhartung at 10:25 AM on June 6, 2001

is there a mirror of this anywhere? it sucks ass that it happened, but i wanna see!
posted by sugarfish at 10:53 AM on June 6, 2001

Screenshot here.
posted by bradlands at 11:16 AM on June 6, 2001

I'd be really interested in getting Matt's opinion on this...
posted by barbelith at 11:40 AM on June 6, 2001

Sugar, the link in the first comment is a mirror.
posted by SpecialK at 11:47 AM on June 6, 2001

there's a mirror in the first comment, and I saved the page here.

I was shocked and pissed at first, and did the immediate "oh god, when was the last time I backed up the files and database?" thought. Jason called me at about 12:30AM last night (I was in bed, reading Fast Food Nation) and we ended up researching it and IMing back and forth for a few hours. I actually emailed the kid and he emailed back almost immediately. We found in the logs what went on, and I remembered why this was possible in the first place.

So here's a breakdown:
On May 14th, MS released a patch for a particularly nasty IIS bug. You could, using only a URL and port 80, run command line arguments on any IIS site. I tried to install the patch the day it was released, but it wouldn't install. A few days later, I installed Service Pack 2, and figured I was ok.

It turns out service pack two included earlier IIS hotfixes, but not this May 14th one. I got an email yesterday from an admin in the UK saying that I was open to this sort of hacking and I should patch it up quick. So I tried to install it again, and again, got the error. This is precisely what the error was.

So I still couldn't figure it out, and was going to contact Jason and ask his opinion of it eventually, but the hack happened last night, so we had to do it asap.

Jason figured out that the error occurred because I disabled WebDAV support. The person in the linked usenet post emailed me back, saying he got the error because he installed Microsoft's suggested access control list on the file. The WebDAV disabling was also in an earlier Microsoft IIS security bulletin, so I'm a bit pissed at Microsoft for not doing the necessary quality control to spit out a better error than "can't find the file httpext.dll" (when the file exists exactly where the installer was looking for it). It would have been a lot nicer if the error was "You need to enable WebDAV before installing" or "You need to update your ACLs on the file httpext.dll before installing."

So, the hacker/cracker/defacer seems to originate from a proxy server in Spain, cloaking their true location somewhat, and has visited MetaFilter a couple times. Last night the person used the exploit to transfer a single file to the server, called upload.asp. Though I don't use any ASP on, I left the parsing on for this site, so the uploaded file worked for them. They then used it to upload their new index file, and renamed the old one, then they removed the upload.asp and left.

The Hushmail TOS seems to outlaw use of its system for communicating with hacked site owners, so at worst I could probably get that email account cancelled, at best I could probably get the IP used to connect to Hushmail. Maybe the Spanish proxy server is a compromised box as well, who knows. I don't know if pursuing any of these avenues would help more than hurt me in the long run though.

So, after losing a few hours of sleep and finally getting the hotfixes installed, my opinion of Microsoft's QA department isn't very high.
posted by mathowie at 12:02 PM on June 6, 2001

.cfm is Cold Fusion
posted by igloo at 12:56 PM on June 6, 2001

. I don't know if pursuing any of these avenues would help more than hurt me in the long run though.?

Matt, bro, you've got the MeFi Mob™ on your side. :-)
posted by jpoulos at 1:29 PM on June 6, 2001

Matt, you should contact the admin of the proxy server in Spain to warn him that his box may be compromised. You should also contact Hushmail if only to tell them that someone may be using their service for illegal purposes.

If your machine was in Virginia, you could have the dude arrested.
posted by benbrown at 2:55 PM on June 6, 2001

.cfm is Cold Fusion

Which has always bugged me to no end, because I couldn't figure out what the hell the "m" stood for. And also because CFM is the Code Fragment Manager on the Mac.
posted by kindall at 3:38 PM on June 6, 2001

It was originally called Cold Fusiom.
posted by rodii at 3:40 PM on June 6, 2001

If your machine was in Virginia, you could have the dude arrested.

Jason! Time to call FedEx again!
posted by bradlands at 4:30 PM on June 6, 2001

Which has always bugged me to no end, because I couldn't figure out what the hell the "m" stood for

I've always assumed Cold Fusion Markup
posted by tomorama at 4:46 PM on June 6, 2001

I always assumed the "m" stood for mark-up.
posted by Awol at 4:51 PM on June 6, 2001

I always assumed the "m" stood for mark-up.

Right. Techincally, it's known as Cold Fusion Markup Language, CFML (vs. HTML). You'll note that web pages can have the extension .htm
posted by jpoulos at 5:21 PM on June 6, 2001

You should also contact Hushmail if only to tell them that someone may be using their service for illegal purposes.

I'm sure they'd be shocked to hear that.
posted by jpoulos at 5:22 PM on June 6, 2001

I did contact hushmail and this is what they had to say (they don't keep track of IP access? yeah right):
Date: Wed, 6 Jun 2001 16:11:03 -0800 (PDT)
Subject: Re: Contact Form Submittal


Unfortunately we don't log IP addresses against account activity, so we don't have any way of providing this information. If you would like to get what info we do have, then please contact you local police department, as we require a hard-copy court issued subpeona. You might try checking with your upstream provider and seeing if they have any IP logs that might be of help. We will disable this account if you send us a copy of the e-mail with the headers.

All the best,
posted by mathowie at 5:33 PM on June 6, 2001

fooljay, are the people hacking web sites the same people doing Denial of Service attacks?

I think in most cases, no.

However, I happen to have run across one individual in the past who was a serious (dark-)grey-hat hacker. He would break into sites through various exploits, then plant his trojans. Apparently he was very very good at covering his tracks to avoid detection by detection systems (usually because they were poorly configured). To dissuade the sysadmins from doubting their IDSs, he would create new tracks mimicking a scr*pt k*ddie and deface the page giving a "shout out to his peeps", who were invaribly imaginary.

While it seems like a lot of work, apparently the thrill of breaking into other systems wasn't enough for him, so his new game became nothing more than how long he could have access to the compromised systems.

Or is it being said that site taggers are the "good guys" and that they don't do denial of service attacks?

I don't believe that there's a clear line or overlap, but either way, a true white-hat does not deface. He informs the sysadmin of the vulnerable site. At most, he gains access to the system, reads a file from the filesystem (for proof of intrusion) and then logs the hell out.

I am not a hacker. Just a hack...
posted by fooljay at 7:41 PM on June 6, 2001

I would be very wary of the system now. Just because the hack appeared harmless doesn't mean it actually was. As fooljay implied it's hard to know what you're up against here. This airchair personality profiling going on about black hats and white hats is not really helping.

This exploit is the same one used by the PoisonBox worm (mentioned here a few weeks back) and it's big enough to drive a truck through. It allows any one to execute any code on the Windows command line. The biggest security hole of all however is the Windows NT operating system itself. It's just too big and complex to ever really be secure.

I love the way Microsoft requires you to have WebDAV enabled in order to install the security patch. WebDAV is potentially another security hole and probably should be off.

Trust Microsoft, I mean don't!
posted by lagado at 8:43 PM on June 6, 2001

big and complex

You misspelled "closed source"... ;)
posted by fooljay at 9:04 PM on June 6, 2001

I've done a full security check through the OS, looked for trojans listening on different ports, sniffed for backdoor programs, ran Steve Gibson's little security checker and everything seems clean. WebDAV is back off, and all the latest patches are on the box.
posted by mathowie at 9:50 PM on June 6, 2001

Nice job, Matt... Now aren't you glad it happened when you had plenty of time on your hands?
posted by fooljay at 1:42 AM on June 7, 2001

I always assumed the "m" stood for mark-up. ... You'll note that web pages can have the extension .htm

Naming your HTML files "*.htm" is like asking yourself, "What would Jesus?"
posted by kindall at 8:05 AM on June 7, 2001

well, not really.. it's actually allowing dos based browsers that can only handle a three-letter ext on files to still browse!!..hehe..
posted by Dn at 8:27 AM on June 7, 2001

Simply e-mailing Matt might not have been an option.

I don't know about Matt, but there are many webmasters who are -not interested- in holes in their system. However, when their home page is suddenly changed, they suddenly become very enthusiastic to solve the problem.

I know, because it happened to me. I had a well known forum script running on my site and I knew there was a patch I could get to fix a hole in it.. but I didn't bother until a week after someone actually hacked it.

Some of us are so busy, that we can't help but be apathetic until something really happens.
posted by wackybrit at 8:43 AM on June 8, 2001

« Older launched today,   |   Newer »

This thread has been archived and is closed to new comments