EH-Net

Resources => News from the Outside World => Topic started by: UNIX on April 14, 2010, 05:19:46 AM



Title: apache.org incident report for 04/09/2010
Post by: UNIX on April 14, 2010, 05:19:46 AM
A nice write-up of an incident that happened recently at Apache:

Quote
Apache.org services recently suffered a direct, targeted attack against our infrastructure, specifically the server hosting our issue-tracking software.

Article can be read here (https://blogs.apache.org/infra/entry/apache_org_04_09_2010).


Title: Re: apache.org incident report for 04/09/2010
Post by: Synquell on April 14, 2010, 05:58:45 AM
Very nice article, very informative. Love the step by step description of the attack and an overview of what needs to change in the future.

Well handled Apache!


Title: Re: apache.org incident report for 04/09/2010
Post by: Ketchup on April 14, 2010, 07:11:12 AM
I think it's crazy that they didn't realize that someone was brute-forcing logons to their issue tracking system until several days after the attack started. Also, a URL expansion plug-in would go a long way here.


Title: Re: apache.org incident report for 04/09/2010
Post by: impelse on April 14, 2010, 09:49:41 AM
I like the way they explain the attack. It took some time to detect the attacker, but they did, and they are not trying to hide anything. Good information.


Title: Re: apache.org incident report for 04/09/2010
Post by: ajohnson on April 14, 2010, 05:39:22 PM
Very cool that they detailed the entire attack; interesting stuff.

If you can upload executable content, you can do some nasty things. I was doing a pen test and found some outdated PHP help desk software via DirBuster on one of their web servers. I couldn't believe there was an exploit for it on Milw0rm. You just ran the PHP script from the command line, specified an IP address and the directory where the help desk app was installed, and instant shell.

I found the MySQL credentials in one of the PHP files, and I was able to write a simple PHP file that allowed me to execute arbitrary SQL queries. I got everything from the users table and John cracked a super weak administrator password hash in just a few seconds.

I got that box and another share on the network, but I wanted the domain. I think password expiration/complexity requirements saved them there :(


Title: Re: apache.org incident report for 04/09/2010
Post by: Synquell on April 15, 2010, 02:34:17 AM
I suppose those do go a long way :-)

@ Ketchup: That's true though. If someone is brute-forcing the hell out of your login page, shouldn't some little alarm go off or smth? Can't be that hard to write a script for that :-)
if ( $nrOfFailedLoginAttemptsTheLastHour > 10000 ) { echo "ARGH"; }

... or smth :-p


Title: Re: apache.org incident report for 04/09/2010
Post by: j0rDy on April 15, 2010, 07:58:44 AM
Account lockout procedures (three failed logins means account lockout for half an hour) are not new in the security world. Most organizations have one implemented in a layer somewhere in their architecture.

This is an excellent example of how lacking such (extreme) security measures can mean a huge vulnerability that can be exploited, and will!

I love the full disclosure they did, showing how, what, where and when, so other people can learn from it!
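One way to implement both the "little alarm" from Synquell's post and the three-failures-then-lock-for-half-an-hour rule from j0rDy's post, as an added example that is not code from this thread, from the Apache incident report, or from the Apache infrastructure team. The audit-log format (`timestamp user=... src=... result=OK|FAIL`), the sample lines and the class and function names are all constructed for illustration. It goes one step beyond the two posts: per-account lockout alone misses an attacker who tries one guess against many accounts, so the alarm counts failures per source address over a sliding window as well.

```python
"""Failed-login alarm plus temporary account lockout, replayed over sample log lines.

Added example for this thread; not the Apache infrastructure team's code.
Log format, thresholds, names and sample data are all assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format, not from the real incident):
# - "admin" is brute-forced from 203.0.113.5 and should get locked after 3 failures
# - "alice" mistypes once, then logs in fine
# - 203.0.113.9 sprays one guess each at twelve different accounts (no lockout
#   ever triggers per account, but the per-source alarm should fire)
# - "admin" logs in correctly after the lock has expired
_SPRAY = [f"2010-04-06T10:05:{i:02d} user=user{i:02d} src=203.0.113.9 result=FAIL"
          for i in range(12)]
SAMPLE_LOG = "\n".join([
    "2010-04-06T10:00:01 user=admin src=203.0.113.5 result=FAIL",
    "2010-04-06T10:00:02 user=admin src=203.0.113.5 result=FAIL",
    "2010-04-06T10:00:03 user=admin src=203.0.113.5 result=FAIL",
    "2010-04-06T10:00:04 user=admin src=203.0.113.5 result=FAIL",
    "2010-04-06T10:00:05 user=alice src=198.51.100.7 result=FAIL",
    "2010-04-06T10:00:06 user=alice src=198.51.100.7 result=OK",
    *_SPRAY,
    "2010-04-06T10:40:00 user=admin src=203.0.113.5 result=OK",
]) + "\n"

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(OK|FAIL)$")


def parse_line(line):
    """Return (timestamp, user, src, success) for one log line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, src, result = m.groups()
    return datetime.fromisoformat(ts), user, src, result == "OK"


class LoginMonitor:
    """Per-account lockout (j0rDy's rule) and per-source alarm (Synquell's rule)."""

    def __init__(self, lockout_failures=3, lockout_duration=timedelta(minutes=30),
                 alert_threshold=10, alert_window=timedelta(hours=1)):
        self.lockout_failures = lockout_failures
        self.lockout_duration = lockout_duration
        self.alert_threshold = alert_threshold
        self.alert_window = alert_window
        self.consecutive = defaultdict(int)        # account -> consecutive failures
        self.locked_until = {}                     # account -> datetime lock expires
        self.recent_failures = defaultdict(deque)  # src -> timestamps inside window
        self.events = []                           # ("LOCKOUT"|"DENIED"|"ALERT", ...)

    def _note_source_failure(self, ts, src):
        q = self.recent_failures[src]
        q.append(ts)
        while q and ts - q[0] > self.alert_window:   # slide the window forward
            q.popleft()
        if len(q) == self.alert_threshold:            # fire once, when crossing
            self.events.append(("ALERT", src, ts))

    def handle(self, ts, user, src, success):
        """Process one login attempt; returns "ok", "fail" or "denied"."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            # Locked account: refuse even a correct password until the lock expires,
            # but keep counting the attempt against the source address.
            self._note_source_failure(ts, src)
            self.events.append(("DENIED", user, src, ts))
            return "denied"
        if success:
            self.consecutive[user] = 0
            return "ok"
        self._note_source_failure(ts, src)
        self.consecutive[user] += 1
        if self.consecutive[user] >= self.lockout_failures:
            self.locked_until[user] = ts + self.lockout_duration
            self.consecutive[user] = 0
            self.events.append(("LOCKOUT", user, src, ts))
        return "fail"


def replay(log_text, **kwargs):
    """Feed every well-formed line of log_text through a LoginMonitor."""
    mon = LoginMonitor(**kwargs)
    outcomes = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip malformed lines rather than crash
        outcomes.append(mon.handle(*parsed))
    return mon, outcomes


if __name__ == "__main__":
    monitor, results = replay(SAMPLE_LOG)
    for event in monitor.events:
        print(*event)
```

Run as a script it prints the LOCKOUT for admin, the DENIED attempt against the locked account, and the ALERT for 203.0.113.9; note that the spray never trips the lockout, which is exactly why a per-source counter belongs next to the per-account rule.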


Title: Re: apache.org incident report for 04/09/2010
Post by: former33t on April 15, 2010, 05:57:40 PM
I do like the lessons learned section.  I have been out of the unix world for almost two years now and had never used OPIE.  After reading the writeup, I can see the definite use of something like this.  The next time I have to admin a unix system, I'll definitely be using that to cover my butt.

From a pen-testing perspective, I found it enlightening that the sshd config files were misconfigured, allowing login access from the Internet (although this was specifically not desired).  Have to remember to check your configs with a real world test, don't just trust that everything lines up the way you think it should.