A nice write-up from an incident happened recently at Apache:


Article can be read here.

I think it's crazy that they didn't realize the someone was brute-forcing logons to their issue tracking system until several days after the attack started.   Also, a URL expansion plug-in would go a long way here.

Very cool that they detailed the entire attack; interesting stuff.

If you can upload executable content, you can do some nasty things. I was doing a pen test and found some outdated PHP help desk software via DirBuster on one of their web servers. I couldn't believe there was a exploit for it on Milw0rm. You just ran the PHP script from the command-line, specified an IP address and directory where the help desk app was installed, and instant shell.

I found the MySQL credentials in one of the PHP files, and I was able to write a simple PHP file that allowed me to execute arbitrary SQL queries. I got everything from the users table and John cracked a super weak administrator password hash in just a few seconds.

I got that box and another share on the network, but I wanted the domain. I think password expiration/complexity requirements saved them there

account lockout procedures (3 times login fail means account lockout for half an hour) are not new in the security world. most organizations have one implemented in a layer somewhere in there architecture.

this is an excelent example of how lacking such (extreme) security measures can mean a huge vulnerability that can be exploited, and will!

i love the full disclosure they did to show how, what, where and when so other people can learn from it!