
apache.org incident report for 04/09/2010


UNIX


Hero Member

Posts: 1244

Joined: Mon Apr 28, 2008 9:20 am

Post Wed Apr 14, 2010 5:19 am

apache.org incident report for 04/09/2010

A nice write-up of an incident that happened recently at Apache:

Apache.org services recently suffered a direct, targeted attack against our infrastructure, specifically the server hosting our issue-tracking software.


Article can be read here.

Anquilas


Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Wed Apr 14, 2010 5:58 am

Re: apache.org incident report for 04/09/2010

Very nice article, very informative. Love the step by step description of the attack and an overview of what needs to change in the future.

Well handled Apache!
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.

Ketchup


Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed Apr 14, 2010 7:11 am

Re: apache.org incident report for 04/09/2010

I think it's crazy that they didn't realize that someone was brute-forcing logons to their issue tracking system until several days after the attack started. Also, a URL expansion plug-in would go a long way here.
~~~~~~~~~~~~~~
Ketchup

impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Wed Apr 14, 2010 9:49 am

Re: apache.org incident report for 04/09/2010

I like the way they explain the attack. It took some time to detect the attacker, but they did, and they are not trying to hide anything. Good information.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Apr 14, 2010 5:39 pm

Re: apache.org incident report for 04/09/2010

Very cool that they detailed the entire attack; interesting stuff.

If you can upload executable content, you can do some nasty things. I was doing a pen test and found some outdated PHP help desk software via DirBuster on one of their web servers. I couldn't believe there was an exploit for it on Milw0rm. You just ran the PHP script from the command line, specified an IP address and the directory where the help desk app was installed, and instant shell.

I found the MySQL credentials in one of the PHP files, and I was able to write a simple PHP file that allowed me to execute arbitrary SQL queries. I got everything from the users table and John cracked a super weak administrator password hash in just a few seconds.

I got that box and another share on the network, but I wanted the domain. I think password expiration/complexity requirements saved them there :(
The day you stop learning is the day you start becoming obsolete.

Anquilas


Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Thu Apr 15, 2010 2:34 am

Re: apache.org incident report for 04/09/2010

I suppose those do go a long way :-)

@ Ketchup: That's true though. If someone is brute-forcing the hell out of your login page, shouldn't some little alarm go off or smth? Can't be that hard to write a script for that :-)
if ( $nrOfFailedLoginAttemptsTheLastHour > 10000 ) { echo "ARGH"; }

... or smth :-p
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.

j0rDy


Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Thu Apr 15, 2010 7:58 am

Re: apache.org incident report for 04/09/2010

account lockout procedures (3 failed logins means account lockout for half an hour) are not new in the security world. most organizations have one implemented in a layer somewhere in their architecture.

this is an excellent example of how lacking such (extreme) security measures can mean a huge vulnerability that can be exploited, and will!

i love the full disclosure they did to show how, what, where and when so other people can learn from it!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
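One way to implement the alarm Anquilas sketches and the lockout policy j0rDy describes, as an added Python example (not code from this thread or from the Apache report): it counts failed logins per account in a sliding window, locks the account for 30 minutes after 3 failures, and tallies failures per source address so a single-source brute force stands out. The log line format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the Apache report); the format is assumed.
SAMPLE_LOG = """\
2010-04-06 10:00:01 LOGIN_FAILED user=alice src=203.0.113.5
2010-04-06 10:00:03 LOGIN_FAILED user=alice src=203.0.113.5
2010-04-06 10:00:04 LOGIN_FAILED user=alice src=203.0.113.5
2010-04-06 10:00:09 LOGIN_FAILED user=alice src=203.0.113.5
2010-04-06 10:05:00 LOGIN_OK user=bob src=198.51.100.7
2010-04-06 10:40:00 LOGIN_FAILED user=alice src=203.0.113.5
"""

LINE_RE = re.compile(r"^(\S+ \S+) (LOGIN_FAILED|LOGIN_OK) user=(\S+) src=(\S+)$")

def parse(line):
    """Return (timestamp, event, user, src) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def analyse(log, threshold=3, window=timedelta(minutes=30)):
    """Sliding-window lockout: `threshold` failures within `window` locks the
    account until ts + window. Returns (alerts, locked_until, failures_per_src)."""
    recent = defaultdict(deque)   # account -> timestamps of failures inside the window
    locked_until = {}             # account -> time the lockout expires
    per_src = defaultdict(int)    # source address -> total failed attempts
    alerts = []
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or rec[1] != "LOGIN_FAILED":
            continue
        ts, _, user, src = rec
        per_src[src] += 1
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        # alert once per lockout: skip if the account is already locked at this time
        if len(q) >= threshold and locked_until.get(user, ts) <= ts:
            locked_until[user] = ts + window
            alerts.append(f"{ts} lock {user}: {len(q)} failures from {src} within {window}")
    return alerts, locked_until, dict(per_src)
```

Running `analyse(SAMPLE_LOG)` on the sample produces one alert for alice at the third failure and a lockout that expires at 10:30:04; the later failure at 10:40 falls outside the window and does not re-trigger.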

former33t

Full Member

Posts: 226

Joined: Sat Feb 14, 2009 12:33 am

Post Thu Apr 15, 2010 5:57 pm

Re: apache.org incident report for 04/09/2010

I do like the lessons learned section.  I have been out of the unix world for almost two years now and had never used OPIE.  After reading the writeup, I can see the definite use of something like this.  The next time I have to admin a unix system, I'll definitely be using that to cover my butt.

From a pen-testing perspective, I found it enlightening that the sshd config files were misconfigured, allowing login access from the Internet (although this was specifically not desired).  Have to remember to check your configs with a real world test, don't just trust that everything lines up the way you think it should.
Certifications: CREA, MCSE: Security, CCNA, Security+, other junk
