I was reading an article about a recent website (astalavista.com) that was hacked.
The perpetrator wrote down how he did it:
What can we learn from this to better secure web servers?
One of the things that puzzled me:
[+] Connecting to astalavista.com:80
[+] Grabbing banner...
LiteSpeed
[+] Injecting shellcode...
[-] Wait for it
[~] We g0tshell
uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
ID: uid=100(apache) gid=500(apache) groups=500(apache)
I tried searching to see if there was any remote injection vulnerability in Litespeed, but I could not find any. Some people claimed that the kernel was susceptible to the vmsplice() exploit, but doesn't this still require arbitrary code execution?
Another thing
mysql> select username,password,email from contrexx_access_users where is_admin = 1;
+------------+----------------------------------+-----------------------------+
| username | password | email |
+------------+----------------------------------+-----------------------------+
| system | 0defe9e458e745625fffbc215d7801c5 | [email protected] |
| prozac | 1f65f06d9758599e9ad27cf9707f92b5 | [email protected] |
| Be1er0ph0r | 78d164dc7f57cc142f07b1b4629b958a | [email protected] |
| schmid | 0defe9e458e745625fffbc215d7801c5 | [email protected] |
+------------+----------------------------------+-----------------------------+
system:f82BN3+_*
Be1er0ph0r:belerophor4astacom
prozac:asta4cms!
commander:mpbdaagf6m
sykadul:ak29eral
How did they get rainbow table coverage up to 18 characters long? How complete are the md5 rainbow tables out there?
First off, a few observations:
-Even though the banner grabbed is for LiteSpeed (a drop-in Apache replacement), the resulting access is through the Apache user
-Since the initial resulting access is through the Apache user, most likely this is an Apache/LiteSpeed level vulnerability, not a kernel vulnerability.
-.bash_history: Another ouch.
Secondly, how to better secure the system:
-Using an Intrusion Dection System like OSSEC, would have alerted the admins as critical files were changed.
-Using a Layer 7 (Application Layer) firewall could have filtered out the bad input that resulted in the initial web user compromise
-Don't store user's / customer's passwords. Always use a salted hash.
-Don't tick off attackers. :)
Finally, resources for md5 rainbow tables:
http://www.freerainbowtables.com/en/tables/md5/
http://project-rainbowcrack.com/table.htm
btw, I agree with Unknown, which is why I posted these links as evidence.
Anapologetos
The md5 rainbow tables are very complete. Especially when your password has your username in it.