Posts Tagged ‘Security’

Wherein Crackers Strike

Monday, October 12th, 2009

Sometimes, even the best of us can get a good lesson in security.

Last week, I found out that my website was attacked by crackers. Notice I use the word ‘crackers,’ not ‘hackers’, because hackers are not crackers, and it’s important to maintain the distinction. From what they left I can tell that they clearly fall in the black-hat camp. If I’d gotten a warning e-mail or a message on my site to tighten my security, I would take it as a reminder to batten down the hatches. But since they just left a juicy payload, I can assume that they’re up to no good.

From looking at the files they left, I can tell they wanted continuing access to the shell account on my web host, and they wanted to do so in secret. Since I work in web programming, I’ve seen my share of more-conspicuous payloads. These are usually surreptitious JavaScript files, plopped at the end of legit PHP scripts to do nasty things. Most of what I’ve seen have been little snippets of code that act as drive-by downloaders, trying to pull malicious executables onto hapless users’ computers. The only thing that my attacker’s payload did was grant PHP execution and shell access. Not damaging to anyone who happens across a compromised site, but potentially damaging to me — it essentially gave them free rein of my SSH account.

I could speculate about what they wanted to do. There are a lot of ways to do nasty things on the web. PHP is web-aware enough to allow them to do as they please and (assuming they’ve covered their tracks properly) not get caught, either. But I doubt they were able to get much nastiness accomplished, because they executed their attack sloppily: they dropped their payload in the wrong directory. They put their files one level above my web root, meaning that the scripts were inaccessible over the web. At first I thought they may have found an exploit in my framework to allow access to anything on the filesystem, but after reviewing their code, I can see that this is not the case. I guess they wanted to get in, drop off the files, and get out. They may have even made a second attempt after determining that the first one didn’t work; I found two files with exactly the same code.

How did they do it? I’m not certain, but I have an idea. The only web app I use is WordPress, and I’m updated to the current version, so this is an unlikely point-of-entry. They would have to know about an exploit that’s not been reported yet, which is possible, but doubtful.

Much more likely is that they managed to guess or sniff my password. I’m the guilty one here, as I was using a simple password that I’ve been using for years, which had little variation, was dictionary-based, and was much too short. In addition to that, I’ve got a webcam at home that posts images fairly frequently (at regular intervals), and it used the same account as my main FTP/Shell account. As you may know, FTP passwords are sent in cleartext, so this was definitely a potential point of entry. Assuming that the password was the point of failure, I’m lucky that they didn’t do more damage, as I used the same password for shell access, MySQL, and even my web control panel, so they theoretically could have locked me out of everything. I’m hypothesizing here, but I’d guess such an attack would be counterproductive; I think they just wanted another remote-control node on the web to carry out any dirty business they happened to think up.

Of course, I took steps to ensure that things are more locked down, starting with changing every password associated with this site. I did this as soon as I found out, and before anything else, to sever any venues they might have had to retaliate against me. Then I checked WordPress for updates, just in case there might have been an exploit I missed. Next, I updated how my webcam saves the periodic images and created a new account specifically for it. Finally, I did a quick review of my code base, making sure they hadn’t left another way to regain access. Basically, I pulled down my whole site and did a global search for any of the crackers’ friend functions: eval(), the base64 functions, system() and friends, and file-related functions. I’ve still got to re-upload all the code to feel 100% safe again, but I’m pretty certain that nothing slipped by.
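As an added example (not code from the post), here is a small shell script of the kind a defender could use for the global search described above: it walks a PHP tree and reports every line that calls one of the function families the post lists (eval, the base64 functions, system and friends, and file-writing functions), run here over a constructed sample tree with one clean script and one that has the eval/base64 shape of a dropped loader. The function names, the pattern list and the sample files are my own assumptions. A hit is a line to go and read, not proof of compromise; plenty of legitimate code calls fopen or base64_encode.

```shell
#!/bin/sh
# Added example, not from the post: audit a PHP tree for the functions a
# dropped shell typically leans on. Assumes POSIX sh plus find and grep -E.

# Code evaluation, base64 (de)obfuscation, command execution, file writes.
# The leading group keeps us from matching e.g. "my_eval(" or "mysystem(".
SUSPECT_RE='(^|[^A-Za-z0-9_])(eval|assert|base64_(en|de)code|system|exec|shell_exec|passthru|popen|proc_open|file_put_contents|fwrite|fopen|unlink|move_uploaded_file)[[:space:]]*\('

# Print every suspect line as path:lineno:text for all *.php under $1.
# grep exits 1 when a file has no match, so we swallow that status.
scan_php_tree() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$SUSPECT_RE" {} + 2>/dev/null || true
}

# Number of suspect lines under $1 (0 for a clean tree).
count_hits() {
    scan_php_tree "$1" | wc -l | tr -d ' '
}

# Build a constructed sample tree (hypothetical, for the demo): a clean
# page under public/ and a loader-shaped file under private/.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public" "$dir/private"
    cat > "$dir/public/index.php" <<'EOF'
<?php
// constructed sample: ordinary page, nothing to flag
$title = str_replace('_', ' ', 'security_notes');
echo '<h1>' . htmlspecialchars($title) . '</h1>';
EOF
    cat > "$dir/private/x.php" <<'EOF'
<?php
// constructed sample: obfuscated loader plus a command runner
eval(base64_decode($blob));
system($cmd);
EOF
    printf '%s\n' "$dir"
}

# Demo when run directly: build samples, scan, report, clean up.
demo_dir=$(make_samples)
echo "scanning $demo_dir"
scan_php_tree "$demo_dir"
echo "suspect lines: $(count_hits "$demo_dir")"
rm -rf "$demo_dir"
```

To use it on a real site, replace the demo lines at the bottom with `scan_php_tree /path/to/site` and read each reported line in context; the pattern list is a starting point and is meant to be extended as you learn what your own code base legitimately calls.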

Stay tuned, because after I’ve further reviewed what they left and when I’ve done a bit more research, I’ll post an analysis of the code itself.

Democrats grow temporary spine…

Saturday, March 15th, 2008

Kudos to the House for blocking retroactive immunity to the telecoms for being complicit in the wiretapping of Americans. I considered this issue important enough to write Denny Rehberg about, and I got a response — straight along party lines. I don’t have the original letter I wrote, but I essentially took the standpoint that Montanans have been steamrolled by large corporations enough as it is, so as a Montanan Rehberg should realize that giving any sort of immunity to a corporation for any reason is a bad idea. His response?

The Protect America Act brings the outdated Foreign Intelligence Surveillance Act (FISA) of 1978 into line with current technological capabilities while adding appropriate liability protections for patriotic third parties who have helped defend our country.

The House of Representatives must pass this critical legislation without delay to ensure that Americans are protected from those who want to do us harm. I will do everything I can to ensure that these important protections are reinstated.

Sorry, Dave, the national agenda of the Republican Party trumps any obligation you may think I have to my constituents.

He lost in the end, as the house passed a bill refusing such retroactive immunity. This is actually a good, good thing. Bush and his cronies are trying to play the fear card. In the NY Times article, Bush is quoted as saying, “Companies that may have helped us save lives should be thanked for their patriotic service, not subjected to billion-dollar lawsuits that will make them less willing to help in the future. The House bill may be good for class action trial lawyers, but it would be terrible for the United States.”

This is bad logic, and it’s not very difficult to see why. I’m not surprised that you have no grasp of how our government works, Mr. President, but the scenario you described is not sufficient to change it. We have these things called checks and balances to prevent any one branch of the government (there are three, by the way) from overstepping its bounds. It’s also why you can’t declare war any time you want… oh, wait, scratch that one.

Anyway, the decision to take away Americans’ right to file suit against the telecoms for breaching their civil liberties is not Congress’s to make. All companies should be subject to “billion-dollar lawsuits” all the time because, let’s be frank, corporations don’t really care about the people they may hurt. The decision about whether the telecoms were complicit in violating Americans’ rights belongs to the judicial branch alone, and should be decided on a case-by-case basis. The legislative branch should never, ever preempt the courts’ ability to provide a path to justice for American citizens.

Taking away our ability to defend our rights and seek justice is a bad, bad idea. It essentially sends the telecoms the message that it’s okay to allow this kind of paranoid eavesdropping, and to go ahead and continue doing so, without fear of reprisal. Retroactive immunity is never a good idea. When you grant it, you acknowledge that those given immunity did in fact do something wrong, while at the same time declaring that nothing should be done about it.

Of course, Bush will veto any bill that attempts to seek justice the moment it arrives at his desk. But he’s on his way out. And there may be someone else in the White House soon enough to undo a lot of damage done by the president. That’s a good thing to think of (actually, there is more than one person who would probably do that, but I’m talking about the guy who will actually make it to the White House).