The post is a little low on details concerning the actual exploit used, but there's pretty massive carnage. Let's hope the admins have offsite backups.
For those who don't know of Astalavista, it was a popular website for "hackers" with relatively low-quality content. It started in 1994, and was one of the first search engines for computer security information. It hosted software exploits, and quickly degenerated into a forum for sharing software cracks, spyware, and virii.
Being a security-related website, you'd expect the owners to be a little more careful, which is why this is interesting.
They did have off-site backups, which the hacker found and erased.
One strategy that I employ to mitigate this is to have my backup service connect to the production server, rather than the other way around. That way if your production services are compromised, your backups remain untouched (on a machine that's running no services, behind a firewall, etc, and for all intents invisible).
We use tarsnap (http://www.tarsnap.com) to handle our offsite backups. If you give your production servers write only keys you can mitigate this risk (and not send your backups across the wire in the clear).
My understanding is that an offsite backup is, as the name implies, a backup that is stored at a geographically separate location to your production site.
I have a few servers deployed at various locations around the world, and I have a machine here at home that performs rsnapshot daily backups of their files. I then make bi-monthly backups of those backups, and store them in a safety deposit box at a bank. This means that if my servers go down, I can restore them to within a day. If my house burns down, I still have my data to within two weeks.
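The pull model described above (the backup host connects to production, never the reverse) combined with rsnapshot-style daily rotation, as an added example that is not code from this thread, from rsnapshot or from tarsnap. Unchanged files are hard-linked to the previous snapshot, so a run of daily snapshots costs about one full copy plus the changes, and retention pruning lives only on the backup host, so a compromised production box has no path to the old copies. The directory names, file contents and retention count are constructed for the demo.

```python
"""Pull-model, rsnapshot-style snapshot rotation (added example, not the
thread's or rsnapshot's own code). The backup host runs this and reads from
the production tree it has fetched; production holds no credentials for the
backup host. Paths and retention values below are assumptions.
"""
import filecmp
import os
import shutil
import tempfile
from datetime import datetime
from typing import Dict, List, Optional


def _same_file(a: str, b: str) -> bool:
    """True if b has the same size, mtime and content as a."""
    sa, sb = os.stat(a), os.stat(b)
    if sa.st_size != sb.st_size or int(sa.st_mtime) != int(sb.st_mtime):
        return False
    return filecmp.cmp(a, b, shallow=False)


def list_snapshots(dest_root: str) -> List[str]:
    """Snapshot directory names, oldest first (names sort chronologically)."""
    if not os.path.isdir(dest_root):
        return []
    return sorted(d for d in os.listdir(dest_root)
                  if os.path.isdir(os.path.join(dest_root, d)))


def take_snapshot(source: str, dest_root: str, name: Optional[str] = None) -> str:
    """Copy `source` into dest_root/<name>, hard-linking every file that is
    unchanged since the newest existing snapshot. Returns the new path."""
    os.makedirs(dest_root, exist_ok=True)
    previous = list_snapshots(dest_root)
    prev_dir = os.path.join(dest_root, previous[-1]) if previous else None
    name = name or datetime.now().strftime("%Y%m%dT%H%M%S")
    new_dir = os.path.join(dest_root, name)
    os.makedirs(new_dir)
    for dirpath, _dirnames, filenames in os.walk(source):
        rel = os.path.relpath(dirpath, source)
        target_dir = new_dir if rel == "." else os.path.join(new_dir, rel)
        os.makedirs(target_dir, exist_ok=True)
        for fn in filenames:
            src = os.path.join(dirpath, fn)
            dst = os.path.join(target_dir, fn)
            old = os.path.join(prev_dir, rel, fn) if prev_dir else None
            if old and os.path.isfile(old) and _same_file(src, old):
                os.link(old, dst)        # unchanged: share the inode
            else:
                shutil.copy2(src, dst)   # new or changed: fresh copy, old snapshot untouched
    return new_dir


def prune(dest_root: str, keep: int) -> List[str]:
    """Delete the oldest snapshots so at most `keep` remain. Only the backup
    host ever calls this; production cannot reach the snapshot store."""
    snaps = list_snapshots(dest_root)
    removed = snaps[:max(0, len(snaps) - keep)]
    for d in removed:
        shutil.rmtree(os.path.join(dest_root, d))
    return removed


def demo() -> Dict[str, object]:
    """Constructed run in a temp dir: one file changes between day1 and day2,
    then retention drops day1. Returns facts about the resulting snapshots."""
    work = tempfile.mkdtemp()
    source = os.path.join(work, "production")   # stand-in for the fetched production tree
    backups = os.path.join(work, "backups")
    os.makedirs(os.path.join(source, "etc"))
    with open(os.path.join(source, "etc", "app.conf"), "w") as f:
        f.write("listen = 8080\n")
    with open(os.path.join(source, "users.db"), "w") as f:
        f.write("alice\n")
    day1 = take_snapshot(source, backups, "day1")
    with open(os.path.join(source, "users.db"), "a") as f:
        f.write("bob\n")                        # production data changes
    day2 = take_snapshot(source, backups, "day2")
    take_snapshot(source, backups, "day3")

    def ino(*parts: str) -> int:
        return os.stat(os.path.join(*parts)).st_ino

    with open(os.path.join(day1, "users.db")) as f:
        day1_db = f.read()
    result: Dict[str, object] = {
        "conf_shared_day1_day2": ino(day1, "etc", "app.conf") == ino(day2, "etc", "app.conf"),
        "db_shared_day1_day2": ino(day1, "users.db") == ino(day2, "users.db"),
        "day1_db_content": day1_db,             # old snapshot keeps the pre-change data
        "removed": prune(backups, keep=2),
    }
    result["remaining"] = list_snapshots(backups)
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

In the demo the unchanged config file shares one inode across day1 and day2, while the changed users.db gets a fresh copy and day1 still holds the pre-change content; the real rsnapshot does the same with `cp -al` plus rsync, and the point of running it from the backup host is that `prune` is the only deletion path and production never sees it.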
That's pretty much how it should be done. Let's hope the guys at astalavista are smart enough to do that. Your approach adds an additional layer of protection in case, as you'd put it, someone gets into your home server and deletes them. That, and tapes are less likely to get corrupted or become unreadable than the drives on your server, which may cut down on recovery time.
When your business gets bigger, it might be worth it to look into dedicated hosting and have the datacenter do the backup for you. After all, you want to spend your time managing your IT crew, rather than driving those tapes to the bank :)
It looks like they first buffer overflowed Litespeed to spawn a shell (which was ironically running as a user 'apache'). The http headers that are being returned from Astalavista are consistent with this theory (in addition to the obvious output of the first binary run). Apparently Litespeed has a pretty dodgy security record after doing a cursory search.
Far more interesting was the root escalation exploit. 2.6.18 is a relatively recent kernel, and I haven't heard of exploits publicly disclosing something of that caliber. Has anyone seen anything on securityfocus/bugtraq/milw0rm etc regarding this?
Good point. The kernel version in the transcript looks like the version I've got on a CentOS machine, so it's probably patched. Interestingly, the strings ("r00tr00t", "Executing shell") from the local-root tool they're using don't appear anywhere online, suggesting that it's something private and potentially unknown.
It's easy to modify strings in a simple C function/program. That's all that would be needed to modify and display the "r00tr00t" etc you are mentioning.
The version string "2.6.18-128.1.10el5" is exactly what CentOS 5.3 shows (toy VM I installed last week, updated to May 31, no updates today). They may have turned off SELinux for convenience ...
Why do you think they called it like that? It was founded in the early '90s and altavista was "the" thing. I remember going there and learning about trojans, debuggers and disassembly as a kid.
Being a Latin geek myself I can't help but point out that nouns in the fourth declension (u stem) also end in -us in singular and receive an -us affix in plural as well.
"Virus" is however, in the second declension (virus -i n. "slime, poison, goo") with the oddity of being neutral while having a second declension -us ending which is normally a feature of masculine nouns. And indeed, its plural would be "viri".
Ironically, I was very careful with my choice of "virus vs. virii" when I wrote that message. I looked up the Wikipedia article for Plural of Virus ( http://en.wikipedia.org/wiki/Plural_of_virus ), and noted the sentence "In reference to a computer virus, the plural is often believed to be virii...".
As an amateur Latin geek myself, I agree that "viruses" is proper from a grammar standpoint, but I sided with Wikipedia because I was using computer terminology.
but if you read on.. "or, less commonly, viri, but both forms are neologistic folk etymology[1] and no major dictionary recognizes them as alternative forms."
Why is it that the plural of "radius" is "radii" but the plural of "virus" is not "viri"? I don't see "virus" as inherently denoting a multitude in the dictionary. Just curious.
Because with [radi]us the stem is "radi" but with [vir]us the stem is "vir". These words are from the same type (second declension) they both receive an -i affix in plural, hence radi + i = radii, vir + i = viri. Latin being Latin there are an awful number of exceptions but this is a somewhat general rule.
Put it like this: Grammatically speaking, the plural of virus is viri. Putting it into plural might or might not make sense. Personally, I don't think that using plural for collections in Latin is a very big sin given that this is very common in classical Latin texts.
One example of this can be found in the famous introduction of Aeneid (I.1 "Arma virumque cano...") lines 31-32, where Virgil is using the plural form of the word "sea" (mare, plural: maria)
"multosque per annos / errabant acti fatis __maria__ omnia circum" - "for a number of years, driven by fate, wandering around on the seas"
Virus is Latin for poison. It's a mass noun because it denotes something uncountable (not in the strict mathematical sense, but in the how the hell do you count poison sense). As far as I know, there is no Latin plural form for virus.
Second declension singular nominative nouns end in 'us' and their plural form end in 'i', but fourth declension singular nominative nouns also end in 'us', but their plural form still end in 'us'. Also, like in every language, there are funky exceptions to these rules, like second declension singular nominative nouns which are neuter rather than masculine, but still end in 'us' rather than the normal 'um'. Moral of the story, don't assume that the plural of word ending in 'us' is 'i'.
It's also been about 8 years since I've taken Latin, so take that into consideration before someone goes all Life of Brian on me.
Interestingly, English words with irregular forms which are infrequently used often revert back to regular forms. The 'why' is simply because people prefer to say "viruses," either because they forgot the irregular plural form or because they prefer how a regular form sounds.
And furthermore "sands" is still perfectly legitimate, even though "sand" may be inherently plural (the "sands" of time, different "sands" of the world).
When a site is reported as 'hacked', am I alone in not wanting to visit it for a look-see? Aren't the same people who deface sites likely to try fresh browser compromises against rubberneckers?
I doubt quality folks such as the ones participating here at HN would ever post a link to a site, even a defaced one, that would potentially harm anyone visiting it. </circlejerk>
This somewhat concludes the whole point of the hax0rs:
Quote: "plaintext passwords? yes, those so called "security professionals" who charge you $6.66 / month to register at their hack-proof portal, save your passwords in plaintext... brilliant!"
Indeed. I figured this particular piece of news would interest both types of hackers, as it contains technical details you wouldn't expect from a standard defacement. It's rather similar to the urge to rubberneck at a car crash: it's both horrific and exciting at the same time.
If my assumption is incorrect and no one is interested, I will humbly tuck my metaphoric tail between my legs and refrain from posting such things again.
A bunch of people on efnet irc say that it was hacked by some guy named darkpontifex or some group called dikline or something. Supposed to not be a litespeed vuln; it's actually an ntp daemon vuln, just changed the name to confuse people.
I think that was the point: Astalavista is also an IT security company, yet they can't even keep themselves from being hacked in every way possible, using the simplest of prepackaged exploits available.
2.6.18-128.1.10.el5 is the latest patchlevel of RHEL or CentOS kernels. It seems like their security officers are sleeping on their keyboards. Good news for so-called enterprise linux customers. amazon.com? =)
btw, this is merely good quality of system maintenance (of course, their backup system is very funny), but this is a very usual way people use linux and oss nowadays - no one cares too much, thanks to apt-get and yum and xen.
Linux is mainstream now, nothing special, just stupid, plain activity. It was cool when they migrated from the 2.4 to the 2.6 kernel, or even from 2.1 to 2.2 glibc. Today it has lost all its coolness and romance.
Just imagine what is happening in the corporate sector, which hires cheap boys or guys from the third world, like me.