Hacker News new | comments | show | ask | jobs | submit login
Astalavista.com hacked, including details (astalavista.com)
171 points by gmazzola 2675 days ago | hide | past | web | 64 comments | favorite

Page as it appeared on June 5, 2009 12:15AM EDT: http://pastebin.com/f751e9f5b

The post is a little low on details concerning the actual exploit used, but there's pretty massive carnage. Let's hope the admins have offsite backups.

For those who don't know of Astalavista, it was a popular website for "hackers" with relatively low-quality content. It started in 1994, and was one of the first search engines for computer security information. It hosted software exploits, and quickly degenerated into a forum for sharing software cracks, spyware, and virii.

Being a security-related website, you'd expect the owners to be a little more careful, which is why this is interesting.

They did have off-site backups, which the hacker found and erased.

One strategy that I employ to mitigate this is to have my backup service connect to the production server, rather than the other way around. That way if your production services are compromised, your backups remain untouched (on a machine that's running no services, behind a firewall, etc, and for all intents invisible).

We use tarsnap (http://www.tarsnap.com) to handle our offsite backups. If you give your production servers write only keys you can mitigate this risk (and not send your backups across the wire in the clear).

I thought the typical definition of offsite backup also means data is backed up to a media like tape and stored in a different location.

How is your offsite backup implemented? Is the data stored on a network drive, or backed up to tape?

My understanding is that an offsite backup is, as the name implies, a backup that is stored at a geographically separate location to your production site.

I have a few servers deployed at various locations around the world, and I have a machine here at home that performs rsnapshot daily backups of their files. I then make bi-monthly backups of those backups, and store them in a saftey deposit box at a bank. This means that if my servers go down, I can restore them to within a day. If my house burns down, I still have my data to within two-weeks.

That's pretty much how it should be done. Let's hope the guys at astalavista is smart enough to do that. Your approach adds an additional layer of protection in case, as you'd put it, someone gets into your home server and deletes them. That, and tapes are less likely to get corrupted or become unreadable than the drives on your server, which may cut down on recovery time.

When your business gets bigger, it might be worth it to look into dedicated hosting and have the datacenter do the backup for you. After all, you want to spend your time managing your IT crew, rather than driving those tapes to the bank :)

Definitely a much better method of handling backups. Completely agreed.

What's the point in offsite backups (for security reasons) if they're connected over network connections?

Physical security, i.e. protection against fires floods and comets, etc.

It looks like they first buffer overflowed Litespeed to spawn a shell (which was ironically running as a user 'apache'). The http headers that are being returned from Astalavista are consistent with this theory (in addition to the obvious output of the first binary run). Apparently Litespeed has a pretty dodgy security record after doing a cursory search.

Far more interesting was the root escalation exploit. 2.6.18 is a relatively recent kernel, and I haven't heard of exploits publically disclosing something of that caliber. Has anyone seen anything on securityfocus/bugtraq/milw0rm etc regarding this?

There's a nasty bug in the vmsplice() syscall in anything from 2.6.17 to Exploits have been public since early 2008.



One of the files on their server is an exploit for that vulnerability. If they know about it, I would guess they aren't vulnerable, but who knows.

Good point. The kernel version in the transcript looks like the version I've got on a CentOS machine, so it's probably patched. Interestingly, the strings ("r00tr00t", "Executing shell") from the local-root tool they're using don't appear anywhere online, suggesting that it's something private and potentially unknown.

maybe it's just not indexed.

It's easy to modify strings in a simple C function/program. That's all that would be needed to modify and display the "r00tr00t" etc you are mentioning.

The version string "2.6.18-128.1.10el5" is exactly what CentOS 5.3 shows (toy VM I installed last week, updated to May 31, no updates today). They may have turned off SELinux for convenience ...

[P.S. my VM is 32 bits, because VirtualBox has an issue with 64 bit CentOS 5.3 and AMD PhenomIIs: http://www.virtualbox.org/ticket/3927 ]

I'm thinking I was not the only one reading the title as altavista.com and I was really shocked.

Thanks for the background info on the site.

I definitely read "altavista" at first too having never heard of astalavista until now.

Why do you think they called it like that? It was founded in early 90's and altavista was "the" thing. I remember going there and learning about trojans, debuggers and disassembly as a kid.

Offtopic, but please, don't use 'virii'. The correct plural is 'viruses'. 'Virii' is wrong for two reaons:

1) The Latin plural of word ending in -us is not -ii. -i at best.

2) 'Virus' doesn't have a Latin plural, because its meaning is like (in the sense of not having a plural) 'sand': it already denotes a multitude.

Being a Latin geek myself I can't help but point out that nouns in the fourth declension (u stem) also end in -us in singular and receive an -us affix in plural as well.

"Virus" is however, in the second declension (virus -i n. "slime, poison, goo") with the oddity of being neutral while having a second declension -us ending which is normally a feature of masculine nouns. And indeed, its plural would be "viri".

Neuter nouns of the second declension don't generally have plurals that end in -i, but rather in -a, so "vira" would be equally possible.

It's also important to note that scholars don't actually know the proper plural of virus because they haven't really found one in extant literature.

Wikipedia has a longer discussion at http://en.wikipedia.org/wiki/Plural_of_virus#Virus

Doo doo doo doo, doo doodoo do, Doo doo doo doo, doo doodoo do, Doo doo doo doo, doo doodoo do, Doo, doodoodoo, doo doo doo doo doo....

A bit hard to communicate, but that's the keyboard cat playing all of you off.

Ironically, I was very careful with my choice of "virus vs. virii" when I wrote that message. I looked up the Wikipedia article for Plural of Virus ( http://en.wikipedia.org/wiki/Plural_of_virus ), and noted the sentence "In reference to a computer virus, the plural is often believed to be virii...".

As an amateur Latin geek myself, I agree that "viruses" is proper from a grammar standpoint, but I sided with Wikipedia because I was using computer terminology.

but if you read on.. "or, less commonly, viri, but both forms are neologistic folk etymology[1] and no major dictionary recognizes them as alternative forms."

Why is it that the plural of "radius" is "radii" but the plural of "virus" is not "viri"? I don't see "virus" as inherently denoting a multitude in the dictionary. Just curious.

Because with [radi]us the stem is "radi" but with [vir]us the stem is "vir". These words are from the same type (second declension) they both receive an -i affix in plural, hence radi + i = radii, vir + i = viri. Latin being Latin there are an awful number of exceptions but this is a somewhat general rule.

Put it like this: Grammatically speaking, the plural of virus is viri. Putting it into plural might or might not makes sense. Personally, I don't think that using plural for collections in Latin is a very big sin given that this is very common in classical Latin texts.

One example of this can be found in the famous introduction of Aeneid (I.1 "Arma virumque cano...") lines 31-32, where Virgil is using the plural form of the word "sea" (mare, plural: maria)

"multosque per annos / errabant acti fatis __maria__ omnia circum" - "for a number of years, driven by fate, wandering around on the seas"

Virus is Latin for poison. It's a mass noun because it denotes something uncountable (not in the strict mathematical sense, but in the how the hell do you count poison sense). As far as I know, there is no Latin plural form for virus.

Second declension singular nominative nouns end in 'us' and their plural form end in 'i', but fourth declension singular nominative nouns also end in 'us', but their plural form still end in 'us'. Also, like in every language, there are funky exceptions to these rules, like second declension singular nominative nouns which are neuter rather than masculine, but still end in 'us' rather than the normal 'um'. Moral of the story, don't assume that the plural of word ending in 'us' is 'i'.

It's also been about 8 years since I've taken Latin, so take that into consideration before someone goes all Life of Brian on me.

Interestingly, English words with irregular forms which are infrequently used often revert back to regular forms. The 'why' is simply because people prefer to say "viruses," either because they forgot the irregular plural form or because they prefer how a regular form sounds.

And furthermore "sands" is still perfectly legitimate, even though "sand" may be inherently plural (the "sands" of time, different "sands" of the world).

If the plural of goose is geese why is the plural of moose not meese?

The correct term in Hixie English is virii. You need to learn your Hixie English (even the HTML5 standard is written in it).

Brutal indeed. Not only did they expose all aspects of astalavista, they actually trashed and dropped everything.

As bad as astalavista is, is it right to reciprocate and trash their server? It seems as if the hacker sunk to their level.

Are there legal ramifications to something like this?

"Are there legal ramifications to something like this?"

Uh, yeah, of course. Good luck catching them, though.

you're mistaking astalavista.box.sk with astalavista.com.

astalavista.com stole their name to ride on their popularity.

hell, i tend to find any reasonably detailed description of the process of exploiting something to be pretty interesting.

gives a fairly good idea of how to not make the same mistakes, if applicable.

Yeah, considering how last-decade astalavista.com is, I wouldn't be surprised if now is the most pageviews they've gotten in awhile ;)

When a site is reported as 'hacked', am I alone in not wanting to visit it for a look-see? Aren't the same people who deface sites likely to try fresh browser compromises against rubberneckers?

That seems like a decent security precaution.

However, since astalavista was the site in question, you will probably be safer to visit after the hack.

I doubt quality folks such as the one's participating here at HN would ever post a link to a site, even a defaced one, that would potentially harm anyone visiting it. </circlejerk>

This somewhat concludes the whole point of the hax0rs:

Quote: "plaintext passwords? yes, those so called "security professionals" who charge you $6.66 / month to register at their hack-proof portal, save your passwords in plaintext... brilliant!"

I especially liked "philip"... one of the 100 most common boy names.

dark side of me: I wonder how many of those passwords work to get into those e-mail accounts...

or bank accounts

I think scrolling down that was more suspenseful than any book I've ever read :)

mysql> drop database ... (x9 databases)

My jaws literally dropped when I got to that part.. that's gotta suck, even for a crude site like Astalavista.

Not as bad as where they found the backup plan in the bash history, FTP'd to their remote backups, and deleted them all...

Its the (other) hacker news this week on HN.

Indeed. I figured this particular piece of news would interest both types of hackers, as it contains technical details you wouldn't expect from a standard defacement. It's rather similar to the urge to rubberneck at a car crash: it's both horrific and exciting at the same time.

If my assumption is incorrect and no one is interested, I will humbly tuck my metaphoric tail between my legs and refrain from posting such things again.

That type of respect for quality makes HN great. </circlejerk>

From Digg: http://digg.com/security/astalavista_com_Hacked_2

http://romeo.copyandpaste.info gives an idea about anti-security movement...

a bunch of people on efnet irc say that it was hacked by some guy named darkpontifex or some group called dikline or something. supposed to not be a litespeed vuln its actually an ntp daemon vuln just changed the name to confuse people.

Read from line 1758 (at http://pastebin.com/f751e9f5b) and you'll see that those astalavista guys have no taste... Good riddance.

The hackers complain about Astalavista being targeted towards script kiddies. However, it looks like they used a prepackaged exploit, too.

i think that was the point: Astalavista is also an IT security company, yet they can't even keep themselves from being hacked in every way possible, using the simplest of prepackaged exploits available.

I saw some paypal details in there aswell, I'm wondering if astalavista used any of the same passwords to secure that account?


The tool they were downloading appears to have been private. Hence the anonymized IP and hostname (anti.sec.labs).

The site is back up now...

2.6.18-128.1.10.el5 is the latest patchlevel of RHEL or CentOS kernels. It seems like their security officers are sleeping on their keyboards. Good news for so-called enterprise linux customers. amazon.com? =)

btw, this is merely good quality of system maintaince (of course, their backup system is very funny), but this is very usual way people uses linux and oss nowadays - no one cares to much, thanks to apt-get and yum and xen.

Linux is a mainstream now, nothing special, just stupid, plain activity. It was cool when they were migrated from 2.4 to 2.6 kernel, or even from 2.1 to 2.2 glibc. Today it lost all its coolness and romance.

Just imagine what happening in corporate sector, who hires cheap boys or guys from third-world, like me.

That was painful to "watch" happen to them. Lesson learned. Do NOT f* with hackers...

Yes and the fact that there are always smarter people with more time on their hands than you out there on the internet.

Well, I guess they deserve it for screwing people over $6.66/month at a time for 15 years for distributing publically available material (literally).

Who? If it was altavista.com this might be news...

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact