Re: Multiple .edu sites reportedly victims of db theft

[John Ladwig <John.Ladwig () SO MNSCU EDU>]

+1

I have recently gained a newfound respect for SQLMap.

   -jml   *or maybe more than one*

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keller, 
Alex
Sent: Tuesday, February 03, 2015 2:13 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Multiple .edu sites reportedly victims of db theft

Among the hackers focused on building notoriety through data exfiltration posts on Pastebin, SQLmap (http://sqlmap.org) 
and SQLninja (http://sqlninja.sourceforge.net) are two of the most popular tools. If your database backed website is 
exposed to the public Internet, it is certain these tools have probed your server. They are easy to setup, include a 
bevy of pre-canned attacks, as well as features to facilitate more sophisticated techniques...perfect for the budding 
attacker.

Testing these tools against your own servers can be enlightening.

For reference, I've included my November post on Pastebin and Google hacking below.

Best,
Alex

-----Original Message-----
From: Keller, Alex 
Sent: Wednesday, November 19, 2014 2:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: RE: [SECURITY] Google Hacking

Great topic. I recommend testing and tuning your Pastebin alert search strings, too general and the results may include 
extraneous posts and will likely exceed the free account limits which I believe is 10 total alerts, after which the 
alerts are disabled; clearly an encouragement to upgrade to the PRO version (quite affordable) which removes such 
limitations.

If you want to deep dive on search based vulnerability discovery and pen testing, check out the awesome SearchDiggity 
tool:
http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/

No discussion of this topic would be complete without recognizing the contributions of Johnny “I hack stuff” Long who 
wrote the seminal book on the subject and founded the Google Hacking Database (GHDB) now hosted by the Offensive 
Security team at http://www.exploit-db.com/google-dorks/.

Best,
alex

Alex Keller
Information Technology
Stanford School of Engineering
axkeller () stanford edu  
(650) 736-6421


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Colleen 
Blaho
Sent: Tuesday, February 03, 2015 11:55 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Multiple .edu sites reportedly victims of db theft

I did a quick spot check of the CMS used by these sites. There doesn't seem to be a common software package there: 
Drupal, Wordpress, TYPO3, and a lot of "None found".

On 02/03/2015 02:01 PM, Joel L. Rosenblatt wrote:
> Hi,
>
> Can I ask if the sites that are on this list are running Drupal?
>
> Thanks,
> Joel Rosenblatt
>
>
> Joel Rosenblatt, Director Network & Computer Security Columbia 
> Information Security Office (CISO) Columbia University, 612 W 115th 
> Street, NY, NY 10025 / 212 854 3033 http://www.columbia.edu/~joel 
> Public PGP key
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x90BD740BCC7326C3
>
>
> On Tue, Feb 3, 2015 at 12:36 PM, John Stauffacher 
> <john () caffeinatednetworks com> wrote:
> > My apologies for formatting, I generally take the daily digests -- so 
> > I am picking up responses out of the listserv interface.
> >
> > Unfortunately, right now - I know very little. I'm working with a few 
> > organizations here in the states to see if we can isolate traffic 
> > from outside of the US that is suspect and is targeting their applications.
> > Having spent a good deal of time myself in Higher Ed, i understand 
> > the enormous pressures your under and how budgets are always tight, 
> > time is always tight -- but I would ask -- if you get some spare 
> > cycles start going through your access logs or ids logs looking for sqli attacks.
> >
> > I wanted to include some comments that Gary Warner from UAB sent out 
> > to another distro, as he went the extra mile to find even more 
> > background on
> > this:
> > - snip -
> > Not sure if there is enough to go on here or not, but when I visit 
> > the Pastebin link by this kid, there are many examples of his URLs in 
> > his other Pastes.  For example, here is a list of SQL probes he did against "nhs.uk".
> >
> > http://pastebin.com/5yxT6c8s
> >
> > His catalog of pastes can be accessed here:
> >
> > http://pastebin.com/u/abdilo
> >
> > Because he has also been probing the Australian government and many 
> > Australian educational institutions, I'm also passing this 
> > information to friends at ACMA and the AFP.
> >
> > Finding a single IP who hit several of those addresses, and then 
> > looking for that same IP on some of "our" .edus might be a path 
> > forward, but I believe it may be true that, as Greg points out, there 
> > is not enough information here to move an investigation forward.
> >
> > If there is "proof" that this is happening, I would strongly suggest 
> > sending a lead to our FBI friends who deal with academic breaches, 
> > but again, I'm not sure if we have that much information yet.
> >
> > Just thought you guys would be in the best position to try to 
> > determine what we might be able to do here.
> > - end snip -
> >
> > I think if we are going to make a run at stopping this person, we 
> > would need to collaborate a bit and start sharing some information.
> >
> >
> >
> >
> >
> > > Is there any other information about how or what is vulnerable, or 
> > > what information was extracted?  More information will be required 
> > > before any organisation could do a response and begin the 
> > > investigation into how to remediate.
> >
> > Greg
> >
> > On Tue, Feb 3, 2015 at 1:51 AM, John Stauffacher 
> > <john () caffeinatednetworks com> wrote:
> > > All,
> > >
> > > I came across an individual a few days ago on twitter (@abdilo_) 
> > > that was bragging about breaching multiple .edu's via sqli. He 
> > > claimed responsibility for a breach of Metropolitan State 
> > > University, and this afternoon dropped this partial list of .edu 
> > > sites that he reportedly has breached and absconded with their databases:
> > >
> > > http://pastebin.com/yyhT6tzc
> > > uq.edu.au
> > > columbia.edu
> > > usyd.edu.au
> > > upf.edu
> > > vcu.edu
> > > williams.edu
> > > monash.edu.au
> > > uji.es
> > > hu-berlin.de
> > > exeter.ac.uk
> > > mcmaster.ca
> > > ubc.ca
> > > waikato.ac.nz
> > > uwa.edu.au
> > > ohio-state.edu
> > > handles.gu.se
> > > iwm-kmrc.de
> > > purdue.edu
> > > lancs.ac.uk
> > > uni-erlangen.de
> > > luiss.it
> > > unimib.it
> > > purdue.edu
> > > univ-montp1.fr
> > > uw.edu.pl
> > > pless.cz
> > > inscripcions.org
> > > uni-oldenburg.de
> > > 141.89.97.231
> > > idecisions.org
> > > uni-mannheim.e
> > >
> > > If anyone on this list is a member of these organizations, or can 
> > > reach out to them -- it is important that they know. From the 
> > > communication that I have gotten from this person (all via twitter) 
> > > this issue seems to be systemic in some piece of software shared 
> > > amongst all these groups. If that is the case, then we are looking 
> > > at a vendor related flaw -- and the potential targets is pretty large.
> > >
> > > --
> > >
> > > John Stauffacher
> > > GPG Fingerprint: 5756 3A3B ADA3 22A6 9B26 6CA8 DB8D 2AC3 7699 0BD

--
Colleen Blaho

Information Security and Unix Services
University of Pennsylvania
School of Arts and Sciences
3600 Market St.
Suite 501
Philadelphia, PA 19104

Need to verify my public key?
<https://pgp.mit.edu/pks/lookup?op=get&search=0x6BA5B98CF9577D6B>