PaulDotCom mailing list archives
Getting Your Start Because You Got Hacked
From: tadaka at gmail.com (Jason Wood)
Date: Thu, 14 May 2009 13:02:41 -0600
This happened back when I was a jr sysadmin at a fairly large dotcom. My wife and I were having a party at our house with several of our friends when my cell phone went off. Sure enough, it was the NOC saying that this one web server kept running out of disk space and they couldn't figure out why. The operator had cleared out all the temp files he could find, removed a number of web server logs and some other stuff. Disk space dropped for about 30 minutes and then climbed back up over 90%.

My computer was in the living room, so in the middle of the party I logged into this server and started poking around. First order of business was to figure out where the most disk space was being chewed up. C:\inetpub\ftproot was the culprit. I looked around the file system and found video games, music files, warez, etc. all over the place. I checked the FTP config and saw that it was a default setup with no relation to the function of the web server. Anonymous access had full read/write.

At this point, I was cracking up and asking people at the party if anyone wanted the latest Britney Spears album. I had 3-4 people crowded around my PC to watch what was going on. I uninstalled the FTP service, cleaned up the disk space and looked at the FTP logs. Sure enough, the server had been idle on FTP for weeks, then got discovered. In 2 days it went from unknown to very popular. It also didn't hurt that there were multiple OC3s coming into the environment. The users of the site must have been having a field day.

Wait, I hear people asking, shouldn't the firewall have blocked the FTP connections? Well, not if it is set to allow FTP inbound to all servers. That later got changed too.

Anyhow, it was a completely hilarious experience, particularly since I didn't set up the server so my pride wasn't at stake. ;-)

On Thu, May 14, 2009 at 12:43 PM, Joshua Wright <jwright at hasborg.com> wrote:
I was working for Johnson & Wales University and we had a Citrix server running on NT 3.51. I was one of the first people who got a cable-modem at home from Cox Communications, and it rocked! It rocked so much, someone else on the LAN discovered my workgroup and host, and connected to an unprotected share on my Windows 98 machine where he grabbed the .ica file with a stored password to the Citrix server. He called me at home to let me know how r00ted I was, after getting my home phone number from my wife's resume.doc file.

Yeah, it was pretty painful, but it was my motivator to get into infosec. "Wow, that sucks, but at the same time, it's so awesome too" is the best way I can describe it.

Years later we bumped into each other in Providence, and he told me how he's been watching my career since he called me that first time. I thanked him for his help. :)

-Josh

Paul Asadoorian wrote:

All:

I'd like to start a new thread where we all share our experiences on how we got into computer security. Specifically I want to hear about people whose boxes got hacked, and sparked a life-long career in infosec. I may use your story in an upcoming piece I am working on, if I do I will contact you off-list for permission and such.

Larry, I know you got a good story here ;)

Thanks!

Cheers,
Paul

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com