Information Security News mailing list archives

Defacements/Server Compromise, Some Companies Simply Don't Care


From: InfoSec News <isn () c4i org>
Date: Fri, 28 Dec 2001 01:18:07 -0600 (CST)

http://packetderm.cotse.com/helpdesk/documents/editorials/edit_jh_009.html

A Cotse Editorial
John Holstein, 
Cotse Helpdesk/Support

Of course it's all a matter of perspective. If you speak of
manipulating web site content to misrepresent company policies, sure
they care. What I am speaking of is investigating and prosecuting the
criminal element involved in the act of defacement, root compromise or
infection by "worms". In other words, companies tend to "fix & forget".

I recently spent some time with another admin talking about tech and
system administrator issues. We spoke of a few items I thought I
should share with Cotse readers.


"....we were in the process of building a set of servers for use with
our E-Commerce development branch, these servers, while not that
sophisticated would operate around 30 websites, email, and various
Apache modules, such as PHP, Perl, SSI and others. We installed a
certain version of Linux, setup the basis for our servers and away we
went. During the installation, I was new to the office so I didn't
make myself "heard" well enough. I didn't want to be "pushy" so I
didn't project enough concern toward security. What little input I
used was toward attempting to get the primary admin to close a few
security holes that we didn't need opened in the first place, such as
Samba, NFS and LPD (printer support). The primary admin was set on
doing an OOB install, whereas what came installed, stayed installed.
At this point, I was very much aware that the admin didn't have a
security mind-set, something that would eventually cause trouble.

Over the course of the next month or two, we built the complementary
servers to house the E-Commerce sites. The sites themselves were
running well and we didn't have any trouble to note. Upon a Thursday
or Friday afternoon, Thursday I think, I was looking around the
servers and found something very strange. One of the two servers was
"down", seemingly "halted". I immediately contacted the other admin
and asked if he had shut the box down. Of course, he had not. I took
the box off the network and allowed it to reboot. Upon reboot, I did a
simple "netstat", with little to no results and I further explored a
"ps" command. The "ps" command was either missing or came up with some
strange results (it's been a while, forgive me for my memory lapse). I
knew from experience that this was a first sign of a "root kit"
install.

After doing some checks with the security sites, I found that I was
0day +3 into the recent LPD exploit, well, being overly cautious, I
immediately went to checking. Indeed, the LPD exploit was used on the
server.

Needless to say, I attempted to follow certain guidelines in taking
the box offline, mirroring the drive, backing up, maintaining
evidence. In fact, I wanted to put a totally different box in place
and keep that particular machine out of the loop. Management, in a
round-about-way didn't want any part of that. In fact, they wouldn't
allow me to track back and find the origin of the intruder (I
already suspected a Worm had worked its way to my system) nor did
they want to involve the police....."

This is one account that directly relates to management "covering up"
a particular exploitation of their networks and servers. I have heard
of many more.

If in fact this is common and this set of circumstances repeats itself
world-wide, what can we expect of law enforcement when an ethical
report of a website defacement or server compromise actually makes it
to the desk of an investigator? Law enforcement gleans a lot of
information for an investigation from statistics gathered on other
instances of the same or similar crimes. If the crimes are not
reported and profiles of criminals are not generated, how is law
enforcement expected to render reasonable assumptions and accurate
statistics? The fact is, they cannot.

While I fully understand that most website defacements are very
simplistic and not overly malicious in the way the files are changed
and/or manipulated, one must also understand that during an intrusion
of webservers, enough information is gleaned to obtain further
permissions and/or ease the business of completing social engineering
schemes.

Although most website defacements and root exploits occur on the
"outside" servers, some, if not the largest percentage, of actual
defacements occur because of the "unicode exploits" in Microsoft IIS
4.0/5.0 Servers. These exploits DO NOT require a sophisticated
process in order to deface a website. A simple URL entered into the
address line of the web browser of an unsuspecting netizen could in
fact deface a website without the knowledge of the person doing the
clicking.

By no means does this mean that the assailant didn't have access to
other resources; it only means that this is a very simple approach to
defacement. On the basis of the unicode exploit, other commands and
functions may be utilized for other goals.

That's right folks, for those that do not understand or haven't been
enrolled in the defacement scene, all you need do to "hack" a
company's website that's running an OOB install of IIS 4.0/5.0 is
enter a certain malformed URL into your Internet Browser (IE for
instance) and click "go". The target of the URL will then be
transformed from the website it once was to whatever the writer of
the URL wants it to be. How simple do they have to make it? Not
speaking of the cracker, I am speaking about the writer of the web
server software. A simple URL can "do in" a company's website.
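The "unicode exploits" the editorial refers to were a canonicalisation-ordering flaw: the server validated a request path before it had finished decoding it, so an overlong UTF-8 encoding of a path separator carried a ".." traversal past the check. The Python below is an added example, not part of Holstein's editorial or any Cotse material; it models that broken order beside the corrected decode-then-check order and runs a defender's review over constructed IIS-style log lines. The overlong-byte folding is taken from the public description of that bug class, and every path, address and file name is constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes
# Overlong two-byte UTF-8 forms (lead byte 0xC0 or 0xC1) encode ASCII characters
# that only ever need one byte. A lenient decoder folds "%c0%af" to "/" and
# "%c1%9c" to "\"; a strict decoder rejects both as malformed.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def lenient_decode(raw: bytes) -> bytes:
    """Model a lenient decoder: fold each overlong form back to its ASCII byte."""
    def fold(m):
        lead, cont = m.group(0)
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])
    return OVERLONG.sub(fold, raw)

def escapes_root(path: bytes) -> bool:
    """True when '..' segments climb above the web root ('\\' counts as '/')."""
    depth = 0
    for seg in re.split(rb"[/\\]", path):
        if seg == b"..":
            depth -= 1
        elif seg and seg != b".":
            depth += 1
        if depth < 0:
            return True
    return False

def check_then_decode(uri: str) -> bool:
    """Broken order: decode once, check, and let the file layer decode again later."""
    once = unquote_to_bytes(uri)  # "%c0%af" is still two opaque bytes at this point
    return not escapes_root(once)  # True means the request would be served

def canonical_check(uri: str) -> bool:
    """Correct order: canonicalise fully (percent decoding plus overlong folding), then check."""
    return not escapes_root(lenient_decode(unquote_to_bytes(uri)))

# Constructed log lines in an IIS-style layout: date time client method uri status
SAMPLE_LOG = [
    "2001-12-20 14:02:11 10.0.0.5 GET /default.htm 200",
    "2001-12-20 14:02:13 10.0.0.9 GET /scripts/..%c0%af../private/site.cfg 200",
    "2001-12-20 14:02:15 10.0.0.9 GET /scripts/..%c1%9c../private/site.cfg 200",
    "2001-12-20 14:02:17 10.0.0.7 GET /images/%2e%2e/%2e%2e/private/site.cfg 404",
]

def flag_traversal(lines):
    """Return (client, uri) for every request that leaves the web root once fully canonicalised."""
    hits = []
    for line in lines:
        fields = line.split()
        if not canonical_check(fields[4]):
            hits.append((fields[2], fields[4]))
    return hits
```

The two `%c0%af`/`%c1%9c` lines pass `check_then_decode` yet fail `canonical_check`, which is exactly the gap a log review has to close; the plain `%2e%2e` line is caught by both orders.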

Whose fault is it? What does it matter? Sure, the cracker is to blame
for cracking the website. But seriously? A simple URL defacement?
Click on a link and *poof*, what once was a BIG CORPORATE SITE,
relying on Microsoft to provide ample security, was reduced to some
script kiddie chanting about the End of the World and how he/she
RULEZ! it.

Do the companies care? Evidently not. How many website defacement
"crackers" have you seen convicted lately? Although I understand that
Law Enforcement cannot prosecute all of the cases that could be
presented in relation to defacement, they could in fact compile
statistics on the M.O. of the cracker. This job is currently
done by civilians! Personal web sites are devoted to the statistical
analysis of web site defacements, and the information they generate
is gathered by civilians. If, by comparison, the statistics on arson
were compiled by civilians, would we not have cause for concern?

Being a volunteer fire fighter for 15+ years now, I know for a fact
that the government collects data on every aspect of a fire. What
materials were used to start the fire, electrical involvement,
equipment involvement, radiated heat, blah blah blah. If we can do
this with fire, why not computer systems? I mean heck, what better
product to do statistics about than the product that compiles the
statistics!

This is a new world we live in and the rules and laws must change to
meet the new era of information and communications. While we are well
on our way to creating appropriate guidelines, the governments of the
World are soon to realize their current law enforcement infrastructure
cannot handle the work load that is presented to it.

None of this will be done to suit the privacy advocates of the World,
including myself. Folks, even though I want to keep as much of my
privacy as I possibly can, I know some of the freedoms that we are used
to will have to be given up, or at the very least, allowed to be
changed in order to keep the status quo at the level we are used to.
There are two opposite sides to every debate. I am sure a middle
ground is obtainable where everyone, well almost everyone, can meet
and appease the majority of those concerned. Frankly, that's why it's
called a "democracy". Without two opposing views, at an equal distance
apart, a logical solution would be suppressed by the single-minded
behavior of an individual dominating force.

When the average 13-year-old is offered the opportunity to "screw
over" the system that he/she thinks is "against them" without
subjecting themselves to "being caught" or criminal prosecution, do
you not think the time will soon come when 13-year-olds become the
criminals of the world? Hiding in the shadows, cracking whenever
possible? That's been going on for years in front of the blind eye of
law enforcement. But wait! They caught Kevin Mitnick! Yea, like he's
one of twenty thousand. And he was "caught" not by law enforcement,
but by one of his peers.

John Holstein, 
Cotse Helpdesk/Support
