
I was reading an article about a recent website (astalavista.com) that was hacked.

The perpetrator wrote down how he did it:

http://pastebin.com/f751e9f5b

What can we learn from this to better secure web servers?

One of the things that puzzled me:

    [+] Connecting to astalavista.com:80
    [+] Grabbing banner...
            LiteSpeed
    [+] Injecting shellcode...
    [-] Wait for it
   
    [~] We g0tshell
            uname -a: Linux asta1.astalavistaserver.com 2.6.18-128.1.10.el5 #1 SMP Thu May 7 10:35:59 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
            ID: uid=100(apache) gid=500(apache) groups=500(apache)

I tried searching to see if there was any remote injection vulnerability in Litespeed, but I could not find any. Some people claimed that the kernel was susceptible to the vmsplice() exploit, but doesn't this still require arbitrary code execution?

Another thing

mysql> select username,password,email from contrexx_access_users where is_admin = 1;
+------------+----------------------------------+-----------------------------+
| username   | password                         | email                       |
+------------+----------------------------------+-----------------------------+
| system     | 0defe9e458e745625fffbc215d7801c5 | info@comvation.com          |
| prozac     | 1f65f06d9758599e9ad27cf9707f92b5 | prozac@astalavista.com      |
| Be1er0ph0r | 78d164dc7f57cc142f07b1b4629b958a | paulo.santos@astalavista.ch |
| schmid     | 0defe9e458e745625fffbc215d7801c5 | ivan.schmid@comvation.com   |
+------------+----------------------------------+-----------------------------+

system:f82BN3+_*
Be1er0ph0r:belerophor4astacom
prozac:asta4cms!
commander:mpbdaagf6m
sykadul:ak29eral

How did they get rainbow table coverage up to 18 characters long? How complete are the md5 rainbow tables out there?

Unknown

2 Answers

First off, a few observations:

- Even though the banner grabbed is for LiteSpeed (a drop-in Apache replacement), the resulting access is through the Apache user.

- Since the initial resulting access is through the Apache user, most likely this is an Apache/LiteSpeed level vulnerability, not a kernel vulnerability.

- .bash_history: Another ouch.

Secondly, how to better secure the system:

- Using an Intrusion Detection System like OSSEC would have alerted the admins as critical files were changed.

- Using a Layer 7 (Application Layer) firewall could have filtered out the bad input that resulted in the initial web user compromise.

- Don't store users' / customers' passwords. Always use a salted hash.

- Don't tick off attackers. :)

Finally, resources for md5 rainbow tables:

http://www.freerainbowtables.com/en/tables/md5/

http://project-rainbowcrack.com/table.htm

btw, I agree with Unknown, which is why I posted these links as evidence.

Anapologetos

Josh Brower
  • Interesting. But it still seems like the passwords are still out of the scope of normal rainbow tables. For example, system is 9 chars with mixed case and symbols. A rainbow table of 1-7 ascii chars is 128 GB. Upping this 2 chars more will grow the table size by 8836x – Unknown Jun 05 '09 at 19:54
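To make the "always use a salted hash" point concrete, here is an added example (not code from the answer, the asker, or the Contrexx CMS). It uses a constructed user table with invented names and passwords: unsalted MD5 makes every digest a single precomputed-table lookup and exposes which users share a password (two rows in the dump above carry the same digest), whereas a per-user random salt with PBKDF2 gives different stored values for the same password. The helper names (`duplicate_password_groups`, `hash_password`, `verify_password`, `password_contains_username`) are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed legacy table in the style of the dump above (invented users and
# passwords, not the site's real data). With unsalted MD5, equal passwords
# produce equal digests, so reuse is visible without cracking anything, and
# each digest is one lookup in a precomputed table.
LEGACY_ROWS = {
    "alice": hashlib.md5(b"Spring2009!").hexdigest(),
    "bob": hashlib.md5(b"bob4cms").hexdigest(),
    "carol": hashlib.md5(b"Spring2009!").hexdigest(),
}


def duplicate_password_groups(rows):
    """Return lists of usernames whose unsalted digests collide (same password)."""
    by_digest = {}
    for user, digest in rows.items():
        by_digest.setdefault(digest, []).append(user)
    return [users for users in by_digest.values() if len(users) > 1]


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; a fresh 16-byte salt per user defeats table reuse."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def password_contains_username(username, password):
    """Policy check for the pattern behind the dictionary-attack remark below."""
    return username.lower() in password.lower()
```

The duplicate-digest check is only possible against an unsalted table; after migrating to `hash_password`, two users with the same password no longer share a stored value.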

The md5 rainbow tables are very complete. Especially when your password has your username in it.

Karl Katzke
  • Up to how many characters how many symbols complete? How would it be especially when your username is in it? How would people know to prehash all combinations of your weird user name? – Unknown Jun 05 '09 at 19:42
  • The publicly distributed hash tables I know of go up to about 12 chars. Beyond that, well ... I have about 18 processor cores that run at up to 4 ghz in my spare room. If I were to start grinding out hash tables, how long would it take me to do 13 chars? Heck, my work desktop has 16 cores that run at > 2.5 ghz. If you are the type that's hacking people's accounts frequently, my guess is that you will have a script that will attempt a dictionary attack. Be1er0ph0r's PW is vulnerable to such an attack, regardless of length. – Karl Katzke Jun 05 '09 at 19:56