A good read through the Astalavista.com hack log
by admin on Jun.09, 2009, under Uncategorized
If you’ve been reading the news recently in the IT security world you’ll know that the website Astalavista was recently hacked. Usually I don’t care too much about these activities; websites get hacked all the damn time and it’s never really a big deal. But what makes this case special is that whoever did the attack decided to paste their entire log online.
First, some quick history. A while ago a website called Astalavista.box.sk came about to allow people easy access to security files and cracks.
At its start in 1994, it was one of the first search engines for computer security related information. In reality it turned out to be used as a search engine for security exploits, software for use in hacking and cracking, and various key generators and software cracks. The site is also known for referencing things such as spyware and viruses. Because of this, the website is known to possibly contain data, links, downloadable files, and information some users would consider spyware, adware, or other unwanted programs.
Thriving off of the success of Astalavista.box.sk another site came along: Astalavista.com. This site was really just a rip-off of Astalavista masking itself as a security ‘community’. From their own site:
Astalavista.com – the hacking & security community, is one of the world’s most popular and comprehensive computer security web sites. Astalavista.com was originally founded in 1997, by a hacker computer enthusiast. The name of the site came from the unforgettable line in the Terminator 2 movie – “Hasta La Vista Baby”. Since then, the site became the underground’s most respected and well maintained community for anything you ever wanted to know about security. The enormous database, the constant updates, the unique nature of the content published, the new services and features, all offered for free, turned Astalavista.com into what it is today – a cult!
It wasn’t until recently that a group known as Anti.sec decided they had had enough of Astalavista.com and set out to see what they could do. Obviously they got in (using a 0day exploit, no less). But what was interesting about this case was seeing how easy it is to go from:
Exploit -> Command Line access -> Local Exploit -> Root Access
But what was even scarier was seeing how common tools that unix admins use on a daily basis (and their current configurations) can be used against them, exposing weaknesses not only in the local machine but in a whole host of machines. Especially when we’re talking about CMS sites.
Let’s start with how they got in. There’s not much here (the log is purposefully vague on this point, to keep the script kiddies at bay) but basically they used a 0day (or unknown) exploit against the site’s Light Speed HTTP daemon. Once they had access to the server they were logged in as the ‘apache’ user. This user doesn’t have many rights beyond reading the website files. So using a local privilege escalation exploit they gained local root access. This is pretty much the end of this machine. Once someone has escalated their privileges to root they ‘own’ the box. They can install rootkits, keyloggers, bots, deface websites, etc. Normally the hack would end here. But being the industrious kids they are, they proceeded to poke holes in the rest of the site’s security. A quick scan through the shell ‘history’ log shows every command someone typed. Whoever the admin was for this machine felt it was necessary to log on to their database server passing the password through the command line:
mysql -h -ucontrexxuser2 -p0fEYNZgXz1pKe com_contrexx2_live < /root/defaultp_ports.sql
But the password stealing doesn’t end there. Peppered throughout the site are PHP scripts used to connect to the database. These scripts are normally used by content management systems (such as WordPress or cPanel) and because they are database driven they obviously need access to the database. You can see above that at least the account used wasn’t ‘root’, the admin account in MySQL, but a separate account instead. At least they didn’t get the admin account…
sh-3.2# cat .my.cnf
[client]
user=da_admin
password=X9dctmRH
Oh, never mind. You see, the above file (.my.cnf) is a MySQL configuration file. Some programs let you put this file in your home directory to save you typing credentials when logging in to the server. The problem: it stores your password in plaintext. For an IT security website they sure don’t practice good security. And ‘da_admin’, really?
But it gets worse. Through reading a bunch of files the group found a file used for backup. Normally this would be a good thing, showing prudence on the part of the administrators that they were properly conducting backups. The problem? The file was a simple shell script which connected to an FTP server and uploaded the backups:
# ftp for synology backup server
FTP_HOST="212.254.194.163";
FTP_PORT="21";
FTP_USER="astalavista.com";
FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
FTP_DIR="/astalavista.com";
As you can see, the attacker now has yet another password. In the log the attacker simply logs on to this server to see what’s there. Presumably they’re just after astalavista.com. In reality I’d be surprised if they didn’t log on to that server using SSH as well (because nowadays most systems are not segregated when it comes to FTP and user logon). And, as demonstrated above, it is trivial to escalate privileges once you have local command line access.
So armed with this information the attackers knew the following:
- Astalavista.com website files, scripts, forums and content
- The Database Admin username and password
- The backup location (and access to the backups)
It doesn’t take much imagination to guess what they did next:
sh-3.2# rm -rf backup/
sh-3.2# rm -rf backup.14161/
sh-3.2# rm -rf ftp/
sh-3.2# rm -rf jon/
sh-3.2# rm -rf my/
sh-3.2# rm -rf mysqldata/
sh-3.2# rm -rf test/
sh-3.2# rm -rf tmp/
sh-3.2# cd ~
sh-3.2# rm -rf *
sh-3.2# rm -rf /var/log/
rm: cannot remove directory `/var/log//proftpd': Directory not empty
sh-3.2# rm -rf /home/*
ftp> cd astalavista.com
250 CWD command successful.
ftp> ls -la
[snip]
ftp> mdelete *
mysql> drop database astanet_membersystem;
mysql> drop database com_contrexx;
mysql> drop database com_contrexx2;
mysql> drop database com_contrexx2_live;
mysql> drop database ideapool;
mysql> drop database yourmaster;
mysql> drop database astanet_ads;
mysql> drop database astanet_mailing_lists;
mysql> drop database astanet_mediawiki;
Basically they did the following:
- Deleted the local website, scripts and pages
- Deleted the temp, test and log directories
- Deleted the user folders
- Connected to the FTP backup site and deleted the backups
- Connected to the database server and dropped all the website databases
They erased every trace of this website.
What can you learn from this? There are a few things:
- Don’t store your passwords in plaintext
- Segregate your database access on a user basis
- Keep your current systems up to date with patches and security
- Do not push your backups but instead force the backup server to pull the information
- Never pass passwords through the command line
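As an added illustration of the plaintext-password and command-line-password lessons (this is example code written for this post, not anything from the log or from Astalavista.com), here is a small audit script that scans shell history, .my.cnf files and backup scripts for the three credential patterns the log exposed and reports them with the secret redacted; the sample lines and values are constructed.

```python
import re

# Added example: audit shell history, MySQL option files and backup scripts for
# the three credential-exposure patterns this log shows. Secrets found are
# redacted in the report so the audit output does not become another leak.

PATTERNS = {
    # mysql/mysqldump invoked with the password glued to -p or via --password=
    # (a bare "-p " that prompts interactively is not flagged)
    "mysql password on command line":
        re.compile(r"\bmysql\w*.*?\s(?:-p|--password=)(?P<secret>\S+)"),
    # plaintext password= line in a .my.cnf [client] section
    "plaintext password in option file":
        re.compile(r"^\s*password\s*=\s*(?P<secret>\S+)", re.IGNORECASE),
    # FTP_PASS="..." assignment in a push-style backup script
    "ftp password in backup script":
        re.compile(r"^\s*FTP_PASS\s*=\s*['\"]?(?P<secret>[^'\"\s;]+)",
                   re.IGNORECASE),
}


def redact(line, match):
    """Replace the captured secret with *** but keep the rest of the line."""
    return line[:match.start("secret")] + "***" + line[match.end("secret"):]


def find_credential_exposures(lines):
    """Return (line_number, finding, redacted_line) for every hit."""
    findings = []
    for number, line in enumerate(lines, start=1):
        for name, pattern in PATTERNS.items():
            match = pattern.search(line)
            if match:
                findings.append((number, name, redact(line, match)))
    return findings


# Constructed sample input mirroring the shapes seen in the log (values made up)
SAMPLE_LINES = [
    'mysql -h db.example -udbuser -pEXAMPLEpass sitedb < /root/dump.sql',
    'mysql -h db.example -udbuser -p sitedb',          # prompts: not flagged
    'ls -la /var/www',
    '[client]',
    'user=da_admin',
    'password=EXAMPLEcnfpass',
    'FTP_HOST="backup.example";',
    'FTP_PASS="EXAMPLEftppass";',
]

if __name__ == "__main__":
    for number, name, line in find_credential_exposures(SAMPLE_LINES):
        print(f"line {number}: {name}: {line}")
```

Run it over ~/.bash_history, every ~/.my.cnf and your backup scripts; a clean report is the goal, and every hit is a credential to rotate, not just to move.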
All in all an impressive display and interesting log to read through.
Update: The attackers also went after one of the individuals who was researching into this attack. You can see his log here. Basically they used an SSH attack to gain access, found a boatload of passwords on the machine, accessed the database, dropped the database and deleted the entire file system. Still interesting.