Tuesday, November 25, 2008

Analysis of the Board Attack

So, all the readers of the 100 Hour Board should know by now (assuming you check your email account) that the Board was attacked and compromised recently.

I was waiting for all the disclosure emails to go out before posting. So, now we can discuss what happened.

On Thursday, November 13, 2008 I was asked by an editor to make a code change on part of the site. Well, wasn't I surprised that when I tried to log in to the server the account password had been changed. So this was when the fun began. I used an alternative access method to get onto the machine with root privileges and regain control of the normal user account. Then, of course, it was time to start digging to find out what "they" had been up to, where they came from, and how they got in.

I quickly discovered from the log files that the attackers were clever enough to gain access to the machine, yet apparently incredibly stupid at the same time, so there's a good chance it was mostly a script-kiddie attack. They remembered to clear the bash_history for the normal user, but forgot to clear root's bash_history from their last session (they had reached the root account using "sudo su"; I've since revoked sudo privileges, since I'm the only one who should be executing commands as root, and I have the root password for when that account is needed). So I got to see some of their stupid in action, line by line. For example, they list out a directory and then try to change directories into a regular file, or run "cat" on a compressed file (so a bunch of garbage gets sent to the screen). They were, however, properly paranoid, checking for other logins several times during what appeared to be a short session.

After locking down the user accounts to prevent further shell access, I went digging through more logs to find out who they were. So, while they were smart enough to erase (most of) their bash_history, they were also dumb enough to leave behind all of their auth logs (the ones that say when people log in and from where) as well as all of the Apache logs from their attacks. So it was trivial to discover that the attackers were hitting the machine from locations in Ukraine and Russia (of course these were just their last bounces before coming to our machine, and they could be coming through any number of points before that).

Based on the Apache logs, they found the Board by doing a Google search for any ".edu" addresses that contain "id" in the URL anywhere and are running PHP. So they appeared to be trolling for sites that might be vulnerable to SQL injection attacks. My first thought was that they had exploited a vulnerability in the Board software and executed an SQL injection, but further analysis of the events suggests that was not the case: the particular part of the Board they attempted to attack was actually immune. Which, of course, is to suggest that other areas were less immune. I say "were" because I've been spending many waking hours of my life the last couple of weeks doing a line-by-line code review, patching up security holes. It's been a tedious and tiring process, but overall the Board is much safer now.
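The log triage described in the last three paragraphs, written out as an added example that is not part of the original post or of the Board's own code. It parses constructed auth.log and Apache combined-log lines (RFC 5737 documentation addresses, an invented host name "board", invented user names) and reports SSH logins from outside a trusted network, requests whose referer is a search-engine results page built from URL-shape operators such as inurl: or site:, addresses that did both, and sudo escalations to root. The trusted network list is an assumption supplied by the caller.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, urlparse

# Constructed sample log lines (not from the real server): RFC 5737 addresses,
# an invented host name "board", and the "sudo su" pattern the post describes.
AUTH_LOG = """\
Nov 12 03:14:07 board sshd[2201]: Accepted password for webuser from 203.0.113.45 port 51234 ssh2
Nov 12 03:20:41 board sudo:  webuser : TTY=pts/0 ; PWD=/home/webuser ; USER=root ; COMMAND=/bin/su
Nov 13 08:55:19 board sshd[2390]: Accepted publickey for admin from 192.0.2.10 port 40022 ssh2
Nov 13 09:01:02 board sshd[2402]: Failed password for invalid user oracle from 198.51.100.7 port 33001 ssh2
""".splitlines()

ACCESS_LOG = """\
203.0.113.45 - - [12/Nov/2008:03:10:52 -0700] "GET /board/view.php?id=17 HTTP/1.1" 200 8831 "http://www.google.com/search?q=site%3Aedu+inurl%3Aid+php" "Mozilla/4.0"
192.0.2.10 - - [13/Nov/2008:08:50:00 -0700] "GET /board/ HTTP/1.1" 200 4120 "http://www.google.com/search?q=100+hour+board" "Mozilla/5.0"
198.51.100.7 - - [14/Nov/2008:11:03:17 -0700] "GET /images/img.php HTTP/1.1" 404 290 "-" "Mozilla/4.0"
""".splitlines()

ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
APACHE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"')
# Query operators that make a search look for a URL shape rather than a topic.
SEARCH_OPERATORS = ("inurl:", "site:", "intitle:", "filetype:")


def parse_auth(lines):
    """Split auth.log lines into accepted SSH logins and sudo events."""
    logins, sudo_events = [], []
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            logins.append({"method": m.group(1), "user": m.group(2), "ip": m.group(3)})
            continue
        m = SUDO_RE.search(line)
        if m:
            sudo_events.append({"user": m.group(1), "target": m.group(2), "command": m.group(3)})
    return logins, sudo_events


def parse_apache(lines):
    """Parse combined-format access log lines into dicts (unparseable lines are skipped)."""
    hits = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m:
            hits.append({"ip": m.group(1), "when": m.group(2), "method": m.group(3),
                         "path": m.group(4), "status": int(m.group(5)), "referer": m.group(6)})
    return hits


def search_query(referer):
    """Return the search terms if the referer is a search results page, else None."""
    u = urlparse(referer)
    if not u.netloc or "search" not in u.path:
        return None
    q = parse_qs(u.query).get("q")  # parse_qs undoes %xx and '+' encoding
    return q[0] if q else None


def triage(auth_lines, access_lines, trusted_networks):
    """Correlate logins, root escalations and scanner-style referers into one report."""
    trusted = [ip_network(n) for n in trusted_networks]
    logins, sudo_events = parse_auth(auth_lines)
    report = {"untrusted_logins": [], "scanner_referers": [], "scan_then_login": [],
              "root_escalations": [e for e in sudo_events if e["target"] == "root"]}
    for login in logins:
        if not any(ip_address(login["ip"]) in net for net in trusted):
            report["untrusted_logins"].append(login)
    scanner_ips = set()
    for hit in parse_apache(access_lines):
        q = search_query(hit["referer"])
        if q and any(op in q.lower() for op in SEARCH_OPERATORS):
            report["scanner_referers"].append({"ip": hit["ip"], "query": q, "path": hit["path"]})
            scanner_ips.add(hit["ip"])
    # The strongest signal: an address that arrived via a URL-shape search and later got a shell.
    report["scan_then_login"] = [l["ip"] for l in report["untrusted_logins"] if l["ip"] in scanner_ips]
    return report


if __name__ == "__main__":
    # Assumed trusted range: the campus network (constructed, RFC 5737).
    for key, value in triage(AUTH_LOG, ACCESS_LOG, ["192.0.2.0/24"]).items():
        print(key, value)
```

On a real host the two inputs would be read from /var/log/auth.log and the Apache access log, and the trusted list would be the campus ranges; anything in scan_then_login deserves the same treatment the post describes, namely revoking the account and then reading everything else that address touched.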

So, what were they doing with the machine they had gained access to? Hosting spam. They weren't sending spam from our machine, which is nice: fewer headaches for us to deal with (being blacklisted, etc.). But they had been hosting a Cialis/Viagra spam website in a directory, and they embedded a hidden link on our site to promote search engine traffic for that page. They also installed several web interface back-doors to the system, at least 5 if I recall correctly. They were not very smart about hiding those, however, since a PHP file in an "Images" directory sticks out pretty obviously. So I cleaned out all of that garbage as well. Initial reviews of the database suggest that no malicious content has been injected there either.
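A webroot sweep for the three artifacts this paragraph describes (PHP files dropped into an image directory, "images" that are not really images, and a hidden link to an off-site page), added here as an example; it is not the post's code or the Board's code. The sample tree it builds in a temporary directory is constructed, with an invented spam host "spam.example" and placeholder file contents; the set of directory names treated as image directories is an assumption.

```python
import os
import re
import tempfile

# Directory names that should never hold server-side scripts (assumed list).
IMAGE_DIR_NAMES = {"images", "img", "uploads", "thumbs", "pics"}
# Leading bytes a file with this extension must carry to be what it claims.
IMAGE_MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phps"}
MARKUP_EXTENSIONS = SCRIPT_EXTENSIONS | {".html", ".htm"}
PHP_TAG_RE = re.compile(rb"<\?(?:php|=)")
# An anchor inside a container styled display:none, the hidden-link trick from the post.
HIDDEN_LINK_RE = re.compile(
    r'<(?:div|span|p)\b[^>]*display\s*:\s*none[^>]*>.*?<a\b[^>]*href=["\']([^"\']+)',
    re.IGNORECASE | re.DOTALL)


def scan_webroot(root):
    """Walk a document root and return sorted lists of suspicious relative paths."""
    findings = {"script_in_image_dir": [], "bad_image_header": [],
                "php_code_in_data_file": [], "hidden_links": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        parts = {p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)}
        in_image_dir = bool(parts & IMAGE_DIR_NAMES)
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as f:
                data = f.read()
            if ext in SCRIPT_EXTENSIONS and in_image_dir:
                findings["script_in_image_dir"].append(rel)
            if ext in IMAGE_MAGIC and not data.startswith(IMAGE_MAGIC[ext]):
                findings["bad_image_header"].append(rel)
            if ext not in SCRIPT_EXTENSIONS and PHP_TAG_RE.search(data):
                findings["php_code_in_data_file"].append(rel)
            if ext in MARKUP_EXTENSIONS:
                for href in HIDDEN_LINK_RE.findall(data.decode("latin-1")):
                    findings["hidden_links"].append((rel, href))
    return {k: sorted(v) for k, v in findings.items()}


def build_sample_webroot():
    """Create a constructed webroot mirroring the post's description (not the real site)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    files = {
        "index.php": '<?php include "board/view.php"; ?>\n'
                     '<div style="display:none"><a href="http://spam.example/pills/">pills</a></div>\n',
        "board/view.php": '<?php echo "board"; ?>\n',
        "images/logo.gif": b"GIF89a\x01\x00\x01\x00\x00\xff\x00,",          # a real GIF header
        "images/thumb.php": "<?php /* stand-in for a dropped back-door */ ?>\n",
        "images/photo.jpg": b"\x00\x00<?php /* stand-in: script disguised as an image */ ?>",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as f:
            f.write(content)
    return root


if __name__ == "__main__":
    for key, value in scan_webroot(build_sample_webroot()).items():
        print(key, value)
```

Run against a real document root, the bad_image_header and php_code_in_data_file lists are the ones to read first: a file that is served as an image but opens with a PHP tag is exactly what a web-interface back-door looks like when someone has tried, a little, to hide it.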

So, all in all we weren't hit too badly. And had they not been arrogant enough to change the account password there's a good chance I wouldn't know about it still.

The fun, from my end, began again when they found out that they no longer had access to the machine. I kept a close eye on the machine, and the next day they discovered that their shell access was no longer valid. Then, in the Apache logs, they quickly discovered that all of their web-interface back-doors were missing as well. (This actually helps me, because all the ones they checked were ones I had removed, which suggests I got them all.) Then they found that their spam site was no longer running, and that their hidden link on our site was gone. Now the crucial step was about to happen: they would check their next point of access to see if we had completely locked down the machine.

Much to my surprise, they quickly and easily accessed the database via our phpMyAdmin interface. This was a surprise because I had also changed the MySQL account passwords to prevent this very thing. I was afraid they had used some exploit in the phpMyAdmin code, but after some very fast digging and checking I was sad/happy to discover that I was at fault. In my haste to get our new machine running I had apparently forgotten to remove one of the default "nobody" (anonymous) accounts in MySQL. I have now found that Ubuntu MySQL installations come with a script, "mysql_secure_installation", which steps you through securing MySQL by removing anonymous accounts, setting the root password, deleting the default test database, and so on. I highly recommend it; it's apparently not well known, since none of the Ubuntu MySQL installation tutorials I've read through have ever mentioned it.
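The checklist that mysql_secure_installation walks through, as an added audit script that is not part of the post or of the MySQL distribution. It reads a tab-separated dump of the mysql.user table in the form `mysql -B -e "SELECT User, Host, Password FROM mysql.user"` prints it (on newer servers the column is authentication_string, which the script also accepts), plus the list of databases, and reports anonymous accounts (the "nobody" accounts from the post), root accounts reachable from non-local hosts, accounts with no password, and the default test database, emitting the SQL that would remove each. The sample table and hash values are constructed, and "board.example.edu" is an invented host name.

```python
# Hosts from which a root login is considered local (assumed list).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample in the tab-separated layout of `mysql -B` output (not a real dump).
# Empty User fields are the anonymous accounts; empty Password fields have no password set.
SAMPLE_USER_TABLE = "\n".join([
    "User\tHost\tPassword",
    "root\tlocalhost\t*CONSTRUCTED_HASH_A",
    "root\tboard.example.edu\t*CONSTRUCTED_HASH_A",
    "root\t%\t",
    "\tlocalhost\t",
    "\tboard.example.edu\t",
    "board\tlocalhost\t*CONSTRUCTED_HASH_B",
])
SAMPLE_DATABASES = ["information_schema", "mysql", "test", "board"]


def parse_user_table(text):
    """Turn the header plus tab-separated rows into a list of dicts, keeping empty fields."""
    lines = [line for line in text.splitlines() if line != ""]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def account(row):
    """Render a row as the 'user'@'host' form that DROP USER expects."""
    return "'%s'@'%s'" % (row["User"], row["Host"])


def audit_accounts(rows, databases):
    """Apply the mysql_secure_installation checks and collect remediation statements."""
    report = {"anonymous": [], "remote_root": [], "empty_password": [],
              "test_database": False, "fixes": []}
    for row in rows:
        # MySQL 5.0-era dumps call the column Password; 5.7+ calls it authentication_string.
        password = row.get("Password", row.get("authentication_string", ""))
        acct = account(row)
        if row["User"] == "":
            report["anonymous"].append(acct)
            report["fixes"].append("DROP USER %s;" % acct)
            continue
        if row["User"] == "root" and row["Host"] not in LOCAL_HOSTS:
            report["remote_root"].append(acct)
            report["fixes"].append("DROP USER %s;" % acct)
        if password == "":
            report["empty_password"].append(acct)
            report["fixes"].append("-- set a password for %s (SET PASSWORD / ALTER USER by version)" % acct)
    if "test" in databases:
        report["test_database"] = True
        report["fixes"].append("DROP DATABASE test;")
        report["fixes"].append("DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';")
    report["fixes"].append("FLUSH PRIVILEGES;")
    return report


if __name__ == "__main__":
    result = audit_accounts(parse_user_table(SAMPLE_USER_TABLE), SAMPLE_DATABASES)
    for key in ("anonymous", "remote_root", "empty_password", "test_database"):
        print(key, result[key])
    print("\n".join(result["fixes"]))
```

The anonymous account on the web server's own host name is the one that matters for the story above: phpMyAdmin connects from that host, so with no password required it lets anyone who reaches the phpMyAdmin page straight into the database, regardless of how strong the other account passwords are.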

So, now MySQL is locked down tight, and to prevent further issues of any kind, access to phpMyAdmin has been restricted to on-campus only. It appears that they either found out about this change on November 20, or haven't found out at all yet. That depends on whether they have a machine available to launch attacks from inside an insurance company in Canada, which tried to access phpMyAdmin.

It's now been a couple days since I started writing this post, so I've lost my train of thought. So, I think I'll just end it here. We've cleaned out the machine and everything seems to be pretty good. There doesn't appear to be any XSS attack running or malicious content hiding in the database, but if you see anything suspicious please send us an email so we can check into it.

Thursday, November 20, 2008

Overreaction

This is what we call an "overreaction":

Man charged for firing gun at wife
A Holladay man faces charges for firing a gun at his wife multiple times during an argument. It happened Saturday around 8 p.m. at the Sandpiper Apartments at 1370 E. Spring Lane, which is about 5000 South.

Sheriff's deputies say Randolph Taylor Carley fired at least nine times at his wife as she tried to leave their home, hitting her once in the leg and grazing her side.

The woman's injuries were not life threatening.

Carley is now charged with second-degree felony attempted murder.

Wednesday, November 19, 2008

Obama's Use of Complete Sentences Stirs Controversy

I read this headline and assumed it was from The Onion, but when I noticed it wasn't I wanted a closer look.

It's actually an article written by Andy Borowitz, an award winning comedian and satirist. I find it hilarious: Huffington Post: Obama's Use of Complete Sentences Stirs Controversy.

Reproduced here for your reading enjoyment:
In the first two weeks since the election, President-elect Barack Obama has broken with a tradition established over the past eight years through his controversial use of complete sentences, political observers say.

Millions of Americans who watched Mr. Obama's appearance on CBS's 60 Minutes on Sunday witnessed the president-elect's unorthodox verbal tick, which had Mr. Obama employing grammatically correct sentences virtually every time he opened his mouth.

But Mr. Obama's decision to use complete sentences in his public pronouncements carries with it certain risks, since after the last eight years many Americans may find his odd speaking style jarring.

According to presidential historian Davis Logsdon of the University of Minnesota, some Americans might find it "alienating" to have a president who speaks English as if it were his first language.

"Every time Obama opens his mouth, his subjects and verbs are in agreement," says Mr. Logsdon. "If he keeps it up, he is running the risk of sounding like an elitist."

The historian said that if Mr. Obama insists on using complete sentences in his speeches, the public may find itself saying, "Okay, subject, predicate, subject predicate -- we get it, stop showing off."

The president-elect's stubborn insistence on using complete sentences has already attracted a rebuke from one of his harshest critics, Gov. Sarah Palin of Alaska.

"Talking with complete sentences there and also too talking in a way that ordinary Americans like Joe the Plumber and Tito the Builder can't really do there, I think needing to do that isn't tapping into what Americans are needing also," she said.

Tuesday, November 18, 2008

Comments I Wrote on Tests

I've been grading tests. Here are some of the fun comments I made:

Student: "Consider the language L={a,b | a! = b} (factorial), this can obviously not be recognized in 2n steps."
Me: "Really? There is an O(n (log n log log n)^2) algorithm for factorials. Ooooo. Burn!"

Student: "If the TM had only 1 state, and the size of the alphabet = 2 it would appear more like 2|w|..."
Me: "That's crazy talk."

Student: Long answer...
Me: "So close, but then you went on a tangent instead of hitting the answer."

Student: "The answer is Yesssssss but only 7 s's because too many s's will mean less mercy points if I'm wrong."
Me: "Sorry, check your coin again."

Monday, November 10, 2008

Canada

I was just catching up on some old Snide Remarks when I ran across this statement, I almost died:

Canada seems like France and England got together and had a baby, but they couldn't take care of it, so they sent it off to be raised by American parents, who abused it.

Thursday, November 06, 2008

Democracy

So, I've been thinking over some of the results of the election. If you look through the results you'll find that anti-gay-marriage measures passed in several states. People that support gay marriage are irate over those measures passing, and many are taking aim at the LDS church. Unfortunately for them, when it comes down to it, the people that live in those areas voted; it was their votes that decided the outcome. The LDS church, or any other organization, didn't force anyone to vote one way or the other; there was no voter intimidation. The will of the people allowed measures like Proposition 8 to pass. That's how Democracy works. Sorry you don't like it. Sometimes Democracy doesn't turn out the way you want; I direct you towards the 8 years of Bush that we had to put up with. But you don't get to agree with Democracy when it goes your way, and then argue against Democracy when things go the other way.

There seems to be a lot of misunderstanding about the LDS church's role in the passing of Proposition 8. Yes, the church supported it. Yes, the church encouraged people to donate to the campaign to pass Prop 8. However, as always, individual members were allowed to decide the matter for themselves. You can oppose Proposition 8 and still be a temple worthy church member. Church members were not being "forced" or "coerced" into supporting, donating towards, or voting for Proposition 8.

I'm sorry if Democracy didn't work out for you this time. You can do what everyone else does: suck it up, and better luck next time. If the monetary contributions made by LDS church members were enough to swing the vote to pass Proposition 8, then next time your side will need to raise more money; that's how Democracy works. Deal with it.

Where You're From

I enjoy looking over the Google Analytics information every so often. The current crop of data is rather interesting because of the diverse and international readership that I apparently have, on occasion at least.

Here are the stats on where my visitors come from (over the last 30 days):
United States ---- 365
Canada ----------- 6
United Kingdom --- 5
Germany ---------- 3
Malaysia --------- 2
Saudi Arabia ----- 2
Mexico ----------- 1
Iran ------------- 1
Finland ---------- 1
Chile ------------ 1
Pakistan --------- 1
Poland ----------- 1
India ------------ 1
Romania ---------- 1
France ----------- 1
South Korea ------ 1
Spain ------------ 1

That's a pretty cool list if you ask me.

Wednesday, November 05, 2008

Michael Crichton Died

'Jurassic Park' author, 'ER' creator Crichton dies

I rather enjoyed most of Crichton's works. Too bad there will be no more to read now.

Tuesday, November 04, 2008

Hallelujah!

Obama won! The best part is that it wasn't even close, so the McCain supporters won't be able to go around for weeks complaining about this or that. He lost, and his supporters booed when he conceded; real classy.

Too bad it took 8 years of idiocracy for enough of this country to realize what was happening, but now we can finally start drifting back towards the middle and a President who doesn't say things like "One of the things I've used on the Google is to pull up maps. It's very interesting to see--I've forgot the name of the program--but you get the satellite, and you can like, I kinda like to look at the ranch."

Questions For Me

Well, mainly just one question for me:

For someone so cynical about so much of life why do I allow myself to be so foolishly optimistic about dating?

Why do I let myself build up hopes and wishes when I know that it will only mean there will be further to fall when things don't work out, which they never do. So, I guess it's time to be done with all the nonsense of dating again for awhile. I've put myself out there several times in the last few months, and I'm tired of the results.