Hacked Recap
from the well,-that-was-fun dept
As mentioned over the weekend, we were briefly hacked on Saturday evening. We've put in a bit of time to figure out what happened, clean up the mess and correct the problems (and harden some other defenses as well). The short story is that we left open a big hole that we shouldn't have left open. Yay. We had certainly locked down most of the obvious holes, and people try to hack us on a semi-regular basis, with little success. But, if someone's persistent enough, they'll find a way. In this case, though, we made it a hell of a lot easier than we should have. This particular hacker tried hitting a whole bunch of different routes early Saturday morning, most of which got rejected (some people noticed his attempt to do a SQL injection via the comments -- that failed). However, he went on to try SQL injections just about everywhere and eventually found one where we hadn't properly escaped things, and bam, that's all it takes. As you probably know, this site has been around since 1998, and while we've dumped/updated most of the old code, and most of the new code is properly secured, there were still a few pieces left over from the ancient code -- and that's where the big vulnerabilities were. That's not an excuse. We should have caught it earlier (in fact, we actually had been testing some code to replace some of the vulnerabilities, but hadn't deployed it yet -- but, we now realize it wouldn't have blocked all the problems). But, it is what happened.

From there, the hacker got into part of the blog admin (don't want to get into too many details of how the blog backend works, but it actually involves two separate admins -- which are separate from other stuff we do). Then, he basically had pretty good access to doing some stuff (though not everything) on the blog. He poked around a bit, deleted a bunch of comments, deleted a whole ton of old story submissions (most of which were junk anyway -- so thanks!) and then replaced a few stories on the front page with his fancy "hacked!" claims.
After that, the story is pretty straightforward. Once we realized what happened, we put the old stories back in place and made sure to quickly toss up some more secure walls to keep him out of the admin. We also shut down comments and submissions for a while, even though we were pretty damn sure the vulnerability wasn't there (it wasn't), but we wanted to make sure. Then a few of us spent some time digging around to understand just what the guy did so we could retrace his steps and make sure we killed off the basic vulnerabilities. Considering that he tried to hit us from a bunch of different angles, this took a bit longer than expected. But, once we figured out the basics, it was just a matter of tracking down the actual holes in the code. It was a little frustrating, since we really thought we'd blocked out SQL injections -- but in the end, it turns out we didn't do it absolutely everywhere. Anyway, there's a fair amount of code to go through, so we've been going over it with a fine-tooth comb, and checking it twice, then locking it down again.
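The lesson in the paragraph above, that one call site which forgot to escape is all it takes, is easiest to see in code. What follows is an added example, not Techdirt's code (the site's actual language, schema and helpers are not shown on this page); it uses Python with an in-memory SQLite database and constructed sample rows, and the table layout and function names are assumptions. It puts a naive per-call-site escaping helper next to parameterized queries: the helper works on a quoted string column, silently does nothing on an unquoted numeric column, and the parameterized form does not depend on anyone remembering to call it.

```python
"""Added example, not Techdirt's code: escaping at each call site versus
parameterized queries. Runs against an in-memory SQLite database seeded
with constructed rows; table layout and names are assumptions."""
import sqlite3

# Constructed sample data (story_id, author, body).
SAMPLE_COMMENTS = [
    (1, "alice", "first post"),
    (1, "bob", "me too"),
    (2, "alice", "on story two"),
    (2, "eve", "buy my stuff"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, story_id INTEGER, author TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (story_id, author, body) VALUES (?, ?, ?)", SAMPLE_COMMENTS
    )
    return conn


def naive_escape(value):
    """The ad hoc helper pattern: doubles single quotes. It only protects a value
    that the query actually wraps in quotes, and only if every call site uses it."""
    return str(value).replace("'", "''")


def by_author_vulnerable(conn, author):
    # Deliberately vulnerable: user input pasted straight into the SQL text.
    sql = "SELECT id, author FROM comments WHERE author = '%s'" % author
    return conn.execute(sql).fetchall()


def by_author_escaped(conn, author):
    # Escaping happens to work here because the value sits inside quotes.
    sql = "SELECT id, author FROM comments WHERE author = '%s'" % naive_escape(author)
    return conn.execute(sql).fetchall()


def by_story_escaped(conn, story_id):
    # Same helper, numeric column, no quotes in the query: escaping changes nothing.
    sql = "SELECT id FROM comments WHERE story_id = %s" % naive_escape(story_id)
    return conn.execute(sql).fetchall()


def by_author_safe(conn, author):
    # Parameterized: the value is bound by the driver and never parsed as SQL.
    return conn.execute(
        "SELECT id, author FROM comments WHERE author = ?", (author,)
    ).fetchall()


def by_story_safe(conn, story_id):
    # Validate the type at the boundary, then bind. A non-integer id is rejected, not executed.
    try:
        sid = int(story_id)
    except (TypeError, ValueError):
        raise ValueError("story_id must be an integer, got %r" % (story_id,))
    return conn.execute("SELECT id FROM comments WHERE story_id = ?", (sid,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    quote_payload = "' OR '1'='1"
    number_payload = "1 OR 1=1"
    print("vulnerable:", len(by_author_vulnerable(db, quote_payload)), "rows")  # every comment
    print("escaped   :", len(by_author_escaped(db, quote_payload)), "rows")     # none
    print("numeric   :", len(by_story_escaped(db, number_payload)), "rows")     # every comment again
    print("safe      :", len(by_author_safe(db, quote_payload)), "rows")        # none
    try:
        by_story_safe(db, number_payload)
    except ValueError as exc:
        print("rejected  :", exc)
```

Run it directly to see the row counts. The practical consequence for an audit like the one described above: escaping is a property of each individual query string, so the review has to find every place that builds SQL by concatenation or formatting, while parameterization is a property of the API, so the review collapses to grepping for string formatting next to `execute`.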
Finally, we've been restoring the lost comments (we're doing that right now, so they might not all be back yet), of which we believe we didn't lose any (there's a small chance that a very very small number of comments were lost). Restoring the lost submissions is a bit much at this point (as I said, most were junk anyway), so if you submitted stories late Friday or Saturday, and really think we should see them, perhaps submit them again.
On the whole, there's not that much to say, other than check your code carefully, folks. If there's a hole somewhere, eventually someone's gonna find it. Luckily, this guy didn't do much damage -- just a bit of vandalism -- and he kept a few of us from enjoying what had otherwise been quite nice weekends with our friends and families. But he got us to go over our code pretty carefully (and mentally kick ourselves a few times), and get in touch with our inner CSI detectives to track down exactly what happened.
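Retracing the attacker's steps, as the paragraph above describes, mostly comes down to URL-decoding the request targets in the access log and grouping the probe-looking requests by client, since the tell-tale pattern was one source trying injection on many different routes. This is an added example, not Techdirt's tooling or logs: the log lines are constructed in Apache combined format, the paths and addresses are invented, and the pattern list is a starting point rather than a complete signature set.

```python
"""Added example, not Techdirt's tooling: after-the-fact triage of an access
log for SQL-injection probing. Log lines below are constructed; paths,
timestamps and IP addresses are invented."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (one sweeping client, one ordinary reader).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Aug/2009:03:14:07 -0700] "GET /articles/20090820/0327475945.shtml HTTP/1.1" 200 5120
10.0.0.5 - - [22/Aug/2009:03:14:22 -0700] "POST /comments.php?id=5945%27 HTTP/1.1" 500 311
10.0.0.5 - - [22/Aug/2009:03:14:40 -0700] "GET /search.php?q=test%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8812
10.0.0.5 - - [22/Aug/2009:03:15:02 -0700] "GET /submit.php?story=1%20UNION%20SELECT%20user%2Cpass%20FROM%20admins-- HTTP/1.1" 200 944
10.0.0.5 - - [22/Aug/2009:03:15:30 -0700] "GET /oldstuff/list.php?cat=3%20OR%201%3D1 HTTP/1.1" 200 40210
192.0.2.9 - - [22/Aug/2009:03:16:11 -0700] "GET /articles/20090820/0327475945.shtml HTTP/1.1" 200 5120
192.0.2.9 - - [22/Aug/2009:03:16:45 -0700] "GET /search.php?q=o%27reilly HTTP/1.1" 200 7700
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)

# Checked against the URL-decoded query string. Not exhaustive; extend as probes are seen.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*OR\s*'?\d*'?\s*=\s*'?\d*'?|\bOR\s+\d+\s*=\s*\d+", re.I)),
    ("union", re.compile(r"\bUNION\b.{0,40}\bSELECT\b", re.I)),
    ("comment", re.compile(r"(--|/\*|#)\s*$")),
    ("stacked", re.compile(r";\s*(DROP|DELETE|UPDATE|INSERT)\b", re.I)),
]


def parse_line(line):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    path, _, query = entry["target"].partition("?")
    entry["path"] = path
    entry["query"] = unquote_plus(query)  # decode %27, %20, + before matching
    return entry


def classify(entry):
    """Return the injection signals found in one parsed entry, in pattern order."""
    signals = [name for name, rx in SQLI_PATTERNS if rx.search(entry["query"])]
    if "'" in entry["query"] and 500 <= entry["status"] < 600:
        # The app blew up on a bare quote: that parameter likely reached SQL unescaped.
        signals.append("error_on_quote")
    return signals


def triage(log_text):
    """Group probes by client: {ip: {"paths": set of paths probed, "hits": [(path, query, signals)]}}."""
    report = defaultdict(lambda: {"paths": set(), "hits": []})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        signals = classify(entry)
        if signals:
            report[entry["ip"]]["paths"].add(entry["path"])
            report[entry["ip"]]["hits"].append((entry["path"], entry["query"], signals))
    return dict(report)


def suspects(log_text, min_paths=2):
    """Clients that probed for injection on at least min_paths distinct endpoints."""
    return sorted(ip for ip, r in triage(log_text).items() if len(r["paths"]) >= min_paths)


if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG).items():
        print(ip, "probed", len(r["paths"]), "distinct paths")
        for path, query, signals in r["hits"]:
            print("   ", path, repr(query), signals)
    print("sweeping clients:", suspects(SAMPLE_LOG))
```

The `error_on_quote` signal is the one to chase first: a 5xx on a request carrying a bare quote usually means that parameter reached the database unescaped, which is the kind of hole the post describes, and it points at the exact endpoint. The distinct-path count is what separates a stray odd request (the reader searching for "o'reilly") from a methodical sweep across routes.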
Update: Well, that was just great. Less than half an hour after posting this, our network provider went down for nearly two hours, despite supposedly having all sorts of redundancies. It had nothing whatsoever to do with the hack, but was a bigger issue for the provider. However, it did slow down us restoring the comments, meaning that comments need to remain off for probably another few hours. This has really been a fun weekend.
Update 2: Comments are back. We did end up losing a few comments, mostly those right before the hack. Really sorry about that. If you said something really important and it's missing... say it again, please.
Filed Under: hacked, sql injection
Companies: floor64, techdirt
Reader Comments
we're back...
(Thanks to mcc and dty for all the extra work on the weekend. )
Re: we're back...
Did Backtype have backups like they did a few months ago? The two hack attacks seemed oddly similar...
http://www.techdirt.com/articles/20081023/1124452627.shtml
Re: Re: we're back...
That wasn't a hack. That was an internal muckup. But, most of the comments have been restored, and we're looking to see if we can get the remaining ones.
My SQL Injection
COMMIT;
That, of course, is the Oracle SQL syntax; for SQL Server and Sybase (Transact-SQL) follow that by GO; rather than COMMIT; :-)
Re: My SQL Injection
Re: Re: My SQL Injection
"lol ya cuz the link was made to steal you ip adress..."
http://www.techdirt.com/articles/20090820/0327475945.shtml
Apparently this person went through a lot of effort to hack techdirt. Did they have access to our IP addresses? Why would they go through so much effort to try to steal people's IP addresses and hack techdirt? Just out of curiosity.
Re:
Re: Re:
... Big Ole Grin
no ethical hacking
Anyways sorry it happened. I like this site and you guys certainly don't deserve having to deal with this type of thing. There are plenty of other sites out there that would make a pretty good target. Here is one http://www.rove.com/
That was a joke btw.
Re: no ethical hacking
Oh, they realize how easy it is to trace them, trust me. Most of them either don't care or they would make sure you don't trace them if they didn't want to be traced. There are little real consequences for "hacking" even if they are traced.
Re: no ethical hacking
Re: Re: no ethical hacking
Re: Re: Re: no ethical hacking
Re: Re: Re: no ethical hacking
Re: Re: no ethical hacking
Crackers are people who crack software. Good in their own right but usually don't go onto other people's computers.
Script Kiddies are those who copy-paste code that doesn't belong to them. They are sloppy, and usually just do it to be "l33t". The lowest level of crap on the internet.
Comparing script kiddies to hackers is like comparing a kid who watched too much power rangers to a 4th level black belt.
I know people from all three categories. I have the utmost respect for hackers and crackers (usually really nice people). The script kiddies are assholes on and off line.
Granted, I may be a little out of date on my definitions. I've been online for a long, long time.
Re: Re: Re: no ethical hacking
Re: Re: Re: Re: no ethical hacking
Perhaps they feel abused or underappreciated by society, and choose this dubious method to lash back, after spending years of their lives and getting in hock up to their eyeballs at college only to find themselves sitting in the unemployment line next to assorted punks, drop-outs, and bohemians?
Re: Re: Re: Re: Re: no ethical hacking
Re: Re: Re: no ethical hacking
Well, this is not entirely accurate. Some black hats function as vulnerability bounty hunters/researchers, and some of them arguably reduce the value (and hence income opportunities) of professional criminal programmers by making exploit code public. Some white hats leverage their legitimate access to sensitive systems to do damaging things (while still doing their jobs as well, so no one notices the other stuff right away).
A better way to think of it, rather than good/bad, might be authorized/unauthorized. If you want to get more granular, it could be authorized-malicious, authorized-benign, unauthorized-benign, unauthorized-malicious. You don't know who the bad ones are until after they've done something bad.
These days, anyone who engages in unauthorized-benign hacking but isn't doing it for money is stupid. In this case, whoever did it was probably either hired or was looking around for something to monetize eventually (well, I suppose there are "hacktivists" now, who do it for ideological reasons, but since they aren't doing it for money they fall under stupid).
Re: Re: Re: Re: no ethical hacking
Uh, pretend I actually typed "unauthorized-malicious" there instead.
Re: Re: Re: Re: no ethical hacking
You obviously have never opped a channel on Efnet. There are people out there who don't have anything better to do than to spam channels, hack websites, etc... for whatever reason. And I mean educated people at that, with degrees in things like math. And it's not that they make money off of doing it either, they just for whatever reason enjoy doing it. They try to take over channels and just want to make the channel members' and operators' lives miserable. They start trolling groups that organize "attacks" on channels where they flood the channels with junk, making the lives of operators miserable; it's such a headache to deal with. Nobody really understands their psychology or why they do what they do.
Re: Re: Re: Re: Re: no ethical hacking
I'm not sure if this is the correct information but I found it on EFnet by looking up Biohazard. The person is also in an empty channel as well, a common practice for trolls and "hackers" on efnet (so the info is probably correct).
I probably really shouldn't release all this info but here goes.
bioboy@91.206.90.73 bioboy
91.206.90.73
Re:
Re: Re:
That's separate. He could have seen some of what's been purchased (there's a running ticker of purchases), but no financial information. All of that is way separate and protected.
Re:
While in the admin, the guy had access to the comment admin, which would show email addresses of commenters if they left them. So it's possible that some email addresses were exposed. No passwords were exposed though.
Re: Re:
Mike, can you think of a separate kind of accounts where I DO NOT have to provide my name or email? I mean, in the comments, I oftentimes express opinions that could cost me my job, and I totally don't want them to be associated with my real name absolutely ANYWHERE...
Re: Re:
heck, PHP 4.x had been EOL'ed.
Re:
Re:
Would you like the rest of the team to introduce themselves? It was "we" not "I."
And who might you be?
Re: Re:
Date: Mon, 24 Aug 2009 23:21:04 GMT
Server: Apache/1.3.33 (Unix) PHP/4.4.8 FrontPage/5.0.2.2635 mod_ssl/2.8.22 OpenSSL/0.9.7g
X-Powered-By: PHP/4.4.8
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
The "we team" might want to get to work on getting your server software out of 2004 and bringing it up to date. Plenty of holes there.
Re: Re: Re:
Enter the G-Men
Re:
Re:
Yeah! I bet the're all named "Mike" which is why Billy Mays wanted to clean Dennis' desk last week.
http://www.instantrimshot.com
Hah! Don't forget to tip your waitstaff.
Re:
Opensource
Re: Opensource
Re: Opensource
http://www.techdirt.com/articles/20090608/2201455173.shtml
Re: Re: Opensource
Re: Opensource
Re: Opensource
Re: Re: Opensource
There is a list on some website for every state of everyone who voted. Then there is another list that lists a bunch of voter numbers and the associated vote.
When I vote I am FIRST given a voter number on a computer. It's important the voter number comes first. I type in whom I want to vote for. Now mob boss (or someone I am selling my vote to) may ask for my voter number and I can give it to them and they can go online and look up the voter number and ensure that it contains the correct vote. But, what I could do is tell the system I am being coerced. Then the system will give me a true voter number first and I will type in who I really want to vote for and it will record it (it will not print out this number on the receipt, I must memorize it). Then it will give me a false voter number and I type in who I am supposed to vote for (say mob Boss wants me to vote for George Bush but I really want to vote for Ron Paul). The computer adds the false vote to the true list along with the true vote. But then there is another list that lists all the candidates and how many false votes each candidate has (it tells nothing else). It also makes up a random number of false votes for each candidate with fictitious numbers and it adds them to the true list and adds the number of fictitious votes for each candidate that it randomly generated to the number of coerced votes for each candidate on the other list. So it might look something like this
Number of Coerced votes for George Bush = 263
Number of coerced votes for Ron Paul = 157
(maybe 123 are randomly generated for George Bush by the system but no one knows that number).
(maybe 46 are randomly generated by the system for Ron Paul and not inserted by anyone where as the rest are inserted by people who claimed they were being coerced).
So for every false vote added to the true list for a candidate it gets subtracted because we know it should be subtracted based on the false voter list. Then we can see the result and make sure it adds up to the total number of people who voted.
Now there is the situation of, what if mob boss tells you to say your vote is coerced and he demands both numbers. Well, you can tell the system how many false votes you want to insert. What mob boss doesn't know is how many false votes you inserted. So you can tell the system you want to insert three false votes for George Bush (or any number of false votes) that show up on the true voter list (and get printed on your receipt) and get subtracted from the list as well because they get added to the number of coerced votes for George Bush as well. The true voter number won't show up on the receipt and the receipt does not distinguish between a false vote and a true vote so no one can know who you really voted for (you just have to remember your true voter number in that situation).
The only shortcoming in this system (and it's a major concern) is that it assumes that mob boss doesn't work for the government and that the system doesn't secretly keep track of false votes and their associated true votes. Basically it assumes the system doesn't somehow secretly work for mob boss in the background. But other than that it is foolproof.
Another shortcoming could be the idea that people might be required to take a picture of the screen showing who you really voted for with their cell phones.
Some things could help remedy that
A: Perhaps trying to create monitors that blur the image on them if a picture is taken.
B: Setting up the system so that the screen never distinguishes between a false vote and a true vote, you must distinguish based on what you type (and it tells you what to type depending on what you want to do). So the screen never actually tells you something is a true vote or not, you determine that based on what you type.
C: Disallowing cell phones and cameras in the voting booth with the computer and searching for them before someone enters.
Re: Re: Re: Opensource
Re: Re: Re: Opensource
Re: Re: Re: Re: Opensource
Re: Re: Re: Opensource
Just raising the question--interested to hear the answer.
Re:
Um. Seriously? Public domain means they're free to copy it and do whatever they want with it *elsewhere*. Not on our site.
Re: Re:
Re: Re: Re:
It was the physical instance of the site that was vandalized, the Techdirt servers that were broken into, through the site and affecting the site contents stored in the database. That's not intellectual property -- it's the machine, the admin interface, the data, etc.
I release all the code I write under a free license, but that doesn't mean anyone can use my laptop -- nevermind vandalize it. I release all the songs I write under a free license, but that doesn't mean someone can use my guitar -- nevermind vandalize it.
I can only assume, for the sake of my own sanity, that this is a poor attempt at searching for hypocrisy, rather than believe that you actually don't understand the difference between copying a website and breaking into the software on the server that manages it.
One kind of ethical hacking...
One thing they really hate is when you study their injection attempts, and then make "booby traps" consisting of scripts that sit in the location of exploitable files you don't use, and return fake probe responses saying you are hackable. Then they try to inject their stupid script/shell that has contained therein their favorite IRC network and #channel, plus the botnet command password, and commands.
Personally, I just upload the shells to Avira so they can make new signatures for Anti-Vir (free *nix & windows versions available).
Now that's pwning. (/me spits the bad taste out of his mouth caused by using leetspeak)
Re: Opensource
I just love the internet, ask a serious question, get told why your question isn't valid
Re: Re: Opensource
Re: Re: Re: Opensource
Also, the statement "Ask a stupid question, get a stupid answer" always seemed dumb to me. I also don't see how my question was "dumb"
I'm not trying to say this blog is as important as e-voting machines. If you got that out of what I wrote then I think there are bigger issues. All I'm saying is if making the code of e-voting machines opensource is supposed to make them more secure, why not do it to the blog?
Re: Re: Re: Re: Opensource
I think it's a legitimate question. Thing is, it takes work to open source code. To clean up code and make it generic enough to be used elsewhere, to maintain a software project... it takes effort to release code, and it's not quite as simple as 'giving it away'.
Also, I think it's important for web services to be free (like libre.fm or identi.ca), but the Techdirt blog isn't a web service. The code is just their publishing platform. That could be useful to others... but, with mature open source publishing/content management options like WordPress, Drupal, Joomla!, etc, there likely wouldn't be a ton of interest from developers.
I'd say, IMHO, (1) it's not essential (like e-voting machines, or web services) and (2) the benefits of freeing up the code might not be worth the effort it would take to do so.
Technically, it does exist, as magnetic domains on an HDD in a server somewhere. These magnetic domains are controlled by the arrangement of proton spin axes, as real as any stack of bricks that make a house.
Now he didn't make the HDD, but you didn't make the bricks (or whatever) your house is built out of either. And your house, is just an arrangement of materials, dictated by intelligence. Does that make your house and possessions intellectual property? If so, can I do with them what I wish, perhaps, burn them to the ground? Hacking Mike's site is equitable to that, in several of the philosophical mannerisms you are clinging so tenaciously to.
In fact, Blaise, you even make the point yourself: you shake your finger about not knowing the difference between the "website" (which is IP) and the "software that manages it" (which, BTW, is also IP). And yet, you seem to not know the difference between a "free license"--which means you own it, but let people use it freely--and "public domain", which means nobody owns it, including you.
Which brings us back to the original point: Mike likes the idea of deciding what happens to other people's IP; but, not so much when it happens to him.
Re:
They didn't change the "intellectual property" (copyright here), they modified the contents of Floor64's database. That doesn't change any copyright claims (the "intellectual property"), or lack thereof, on the database. It changes Floor64's actual database, specifically.
The expression on the Techdirt blog is essentially considered to be in the public domain -- that's what would be covered by copyright. That means anyone can use, adapt, build upon or modify that expression. That doesn't mean that anyone can use or modify Floor64's database.
I seriously hope that distinction isn't beyond your comprehension.
The website isn't itself "intellectual property." It contains content that would be covered by copyright. Because anyone can do what they want with the content doesn't mean that anyone can do what they want on Floor64's server or its database.
Is that hard to understand?
(And the software that manages the site is covered by copyright, but Floor64's copy and running instance is a different matter, and I specifically wrote "breaking into" the software -- i.e. unauthorized access.)
The distinction between public domain and freely licensed doesn't matter here since both allow the freedom to modify that you're having trouble understanding here. (Public domain content is also free content.)
If you have to try this hard to find some sort of hypocrisy, maybe you're searching for something that doesn't exist. I think you want to believe it exists, but you seem too smart for me to be convinced that you actually believe there's any kind of hypocrisy here.