Josh,
Thanks for the information. Your account, observations and suggestions are a
great help. I'm thinking about co-lo'ing a server so your post came in very
handy.
Best,
Rey Bango...
----- Original Message -----
From: "Josh R" <[EMAIL PROTECTED]>
To: "CF-Talk" <[EMAIL PROTECTED]>
Sent: Thursday, August 16, 2001 6:20 PM
Subject: Diary of a hack attempt
> Wednesday morning, someone tried hacking into my website. (Not the first
> time, won't be the last) Didn't look like they made it. I can't be
> surprised. I have a controversial article about hacking plus I offer a
> security script. The fun part is there's nothing of value up there (my
> shopping site doesn't store credit card info or anything like that). But
of
> course, they don't know that, and sometimes, they don't care.
>
> Since we just had a discussion about security, I figured I'd relate some
> details and observations for the sake of information. Perhaps this will
help
> some people improve their security. (I'm assuming it's a "he" for ease of
> writing so don't get all sexist on me.)
>
> Some non-important details have been left out to protect my butt, but
you'll
> get the full idea.
>
> (hack attempt)
>
> The first thing the guy did was try to use a well known IIS hole to look
at
> my application.cfm. Didn't work. Then he tried the same IIS hole to look
at
> my cart.cfm page. No luck there either.
>
> Then I received about 100 calls in about 2 minutes, each one aiming for
> locations of known scripts. It searched for known FrontPage extensions,
> locations of standard DLL files, well known CGI scripts, EXE files,
standard
> Cold Fusion files, stock shopping cart files, the works. He even looked
for
> scandisk logs and other known items. It tried a few locations for the same
> item, but not very much. Mostly it tried specific known holes.
>
> When that failed, he seemed to leave.
>
> (/hack attempt)
>
> OBSERVATIONS:
>
> This seems to have been what many people refer to as a "script kiddie".
Some
> young (in terms of computer skill) person with knowledge of a few holes
and
> a hacking program.
>
> First, he poked around to see if he could get information on my sites
layout
> and vital statistics. Looking at the application.cfm and cart.cfm were the
> best bets for finding out important info, so kudos to the hacker for
having
> some intelligence.
>
> Once he realized he wasn't going to get anywhere that way, he launched his
> "hack weapon of death".
>
> He has a program that runs through a list of known security holes. It
> systematically tries each one and alerts him to open doors.
>
> This has become a very standard way of attempting hacks. The days of some
> computer nerd exploiting one unknown hole is over. With so many systems
and
> possible security holes, the usual attack is a shotgun attack, trying
every
> known hole as quickly as possible.
>
> One thing I've noticed is that this shotgun method relies on one thing:
> Standard layouts.
>
> Every single hole he tried attempted to find a specific file in a specific
> location (or locations). These locations are known because programs
install
> the same way every time. For example, when installing FrontPage in the
> default way (the way 99.9% of people install software), the same
extensions
> are placed in the same location every time. Since the locations are known,
> the attack aims at those specific locations. The same is true about
certain
> settings. Since programs install with certain settings (or default
> passwords) these are also scanned for.
>
> In other words these attacks aren't like a "find" program that looks all
> over your system for a particular file, they're more like a "run" program
> that expects something to be in a standard location. Since the file it
wants
> isn't where it should be, nothing runs, and the hack is unsuccessful.
>
> However, since nothing on my system is in "default locations", this
attempt
> doesn't seem to work. A more personal touch is required to enter my site
and
> this guy didn't want to spend the time when other sites will probably fall
> victim to his shotgun technique.
>
> The important thing to remember about this kind of attack is that it isn't
> personal. These hackers are going "door-to-door" knocking and checking the
> handle to see if it's unlocked. When they find an entrance they head on
in.
> They don't know who you are and they don't care.
>
> This guy didn't have a personal vendetta against me or my site. If he did,
> he would have poked around a little closer, searched the internet for
> personal info about me, made phone calls, bribed employees and friends for
> info and found out as much as he could about me and my sites layout so he
> could find a way to break in.
>
> That didn't happen. He couldn't find an easy entrance so he moved on to
the
> next poor sucker. I got lucky this time.
>
> LESSONS:
>
> So what can we learn from this?
>
> Change all default settings on ALL programs:
>
> If you use Cold Fusion (which of course we all do), or anything else on
your
> servers, place it in a non-standard location. Change the install from
> C:\Program Files\Allaire\ColdFusion Studio x.x or C:\CFUSION
> to something like
> C:\MY FILES ARE\SAFERHERE\Allaire\ColdFusion Studio x.x
> Place your websites in a non-standard location, so they can't jump to
> something else via url hacking.
>
> If you use a stock shopping cart, or stock CGI script, or anything like
> that, Place it in a non-standard location like
> www.website.com/cgi-bin/realscriptshere/sendmail.cgi. Make sure nobody
> looking at your HTML can tell where your scripts are located.
>
> Example: If you use AHP Shopping Cart, or CartEase or AbleCommerce etc.
> Chances are that your files are right where hackers want them to be.
>
> IMPORTANT: Many of the attacks are looking for a hole relative to the
> website. For example they hunt for "../_vti_pvt/scripthole.dll" or
> "../../_vti_pvt/scripthole.dll" since it's usually placed one or two
folders
> away from your website. (God I love picking on FrontPage)
>
> Change standard passwords and default settings:
>
> When you install something (in a non-default location), always go through
it
> and change potentially dangerous default settings. Look for default
> passwords and change them.
>
> A little fact to drive the point home: A well known car company got into
big
> trouble because they only made about 53 different keys for all the cars
they
> made. If someone has a collection of those keys, they have access to every
> single car made by that company. This means your car unless you go through
> the trouble to have the car rekeyed with a custom key. Websites are just
> like this.
>
> I am by no means a security expert. I'm just throwing out some things I've
> noticed for the sake of discussion. If this helps great. If you have some
> tips of your own, please share.
>
> ================================
> Josh - [EMAIL PROTECTED]
> ================================
>
>
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Structure your ColdFusion code with Fusebox. Get the official book at
http://www.fusionauthority.com/bkinfo.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
