130416-#linode-HTP-update

By: a guest on Apr 16th, 2013  |  syntax: None  |  size: 9.49 KB  |  views: 1,373  |  expires: Never
07:44 < HTP> well good morning everyone
07:44 -!- mib_rpm3f8 [d4af59a2@ircip1.mibbit.com] has quit []
07:44 < Tea> Daedolon: Only options for autoindex are exact_size and localtime according to the docs
07:45 < antihero> and the trolls arrive
07:45 < HTP> turns out, chris did the blog post after all
07:45 < erent> HTP: hey
07:45 < antihero> lol
07:45 < HTP> i've shredded all of your customer data and linode data
07:45 < erent> :)
07:45 < antihero> perhaps HTP hacked Linode's blog and wrote the post itself
07:46 < HTP> it wouldn't be as sweet :P
07:46 < bob2> nachtkriecher, you're confused
07:46 < nachtkriecher> yes i know :\
07:46 < bob2> nachtkriecher, add your zone to the dns manager, then tell us what it is
07:46 <@meskarune> DNS manager just hosts DNS records :P
07:46 < nachtkriecher> i can just ask my friend at work tomorrow who understands my gibberish
07:46 -!- best72 [~best72@116.214.108.1] has left #linode []
07:46 < A-KO> HTP: Why not take your skills and go work for some $gov somewhere? It pays reasonably well, 6-figure salaries...
07:46 < bob2> nachtkriecher, edit the hosts file on your desktop to point whocares.com and www.whocares.com to your linode ip
07:47 -!- robinetd [~robinetd@00018b6d.user.oftc.net] has quit [Remote host closed the connection]
07:47 -!- delph` [~michael@puma-mxisp.mxtelecom.com] has left #linode []
07:47 < erent> A-KO: we don't know if HTP is genuine :)
07:47 < erent> I was convinced by the previous log, the one with a nickname "ryan"
07:47 -!- mib_68v1r4 [d4af59a2@ircip1.mibbit.com] has joined #linode
07:47 < erent> and the blog post by linode staff is not convincing
07:47 < nachtkriecher> see that's the thing, if i do that, then i'm not testing the dns manager configuration, i'm only testing nginx
07:48 < erent> "we are using symmetric key encryption over private key, and it's all our heads"
07:48 < HTP> just a part of the pms i sent chris:
07:48 < HTP> <HTP> ┌──[HTP@thegibson]─[~/linode]
07:48 < HTP> <HTP> └─$ shred -vzun 3 linode-wwwroot/* linode-wwwroot/*/* linode-wwwroot/*/*/* linode-wwwroot/*/*/*/* linode/*/*/*/*/*
07:48 < HTP> <HTP> shred: linode-wwwroot/www.tgz: pass 1/4 (random)...
07:48 < HTP> <HTP> shred: linode-wwwroot/www.tgz: pass 1/4 (random)...871MiB/2.2GiB 40%
07:48 < HTP> <HTP> shred: linode-wwwroot/www.tgz: pass 1/4 (random)...1013MiB/2.2GiB 47%
07:48 < A-KO> erent: The blog post is fine
07:48 < bob2> nachtkriecher, yes, welcome to the internet
07:48 < HTP> <HTP> ┌──[HTP@thegibson]─[~/linode]
07:48 < HTP> <HTP> └─$ shred -uzn 3 *.sql
07:48 < HTP> <HTP> shred: customer.sql: pass 1/4 (random)...
07:48 < HTP> <HTP> shred: customer.sql: pass 2/4 (random)...
07:48 < HTP> etc
07:49 < A-KO> Must hand it to HTP for the Hackers reference...I watch that movie a few times per year....
07:49 < HTP> though i did typo and didn't add enough subdirs to the wwwroot, apparently
07:49 < nachtkriecher> bob2, so you're saying it's not possible to test my dns manager configuration without actually switching my domain name over?
07:49 < k00pa> HTP: any proof?
07:49 < A-KO> The thing that most worries me is that Linode didn't disclose the attack sooner...
07:49 < bob2> nachtkriecher, more or less
07:49 < nachtkriecher> ok
07:49 < lbotos> nachtkriecher: you could query the nameserver directly dig @ns1.linode.com mydomain.com
07:49 < erent> HTP: I don't think they are using fancy PROMPT, previous log from ryan was plain bash
07:50 < nachtkriecher> that's basically what i wanted to know
07:50 < Nightmare> HTP: you never said if you were single or not :(
07:50 -!- lysender [~lysender@222.127.29.66] has quit [Quit: Leaving.]
07:50 < erent> https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc
07:50 < bob2> hence why i said to tell us the name
07:50 < nachtkriecher> mm ok
07:50 < nachtkriecher> well i have already done all the things you said to do
07:50 < nachtkriecher> nachtkriecher.com
07:50 -!- mib_68v1r4 [d4af59a2@ircip1.mibbit.com] has left #linode []
07:50 < A-KO> erent: If you're that worried just change your CC, done. No big deal.
07:50 < A-KO> Y'all act like this is the first compromise to ever happen on the Internet.
07:50 < erent> sure, not a big deal for me, I just want to learn the truth
07:51 < Tea> the truth is...
07:51 < Tea> !urmom
07:51 < linbot> Tea: Yo mommas so cheap, she sublets a 360! (740:8/3) [mrmuo]
07:51 < A-KO> the truth--linode got hacked, customer data, encrypted, was taken.
07:51 < HTP> no proof, that's the point. there's nothing left. one note i would like to add is
07:51 < bob2> nachtkriecher, you have no MX record, which is likely to be bad
07:51 < Tea> We don't have 360s anymore, need to update that one
07:51 < nachtkriecher> yes i deleted it, i'm not using mail
07:51 -!- robinetd [~robinetd@00018b6d.user.oftc.net] has joined #linode
07:51 < erent> A-KO: I use virtual CC, in which the balance is always 0, until I add the balance before paying anything
07:52 < erent> so, no worries for me, and I would advise using virtual CC for these kinds of internet payments
07:52 < erent> if your bank supports
07:52 < A-KO> hacks and compromises occur all of the time, very few are disclosed.
07:52 < HTP> the CCrypter class of the linode application context was accessible from outside the wwwroot using undocumented ColdFusion methods. i was fully able to decrypt the ccs using the in-memory privkey that they supplied the password for.
07:52 < erent> A-KO: you are right, I'm looking forward to the method, actually :)
07:52 < erent> HTP: how did you take out the private key from memory from another process?
07:53 < A-KO> It's a shame he destroyed that data, I'd ask him for proof on that one ;)
07:53 < HTP> coldfusion runs as a single process, and its memory can be accessed using the ColdFusion wrapper
07:53 < A-KO> haha
07:53 < erent> you cannot access another process's address space from a different process
07:53 < HTP> it uses contexts to store memory
07:53 < A-KO> I just wrote a blog post about multi process server-side processing for security :( People gave me shit for it :(
07:54 < bob2> erent, yes you can
07:54 -!- ratrace [~ratrace@78-2-97-236.adsl.net.t-com.hr] has joined #linode
07:54 < erent> bob2: well, I would love to learn how it is possible
07:55 < erent> I mean, it's a basic OS feature. not access another process address space, just stay where you are :)
07:55 < A-KO> grab some books and enjoy some long reading :)
07:55 < HTP> that being said, i think i'm going to screenshot this and frame it on my wall now
07:55 < bob2> erent, false
07:55 -!- kleinishere [~kleinishe@s229-171.resnet.ucla.edu] has joined #linode
07:55 < erent> bob2: lead me
07:55 -!- yasMouh [~is-sec.or@41.104.126.156] has joined #linode
07:55 -!- phendryx [~phendryx@d14-69-137-50.try.wideopenwest.com] has joined #linode
07:55 < erent> I would appreciate it and correct the information
07:55 < bob2> ?
07:56 < bob2> ptrace
07:56 < HTP> or if nothing else, include it in the zine
07:56 < bob2> and if you have root, you can just map the process
07:56 < erent> bob2: sure, but we are talking about ColdFusion process
07:57 < bob2> ?
07:58 < erent> ah, so they exploited ColdFusion to get root. It seemed just that they didn't get far beyond ColdFusion
07:58 < HTP> no, we exploited a linode cron task to get root
07:58 < HTP> by hiring Eugene Belford aka Mr. The Plague
07:58 < HTP> to administrate linode servers with his public key deployed under /root/.ssh/authorized_keys2
07:59 < Nightmare> ...is he hot?
08:00 < erent> I expected Chuck Norris, his ssh key is installed by default and he can access all the servers around the world
08:00 < A-KO> figures, used my debit card for linode...
08:00 < synapt> I feel like the claims keep changing, albeit a little here and there, but changing nonetheless over the day
08:01 < synapt> A-KO: Chuck norris did?
08:01 < HTP> you guys can talk about the cc data but we only really checked two of them (a whitehat and someone who got v& last year). www1 logs would prove that.
08:01 -!- yasMouh_ [~is-sec.or@41.108.82.119] has quit [Ping timeout: 480 seconds]
08:01 < HTP> one of em was using a prepaid visa giftcard anyway
08:02 < ella> Hi ho!  Is the Linode1024 to Linode2048 free upgrade a no future cost upgrade?
08:02 < A-KO> HTP: I would be foolish to assume that my CC data wasn't compromised, even if you sit here and assure me it was not...
08:02 <@qmr> ella: Yes.  http://blog.linode.com/2013/04/09/linode-nextgen-ram-upgrade/
08:02 < erent> HTP: well, I'm looking forward to HTP5
08:02 < Tea> ella: The prices of all plans increased by 5 cents, but other than that - free
08:02 < Tea> ella: Upgrade away
08:02 < HTP> yeah of course
08:02 -!- nachtkriecher [~nachtkrie@ppp118-208-235-169.lns20.hba2.internode.on.net] has quit [Quit: leaving]
08:02 < synapt> ella: extra 5 cents basically, just to round things up
08:03 < ella> qmr geee Linode is so giving :) What will I do with that extra CPU!
08:03 < synapt> (simpler than the whole *.95 thing)
08:03 < HTP> erent, ;)
08:03 < ella> synapt Ooo 5 cents!  Have to give up chocolate one week a year :)
08:03 < erent> I hope they will include the method, and how they got into the box
08:03 < Tea> ella: Linode: Making you healthier(TM)
08:04 < ella> OK here goes - upgrading away ... I'm gonna regret this :) hahah!  Backup nearly complete, then I vanish for what 24 minutes :) then I return with luck!  Or I never log in again!
08:04 < HTP> well i think that covers everything. if anyone comes in later screaming, inform them we don't have their information nor do we care
08:04 < HTP> good luck #linode
  124. 08:03 < synapt> (simpler than the whole *.95 thing)
  125. 08:03 < HTP> erent, ;)
  126. 08:03 < ella> synapt Ooo 5 cents!  Have to give up chocolate one week a year :)
  127. 08:03 < erent> I hope they will include the method, and how they got into the box
  128. 08:03 < Tea> ella: Linode: Making you healthier(TM)
  129. 08:04 < ella> OK here goes - upgrading away ... I'm gonna regret this :) hahah!  Backup nearly complete, then I vanish for what 24 minutes :) then I return with luck!  Or I never log in again!
  130. 08:04 < HTP> well i think that covers everything. if anyone comes in later screaming, inform them we don't have their information nor do we care
  131. 08:04 < HTP> good luck #linode