130416-#linode-HTP-update

a guest, Apr 16th, 2013
07:44 < HTP> well good morning everyone
07:44 -!- mib_rpm3f8 [d4af59a2@ircip1.mibbit.com] has quit []
07:44 < Tea> Daedolon: Only options for autoindex are exact_size and localtime according to the docs
07:45 < antihero> and the trolls arrive
07:45 < HTP> turns out, chris did the blog post after all
07:45 < erent> HTP: hey
07:45 < antihero> lol
07:45 < HTP> i've shredded all of your customer data and linode data
07:45 < erent> :)
07:45 < antihero> perhaps HTP hacked Linode's blog and wrote the post itself
07:46 < HTP> it wouldn't be as sweet :P
07:46 < bob2> nachtkriecher, you're confused
07:46 < nachtkriecher> yes i know :\
07:46 < bob2> nachtkriecher, add your zone to the dns manager, then tell us what it is
07:46 <@meskarune> DNS manager just hosts DNS records :P
07:46 < nachtkriecher> i can just ask my friend at work tomorrow who understands my gibberish
07:46 -!- best72 [~best72@116.214.108.1] has left #linode []
07:46 < A-KO> HTP: Why not take your skills and go work for some $gov somewhere? It pays reasonably well, 6-figure salaries...
07:46 < bob2> nachtkriecher, edit the hosts file on your desktop to point whocares.com and www.whocares.com to your linode ip
07:47 -!- robinetd [~robinetd@00018b6d.user.oftc.net] has quit [Remote host closed the connection]
07:47 -!- delph` [~michael@puma-mxisp.mxtelecom.com] has left #linode []
07:47 < erent> A-KO: we don't know if HTP is genuine :)
07:47 < erent> I was convinced by the previous log, the one with a nickname "ryan"
07:47 -!- mib_68v1r4 [d4af59a2@ircip1.mibbit.com] has joined #linode
07:47 < erent> and the blog post by linode staff is not convincing
07:47 < nachtkriecher> see that's the thing, if i do that, then i'm not testing the dns manager configuration, i'm only testing nginx
07:48 < erent> "we are using symmetric key encryption over private key, and it's all in our heads"
07:48 < HTP> just a part of the pms i sent chris:
07:48 < HTP> <HTP> ┌──[HTP@thegibson]─[~/linode]
07:48 < HTP> <HTP> └─$ shred -vzun 3 linode-wwwroot/* linode-wwwroot/*/* linode-wwwroot/*/*/* linode-wwwroot/*/*/*/* linode/*/*/*/*/*
07:48 < HTP> <HTP> shred: linode-wwwroot/www.tgz: pass 1/4 (random)...
07:48 < HTP> <HTP> shred: linode-wwwroot/www.tgz: pass 1/4 (random)...871MiB/2.2GiB 40%
07:48 < HTP> <HTP> shred: linode-wwwroot/www.tgz: pass 1/4 (random)...1013MiB/2.2GiB 47%
07:48 < A-KO> erent: The blog post is fine
07:48 < bob2> nachtkriecher, yes, welcome to the internet
07:48 < HTP> <HTP> ┌──[HTP@thegibson]─[~/linode]
07:48 < HTP> <HTP> └─$ shred -uzn 3 *.sql
07:48 < HTP> <HTP> shred: customer.sql: pass 1/4 (random)...
07:48 < HTP> <HTP> shred: customer.sql: pass 2/4 (random)...
07:48 < HTP> etc
07:49 < A-KO> Must hand it to HTP for the Hackers reference... I watch that movie a few times per year....
07:49 < HTP> though i did typo and didn't add enough subdirs to the wwwroot, apparently
07:49 < nachtkriecher> bob2, so you're saying it's not possible to test my dns manager configuration without actually switching my domain name over?
07:49 < k00pa> HTP: any proof?
07:49 < A-KO> The thing that most worries me is that Linode didn't disclose the attack sooner...
07:49 < bob2> nachtkriecher, more or less
07:49 < nachtkriecher> ok
07:49 < lbotos> nachtkriecher: you could query the nameserver directly: dig @ns1.linode.com mydomain.com
07:49 < erent> HTP: I don't think they are using a fancy PROMPT, the previous log from ryan was plain bash
07:50 < nachtkriecher> that's basically what i wanted to know
07:50 < Nightmare> HTP: you never said if you were single or not :(
07:50 -!- lysender [~lysender@222.127.29.66] has quit [Quit: Leaving.]
07:50 < erent> https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc
07:50 < bob2> hence why i said to tell us the name
07:50 < nachtkriecher> mm ok
07:50 < nachtkriecher> well i have already done all the things you said to do
07:50 < nachtkriecher> nachtkriecher.com
07:50 -!- mib_68v1r4 [d4af59a2@ircip1.mibbit.com] has left #linode []
07:50 < A-KO> erent: If you're that worried just change your CC, done. No big deal.
07:50 < A-KO> Y'all act like this is the first compromise to ever happen on the Internet.
07:50 < erent> sure, not a big deal for me, I just want to learn the truth
07:51 < Tea> the truth is...
07:51 < Tea> !urmom
07:51 < linbot> Tea: Yo mommas so cheap, she sublets a 360! (740:8/3) [mrmuo]
07:51 < A-KO> the truth--linode got hacked, customer data, encrypted, was taken.
07:51 < HTP> no proof, that's the point. there's nothing left. one note i would like to add is
07:51 < bob2> nachtkriecher, you have no MX record, which is likely to be bad
07:51 < Tea> We don't have 360s anymore, need to update that one
07:51 < nachtkriecher> yes i deleted it, i'm not using mail
07:51 -!- robinetd [~robinetd@00018b6d.user.oftc.net] has joined #linode
07:51 < erent> A-KO: I use a virtual CC, in which the balance is always 0, until I add the balance before paying anything
07:52 < erent> so, no worries for me, and I would advise using a virtual CC for these kinds of internet payments
07:52 < erent> if your bank supports it
07:52 < A-KO> hacks and compromises occur all of the time, very few are disclosed.
07:52 < HTP> the CCrypter class of the linode application context was accessible from outside the wwwroot using undocumented ColdFusion methods. i was fully able to decrypt the ccs using the in-memory privkey that they supplied the password for.
07:52 < erent> A-KO: you are right, I'm looking forward to the method, actually :)
07:52 < erent> HTP: how did you take out the private key from memory from another process?
07:53 < A-KO> It's a shame he destroyed that data, I'd ask him for proof on that one ;)
07:53 < HTP> coldfusion runs as a single process, and its memory can be accessed using the ColdFusion wrapper
07:53 < A-KO> haha
07:53 < erent> you cannot access another process's address space from a different process
07:53 < HTP> it uses contexts to store memory
07:53 < A-KO> I just wrote a blog post about multi process server-side processing for security :( People gave me shit for it :(
07:54 < bob2> erent, yes you can
07:54 -!- ratrace [~ratrace@78-2-97-236.adsl.net.t-com.hr] has joined #linode
07:54 < erent> bob2: well, I would love to learn how it is possible
07:55 < erent> I mean, it's a basic OS feature. not accessing another process's address space, just staying where you are :)
07:55 < A-KO> grab some books and enjoy some long reading :)
07:55 < HTP> that being said, i think i'm going to screenshot this and frame it on my wall now
07:55 < bob2> erent, false
07:55 -!- kleinishere [~kleinishe@s229-171.resnet.ucla.edu] has joined #linode
07:55 < erent> bob2: lead me
07:55 -!- yasMouh [~is-sec.or@41.104.126.156] has joined #linode
07:55 -!- phendryx [~phendryx@d14-69-137-50.try.wideopenwest.com] has joined #linode
07:55 < erent> I would appreciate it and correct the information
07:55 < bob2> ?
07:56 < bob2> ptrace
07:56 < HTP> or if nothing else, include it in the zine
07:56 < bob2> and if you have root, you can just map the process
07:56 < erent> bob2: sure, but we are talking about the ColdFusion process
07:57 < bob2> ?
07:58 < erent> ah, so they exploited ColdFusion to get root. It seemed just that they didn't get far beyond ColdFusion
07:58 < HTP> no, we exploited a linode cron task to get root
07:58 < HTP> by hiring Eugene Belford aka Mr. The Plague
07:58 < HTP> to administrate linode servers with his public key deployed under /root/.ssh/authorized_keys2
07:59 < Nightmare> ...is he hot?
08:00 < erent> I expected Chuck Norris, his ssh key is installed by default and he can access all the servers around the world
08:00 < A-KO> figures, used my debit card for linode...
08:00 < synapt> I feel like the claims keep changing, albeit a little here and there, but changing nonetheless over the day
08:01 < synapt> A-KO: Chuck Norris did?
08:01 < HTP> you guys can talk about the cc data but we only really checked two of them (a whitehat and someone who got v& last year). www1 logs would prove that.
08:01 -!- yasMouh_ [~is-sec.or@41.108.82.119] has quit [Ping timeout: 480 seconds]
08:01 < HTP> one of em was using a prepaid visa giftcard anyway
08:02 < ella> Hi ho!  Is the Linode1024 to Linode2048 free upgrade a no-future-cost upgrade?
08:02 < A-KO> HTP: I would be foolish to assume that my CC data wasn't compromised, even if you sit here and assure me it was not...
08:02 <@qmr> ella: Yes.  http://blog.linode.com/2013/04/09/linode-nextgen-ram-upgrade/
08:02 < erent> HTP: well, I'm looking forward to HTP5
08:02 < Tea> ella: The prices of all plans increased by 5 cents, but other than that - free
08:02 < Tea> ella: Upgrade away
08:02 < HTP> yeah of course
08:02 -!- nachtkriecher [~nachtkrie@ppp118-208-235-169.lns20.hba2.internode.on.net] has quit [Quit: leaving]
08:02 < synapt> ella: extra 5 cents basically, just to round things up
08:03 < ella> qmr geee Linode is so giving :) What will I do with that extra CPU!
08:03 < synapt> (simpler than the whole *.95 thing)
08:03 < HTP> erent, ;)
08:03 < ella> synapt Ooo 5 cents!  Have to give up chocolate one week a year :)
08:03 < erent> I hope they will include the method, and how they got into the box
08:03 < Tea> ella: Linode: Making you healthier(TM)
08:04 < ella> OK here goes - upgrading away ... I'm gonna regret this :) hahah!  Backup nearly complete, then I vanish for what, 24 minutes :) then I return with luck!  Or I never log in again!
08:04 < HTP> well i think that covers everything. if anyone comes in later screaming, inform them we don't have their information nor do we care
08:04 < HTP> good luck #linode