Getting Your Start Because You Got Hacked
From: tadaka at gmail.com (Jason Wood)
Date: Thu, 14 May 2009 13:02:41 -0600

This happened back when I was a jr sysadmin at a fairly large dotcom.  My
wife and I were having a party at our house with several of our friends when
my cell phone went off.  Sure enough, it was the NOC saying that this one
web server kept running out of disk space and they couldn't figure out why.
The operator had cleared out all the temp files he could find, removed a
number of web server logs and some other stuff.  Disk space dropped for
about 30 minutes and then climbed back up over 90%.

My computer was in the living room, so in the middle of the party I logged
into this server and started poking around.  First order of business was to
figure out where the most disk space was being chewed up.
C:\inetpub\ftproot was the culprit.  I looked around the file system and
found video games, music files, warez, etc all over the place.  I checked
the FTP config and saw that it was a default setup with no relation to the
function of the web server.  Anonymous access had full read/write.  At this
point, I was cracking up and asking people at the party if anyone wanted the
latest Britney Spears album.  I had 3-4 people crowded around my PC to watch
what was going on.

I uninstalled the FTP service, cleaned up the disk space and looked at the
FTP logs.  Sure enough, the server had been idle on FTP for weeks, then got
discovered.  In 2 days it went from unknown to very popular.  It also didn't
hurt that there were multiple OC3s coming into the environment.  The users
of the site must have been having a field day.

Wait, I hear people asking, shouldn't the firewall have blocked the FTP
connections?  Well, not if it is set to allow FTP inbound to all servers.
That later got changed too.

Anyhow, it was a completely hilarious experience, particularly since I
didn't set up the server so my pride wasn't at stake.  ;-)



On Thu, May 14, 2009 at 12:43 PM, Joshua Wright <jwright at hasborg.com> wrote:

I was working for Johnson & Wales University and we had a Citrix server
running on NT 3.51.  I was one of the first people who got a cable-modem
at home from Cox Communications, and it rocked!  It rocked so much,
someone else on the LAN discovered my workgroup and host, and connected
to an unprotected share on my Windows 98 machine where he grabbed the
.ica file with a stored password to the Citrix server.  He called me at
home to let me know how r00ted I was, after getting my home phone number
from my wife's resume.doc file.

Yeah, it was pretty painful, but it was my motivator to get into
infosec.  "Wow, that sucks, but at the same time, it's so awesome too"
is the best way I can describe it.

Years later we bumped into each other in Providence, and he told me how
he's been watching my career since he called me that first time.  I
thanked him for his help. :)

-Josh

Paul Asadoorian wrote:
All:

I'd like to start a new thread where we all share our experiences on how
we got into computer security.  Specifically I want to hear about people
whose boxes got hacked, and sparked a life-long career in infosec.

I may use your story in an upcoming piece I am working on, if I do I
will contact you off-list for permission and such.

Larry, I know you got a good story here ;)

Thanks!

Cheers,
Paul

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
