Hackin9

If you're like me, you have your own little website project hosted with one of the many inexpensive website hosting companies. Perhaps you've recommended one as a solution to a small business or organization. You may also be aware that they are pretty attractive targets for professional computer criminals. Brian Krebs has a nice writeup of the value of your standard PC to a criminal here: http://krebsonsecurity.com/2012/10/the-scrap-value-of-a-hacked-pc-revisited/

The Value of a Web-Hosting Account

I want to briefly expand on the added value of compromising a box sitting in a rack at one of these hosting companies.

The first is that since they're already web servers, they do a better job with all the standard exploit-hosting, phishing-site, and other web-server uses identified in Brian's analysis. Secondly, they usually enjoy more bandwidth than the average home or business PC, which is a big advantage for criminals interested in launching Distributed Denial of Service (DDoS) attacks (http://ddos.arbornetworks.com/2012/12/lessons-learned-from-the-u-s-financial-services-ddos-attacks/). Thirdly, compromising a single session on a shared server opens up all of the other accounts on that server as well as other servers in that data center.

How They Are Gaining Access

A web server has a different attack surface from the normal workstation. This is how they're being compromised, in no particular order.

Many web-hosting providers limit the customer to using a web-based management tool like cPanel or Webmin. These tools may have their own vulnerabilities that let an attacker in that way (if the hosting company isn't updating regularly or following good security practices).

Many customers use these services because they don't have a lot of experience running servers, so they make poor choices in selecting which applications they install and may be lax in keeping them up to date. Popular packages like WordPress or Drupal need to be regularly updated and configured securely. This is not always intuitive, and there are a lot of vulnerable builds running out there.

FTP credentials are commonly targeted by other malware. For example, if your home PC stumbles upon an exploit site, one of the intermediary payloads will search for registry settings identifying FTP applications on the system and will attempt to extract the username/password and feed that up to the botnet controller. So while that botnet-for-hire is installing whatever banking trojan they've been contracted for, they're also building up a database of credentials to other potential future hosting sites.

Once a criminal has an account on a server, it becomes easier for them to attack other accounts on the system or escalate privileges to take over the entire system. If a criminal has a stolen credit card or PayPal account, they can easily gain access to an otherwise secure server.

What You Can Do

While you can't patch the server, cPanel, etc., you can keep your own services patched and configured securely. We live in an environment where you can't be certain that everything is secure, so you have to plan on something getting compromised. In this case, plan on the server being compromised at some time in the future and develop a recovery plan. This means regular backups and inspection of the site. Logs should be exported off the server regularly for analysis and alerting; you want to quickly detect when things begin to go awry. You should also work out in advance what the best emergency/security/abuse contact process is for your hosting provider. These are things you will have to keep in mind when you recommend an inexpensive hosting solution to a friend, family member, or volunteer organization.
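As an added example (not code from the SANS diary above or from any hosting provider), the following Python script implements two of the checks recommended here for an account on shared hosting: a file-integrity snapshot that compares the site's files against a known-good baseline, and a pass over exported access logs that raises alerts for repeated POSTs to a login page, bursts of 404 responses from one client, and successful requests for PHP files that are not in the baseline. The log lines, addresses, paths and the alert thresholds are constructed for this example and are assumptions to tune for your own site.

```python
"""Two defender checks for a shared-hosting site: log alerting and file integrity."""
import hashlib
import re
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Constructed sample in Apache "combined" log format. The addresses, paths and
# user agents are made up for this example and do not come from the original post.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2013:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1422 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jan/2013:10:01:00 +0000] "GET /wp-content/uploads/cache.php HTTP/1.1" 200 88 "-" "curl/7.26"
203.0.113.9 - - [12/Jan/2013:10:01:01 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/7.26"
203.0.113.9 - - [12/Jan/2013:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "curl/7.26"
203.0.113.9 - - [12/Jan/2013:10:01:03 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "curl/7.26"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Login endpoints of common packages (assumed list; extend for your own site).
LOGIN_PATHS = {"/wp-login.php", "/user/login", "/administrator/index.php"}


def parse_log(text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
            yield rec


def analyze_log(text, known_paths, login_threshold=3, notfound_threshold=3):
    """Return sorted (rule, client, detail) alerts for the exported log text."""
    login_posts = Counter()
    not_found = Counter()
    unknown_php = defaultdict(set)
    for rec in parse_log(text):
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path in LOGIN_PATHS:
            login_posts[ip] += 1
        if rec["status"] == 404:
            not_found[ip] += 1
        # A PHP file that answers 200 but is not in the baseline may be a dropped script.
        if path.endswith(".php") and path not in known_paths and rec["status"] == 200:
            unknown_php[ip].add(path)
    alerts = []
    for ip, n in login_posts.items():
        if n >= login_threshold:
            alerts.append(("login-bruteforce", ip, f"{n} POSTs to login endpoint"))
    for ip, n in not_found.items():
        if n >= notfound_threshold:
            alerts.append(("scan-404", ip, f"{n} responses 404"))
    for ip, paths in unknown_php.items():
        alerts.append(("unknown-php", ip, ", ".join(sorted(paths))))
    return sorted(alerts)


def snapshot(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline, current):
    """Report files that appeared, disappeared, or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def known_paths_from_snapshot(snap):
    """Turn snapshot keys into URL paths so the log check can use the file baseline."""
    return {"/" + rel for rel in snap}


def demo_integrity_check():
    """Build a throwaway site tree, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "index.php").write_text("<?php echo 'hello'; ?>")
        (site / "wp-content").mkdir()
        (site / "wp-content" / "theme.css").write_text("body{}")
        baseline = snapshot(site)
        # Simulated tampering: one dropped file and one modified file (constructed).
        (site / "wp-content" / "cache.php").write_text("<?php /* constructed placeholder */ ?>")
        (site / "index.php").write_text("<?php echo 'hello'; include 'x'; ?>")
        return diff_snapshots(baseline, snapshot(site))


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG, {"/index.php", "/wp-login.php"}):
        print(*alert)
    print(demo_integrity_check())
```

In practice you would run `snapshot()` against a fresh install (or a restored backup) and store the result off the server with the exported logs, then re-run both checks from the stored copies on a schedule; keeping the baseline and the logs off the box is what makes the comparison trustworthy after the server itself is compromised.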
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

At the beginning of a sunny Monday morning earlier this month, I had never cracked a password. By the end of the day, I had cracked 8,000. Even though I knew password cracking was easy, I didn't know it was ridiculously easy—well, ridiculously easy once I overcame the urge to bash my laptop with a sledgehammer and finally figured out what I was doing.

My journey into the Dark-ish Side began during a chat with our security editor, Dan Goodin, who remarked in an offhand fashion that cracking passwords was approaching entry-level "script kiddie stuff." This got me thinking, because—though I understand password cracking conceptually—I can't hack my way out of the proverbial paper bag. I'm the very definition of a "script kiddie," someone who needs the simplified and automated tools created by others to mount attacks that he couldn't manage if left to his own devices. Sure, in a moment of poor decision-making in college, I once logged into port 25 of our school's unguarded e-mail server and faked a prank message to another student—but that was the extent of my black hat activities. If cracking passwords were truly a script kiddie activity, I was perfectly placed to test that assertion.

It sounded like an interesting challenge. Could I, using only free tools and the resources of the Internet, successfully:
