chris Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777201 Location: ~/security-forums
Posted: Fri Feb 07, 2003 12:42 am Post subject: Your worst security blunder
Embarrassment time
Please post your worst security blunders here, either first-hand or those of a friend / colleague.
b4rtm4n Trusted SF Member
Joined: 26 May 2002 Posts: 16777206 Location: Bi Mon Sci Fi Con
Posted: Fri Feb 07, 2003 12:54 am Post subject:
Leaving a Linux server unfirewalled on the net with wu-ftp enabled.
Only took 3 weeks b4 it was 0\/\/n3d.
4 years ago tho!
Networkguy Trusted SF Member
Joined: 29 Apr 2002 Posts: 16777215 Location: UK
Posted: Fri Feb 07, 2003 1:47 am Post subject:
Not me, but very funny.
The night shift in a certain data center were getting bored one night. Of course they could not access any of the hard core porn on the net due to the corporate firewall rules.
But hang on, somebody realises that the data center is also a core node on our Internet backbone with several 9.6-GB feeds to it.
So they head off down to a pair of very large and very expensive Juniper routers and patch into a spare gigabit ethernet port (this is a core internet transit router).
Next they build themselves a nice little proxy server and plug that in, and from there route it back onto the corporate LAN.
You may have noticed that I didn't mention a firewall. That's right, they didn't bother.
So for a few nights, they have the time of their lives surfing the darker side of the net and even help themselves to some spare space on a customer's EMC storage array.
In 4 nights, they managed to use up half a terabyte of storage with pictures, videos and mp3s.
But then somebody notices during a routine security check that there is an insecure web connection on the corporate LAN, so the investigation starts.
So here we have guys who have the intelligence to configure a Juniper transit router, build themselves a proxy, configure this onto the corporate LAN and even reallocate an EMC storage array.
BUT
What they didn't do (and this is what got them sacked):
SWITCH OFF THE LOGGING ON THE PROXY
Just how much evidence did they think HR would need to sack them?
flw Forum Fanatic
Joined: 27 May 2002 Posts: 16777215 Location: U.S.A.
Posted: Fri Feb 07, 2003 2:38 am Post subject:
saxo, shouldn't you have started this with an example of your own? Just to show we all f*ck up sometimes. Here are two for me:
1. I forgot to shut off sshd when under an active bot attack that looked for an open issue with ssh1 when we were using ssh2. I got it the next day. Oops.
2. I also accepted a job from a jack of all trades and master of none when it came to IT and security.
squidly Trusted SF Member
Joined: 07 Oct 2002 Posts: 16777215 Location: Umm.. I dont know.. somewhere
Posted: Fri Feb 07, 2003 4:12 am Post subject:
I've not had anything as bad as that happen.. Just a friend was routing through my PC and he was dling some stuff from Kazaa. Well, some script kiddie tracked it back to my IP and tried to attack me. At the time I had no firewall up, and no real integrity checking. My school's firewall caught most of it.
On the other side of the fence, I was playing around with arp-spoof and I killed one of the local Cisco routers. Knocked approx. 400 people off the net for a couple of hours. Thank goodness they didn't look at the logs and see where the fake ARPs were coming from.
myhatisred Just Arrived
Joined: 11 Jan 2003 Posts: 0
Posted: Fri Feb 07, 2003 4:31 am Post subject:
Leaving port 23 open on my firewall when I closed everything else, and having a nice Linux box running until someone decided to take control of it. It's alright, that was 2 years ago, I've grown up since then.
Mongrel SF Mod
Joined: 30 May 2002 Posts: 8
Posted: Fri Feb 07, 2003 7:57 am Post subject:
FTP site on my win2k - local user account - upload AND admin rights - script kiddie - rooted.
Fortunately I noticed the machine had been rebooted in the AM, tracked down all the goodies for posterity's and study's sake, wiped 'er clean and re-installed.
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
Posted: Fri Feb 07, 2003 9:48 am Post subject:
Ugh.. I wasn't thinking and I didn't think to sanitize the HTTP_REFERER variable when tracking how people were getting to my page... a friend of mine injected a bunch of javascript into my tables and flooded me with popups when I went to view the logs.. Although since then I've found that HTML & scripting injections can be fun.
A worse one though.. not my domain, & I was never responsible for it.. but one night I was poking around her server.. just reading and browsing.. went to her host's support page and saw something about a web control panel that you access via the cgi-bin.. so of course I took a peek.. but not only did I take a peek, I 0wned that domain in under 10 seconds.. damn scary.. since there wasn't an account configured, it took whatever u/p I put in there and made me the administrator.. Now for the lucky part... she says that was supposed to have been taken down about 2 years ago and she had been told it was... during those 2 years, that domain was (at first anyway) despised by almost everybody in alt.hackers.malicious - a couple of them SWORE they were going to r00t it.. two years they tried every brute force, apache exploit, cgi exploit.... but they never bothered to stop and read the 'site owner's manual' on the hosting company's support page... 2 years they tried and didn't see the open door right in front of them LOL
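The referer blunder in the post above, as an added illustration that is not code from the thread: a small parser for Apache combined-format log lines, the unescaped rendering that lets a visitor's Referer run in the admin's browser next to the escaped rendering, and a review helper that flags referers carrying markup. The log lines, IP addresses and the injected referer value are constructed for the example.

```python
import html
import re

# Constructed Apache "combined"-format log lines (IPs from documentation ranges).
# The third carries a Referer containing markup, the situation the post describes;
# the payload is an assumed illustrative value, not one taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Feb/2003:09:48:01 +0000] "GET /index.html HTTP/1.0" 200 512 "http://search.example/?q=psyko" "Mozilla/4.0"
203.0.113.9 - - [07/Feb/2003:09:48:07 +0000] "GET /index.html HTTP/1.0" 200 512 "-" "Mozilla/4.0"
198.51.100.7 - - [07/Feb/2003:09:49:12 +0000] "GET /index.html HTTP/1.0" 200 512 "<script>alert(1)</script>" "Mozilla/4.0"
"""

# Apache escapes embedded double quotes in logged fields as \", so [^"]* is
# adequate for the common case handled here.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_referers(log_text):
    """Return a list of {'ip', 'referer'} dicts, one per parseable log line."""
    rows = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if m:
            rows.append({"ip": m["ip"], "referer": m["referer"]})
    return rows

def render_unsafe(rows):
    """The blunder: the visitor-supplied Referer is copied straight into the
    HTML, so any markup in it runs in the browser of whoever views the log."""
    return "".join(f"<tr><td>{r['ip']}</td><td>{r['referer']}</td></tr>" for r in rows)

def render_safe(rows):
    """The fix: HTML-escape every field taken from the request before output."""
    return "".join(
        f"<tr><td>{html.escape(r['ip'])}</td><td>{html.escape(r['referer'])}</td></tr>"
        for r in rows
    )

def suspicious_referers(rows):
    """Review aid: a genuine Referer is a URL or '-'; angle brackets or quotes
    in the field mean someone is probing the log viewer, worth a closer look."""
    return [r for r in rows if re.search(r'[<>"\']', r["referer"])]
```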
Mike Just Arrived
Joined: 05 Jan 2003 Posts: 0
Posted: Tue Feb 11, 2003 7:41 pm Post subject:
On my FreeBSD server
I put a copy of master.passwd in it.
Some users noticed it and decrypted the passwd so they could log in without notice.
But now I still see stupid wheel users who do that.
chris Forum Fanatic
Joined: 18 Apr 2002 Posts: 16777201 Location: ~/security-forums
Posted: Tue Feb 11, 2003 8:20 pm Post subject:
I've been caught out by classic social engineering.
A few years back on IRC, when there was the usual tonne of flaming and abuse, I accepted a file from what I thought was a trusted source. Checked the ISP (which at the time had dynamic IPs) and the ident / nickname / realname matched up, so I accepted the file. I ran it, McAfee said it was fine.
Since it was from a trusted source (or so I thought) I didn't suspect anything. It opened a funny image, and a DOS window spawned quickly, at which point I knew something was wrong but not quite what. After analysis later it turned out it was sub7 bound to a picture and edited slightly to bypass most signatures at the time.
Noticed a stack of connection attempts afterwards which were denied by the software firewall I was using at the time, Conseal, so pulled the plug and reformatted.
Last edited by chris on Tue Dec 09, 2003 11:27 pm; edited 1 time in total
browolf Trusted SF Member
Joined: 19 Apr 2002 Posts: 1
Posted: Tue Feb 11, 2003 11:16 pm Post subject:
Only last week I made a cunning bat file with delprof to delete all the bazillions of local profiles created on our win2k boxes. I was just using net view to get a list of computer names.
It was an honest mistake, I didn't think about ppl's laptops. Luckily I only wiped out one person's profile, who had their laptop on the network but wasn't logged in. That was certainly a close one.
About 9 months ago, something went wrong in the switch cabinet (8 stacked switches). I was trying to fix it by myself in the evening; there was a night class on. Unfortunately I didn't do a very good job, and I think I inadvertently unplugged some switches from each other. In the morning no-one could remember how they were supposed to plug together. We had to get someone from the firm that put them in to come and sort us out. It was a hideous mess b4 I made it worse, so they just unplugged everything and put them all back in again in a better order and made us a diagram.
WHISP3R Just Arrived
Joined: 12 Jan 2003 Posts: 0
Posted: Tue Feb 11, 2003 11:24 pm Post subject: Irc Screwup
Opening a telnet connection with my IRC channel eggdrop and finding out that through /msg IDENT password the bot had set my hostmask to *bob*@*.undernet.org. And I was on the auto-op list, allowing anyone with bob as a username logged into X to be auto-opped.
Moral: ALWAYS, always add your eggdrop hostnames manually. Or ident and then change them.
ComSec Trusted SF Member
Joined: 26 Jul 2002 Posts: 16777215
Posted: Wed Feb 12, 2003 2:24 am Post subject:
Don't laugh, an ex-AOL member through work... till I got booted and lost me job... even had a spam collection box called e-mail LOL
"thank you aol"
tutaepaki Trusted SF Member
Joined: 02 May 2002 Posts: 3 Location: New Zealand
Posted: Wed Feb 12, 2003 3:23 am Post subject:
I was asked by a colleague to scan his ADSL connection to see how secure he was. Turned out he wasn't at all: the ADSL modem was wide open, and it took all of 5 secs of googling to turn up his config password.
The trick was when I showed him how easy it was, and left his work PC connected to the config screen of his ADSL modem, with auto-refresh enabled. In a classic case of timing, he'd just upgraded to a 10MB connection with a very low data cap.
He still blames me for the $600 bill he got from his ISP.
Zilker Just Arrived
Joined: 02 Apr 2003 Posts: 0
Posted: Sat Apr 12, 2003 9:53 pm Post subject: NT blunder
So I'm sr. sysadmin on an NT 4.0 network of about 8,000 users. I get a call from the helpdesk that "no one" can login. Hmmm. That's strange. I check and I can login; seems everyone around me (sysadmin team) can login. What could the problem be?
Everyone who has admin privilege can login, but no one else can? What could it be?
Then the "HOLY CRAP!!!!" moment hits. What would allow me, an administrator, to login but not anyone else? "Access this computer from the network"
Well, it seems one of the other administrators (read client) had decided to build himself a test domain controller. He wanted to secure the system, so what does he do? He removed everyone except "Administrators" from the "Access this computer from the network" right on his "test DC".
Of course, any policy change on a Backup DC is actually performed on the PDC and propagated. So in effect, by trying to secure his system, he had blocked everyone from accessing the NT domain.
ThePsyko SF Mod
Joined: 17 Oct 2002 Posts: 16777178 Location: California
Posted: Sun Apr 13, 2003 3:02 am Post subject:
?? he put an unauthorized DC onto an existing network for "testing" purposes?? without realizing the impact or notifying anybody?? holy smokes... did you take him out back at the end of the day and beat the crap outta him at least?