Security Incidents mailing list archives
Re: CNET Hackers hit e-commerce site
From: chris () TYGERTEAM COM (Chris Davis)
Date: Sat, 4 Mar 2000 13:29:01 -0500
Hey Vincent :)

My name is Chris Davis, and I am the security guy that is mentioned in that c|net article you pointed out. As we are the main investigative party involved in the pursuit of Curador (in co-operation with the FBI, RCMP, and several other police agencies), I thought I would take a second and explain to you, and everyone else on the list, exactly what Curador did to breach the security of 2 of his earlier victims. His method has changed recently, and unfortunately I am not able to go into the new methods without possibly jeopardizing the investigation.

The 2 earlier victims I am referring to are www.ltamedia.com and www.promobility.net. The attack on both of these sites was identical. First he would start with what appears to be an automated scan for e-commerce sites with the showcode.asp vulnerability (/msadc/samples/SELECTOR/showcode.asp is one of 6 or so possible variations). Here is a snip from ltamedia's log during the attack:

2000-02-03 01:55:07 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../winnt/odbc.ini 200 0 1845 10278 441 80 HTTP/1.0 - - -

This is a pretty straightforward grab for the odbc.ini (his reasoning behind this, for those that may not know, is to learn the names of the DSN(s) used to store the CC #'s). I say straightforward with one exception: the string of AAAAAAAA he uses for his method. This one has us confused. RFP (Rain Forest Puppy) and I have discussed this one particular area several times. The best we can come up with as to why he is using the AAAAAAA method is either 1 - to try to avoid getting logged? or 2 - as an anti-IDS tactic. If either of those ideas is Curador's reasoning for the AAAAAAAA method, then he is more stupid than I first gave him credit for :).

If any of you happen to know what the AAAAAAAA method is being used for, please email either myself or rfp () wiretrip net.

Next in his attack is to view the source for the order.asp:

2000-02-03 02:51:03 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../inetpub/wwwroot/order.asp 200 0 65388 500 12568 80 HTTP/1.1

Now he uses RDS to grab the CC#'s:

2000-02-03 02:57:17 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 POST /msadc/msadcs.dll - 200 0 1113663 844 336384 80 HTTP/1.1 ACTIVEDATA - -
2000-02-03 03:02:56 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 POST /msadc/msadcs

And that is about it. In the promobility logs we see several more POSTs via the msadcs.dll, which appears to be Curador executing several more commands. Other than that, both attacks are identical.

I hope this helps you out. The main thing to avoid being vulnerable to such things is to stay on top of the security issues with the OSes and daemons which you use. If you find you are unable to do this, then look into hiring a security firm to do it for you; most decent firms now offer monitoring and a subscription-type service where they will update and fix your boxes as the 0day stuff starts to become recognized.

Take care
Chris Davis (www.tygerteam.com)

----- Original Message -----
From: "Vincent Lee" <vlee () giftssoft com>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, March 02, 2000 2:55 PM
Subject: CNET Hackers hit e-commerce site

Hello all,

This is my first posting to Security-Focus, and I hope I am doing so in the right forum. Just read a clipping from CNET regarding a hacker obtaining stolen credit card numbers from an e-commerce site.
http://news.cnet.com/news/0-1007-201-1562254-0.html?tag=st.ne.1007.thed.1007-201-1562254

From what I understand, this is the second _major_ attack. Without going into too much specifics, can anyone tell me how anyone (hacker or not) can do this? I may be naive, but to think that with all the breaches that are occurring nowadays, you would think that even an e-commerce site would fare better. Maybe I should be asking "how easy can it be?" - any answer would help me rethink my role in e-commerce, as well as prepare myself for any such attacks. Any input appreciated.

By the way, I have _learned_ a great deal since I signed on to Security-Focus. To all those who have posted questions and feedback - keep on doing so. You have no idea how many uneducated people out there are actually learning something from your posts. Thanks to all. I am no longer in the dark!

Vincent Lee
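The request sequence Chris Davis describes (showcode.asp pulling files through "../" in the source= parameter, then POSTs to /msadc/msadcs.dll) is easy to pick out of IIS W3C extended logs after the fact. The following Python detector is an added example for this archive page; it is not code from the message, from TygerTeam or from RFP. It assumes the field order shown in the quoted snippets (date, time, client IP, username, site, server name, server IP, method, URI stem, URI query, status, ...). The sample log lines are constructed for the example: the client and server addresses (192.0.2.x, 198.51.100.4) are documentation ranges, SHOPSRV is a made-up server name, and the all-"A" token is placed in the method field because that is where the message's first log line shows it.

```python
"""Detector for the IIS request pattern described in the message above:
showcode.asp directory traversal (reading odbc.ini / order.asp) followed by
POSTs to /msadc/msadcs.dll (RDS DataFactory).

Added example, not code from the original post. Sample log lines are
constructed; hostnames and IP addresses are placeholders."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
from urllib.parse import unquote

# Verbs IIS would normally log; anything else (e.g. a run of "A"s) is suspect.
KNOWN_VERBS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "PROPFIND"}
# "../" or "..\" anywhere in the decoded query string.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed sample, same field order as the snippets in the message.
# 192.0.2.x / 198.51.100.x are documentation addresses, SHOPSRV is made up.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-02-03 01:40:12 192.0.2.10 - W3SVC1 SHOPSRV 198.51.100.4 GET /default.asp - 200
2000-02-03 01:55:07 192.0.2.10 - W3SVC1 SHOPSRV 198.51.100.4 AAAAAAAAAAAAAAAAAAAAAAAA /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../winnt/odbc.ini 200
2000-02-03 02:51:03 192.0.2.10 - W3SVC1 SHOPSRV 198.51.100.4 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../inetpub/wwwroot/order.asp 200
2000-02-03 02:52:40 192.0.2.77 - W3SVC1 SHOPSRV 198.51.100.4 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/SELECTOR/showcode.asp 200
2000-02-03 02:57:17 192.0.2.10 - W3SVC1 SHOPSRV 198.51.100.4 POST /msadc/msadcs.dll - 200
"""


@dataclass
class Finding:
    when: str      # "date time"
    client: str    # c-ip
    rule: str      # which check fired
    detail: str    # the method or decoded query that triggered it


def parse_w3c(line: str) -> Optional[Dict[str, str]]:
    """Split one W3C extended line into its first eleven fields.
    Returns None for blank lines, '#' directives and short lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) < 11:
        return None
    keys = ["date", "time", "client", "user", "site", "host", "server",
            "method", "stem", "query", "status"]
    return dict(zip(keys, f))


def findings_for(rec: Dict[str, str]) -> List[Finding]:
    """Apply the three checks to one parsed record."""
    out: List[Finding] = []
    when, client = f"{rec['date']} {rec['time']}", rec["client"]
    method = rec["method"].upper()
    stem = rec["stem"].lower()
    query = unquote(rec["query"])   # catch %2e%2e as well as literal dots

    if method not in KNOWN_VERBS:
        out.append(Finding(when, client, "unknown_verb", rec["method"][:16]))
    if stem.endswith("/showcode.asp"):
        rule = "showcode_traversal" if TRAVERSAL.search(query) else "showcode_access"
        out.append(Finding(when, client, rule, query))
    if stem == "/msadc/msadcs.dll" and method == "POST":
        out.append(Finding(when, client, "rds_post", rec["query"]))
    return out


def analyze(log_text: str) -> List[Finding]:
    """Run the checks over a whole log, in file order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        rec = parse_w3c(line)
        if rec is not None:
            findings.extend(findings_for(rec))
    return findings


def attack_chains(findings: List[Finding]) -> Set[str]:
    """Clients that first pulled server-side source through showcode.asp
    and later POSTed to the RDS DataFactory: the full sequence in the message."""
    first_read: Dict[str, str] = {}
    chained: Set[str] = set()
    for f in findings:
        if f.rule == "showcode_traversal":
            first_read.setdefault(f.client, f.when)
        elif f.rule == "rds_post" and f.client in first_read and first_read[f.client] <= f.when:
            chained.add(f.client)
    return chained


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h.when, h.client, h.rule, h.detail)
    print("traversal followed by RDS POST from:", sorted(attack_chains(hits)))
```

Run it as a script to see the findings for the constructed sample, or pass the text of a real IIS log to analyze(). A plain showcode.asp request without "../" is reported as showcode_access rather than ignored, because the sample script being reachable at all is the underlying problem; the "when" strings sort correctly as text, so the ordering check in attack_chains() works across day boundaries.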