Security Incidents mailing list archives

Re: CNET Hackers hit e-commerce site


From: chris () TYGERTEAM COM (Chris Davis)
Date: Sat, 4 Mar 2000 13:29:01 -0500


Hey Vincent :)

My name is Chris Davis, and I am the security guy that is mentioned in that
c|net article you pointed out.

As we are the main investigative party involved in the pursuit of Curador
(in co-operation with the FBI, RCMP, and several other police agencies), I
thought I would take a second and explain to you, and everyone else on the
list, exactly what Curador did to breach the security of 2 of his earlier
victims. His method has changed recently, and unfortunately I am not able to
go into the new methods without possibly jeopardizing the investigation.

The 2 earlier victims I am referring to are www.ltamedia.com and
www.promobility.net

The attack on both of these sites was identical: first he would start with
what appears to be an automated scan for e-commerce sites with the
showcode.asp vulnerability (/msadc/samples/SELECTOR/showcode.asp is one of
6 or so possible variations). Here is a snip from ltamedia's log during the
attack:

2000-02-03 01:55:07 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../winnt/odbc.ini 200 0 1845 10278 441 80 HTTP/1.0 - - -

This is a pretty straightforward grab for the odbc.ini (his reasoning
behind this, for those that may not know, is to learn the names of the DSN(s)
used to store the CC #'s). I say straightforward with one exception.. The
string of AAAAAAAA he uses for his method.. This one has us confused.. RFP
(Rain Forest Puppy) and I have discussed this one particular area several
times.. The best we can come up with as to why he is using the AAAAAAA
method is either 1 - to try to avoid getting logged? or 2 - as an anti-IDS
tactic. If either of those ideas is Curador's reasoning for the AAAAAAAA
method then he is more stupid than I first gave him credit for :).  If any
of you happen to know what the AAAAAAAA method is being used for please
email either myself or rfp () wiretrip net

Next in his attack is to view the source for order.asp:

2000-02-03 02:51:03 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 GET /msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../inetpub/wwwroot/order.asp 200 0 65388 500 12568 80 HTTP/1.1

Now he uses RDS to grab the CC #'s:

2000-02-03 02:57:17 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 POST /msadc/msadcs.dll - 200 0 1113663 844 336384 80 HTTP/1.1 ACTIVEDATA - -
2000-02-03 03:02:56 *<rm IP>* - W3SVC1 LTAMEDIAPROSERV 206.151.100.4 POST /msadc/msadcs

And that is about it.. In the promobility logs we see several more POSTs
via msadcs.dll, which appears to be Curador executing several more
commands.  Other than that.. both attacks are identical.

I hope this helps you out.. The main thing to avoid being vulnerable to such
things.. is to stay on top of the security issues with the OSs and daemons
which you use. If you find you are unable to do this, then look into hiring
a security firm to do it for you; most decent firms now offer monitoring and
a subscription-type service where they will update and fix your boxes as the
0day stuff starts to become recognized.

Take care

Chris Davis (www.tygerteam.com)
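The log entries above are in the IIS W3C extended format, with the request method, URI stem and query string appearing as separate whitespace-separated columns; in the first entry the run of "A" characters sits in the method column, and the two later entries are the showcode.asp traversal read of order.asp and the POST to msadcs.dll. The following script is an added example written for this archive page (it is not code from the message, its author, or any of the parties named) showing how a defender could scan such logs for exactly the three things described: a showcode.asp request whose query contains a "..", a POST to the RDS DataFactory endpoint, and a non-standard method token. The sample log lines are constructed for the example (client IPs, host name and byte counts are made up, modelled on the quoted format), and the column list assumes the IIS 4 default W3C field order that the quoted lines follow.

```python
"""Scan IIS W3C extended log lines for the showcode.asp / RDS pattern described in the thread.

Added example for the archive page; sample log lines below are constructed, not real traffic.
"""
import re

# Assumed IIS 4 W3C extended field order, matching the columns visible in the quoted entries:
# date time c-ip cs-username s-sitename s-computername s-ip cs-method cs-uri-stem
# cs-uri-query sc-status sc-win32-status sc-bytes cs-bytes time-taken s-port cs-version
# cs(User-Agent) cs(Cookie) cs(Referer)
FIELDS = [
    "date", "time", "c_ip", "cs_username", "s_sitename", "s_computername", "s_ip",
    "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status", "sc_win32_status",
    "sc_bytes", "cs_bytes", "time_taken", "s_port", "cs_version",
    "cs_user_agent", "cs_cookie", "cs_referer",
]

KNOWN_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Path traversal in the query string: "../", "..\" or the URL-encoded "%2e%2e".
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e", re.IGNORECASE)

# Constructed sample lines modelled on the format of the entries quoted in the message.
SAMPLE_LINES = [
    "2000-02-03 01:55:07 10.0.0.5 - W3SVC1 WEBSRV 192.0.2.10 AAAAAAAAAAAAAAAAAAAA "
    "/msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../winnt/odbc.ini "
    "200 0 1845 10278 441 80 HTTP/1.0 - - -",
    "2000-02-03 02:51:03 10.0.0.5 - W3SVC1 WEBSRV 192.0.2.10 GET "
    "/msadc/Samples/SELECTOR/showcode.asp source=/msadc/Samples/../../../../../inetpub/wwwroot/order.asp "
    "200 0 65388 500 12568 80 HTTP/1.1 - - -",
    "2000-02-03 02:57:17 10.0.0.5 - W3SVC1 WEBSRV 192.0.2.10 POST /msadc/msadcs.dll - "
    "200 0 1113663 844 336384 80 HTTP/1.1 ACTIVEDATA - -",
    "2000-02-03 03:10:00 10.0.0.9 - W3SVC1 WEBSRV 192.0.2.10 GET /index.asp - "
    "200 0 5120 300 15 80 HTTP/1.1 Mozilla/4.0 - -",
]


def parse_line(line):
    """Split one W3C extended log line into a dict; None for comments or short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 17:          # need at least through cs-version
        return None
    return dict(zip(FIELDS, parts))


def classify(rec):
    """Return the list of findings for one parsed record (empty list if benign)."""
    findings = []
    method = rec["cs_method"].upper()
    stem = rec["cs_uri_stem"].lower()   # any of the showcode.asp path variants match on the file name
    query = rec["cs_uri_query"]
    if stem.endswith("/showcode.asp") and TRAVERSAL.search(query):
        findings.append("showcode.asp source disclosure with path traversal")
    if method == "POST" and stem == "/msadc/msadcs.dll":
        findings.append("POST to RDS DataFactory (msadcs.dll)")
    if method not in KNOWN_METHODS:
        findings.append("non-standard HTTP method token (%d chars)" % len(method))
    return findings


def scan(lines):
    """Return (line_number, client_ip, findings) for every line that raised a finding."""
    hits = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        if findings:
            hits.append((number, rec["c_ip"], findings))
    return hits


def attack_chains(lines):
    """Client IPs that did a showcode.asp traversal and later POSTed to msadcs.dll (the sequence in the thread)."""
    seen_showcode = set()
    chained = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        findings = classify(rec)
        ip = rec["c_ip"]
        if any(f.startswith("showcode.asp") for f in findings):
            seen_showcode.add(ip)
        if any("msadcs.dll" in f for f in findings) and ip in seen_showcode:
            chained.add(ip)
    return chained


if __name__ == "__main__":
    for number, ip, findings in scan(SAMPLE_LINES):
        print("line %d from %s: %s" % (number, ip, "; ".join(findings)))
    print("showcode.asp -> RDS chains from:", sorted(attack_chains(SAMPLE_LINES)))
```

On the constructed sample the first line raises two findings (traversal plus the odd method token), the second and third one each, the fourth none, and the chain check reports the single client that performed the traversal and then the RDS POST. The method-token rule is the useful one for the "AAAAAAAA" question in the message: whatever the intent, the request was logged, so a rule on the method column catches it regardless of what it was meant to evade.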

----- Original Message -----
From: "Vincent Lee" <vlee () giftssoft com>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Thursday, March 02, 2000 2:55 PM
Subject: CNET Hackers hit e-commerce site

Hello all,

This is my first posting to Security-Focus, and I hope I am doing so in the
right forum.  Just read a clipping from CNET regarding a hacker obtaining
stolen credit card numbers from an e-commerce site.

http://news.cnet.com/news/0-1007-201-1562254-0.html?tag=st.ne.1007.thed.1007
-201-1562254

From what I understand, this is the second _major_ attack.  Without going
into too many specifics, can anyone tell me how anyone (hacker or not) can
do this?  I may be naive, but with all the breaches that are
occurring nowadays, you would think that even an e-commerce site would fare
better.  Maybe I should be asking "how easy can it be?" - any answer would
help me rethink my role in e-commerce, as well as prepare myself for any
such attacks.  Any input appreciated.

By the way, I have _learned_ a great deal since I signed on to
Security-Focus.  To all those who have posted questions and feedback - keep
on doing so.  You have no idea how many uneducated people out there are
actually learning something from your posts.  Thanks to all.  I am no longer
in the dark!

Vincent Lee

