# Been hacked?



## Pushrod (Jan 7, 2011)

I'd like to hear everyone's stories about times when they've been hacked.

I'll start:
Had a FreeBSD web server with an old copy of AWStats which was publicly viewable. I read one day that there was an exploit, and sure enough, I found that a Perl script had been loaded, which connects to an IRC server and can obey commands sent to it in a chat room.

Now it's your turn!


----------



## sossego (Jan 15, 2011)

About four, five years ago. I was using IRC without knowing what a safe channel meant.
I removed that user account.


----------



## gkontos (Jan 15, 2011)

9 years ago I had a Win 2000 server running as a web server without any firewall, no NAT, real IP being exposed to the Internet :stud
Let's just say that I soon discovered why even basic packet filtering is important when you deal with Windows services...


----------



## SirDice (Jan 15, 2011)

gkontos said:

> 9 years ago I had a Win 2000 server running as a web server without any firewall, no NAT, real IP being exposed to the Internet :stud
> Let's just say that I soon discovered why even basic packet filtering is important when you deal with Windows services...



A lot of people installed it, not knowing it also installed IIS by default. And then the IIS Unicode bugs surfaced. Fun days, you could go around scanning for port 80 and get in 80% of the time you found an open port :e


----------



## expl (Jan 15, 2011)

Win2k also supported admin logins without a password, and the SMB daemon always shared all disks if you logged in as Administrator. Most people left the admin password empty during installation; preinstalled ones also didn't have a password.


----------



## gkontos (Jan 15, 2011)

The admin password was not empty. The machine was a web server serving ASP pages, but it also ran a nicely written COM+ application that used some RPC calls. Also, try to remember a nice virus that spread 8-9 years ago :beergrin


----------



## SirDice (Jan 16, 2011)

gkontos said:

> Also, try to remember a nice virus that spread 8-9 years ago :beergrin


Nimda, which used the Unicode bug I described above.

Code Red was also interesting; it ran completely from memory and never dropped any files.

Both infections were quite easily prevented, even without patching the machine. I used to run a custom install without patches. Anybody that tried that Unicode trick got dropped into my executable :e


----------



## SirDice (Jan 16, 2011)

expl said:

> Win2k also supported admin logins without a password, and the SMB daemon always shared all disks if you logged in as Administrator.


The admin shares (C$, D$, ADMIN$, etc.) still exist, even on Vista and Seven. The fact that these shares exist isn't the problem. The problem was, and still is, people not setting a proper password on the Administrator account.


----------



## respite (Jan 18, 2011)

I think it's safe to say everyone has been owned a few times in their career whether they discovered the intrusion or not. It takes an endless amount of configuration, audits, and patching to stay mildly secure at best. It only takes one vulnerability to leverage privilege escalation.

I don't trust anything in my enterprise. I wouldn't be all that surprised if I found my personal machines rooted.


----------



## nalaren (Jan 18, 2011)

Well, I have been hacked on my Yahoo! account, my personal account actually, and I am still not able to fix this problem; my account automatically sends spam mail to all of my contacts, which actually kind of freaks me out and gets me angry. Is there anything I can do about it?


----------



## gkontos (Jan 18, 2011)

nalaren said:

> Well, I have been hacked on my Yahoo! account, my personal account actually, and I am still not able to fix this problem; my account automatically sends spam mail to all of my contacts, which actually kind of freaks me out and gets me angry. Is there anything I can do about it?

Change your password, maybe?


----------



## shayne (Jan 21, 2011)

The old firewall at work got hacked when I forgot to lock down ssh to a few public IPs after some testing. I didn't realise that there were some awesome username/password combinations (staff/staff) that were added before my time.


----------



## Imanol (May 13, 2011)

I had a Fedora Core 9 installation, ssh server running, using only the root account, the password was asdfgh, and the ssh settings weren't very restrictive; guess the rest...

/root was blown away, with all my personal data, and all binaries were infected with a trojan/rootkit (a message to people who say there are no viruses in Linux: get real...)

Thing is, I still use the root account for everything, but now I know what I'm doing!
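The two ssh break-ins in this thread (shayne's firewall with leftover default credentials and an sshd reachable from anywhere, and the Fedora box above with root logging in over ssh with a guessable password) come down to a handful of sshd_config directives. The script below is an added example, not code from the forum or from OpenSSH: it parses an sshd_config the way sshd reads it (first occurrence of a directive wins, `Match` blocks are conditional and skipped) and flags the settings that made those incidents possible. The two sample configs and the assumed defaults for a modern OpenSSH (7.0 or later: `PermitRootLogin prohibit-password`, `PasswordAuthentication yes`, `MaxAuthTries 6`) are constructed for the example.

```python
"""Audit an sshd_config for the weak settings behind the ssh break-ins
described in this thread: direct root logins, password-only authentication
open to every local account, and generous guessing budgets.

Constructed example; not from the forum or from OpenSSH.
"""
import re

# Assumed effective defaults for a modern OpenSSH (7.0+). Older releases
# defaulted PermitRootLogin to "yes", which only makes the check more relevant.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "maxauthtries": "6",
}

# Constructed: roughly the configuration the posts above describe.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 10
"""

# Constructed: the hardened counterpart (key-only auth, named accounts only).
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers admin
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Return the effective top-level directives as {lowercase_key: value}.

    sshd honours the FIRST occurrence of a directive, so later duplicates are
    ignored. Everything after a 'Match' line is conditional and is not
    considered here (it applies only to the connections that match).
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        effective.setdefault(key, value)
    return effective


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_sshd_config(text)

    def get(key):
        return conf.get(key, DEFAULTS.get(key, "")).lower()

    findings = []
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root can log in directly over ssh; "
                        "use 'no' or 'prohibit-password'")
    if get("passwordauthentication") == "yes" and not (
            "allowusers" in conf or "allowgroups" in conf):
        findings.append("PasswordAuthentication yes with no AllowUsers/AllowGroups: "
                        "every local account (staff/staff included) can be password-guessed")
    try:
        if int(get("maxauthtries")) > 6:
            findings.append("MaxAuthTries above 6: each connection gets a large guessing budget")
    except ValueError:
        findings.append("MaxAuthTries is not a number; sshd will reject this config")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['no findings']}")
```

On a real host, `sshd -T` prints the effective configuration after includes and defaults are resolved, so feeding its output to `audit_sshd_config` is more reliable than reading the file by hand. Limiting which source addresses may reach port 22 at all, the fix shayne describes, belongs in the packet filter rather than in this file, although a `Match Address` block can additionally scope directives to trusted networks.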


----------



## carlton_draught (May 13, 2011)

Several years ago when I ran XP, I got infected with malware. Once bitten, twice shy. I had always wanted to run Linux, and that was enough stimulus. From that point on I forced myself to run Linux on everything, with strong passwords, secure web browsing habits, NAT modem router with very little let through. AFAIK my computers have not been compromised since then. There has certainly been no sign of it.


----------



## SirDice (May 13, 2011)

carlton_draught said:

> From that point on I forced myself to run Linux on everything, with strong passwords, secure web browsing habits, NAT modem router with very little let through. AFAIK my computers have not been compromised since then. There has certainly been no sign of it.


I've used the same techniques on Windows. Haven't had a malware infection for at least 12 years. It's not the OS that's keeping you safe, it's you.


----------



## carlton_draught (May 13, 2011)

SirDice said:

> I've used the same techniques on Windows. Haven't had a malware infection for at least 12 years. It's not the OS that's keeping you safe, it's you.


You are mostly right. I tend to doubt that I would get infected if I were to choose to run a version of Windows today. Still, running an operating system that is 1% the target that Windows is can't hurt. Defense in depth.

And even now the only thing I can imagine wanting to use Windows for is games. Most of the good abandonware runs passably under Wine these days, so there is less and less motivation to bother building a Windows machine. Considering that I used to get excited about gaming on the C64, I often think of games from the mid 90s as "new".


----------



## vometia (Jun 17, 2011)

Just the once (that I'm aware of!), never quite figured out how they did it since it was hiding behind a firewall that remained untouched, though in my (more) foolish youth I wasn't running a separate DMZ network so it could have been any one of several protocols that were being passed through relatively unmolested. It was almost more amusing than annoying in that I found from the bash history that it was a script-kiddie who didn't have the first clue about Unix and quickly gave up once he discovered it wasn't... well, whatever it was he was looking for. Kind of surprised there was that much since the script in question nuked most of the logs but overlooked that one for some reason. At least it was fairly benign, a quick restore from backups and being a bit more sensible about the security policy seemed to do the trick.

The most annoying bit was getting the train into the office, which was packed with sweaty press reporters, rather unexpectedly for a Sunday. I had no idea why until I'd got back, when I discovered that Princess Diana had died that day.


----------



## Eponasoft (Jun 21, 2011)

Any time I set up an XP machine, it seems to be infected with Conficker within hours. It takes a while of hardening the system to get it under control, but I am able to block the majority of attack points before even taking the machine online. Conficker is easily defeated, but even XP SP3 is vulnerable to it despite Microsoft saying it isn't.

I've never had a single hacker issue using FreeBSD, though we've had a few on Linux boxes... usually due to someone's insecure PHP script. Also, I recently left an install of WordPress unupdated on my main site (CentOS server), and it got hacked by the Pakistan Cyber Army. I hardly ever used that thing anyways, and just set up a blog on blogspot.com instead... let someone else handle the hacker lowlifes with nothing better to do than cause harm to other people because they're insecure in their sexuality and feel the need to boost themselves up by ... oh snap, I was rambling.


----------



## kpedersen (Jun 21, 2011)

For a while I was hosting a large part of AntiWPA (a site to host the files etc. for a community of developers researching methods to break / improve the Windows XP - Vista activation system). The site has since been abandoned as many of us now prefer the mailing list / IRC.

For the best part of a year a large group of hackers were hellbent on hacking in and ruining stuff. They put quite a few brute-forcing connections to its FTP, but they completely overlooked the fact that the server was not running Windows (it was running FreeBSD 6.1). So their brute force "skript" only attempted 'Administrator' as the username. They had actually correctly guessed the password (it was 'password1') many times, but since the username was non-existent, they failed lol.


----------



## gkontos (Jun 24, 2011)

kpedersen said:

> So their brute force "skript" only attempted 'Administrator' as the username. They had actually correctly guessed the password (it was 'password1') many times, but since the username was non-existent, they failed lol.



Good one :e:e:e


----------



## SirDice (Jul 1, 2011)

And this has to do what with being hacked?

Please keep it on-topic or open your own thread.


----------

