# US national vulnerability database hacked



## gpatrick (Mar 14, 2013)

http://arstechnica.com/security/201...-taken-down-by-vulnerability-exploiting-hack/


> The federal government's official catalog of software vulnerabilities was taken offline after administrators discovered two of its servers had been compromised. By malware. That exploited a software vulnerability.


----------



## KNOStic (Mar 14, 2013)

Up until March 7, the nvd.nist.gov site was running on Windows Server 2008 and IIS 7.5, but after the breach, starting on March 9, it has been running on Linux and Apache. Hmmm. 

http://news.softpedia.com/news/NIST-National-Vulnerability-Database-Down-Malware-Identified-on-Two-Web-Servers-337103.shtml


----------



## chatwizrd (Mar 14, 2013)

Apache 1.3 and php 4.x probably


----------



## KNOStic (Mar 14, 2013)

And STILL an improvement.


----------



## Beeblebrox (Mar 14, 2013)

> Up until March 7, the nvd.nist.gov site was running on Windows Server 2008 and IIS 7.5


I suppose they don't have the budget to hire a real sysadmin and had to make do with an off-the-shelf ${insert_stereotype_you_want_to_insult} graduate.

Of course, if you spend all your cash on banks, big oil and the defense department, it's normal to skimp on decent IT administration. Then, you can just sit back and blame the Chinese hackers - like blaming your neighbors for not watching your house when you went on vacation but left your doors and "windows" open.


----------



## KNOStic (Mar 14, 2013)

This story is just so rich in irony ... beyond the minimum adult daily requirement. Saddest thing about it is I spent better than 15 years in antimalware research, threw up my hands, went BSD, and life is good.

Windows 8 ... it's just so GSA.


----------



## zspider (Mar 15, 2013)

KNOStic said:

> This story is just so rich in irony ... beyond the minimum adult daily requirement. Saddest thing about it is I spent better than 15 years in antimalware research, threw up my hands, went BSD, and life is good.
> 
> Windows 8 ... it's just so GSA.



Maybe I'll deposit that on flibble's property, since no one else wants it.


----------



## kpedersen (Mar 15, 2013)

zspider said:

> Maybe I'll deposit that on flibble's property, since no one else wants it.



Lol, you might have to throw it pretty hard for it to get through all the Vaxxen you deposited earlier.


----------



## zspider (Mar 15, 2013)

kpedersen said:

> Lol, you might have to throw it pretty hard for it to get through all the Vaxxen you deposited earlier.



Not. Necessarily.


----------



## SirDice (Mar 15, 2013)

KNOStic said:

> Up until March 7, the nvd.nist.gov site was running on Windows Server 2008 and IIS 7.5, but after the breach, starting on March 9, it has been running on Linux and Apache. Hmmm.


If they keep it up to date the same way they did with their Windows machines, they're going to have a big surprise one day.

But as far as I know they got hacked using an SQL injection bug. Same thing will happen on a LAMP. Bugs like that have absolutely nothing to do with the OS or the webserver.


----------



## Beeblebrox (Mar 15, 2013)

> they got hacked using an SQL injection bug. Same thing will happen on a LAMP.


And that is why we have and use jails. While jails won't necessarily prevent SQL injection attacks, they will prevent escalation of the privileges gained through the injection.


----------



## SirDice (Mar 15, 2013)

Beeblebrox said:

> And that is why we have and use jails. While jails won't necessarily prevent SQL injection attacks, they will prevent escalation of the privileges gained through the injection.



True. But they'll get local access only anyway, usually on the www or nobody account. They would need a local root exploit to gain more privileges. That said, it's quite an eye opener if you look at what you can do with those "limited" accounts. It's enough to turn the box into a spamming or DDoS zombie :O


----------



## kpa (Mar 15, 2013)

Block outgoing connections completely on a jail except for a few essentials like DNS, and even then allow the connections only to the jail host, not to any address.


----------



## vertexSymphony (Mar 16, 2013)

kpa said:

> Block outgoing connections completely on a jail except for a few essentials like DNS, and even then allow the connections only to the jail host, not to any address.



Security is not about making a totally unusable environment ... it's about adding layers of measures to mitigate the damage that can be done, so a proper countermeasure can be taken in the event of an intrusion.

Regards.


----------



## kpa (Mar 16, 2013)

vertexSymphony said:

> Security is not about making a totally unusable environment ... it's about adding layers of measures to mitigate the damage that can be done, so a proper countermeasure can be taken in the event of an intrusion.
> 
> Regards.



But if the jail is only for hosting services that accept connections from the outside you can disable most of the outgoing traffic without rendering the jail unusable.
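One way to express kpa's egress policy as a pf ruleset on the jail host, added here as an example and not taken from the thread or from any poster. It assumes an external interface vtnet0, a host address 192.0.2.1 that also runs the jail's DNS resolver, a jail at 192.0.2.10 serving only HTTP/HTTPS, and ssh to the host for administration; all of those values are made up.

```pf
# Added example: /etc/pf.conf on a FreeBSD host running one web-serving jail.
# Assumed values: vtnet0 = external interface, 192.0.2.1 = host (and resolver),
# 192.0.2.10 = jail. Adjust to the real addresses before loading.
ext_if    = "vtnet0"
host_ip   = "192.0.2.1"
jail_ip   = "192.0.2.10"
web_ports = "{ 80, 443 }"

# Default deny everywhere, logged. lo0 is deliberately NOT skipped: FreeBSD
# delivers jail-to-host traffic over lo0, so the jail's egress rules have to be
# evaluated on that interface too.
block log all

# The host's own loopback and outbound traffic is not subject to the jail policy.
pass quick on lo0 from 127.0.0.1 to 127.0.0.1
pass out from $host_ip keep state

# Host administration: ssh to the host address only.
pass in on $ext_if proto tcp from any to $host_ip port 22 flags S/SA keep state

# Clients may reach the jail's web service. The replies the jail sends back are
# matched by the state entries created here, so no separate "pass out" is needed
# for them.
pass in on $ext_if proto tcp from any to $jail_ip port $web_ports \
    flags S/SA keep state

# Everything the jail ORIGINATES is dropped and logged: a compromised www user
# cannot phone home or turn the jail into a spam/DDoS relay. pf is last-match-wins
# without "quick", so the single pass rule after the block carves out the one
# exception: DNS queries to the host's resolver, and nothing else.
block out log from $jail_ip to any
pass out proto { tcp, udp } from $jail_ip to $host_ip port 53 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; anything the jail tries to reach beyond the host resolver shows up in `pflog0` for review.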


----------

