The chronicle of an attack!

A Hacker can attack his own community? At the 1st August the site www.backbox.org has been defaced by a group of crackers known under the name of eMP3R0r_TEAM. Their page has been online for about 2 hours before the site has been restored back. This attack has been successfully due to a misconfiguration of the shared server of a well known Italian internet service provider that hosts our pages which is for several days has exposed the home location of thousands of users to attacks by crackers! Fortunately backbox.org was the only site to have been defaced, but has not ruled out that other data has been stolen for future attacks at other sites. Our analysis has identified more than 5000 vulnerable accounts!

As you know BackBox is a community that part of the Free/Open Source Software, simply developing a Linux distribution, and would not have expected such an attack. We do not adhere to any side that would define us as a subject of attack. A hacker has valid reasons to attack a specific entity, would do it for moral principles, ethical and ideological. Assuming that a hacker will never attacked a proper communities in our case we are dealing with a group of unstable that running random attacks as soon as they detect any known vulnerability on any web portal.

Of course even if what happened was truely sad we had not discouraged and not lose heart. After restoring back online our web site we start to investigate to get further information. We have analyzed step by step the entire attack process by reverse and we were able the gathered useful information (including personal detail) about attackers.

The “dreaded” eMP3R0r_TEAM is a group of iranian activists who carry out attacks randomly on whole potential vulnerable web sites by targeting mostly European sites. During our investigation and analysis we were able to obtain the complete details of the man who personally performed the attack (nick iM4n) and we collected a variety of tests that confirmed his identity. Just to make you some idea of ​​a character who loves to dress brand, Tissot watches wears expensive, attends ski resorts of Uludag (Turkey) and has some very expensive computer equipment (laptop lenovo generation, etc..). The character that we dealing with is Amir Hosein, born in on 21/10/1983 in Hell (Tehran) Iran. He works full-time on IT security and he seems to be the head of a small team.

Returning to the technical aspects of the attack…

The issue has had dramatic implications for how it was managed by the our ISP. As we talking about a hosting shared in that case the responsibility of what happened is completely belong to ISP. Despite our repeated emails, the ISP has snubbed the entire story by not providing any kind of support and also denying us to access log to our site!

The attack began through one of the website with a Joomla installation insecure that reside on server where our site located. The crackers violating this CMS site and have uploaded a webshell with which they were able to read the backbox.org home directory. Strangely, for several days the home directory of all hosts on the shared server could be navigated easily by any user by allowing them also to read the configuration files. After heaving read the data relating to the installation of our forum (SMF) and using the same webshell they have changed the MySQL database records for the account admin and then getting administrative privileges/access to the forum. By obtaining the highest privileges there were quite easy for them to uploading a backdoor into the home of backbox.org through which they were able to modify the index.php file of our site.

After having confirmed the information above specified, by demonstrating how the data of all users of provider were exposed (and we were doing the entire job for provider), the provider have finally decided to pay attention to us and only after 5 days (since when we have noticed to them this issue) they were able to correct this vulnerabilities by setting correctly privileges for each user on server.

In on of their statement that they sent to us they says that after a careful analysis we have confirmed the vulnerability, which was occurred after an upgrade to a newer version of php. In short, the permissions of the public_html directory of “some accounts” were set up with incorrect values ​… (?)

The whole event/process is incredible… “a few accounts” as they say, are actually more than 5000 sites hosted on their servers. Since now the provider have no released any official declaration regardin! An “oversight” of this magnitude should be made ​​known as soon as possible in order to give users the ability to backup their data and change the passwords of their sites.

Actually (I mean right now), it seems to be not accessible/readable anymore the user home directories from neighbor/other accounts. That’s why we have decided to release this news after the issue has been fixed. We would like to get further attention of our provider to remain vigilant, it is possible that the crackers are in possession of other information that could compromise the security of the entire server again.

Regarding eMP3R0r_TEAM must be said that they’ve been kindly after all, by not causing big harm. By the way, an attack like this certainly not honored.

That is only the first part of our investigation…

BackBox Linux now with FluxBox window manager!

The team is proud to announce the release of backbox-fluxbox package. This release aims to be lean and fast on your desktop. FluxBox should be able to run on older hardware allowing people with weak to mediocre machines to enjoy the awesomeness of BackBox Linux. During the development of this package, our goal was to achieve a very delicate balance between a minimalistic and an easy to use setup which we hope we have done. Now the menu is self-generated, no manual editing… Therefore you can install any tool simply with synaptic or apt-get and the menu will auto rebuild itself. It’s that simple!

CAT2011, sul podio la squadra equipaggiata con BackBox!

L’esperienza milanese si conclude nel migliore dei modi per i “Jumpin Jester” 4 ragazzi di origine sarda che hanno deciso di partecipare alla quarta edizione dell’ormai noto evento “Cracca al Tesoro”.

Questa edizione ha visto sfidarsi ben 22 squadre per un totale di circa 100 partecipanti provenienti da tutta italia: Trento, Sassari, Varese, Torino, Pistoia, Fidenza e altre città della penisola.

Armati di vistose antenne le squadre hanno dovuto individuare cinque access point apprestati per l’occasione, quindi penetrare nei server ad essi collegati, configurati in modo da poter essere violati in modo più o meno facile. Una sala di controllo riceveva e verificava le avvenute intrusioni, poi stava ai concorrenti reperire indizi per proseguire ed ottenere le istruzioni che facevano guadagnare punti.

I Jumpin Jester equipaggiati appunto con BackBox Linux e sponsorizzati da Akhela hanno ottenuto 36 punti classificandosi cosi secondi alla loro prima partecipazione al CAT (primi i ragazzi di E-Quipe di Torino, terzi i Crackers Salati di Trento). Emilio Pinna, aka norby, studente di ingegneria informatica presso il Politecnico di Torino nonché nostro collaboratore ci ha fatto un breve resoconto della sua esperienza di cui riporto le parti più interessanti.

I 5 access point, sparsi in alcuni negozi della zona di Corso Como, proteggevano due macchine su cui fare breccia con ogni mezzo. La partenza della gara (ore 14.30) è stata abbastanza lenta per tutti… Sia per la difficoltà a trovare gli access point ufficiali, sia per i numerosi burloni che inondavano l’etere di finti beacon al fine di confondere gli avversari. La maggior parte di essi erano protetti con un’inefficace cifratura WEP abbastanza facile da craccare a patto di aver localizzato correttamente la posizione degli access point. Una volta entrati in possesso della password e guadagnati i primi 5 punti, era necessario scoprire velocemente gli IP delle macchine da attaccare. Gli utenti erano separati dalle macchine bersaglio con VLAN proprio per evitare che i partecipanti si attaccassero tra di loro (credendo fossero le macchine target). Motivo di confusione è stato l’uso di netmask /25, al contrario della solita /24, che ha tenuto impegnati i partecipanti meno preparati durante l’host discovery. Altra forma di protezione è stata l’adozione di tecniche per il flood protection che ha complicato e non di poco la mappatura della rete tramite port-scan.

Gli host e le vulnerabilità esposte erano diverse: la prima, con cui tanti si sono confrontati, era un SQL injection sfruttabile in maniera abbastanza banale, ma corredata di un limite di 5 tentativi e di un filtro sul tipo di dato inserito nel form exploitabile. Il filtro era in javascript lato browser e i tentativi venivano contati sul PHP session ID. Lascio a voi immaginare i due semplici passaggi da fare per bypassare queste protezioni. La seconda prova esponeva il codice dei cgi del server per permettere un veloce auditing allo scopo di trovare il giusto punto di attacco. Gli access point successivi al terzo erano protetti da WPA, compito di uno degli organizzatori era il generare il giusto traffico per permettere la cattura dell’handshake su cui fare il bruteforce delle password.

Come al solito la parte più scenografica dell’evento erano le tante squadre corredate di antenne di tutti i tipi, dalle Yagi al lungo tubo omnidirezionale dell’organizzatore Mayhem, dalle alte e pesanti antenne direzionali alle antennine di default incluse nelle schede wireless usb esterne Alpha (usate dalla gran parte dei partecipanti). Le squadre più attrezzate avevano dietro un carrello della spesa che conteneva gruppi di continuità o come nel caso dei Jumpin Jester, una batteria di macchina e un inverter, che hanno permesso di tenere accesi i pc con meno autonomia per tutto il tempo della gara.