Analyzing the Astalavista Hack

June 08, 2009

Several days ago, astalavista.com was torn down by an anti-security group. If you are not familiar with it, astalavista is a "security" community that discusses and hosts vulnerability information and exploits. The site appears to have been completely destroyed by attackers.

The attackers posted a text document detailing what they did on the site after they took it down. I have mirrored it here in case the other goes offline for whatever reason.

The write-up gives few details about the initial exploit. It appears to have been some kind of buffer overflow that handed them a shell running as the Apache user, reached over port 80. From there they poked around and eventually ran a second, local exploit that escalated their privileges from the apache user to root.

This is already a huge problem, because the box is completely owned. The MySQL database passwords were sitting in plain text in various PHP files, and since the web server process has to be able to read those files, the apache shell alone was enough to dump the databases. Root access meant that every file on the server could be deleted at will. This is a bad situation to get your server into. Keeping all of your services patched narrows the window, but it does not help against a zero-day, so the rest of this post is about limiting what an attacker can do once they are already root.

The most important lesson comes from the part of the attack that I consider the worst. The site had offsite backups, but they were not set up well:

sh-3.2# cat /home/com/backup_system/backup.sh
#!/bin/sh
#####################################################################
#                                                                   #
#   incremental backup for astalavista.com                          #
#                                                                   #
#   author:    Paulo M. Santos <paulo.santos@astalavista.com>       #
#                                                                   #
#####################################################################
[snip]
PROG_DIR="/home/com/backup_system";
BACKUP_DIR="/home/com/backups";
DOBACKUP_FROM="/home/com/domains/astalavista.com/public_html";
# ftp for synology backup server
FTP_HOST="212.254.194.163";
FTP_PORT="21";
FTP_USER="astalavista.com";
FTP_PASS="yWHOJbzpWTWC6Xrmg1WnfBk5V";
FTP_DIR="/astalavista.com";

That's bad. The FTP host, username and password for the offsite backup sit in plain text in a script on the web server, so anyone who roots the web server gets them for free. The attacker simply logged in to the backup server with them and deleted all of the offsite backups as well. The key takeaway here is that if you are doing offsite backups, the backup host must not be reachable with anything stored on the host it protects. Either have the backup server pull from the web server using a read-only account, so the web server holds no credential at all, or, if you must push, give the web server a credential that can only add new files and never overwrite or delete existing ones, and enforce retention on the backup side. Rooting one box should never be enough to destroy the other.
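Here is what the pull-model version of that script could look like. This is an added example written for this post, not code from the original page or from Astalavista's backup system. It runs on the backup server, which holds the only credential (an SSH private key); the web server only needs an unprivileged account whose authorized_keys entry forces a read-only rsync. The hostname, account name, snapshot root, key path and the rrsync forced command are all assumptions; the source directory is the one from the original script. Only the snapshot-rotation logic is exercised without network access, which is why the rsync pull runs only when the script is invoked with `run`.

```shell
#!/bin/sh
# Pull-model offsite backup. Runs on the BACKUP server, never on the web server.
# The only credential (the SSH private key) lives here; the web server holds
# nothing that lets it reach this host, so rooting the web server does not
# give an attacker a way to delete these snapshots.
#
# Assumed web-server side (not on the original page): a dedicated unprivileged
# account whose authorized_keys entry forces a read-only rsync, e.g.
#   restrict,command="rrsync -ro /home/com/domains/astalavista.com/public_html" ssh-ed25519 AAAA...
# (rrsync ships with rsync's contrib scripts; its install path varies.)
set -eu

SRC_HOST="${SRC_HOST:-backup@web.example.com}"   # assumed account@host on the web server
SRC_DIR="${SRC_DIR:-/home/com/domains/astalavista.com/public_html/}"   # path from the original script
DEST="${DEST:-/srv/backups/astalavista.com}"     # assumed snapshot root on this host
KEY="${KEY:-/root/.ssh/backup_pull}"             # assumed private key, readable only by root here
KEEP="${KEEP:-14}"                               # number of snapshots to retain

# Timestamped snapshot name; lexical order equals chronological order.
new_snapshot_name() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Number of snapshot directories under $1 (the "latest" symlink is not counted).
count_snapshots() {
  n=0
  for d in "$1"/[0-9]*/; do
    if [ -d "$d" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Fetch a new snapshot into $1/$2, hard-linking files unchanged since the
# previous snapshot so each snapshot is a full tree but costs only the delta.
pull_snapshot() {
  dest=$1; name=$2
  mkdir -p "$dest"
  link_arg=""
  if [ -e "$dest/latest" ]; then link_arg="--link-dest=$dest/latest"; fi
  # $link_arg is deliberately unquoted so an empty value adds no argument.
  rsync -a --delete $link_arg -e "ssh -i $KEY" "$SRC_HOST:$SRC_DIR" "$dest/$name/"
  ln -sfn "$name" "$dest/latest"
}

# Retention is enforced here, on the backup side, where the web server has no
# say in it. Remove the oldest snapshots until only $2 remain; a no-op when
# there are $2 or fewer.
prune_snapshots() {
  dest=$1; keep=$2
  excess=$(( $(count_snapshots "$dest") - keep ))
  [ "$excess" -gt 0 ] || return 0
  for d in "$dest"/[0-9]*/; do        # glob expands in sorted (oldest-first) order
    [ "$excess" -gt 0 ] || break
    rm -rf "$d"
    excess=$((excess - 1))
  done
}

main() {
  name=$(new_snapshot_name)
  pull_snapshot "$DEST" "$name"
  prune_snapshots "$DEST" "$KEEP"
}

# Only touch the network when explicitly asked, e.g. from root's crontab on
# the backup server:
#   0 3 * * * /usr/local/sbin/pull_backup.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Compare this with the original: the original script pushed to an FTP server whose full credentials lived on the web server, and retention (if any) was decided by whoever held those credentials. Here the web server's account can only serve files read-only, the key that reaches it never leaves the backup host, and even if the web server is rooted an attacker can at most feed a bad snapshot into the next pull; the older snapshots stay put until the backup server itself decides to prune them.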
