Jun 08, 2009
There's a certain feeling a system admin gets when they find out that one of their boxen has been pwned. You can't really compare it to anything else but it seems to combine the worst symptoms of cardiac arrest, realizing that someone's just shot at you and not missed, being busted by military police while carrying, and discovering that you slept through your thesis defense. A personal website falling is bad enough, but when you're talking about an operation that's worth six or seven digits in American dollars you just know that heads were rolling.
Over the weekend a post to the Full Disclosure mailing list contained some proprietary information about T-Mobile's internal data network: hostnames, IP addresses, and operating systems of several dozen boxen. People claiming to have worked there have tentatively validated the listing (wild-ass guesstimate of veracity: 40%). The information posted is only partial, and note that every one of the IPs falls inside the RFC 1918 private ranges (10/8, 172.16/12, 192.168/16), meaning that none of them is routable from the Internet and you'd have to get past the perimeter to actually reach the boxen. The crackers who posted the information imply that they have a lot more than they released: they claim to have tried to sell the data (including database dumps, financial records, and confidential documents) to some of T-Mobile's competitors and got no takers (no surprise, really - no company wants to be brought up on charges of corporate espionage). They've thrown open the bidding on this sensitive data, but no one knows if anything will come of it. Only time will tell.
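When a listing like that lands in your lap, the first triage question is exactly the one above: which of these addresses are reachable from outside at all? Here is an added example (not from the original post, and the hostnames, addresses and OS strings are made up for illustration) that parses a leaked host list and sorts it into RFC 1918 internal addresses, externally routable ones, and lines that don't parse. It checks the three RFC 1918 blocks explicitly rather than relying on Python's `is_private`, which also flags loopback, link-local and other ranges that are not what the post is talking about.

```python
import ipaddress

# RFC 1918 private address space, listed explicitly rather than via
# ipaddress.is_private (which also matches 127/8, 169.254/16 and others).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample in the shape of the leaked listing (hostname, address,
# OS). None of these hosts are real; they exist only for this example.
SAMPLE_LEAK = """\
# host              addr            os
db01.corp.example   10.12.4.17      Solaris 10
app02.corp.example  172.20.1.9      RHEL 4
bastion.example     203.0.113.5     OpenBSD 4.4
lb01.corp.example   192.168.200.3   Linux 2.6.24
broken-line         not.an.ip       ?
"""


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside RFC 1918 space, False if it is
    a valid address outside it, None if it does not parse at all."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if ip.version != 4:
        return False
    return any(ip in net for net in RFC1918)


def triage(text):
    """Split a leaked 'host addr os' listing into (internal, external, unparsed).

    Comment lines (starting with '#') and blank lines are skipped. Each entry
    is a (host, addr, os) tuple; lines with a bogus address go to unparsed so
    they are not silently lost from the count."""
    internal, external, unparsed = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            unparsed.append((line, "", ""))
            continue
        host, addr = parts[0], parts[1]
        os_name = parts[2] if len(parts) == 3 else ""
        entry = (host, addr, os_name)
        verdict = is_rfc1918(addr)
        if verdict is None:
            unparsed.append(entry)
        elif verdict:
            internal.append(entry)
        else:
            external.append(entry)
    return internal, external, unparsed


if __name__ == "__main__":
    internal, external, unparsed = triage(SAMPLE_LEAK)
    print("reachable only from inside the perimeter (RFC 1918):")
    for host, addr, os_name in internal:
        print("  %-20s %-15s %s" % (host, addr, os_name))
    print("routable from the Internet:")
    for host, addr, os_name in external:
        print("  %-20s %-15s %s" % (host, addr, os_name))
    print("could not parse: %d line(s)" % len(unparsed))
```

The externally routable bucket is the one that needs attention tonight; the internal bucket tells you how deep the attackers already were when they took the listing, which is the more worrying number in the long run.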
As if that weren't enough excitement for one weekend, the website Astalavista is toast. Early last Friday unknown crackers posted to Full Disclosure (F-D is becoming so popular a list these days that the signal-to-noise ratio is dropping dangerously) evidence of how thoroughly the site was cracked. The lengthy post contains transcripts of the initial penetration (speculated to have come through a bug in a web app), detailed directory listings, PHP code confirming which content management system they were using, and the registration key for same. Practically every file on the servers that contained usernames and passwords was added to the transcript, and selected parts of the back-end database are in there for everyone to see (not just passwords, even a small number of private messages on the forums between the admins). For the admins' passwords some kind of righteous rainbow table must have been used, because a few of those cracked passwords aren't too far off from line noise; rainbow tables only work against unsalted hashes, so that tells you something about how the passwords were stored, too. What appeared to be a version of the vmsplice(2) exploit (the Linux kernel local root hole from early 2008) was used to break root, and that was all she wrote.
The final act of the crackers was to delete all of the backups and web content, and then drop the databases. Only a few frames and a banner are left.