{"id":600,"date":"2011-06-14T19:35:16","date_gmt":"2011-06-15T00:35:16","guid":{"rendered":"http:\/\/rud.is\/b\/?p=600"},"modified":"2018-03-10T07:53:37","modified_gmt":"2018-03-10T12:53:37","slug":"what-can-we-learn-from-the-lulzsec-senate-gov-hack-dump","status":"publish","type":"post","link":"https:\/\/rud.is\/b\/2011\/06\/14\/what-can-we-learn-from-the-lulzsec-senate-gov-hack-dump\/","title":{"rendered":"What Can We Learn From The @lulzsec senate.gov Hack Dump?"},"content":{"rendered":"

What can the @lulzsec senate.gov<\/a> dump<\/a> tell us about how the admins maintained their system\/site?<\/p>\n

[code light=”true”]SunOS a-ess-wwwi 5.10 Generic_139555-08 sun4u sparc SUNW,SPARC-Enterprise[\/code]<\/p>\n

means they haven’t kept up with OS patches. [-1 patch management]<\/b><\/p>\n

[code light=”true”]celerra:\/wwwdata 985G 609G 376G 62% \/net\/celerra\/wwwdata[\/code]<\/p>\n

tells us they use EMC NAS kit<\/span> for web content.<\/p>\n

The ‘last<\/code>‘ dump shows they were good about using normal logins and (probably) ‘sudo<\/code>‘, and used ‘root<\/code>‘ only on the console. [+1 privileged id usage]<\/b><\/p>\n

They didn’t show the running apache<\/code> version (just the config file\u2026I guess I could have tried to profile that to figure out a range of version numbers). There’s decent likelihood that it was not at the latest patch version (based on not patching the OS) or major vendor version.<\/p>\n

[code light=”true”]Alias \/CFIDE \/WEBAPPS\/Apache\/htdocs\/CFIDE
\nAlias \/coldfusion \/WEBAPPS\/Apache\/htdocs\/coldfusion
\nLoadModule jrun_module \/WEBAPPS\/coldfusionmx8\/runtime\/lib\/wsconfig\/1\/mod_jrun22.so
\nJRunConfig Bootstrap 127.0.0.1:51800[\/code]<\/p>\n

Those and other entries says they are running Cold Fusion, an Adobe web application server\/framework<\/a>, on the same system. The “mx8” suggests an out of date, insecure version. [-1 layered product lifecycle management]<\/b><\/p>\n

[code light=”true”] SSLEngine on
\n SSLCertificateFile \/home\/Apache\/bin\/senate.gov.crt
\n SSLCertificateKeyFile \/home\/Apache\/bin\/senate.gov.key
\n SSLCACertificateFile \/home\/Apache\/bin\/sslintermediate.crt[\/code]<\/p>\n

(along with the file system listing) suggests the @lulzsec folks have everything they need to host fake SSL web sites impersonating senate.gov<\/code>.<\/p>\n

Sadly,<\/p>\n

[code light=”true”]LoadModule security_module modules\/mod_security.so<\/p>\n

<IfModule mod_security.c>
\n # Turn the filtering engine On or Off
\n SecFilterEngine On<\/p>\n

# Make sure that URL encoding is valid\nSecFilterCheckURLEncoding On\n\n# Unicode encoding check\nSecFilterCheckUnicodeEncoding Off\n\n# Only allow bytes from this range\nSecFilterForceByteRange 0 255\n\n# Only log suspicious requests\nSecAuditEngine RelevantOnly\n\n# The name of the audit log file\nSecAuditLog logs\/audit_log\n\n# Debug level set to a minimum\nSecFilterDebugLog logs\/modsec_debug_log    \nSecFilterDebugLevel 0\n\n# Should mod_security inspect POST payloads\nSecFilterScanPOST On\n\n# By default log and deny suspicious requests\n# with HTTP status 500\nSecFilterDefaultAction &quot;deny,log,status:500&quot;\n<\/code><\/pre>\n
<\/IfModule>[\/code]<\/p>\n
shows they had a built-in WAF available, but either did not configure it well enough or did not view the logs from it. [-10 checkbox compliance vs security]<\/b><\/p>\n
[code light=”true”]-rw-r–r–   1 cfmx     102       590654 Feb  3  2006 66_00064d.jpg[\/code]<\/p>\n
(many entries with ‘102’ instead of a group name) shows they did not do identity & access management configurations well. [-1 IDM]<\/b><\/p>\n
The apache<\/code> config file discloses pseudo-trusted IP addresses & hosts (and we can assume @lulzsec has the passwords as well).<\/p>\n
As I tweeted in the wee hours of the morning<\/a>, this was a failure on many levels since they did not:<\/p>\n