Sunday, July 24, 2011

In case anybody is still wondering...

Given the media attention to recent hacks (Anonymous, AntiSec, NoNameCrew, etc.) it is easy to observe how the public reacts to these incidents and to read some comments on what people think about them. The most common reaction seems to be astonishment and a bit of surprise at how apparent technical barriers can be circumvented.

Google dorks are by no means new, but they do a good job of demonstrating how easy it sometimes is. In the case of the German Customs Authority hack, a misconfigured XAMPP installation seems to have been the gateway into the internal network. XAMPP is a preconfigured web development environment not intended for production use, as some security options are purposely turned off. Want some more XAMPP installations connected to the internet? Click here.

Looking for access to phpMyAdmin, a tool to administer web server databases (and potentially to get full r/w access to several web sites at once)? Click here. Looking for user names and passwords of FTP logins, potentially used for web site administration? Click here. (By the way, a free online tool to decrypt these obfuscated passwords can be found here.)

Looking for access to the JMXConsole, an administrative interface of the JBoss application server that potentially allows you to upload your own applications and execute arbitrary operating system commands? Click here.

All in all, from my point of view, the chances that a person with little knowledge can easily carry out an attack that gets media attention are quite high if the attack process is turned around: don't pick a juicy target and search for vulnerabilities - instead, take a vulnerability or misconfiguration and search for a well-known target.
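Turning the same idea around towards defence, here is an added example (not the author's code) that audits your own web document root for the artifacts these dorks surface: it walks the tree, flags phpMyAdmin and XAMPP directories, and parses any WS_FTP.ini it finds (the layout quoted in the first comment) to report which sites carry a stored password, without ever outputting or decoding the PWD field. The directory and file names are assumed common defaults, and the sample ini is constructed with placeholder values.

```python
# Added example (not the post's code): audit a web root for artifacts that surface via dorks.
import os
import re
import tempfile
EXPOSED_DIRS = {"phpmyadmin", "xampp"}   # dev tooling that should not sit in a web root (assumed names)
CRED_FILE = "ws_ftp.ini"                 # WS_FTP site list; its PWD field is only obfuscated
SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
KV = re.compile(r"\b([A-Z]+)=(\S*)")      # tolerates several KEY=value pairs on one line

def parse_ws_ftp_ini(text):
    """Map each [site] section to its KEY=value pairs."""
    sites, current = {}, None
    for line in text.splitlines():
        if m := SECTION.match(line):
            current = m.group(1)
            sites[current] = {}
        elif current is not None:
            sites[current].update(KV.findall(line))
    return sites

def stored_credentials(sites):
    """(section, HOST, UID) for each site with a non-empty PWD; the PWD itself is never returned."""
    return [(n, e.get("HOST", ""), e.get("UID", "")) for n, e in sites.items() if e.get("PWD")]

def audit_webroot(root):
    """Walk the document root; return (kind, path, detail) findings sorted by path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in EXPOSED_DIRS:
                findings.append(("admin-dir", os.path.join(dirpath, d), "dev tool reachable under web root"))
        for f in filenames:
            if f.lower() == CRED_FILE:
                full = os.path.join(dirpath, f)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    creds = stored_credentials(parse_ws_ftp_ini(fh.read()))
                who = ", ".join(f"{uid}@{host}" for _, host, uid in creds)
                findings.append(("credential-file", full, f"{len(creds)} stored login(s): {who}"))
    return sorted(findings, key=lambda x: x[1])

# Constructed sample with placeholder values (no real credentials), laid out like the ini quoted in the comments.
SAMPLE_INI = "[SiteA]\nHOST=ftp.example.test\nUID=webmaster PWD=VFBPLACEHOLDER\nPASVMODE=0\n[SiteB]\nHOST=ftp2.example.test\nUID=anonymous\n"

def demo():
    """Build a throwaway web root with the sample artifacts, audit it, return (kind, detail) pairs."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "phpMyAdmin"))
        with open(os.path.join(root, "WS_FTP.ini"), "w") as fh:
            fh.write(SAMPLE_INI)
        return [(kind, detail) for kind, _, detail in audit_webroot(root)]
```

Run `audit_webroot("/var/www/html")` (or whatever your document root is) and treat every finding as something to move out of the web root or lock down before a search engine indexes it.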

2 comments:

  1. Third link in your ws_ftp link is a link to lakshmitravels.[xx]. The last section of the file exposes:

    [ALJazira]
    HOST=www.aljaziragroup.[xxx]
    UID=aljaziragp%02b2b6a PWD=VFB3617328BE8F8CB3A[...]F9F9AAFA5AB9A7043
    PASVMODE=0
    TIMEOFFSET=0

    Is this intended? :) Curious if you would find one server that is listed in a Google dork which is not yet partly compromised.

  2. Must say that this link can be useful for you - https://www.idealsvdr.com/ma-data-room/ . Regards, Rick
