CIX Support thread RE Bell email removals


------------1------------
>>>cix.support/4internet 2282 ibell(710)6Dec99 15:32

CIX security break-in?

REPORT TYPE: High Priority

At some time in the last few days, one file (elite/incoming.htm) has
disappeared from my website. I am 100% sure I did not delete it so I
assume the cause is either a server fault (unlikely since just one
file was lost) or someone hacking into my account.
Could you look into this as a matter of great urgency please?
I have since restored the file.

ian b

CONFIGURATION DETAILS:

Ameol2 Revision: 2.52.2000
  CTL3D Version: 2.31
Operating System: Windows 95 4.0.950
      Processor: Intel Pentium
   Comms Driver: Ameol2 Unified 32-Bit Driver 1.2
    CIX Account: Dial Up Conferencing
  Spell Checker: DLL version 4.21, dictionary date 24/01/99


------------2------------
>>>cix.support/4internet 2283 ibell(478)6Dec99 18:27 c2282*

Further to this, I think I have had another break-in. Someone has
now replaced this file in question with a fake error message (below).

PLEASE would the CIX operators look into this ASAP.

I have renamed the bogus file fake.htm and re-uploaded the original.

ian b
------------------------------

403 Forbidden

Forbidden


You don't have permission to access /~ibell/elite/incoming.htm
on this server.






------------3------------
>>>cix.support/4internet 2286 iainh(187)6Dec99 19:35 c2283*

That's not a file. It's a message generated by the server because
incoming.htm can't be found.

Are you sure you aren't looking for incoming.htm but have uploaded
Incoming.htm ?

Iain


------------4------------
>>>cix.support/4internet 2289 magsys(135)6Dec99 20:55 c2286*

If it was not found, the error would have been 404.

403 suggests a protected directory or strange access rights on the file.

Angus


------------5------------
>>>cix.support/4internet 2306 iainh(163)7Dec99 09:36 c2289*

OK, ... because the file couldn't be /served/.

Either way, that is NOT an html file that a hacker has sneaked in, it's
an error message from the server.

Iain


------------6------------
>>>cix.support/4internet 2301 hoagy(29)7Dec99 00:20 c2286*

No, it was a 403 not a 404.


------------7------------
>>>cix.support/4internet 2295 kestrel(690)6Dec99 22:08 c2283*

I've checked www.cix.co.uk/~ibell/incoming.htm and
www.cix.co.uk/~ibell/Incoming.htm, and they both produce a 404 error here
(i.e. file not found).

The same applies with www.cix.co.uk/~ibell/fake.htm.

I'll pass this on to our Ops department for investigation, but I'm sure
they will ask whether there's any way that your password could have been
compromised.  It might well be worth telephoning CIX support and
requesting a password change.

As a point of interest, looking up some of our tomes of reference at
home, a 403 error means "the request was denied for a reason that the
server does not want to (or has no means to) indicate to the client".

       /\/\ac
       CIX


------------8------------
>>>cix.support/4internet 2302 hoagy(304)7Dec99 00:20 c2295*

403 usually relates to file permissions. But that's not something the user
could have broken using ftp.

CIX' ftp logs will tell them when/if/etc the file was deleted via any
'normal' mechanism.  (OK, I'm assuming they log ftp accesses, which I
don't know for sure, but I'd be amazed if they don't).


------------9------------
>>>cix.support/4internet 2304 blowfish(753)7Dec99 08:09 c2302*

Looks like someone changed the permissions on fake.htm (there
are a couple of other reasons why Apache would give a 403, but
they're unlikely). If Ian FTPs into his webspace and does an
ls -l on fake.htm we'll be able to tell him what the problem is.

(BTW, are you sure that you can't change file permissions over
FTP with CIX? Most places accept the SITE CHMOD extension, but
I never use CIX webspace so I don't know for sure.)

Jon

[jpn@jamie jpn]$ telnet www.cix.co.uk 80
Trying 194.153.0.125...
Connected to www.cix.co.uk.
Escape character is '^]'.
HEAD /~ibell/elite/fake.htm HTTP/1.0

HTTP/1.1 403 Forbidden
Date: Tue, 07 Dec 1999 08:01:10 GMT
Server: Apache/1.2.6
Connection: close
Content-Type: text/html

Connection closed by foreign host.


------------10------------
>>>cix.support/4internet 2309 ibell(691)7Dec99 12:44 c2304*

> Looks like someone changed the permissions on fake.htm (there
> are a couple of other reasons why Apache would give a 403, but
> they're unlikely). If Ian FTPs into his webspace and does an
> ls -l on fake.htm we'll be able to tell him what the problem is.

Yes, using CuteFTP to display the permissions reveals that somebody
had set them all "off".

> (BTW, are you sure that you can't change file permissions over
> FTP with CIX? Most places accept the SITE CHMOD extension,

When I try the SITE CHMOD command on a file with owner R&W access the
server says "permission denied".
Can anyone tell me if they have succeeded in changing the attributes
of their CIX webserver files?

ian b


------------11------------
>>>cix.support/4internet 2310 blowfish(273)7Dec99 13:06 c2309*

Hmmm...do you still own the file? You should be able to fix the
permissions if you do. (I don't know whether you can check this
with CuteFTP - you might need to use FTP from a command prompt
and do ls -l).

If you don't own the file, something strange is happening...

Jon

------------12------------
>>>cix.support/4internet 2312 ibell(363)7Dec99 14:34 c2310*

> Hmmm...do you still own the file? You should be able to fix the
> permissions if you do.

I am unable to CHMOD permissions even on files freshly uploaded by me.
I *am* able to rename and delete them.

>(I don't know whether you can check this with CuteFTP - you might
> need to use FTP from a command prompt and do ls -l).

How do I do this, please?

ian b

------------13------------
>>>cix.support/4internet 2327 blowfish(420)7Dec99 21:19 c2312*

>  I am unable to CHMOD permissions even on files freshly uploaded by me.
>  I *am* able to rename and delete them.

Hmmm. Maybe CIX have disabled the command - in which case, it's
a bit of a mystery how the permissions got changed.

>  How do i do this, please?

Go to Start Menu/Run, type "ftp www.cix.co.uk", login with
your username and password, then type "ls -l" (no quotes on
either of those, by the way).

Jon

------------14------------
>>>cix.support/4internet 2341 ibell(549)8Dec99 13:12 c2327*

> Go to Start Menu/Run, type "ftp www.cix.co.uk", login with
> your username and password, then type "ls -l" (no quotes on
> either of those, by the way).

Thanks. Result is:

---------------------
150 Opening ASCII mode data connection for /bin/ls.
total 17
-rw-r--r--   1 20719    10001         782 Dec  1 22:51 default.htm
----------   1 0        1            8156 Dec  6 14:06 fake.htm
-rw-r--r--   1 20719    10001        8156 Dec  6 18:09 incoming.htm
226 Transfer complete.
----------------------

Does this reveal ownership details?

ian b


------------15------------
>>>cix.support/4internet 2344 hoagy(771)8Dec99 14:18 c2341*

Yes.  20719 is your own ID, everyone else will have a different one.  So
default.htm and incoming.htm are owned by you.

fake.htm is owned by user 0, ie root, ie the 'admin' user for Unix.  I
think CIX ftp server is running a fairly up-to-date Solaris, so it won't
let you 'give away' files to another user unless they've changed the
default configuration.  Thus, it seems unlikely to be something you've
done.

ISTM that the ball is in CIX' court.

One thing strikes me about this thread: It's like most others in this
conference, in that support have been no help at all, and most of the
useful answers come from customers instead. Plus ça change.

PS It seems an odd thing for a cracker to do.  Seems to me more likely to
have been caused by a bug somewhere.
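
A defender-side check for the listing Ian posted, written as an added example for this page (it is not code from the thread, from CIX, or from any of the posters): it parses raw `ls -l` output as returned over FTP and flags any entry whose owner differs from the account's uid, or whose mode leaves no read bit for "other", which is the condition under which a web server running as a different uid (the 'nobody' case raised later in the thread) cannot read the file and answers 403. The three sample lines are copied from the listing in message 2341 and embedded as test input; the expected uid 20719 and the function names `parse_listing` and `audit` are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the ls -l listing posted in the thread (message 2341),
# embedded here so the check runs offline without an FTP session.
SAMPLE_LISTING = """\
150 Opening ASCII mode data connection for /bin/ls.
total 17
-rw-r--r--   1 20719    10001         782 Dec  1 22:51 default.htm
----------   1 0        1            8156 Dec  6 14:06 fake.htm
-rw-r--r--   1 20719    10001        8156 Dec  6 18:09 incoming.htm
226 Transfer complete.
"""

# One line of Unix "ls -l" output: mode, link count, owner, group, size,
# three-field date, name.  FTP status lines and the "total" line do not match.
LS_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+[\d:]+\s+(?P<name>\S.*)$"
)


@dataclass
class Entry:
    mode: str    # symbolic mode as printed, e.g. "-rw-r--r--"
    owner: str   # uid; numeric here because the FTP server printed uids
    group: str
    size: int
    name: str

    @property
    def octal_mode(self) -> int:
        """Convert the nine permission characters to a numeric mode."""
        bits = 0
        for i, ch in enumerate(self.mode[1:10]):
            # r, w, x set the bit; s/t mean "x plus setuid/setgid/sticky";
            # upper-case S/T mean the special bit without execute, so no bit.
            if ch in "rwxst":
                bits |= 1 << (8 - i)
        return bits


def parse_listing(text: str) -> List[Entry]:
    """Return the file entries found in raw ls -l output, ignoring other lines."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if m:
            entries.append(Entry(m["mode"], m["owner"], m["group"],
                                 int(m["size"]), m["name"]))
    return entries


def audit(entries: List[Entry], expected_owner: str) -> Dict[str, List[str]]:
    """Report, per file, anything that would stop the account holder serving it.

    Two conditions are checked, both drawn from the thread: the file is no
    longer owned by the account's uid, or it has no read bit for 'other', so a
    web server running under a different uid cannot read it and answers 403.
    """
    report: Dict[str, List[str]] = {}
    for e in entries:
        findings = []
        if e.owner != expected_owner:
            findings.append(f"owner is {e.owner}, expected {expected_owner}")
        if not e.octal_mode & 0o004:
            findings.append(f"mode {e.octal_mode:04o}: not readable by others, "
                            "web server cannot serve it")
        report[e.name] = findings
    return report


if __name__ == "__main__":
    # Assumed: the account's uid is 20719, as identified in the thread.
    for name, findings in audit(parse_listing(SAMPLE_LISTING), "20719").items():
        print(f"{name}: {'; '.join(findings) if findings else 'ok'}")
```

Run against the posted listing, default.htm and incoming.htm come back clean while fake.htm is reported twice: owned by uid 0 rather than 20719, and mode 0000. Either finding on its own is enough to explain the 403 the telnet HEAD request produced; together they also show why SITE CHMOD from the account could not repair it, since the account no longer owned the file.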


------------16------------
>>>cix.support/4internet 2347 blowfish(141)8Dec99 15:47 c2341*

> Does this reveal ownership details?

Sure does - your file is owned by root. I think that maybe
CIX should comment at this point....

Jon

------------17------------
>>>cix.support/4internet 2360 rikki(63)8Dec99 23:35 c2347*

I think so too - I've asked for an explanation.


Richard
CIX


------------18------------
>>>cix.support/4internet 2464 ptravers(58)14Dec99 00:18 c2360*

> I've asked for an explanation.

And that would be...?



------------19------------
>>>cix.support/4internet 2553 rikki(61)15Dec99 23:27 c2464*

The ownership by root is normal, so I'm told.


Richard
CIX


------------20------------
>>>cix.support/4internet 2561 hoagy(111)16Dec99 00:32 c2553*

Of course it isn't.

CIX deleted the file, and replaced it with something non-accessible, that
much is clear.


------------21------------
>>>cix.support/4internet 2565 blowfish(209)16Dec99 09:16 c2553*

This sounds far from normal, unless CIX routinely give access
to allow customers to overwrite root-owned files in their web
directories. Can we have an explanation as to *why* this is
considered normal?

Jon

------------22------------
>>>cix.support/4internet 2569 iainh(173)16Dec99 12:38 c2565*

The file was created by the server, not the user. It is an error message,
caused by unavailability of a requested page.

Renaming or copying it may not change this.

Iain


------------23------------
>>>cix.support/4internet 2570 blowfish(88)16Dec99 12:56 c2569*

Um, no. The server doesn't write out a file when it
creates these error messages.

Jon


------------24------------
>>>cix.support/4internet 2571 hoagy(50)16Dec99 14:06 c2569*

Wrong. Very wrong.
See the ftp log posted above.


------------25------------
>>>cix.support/4internet 2574 iainh(26)16Dec99 18:28 c2571*

Where is this log?

Iain


------------26------------
>>>cix.support/4internet 2575 blowfish(165)16Dec99 18:51 c2574*

cix:2341. When the permissions were changed on his incoming.htm
file, Ian renamed the file to fake.htm. This must have been done
by somebody with root access.

Jon


------------27------------
>>>cix.support/4internet 2582 hoagy(135)16Dec99 19:37 c2574*
cix:2341

Given that TPTB have now even admitted what they've done to ibell's files,
I'm surprised that you're still questioning it.


------------28------------
>>>cix.support/4internet 2595 iainh(89)17Dec99 17:17 c2582*

That's not a log, it's a directory listing.

If tptb have said they did it, fine.

Iain


------------29------------
>>>cix.support/4internet 2613 chrisjj(84)18Dec99 15:00 c2582*

Read again - TPTB have not admitted they've tampered with ibell's files.

- Chris

------------30------------
>>>cix.support/4internet 2621 rbeasley(121)18Dec99 20:31 c2582*

What admission might that be? According to Ian Bell's postings there has
certainly been no such admission.

Roy Beasley


------------31------------
>>>cix.support/4internet 2622 timill(284)18Dec99 21:23 c2621*

in cix:2491, ng says:
"I understand that our IT director, Mark Wilson, has been in touch with
you via email regarding this issue and that you are fully aware of what
action has been taken and why."

which looks like an admission that Cix did something to ibell's site to
me.

Tim


------------32------------
>>>cix.support/4internet 2623 rbeasley(129)18Dec99 21:56 c2622*

Nonsense. One only has to look at the reply (cix:2500) to discover that no
such "admission" has been forthcoming.

Roy Beasley


------------33------------
>>>cix.support/4internet 2320 dstiles(206)7Dec99 17:10 c2302*

> not something the user
> could have broken using ftp

They can if it's a sub-directory on a Unix server. At least, I
can on my other Unix/Linux sites; never actually tried it on cix,
I have to admit.


------------34------------
>>>cix.support/4internet 2325 hoagy(87)7Dec99 19:00 c2320*

I'd have thought CIX would have disabled SITE CHMOD, but you're right,
they haven't.


------------35------------
>>>cix.support/4internet 2331 dstiles(150)7Dec99 23:08 c2325*

Don't see why they should disable it. I should be able to refuse
access to private directories by the public, for example, by
setting permissions.


------------36------------
>>>cix.support/4internet 2333 hoagy(183)8Dec99 01:50 c2331*

That's not the way to do it, though.  If you refuse access to one web
browser using file permissions, then you'll refuse it to EVERYONE.

.htaccess is there for that sort of thing.


------------37------------
>>>cix.support/4internet 2348 dstiles(109)8Dec99 15:52 c2333*

No, there are good reasons for refusing permission to everyone
except the owner. Not often, but there are.


------------38------------
>>>cix.support/4internet 2351 hoagy(282)8Dec99 18:24 c2348*

But even you wouldn't be able to access the file via a web browser.  The
web server probably runs as 'nobody', and will be the same uid regardless
of who's browsing.  So no-one can read a file with 0400 permission.  Are
you using your ftp space as a backup store or something?!


------------39------------
>>>cix.support/4internet 2353 dstiles(59)8Dec99 20:48 c2351*

As I said, there are reasons. And it's not on cix anyway.


------------40------------
>>>cix.support/4internet 2308 ibell(559)7Dec99 12:44 c2295*

> I've checked www.cix.co.uk/~ibell/incoming.htm and
> www.cix.co.uk/~ibell/Incoming.htm, and they both produce a 404 error
> here (i.e. file not found).

URLS are www.cix.co.uk/~ibell/elite/incoming.htm
and www.cix.co.uk/~ibell/elite/fake.htm.

> I'll pass this on to our Ops department for investigation,

Thanks. Please let me know the result as soon as you can.

> but I'm sure they will ask whether there's any way that your
> password could have been compromised.

Absolutely not. But I've requested a password change anyway.

Thanks.

ian b


------------41------------
>>>cix.support/4internet 2342 ibell(379)8Dec99 13:12 c2308*

>> I'll pass this on to our Ops department for investigation

Any news?

>> but I'm sure they will ask whether there's any way that your
>> password could have been compromised.
> Absolutely not. But I've requested a password change anyway.

I was informed of my "new password" at 15:00 yesterday but in fact it
remains to be changed. Any idea when this will be done?

ian b


------------42------------
>>>cix.support/4internet 2345 hoagy(256)8Dec99 14:18 c2342*

Of course for passwords to be secure, you need to be able to set it
yourself (and you need the discipline to be able to set it to something
secure).

This remains missing from CIXIP, but then the service has only been
running for just over four years.


------------43------------
>>>cix.support/4internet 2486 ibell(125)14Dec99 15:43 c2342*

>>> I'll pass this on to our Ops department for investigation

It's now been over a week. Please tell me the result.

ian b

------------44------------
>>>cix.support/4internet 2491 ng(318)14Dec99 17:31 c2486*

I understand that our IT director, Mark Wilson, has been in touch with you
via email regarding this issue and that you are fully aware of what action
has been taken and why.

Should you wish to discuss the matter further, you are welcome to contact
him.  I understand that you have his contact details.


Nick
CIX

------------45------------
>>>cix.support/4internet 2500 ibell(561)14Dec99 19:14 c2491*

> I understand that our IT director, Mark Wilson, has been in touch with
> you via email regarding this issue and that you are fully aware of what
> action has been taken and why.

This is completely false. Though two days ago (six days after the
incident) Mark Wilson emailed me saying that the file was causing CIX
"adverse publicity" and requesting that it be "removed from the public
eye", neither this nor any other email from CIX has mentioned any "action
taken".

Do I take you to mean that CIX/Mark were responsible for this incident?

ian b


------------46------------
>>>cix.support/4internet 2503 ng(110)14Dec99 20:33 c2500*

I have forwarded your message to Mark with a request that he respond
directly by private email.


Nick
CIX


------------47------------
>>>cix.support/4internet 2533 ibell(476)15Dec99 13:50 c2503*

> I have forwarded your message to Mark with a request that he respond
> directly by private email.

I've had another email from Mark, this time threatening to "terminate the
contract with [me]" if I do not remove the file - I have done so.

But again, there is no reference to the previous removals of this file
from CIX.

I want to make it absolutely clear in this forum that I received no
notification or forewarning from CIX of either removal of this file.  

ian b


------------48------------
>>>cix.support/4internet 2538 colinc(21)15Dec99 16:09 c2533*

Par for the course.


------------49------------
>>>cix.support/4internet 3247 ibell(87)22Jan00 10:28 c2533*

Can you please confirm whether these file attacks were official CIX
action?  

ian b


------------50------------
>>>cix.support/4internet 2299 joz(190)6Dec99 23:24 c2282*

> a matter of great urgency

Should be done by phone. You should call support on 0845 355 5151 between
9 AM and 10 PM, Monday to Friday, or noon to 6 PM on Saturday and Sunday.

Jerry
CIX


------------51------------
>>>cix.support/4internet 2317 pukka(233)7Dec99 15:39 c2299*

If a break in of this severity was proved real, phoning
support during 'working' hours is not a solution. If someone
broke into CiX I would not like them rummaging around for 15
hours (6pm Sunday to 9am Monday) unmolested.

Andy

