Freenode official comments on hacked irc servers.
Monday, 26 June 2006

Freenode is the largest FOSS (Free and Open Source Software) IRC network, and hosts many official support channels, including those for Debian, Gentoo and other software with large user bases.

One of freenode's servers was compromised, and an intruder was able to cause various forms of havoc, including klining many users and staff. The staff reported that they believe about 25 nickserv passwords were compromised during a limited time window on Sunday.

Rumors are that the main O:LINES were not restricted by IP, allowing anyone from any host to try to authenticate as an admin, and this is believed to be the initial vector for the takeover...
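A configuration audit for the weakness described in that rumor, as an added example that is not part of the original article and not Freenode's own configuration or tooling. It assumes the classic colon-delimited ircd.conf layout `O:user@host:password:oper-name:flags:class`; the sample file, names and placeholder values are constructed.

```python
import ipaddress

# Constructed sample, not a real server configuration.
# Assumed field layout: O:user@host:password:oper-name:flags:class
# (IPv4 only here, because IPv6 literals would clash with the ':' separator).
SAMPLE_CONF = """\
# constructed example ircd.conf fragment
M:irc.example.net:*:Example server
O:*@*:PLACEHOLDER_HASH:admin1:FLAGS:CLASS
O:alice@192.0.2.10:PLACEHOLDER_HASH:alice:FLAGS:CLASS
O:*@*.example.org:PLACEHOLDER_HASH:bob:FLAGS:CLASS
O:carol@198.51.100.0/24:PLACEHOLDER_HASH:carol:FLAGS:CLASS
"""


def classify_mask(mask):
    """Classify the host part of an oper mask.

    'open'   : matches every host, so the oper password is the only barrier
    'broad'  : contains wildcards but is limited to some domain or range
    'pinned' : a literal address, CIDR block or host name
    """
    host = mask.rsplit("@", 1)[-1]
    # A host made only of wildcards and dots ("*", "*.*", "") matches anything.
    if host.strip("*?.") == "":
        return "open"
    if "*" in host or "?" in host:
        return "broad"
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return "pinned"          # literal host name
    # A /0 network is the CIDR spelling of "any host".
    return "open" if net.prefixlen == 0 else "pinned"


def audit_olines(conf_text):
    """Return (line number, oper name, classification) for every O: line."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("O:"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            findings.append((lineno, "?", "malformed"))
            continue
        mask, name = fields[1], fields[3]
        findings.append((lineno, name, classify_mask(mask)))
    return findings


if __name__ == "__main__":
    for lineno, name, verdict in audit_olines(SAMPLE_CONF):
        print(f"line {lineno}: oper {name!r} host mask is {verdict}")
```

Any entry reported as `open` lets a client on any host attempt oper authentication, which is the condition the rumor describes.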

The log below is from the IRC channel where Freenode staff and users were discussing the incident...



./ratbert.log---- Log opened Sat Jun 24 20:45:03 2006
./ratbert.log-= 20:45:03[notice(ratbert!i=ratbert@freenode/staff/pdpc.levin)] [Global notice] I am a fat asshole, who loves abuse, die
./ratbert.log:= 20:45:14[notice(ratbert!i=ratbert@freenode/staff/pdpc.levin)] DCC SEND YOUAREALLJUDENLOL
./ratbert.log---- Log closed Sat Jun 24 20:51:02 2006
---------------------------------------------------------------------------------------------------------------------------
--- Log opened Sun Jun 25 20:10:47 2006
= 20:10:49Irssi: #freenode-moderated: Total of 552 nicks [1 ops, 0 halfops, 0 voices, 551 normal]
= 20:11:13Irssi: >>> Join to #freenode-moderated was synced in 26 secs
= 20:11:33<   Astinus> ANNOUNCEMENT:   Please guys, don't ask me questions in /msg. I'm going to voice people in order, that's all... HedgeMage will be handling your questions, I've already had like 50 new windows open ... Just ask and I'll voice you when it's your turn, don't expect a response until that time!
= 20:13:17Irssi: #freenode-moderated: Total of 619 nicks [1 ops, 0 halfops, 0 voices, 618 normal]
= 20:13:22<   Astinus> As I just said folks, don't ask me questions in your /msg. All I want to know is you're wishing to question HedgeMage after we get started, I'll voice you in order!
= 20:15:27             HedgeMage waits for the scroll to quiet.
= 20:16:18<   Astinus> Well, I just passed my previous record for windows open in Irssi ;)   Once again, just let me know you've got questions and wish to be queued (and conversely, if you wish to be removed from queue) and I'll +v you when the time is right!  No questions in /msg please, HedgeMage will take them very soon!
= 20:17:16< HedgeMage> I'll advise everyone to please ignore joins and parts... I don't expect this to slow down for a while
= 20:17:22< HedgeMage> we plan to start soon anyway
= 20:19:29                 Astinus sets +o HedgeMage
= 20:20:45<   Astinus> If you're running Irssi and want to ignore joins/parts/quits to keep the scrolling down, please /ignore #freenode-moderated JOINS PARTS QUITS
= 20:20:53<   Astinus> We're about to begin, start your engines!
= 20:21:35<@HedgeMage> Okay, folks.  I'm going to restate what's already gone out in case anyone missed it, and then we will begin taking questions
= 20:22:28<   Astinus> A helpful user says  /ignore *!*@*  NOTI will work for our X-Chat users :)
= 20:23:18<@HedgeMage> Last night, one of freenode's servers was compromised, and an intruder was able to cause various forms of havoc, including klining many users and staff.
= 20:24:02<@HedgeMage> We are currently investigating our security situation, and cannot give out any technical details until our investigation is complete.
= 20:25:14<   Astinus> * For server, one may substitute "staffer account".
= 20:25:20<  christel> thank you Astinus
= 20:25:52<@HedgeMage> We believe that <25 nickserv passwords were compromised during a limited window, but all concerned individuals are encouraged to change their nickserv passwords just in case.
= 20:25:57<@HedgeMage> thanks, Astinus
= 20:27:14<@HedgeMage> We'll open up the floor for questions, one at a time, in a moment.  Please keep your question concise, and type it ahead of time so we can move as quickly as is practical.
= 20:28:18                 Astinus sets +v alex323
= 20:28:23<+  alex323> Are the passwords in the services databases encrypted and/or hashed? What steps are you doing to prevent such an event from occurring again?
= 20:28:45<+  alex323> Are proper Q:lines in place to prevent users from spoofing services nicks?
= 20:29:43<+  alex323> In the event that this needs to be reported to a higher authority, what should we say
= 20:30:04<+  alex323> What kinds of investigations are going on?
= 20:30:21<@HedgeMage> Passwords are stored as hashes, and we will have more information on specific new security measures as they are implemented.
= 20:30:23<+  alex323> What are the consequences for those found responsible?
= 20:30:33<@HedgeMage> alex323: I asked for concise, please.
= 20:30:37<@HedgeMage> Others will want turns, too
= 20:30:42<+  alex323> Understood.
= 20:30:51                 Astinus sets -v alex323
= 20:30:57<   Astinus> We'll answer those questions, then move on. Thanks alex323
= 20:31:25<@HedgeMage> q-lines are in place, but this intruder could have overridden them.
= 20:32:23<@HedgeMage> I'm not going to itemize security evaluations that are still in progress, as that would compromise our work.
= 20:33:09<@HedgeMage> Regularly changing your nickserv/chanserv pw is a good security practice, and something you can do to help your channel and nick remain secure.
= 20:33:24                 Astinus sets +v emes
= 20:34:14<+     emes> Is there any credibility to the claims that hackers from EFNet were responsible?
= 20:34:15<@HedgeMage> emes: are you ready?
= 20:34:25                 Astinus sets -v emes
= 20:35:59<@HedgeMage> We are not releasing our suspect list, but we have some reasons to expect that bantown or GNAA may have been involved.
= 20:36:32                 Astinus sets +v taoist
= 20:36:40<+   taoist> DCC SEND welcome-our-new-gnaa-overlords 0 0 0
= 20:36:42<+   taoist> Thank you.  Now that the sale of Freenode to the GNAA is complete, what new changes can we expect to see?
= 20:36:47                 Astinus sets -v taoist
= 20:37:13                 Astinus sets +v fugi
= 20:37:50<   Astinus> Sorry about that folks, even more indication that muppets from the GNAA might be involved ;)
= 20:38:04             HedgeMage chuckles
= 20:38:10<   Astinus> Can people please have their questions typed and ready, so that when voiced, things move faster?
= 20:38:46                 Astinus sets -v fugi
= 20:38:55                 Astinus sets +v aka_druid
= 20:39:34             Astinus looks at his watch
= 20:39:44<@HedgeMage> next?
= 20:39:44                 Astinus sets +v Naconkantari
= 20:39:44<+aka_druid> oh, I wanted to ask about the passwords being compromised, if you are going to put in some announcement
= 20:39:51                 Astinus sets -v aka_druid
= 20:40:02             Astinus thinks this constitutes an announcement :)
= 20:40:17<+Naconkant> Is this type of attack over for now, or can we expect more in the future?
= 20:40:26                 Astinus sets -v Naconkantari
= 20:41:29<@HedgeMage> We believe this attack to be over, but future attacks are always possible...
= 20:41:55                 Astinus sets +v Mark_Ryan
= 20:41:55<+Mark_Ryan> For those of us who aren't intimately aware of the workings of IRC servers, is there a way we can identify to ChanServ that doesn't involve an /msg? Can we use the server password field? Or an /identify server-side alias?
= 20:42:05                 Astinus sets -v Mark_Ryan
= 20:42:28<   Astinus> Mark_Ryan: Provide your password upon connect, it'll be securely passed to NickServ
= 20:43:07<   Astinus> Mark_Ryan: Also, /quote NickServ is an alternative to /msg. It'll more ably handle Services being down/spoofed.
= 20:43:11<       Rez> also, /ns and /cs are server commands (may need to be prefixed by quote, ie /quote ns) that direct commands to them
= 20:44:03                 Astinus sets +v Ziggy
= 20:44:06<+    Ziggy> Did the so-called "hackers" have access to the filesystem? Is it possible they downloaded any services data? People with dictionary passwords might be interested, even if it is hashed.
= 20:44:24                 Astinus sets -v Ziggy
= 20:46:27<@HedgeMage> Our hashes are salted MD5, rainbow tables won't work... it would be very CPU intensive to attack each one, even if the whole thing were compromised (which, at this time, we don't think is the case)
= 20:46:31<@HedgeMage> We again remind you that you can help yourself by regularly changing passwords
= 20:46:57                 Astinus sets +v Tompkins
= 20:46:57<+ Tompkins> What evidence - besides the events that took place right now - do you have against the GNAA?
= 20:47:13                 Astinus sets -v Tompkins
= 20:48:00<@HedgeMage> We're not releasing any information about the results of forensic examination or other investigations, whether that data implicates or exonerates the GNAA.
= 20:48:14                 Astinus sets +v ardinary
= 20:49:19                 Astinus sets -v ardinary
= 20:49:29                 Astinus sets +v trelane
= 20:50:08<   Astinus> trelane: Got a question? :)
= 20:50:20<+  trelane> no dunno why I was voiced I'm busy elsewhere, sorry
= 20:50:31                 Astinus sets -v trelane
= 20:50:34<   Astinus> That was unexpected, he had /msg'd me :)
= 20:50:50                 Astinus sets +v nenolod
= 20:50:52<+  nenolod> ok, two questions:
= 20:50:53<+  nenolod> m_services.c says:
= 20:50:53<+  nenolod>   if (IsHoneypot(sptr) || !(acptr = find_person(NICKSERV, NULL)))
= 20:50:53<+  nenolod> so does /quote NickServ really provide any real protection?
= 20:50:55<+  nenolod> and
= 20:51:16<+  nenolod> bantown says they are sniffing packets at a place where a freenode server is located, any comment on this would be nice :)
= 20:51:33                 Astinus sets -v nenolod
= 20:52:19<   Astinus> nenolod: We don't believe (at this time) that bantown is capable of sniffing traffic from any of our sponsors. It's possible they're upstream somewhat, but OSUOSL (our main sponsor) are usually pretty good about network security.
= 20:52:55<   Astinus> nenolod: Regarding the m_services.c question, I'm not a coder, I had understood /quote NickServ to be more secure but will defer to your superior knowledge on that one :)
= 20:53:11                 Astinus sets +v WhiteNoise
= 20:53:18<@HedgeMage> My apologies, I had to step out a moment (minor parenting emergency)
= 20:53:19<+WhiteNois> You mention that you believe that < 25 users had their passwords compromised.  How did you arrive at this estimate?  How much confidence should we place in that low a figure?
= 20:54:15                 Astinus sets -v WhiteNoise
= 20:54:53<@HedgeMage> WhiteNoise: there was a small window between the time that nickserv went down and our servers stopped accepting connections. While >25 is only an estimate, we are fairly confident that it is accurate. That said, it is quite easy to change your password so you *know* you are safe.
= 20:55:25             Astinus notes that's <25 not >25 ;)
= 20:55:36<@HedgeMage> ack sorry
= 20:55:38<@HedgeMage> BAD typo
= 20:55:41                 Astinus sets +v richjkl
= 20:56:56                 Astinus sets -v richjkl
= 20:57:02                 Astinus sets +v blackmanheartiez
= 20:57:35<+blackmanh> HY MOM, IM ON TV. GUYS I HAVE TO MAKE IT CLEAR. GNAA DID NOT HACK THIS, IT WAS PSEUDO USER DEPAKOTE MORE AT WWW.MYSPACE.COM/PHOTOSHOP
= 20:57:36<+blackmanh> DCC SEND welcome-our-new-gnaa-overlords 0 0 0
= 20:57:37<+blackmanh> BYE
= 20:57:38<+blackmanh> LOL
= 20:57:39<+blackmanh> DCC SEND welcome-our-new-gnaa-overlords 0 0 0
= 20:57:39<+blackmanh> DCC SEND welcome-our-new-gnaa-overlords 0 0 0
= 20:57:43                 Astinus sets -v blackmanheartiez
= 20:57:51<   Astinus> Sorry about that
= 20:57:59                 Astinus sets +v DosBubba
= 20:58:18<+ DosBubba> 'Grats out to the GNAA for their newly acquired property, irc.vaccus.com #chat . /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
= 20:58:18<+ DosBubba> I would like to thank Freenode for taking the time to gather the whole of IRC, it has been our pleasure to take part in such a trolling opportunity.
= 20:58:21<+ DosBubba> Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join. !startkeygen
= 20:58:21<+ DosBubba> IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
= 20:58:21<+ DosBubba> Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
= 20:58:22<+ DosBubba> IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
= 20:58:25<+ DosBubba> Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
= 20:58:32             Astinus sighs
= 20:58:46                 HedgeMage sets -v DosBubba
= 20:58:51                 Astinus sets +v dorphell
= 20:59:43                 Astinus sets -v dorphell
= 20:59:55                 Astinus sets +v hoopydink
= 21:01:09<@HedgeMage> next?
= 21:01:15                 Astinus sets -v hoopydink
= 21:01:29                 Astinus sets +v JapaneseGangster
= 21:01:33<+JapaneseG> What are the consequences of this event?  ie. Will access be limited for certain parties?
= 21:01:49                 Astinus sets -v JapaneseGangster
= 21:02:42<@HedgeMage> JapaneseGangster: While we can't, right now, comment on security measures that aren't in place yet, we need to assess our vulnerability and whether a crime was committed.  We don't, at this time, have evidence of enough damage for that to be the case.
= 21:03:00                 Astinus sets +v nalbright
= 21:03:00<+nalbright> have you considered opening up an SSL port on the servers to help cut down on sniffing?
= 21:03:12                 Astinus sets -v nalbright
= 21:04:13<@HedgeMage> nalbright: At this time, not all of our servers are dedicated to freenode only, so that is not possible.  We hope to acquire more dedicated servers in the future so we can offer that feature.
= 21:04:33                 Astinus sets +v avillia
= 21:04:39<+  avillia> Two things: 1. What sort of additional fallout has the Slashdot article caused, and 2, What was up with staff members asking for donations via global notice as the attack (+ cleanup) was still happening? Thanks in advance.
= 21:04:41<+  avillia> Also: <GNAA joke/plug>.
= 21:04:50                 Astinus sets -v avillia
= 21:05:44<@HedgeMage> The slashdot article didn't cause any real fallout until someone told me about it, I read the comments, and annoyed my husband by rolling my eyes at the less intelligent ones.
= 21:05:50<@HedgeMage> ;)
= 21:06:10                 Astinus sets +v Jin
= 21:06:10<+      Jin> What do you think the motive or purpose of the attack was?
= 21:06:24                 Astinus sets -v Jin
= 21:06:40<@HedgeMage> As I answered to nalbright's question, we are trying to get more dedicated servers to increase security, asking while security is an issue, we hoped, would be a wake-up for potential donors.
= 21:06:55<@HedgeMage> Jin: we're still assessing that, and can't comment right now.
= 21:07:34                 Astinus sets +v Link
= 21:08:09<@HedgeMage> Re: the notice regarding donations, lilo has asked me to apologize if anyone was offended
= 21:08:36<@HedgeMage> link?
= 21:08:44<@HedgeMage> next?
= 21:08:53                 Astinus sets -v Link
= 21:08:58                 Astinus sets +v openbysource
= 21:08:58<+openbysou> all i want is voice at freenode-social. why don't you guys give us voice on joining freenode-social. why does it take so long for you guys to give us voice. please be fast man. we need to wait sometimes sometimes around more than 3 hours. if you guys are working around with these security issues it's okay but do take care of freenode-social keep that thing going man.please try give us voice as fast as u can don't make it too
= 21:08:58<+openbysou>  long. take for example right now so many of us in the  queue at freenode-social.
= 21:09:06                 Astinus sets -v openbysource
= 21:09:07             <<< openbysource [Idiot.] kicked by Astinus
= 21:09:45                 Astinus sets +v SushiGeek
= 21:10:23<   Astinus> SushiGeek: Got a question mate?
= 21:10:51<+SushiGeek> woah
= 21:10:52<+SushiGeek> Yes I do
= 21:10:56             Astinus smiles
= 21:11:05<+SushiGeek> Are you taking any measures to prevent this kind of thing from happening in the near future?
= 21:11:14                 Astinus sets -v SushiGeek
= 21:11:57<@HedgeMage> SushiGeek: Thank you for your concern, but as I said before we'll release information on new security measures when possible, as they are implemented.
= 21:12:38<   Astinus> RE: The question about #freenode-social  ::  It's a social channel, not a method of gaining support on the network. We'll voice you when we notice, please don't bug us about it. /stats p or /who freenode/staff/* for contacting people who can help with problems!
= 21:12:49                 Astinus sets +v nf
= 21:12:49<@HedgeMage> :) thanks Astinus
= 21:12:51<+       nf> Do you have any reason to believe that there may be an insider providing information to various outside parties, that could be a threat?
= 21:12:59                 Astinus sets -v nf
= 21:13:34<@HedgeMage> I'm sorry, nf, but as I've said, discussing our security assessments right now is not prudent.  We're still working on gathering all of the information we can.
= 21:13:49                 Astinus sets +v Teratogen
= 21:13:50<+Teratogen> was the FBI contacted and are they participating in the investigation of this incident?
= 21:14:07<@HedgeMage> see my last answer... can't comment now.
= 21:14:12<+Teratogen> thanks
= 21:14:17                 Astinus sets -v Teratogen
= 21:14:27<   Astinus> Guys - please don't ask questions similar to ones previously asked.
= 21:14:37<@HedgeMage> Since most of these seem to be repeats, we're going to close for now.  I'd like to reiterate that we encourage all concerned users to change passwords
= 21:15:03<   Astinus> We can't comment on matters of security, anything said might taint investigations by any law enforcement authorities in the near future. We are looking into this, we are serious about finding the root cause of this, and we have your security in mind.
= 21:15:37<   Astinus> With that said - now's a good time to change those passwords ;)   We do believe <25 accounts may have had their NickServ account password compromised, change it now - end of problem.
= 21:15:43<@HedgeMage> Please set /mode yournick +w if you would like to see the announcement when we do this again.
= 21:16:10<   Astinus> This room will go -m shortly, so ya'll can chat before we have another session.
= 21:16:23<@HedgeMage> try not to get blood on the carpet ;)
= 21:16:34<   Astinus> Or we'll send in the cleaners, with pointy brooms ;)
= 21:18:30                 Astinus sets -o HedgeMage
= 21:18:33                 Astinus sets -m
= 21:18:33<   nunsoup> DCC SEND "startkeylogger" 0 0 0
= 21:18:33<  b33fc0d3> O.o
= 21:18:33< Naconkant> ceiling cat is watching you.
= 21:18:33< QuantumBe> (o__o)
= 21:18:33<         J> BACON
= 21:18:34             bureado hugs channel
= 21:18:34<   enderst> heh
= 21:18:34<   snorkle> !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
= 21:18:35<   Mulvane> Now with this attack, auto identification isn't so wise. This brings into question rejoins to channels that require a user to be identified or be forwarded to #please-register. Could this behavior be modified to allow member to join, but put in a +q mode so they can't speak, change nick or anything like the moderated channels? Or maybe a way to track a last connection in case of random disconnects and joins to reallow the
= 21:18:35<   latvian> wow, Astinus, that was very rude of you. i was one of the first persons in here and you completely ignored me.
= 21:18:35<  WeblionX> First blood! :)
= 21:18:35<     rooly> spam
= 21:18:35<     rooly> spam
= 21:18:35<     rooly> spam
= 21:18:35<     rooly> spam
= 21:18:35<     rooly> spam
= 21:18:35< jeebusmob> wewt
= 21:18:35<   snorkle> !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
= 21:18:35<   snorkle> !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
= 21:18:35<   ShaunES> What a farce. "LOL WE CAN'T COMMENT".
= 21:18:35< StoneCyph> During what time period were nickserv passwords compromised, for those of us who know at what times we'd logged in and who are reluctant to change passwords unless necessary?/join #freenode
= 21:18:35<   snorkle> !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
= 21:18:35<   Eidolos> omg deluge
= 21:18:35<   snorkle> !!!!!!LOLDONGS!!!!!VIVA EL CHE!!!!!!LOLDONGS!!!!!
= 21:18:36<  DosBubba> 'Grats out to the GNAA for their newly acquired property, irc.vaccus.com #chat . /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join.
= 21:18:36<  DosBubba> I would like to thank Freenode for taking the time to gather the whole of IRC, it has been our pleasure to take part in such a trolling opportunity.
= 21:18:36<  DosBubba> Remember: /server -m irc.vaccus.com -j #chat Attacks will continue if you don't join. !startkeygen
= 21:18:36<  DosBubba> IRC was founded on the principles of trolling, and we thank Freenode from the bottom of our hearts for carrying the fine tradition into the 21st century - hopefully beyond.
= 21:18:36<  bitplane> wooo
= 21:18:39                 lilo sets +m
= 21:18:41<      lilo> got to love that
= 21:18:42                 lilo sets +i
= 21:18:44< HedgeMage> so much for that.
= 21:18:48             <<< DosBubba [Bye] kicked by Astinus
= 21:19:02<   Astinus> some people need to grow up :/


Comments Index (Total Messages: 1)
me don't know Written by Rachel on 2007-01-25 23:56:15
