From: efrank@ncsa.uiuc.edu (Beth Frank)
To: Todd_Nugent@mail.chapman.com
Date: Tue, 9 Jul 1996 10:16:38 -0500 (CDT)
Cc: www-security@ns2.rutgers.edu
In-Reply-To: <1996Jul08.142331.2919680611@mail.chapman.com> from "Todd_Nugent@mail.chapman.com" at Jul 8, 96 02:23:31 pm
Errors-To: owner-www-security@ns2.rutgers.edu

Todd,

Which version of the NCSA httpd were you using? Did he break in through
the server itself or a CGI script?

To the best of our knowledge the current server (1.5.2) and the previous
release (1.4) have no holes. We can't of course vouch for CGI scripts.
We have done some cleanup on some of the scripts packaged with the server.
It would be a good idea for anyone who installed 1.4 scripts to pick up
new copies.

-Beth

>
> Reply To: RE>>Need a Security Consultant 7/8/96 1:53 PM
> > I agree - you will be a *constant* target and they will *always* try to
> > get in - which makes the task of keeping the hackers at bay so difficult.
>
> > Some hackers will spend *years* going after a corporation.
>
> I can tell you this is true from a hacker I recently monitored who got into
> one of our sacrificial servers outside our perimeter network. He had a set
> of scripts that he ran every night checking every possible ip address in a
> set of corporate domains for most of the known unsecure versions of common
> software. It worked for him too. After 12 nights of not getting into a
> particular corporate network, they added a new machine which had NFS
> running and this guy was in with an IP spoofing NFS attack. It was an eye
> opener for me that adding a non-hardened machine for a single night is not
> just a risk, but a sure breakin! And of course this person used tools
> which left no traces in syslog, wtmp, etc. (He got in through our NCSA
> httpd server....you don't have to say it.)
>
> Todd

--
Elizabeth(Beth) Frank
NCSA Server Development Team
efrank@ncsa.uiuc.edu