
astalavista.com compromised

June 4, 2009

Anybody who’s had an interest in security over the last 10 years has probably heard of astalavista.net – kind of a clearinghouse for all sorts of security-related info, vulnerability announcements, etc.

Here’s a blow-by-blow transcript of their systems getting completely wiped out by someone who didn’t agree with their practices. The transcript is hosted on pastebin.com but was originally available as the index.html of the site itself.

It looks like they used custom code to exploit a hole in astalavista’s Litespeed webserver; googling the exploit used just brings up copies of the transcript itself.

This is probably the most brutal exploit transcript I’ve ever seen – see line 1839, where the exploiter, having found where the backups are being stored by trawling the admin’s .bash_history, FTPs there and deletes their offsite backups. (If your production system stores the FTP password or password-less SSH keys to your offsite backup server, exposed through your .bash_history no less, is it really offsite?)

astalavista is still down at the moment; I imagine they’ve scrambled to change all their passwords, shore up their exposure, and see if they can dig up a backup from anywhere.

It makes a pretty remarkable contrast with this recent How I Hacked Hacker News (with arc security advisory) account by someone who compromised Paul Graham’s news.ycombinator.com via some pretty painstaking research of system behavior – and then worked with Robert T. Morris (the Robert T. Morris) to get the issue fixed.