Hacker claims to have obtained all of Linode's credit card information

US web hosting provider Linode e-mailed its users last Friday to say that it had detected suspicious intrusion activity and asked them to reset their passwords. Linode also said at the time that it had found no evidence that user data had been stolen. In stark contrast, the hacker claims to have obtained all of Linode's credit card numbers and password hashes. Latest news: code snippets and server directory listings have been made public by the hacker. (Linode actually kept the public key and the private key used to encrypt the credit cards together, which is painful to look at...)

This is the linode.log file from April 15. 'ryan_' is involved with HTP (a computer cracking collective).

TL;DR version:
05:10 < ryan_> https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc
05:11 < ryan_> if that's not proof I don't know what is

If you are a linode customer, I strongly suggest reconsidering. And changing your banking credentials.

05:05 < ryan_> Hey I can tell you
05:05 < ryan_> exact details of the attack
05:05 < ryan_> manager.linode.com was breached with a coldfusion exploit
05:05 < ryan_> it was compromised for a couple of weeks
05:05 < kyhwana> I hope they're using bcrypt/similar, etc.
05:05 < ryan_> we made a deal with linode staff not to share it
05:05 < ryan_> kyhwana: sha256crypt
05:05 < kyhwana> ryan_: god some proof?
05:05 < shmoon> "we"?
05:05 < kyhwana> s/d/t
05:05 < kyhwana> heh
05:05 < ryan_> they contacted law enforcement
05:05 < ryan_> broke the deal
05:05 < ryan_> kyhwana: the released database should serve as proof
05:06 < ryan_> We will also release the logs of the linode staff who participated in this deal
05:06 < shmoon> "WE"???
05:06 < shmoon> who is we?
05:06 < ryan_> of course they wouldn't have ever told you (customers) about it if we didn't tell them that we will release the data after we saw them contacting LE
05:06 < ryan_> does it matter who is "we"?
05:06 < ryan_> It's an entity I represent
05:07 < drclawski> of course it matters who you represent
05:07 < ryan_> you probably weren't targeted but doesn't stop us from releasing your credit card info since linode staff tried to fuck us over
05:07 < shmoon> hm
05:08 < drclawski> well, the way you talk right now I'm glad linode contacted law enforcement
05:08 < shmoon>
05:08 < gerryvdm_mbp> ah, could change back to my original password after intermediary one!
05:08 < Ruchira_> ryan_: got a link to that db where I can download it?
05:08 < Ruchira_> :*
05:08 < kyhwana> link 2 pastebin plz
05:09 < ryan_> Ruchira_: not yet
05:09 < mestri> this sounds so fishy
05:09 < shmoon> credit card details were leaked ?
05:09 < chesty> full of it
05:09 < ryan_> https://twitter.com/hacktheplanet
05:09 < ryan_> you can follow there
05:10 < ryan_> hey
05:10 < ryan_> lets prove it this way
05:10 < chesty> there's nothing there
05:10 < Ruchira_> ryan_: gimme the db or GTFO
05:10 < ryan_> https://bin.defuse.ca/hq0Ay8RzpKdR6vQwYxnmhc
05:11 < ryan_> if that's not proof I don't know what is
05:12 < mestri> hm i see.
05:12 < Ruchira_> wow someone can right click and view source O_o
05:12 < ryan_> Ruchira_: do you have the slightest idea on what you are talking about?
05:12 < Ruchira_> yup
05:12 < ryan_> well then, I wouldn't have the source code of any of those files, right?
05:13 < ryan_> and why would I have the y_key_57284cb2de704e02.html file name?
05:13 < kyhwana> why would there be random AMI bios ROMS in that htdoc?
05:13 < ryan_> I wouldn't have those either
05:14 < ryan_> I don't know
05:14 < scottymeuk> kyhwana: even linode has random shit lying around like the rest of us
05:14 < ryan_> ask linode staff
05:18 < ryan_> kyhwana: I just pasted admin hashes
05:18 < ryan_> that should be enough
05:19 < ryan_> and manager is on the same box as the main website
05:19 < kyhwana> So what? anyone can make up hashes
05:19 < ryan_> See http://www1.linode.com/manager/
05:19 < AlexC_> The best thing to do is to wait for an official response from Linode, a follow up to their blog post
05:19 < ryan_> kyhwana: yes and I can get all the files in their wwwroot?
05:19 < ryan_> give me a name of a file which source you want
05:21 -!- mode/#linode [+b *!*ryan@54.228.197.*] by akerl
05:21 -!- mode/#linode [+ntc ] by ChanServ
05:21 -!- ryan_ was kicked from #linode by akerl [ryan_]
05:22 < akerl> Sorry, I was busy nomming
05:24 -!- ssthormess [~c9f90a58@chat.linode.com] has joined #linode
05:24 < kyhwana> well, LEO involvement just imply CC breaches. If there's any chance of a CC breach, i'd like to know so I can change my CC number
05:24 < AlexC_> chesty: If they don't, they're stupid (and I don't like using that word to describe Linode after being with them for years!)
05:24 -!- ryan| [~violator@37.235.49.168] has joined #linode
05:24 < ryan|> quite rude of you
05:24 < Ruchira_> hi ryan!:
05:24 -!- azizur [~rahmaa09@gatek.mh.bbc.co.uk] has joined #linode
05:24 -!- mode/#linode [+b *!*@37.235.49.*] by akerl
05:25 < ssthormess> anyone works for linode here?
05:25 -!- ryan| was kicked from #linode by akerl [ryan|]
05:25 < chesty> and the cover up begins
05:27 -!- root__ [~h@vmx13318.hosting24.com.au] has joined #linode
05:27 -!- root__ is now known as ryan||
05:27 < chesty> http://seclists.org/nmap-dev/2013/q2/3
05:27 < ryan||> Quite rude out of you
05:27 < ryan||> To ban me like that
05:28 < ryan||> akerl: Mind sharing what motivated your bans on me?
05:28 < ryan||> Did I offend you by sharing the truth?
05:29 < ryan||> Hey, you didn't go by our deal. What did you expect?
05:30 < ryan||> I had a nice deal with linode staff that they don't share the fact that they got owned with anyone and we won't release info on their hack
05:30 < ryan||> (including customer credit cards)
05:30 < ryan||> which will now be released
05:30 < AlexC_> ryan||: This is best sorted between you and Linode, if you could just let this channel get on to normality and support users that'd be great
05:31 < ryan||> AlexC_: oh, but it's users data at stake here
05:31 < scottymeuk> ryan||: if your going to release it, then why are you here? Nothing we can do to stop you.
05:31 < ryan||> scottymeuk: why can't I stop by and talk
05:31 < ryan||> Is that illegal?
05:32 < ryan||> ssthormess: you don't care about the fact that it took linode staff about two weeks to tell their customers about the breach?
05:33 < ssthormess> ryanll: no. I work with Citibank Chase and Bank of America and all three have zero customer liability.
05:33 < Ruchira> ryan||: give us the link to cold fusion vulnerability that you are talking about
05:34 < ryan||> Ruchira: 0day
05:34 < ryan||> linode staff apparently failed to deduce it themselves and relied on chmodding CFIDE to 000
05:36 < ryan||> (It's surprising that anyone is still running coldfusion, that's like connection a windows 98 box to the internet without a firewall)
05:36 < ryan||> ssthormess: did you reset your instance api keys?
05:36 < ryan||> lish keys too?
05:36 < ssthormess> ryanll: how I do that?
05:37 < ryan||> Do you care about your data integrity?
05:37 < ryan||> would you mind if your linode was hacked?
05:37 < kyhwana> ohnoes, you have a public key!
05:37 < ryan||> kyhwana: lish passwords were stored in plain text
05:38 < ryan||> Last time I checked you couldn't disable password authentication
05:38 < ryan||> and linode staff didn't properly secure the screen setup lish uses so it allowed breaking out of lish to the host environment
05:38 < ryan||> so someone using the same node as you being compromised would be enough for your server to be compromised
05:38 < kyhwana> and who leaves a login into their box logged in on lish eh?
05:38 < ryan||> Does it matter when you can break out to the host environment?
05:39 < ryan||> And unless you changed your api key, someone can just change your boot configs to init=/bin/bash
05:40 < gerryvdm_mbp> lish passwords were saved in plaintext?
05:40 < ryan||> Yep
05:40 < ryan||> so were the api keys (which could at least have been hashed)
05:42 < ryan||> credit cards were encrypted, sadly both the private and public keys were stored on the webserver so that provides 0 additional security
05:42 < AlexC_> If this is true, which I'm guessing it is, it's like finding out a good friend of many years has betrayed you I deeply hope that Linode provide full transparency on this
05:42 < gerryvdm_mbp> are they hashed now?
05:42 < ryan||> AlexC_: did they provide any transparency on the previous hacks?
05:42 < ryan||> gerryvdm_mbp: probably not
05:43 < AlexC_> ryan||: Not entirely, which was just wonderful
05:43 < ryan||> I don't know, but seeing how long it took for linode staff to detect us. I doubt it
05:43 < gerryvdm_mbp> i can understand php script kiddies storing passwords as plaintext, but a hoster.... that would be quite shocking
05:43 < AlexC_> But if they don't give details this time, they are going to have to do something incredible to keep me as a customer
05:43 < ryan||> Well linode also had terribly configured coldfusion
05:43 < Ruchira> ryan||: I dont think linode would ever store lish passwords on plain text.
05:44 < ryan||> (adobe manuals tell you to not allow public access to /CFIDE/, which linode did)
05:44 < ryan||> Ruchira: oh but they did
05:44 < gerryvdm_mbp> ryan|| how do you know this?
05:44 < scottymeuk> gerryvdm_mbp: im pretty sure its one of the first things even script kiddies learn
05:44 < ryan||> Because I'm one of the people who hacked it?
05:44 < Ruchira> ryan||: proof?
05:45 < gerryvdm_mbp> you cant be a professional and not knowing how even hashing with salts is such a bad idea, but plaintext... that would be several levels of incompetence
05:45 < ryan||> The zine is scheduled to be released on the first of may which will contain the full database
05:45 < ryan||> Ruchira: I can get you the source code of the script that stores lish passwords
05:45 < ryan||> sec
05:45 < db> ryan||: which zine?
05:45 < ryan||> let me find it, coldfusion is horrible to read
05:45 < ryan||> db: htp5
05:47 < Ruchira> ryan||: first of the may? why?
05:47 < ryan||> Ruchira: due to other content
05:48 -!- ryan|| [~h@vmx13318.hosting24.com.au] has quit [autokilled: This host violated network policy. Mail support@oftc.net if you think this in error. (2013-04-15 09:48:28)]
05:48 < chesty> how has he violated network policy?
05:48 < shmoon> even i am wondering
05:49 < kyhwana> hacked box, obviously
05:49 < scottymeuk> Because they want to try and hide it?
05:49 < AlexC_> Not cool Linode, not cool
05:49 < shmoon> man even i am afraid now :S
05:49 -!- ryann [~25eb31a8@chat.linode.com] has joined #linode
05:49 < Ruchira> wow
05:49 < ryann> Why are people so rude nowadays
05:49 < ryann> glining me like that and stuff
05:49 < ryann> Well akilling, little difference
05:50 < chesty> someone doesn't want the truth to be known
05:50 < ryann> Generally having to ban users is a clear sign of incompetence by the staff
05:50 < AlexC_> Yep, which is *very* bad of Linode
05:51 < AlexC_> I understand they may not want someone to disclose details like this, but the details *need* to come out. If Linode don't do it themselves, then they are fools
05:51 < ryann> If linode had any way of proving that I'm not telling the truth they wouldn't be banning me
05:51 < ryann> they'd be calling me out
05:51 < chesty> ryann: so my linode has FDE, do you need to reboot in order to break in?
05:51 < Ruchira> all the staff should be eyeing on this chat right now lol
05:51 < mikegrb> lulz
05:51 < ryann> chesty, not necessary
05:52 < AlexC_> Ruchira: I assume due to the lack of their presence, they are all huddled around a table discussing this
05:52 < ryann> FDE will make it significantly harder, but you can still access the memory while it's running
05:52 < rww> except for mikegrb, who is diligently sitting here typing "lulz" every so often
05:52 < rww> (yes, I know)
05:53 < chesty> ah well, i made it harder, so I'm happy
05:53 < ryann> btw
05:53 < ryann> $dbhost = 'newnova.theshore.net';
05:53 < ryann> $dbname = 'linode_forums';
05:53 < ryann> $dbuser = 'linode';
05:53 < ryann> $dbpasswd = 'cfr41qa';
05:56 < ryann> gdi can't linode just use some normal language
05:56 < ryann> Their current source is horrible to read through
05:56 < Ruchira> ryann: the shore was abandoned long time ago. Im wondering why would they use that host name for a db host
05:57 < ryann> Ruchira, the forum is pretty old too
05:57 < ryann> phpbb2
05:57 < ryann> <cfif ListLen(cgi.script_name, "/") gt 2 AND ListGetAt(cgi.script_name, 2, "/") eq "linode" AND NOT ListFind("index.cfm,linode_edit.cfm, linode_resize.cfm,label.cfm,cancel.cfm,dc_choose.cfm,su.cfm,pastdue.cfm", ListGetAt(cgi.script_name, 3, "/"))> <cfinclude template="/members/linode/common /dsp_topNav.cfm"> </cfif>
05:57 < ryann> this code
05:57 < ryann> It's so dirty I feel bad reading it
05:58 < AlexC_> ryann: People have been bugging them to upgrade the forums for a long time
05:59 < ryann> I like how linode does stuff like this
05:59 < ryann> manager/controllers/Signup.cfc: var lsd = query("getLinodeSignupData", "SELECT FieldName, Fieldvalue FROM ln_LinodeSignupData WHERE LinodeSignupID = #ls.LinodeSignupID#").recordSet;
05:59 < ryann> var lsd
06:00 < AlexC_> ryann: So, are you saying CC details have also been compromised?
06:00 < ryann> Yep
06:00 < AlexC_> ryann: And you plan on releasing these?
06:00 < ryann> They did try to encrypt them, but using public key encryption doesn't work if you have the public and private key in the same directory
06:00 < AlexC_> Oh linode
06:00 < shmoon> please dont get me wrong, can you hack someone's box here? so that its completely proved or something, i need to get back to work too. dont hack mine.
06:00 < ryann> AlexC_, probably. Linode didn't hold on to their part of the deal
06:01 < AlexC_> ryann: Sure, but there is no reason to compromise so many people
06:01 < Ruchira> ryann: money deal?
06:01 < ryann> Ruchira, "We won't share if you don't share"
06:02 < ryann> But they contacted law enforcement, we were monitoring their communications and caught onto that though
06:02 < Ruchira> so whats the point of hacking linode then?
06:02 < ryann> Access to a couple of clients
06:02 < ryann> nmap was just funny
06:02 < Ruchira> bitcoin?
06:02 < ryann> If I wanted bitcoins, I'd have went after softlayer and got mtgox
06:02 < ryann> But money's boring
06:03 < scottymeuk> Money is boring, i agree.
06:03 < gerryvdm_mbp> bitcoin is money?
06:03 < ryann> Well, it's not
06:03 < scottymeuk> gerryvdm_mbp: naa
06:04 < ryann> But what would you do with it besides exchange it to money?
06:04 < scottymeuk> ryann: try to buy a linode on IRC
06:04 < gerryvdm_mbp> store it
06:04 -!- ryann [~25eb31a8@chat.linode.com] has quit [Quit: CGI:IRC]
06:05 -!- ryannn [~25eb31a8@chat.linode.com] has joined #linode
06:05 -!- brennannovak [~brennanno@67-5-163-45.ptld.qwest.net] has joined #linode
06:05 < ryannn> Bitcoins are quite useless, and besides storing bitcoins after stealing everything from mtgox would be pointless
06:05 < Ruchira> ryannn: for what kind of "content" that you are waiting for?
06:05 < ryannn> as bitcoin prices would permanently crash as the last bits of trust are gone
06:06 < ryannn> Ruchira, other targets
06:06 < Ruchira> to release it on may 1
06:06 < gerryvdm_mbp> only use i can think of it is exchanging pure services
06:06 < gerryvdm_mbp> but then again its an unnecessary layer
06:06 < scottymeuk> gerryvdm_mbp: if it ever got mainstream, governments would find a way to control it anyway, so its pointless
06:07 < gerryvdm_mbp> its a scheme, it cant get mainstream
06:07 < ryannn> Bitcoins are mostly a lie anyways
06:07 < scottymeuk> Regardless, if it got 'big', they would find a way
06:07 < ryannn> They say there's no 'central weak point'
06:07 < ryannn> Yeah there is, there's the developers
06:08 < ryannn> There's been bugs in the client that have allowed the blockchain to split previously
06:08 < ryannn> One could just backdoor the bitcoin client binaries, not the source.
06:08 < ryannn> Nobody would figure it out until it's too late
06:10 < scottymeuk> Id rather a bank control my money, so that if it all goes fucked up, there is at least someone to blame.
06:15 < gkmngrgn> hello, i forgot my password and linode's email reminder service doesn't work. i checked spam box but there's no email from linode.
06:15 < shmoon> ryannn: can you give him the password?
06:15 < scottymeuk> shmoon: damn you, you beat me to it!
06:23 < ryannn> shmoon, sorry I only have the sources on my server
06:23 < ryannn> db is on my desktop
06:24 < scottymeuk> ryannn: so your not in this to do large scale damage, only after a few clients?

Time: 2024-08-01 22:13:06
