by gmazzola 6217 days ago
Page as it appeared on June 5, 2009 12:15AM EDT: http://pastebin.com/f751e9f5b

The post is a little low on details concerning the actual exploit used, but there's pretty massive carnage. Let's hope the admins have offsite backups.

For those who don't know of Astalavista, it was a popular website for "hackers" with relatively low-quality content. It started in 1994, and was one of the first search engines for computer security information. It hosted software exploits, and quickly degenerated into a forum for sharing software cracks, spyware, and virii.

Being a security-related website, you'd expect the owners to be a little more careful, which is why this is interesting.


They did have off-site backups, which the hacker found and erased.

One strategy that I employ to mitigate this is to have my backup service connect to the production server, rather than the other way around. That way if your production services are compromised, your backups remain untouched (on a machine that's running no services, behind a firewall, etc, and for all intents invisible).

We use tarsnap (http://www.tarsnap.com) to handle our offsite backups. If you give your production servers write only keys you can mitigate this risk (and not send your backups across the wire in the clear).

I thought the typical definition of offsite backup also means data is backed up to a media like tape and stored in a different location.

How is your offsite backup implemented? Is the data stored on a network drive, or backed up to tape?

My understanding is that an offsite backup is, as the name implies, a backup that is stored at a geographically separate location to your production site.

I have a few servers deployed at various locations around the world, and I have a machine here at home that performs rsnapshot daily backups of their files. I then make bi-monthly backups of those backups, and store them in a safety deposit box at a bank. This means that if my servers go down, I can restore them to within a day. If my house burns down, I still have my data to within two weeks.
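The pull-style arrangement described in the comments above (the backup host connects to production, production holds no credentials for the backup store, and each day's snapshot is kept as a separate directory) can be sketched in a few dozen lines. The following is an added example written for this discussion, not code from any commenter, rsnapshot or tarsnap. It assumes the production tree is reachable as a local path (in a real deployment the backup host would fetch it over SSH or a read-only mount) and uses constructed sample files; the `pull_snapshot`, `prune` and `demo` names are hypothetical.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import List


def _same_content(a: Path, b: Path) -> bool:
    """Cheap rsync-style check: identical size and mtime means 'unchanged'."""
    sa, sb = a.stat(), b.stat()
    return sa.st_size == sb.st_size and int(sa.st_mtime) == int(sb.st_mtime)


def pull_snapshot(source: Path, store: Path, label: str) -> Path:
    """Create store/<label> from `source`, pulled by the backup host.

    Unchanged files are hard-linked to the previous snapshot, so a snapshot
    costs only the bytes that changed. Changed files get a fresh inode, which
    is what keeps earlier snapshots intact if production is later tampered with.
    Labels must sort chronologically (e.g. ISO dates) for `previous` to be right.
    """
    snapshots = sorted(p for p in store.iterdir() if p.is_dir()) if store.exists() else []
    previous = snapshots[-1] if snapshots else None
    dest = store / label
    dest.mkdir(parents=True, exist_ok=False)
    for src in source.rglob("*"):
        rel = src.relative_to(source)
        out = dest / rel
        if src.is_dir():
            out.mkdir(parents=True, exist_ok=True)
            continue
        out.parent.mkdir(parents=True, exist_ok=True)
        prev = previous / rel if previous is not None else None
        if prev is not None and prev.is_file() and _same_content(src, prev):
            os.link(prev, out)          # share the inode; we never write through it
        else:
            shutil.copy2(src, out)      # new inode; older snapshots are untouched
    return dest


def prune(store: Path, keep: int) -> List[str]:
    """Delete the oldest snapshots beyond `keep` and return the names removed.

    Because changed files never share inodes, removing an old snapshot cannot
    damage a newer one; shared (unchanged) files survive via their link count.
    """
    snapshots = sorted(p for p in store.iterdir() if p.is_dir())
    removed = []
    for old in snapshots[:-keep] if keep > 0 else snapshots:
        shutil.rmtree(old)
        removed.append(old.name)
    return removed


def demo() -> dict:
    """Two daily pulls with one file altered in between (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="pullbackup-"))
    prod, store = root / "production", root / "snapshots"
    (prod / "etc").mkdir(parents=True)
    (prod / "etc" / "config").write_text("listen 80\n")
    (prod / "index.html").write_text("<h1>site</h1>\n")
    pull_snapshot(prod, store, "2009-06-04")
    (prod / "index.html").write_text("<h1>defaced</h1>\n")   # simulated tampering on production
    pull_snapshot(prod, store, "2009-06-05")
    result = {
        "config_shared": os.path.samefile(store / "2009-06-04" / "etc" / "config",
                                          store / "2009-06-05" / "etc" / "config"),
        "day1_index": (store / "2009-06-04" / "index.html").read_text(),
        "day2_index": (store / "2009-06-05" / "index.html").read_text(),
        "pruned": prune(store, keep=1),
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the direction of the connection is visible in the code only by what is absent: nothing on the production side knows where `store` lives, so a compromised production host has nothing to delete. The bi-monthly offline copy to a deposit box is the same idea one step further out, and the hard-link layout above is what makes daily snapshots cheap enough to keep many of them.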

That's pretty much how it should be done. Let's hope the guys at astalavista are smart enough to do that. Your approach adds an additional layer of protection in case, as you'd put it, someone gets into your home server and deletes them. That, and tapes are less likely to get corrupted or become unreadable than the drives on your server, which may cut down on recovery time.

When your business gets bigger, it might be worth it to look into dedicated hosting and have the datacenter do the backup for you. After all, you want to spend your time managing your IT crew, rather than driving those tapes to the bank :)

Definitely a much better method of handling backups. Completely agreed.

What's the point in offsite backups (for security reasons) if they're connected over network connections?

Physical security, i.e. protection against fires, floods and comets, etc.

It looks like they first buffer overflowed Litespeed to spawn a shell (which was ironically running as a user 'apache'). The http headers that are being returned from Astalavista are consistent with this theory (in addition to the obvious output of the first binary run). Apparently Litespeed has a pretty dodgy security record after doing a cursory search.

Far more interesting was the root escalation exploit. 2.6.18 is a relatively recent kernel, and I haven't heard of exploits publicly disclosing something of that caliber. Has anyone seen anything on securityfocus/bugtraq/milw0rm etc regarding this?

There's a nasty bug in the vmsplice() syscall in anything from 2.6.17 to 2.6.24.1. Exploits have been public since early 2008.

http://www.milw0rm.com/exploits/5092

http://www.milw0rm.com/exploits/5093

One of the files on their server is an exploit for that vulnerability. If they know about it, I would guess they aren't vulnerable, but who knows.

Good point. The kernel version in the transcript looks like the version I've got on a CentOS machine, so it's probably patched. Interestingly, the strings ("r00tr00t", "Executing shell") from the local-root tool they're using don't appear anywhere online, suggesting that it's something private and potentially unknown.

Maybe it's just not indexed.

It's easy to modify strings in a simple C function/program. That's all that would be needed to modify and display the "r00tr00t" etc you are mentioning.

The version string "2.6.18-128.1.10el5" is exactly what CentOS 5.3 shows (toy VM I installed last week, updated to May 31, no updates today). They may have turned off SELinux for convenience ...

[P.S. my VM is 32 bits, because VirtualBox has an issue with 64 bit CentOS 5.3 and AMD PhenomIIs: http://www.virtualbox.org/ticket/3927 ]
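The exchange above makes a point defenders run into constantly: the upstream range quoted for the vmsplice() bug (2.6.17 through 2.6.24.1) says nothing on its own about a distribution kernel such as "2.6.18-128.1.10el5", whose base version falls inside the range but which carries vendor backports. The following is an added example, not code from any commenter, showing how a version triage routine should separate "inside the upstream range" from "actually vulnerable". The `KNOWN_BACKPORTED` table is constructed for the example (a real one would be filled from the vendor's errata), and the function names are hypothetical.

```python
import re
from typing import Optional, Tuple

# Upstream range given in the thread for the vmsplice() bug: 2.6.17 through 2.6.24.1.
VULN_LOW = (2, 6, 17, 0)
VULN_HIGH = (2, 6, 24, 1)

# Constructed for this example: distro builds believed to carry a backported fix.
# In practice this comes from vendor errata, not from guessing by base version.
KNOWN_BACKPORTED = {
    "2.6.18-128.1.10el5": "assumed patched via vendor backport (example data)",
}


def parse_kernel_version(s: str) -> Tuple[Tuple[int, int, int, int], Optional[str]]:
    """Split '2.6.18-128.1.10el5' into ((2, 6, 18, 0), '128.1.10el5').

    The fourth numeric component defaults to 0 so that 2.6.24 sorts below 2.6.24.1.
    Everything after the first '-' is the distribution's own release tag.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-(.+))?$", s.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {s!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3)),
            int(m.group(4)) if m.group(4) else 0)
    return base, m.group(5)


def assess(s: str) -> str:
    """Classify a uname -r string against the upstream vulnerable range.

    Returns one of:
      outside_upstream_range   base version not in [VULN_LOW, VULN_HIGH]
      patched_by_backport      distro build listed as carrying the fix
      in_range_verify_backport distro build in range; check vendor errata
      in_range_vanilla         plain upstream kernel in range; treat as vulnerable
    """
    base, distro_tag = parse_kernel_version(s)
    if not (VULN_LOW <= base <= VULN_HIGH):
        return "outside_upstream_range"
    if s.strip() in KNOWN_BACKPORTED:
        return "patched_by_backport"
    if distro_tag:
        return "in_range_verify_backport"
    return "in_range_vanilla"


if __name__ == "__main__":
    for v in ("2.6.18-128.1.10el5", "2.6.18-8.el5", "2.6.22", "2.6.24.2", "2.6.16"):
        print(f"{v:22} {assess(v)}")
```

The useful outcome is the third state: a distro kernel inside the upstream range should trigger a lookup against the vendor's advisories, never an automatic "vulnerable" or "safe" verdict from the version number alone, which is exactly the reasoning the CentOS comment applies by hand.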

I'm thinking I was not the only one reading the title as altavista.com and I was really shocked.

Thanks for the background info on the site.

I definitely read "altavista" at first too, having never heard of astalavista until now.

Why do you think they called it like that? It was founded in the early 90's and altavista was "the" thing. I remember going there and learning about trojans, debuggers and disassembly as a kid.

Offtopic, but please, don't use 'virii'. The correct plural is 'viruses'. 'Virii' is wrong for two reasons:

1) The Latin plural of a word ending in -us is not -ii. -i at best.

2) 'Virus' doesn't have a Latin plural, because its meaning is like (in the sense of not having a plural) 'sand': it already denotes a multitude.

Being a Latin geek myself I can't help but point out that nouns in the fourth declension (u stem) also end in -us in singular and receive an -us affix in plural as well.

"Virus" is however, in the second declension (virus -i n. "slime, poison, goo") with the oddity of being neutral while having a second declension -us ending which is normally a feature of masculine nouns. And indeed, its plural would be "viri".

Neuter nouns of the second declension don't generally have plurals that end in -i, but rather in -a, so "vira" would be equally possible.

It's also important to note that scholars don't actually know the proper plural of virus because they haven't really found one in extant literature.

Wikipedia has a longer discussion at http://en.wikipedia.org/wiki/Plural_of_virus#Virus

Doo doo doo doo, doo doodoo do, Doo doo doo doo, doo doodoo do, Doo doo doo doo, doo doodoo do, Doo, doodoodoo, doo doo doo doo doo....

A bit hard to communicate, but that's the keyboard cat playing all of you off.

Ironically, I was very careful with my choice of "virus vs. virii" when I wrote that message. I looked up the Wikipedia article for Plural of Virus ( http://en.wikipedia.org/wiki/Plural_of_virus ), and noted the sentence "In reference to a computer virus, the plural is often believed to be virii...".

As an amateur Latin geek myself, I agree that "viruses" is proper from a grammar standpoint, but I sided with Wikipedia because I was using computer terminology.

But if you read on.. "or, less commonly, viri, but both forms are neologistic folk etymology[1] and no major dictionary recognizes them as alternative forms."

Why is it that the plural of "radius" is "radii" but the plural of "virus" is not "viri"? I don't see "virus" as inherently denoting a multitude in the dictionary. Just curious.

Because with [radi]us the stem is "radi" but with [vir]us the stem is "vir". These words are of the same type (second declension); they both receive an -i affix in the plural, hence radi + i = radii, vir + i = viri. Latin being Latin there are an awful number of exceptions, but this is a somewhat general rule.

Put it like this: Grammatically speaking, the plural of virus is viri. Putting it into the plural might or might not make sense. Personally, I don't think that using the plural for collections in Latin is a very big sin given that this is very common in classical Latin texts.

One example of this can be found in the famous introduction of Aeneid (I.1 "Arma virumque cano...") lines 31-32, where Virgil is using the plural form of the word "sea" (mare, plural: maria)

"multosque per annos / errabant acti fatis __maria__ omnia circum" - "for a number of years, driven by fate, wandering around on the seas"

Virus is Latin for poison. It's a mass noun because it denotes something uncountable (not in the strict mathematical sense, but in the how the hell do you count poison sense). As far as I know, there is no Latin plural form for virus.

Second declension singular nominative nouns end in 'us' and their plural forms end in 'i', but fourth declension singular nominative nouns also end in 'us', and their plural forms still end in 'us'. Also, like in every language, there are funky exceptions to these rules, like second declension singular nominative nouns which are neuter rather than masculine, but still end in 'us' rather than the normal 'um'. Moral of the story: don't assume that the plural of a word ending in 'us' is 'i'.

It's also been about 8 years since I've taken Latin, so take that into consideration before someone goes all Life of Brian on me.

Interestingly, English words with irregular forms which are infrequently used often revert back to regular forms. The 'why' is simply because people prefer to say "viruses," either because they forgot the irregular plural form or because they prefer how a regular form sounds.

And furthermore "sands" is still perfectly legitimate, even though "sand" may be inherently plural (the "sands" of time, different "sands" of the world).

If the plural of goose is geese, why is the plural of moose not meese?

The correct term in Hixie English is virii. You need to learn your Hixie English (even the HTML5 standard is written in it).

Brutal indeed. Not only did they expose all aspects of astalavista, they actually trashed and dropped everything.

As bad as astalavista is, is it right to reciprocate and trash their server? It seems as if the hacker sunk to their level.

Are there legal ramifications to something like this?

"Are there legal ramifications to something like this?"

Uh, yeah, of course. Good luck catching them, though.

You're mistaking astalavista.box.sk with astalavista.com.

astalavista.com stole their name to ride on their popularity.

Hell, I tend to find any reasonably detailed description of the process of exploiting something to be pretty interesting.

It gives a fairly good idea of how to not make the same mistakes, if applicable.

Yeah, considering how last-decade astalavista.com is, I wouldn't be surprised if now is the most pageviews they've gotten in awhile ;)