Sometimes it is fun to just setup a machine, stick it out in the DMZ and see what happens to it.
Grab a pizza, sit back and watch the logs... It is amazing how quickly stuff gets found.
I was staging a machine once, got called to dinner and by the time I came back it was full of stuff. Kind of funny really.
At a firm where I worked, a consultancy was contracted to prepare a new, interactive web site to allow people to make bookings on-line (this was when broadband first started being rolled out).
There were two problems with the new web-server:
The web-site itself (written using IIS/ASP (VB)) was unreliable and would crash intermittently, requiring a reboot of the server to wake it. The firm who wrote it were unable to find/fix the problem.
The ftp wasn't secured: one day, after the customary reboot to restart the web service, the machine started whinging about disk space etc. When I investigated I found some very cleverly hidden directories, hundreds of levels down a directory structure attached to the \Windows tree, containing hundreds of illicit copies of Playstation games which it was serving to the 'pirate' community...
Needless to say, we took the management of that server in-house from that point, and then also rewrote the entire site in PHP, hosted it on a small linux machine and had no further problems...
8)
My personal favorite was a lab machine we were (re)installing XP on, and we forgot to disconnect the network cable. The machine was infected with several viruses before the XP install completed...
Software Zen: delete this;
Camilo Sanchez wrote: we had this ftp in our company that one day appeared full of porn
apparently anonymous access to the ftp was enabled
Anonymous access to the ftp was enabled?
There's an excuse I need to remember.
-Richard
Hit any user to continue.
I just found my favorite. We paid a third party for a site redesign. They have talented project managers and artists, but crap developers. They added a link on every page that invites the world to "email this page to a friend." The .net app had input fields for from name, from email, to email, subject line(!) and "special message". The email body was "I thought you might be interested in this..." followed by the same full paragraph of legal crap we are required to use in our corporate sig. The mail was routed through our main exchange server. To demonstrate the danger, I spoofed an email as the CEO that looked completely legitimate.
I knew of an IT services company that had an incident once where they found one of their employees had been saving viruses on their personal network share! A "virus hobbyist", if you will, who had somehow figured that this was not only a good idea, but that it should also be done on the corporate network. Brilliant.
I know this is kind of off-topic but the worst security flaw I've ever seen/read about was at news. (5 o'clock, the morbid news here)
A 19-year-old boy was home alone and he was... watching porn and doing other unchristian stuff.
After 4 hours of "working out" he closed the browser and put his torrents on seed and then went to sleep.
Well half an hour later his mother (who was very religious) came home and she had to check a few emails.
When she opened the browser some web pages were restored, 4 of which were porn videos. (like one wasn't enough >.>)
And the consequences: The mother castrated her child while he was asleep (with a salad knife, ironically) and popped out his eyes out of his head. (with the same knife)
Well, the mother ended up in a hospital (for severe mental illness) (St. Paraschiva Hospital ) and her (dead) son was buried... Her 4 other children ( ) were given to their grandparents.
Cause: Her son forgot to enable Private Browsing or open a Private Tab or use a similar feature of his browser.
Consequence: Castration, eyeball popping and, eventually, death.
Nobody died because of your security flaws. That boy did!
_______________________
Anyway, I use my netbook computer for "Shared Storage" - as I call it in the network. It's a folder in my laptop that I am sharing over the home network for code storage.
When I went to sleep, I forgot to shut down my netbook. The problem is, I also had Remote Desktop enabled for all connections and I was connected to the internet!
Well, while I was asleep, someone broke into my netbook and copied all my code for himself and now he's making lots of money out of it - while I am making free, little programs for both personal and public use.
I can name that person but I won't, because it's not nice. I'll remain with the knowledge out of this... (Which is more important than money, in my humble opinion.)
The flaw(s) is(are) Microsoft's f***ing fault - When someone attempts to remotely connect to your computer, you are given a 20-second warning to log out or you will be automatically logged out OR that I forgot to shut down my computer. That person or someone else would have eventually broken into my netbook but whatever.
Because of Microsoft and/or my remembering skills someone else now makes a profit (Which I could use a lot these days!).
I <3 C#!
Gather 'round kiddies, while I spin a tale of olde tyme computing, back when mainframes roamed the planet and fed on punched cards.
I was a wee sprout teaching myself how to program on a timesharing PDP-8 in high school.
The crowd I ran with usually had all the passwords, either through visiting the computer center, stopping the processor and using a disk diagnostic tool to pull the master password off the hard disk, or bugging the automatic logout program. But mostly through what is now called social engineering..."Hello, Fred? I know you don't use the computer (terminal) at your school, but could you get me the password to your school's account? Yeah, it's usually written on the blackboard by the terminal."
Unfortunately the teachers and system manager thought we had some machine language program that would coerce the passwords out of the system by forcing it to fail and as a last gasp would spit out the passwords as sort of a "help me!" before crashing.
Stop laughing, these bozos were serious.
So we had the name and so we set out to earn it. After about a month of trying to crack the security, we gave up. The timesharing environment was a rubber playpen that would not let us have access to the goodies.
And then I cracked it...by accident. Really. In what seems to be the pattern of my programming life, I have this innate and uncontrollable talent for finding bugs. Most of my career it has been a pain "Why is it only you that has trouble with the software?", but at my current job, it is a boon.
Back at the plot. I had gotten hold of the system programmer's guide for the OS and had gotten tired of flipping pages to interrelate system tables. Until I was seduced by the dark side of programming, I was studying to be an architect and had access to large sheets of paper and a drafting board. So I made this master layout of all the system tables and how they interconnected.
When I was done, I could see how I could go from public information and drill down to the input/output buffers. The system guide said you did not have buffers until you were logged in. I should have known it was BS because we used to hide what we were typing from the noobs by typing a long string of commands on the same line as the login. Since the keystrokes were not echoed until you were logged in, only someone good at reading keystrokes could see what we were doing.
But it got me to thinking I could watch what was being done at the other school's terminals. So I hacked out a quick little program called "Snoopy" and set it to watching the terminal next to mine. It worked wonderfully. And then seemed to hang. Hesitantly, as though someone was hunting and pecking at a keyboard the word "LOGIN" appeared. I about crapped my pants. This was the days of ASR-33 teletype terminals and printed output. If one of the teachers had come in, they'd have proof that I was cracking the system. You couldn't turn the monitor off or reboot the computer, my only option would have been to rip off the paper and eat it. Which would have looked a tad suspicious by itself.
The timesharing nature of the environment had made the pointers I was chasing go invalid and accidentally connected me to a buffer where someone was logging in.
A few years later, stories of this exploit earned me a little conversation with the FBI.
"A whale of a tale I tell you lads, a whale of a tale and it's all true, I swear by my tattoo."
Psychosis at 10
Film at 11
Google's been doing this to unwary website operators almost since its inception. So many cases have hit the news over the years I've lost count.
Sounds like a case of "doomed to repeat" to me.
patbob
rohans84 wrote: directory browsing was enabled
So you're working for ACS:Law?
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
We were not so stupid as to put our transactional data (customer data) on a box which is connected to the internet.
Here is another gem by my colleague. I believe he was drunk when he wrote this, as I don't think he would do this in his senses.
Page executingPage = null;
try
{
executingPage = HttpContext.Current.Handler as Page;
}
catch(InvalidCastException ex)
{
executingPage = HttpContext.Current.Handler as Page;
}
R A M
It at least recognises the futility: as 'as' can't throw an exception, it returns a null instead...
Real men don't use instructions. They are only the manufacturers opinion on how to put the thing together.
I know that there are a number of programmers that don't understand proper Exception Handling, but this one is really bad. Maybe he was thinking that he should retry? Even then it is not done properly.
Just because the code works, it doesn't mean that it is good code.
Yeahhh.. it will never go into the catch block.
R A M
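To make the point of the thread concrete, here is an added illustration (not the colleague's code, and not anything posted above) of why the try/catch around "as" is dead code. The ASP.NET types are replaced by constructed stand-ins (IHttpHandler, Page, OtherHandler) so the program compiles as a plain console app without System.Web:

```csharp
using System;

// Constructed stand-ins for the ASP.NET handler types referenced in the thread.
interface IHttpHandler { }
class Page : IHttpHandler { }
class OtherHandler : IHttpHandler { }

static class AsVersusCast
{
    // Same shape as the posted snippet. The catch block can never run:
    // the "as" operator does not throw, it yields null on a type mismatch.
    public static Page WithAs(IHttpHandler handler)
    {
        try
        {
            return handler as Page;
        }
        catch (InvalidCastException)
        {
            return null; // unreachable
        }
    }

    // A direct cast is the construct that actually raises InvalidCastException,
    // which is presumably what the catch was written for.
    public static Page WithCast(IHttpHandler handler)
    {
        return (Page)handler;
    }

    // Idiomatic version: perform the type test once and handle the
    // "not a Page" case explicitly instead of relying on an exception.
    public static bool TryGetPage(IHttpHandler handler, out Page page)
    {
        page = handler as Page;
        return page != null;
    }

    static void Main()
    {
        IHttpHandler notAPage = new OtherHandler();

        // "as" on the wrong type: no exception, just null.
        Console.WriteLine("WithAs returned null: " + (WithAs(notAPage) == null));

        // The direct cast is the one that throws.
        try
        {
            WithCast(notAPage);
            Console.WriteLine("WithCast succeeded");
        }
        catch (InvalidCastException)
        {
            Console.WriteLine("WithCast threw InvalidCastException");
        }

        // The explicit null check covers both outcomes without a try/catch.
        Console.WriteLine("TryGetPage(OtherHandler): " + TryGetPage(notAPage, out Page p1));
        Console.WriteLine("TryGetPage(Page): " + TryGetPage(new Page(), out Page p2));
    }
}
```

The practical consequence for the original snippet is that a non-Page handler silently leaves executingPage as null, so any later dereference fails with a NullReferenceException far from the place where the mismatch actually happened; the explicit null check is where that case should be handled.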
If at first you don't succeed, try, try, try throw, throw, throw again. Or something like that.
Chris Meech
I am Canadian. [heard in a local bar]
In theory there is no difference between theory and practice. In practice there is. [Yogi Berra]
I have an improved version:
Page executingPage = null;
while (true)
{
try
{
executingPage = HttpContext.Current.Handler as Page;
break;
}
catch (InvalidCastException ex)
{
continue;
}
}
Yep, this should work MUCH better
____________________________________________________________
Be brave little warrior, be VERY brave
LOL!!! Oh man.. you just made my week.
lol, then what was the use of the variable "ex"? He simply doesn't understand exception handling.
Vuyiswa Maseko,
Spotted in Daniweb-- Sorry to rant. I hate websites. They are just weird. They don't behave like normal code.
C#/VB.NET/ASP.NET/SQL7/2000/2005/2008
http://www.vuyiswamaseko.com
vuyiswa@its.co.za
http://www.itsabacus.co.za/itsabacus/
DWC - (Zero tolerance for) drunk while coding...
That's GOT to be a DWC!!
I'm always more productive when drunk.
(Off-topic)
But yeah, he was probably drunk.