Disclaimer: The following is from a post from HackForums. I am in no way claiming this to be my own, but it was funny and I thought you guys would enjoy it.
"""
Hey guys,
I recently did a security audit for a small business, and I thought some of you might get a kick out of this story.
I am an IT consultant that specializes in security applications and network security infrastructure, and on the side, I do a handful of penetration tests when they come up, and do a bit of writing here on the forums and elsewhere. A little over a month ago, I was asked by a friend to help him out with a security assessment for a small legal firm that suffered from an attack. I figured it would be a nice but of side-work, and not much else was going on, so I agreed and contacted the owner the same day.
I cannot release explicit details about the company because they still have some security issues to work out, but I'll try to be as detailed as I can. So, this company owns a couple of production servers, one of which maintains their website and a SQL database that contains a long list of case-files. They sell subscriptions to lawyers nationally to access these files for reference material and support for their cases and stuff like that. About 70% of their income, I would say, relies on this server's integrity and availability to their customers.
Essentially what happened was, they hired some outsourced development team from the Ukraine to build the back-end database and create the search-feature so their customers could easily reference those casefiles. The company was slow to pay their bills, and withheld the final payment from the developers until they finished the job. They refused and insisted on payment. The company decided to fire them after their refusal and did not send them their final payment. Instead of finishing their job, the developers decided to break into the production server and shut down the website. The next day, they started wiping files and kicked the server off after deleting the root-level passwords.
By the time I had come into the job, this had already happened three days prior. Basically, they wanted me to do a malware and rootkit removal to guarantee their server was clean and to search for any other threats that they would need to fix later.
Here is where it gets hilarious. Their administrator that they hired to host and secure their production server is a total egotist. What originally was a job to secure a web-production server became a mission to make this guy eat his words.
Here is the timeline of events:
The first day the hack occurred, at around 4am, it appeared to be a denial of service attack, according to the administrator by the time everyone woke up.
What had actually happened was the attackers logged into the Webserver and deleted the front page. They then shut the server down and knocked off a backup.
The administrator finally realized the actual nature of the attack, but did not report it. He claimed that they got into the server by brute forcing the owner's password which was supposedly weak. He claimed to have it under control. He was told to disconnect the server until it could be assessed.
The following day, the attackers returned, this time, deleting the entire database, the website, and root passwords. Again, the website was knocked off.
The administrator insisted this was not possible. Nevertheless, there it was, a 404 error across the entire site. It was at this point my friend was brought in to investigate.
The administrator claimed that the issue must have been caused by weak passwords and blamed the owner, and that there was no other way the attackers could have gotten in becaus hr was a "Security Genius"
He also claimed to have hacked into NASA, worked for the FBI to avoid jail time, which was his excuse for having NO certifications to his name other than compTIA A+, and later he claimed that he hosted TripAdvisor...
My friend, also a penetration tester, asked me to help him with the audit and to help me prove this guy was a fraud.
When I was told what this guy's "resumé" was, I nearly passed out from laughing so hard.
I asked for sudo-access to the server, which I had to wait two days for while he bitched about the owner hiring me and my friend to "insult his abilities and intelligence." He refused to give access to us, claiming that it would be a security risk. I told him that his server was already compromised and that there was no way he could guarantee it was secure, especially after restoring the last backup they had available (which was 30 days old).
Instead of waiting for him to quit dragging his feet, we took the initiative and did some initial assessments. Port scans, vulnerability scans, and so on. We found numerous vulnerabilities attached to the website, courtesy of Nikto, including numerous HTML injection and SQL injection vulnerabilities, and at least one instance of an XSS javascript vulnerability. That was not the worst part... the Webserver was running it's http services on Apache Coyote v1.0. We later discovered that the web service had never been updated. This still isn't the worst part...
After the admin reluctantly delivered the password, and I waited two hours for him to give me the fucking IP address so I could actually SSH into the damn thing, I found even more rediculousness.
The ROOT password was a permutation of the company's name... increadibly fucking easy to guess. If I had to compare it to a similar password, it would be like me making my password: "trueDEM0N" except it only had 8 characters...
The last password change for the root password matched the day of the server's OS installation. I was pretty pissed, but I went on silent until I did a full assessment of the server.
It gets worse than this...
I originally did what I was told. Run a virus scan, search for any rootkits or backdoors, and go from there. I was shocked to find that there was not one, single instance of a backdoor or malicious code anywhere on the system...especially considering what else I did not find...
There was no Antivirus software installed on the system. I also found no host-side firewall, which would explain why my Nmap scans were not bounced when I ran a full TCP connect scan...
For shit and giggles, I decided to brute force the password that was given to the developers along with the four other user-level accounts. I was hopeful because I noticed that he had hashed the shadow passwords in SHA-512, and even salted them.
I tried Hydra first, just to see if it was possible to crack the password remotely. It connected and had utterly no problem letting me hammer away at the server's passwords. The administrator never even knew I was attacking the passwords remotely, whicheck told me there was no network IDS.
I even downloaded the passwd and shadow file with scp without any complaint from the server. No file restriction whatsoever... it didnt even so much as demand I re-enter the password, throw a warning banner, or anything.
I used Hashcat to attack the passwords with a full keyspace bruteforce attack. I let it run on my shitty laptop overnight and into the afternoon the next day while I was at work. It resolved every single password by the end of those 16 hours. Bear in mind...thus was a Phenom II quad-core 1.8ghz processor running Intel graphics... and it only took 16 hours...
But it gets even worse...
The developers' password had not been changed since the day it was created...had sudoer access...and was an exact match of the root password...along with two of the other usernames. Essentially, he gave the developers their own username, using the same password as the root.
I called the owner immediately to tell her my findings, and came to find out that this administrator had charged their credit card for "overtime" that he spent responding to the hack that was his fault in the first place. He claimed that it was his job to host the server. Any time spent doing backup/recovery, malware removal, and security response was considered "extra work." He followed up by blaming them for not having an off-site backup solution in place and told them that it was not his job to recommend or provide backup solutions. He further insisted that they would never find anyone who could use node.js and manage a linux server, and proceeded to insinuate that neither of us knew what we were doing.
At this point, I lost my shit.
I took copies of every log on that system and phoned the owner and her staff and conference called them to deliver my initial report. The owner was furious, to say the least, and I was graciously given the satisfaction to call the administrator out in front of everyone over the phone. I even sent them the Whois report on trip advisor to prove he was completely full of shit. They are entirely self-hosted...not that we couldn't already guess that. Not only was he fired, but they are currently trying to find a way to file charges against him for fraud and negligence.
Unfortunately, they never signed an official contract with him, so the terms of their agreement were never determined. They have since migrated their server to another domain host and are still reeling from the damage done to their company and reputation. The administrator has been, essentially, publicly shamed, at the very least, and to my knowledge is going to be losing a lot of business. I doubt he will ever work as anything more than a Level 1 help desk peon for the rest of his life...if that.
I laugh because the guy was totally full of shit, but I feel just awful for the poor sicker he scammed. The best I could do for them was heavily discount their assessment since it literally took me less than a day of actove work-time to give a full assessment.
For the sake of the administrator and the company's anonymity, I will not be revealing either of their identities. To do so would be professional and I would like to thank the user "Donalen" for having the courage to call me out on my unprofessionalism for even entertaining that thought.What I can tell you is that, it came out that his servers were located in an outdoor barn, that he has no record of working for the government, has never worked for the FBI, and his only instance of being a "hacker" was when he was prosecuted for defacing a website.
If my partner, who I'd like to thank for bringing me in on this job, wishes to reveal himself, feel free, dude. Take a bow.
I hope you guys enjoyed the story as much as I enjoyed this job, despite everything that came out of it. It really reminded me of how important it is to verify certifications. This has definitely been my "worst case scenario" of the year.
To you server hosts and web developers out there, don't be that guy. And to you site/business owners, always perform solid background checks and certification verification. It results in far less heartache for everybody.
Thanks for reading everybody.
"""
