SLiM server hacked?


Dave Owen
2005-02-07, 10:29
Something similar happened to a friend of mine who had one computer for
casual use connected to his cable modem without a firewall, and one
computer used exclusively as a video editing workstation.

One day he decided to use Windows networking to move files from one
computer to the other, and left the video editing workstation drive
share open. A few days later, he found a file in the share root called
"READMENOW.txt" which contained text that essentially said "You need to
get a firewall for your computer; I could have deleted all of your video
files, but I didn't."

So if I were you, first thing I'd do is look to see if you're sharing
your Music folder using Windows networking (presumably without a
password); I'd guess that, like the recent inadvertently-public webcam
google thing, someone searching on the default SlimServer home page URL
will be able to pull up non-firewalled SlimServer installations, see
where the music folder is, then attempt to access it via Windows
networking.

As for the tagging not reflecting correctly, I don't know. It could be
something they did to the files, or something more interesting (like
pointing your server at a new directory, and filling that directory with
the same tagged mp3 over and over with your old filenames). Seems like a
lot of work, though...

Ben Coombs
2005-02-07, 11:40
A couple of weeks ago, there were some articles on www.boingboing.net
about finding live personal web cams using special searches on google.
I looked into it, there's a database of odd search terms at
ihackstuff.com, on the site someone has posted a google exploit to the
slimserver software:

http://johnny.ihackstuff.com/index.php?module=prodreviews&func=showcontent&id=921

Highlights that if you do a search for "welcome to squeezebox" in the
title of a url, then you'll come up with a load of open slimservers:

http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+

As already mentioned though, any basic firewall or password turned on
should protect against this.


Jack Coates
2005-02-07, 11:43
Ben Coombs wrote:
> A couple of weeks ago, there were some articles on www.boingboing.net
> about finding live personal web cams using special searches on google.
> I looked into it, there's a database of odd search terms at
> ihackstuff.com, on the site someone has posted a google exploit to the
> slimserver software:
>
> http://johnny.ihackstuff.com/index.php?module=prodreviews&func=showcontent&id=921
>
> Highlights that if you do a search for "welcome to squeezebox" in the
> title of a url, then you'll come up with a load of open slimservers:
>
> http://www.google.com/search?q=intitle%3A%22welcome.to.squeezebox%22+
>
> As already mentioned though, any basic firewall or password turned on
> should protect against this.

Call me a purist, but exploiting stupid (er, willfully ignorant?) people
is not the same as exploiting software. I do like that his hack avoids
the inurl tag, which is starting to be blocked by Google in response to
the PHP worms.

--
Jack at Monkeynoodle dot Org: It's a Scientific Venture...
Riding the Emergency Third Rail Power Trip since 1996!

kdf
2005-02-07, 11:58
Quoting Jack Coates <jack (AT) monkeynoodle (DOT) org>:

>
> Call me a purist, but exploiting stupid (er, willfully ignorant?) people
> is not the same as exploiting software. I do like that his hack avoids
> the inurl tag, which is starting to be blocked by Google in response to
> the PHP worms.

Leaving slimserver is like leaving your wallet on the dashboard of your car.
Nothing inherently insecure about that, but it gets attention and gives the
impression that you 1) have something worth messing with and 2) are potentially
ignorant/lazy/forgetful enough to have left yourself vulnerable in other ways.

In this case, this hack wasn't really an exploit of slimserver. Since audio
files are NOT modified by slimserver, this would have been an access by some
other means. Anyone getting in via your slimserver web access could only mess
up your settings, create a few playlists with funny/rude names or wake
you/neighbours/dog up in the middle of the night with loud music.

-kdf

Ben Coombs
2005-02-07, 12:26
Sorry, I agree, exploit was too strong a word.


Robin Bowes
2005-02-07, 13:05
kdf wrote:
> ... or wake you/neighbours/dog up in the middle of the night with loud music.

Heh heh, (evil glint in eye...)

R.
--
http://robinbowes.com