Hack IIS6 Contest 545
ThePurpleBuffalo writes "This just came in across a BugTraq mailing list from Roger Grimes: 'Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site. ' "
and done. (Score:5, Funny)
Re:and done. (Score:5, Funny)
Re:and done. (Score:3, Insightful)
GUESS WHAT IS PROTECTING IT. (Score:5, Interesting)
Obviously it's behind a Firewall at a pretty decent looking data center. It looks like a minimum security prison on the outside:
http://www.consonus.com/ [consonus.com]
The thing that pisses me off (IF nmap fingerprinted the OS right) is that this IIS6 box is behind a Nokia IPSO.
http://www.nokia.com/cda1/0,1080,43324,00.html [nokia.com]
If you look on the right hand side of the page you will notice that Nokia credits the UNIX roots of IPSO.
So this Windows zealot is hiding his IIS6 box behind a big, bad ass, UNIX gatekeeper. For a contest to prove that Microsoft rules... Shouldn't ISA Server be protecting the brave little web server?
http://www.microsoft.com/isaserver/default.mspx [microsoft.com]
It really pisses me off that he advertises the ability to put together an impenetrable IIS6 environment and that a key solution is a UNIX firewall.
If Microsoft ever makes a statement about this contest in their marketing and it was in fact behind an IPSO they should feel silly, not proud.
Re:and done. (Score:5, Informative)
Re:and done. (Score:3, Insightful)
Does DOS attacks count (Score:5, Funny)
No a DOS does not count, slashdot is out :) (Score:5, Informative)
1. External denial of service attack against web server computer, or any participating vendor, or device. Denial of service attacks due to successfully modified content on web server computer are fair game.
They counted on that one
We may not be able to hack it... (Score:2, Funny)
And who is to say (Score:4, Interesting)
Re:And who is to say (Score:3, Funny)
Re:And who is to say (Score:5, Funny)
---
telnet://sinep.gotdns.com [gotdns.com] - LORD, Tradewars 2002, SuperSlots!
Re:And who is to say (Score:5, Interesting)
Re:And who is to say (Score:2, Insightful)
That's what MS would do if they were offering a $100,000 prize.
That's not what an IT magazine would do for a $100 game console.
Re:Why would the crackers tell them? (Score:3, Funny)
And if I was a serious cracker, I'd want to be topped with a serious kind of cheese, like maybe a strong Stilson...
Which is to say, d00D, the word is "hacker," like it says in the article, and is recognized universally throughout any media intended for those beyond high school reading level.
Let it go... just.. let it go...
Request for anyone trying this (Score:5, Funny)
Re:Request for anyone trying this (Score:2, Funny)
Re:Request for anyone trying this (Score:3, Funny)
g_______________________________________________g
o_/_____\_____________\____________/____\_______o
a|_______|_____________\__________|______|______a
t|_______`._____________|_________|_______:_____t
s`________|_____________|________\|_______|_____s
e_\_______|_/_______/__\\\___--___\\_______:____e
x__\______\/____--~~__________~--__|_\_____|____x
*___\______\_-~____________________~-_\____|____*
....just kidding
# Please try to keep
Re:Request for anyone trying this (Score:5, Funny)
Frodo is doing gay porn now?
Re:Request for anyone trying this (Score:5, Informative)
And if you can hack the XBox (Score:5, Funny)
How long (Score:4, Insightful)
If this is a test of IIS's security (for example as opposed to Apache) they should make it an ongoing test, and measure it not by whether it was hacked within a certain short time period, but how many times it is hacked over a long period of time.
Re:How long (Score:5, Insightful)
This is really just a publicity game. If makes MS look good if it makes it through the week, but it doesn't really prove that their software is secure.
On the other hand, if they DO get hacked, that would look pretty bad. But.. who's to say they haven't totally locked that thing down to the point where it's not really representative of a "normal" server.
*shrug*
Re:How long (Score:3, Insightful)
Re:How long (Score:3, Insightful)
Re:How long (Score:5, Insightful)
Real admins who work anywhere in the private sector do the best they can with the small amount of resources they have. They don't do anything like "verify the rest of the code" whatever the fuck that means. Real admins have 2 hours to get a new box up and running before they have to go put someone else's totally unrelated fire out. They install the OS image that they run on every other server which almost certainly has some things running that don't need to be because it's a general purpose image. Other than that they try their best to run a decent firewall in the 5 minutes a week that they have time to work on it, keep the patches as up to date as they can and hope the next time they get hit it's not too bad.
Just because you have 40 hours of unemployment related free time a week to keep your killer 3 linux box home network/server farm uber secure and updated doesn't mean people in the real world do any such thing.
You want a real test of who has the more secure product? Install IIS/Asp.net & Apache/php using as close to the default settings as possible and see which one gets hacked first. Because I guarantee you that 80% of the time strapped overworked sysadmins out there are going to do exactly that, simply because they don't have time to do anything else.
Re:How long (Score:3, Interesting)
That sounds like too much hard work (Score:3, Insightful)
Anything you plug into that and boot gets KickStarted through an install. Come back later to find it showing the new root password and a short list of questions about what it should be running. Answer questions, watch it shut down, drop it in its new home and fire it up.
Use URPMI, apt or whatever to keep the packages up to date so your installs are automatically fresh/secure and you only need do anyth
Re:You mean real 'worthless' admins, right? (Score:4, Insightful)
Re:You mean real 'worthless' admins, right? (Score:4, Funny)
1. All your servers run under the exact same hardware, configuration, and settings.
2. All your servers run the exact same services (because we all know how useful it is to have 5 different servers running Exchange / Qmail).
3. You have the spare duplicate servers to build and test all the pristine locked down images.
In short, grandparent post must either work in his basement or in Disneyland!
Re:How long (Score:2, Insightful)
Re:How long (Score:5, Insightful)
What makes IIS inherently more difficult to secure then Apache or any other web server? Besides the generic "ITS TEH MICRO$OFT!!!!"
Several things (Score:3, Informative)
It comes out of the box will all manner of unnecessary things turned on.
It uses OS-level functions and system calls ("tightly integrated"), so when you hack IIS, you pwn the box, too.
Apache requires you to read the documentation and crack the httpd.conf with a text editor in order to change stuff. This ensures that you are at least one evolutionary level above blind, one-armed chimp, which is the only required leve
Re:Several things (Score:4, Insightful)
Um, bullshit.
I've been trying to teach myself more about Linux and Apache. And, honestly, I haven't a clue about half the stuff in the httpd.conf file. I'm getting there, but that still hasn't stopped me from getting a web server functioning, nor has it stopped me from getting apache-ssl up and running, with squirrel mail. Is my server anywhere near secure? I highly doubt it. Truth is, the Win2K server with IIS5 I had running beforehand was probably more secure, simply because I had a clue about what I was doing in those clicky "Internets MMC configurator for IIS".
As the old axiom goes, "it's a poor carpenter who blames his tools". Yes, the Linux/Apache setup is more secure by default, but when it's set up by someone with little to no clue what they are doing, it's very likely to end up insecure. Once I am a little more knowledgeable about running and securing Linux/Apache, I'll probably reformat the box, start over, and do a better job about it. Until then, I just assume the box is going to be hacked. And, no, I don't think I am above the evolutionary level of blind one-armed chimp when it comes to running Apache. Honestly, coming in blind, the online manuals sucked.
Re:Several things (Score:3, Informative)
I saw strange requests in my logs all of a sudden to doubleclick. People were making money off my open proxy... haha woops!
Check out the rules (Score:5, Funny)
There goes 3/4 of the most qualified contestants.
Re:Check out the rules (Score:5, Funny)
There goes 3/4 of the most qualified contestants.
Does faking your age count as social engineering?
Does DDoS'ing it count? (Score:2)
If I could hack IIS6 .. (Score:5, Insightful)
Re:If I could hack IIS6 .. (Score:5, Insightful)
The point of these cute little contests with their cracker jack box prizes isn't to find out if there are exploits floating around in the wild. The point is to find out if any exploits have become so prevalent that someone would cash them in for a secret decoder ring. If not, they can hang their shingle saying, "Challenge still unhacked after foo months!" while those of us in the trenches scoff and continue our due diligence.
Security is a state of mind, not a state of being.
What security is worth (Score:5, Insightful)
When is the Hack Apache contest? (Score:4, Interesting)
Re:When is the Hack Apache contest? (Score:5, Funny)
Every day on over 60% of the world's web servers.
no one will do it (Score:2)
That's giving away trade secrets that are worth far more than a lousy Xbox....
pfff... (Score:2, Funny)
The only problem with this contest.... (Score:5, Funny)
Re:The only problem with this contest.... (Score:2)
*cough* [xbox-linux.org]
LOL! (Score:4, Funny)
5. Physical Attacks
Because, you know, us axe-murderer geek slashdotters were going to charge into the building where the server is and hack away using our cleaver 2d6.
WTF? (Score:5, Funny)
Re:WTF? (Score:5, Funny)
It's a Holy Cleaver, he factored in the double damage it does to daemons.
*rimshot*
The sad thing is.... (Score:3, Funny)
Something tells me I need to look for the "Magical Amulet of Get-A-Life" next time I'm hacking my way through a problem with my Cleaver 2d6...
18+ (Score:2, Insightful)
Contest announcement (Score:5, Insightful)
Re:Contest announcement (Score:3, Insightful)
this "information" that would simply be used to deface websites?
If you have the sort of access that would allow you to deface a website, you likely have access to do a whole lot more. We are talking about compromising a system. The same exploit could potentially be used for any number of other things.
Opportunity Cost (Score:2)
I tried... (Score:5, Funny)
I tried to hack into it and this stupid paperclip keeps getting in the way... "It looks like you're trying to hack a Website..."
Re:I tried... (Score:2)
Lab rats (Score:3, Insightful)
Who cares? (Score:2)
The problem with insecure web sites is that the apps themselves are the biggest security threats. It's been three years since I've heard of anybody I know actually becoming a victim of a web server security hole, but in the last year I can think of seven separate occasions where a web app has allowed somebody to deface and/or take control of a web site.
In the end it do
just silly.. (Score:2)
To an honest and moral person, perhaps it is worth an xBox.. to almost anyone else, that is way too valuable of a skill to lose over an xBox (this presumes they'll close the hole/exploit you use).
Even if you are honest, an xBox is hardly worth the time/effort you'll spend doing this.
Re:just silly.. (Score:2)
What about ZOMBIES? (Score:2, Insightful)
This needs to be resolved!
Re:What about ZOMBIES? (Score:3)
-Jesse
Security Through Destruction (Score:2)
PS2 (Score:5, Funny)
make it a PS2 instead and then it will be worth my time!
Does Social Engineering count? (Score:2, Interesting)
Grr... (Score:2)
Re:Grr... (Score:2, Funny)
Such low valued prize (Score:2)
Isn't this technically illegal? (Score:3, Interesting)
I think they really need to have a lawyer write the release for someone to enter this contest. It just doesn't seem right. Or am I a victim of propaganda?
Re:Isn't this technically illegal? (Score:2)
Re:Isn't this technically illegal? (Score:2, Funny)
IT'S A TRAP!
Re:Isn't this technically illegal? (Score:5, Informative)
Full context of original e-mail. (Score:2, Informative)
Welcome to the HackIIS6.com Contest!
Starting May 2nd and going until June 8th, the server located at http://www.hackiis6.com/ [hackiis6.com] will welcome hackers to attack it. If you can deface the web site or capture the "hidden" document, you win an X-box! Read contest rules for what does and doesn't constitute a successful hack. We've tried to be as realistic as possible in what constitutes a successful hack, and in mimicking a basic HTML and ASP.NET web site.
F
That's a lot of faith.... (Score:2)
Before the site went down, I noticed that it said "We've tried to be as realistic as possible in what constitutes a successful hack and in mimicking a basic HTML and ASP.NET web site.". Anyone can secure a box running next to no services.
Perhaps a good time for a reminder (Score:3, Informative)
In short, if it's broken, that's valuable. If it isn't broken in the time allotted, on the other hand, that doesn't mean it's secure.
It's already defaced!!! (Score:5, Funny)
I put up on their page a fake hack contest...
I never really thought it would last soo long and even less being on slashdot.
lol
Predetermined outcome? (Score:3, Interesting)
From TFA:
Sounds like the results have already been decided.
Of course the easiest way to make any system "impenetrable" is to power it off...
Weee, another publicity-drenched waste of time (Score:5, Insightful)
Someone should've hit the progenitors of this little "contest" upside the head with the Garfinkle book [oreilly.com] before they decided to go ahead with it.
If said book had impacted the morans' cranium, they would've realized that such contests are useless for determining a system's hardness. Or they'd be dead. End results are about the same. So, let us review the possible results:
Does the latter scenario PROVE that the system is hacker-proof? Is it? Nope, sorry, it isn't.
To prove that a system is unhackable, I have to demonstrate that in every case the security will not fail. If you have a random testing plan (i.e., a "contest"), then you'll never be sure you touched all the scenarios or even the most likely ones.
To prove that a system is hackable, I just have to find one situation where it can be hacked. Finito; sayonara; have a nice day.
The latter is relatively easy to do. The former is very hard (and sometimes impossible) to accomplish. It is much easier to hold a "contest," declare yourself the winner ("UNBREAKABLE, BABY! w00t!") and then go sell a bunch of units to the PHBs [dilbert.com].
Re: (Score:3, Insightful)
Re:Hmm.. (Score:2)
Now go mod me down
Re:Hmm.. (Score:3, Informative)
shellcode = "/bin/rm -rf
launcher = "cat
netcat_shell = "cat
yea.. run that!
Re:Hmm.. (Score:2)
Date: Apr 20 2005
Cute.
shellcode = "/bin/rm -rf
launcher = "cat
netcat_shell = "cat
Re:Hmm.. (Score:2, Funny)
Re:Physical Access (Score:4, Informative)
"A successful hack does not include:
Re:Physical Access (Score:2, Funny)
5. Physical attacks.
Ah shit..
Re:Physical Access (Score:2)
Well, no shit sherlock. Every OS, including Linux, is easily crackable if you have access to the hardware.
Re:Physical Access (Score:2)
Re:Hack? Or crash? (Score:2)
Re:Hack? Or crash? (Score:2)
Um, no (Score:2)
Re:Hack? Or crash? (Score:2)
2) We're talking about IIS not IE.
Re:won't take long.... (Score:5, Insightful)
I may have migrated our web servers from IIS4 on NT4 to apache on debian as soon as I got the chance but that doesn't mean I'm not able to call bullshit on typical wannabe geeks slating MS software with no real knowledge of why they're slating it.
Re:won't take long.... (Score:2, Insightful)
Apparently not.
Re:But is it the default config... (Score:2)
Huh? Why does someone who asks questions that are answered in the linked article get modded "Interesting" or "Insightful"?
Re:But is it the default config... (Score:3, Insightful)
My guess is because most meta moderators are too afraid to hit the "unfair" option when these things come up.
I think too many people think that meta modding is meant to weed out the trolls and they seem to take pity on the clueless.
I'm not afraid of the unfair button. Only the meek fear the unfair button.
Re:But is it the default config... (Score:2)
Re:But is it the default config... (Score:2)
Re:Done (Score:2)
*Shiver*
Re:Is it running IIS 6? (Score:3, Informative)
They just switched to IIS 6.0 yesterday, actually.