> 06:00 < AlexC_> ryann: So, are you saying CC details have also been compromised?
> 06:00 < ryann> Yep
> 06:00 < AlexC_> ryann: And you plan on releasing these?
> 06:00 < ryann> They did try to encrypt them, but using public key encryption doesn't work if you have the public and private key in the same directory
Jesus Christ. I agree, there is something very wrong with how Linode is treating this situation. Cperciva's comment a couple of days back about the doubletalk in the official statement seems especially prescient, and the new claim about both the private and public keys for the credit card info being stored in the same place... appallingly incompetent if true.
The CEO has already stated that the private key had passphrase encryption, which is strong, and only stored in their heads. You have to take their word on that, but I don't see any proof of CCs being decrypted.
07:52 < HTP> the CCrypter class of the linode application context was accessible from outside the wwwroot using undocumented ColdFusion methods. i was fully able to decrypt the ccs using the in-memory privkey that they supplied the password for.
i cannot imagine that a remembered passphrase would take too long to brute-force on a few multi-GPU setups. unless they did something meaningful like making it a long sentence rather than some short-but-complex-for-humans 15 char string. http://xkcd.com/936/
Notably seclists/nmap is (was?) hosted on Linode and was tampered with in this attack.
Apparently, the hackers looked up a Quora list of notable sites hosted on Linode and went after those [2], suggesting that the attackers wanted to burn a 0day for some notoriety or to damage Linode/Coldfusion reputation.
05:21 -!- mode/#linode [+b !ryan@54.228.197.*] by akerl
05:24 -!- ryan| [~violator@37.235.49.168] has joined #linode
05:24 < ryan|> quite rude of you
05:25 -!- ryan| was kicked from #linode by akerl [ryan|]
05:27 -!- root__ [~h@vmx13318.hosting24.com.au] has joined #linode
05:27 -!- root__ is now known as ryan||
05:27 < ryan||> Quite rude out of you
05:27 < ryan||> To ban me like that
Really puts into perspective the difference in the levels of skill involved.
When dealing with someone of this level, they really should have just notified everyone immediately. There's no telling what info these people have now.
The speed at which he switches hosts implies he's got quite a sophisticated tool chain set up for this. The level of skill really becomes apparent if you read the rest of the log though.
There are several minutes of delay in there. I could just about set up a brand new VPS, ssh to it, install irssi and connect within that amount of time. Let alone logging into a system I already had set up.
I agree...
Then the skid chose the nick "root_" in an attempt at appearing to have "rooted" some box...
It's no difficult task to ssh into another server and reconnect, and if "ryan" is who I think it is, he's a bot herder who enjoys DDoS attacks on those who upset his false sense of superiority.
He's well versed in server management, but exploiting others' servers is what he's working towards, and he failed to crack a server belonging to some friends of mine, so his only recourse was a DDoS.
I was interested in setting up a Linode account but I think it's best to wait for some more information at this point. Thoughts?