-
January 26th, 2002, 08:08 PM
#1
Hacking Challenge
Me and my buddy have our own little web site breakfree.com. What we do is build and host web sites for people in our local area. What we need you to do is test our system for holes. If you do get into our system tell us how you got in and where the hole is, and if you want tell us how you would fix the problem... I'm putting my trust in all of you not to **** up our system. If you feel the need to deface our web site all the power to ya. We don't care about little stuff like that... defacing takes nothing but a minute to fix. So with that said and done have fun..
HAPPY HACKING

Keepen it real
FreeAgent
-
January 26th, 2002, 08:53 PM
#2
You host several other sites?
At your customers page http://www.breakfree.com/customers/ the following links are down (could not locate remote server):
www.deejaycorner.com
www.gleamchemicals.com.au
-
January 26th, 2002, 09:05 PM
#3
They did not pay their bill this month... When they pay it will be back up....
-
January 26th, 2002, 09:15 PM
#4
I would remove these links then. Now it looks like your service is bad.
It's not good PR to have broken links. 
Or you should reroute those links to a page that says unavailable or something similar.
btw: if you see many attempts on your FTP server or firewall logs that could be me probing your ports...
-
January 26th, 2002, 09:21 PM
#5
Proxy open
Hey FreeAgent,
I'm currently surfing through your proxy... did you know you are running a public proxy?
Thx for doing this, it's a very fast proxy... if you did not know this send me a PM about the prob.
-
January 27th, 2002, 04:18 AM
#6
-
January 27th, 2002, 04:30 AM
#7
-
January 27th, 2002, 04:45 AM
#8
Just looking at it I found this info so far:
HTTP/1.1 200 OK
Date: Sun, 27 Jan 2002 03:36:28 GMT
Server: Apache/1.3.22 (Unix) mod_perl/1.26 PHP/4.1.1 mod_ssl/2.8.5 OpenSSL/0.9.6a
X-Powered-By: PHP/4.1.1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html
Like [WebCarnage] said, how can you prove that this is your site?
"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work."
-
January 27th, 2002, 05:03 AM
#9
Hmmm...
Hmmm...I did a scan as well on http://www.breakfree.com
And I found NONE of the folders contained in that site protected in any way...care to check up on that. And I find a 'lack-of-folders' for this particular site. I mean,...here's a list:
1. aboutus
2. contactus
3. customers
4. design
5. hosting
6. icons* -> Small
7. images* -> Images
8. onlineacct
9. servers
* Has subfolder(s)
And none of these require passwords to enter. I also found that there was no "Bin" or "CGI-Bin" folder...odd. And because of the lack of security, one could easily program a bruteforcer and crack any account, for there seems to be no limit for how many times you can input an invalid account name and password. And yes,...I did test this*. But I have no reason to muck up any sites. Just thought I'd let you, the seemingly impossible, webmaster. Furthermore, one could easily URL-Surf to just about any folder he or she wanted. And that's not good. Try to fix that up a bit.
* When you enter an invalid usrname and pwrd, this URL will keep on continuing itself:
http://www.breakfree.com/onlineacct/login.php?error=1
Try seeing if you can alter the HTML in there so after 3 or 5 unsuccessful attempts a cookie will be installed so no further trying can and will be allowed for the next 24 hours, or next reboot. Just an idea.
...This Space For Rent.
-[WebCarnage]
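The attempt limit suggested in the post above, sketched as an added example (not code from the thread or from breakfree.com). It counts failures on the server, per account name and per client address, because a cookie is held by the client and can simply be discarded. The class and method names are hypothetical, and the in-memory array stands in for a database table or other store shared across requests.

```php
<?php
// Added example (PHP 8+): server-side failed-login throttle for a page like
// login.php. Class and method names are hypothetical; sample values are constructed.
final class LoginThrottle
{
    private array $failures = [];          // key => list of failure timestamps

    public function __construct(
        private int $maxAttempts = 5,      // the post suggests 3 or 5
        private int $lockSeconds = 86400   // 24 hours
    ) {}

    // Count per account and per client address, so neither cycling through
    // usernames nor discarding cookies resets the counter.
    private function keys(string $user, string $ip): array
    {
        return ['user:' . strtolower($user), 'ip:' . $ip];
    }

    public function isLocked(string $user, string $ip, int $now): bool
    {
        foreach ($this->keys($user, $ip) as $key) {
            // Keep only failures inside the lock window, then compare to the limit.
            $recent = array_values(array_filter(
                $this->failures[$key] ?? [],
                fn (int $t): bool => $t > $now - $this->lockSeconds
            ));
            $this->failures[$key] = $recent;
            if (count($recent) >= $this->maxAttempts) {
                return true;
            }
        }
        return false;
    }

    public function recordFailure(string $user, string $ip, int $now): void
    {
        foreach ($this->keys($user, $ip) as $key) {
            $this->failures[$key][] = $now;
        }
    }
}

// Constructed demo: five bad passwords for one account from one address.
$throttle = new LoginThrottle(5, 86400);
$start = 1012104000;
for ($i = 0; $i < 5; $i++) {
    $throttle->recordFailure('pat', '192.0.2.10', $start + $i);
}
var_dump($throttle->isLocked('pat', '192.0.2.10', $start + 60));    // same client
var_dump($throttle->isLocked('pat', '198.51.100.7', $start + 60));  // new address
var_dump($throttle->isLocked('pat', '192.0.2.10', $start + 86405)); // after window
```

A login handler would call `isLocked()` before checking the password and `recordFailure()` on every rejected attempt.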
-
January 27th, 2002, 07:22 AM
#10
Sorry about the late post.... Well let me start off by telling you how and where we run breakfree.com. Breakfree is run out of my friend's house for two good reasons. 1 my friend is rich and his dad springs the bill for the T1 modem he is running. 2 He has a whole wing of his dad's house to himself. So we made one of his rooms into an office so to speak. Pat (that's my friend) is a Linux and Unix wiz so he wanted to make a Linux server. I know little to nothing about Linux and Unix so I left that all to him. Ok now here is what I do with breakfree.com. I do all the HTML, Java, and PHP so I guess you can say I'm the interface man. I make all the stuff you can see and he does the guts, the stuff you don't see.
Why did we start breakfree.com?
We just started it for a little extra money to help us with school. Right now we only host our friends' sites. I told you guys to try and crack into the site b/c I want to start hosting more people so we can get more money... But before I can do that I need to know that I have a hack free system. Now I know we don't lol so before I start opening to the common public we need to fix all the problems you just listed... You all made some really good points. My buddy Pat is shocked that we have this many problems lol he was under the impression that his firewall was up and running I guess not hehehe. You guys had no problem getting in.... So thanks for your help and keep checking in from time to time to see if we are getting better...
Oh before I go if you know of any good firewalls or any programs to help us with our security let us know about it.....
Thanks again for all your help.......
Keepen it real
FreeAgent