Morons on Display at Boston University: Major Web Server Security Screwup
|
08-23-2011, 07:51 PM,
Post: #1
|
|||
|
|||
Morons on Display at Boston University: Major Web Server Security Screwup
While searching for info about an IP address on Google I came across this alarming search result:
Quote:Apache Status http://www.google.com/search?sourceid=chrome&ie=UTF-8&q=host-134-60-107-208-static.midc Whoever the IT department IDIOT is who is responsible for not protecting the server status page of the people.bu.edu server (and allowing it to be indexed in google) should be fired http://people.bu.edu/SERVER/STATUS/index..._gcalendar&controller=|echo ...but wait it gets better: their server statistics page is also wide open http://people.bu.edu/stats/ http://people.bu.edu/stats/current/ server directory paths, files, IP addresses of visitors...all exposed message to BU computer science students: if you're paying $40K annually to be taught about "computer security" by the completely incompetent idiots in BU's IT department who created this major security hole you're wasting your money.
"Well, Jay was so giddy that someone named Jay was involved with this site we posted our first non-eBay listing in 3 years here at Lunarbid (we tried two items at Yahoo once upon a time, they bombed)" -Marie posting in a LunarBid thread at OTWA in 2005 wins the award for 'most moronic reason ever given for choosing a venue"
"thanks twat u must have nothing better 2 do. do u talk to all your members like that. will not be recomending your site. best way to put it is TULIPTOOLS.COM IS REALLY SHIT. DONT JOIN." -pubescent owner of rinky dink off2auction.com in 2011 |
|||
08-23-2011, 09:04 PM,
(This post was last modified: 08-23-2011, 09:08 PM by mandy.)
Post: #2
|
|||
|
|||
RE: Morons on Display at Boston University: Major Web Server Security Screwup
They might also want to check for cross-site scripting problems on their site.
people.bu.edu server status Wrote:0/0/4582 . 0.27 38 30 0.0 0.00 196.54 c120.nskorea.com people.bu.edu GET //index.php?option=com_zimbcomment&controller=../../../../. people.bu.edu server status Wrote:- 0/0/1 . 0.04 23970 163 0.0 0.00 0.00 81.27.38.57 people.bu.edu GET /?option=com_s5clanroster&controller=../../../../../../../. When you see an URL like this in your logs "../../../../" it usually means somebody is trying to hack your server via an XSS (cross-site scripting) attack. In the case of BU the "somebody(s)" are servers in South Korea and Norway Another problem they need to fix: their server has exposed directories without .htaccess or even index.php files. http://people.bu.edu/SERVER/graphics/ Another problem: their exposed Analog Stats program is very outdated and needs to be updated. They're using version 5.31 which was released in January 2003 (http://www.analog.cx/docs/wasnew5.html) people.bu.edu Wrote:Web statistics report produced by: Another problem: people.bu.edu Wrote:Server: Apache/1.3.6 (Unix) The server's outdated Apache v1.36 was released 7 years ago and contains several security holes, including a (surprise, surprise) XSS vulnerability which was first disclosed in 2007 http://secunia.com/advisories/26273/ |
|||
08-24-2011, 09:08 PM,
(This post was last modified: 08-24-2011, 09:11 PM by regic.)
Post: #3
|
|||
|
|||
RE: Morons on Display at Boston University: Major Web Server Security Screwup
Quote: While searching for info about an IP address on Google I came across this alarming search result: If you want alarming check out this stopforumspam database entry and click on the whois: http://www.stopforumspam.com/ipcheck/171.159.64.10 WHOIS Wrote:Bank of America BAC-171-128-0-0-1 (NET-171-128-0-0-1) 171.128.0.0 - 171.206.255.255 There are multiple entries for Bank of America in the stopforumspam.com database and if you google B of A's IP addresses you'll see that their outsourced employees in India, when they're not making a few extra bucks on the side by spamming links in forums, are also surfing malware infested porn sites while sitting at their desks at Bank of America. Every single visitor from B of A, including employees using computers located in the US, that has visited our sites over the past year has either been using the security hole filled Internet Explorer 7 or the even buggier 10-year-old Internet Explorer 6. Google and the French and German governments have banned their employees from using these 2 browsers versions but Bank of America allows their employees to surf the web with them. When a company like Bank of America is negligent and doesn't filter employee Internet access, doesn't use up-to-date patched software, and allows its employees to use security hole filled unsafe web browsers like IE6/IE7 to surf malware infested porn sites from the same office computers that they use to access customer's accounts/financial data it is putting its millions of customers at risk of identity theft. |
|||
1 user Likes regic's post |
08-25-2011, 12:08 AM,
Post: #4
|
|||
|
|||
RE: Morons on Display at Boston University: Major Web Server Security Screwup
(08-24-2011, 09:08 PM)regic Wrote:Quote: While searching for info about an IP address on Google I came across this alarming search result: This is beyond insanity. A friend e-mailed me on 08/23 and stated "The Bank of America system failed last week. I don't know how extensive the failure was but in NB you could not get your money out of the bank for at least part of one day. " He had a theory based on insider info, but I wonder if the crash was actually related to this very troubling info? |
|||
08-25-2011, 12:26 AM,
Post: #5
|
|||
|
|||
RE: Morons on Display at Boston University: Major Web Server Security Screwup
Quote:A friend e-mailed me on 08/23 and stated "The Bank of America system failed last week. I don't know how extensive the failure was but in NB you could not get your money out of the bank for at least part of one day. " Their website is less reliable than their ATM network http://sitedown.co/bank-of-america Compare the number of downtime reports for Bof A (140+) during the past 3 days to the number for Amazon (1), Ebay (2) , or Groupon (8) which have similar traffic. http://sitedown.co/ebay http://sitedown.co/amazon http://sitedown.co/groupon |
|||
01-27-2012, 12:30 AM,
Post: #6
|
|||
|
|||
RE: Morons on Display at Boston University: Major Web Server Security Screwup
Quote:When a company like Bank of America is negligent and doesn't filter employee Internet access, doesn't use up-to-date patched software, and allows its employees to use security hole filled unsafe web browsers like IE6/IE7 to surf malware infested porn >insert> ANY sites from the same office computers that they use to access customer's accounts/financial data it is putting its millions of customers at risk of identity theft. add another negligent financial company to the list: IP: 12.10.219.169 USER AGENT: msie 7.0 The IP belongs to AMERICAN EXPRESS : I'm assuming that none of the bailout money AmEx and Bank of America received went to their IT departments since neither company apparently has the manpower to devote to the simple task of updating the bug filled browsers on their employees desktops. AmEx security negligence + Bof A security negligence = personal and financial info of a few hundred million people potentially at risk thanks to these boinktard companies p.s. in case anyone is wondering, my company does update our desktop browsers as soon as updates are issued my computer Wrote:User Agent: Mozilla/5.0 (X11; FreeBSD i386; rv:9.0.1) Gecko/20100101 Firefox/9.0.1
"Well, Jay was so giddy that someone named Jay was involved with this site we posted our first non-eBay listing in 3 years here at Lunarbid (we tried two items at Yahoo once upon a time, they bombed)" -Marie posting in a LunarBid thread at OTWA in 2005 wins the award for 'most moronic reason ever given for choosing a venue"
"thanks twat u must have nothing better 2 do. do u talk to all your members like that. will not be recomending your site. best way to put it is TULIPTOOLS.COM IS REALLY SHIT. DONT JOIN." -pubescent owner of rinky dink off2auction.com in 2011 |
|||
« Next Oldest | Next Newest »
|
Possibly Related Threads… | |||||
Thread | Author | Replies | Views | Last Post | |
50 Open Source Network and Server Security Tools | mandy | 0 | 2,804 |
11-11-2008, 10:30 AM Last Post: mandy |
|
Diagnosing a Hacked Linux Server | Kristijntje | 0 | 2,888 |
08-25-2007, 02:09 PM Last Post: Kristijntje |
|
Web services punch holes in traditional security techniques | mandy | 0 | 2,866 |
08-05-2007, 09:26 AM Last Post: mandy |
|
Protecting your Web Server from Attacks: Why Web applications are at High Risk | mandy | 0 | 2,503 |
02-26-2007, 11:11 AM Last Post: mandy |
|
How to improve the security of your OpenSSH server installations | mandy | 1 | 3,062 |
05-27-2006, 08:30 AM Last Post: mandy |
|
Secure Your Linux Server | regic | 0 | 2,488 |
03-25-2006, 05:52 PM Last Post: regic |
|
Test your server for vulnerabilities with Nikto | misteroriginal | 2 | 3,634 |
02-25-2006, 04:10 AM Last Post: misteroriginal |
|
GSA Shuts Its eOffer Government Bidding Web Site Due to Security Flaws | mandy | 0 | 2,384 |
01-15-2006, 08:28 AM Last Post: mandy |
Users browsing this thread: 2 Guest(s)