Author Topic: Interesting Discovery Involving Rented Servers  (Read 12793 times)
hollowlife1987
Honorary Member
« on: April 29, 2009, 09:00:48 AM »

OK Gothi[c] and I were having a little chat in the IRC chat about old data on servers and how to remove it.

So I decided to see if I could find any data from the dedicated server my friend just got, and sure enough I found a lot of interesting and weird data...

Bottom line is, if you're going to cancel a server from a company, make sure you wipe the hard drive(s) before you do, as most companies just repartition and format the drive; they don't wipe any data off it.

That means your passwords, your emails, pictures and whatever else that was on the server could still be accessible. On the flip side, that means if someone before you had illegal data on the server and your server gets seized for whatever reason, you COULD be held accountable for the data that THEY had on it.

So when you're getting a new rented server, make sure you wipe the drive before you lose access.
And when getting a new rented server, make sure you/your host wipes the drive before you start putting your data on it.
Gothi[c]
DC Server Admin
Charter Honorary Member
« Reply #1 on: April 29, 2009, 09:13:22 AM »

It's quite a disturbing discovery with some serious implications.

Hollow's server is a GNU/Linux server, and he was able to tell, just from looking at the raw hard drive data (which is a simple one-liner command on GNU/Linux, eg: strings /dev/sda), that the previous user ran Windows on it. He was able to retrieve pieces of registry data, emails, and other data.

What this means:
  • Say you decide to move hosts, or discontinue a server, the next person that gets your hard drive (hosting companies recycle a lot, of course), also gets all of your data, if you don't properly wipe your hard drive before discontinuing the server.
  • When you get a new server, all the old data is still floating around on the hard drive, just invisible to your OS.
    This means that if your server were ever subjected to an investigation by authorities for whatever reason, and the old owner had illegal material on it, they could easily think it's data you deleted.
    Thus it is a good idea to not only wipe the hard drive when leaving a host, but also when getting a new server.

How to properly wipe data:

Obviously, if the data survives a reformat, it will also survive when you simply delete the files.

The only way to be certain the data is gone is by actually overwriting the physical data on the disk with random data.

On GNU/Linux there is a utility called 'shred' which offers a secure way of removing files by overwriting the physical data multiple times with random data, unlike 'rm', which only removes the links to the physical data, so the file 'appears' gone.

Alternatively you can use dd to overwrite the entire hard drive like so:
dd if=/dev/urandom of=/dev/sda
(where sda = the hard drive to erase, of course)

Perhaps someone can give some tips on what to use on windows servers to properly wipe data.
The problem on Windows is that the OS typically stops working when it's erasing itself (which is not the case on *nix when you use a statically linked application that can run from memory, like dd).

I have always been aware that data is not removed after a reformat or after removing a file, though I must admit I never connected the dots, thinking about the implications when it comes to server hosting.
I think this practical experiment hollow did clearly illustrates that the dangers of not wiping data are real!
Thanks hollow!
hollowlife1987
Honorary Member
« Reply #2 on: April 29, 2009, 09:20:14 AM »

Yes, the previous owner of the server did have Windows on it; in fact it looked a lot like a desktop computer, based on the pictures I started recovering with photorec, which is part of the testdisk package.

Don't let the program name fool ya: photorec can restore a lot more than photos. It can restore a bunch of file formats, including MSSQL databases.

Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #3 on: April 29, 2009, 10:23:07 AM »

Good advice, thanks.

This happens in the consumer world as well. Used disks from computer parts shops are notorious for having all kinds of stuff on them. One time I even accidentally booted up a full Win98 installation that was left on a 540 Meg drive that I hadn't formatted yet, and wondered where all the extra desktop icons came from before realizing what was going on...

Didn't know it happens in server-land. You'd think people would have half a clue...

All children left unattended will be given a mocha and a puppy.
Gothi[c]
DC Server Admin
Charter Honorary Member
« Reply #4 on: April 29, 2009, 10:26:07 AM »

Quote
Didn't know it happens in server-land. You'd think people would have half a clue...

Most people assume the hosting company wipes the drive before reusing it. Obviously they don't. Most just do a simple format, which leaves all the data intact.

eg: mke2fs -j /dev/sda1 (which is what your typical GNU/Linux distro install CD runs to format the HD) does not null the HD. It only creates the inode table to hold the links of files to the raw data (like the file allocation table in FAT16/32 or the master file table on NTFS).

Most people, including hosting companies, just figure that when they delete the partition, and reinstall another OS, all old data is gone.
« Last Edit: April 29, 2009, 10:32:45 AM by Gothi[c] »
mouser
First Author
Administrator
« Reply #5 on: April 29, 2009, 11:03:53 AM »

Great post.. scary stuff.
hollowlife1987
Honorary Member
« Reply #6 on: April 29, 2009, 09:23:14 PM »

The only way I found that I was able to actually wipe the drive while it was in use was the "shred" command:

shred -f -z -v -u /dev/sda

Replace "/dev/sda" with whatever block device you wish to wipe.

Please note: This command will take a VERY VERY long time.
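The behaviour Gothi[c] describes above (a format leaves the raw data readable, only an overwrite of the device with dd or shred removes it) and the wipe-then-check routine hollow ran can be demonstrated safely on a file-backed image instead of a real disk. This is an added example, not code from the thread; the image path, marker string and image size are constructed, and mke2fs is run with nodiscard because a modern mke2fs would otherwise punch holes in the image file:

```shell
#!/bin/sh
# Demonstration: a reformat leaves old tenant data on the raw device; only an
# overwrite removes it. Runs against a constructed image, never a real /dev/sdX.
set -eu

IMG="${IMG:-/tmp/wipe-demo.img}"                     # stand-in for /dev/sda
MARKER="PREVIOUS-TENANT-SECRET db_password=hunter2"  # constructed "old data"
IMG_MIB=8

make_image() {
    # 8 MiB zero-filled image with the marker planted 4 MiB in, where a former
    # tenant's file contents would sit, well away from any superblock or inode table.
    dd if=/dev/zero of="$IMG" bs=1048576 count="$IMG_MIB" 2>/dev/null
    printf '%s' "$MARKER" | dd of="$IMG" bs=1 seek=4194304 conv=notrunc 2>/dev/null
}

format_image() {
    # What a hosting company's "format" does: write only filesystem metadata.
    # nodiscard is set because mke2fs would otherwise TRIM/punch-hole the whole
    # image; skipped silently if mke2fs is not installed (same as no wipe at all).
    if command -v mke2fs >/dev/null 2>&1; then
        mke2fs -q -F -E nodiscard -t ext2 "$IMG" >/dev/null 2>&1
    fi
}

marker_present() {
    # The check hollow ran: scan the raw device bytes for readable strings.
    grep -a -q "$MARKER" "$IMG"
}

wipe_image() {
    # Overwrite every byte, like Gothi[c]'s dd one-liner on the real device.
    # Zeros are used so the result can be verified; /dev/urandom works the same way.
    dd if=/dev/zero of="$IMG" bs=1048576 count="$IMG_MIB" conv=notrunc 2>/dev/null
}

verify_zeroed() {
    # Post-wipe check: not a single non-zero byte may remain on the device.
    [ "$(tr -d '\000' < "$IMG" | wc -c | tr -d ' ')" -eq 0 ]
}

demo() {
    make_image
    format_image
    if marker_present; then
        echo "after reformat: old tenant data is still readable from the raw device"
    fi
    wipe_image
    if ! marker_present && verify_zeroed; then
        echo "after dd overwrite: device fully zeroed, nothing left to recover"
    fi
    rm -f "$IMG"
}

demo
```

Run it as an unprivileged user; the same grep -a (or strings) scan of the device is the check to run before handing a server back or before trusting a freshly provisioned one.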
Carol Haynes
Waffles for England (patent pending)
Global Moderator
« Reply #7 on: April 29, 2009, 09:40:08 PM »

Ouch ....
40hz
Supporting Member
« Reply #8 on: April 30, 2009, 10:59:04 PM »

Quote
Perhaps someone can give some tips on what to use on windows servers to properly wipe data.

If you have physical access to the machine and you want to be really secure, the best bet is to first completely wipe the drives with a utility like DBAN and then reinstall your OS. Since that's not usually doable with a rented server, the next best bet is to run a utility to overwrite the free space on your disks.

I'd suggest installing Eraser ( http://eraser.heidi.ie/ ) on your server. It's what we use. The latest stable release (ver 5.86a) is compatible with Server 2k3 and 2k8 - and it's free under GPL!

Set it to overwrite the drive's free space using a single pseudorandom pass. That would leave your files intact while nuking any traces left behind from previous usage.

It's a time consuming process with a slow machine or a large hard drive, but it works quite well. Defragging and consolidating the freespace on the target drive before overwriting can help speed things up a bit. Fortunately, you'll really only need to do it once on a rented server.

There's a nice illustrated step-by-step on using Eraser at this link:

http://www.afterdawn.com/...securely_delete_files.cfm


Don't you see? It's turtles all the way down!
4wd
Supporting Member
« Reply #9 on: May 01, 2009, 02:30:57 AM »

Windows XP includes a command that will do what you want (also available for Win2000):

cipher
Quote
Administrators can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. An updated version of the Cipher tool has been released for Windows 2000, and is included with Windows XP. The updated version adds another security option. This new option is the ability to overwrite data that you have deleted so that it cannot be recovered and accessed.

eg.  cipher /w:C:\  should wipe all unused space on the C: drive.

Otherwise there's always DBAN.
« Last Edit: May 01, 2009, 02:37:49 AM by 4wd »

Four wheel drive: Helping you get stuck faster, harder, further from help...........and it's no different on this forum
mediaguycouk
Supporting Member
« Reply #10 on: May 01, 2009, 03:52:33 AM »

The thought of a Windows command that could format Windows from inside Windows. Can you imagine the support calls?

Learning C# - Graham Robinson
Gothi[c]
DC Server Admin
Charter Honorary Member
« Reply #11 on: May 01, 2009, 04:52:10 AM »

Quote
The thought of a windows command that could format windows from inside windows. Can you imagine the support calls?

Unfortunately it seems it can only overwrite unused data, so you wouldn't be able to erase Windows while running it. (So you probably leave a lot of registry data behind, etc.)

It'd be interesting if someone were to find a tool to wipe the entire OS as you're running it, remotely, just like you can on *nix.

So far it looks like a boot disk (eg dban) is the best solution, but usually (but not always) that requires physical access. Softlayer for example, lets you mount remote media, so it would be possible to pull it off there, but I don't think many other hosts offer that feature, and often the budget limits the choices you have.
y0himba
Charter Member
« Reply #12 on: May 01, 2009, 06:51:41 AM »

As for Windows, I use Eraser when working in Windows. When I sell a computer or HDD, I use DBAN (Darik's Boot And Nuke). Just boot from the CD/DVD/Floppy/USB stick, choose your options, and wait for a while (sometimes over 8 hours depending on HDD size). Securely and completely erases and obfuscates data, preventing recovery.
« Last Edit: May 05, 2009, 08:52:35 AM by y0himba »

My Web Site:  http://www.y0himba.net
40hz
Supporting Member
« Reply #13 on: May 01, 2009, 08:01:39 AM »

Windows XP includes a command that will do what you want, (also available to Win2000):

cipher
Quote
Administrators can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. An updated version of the Cipher tool has been released for Windows 2000, and is included with Windows XP. The updated version adds another security option. This new option is the ability to overwrite data that you have deleted so that it cannot be recovered and accessed.

eg.  cipher /w:C:\  should wipe all unused space on the C: drive.

Otherwise there's always DBAN.


The only problem with the Cipher command is that it uses three write passes and that can't be changed. We used to use Cipher until drive capacities got too big for it to be practical for us. That's when we switched over to using Eraser, which does allow for a single pass.

From what I've been reading, the consensus among most security experts is that a single-pass overwrite is every bit as effective as a multipass wipe. Or at least it is with today's forensic recovery software.


Don't you see? It's turtles all the way down!
f0dder
Charter Honorary Member
« Reply #14 on: May 01, 2009, 08:28:59 AM »

I guess this is one of the things that are so obvious you forget to think about them.

Personally, I wouldn't bother with anything but a simple single-pass wipe, which is good enough to prevent any software-based recovery attempt. I don't know which hardware reconstruction attempts are possible (I suspect there's a lot of urban legend, based on the older MFM drives and whatnot), but I doubt anybody would go through the trouble of doing magnetic residue analysis or whatever on anything I do.

As for wiping a Windows system if you don't have a "fancy host", I guess the solution would be overwriting the MBR with a disk-wipe tool... should definitely be doable, but I don't know any that supports this off-the-shelf.

The above assumes dedicated servers, btw. I guess you're SOL if you use a shared server without "root" access, and virtualized servers could be a problem as well.

- carpe noctem
Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #15 on: May 01, 2009, 10:21:59 AM »

Quote
As for wiping a Windows system if you don't have a "fancy host", I guess the solution would be overwriting the MBR with a disk-wipe tool... should definitely be doable, but I don't know any that supports this off-the-shelf.

Doesn't plain ol' fdisk do this?

If that doesn't work, just post your email to a disreputable website, turn off your anti-virus, and you'll get MBR-corrupting software delivered right to your inbox!

All children left unattended will be given a mocha and a puppy.
f0dder
Charter Honorary Member
« Reply #16 on: May 01, 2009, 10:23:47 AM »

Oh, I didn't mean just overwriting the MBR, I meant "place a disk-wiping tool in the MBR bootstrap code".

- carpe noctem
40hz
Supporting Member
« Reply #17 on: May 01, 2009, 01:26:28 PM »


Quote
Doesn't plain ol' fdisk do this?

If that doesn't work, just post your email to a disreputable website, turn off your anti-virus, and you'll get MBR-corrupting software delivered right to your inbox!


Don't you see? It's turtles all the way down!
40hz
Supporting Member
« Reply #18 on: May 01, 2009, 11:10:34 PM »

Quote
Personally, I wouldn't bother with anything but a simple single-pass wipe, which is good enough to prevent any software based recovery attempt.

Agree. A single-pass zero write should be more than sufficient.

A tech buddy of mine pointed me to this link: http://www.somacon.com/p336.php

Quote
Erase Disk Free Space Script


Use this script to erase all the free space on your disk drive by filling it with blank, zeroed files. The WSF script runs on Windows and is freeware licensed under GPL. Just copy it to the drive you want to fill up, and double-click on it.

This script is handy when you want to sell or give away an old flash or hard disk drive, and you want some certainty that files on the drive are not easily recoverable. First erase all the files on the drive, then run this script. After it finishes, all user-writeable areas of the disk will have been written over with zeroes. With a 7200 rpm drive, it takes approximately one hour to fill up one hundred gigabytes. Because it does not overwrite or delete any existing files, the script is safer to use for novices.

This script is useful for the casual Windows users who want to clear out their disk with minimal fuss. You should be transferring ownership of the drive to someone who is unlikely to attempt to recover files from the drive, and you should not have highly sensitive information on the disk.

If you need something more secure, try the freeware Eraser program. You can read the source code for more details. This script can also be used as a crude benchmark to measure the raw write speed of your disk. The Western Digital 7200 rpm drives on my system wrote the files at 32-36 MB/second.


I can't vouch for it since I haven't tested it yet. But I did read through the script, and it does look like it's a workable solution. (Didn't spot anything malicious in it either - which is always a plus.)

« Last Edit: May 01, 2009, 11:14:41 PM by 40hz »

Don't you see? It's turtles all the way down!
f0dder
Charter Honorary Member
« Reply #19 on: May 02, 2009, 05:29:08 AM »

40hz: that probably works the same way as the SDelete SysInternals' tool - allocating a "damn big file", then a bunch of smaller files in an attempt to use all free space on the disk. The method isn't 100% perfect though, as a little filesystem metadata can be left intact. And of course there's the issue of wiping the registry, which can contain enough sensitive information...

- carpe noctem
hollowlife1987
Honorary Member
« Reply #20 on: May 03, 2009, 10:13:49 PM »

OK, I have been working on a program that will wipe the disk from within Windows, and so far it almost works; only a few things need to be addressed with it right now.

1.) Speed - it took over 10 hours to almost wipe an 8GB vmdisk
2.) Possible use in malware - very easy to wipe the MBR and more with this so far.

Any suggestions would be greatly appreciated.

EDIT: I don't know if I will be releasing this due to the possible use in malware.
« Last Edit: May 03, 2009, 10:15:22 PM by hollowlife1987 »
f0dder
Charter Honorary Member
« Reply #21 on: May 04, 2009, 03:47:48 AM »

Hollow, what's the modus operandi for your wiper? Simply opening \\.\PHYSICALDRIVEx: and WriteFile to that handle? If that's the case, then:

1) how are you able to wipe the system disk? you probably aren't going to load new apps while wiping your system partition, but stuff like pagefile or registry access...?
2) don't worry about malware uses, they already know how to cause mischief

- carpe noctem
hollowlife1987
Honorary Member
« Reply #22 on: May 04, 2009, 10:27:28 AM »

It opens the disk.sys driver and has disk.sys write to the hard drive(s).
But as I said, I couldn't get it to wipe the full disk, and I don't know what it missed.

I need to speed it up, as testing takes too long (10+ hours).

It uses some undocumented API as well.

Edvard
Coding Snacks Author
Charter Honorary Member
« Reply #23 on: May 04, 2009, 10:31:32 AM »

Quote
Oh, I didn't mean just overwriting the MBR, I meant "place a disk-wiping tool in the MBR bootstrap code"

Ooh, now that would be cool...

All children left unattended will be given a mocha and a puppy.
hollowlife1987
Honorary Member
« Reply #24 on: May 04, 2009, 11:11:51 AM »

Could do this if my program won't wipe the full drive, as I know it overwrites the MBR very easily.