Topic: Interesting Discovery Involving Rented Servers (Read 33880 times)

hollowlife1987 (Honorary Member, joined 2006, 92 posts)
Interesting Discovery Involving Rented Servers
« on: April 29, 2009, 09:00 AM »
OK, Gothi[c] and I were having a little chat in the IRC channel about old data on servers and how to remove it.

So I decided to see if I could find any data on the dedicated server my friend just got; sure enough, I found a lot of interesting and weird data...

Bottom line is, if you're going to cancel a server from a company, make sure you wipe the hard drive(s) before you do, as most companies just repartition and format the drive; they don't wipe any data off it.

That means your passwords, your emails, pictures and whatever else was on the server could still be accessible. On the flip side, that means if someone before you had illegal data on the server and your server gets seized for whatever reason,

you COULD be held accountable for the data that THEY had on it.

So when you're getting a new rented server, make sure you wipe the drive before you lose access.
And when getting a new rented server, make sure you/your host wipes the drive before you start putting your data on it.

Gothi[c] (DC Server Admin, Charter Honorary Member, joined 2006, 873 posts)
Re: Interesting discovery involving rented servers
« Reply #1 on: April 29, 2009, 09:13 AM »
It's quite a disturbing discovery with some serious implications.

Hollow's server is a GNU/Linux server, and he was able to tell, just from looking at the raw hard drive data (which is a simple one-liner command on GNU/Linux, e.g. strings /dev/sda), that the previous user ran Windows on it. He was able to retrieve pieces of registry data, emails, and other data.

What this means:
  • Say you decide to move hosts, or discontinue a server, the next person that gets your hard drive (hosting companies recycle a lot, of course), also gets all of your data, if you don't properly wipe your hard drive before discontinuing the server.
  • When you get a new server, all the old data is still floating around on the hard drive, just invisible to your OS.
    This means that if your server were ever subjected to an investigation by authorities for whatever reason, and the old owner had illegal material on it, they could easily think it's data you deleted.
    Thus it is a good idea to not only wipe the hard drive when leaving a host, but also when getting a new server.

How to properly wipe data:

Obviously, if the data survives a reformat, it will also survive when you simply delete the files.

The only way to be certain the data is gone, is by actually overwriting the physical data on the disk with random data.

On GNU/Linux there is a utility called 'shred' which offers a secure way of removing files by overwriting the physical data multiple times with random data, unlike 'rm', which only removes the links to the physical data, so the file 'appears' gone.

Alternatively you can use dd to overwrite the entire hard drive like so:
dd if=/dev/urandom of=/dev/sda
(where sda = the hard drive to erase, of course)

Perhaps someone can give some tips on what to use on Windows servers to properly wipe data.
The problem on Windows is that the OS typically stops working when it's erasing itself :) (which is not the case on *nix when you use a statically linked application that can run from memory, like dd).

I have always been aware that data is not removed after a reformat or after removing a file. Though I must admit I never connected the dots, thinking about the implications when it comes to server hosting.
I think this practical experiment hollow did, clearly illustrates that the dangers of not wiping data are real!
Thanks hollow!
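
The two steps Gothi[c] describes, looking at the raw device the way strings /dev/sda does and then overwriting the whole device, as an added example in Python that is not code from the thread. It scans a raw image or block device for leftovers (registry hive headers, PEM keys, password strings, including UTF-16LE text, which plain strings skips by default), overwrites the device with a random pass followed by a zero pass (what dd if=/dev/urandom plus shred -z amount to), then re-scans to confirm nothing is left. The sample image is constructed inside the block; the signature and keyword lists are assumptions to extend for your own environment. Run the scanner as root against /dev/sdX to check a real drive; only point wipe_image at a device you are certain is not the one the OS is running from.

```python
"""Added example, not code from the thread: a small Python stand-in for
`strings /dev/sda` that scans a raw disk image or block device for leftovers,
then overwrites it the way `dd if=/dev/urandom of=/dev/sda` followed by
`shred -z` would and re-scans to confirm the residue is gone.  The sample
image is constructed here; SIGNATURES and KEYWORDS are assumed lists."""
import os
import re
import tempfile

CHUNK = 1 << 20     # read/write granularity in bytes
OVERLAP = 4096      # bytes carried over so a hit straddling two chunks is still seen
MIN_LEN = 8         # minimum printable run, like `strings -n 8`

# Printable runs in ASCII and in UTF-16LE.  Windows registry hives and most
# Windows artefacts store text as UTF-16LE, which `strings` skips by default.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Assumed list of markers worth flagging on a "fresh" rented drive.
SIGNATURES = {
    b"regf": "Windows registry hive header",
    b"-----BEGIN RSA PRIVATE KEY-----": "PEM RSA private key",
    b"-----BEGIN OPENSSH PRIVATE KEY-----": "OpenSSH private key",
    b"NTFS    ": "NTFS boot sector OEM id",
}
KEYWORDS = re.compile(rb"(?i)password|passwd|secret|BEGIN .*PRIVATE KEY")


def scan_for_residue(path):
    """Return sorted (offset, label, text) findings from a raw image or device.

    Reads CHUNK bytes at a time, prepending the last OVERLAP bytes of the
    previous chunk.  Findings are keyed by absolute offset, so a hit seen
    twice because of the overlap is reported once."""
    findings = {}
    with open(path, "rb") as f:
        base, carry = 0, b""
        while True:
            data = f.read(CHUNK)
            if not data:
                break
            buf = carry + data
            buf_base = base - len(carry)
            for sig, label in SIGNATURES.items():
                pos = buf.find(sig)
                while pos != -1:
                    findings[buf_base + pos] = (label, sig)
                    pos = buf.find(sig, pos + 1)
            for m in ASCII_RUN.finditer(buf):
                if KEYWORDS.search(m.group(0)):
                    findings[buf_base + m.start()] = ("keyword", m.group(0))
            for m in UTF16_RUN.finditer(buf):
                text = m.group(0).decode("utf-16-le", "replace").encode()
                if KEYWORDS.search(text):
                    findings[buf_base + m.start()] = ("keyword (UTF-16LE)", text)
            carry = buf[-OVERLAP:]
            base += len(data)
    return sorted((off, lab, txt) for off, (lab, txt) in findings.items())


def wipe_image(path):
    """Overwrite the whole file or block device in place: one pass of random
    bytes, then one pass of zeros (what `shred -z` adds so the device looks
    blank).  Returns the number of bytes per pass."""
    with open(path, "r+b") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()               # works for regular files and block devices
        for fill in ("random", "zero"):
            f.seek(0)
            left = size
            while left:
                n = min(CHUNK, left)
                f.write(os.urandom(n) if fill == "random" else bytes(n))
                left -= n
            f.flush()
            os.fsync(f.fileno())      # force it past the page cache onto the media
    return size


def build_sample_image(path, size=3 * CHUNK):
    """Constructed stand-in for a recycled drive: zeros plus leftovers from a
    previous Windows tenant, one of them deliberately straddling a chunk edge."""
    with open(path, "wb") as f:
        f.truncate(size)
        f.seek(512)
        f.write(b"regf")                                   # hive header
        f.seek(1000)
        f.write(b"This string is harmless.")               # printable, not reported
        f.seek(CHUNK - 10)
        f.write(b"-----BEGIN RSA PRIVATE KEY-----")        # crosses chunk boundary
        f.seek(2 * CHUNK + 100)
        f.write("DefaultPassword=Hunter2".encode("utf-16-le"))


def demo():
    """Scan the constructed image, wipe it, scan again."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "recycled.img")
        build_sample_image(img)
        before = scan_for_residue(img)
        size = wipe_image(img)
        after = scan_for_residue(img)
    return before, size, after


if __name__ == "__main__":
    found, wiped, remaining = demo()
    for off, label, text in found:
        print("0x%08x  %-28s %r" % (off, label, text))
    print("wiped %d bytes, findings afterwards: %d" % (wiped, len(remaining)))
```

The overlap carry is the part people get wrong when rolling their own scanner: without it, a key that happens to sit on a 1 MiB boundary is never seen. The zero pass at the end is a verification aid as much as a wipe, since a drive that still shows printable strings after it has clearly not been overwritten.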

hollowlife1987 (Honorary Member, joined 2006, 92 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #2 on: April 29, 2009, 09:20 AM »
Yes, the previous owner of the server did have Windows on it; in fact, it looked a lot like a desktop computer, based on the pictures I started recovering with photorec, which is part of the testdisk package.

Don't let the program name fool ya; photorec can restore a lot more than photos. It can restore a bunch of file formats, including MSSQL databases.


Edvard (Coding Snacks Author, Charter Honorary Member, joined 2005, 3,022 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #3 on: April 29, 2009, 10:23 AM »
Good advice, thanks.

This happens in the consumer world as well. Used disks from computer parts shops are notorious for having all kinds of stuff on them. One time I even accidentally booted up a full Win98 installation that was left on a 540 Meg drive that I hadn't formatted yet, and wondered where all the extra desktop icons came from before realizing what was going on...

Didn't know it happens in server-land. You'd think people would have half a clue...

Gothi[c] (DC Server Admin, Charter Honorary Member, joined 2006, 873 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #4 on: April 29, 2009, 10:26 AM »
Didn't know it happens in server-land. You'd think people would have half a clue...
-Edvard (April 29, 2009, 10:23 AM)

Most people assume the hosting company wipes the drive before reusing it. Obviously they don't. Most just do a simple format, which leaves all the data intact.

e.g. mke2fs -j /dev/sda1, which is what your typical GNU/Linux distro install CD runs to format the HD, does not null the HD. It only creates the inode table to hold the links of files to the raw data (like the file allocation table in FAT16/32 or the master file table on NTFS).

Most people, including hosting companies, just figure that when they delete the partition, and reinstall another OS, all old data is gone.
« Last Edit: April 29, 2009, 10:32 AM by Gothi[c] »

mouser (First Author, Administrator, joined 2005, 40,914 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #5 on: April 29, 2009, 11:03 AM »
Great post.. scary stuff.

hollowlife1987 (Honorary Member, joined 2006, 92 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #6 on: April 29, 2009, 09:23 PM »
The only way I found that I was able to actually wipe the drive while it was in use was the "shred" command

shred -f -z -v -u /dev/sda

Replace "/dev/sda" with what ever block device you wish to wipe.

Please note: This command will take a VERY VERY long time.

Carol Haynes (Global Moderator, joined 2005, 8,069 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #7 on: April 29, 2009, 09:40 PM »
Ouch ....

40hz (Supporting Member, joined 2007, 11,859 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #8 on: April 30, 2009, 10:59 PM »
Perhaps someone can give some tips on what to use on windows servers to properly wipe data.
-Gothi[c] (April 29, 2009, 09:13 AM)

If you have physical access to the machine and you want to be really secure, the best bet is to first completely wipe the drives with a utility like DBAN and then reinstall your OS. Since that's not usually doable with a rented server, the next best bet is to run a utility to overwrite the free space on your disks.

I'd suggest installing Eraser ( http://eraser.heidi.ie/ ) on your server. It's what we use. The latest stable release (ver 5.86a) is compatible with Server 2k3 and 2k8, and it's free under the GPL!

Set it to overwrite the drive's freespace using a single pseudorandom pass. That would leave your files intact while nuking any traces left behind from previous usage.

It's a time consuming process with a slow machine or a large hard drive, but it works quite well. Defragging and consolidating the freespace on the target drive before overwriting can help speed things up a bit. Fortunately, you'll really only need to do it once on a rented server.

There's a nice illustrated step-by-step on using Eraser at this link:

http://www.afterdawn...ely_delete_files.cfm

 8)


4wd (Supporting Member, joined 2006, 5,644 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #9 on: May 01, 2009, 02:30 AM »
Windows XP includes a command that will do what you want (also available for Win2000):

cipher
Administrators can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. An updated version of the Cipher tool has been released for Windows 2000, and is included with Windows XP. The updated version adds another security option. This new option is the ability to overwrite data that you have deleted so that it cannot be recovered and accessed.

e.g. cipher /w:C:\ should wipe all unused space on the C: drive.

Otherwise there's always DBAN.
« Last Edit: May 01, 2009, 02:37 AM by 4wd »

mediaguycouk (Supporting Member, joined 2007, 247 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #10 on: May 01, 2009, 03:52 AM »
The thought of a Windows command that could format Windows from inside Windows. Can you imagine the support calls?
Learning C# - Graham Robinson

Gothi[c] (DC Server Admin, Charter Honorary Member, joined 2006, 873 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #11 on: May 01, 2009, 04:52 AM »
The thought of a windows command that could format windows from inside windows. Can you imagine the support calls?
-mediaguycouk (May 01, 2009, 03:52 AM)

Unfortunately it seems it can only overwrite unused data, so you wouldn't be able to erase Windows while running it. (So you'd probably leave a lot of registry data behind, etc.)

It'd be interesting if someone were to find a tool to wipe the entire OS as you're running it, remotely, just like you can on *nix.

So far it looks like a boot disk (eg dban) is the best solution, but usually (but not always) that requires physical access. Softlayer for example, lets you mount remote media, so it would be possible to pull it off there, but I don't think many other hosts offer that feature, and often the budget limits the choices you have.

y0himba (Charter Member, joined 2005, 448 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #12 on: May 01, 2009, 06:51 AM »
As for Windows, I use Eraser when working in Windows. When I sell a computer or HDD, I use DBAN (Darik's Boot And Nuke). Just boot from the CD/DVD/Floppy/USB stick, choose your options, and wait for a while (sometimes over 8 hours, depending on HDD size). Securely and completely erases and obfuscates data, preventing recovery.
« Last Edit: May 05, 2009, 08:52 AM by y0himba »

40hz (Supporting Member, joined 2007, 11,859 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #13 on: May 01, 2009, 08:01 AM »
Windows XP includes a command that will do what you want, (also available to Win2000):

cipher
Administrators can use Cipher.exe to encrypt and decrypt data on drives that use the NTFS file system and to view the encryption status of files and folders from a command prompt. An updated version of the Cipher tool has been released for Windows 2000, and is included with Windows XP. The updated version adds another security option. This new option is the ability to overwrite data that you have deleted so that it cannot be recovered and accessed.

eg.  cipher /w:C:\  should wipe all unused space on the C: drive.

Otherwise there's always DBAN.
-4wd (May 01, 2009, 02:30 AM)

The only problem with the Cipher command is that it uses three write passes and that can't be changed. We used to use Cipher until drive capacities got too big for it to be practical for us. That's when we switched over to using Eraser, which does allow for a single pass.

From what I've been reading, the consensus among most security experts is that a single-pass overwrite is every bit as effective as a multipass wipe. Or at least it is with today's forensic recovery software.


f0dder (Charter Honorary Member, joined 2005, 9,153 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #14 on: May 01, 2009, 08:28 AM »
I guess this is one of those things that are so obvious you forget to think about them :)

Personally, I wouldn't bother with anything but a simple single-pass wipe, which is good enough to prevent any software-based recovery attempt. I don't know which hardware reconstruction attempts are possible (I suspect there's a lot of urban legend, based on the older MFM drives and whatnot), but I doubt anybody would go through the trouble of doing magnetic residue analysis or whatever on anything I do :)

As for wiping a Windows system if you don't have a "fancy host", I guess the solution would be overwriting the MBR with a disk-wipe tool... should definitely be doable, but I don't know any that supports this off-the-shelf.

The above assumes dedicated servers, btw. I guess you're SOL if you use a shared server without "root" access, and virtualized servers could be a problem as well.
- carpe noctem

Edvard (Coding Snacks Author, Charter Honorary Member, joined 2005, 3,022 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #15 on: May 01, 2009, 10:21 AM »
As for wiping a Windows system if you don't have a "fancy host", I guess the solution would be overwriting the MBR with a disk-wipe tool... should definitely be doable, but I don't know any that supports this off-the-shelf.
-f0dder (May 01, 2009, 08:28 AM)

Doesn't plain ol' fdisk do this?

If that doesn't work, just post your email to a disreputable website, turn off your anti-virus, and you'll get MBR-corrupting software delivered right to your inbox!  :P

f0dder (Charter Honorary Member, joined 2005, 9,153 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #16 on: May 01, 2009, 10:23 AM »
Oh, I didn't mean just overwriting the MBR, I meant "place a disk-wiping tool in the MBR bootstrap code" :)
- carpe noctem

40hz (Supporting Member, joined 2007, 11,859 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #17 on: May 01, 2009, 01:26 PM »

Doesn't plain ol' fdisk do this?

If that doesn't work, just post your email to a disreputable website, turn off your anti-virus, and you'll get MBR-corrupting software delivered right to your inbox!  :P
-Edvard (May 01, 2009, 10:21 AM)

[image attachment: t147198270_6042_3.gif]


40hz (Supporting Member, joined 2007, 11,859 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #18 on: May 01, 2009, 11:10 PM »
Personally, I wouldn't bother with anything but a simple single-pass wipe, which is good enough to prevent any software based recovery attempt.
-f0dder (May 01, 2009, 08:28 AM)

Agree. A single-pass zero write should be more than sufficient.

A tech buddy of mine pointed me to this link: http://www.somacon.com/p336.php

Erase Disk Free Space Script


Use this script to erase all the free space on your disk drive by filling it with blank, zeroed files. The WSF script runs on Windows and is freeware licensed under GPL. Just copy it to the drive you want to fill up, and double-click on it.

This script is handy when you want to sell or give away an old flash or hard disk drive, and you want some certainty that files on the drive are not easily recoverable. First erase all the files on the drive, then run this script. After it finishes, all user-writeable areas of the disk will have been written over with zeroes. With a 7200 rpm drive, it takes approximately one hour to fill up one hundred gigabytes. Because it does not overwrite or delete any existing files, the script is safer to use for novices.

This script is useful for the casual Windows users who want to clear out their disk with minimal fuss. You should be transferring ownership of the drive to someone who is unlikely to attempt to recover files from the drive, and you should not have highly sensitive information on the disk.

If you need something more secure, try the freeware Eraser program. You can read the source code for more details. This script can also be used as a crude benchmark to measure the raw write speed of your disk. The Western Digital 7200 rpm drives on my system wrote the files at 32-36 MB/second.


I can't vouch for it since I haven't tested it yet. But I did read through the script, and it does look like it's a workable solution. (Didn't spot anything malicious in it either - which is always a plus. ;D )

« Last Edit: May 01, 2009, 11:14 PM by 40hz »

f0dder (Charter Honorary Member, joined 2005, 9,153 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #19 on: May 02, 2009, 05:29 AM »
40hz: that probably works the same way as the Sysinternals SDelete tool: allocating a "damn big file", then a bunch of smaller files in an attempt to use all free space on the disk. The method isn't 100% perfect though, as a little filesystem metadata can be left intact. And of course there's the issue of wiping the registry, which can contain enough sensitive information...
- carpe noctem
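
The free-space overwrite that 4wd's cipher /w, 40hz's Eraser and the somacon script perform, and whose limits f0dder points out above, as an added example in Python. This is not code from the thread and not how any of those tools is implemented internally; it is the same mechanism written out: grow a zero-filled file until the filesystem reports ENOSPC, then create many tiny files to reach the cluster tails the big file cannot, sync, and delete everything it created. max_bytes and MAX_SMALL_FILES are assumed safety caps so the demo can run inside a scratch directory; pass max_bytes=None to fill a volume for real. Allocated files, the pagefile, the registry and filesystem metadata (MFT records, journal entries) are not touched by this approach, which is exactly the caveat raised above.

```python
"""Added example, not the thread's code and not the internals of Eraser,
cipher /w or SDelete: a hand-written free-space overwrite.  `max_bytes` and
MAX_SMALL_FILES are assumed caps for running in a scratch directory."""
import errno
import os
import tempfile

BIG_CHUNK = 1 << 20       # append size for the bulk file
SMALL_FILE = 1024         # size of each tail-filling file
MAX_SMALL_FILES = 10000   # assumed cap on tail-filling files


def _fill(path, chunk, budget):
    """Append copies of chunk to path until ENOSPC or budget; return bytes written."""
    written = 0
    with open(path, "wb", buffering=0) as f:        # raw I/O so ENOSPC surfaces at write()
        while budget is None or written + len(chunk) <= budget:
            view = memoryview(chunk)
            try:
                while view:                         # raw writes may be partial
                    n = f.write(view)
                    view = view[n:]
            except OSError as e:
                if e.errno != errno.ENOSPC:
                    raise
                written += len(chunk) - len(view)   # count the part that did land
                break
            written += len(chunk)
        os.fsync(f.fileno())                        # make the zeros reach the media
    return written


def wipe_free_space(directory, max_bytes=None):
    """Overwrite the free space of the filesystem holding `directory`.

    Returns (bytes_in_bulk_file, bytes_in_small_files).  Not covered, which
    is the caveat raised in the thread: allocated files (the OS, registry,
    pagefile, logs), MFT/inode metadata and journal records.  Those need a
    wipe from outside the running OS (boot media or a full-device overwrite)."""
    created = []
    big = os.path.join(directory, ".wipe_bulk")
    try:
        created.append(big)
        big_bytes = _fill(big, bytes(BIG_CHUNK), max_bytes)
        small_bytes = 0
        left = None if max_bytes is None else max_bytes - big_bytes
        for i in range(MAX_SMALL_FILES):
            if left is not None and small_bytes + SMALL_FILE > left:
                break
            p = os.path.join(directory, ".wipe_tail_%05d" % i)
            created.append(p)
            n = _fill(p, bytes(SMALL_FILE), SMALL_FILE)
            small_bytes += n
            if n < SMALL_FILE:          # ENOSPC: the volume is now completely full
                break
    finally:
        for p in created:               # give the space back
            if os.path.exists(p):
                os.remove(p)
    return big_bytes, small_bytes


def demo():
    """Run the wipe with a cap inside a scratch directory; return what it did."""
    with tempfile.TemporaryDirectory() as d:
        big, small = wipe_free_space(d, max_bytes=3 * BIG_CHUNK + 5 * SMALL_FILE)
        leftover = os.listdir(d)
    return big, small, leftover


if __name__ == "__main__":
    big, small, leftover = demo()
    print("bulk file: %d bytes, tail files: %d bytes, files left behind: %d"
          % (big, small, len(leftover)))
```

Two details matter in practice: the write must go through unbuffered I/O and end with fsync, or ENOSPC shows up late and the zeros may never reach the platters; and the tiny-file phase is what reaches the slack at the end of the last cluster of each deleted file, which a single large file leaves untouched.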

hollowlife1987 (Honorary Member, joined 2006, 92 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #20 on: May 03, 2009, 10:13 PM »
OK, I have been working on a program that will wipe the disk from within Windows, and so far it almost works; there are only a few things right now that need to be addressed with it.

1.) Speed - It took over 10 hours to almost wipe an 8GB vmdisk
2.) Possible use in malware - very easy to wipe the MBR and more with this so far.

Any suggestions would be greatly appreciated.

EDIT: I don't know if I will be releasing this due to the possible use in malware.
« Last Edit: May 03, 2009, 10:15 PM by hollowlife1987 »

f0dder (Charter Honorary Member, joined 2005, 9,153 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #21 on: May 04, 2009, 03:47 AM »
Hollow, what's the modus operandi for your wiper? Simply opening \\.\PHYSICALDRIVEx and calling WriteFile on that handle? If that's the case, then:

1) how are you able to wipe the system disk? you probably aren't going to load new apps while wiping your system partition, but stuff like pagefile or registry access...?
2) don't worry about malware uses, they already know how to cause mischief :)
- carpe noctem

hollowlife1987 (Honorary Member, joined 2006, 92 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #22 on: May 04, 2009, 10:27 AM »
It opens the disk.sys driver and has disk.sys write to the hard drive(s).
But as I said, I couldn't get it to wipe the full disk, and I don't know what it missed.

I need to speed it up as testing takes too long 10+ hours.

It uses some undocumented API as well.


Edvard (Coding Snacks Author, Charter Honorary Member, joined 2005, 3,022 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #23 on: May 04, 2009, 10:31 AM »
Oh, I didn't mean just overwriting the MBR, I meant "place a disk-wiping tool in the MBR bootstrap code" :)
-f0dder (May 01, 2009, 10:23 AM)

Ooh, now that would be cool...  8)

hollowlife1987 (Honorary Member, joined 2006, 92 posts)
Re: Interesting Discovery Involving Rented Servers
« Reply #24 on: May 04, 2009, 11:11 AM »
I could do this if my program won't wipe the full drive, as I know it overwrites the MBR very easily.