Hmm... not sure if I should post this... public error msg w/ too much info.
Jeff S


- Joined on 11-22-2004
- Boston MA
- Posts 1,003
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Yikes .... not just a username/password, but the sa account. For those who aren't too familiar with SQL Server, that's basically the "root" account and it can do anything to the entire database server. In addition, because many SQL service accounts run with high privileges on the server (i.e., domain or local admin), if you have control of the "sa" sql account you generally can take control of and access the entire server and/or network.
I did not become a TDWTF forum moderator to make friends. And by the way, I haven't.
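The check a practitioner would actually run against a page like the one in this thread, as an added example (not code from the thread, the site, or its developers): a small POSIX shell script that inspects an HTTP response body for the raw ADO/OLE DB error text, pulls the login out of any connection string echoed alongside it, flags the case Jeff S describes (the login is `sa`, i.e. sysadmin on the whole instance), and produces a redacted copy you can quote when contacting the site owner. The sample bodies are constructed: the moderators removed the real page, so only the `80040e37` / `tbl_Directory` error line comes from the thread; the host, path, connection string and password are invented for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the site discussed.
# Inspect a response body for a leaked SQL Server error and connection string.

# Constructed sample bodies. The error line is the fragment the thread kept;
# the file path, host, login and password are invented for this example.
LEAKY_PAGE="<html><body>
Microsoft OLE DB Provider for SQL Server error '80040e37'
Invalid object name 'tbl_Directory'.
/inc/dbconn.asp, line 14
Provider=SQLOLEDB;Data Source=192.0.2.10,1433;User ID=sa;Password=Summer2008;Initial Catalog=shop
</body></html>"

CLEAN_PAGE='<html><body>Sorry, something went wrong. Reference 4f2a9c.</body></html>'

# Exit 0 if the body carries a raw database-provider error, i.e. the
# application is echoing driver output (and whatever surrounds it) to the browser.
has_provider_error() {
    printf '%s\n' "$1" | grep -Eiq \
        "OLE DB Provider for SQL Server error '[0-9a-f]{8}'|\[Microsoft\]\[ODBC SQL Server Driver\]|Unclosed quotation mark|Incorrect syntax near"
}

# Print the login from any ADO-style connection string in the body (empty if none).
# Splitting on ';' puts 'User ID=...' or 'UID=...' on a line of its own.
leaked_login() {
    printf '%s\n' "$1" | tr ';' '\n' | grep -Ei '^(user id|uid)=' | head -n 1 | cut -d= -f2-
}

# Exit 0 when the leaked login is 'sa': sysadmin on the whole instance, and,
# when the service account runs as local or domain admin, a path to the host.
leaked_sa() {
    login=$(leaked_login "$1" | tr '[:upper:]' '[:lower:]')
    [ "$login" = "sa" ]
}

# Print the body with the password field masked so it can be quoted in a
# report or a forum post without re-leaking the secret.
redact() {
    printf '%s\n' "$1" | sed -e 's/[Pp]assword=[^;]*/Password=[REDACTED]/g' \
                             -e 's/[Pp][Ww][Dd]=[^;]*/Pwd=[REDACTED]/g'
}

# Stand-alone run: report on the constructed leaky page.
if has_provider_error "$LEAKY_PAGE"; then
    echo "raw provider error present"
    if leaked_sa "$LEAKY_PAGE"; then
        echo "leaked login is sa: treat as full compromise of the instance"
    fi
    redact "$LEAKY_PAGE"
fi
```

Against a live page you would feed the functions the fetched body (`body=$(curl -s "$URL"); has_provider_error "$body"`), and only ever forward the output of `redact`. The provider-error patterns are the ones classic ASP/ADO and the ODBC driver emit when errors are sent to the browser; a match means the first fix is to stop echoing driver errors, the second is to replace the `sa` login with a per-application login that has only the database roles it needs.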
kswanton


- Joined on 03-23-2006
- Posts 25
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Scary. Especially since the database server is *not* firewalled... Maybe someone ought to email the guy before someone gets 'DROP' happy?
Kazan


- Joined on 08-31-2006
- Posts 85
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
preserved for future <snippet removed by moderator>
Microsoft OLE DB Provider for SQL Server error '80040e37'
Invalid object name 'tbl_Directory'.
<snippet removed>
mxsscott


- Joined on 03-28-2008
- UK
- Posts 44
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Uh oh ... they ask for CC info: <link removed by request>. They *really* need to hope that isn't stored in the database.
Fixing bugs in a VB program is like playing whack-a-mole.
Jeff S


- Joined on 11-22-2004
- Boston MA
- Posts 1,003
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
kswanton: Scary. Especially since the database server is *not* firewalled... Maybe someone ought to email the guy before someone gets 'DROP' happy?
yikes! it is exposed. OK, we need to contact them, seriously. I hope everyone here will do the right thing and not abuse this info.
I did not become a TDWTF forum moderator to make friends. And by the way, I haven't.
OzPeter


- Joined on 02-11-2008
- Posts 150
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Jeff S: yikes! it is exposed. OK, we need to contact them, seriously. I hope everyone here will do the right thing and not abuse this info.
lol .. are you new around here??? The last time an open database was reported people were posting various queries along the lines of "see what I found!!!"
But yes, I agree that stupidity on that level is beyond a mere WTF and doing the right thing should be done. BTW did you try and contact the DBA???
Jeff S


- Joined on 11-22-2004
- Boston MA
- Posts 1,003
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
I emailed them and left a phone message. Call me a fascist moderator if you like, but I edited out their information. Please don't repost, let's be responsible. A WTF is one thing, but something like this is a pretty big deal.
I did not become a TDWTF forum moderator to make friends. And by the way, I haven't.
kswanton


- Joined on 03-23-2006
- Posts 25
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
I emailed the address that is listed as the contact on the WHOIS record, which is the same email on the 'Contact Us' link of the site.
mxsscott


- Joined on 03-28-2008
- UK
- Posts 44
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Did you also contact the 'Tech Support', i.e. local web shop? BTW, I agree - live WTFs possibly exposing CC info and addresses require responsibility.
Fixing bugs in a VB program is like playing whack-a-mole.
uncaughtException


- Joined on 08-14-2008
- Posts 2
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
I emailed one of the client sites that had databases on that box, I think they deserve to know how their money has been used. Although I'm sure the dev would disclose such a serious breach in security had occurred to his clients. It's only right. And of course I didn't execute any queries.
morbiuswilters


- Joined on 01-15-2008
- East Coast Represent!
- Posts 2,978
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Jeff S: yikes! it is exposed. OK, we need to contact them, seriously. I hope everyone here will do the right thing and not abuse this info.
We usually get one of these "open database" WTFs every 3 weeks or so. The result is a bunch of morons making insufferable Bobby Tables jokes and generally fucking the database to hell within the first 30 minutes of it being posted. This is followed by a circle jerk of self-congratulation at being such amazing hackers. Finally, myself or someone else will call them all children and publicly wish for a law enforcement agency to track the crime back to this forum, followed by a subpoena to Alex and the poster being rewarded with a few years of being sodomized by neo-Nazis and Latino gang members in a state prison. You think I'm joking, probably, and sadly I am not. This is the general intelligence level of the forum at this point in time. Thanks for doing the right thing and redacting the info and trying to contact the site administrator. Hopefully your efforts will pay off.
< pstorer> Bans don't mean shit on the forum. It's like being on the Sex Offender List. You can still entice kids into your van with candy.
Want more? Go the IRC channel #TDWTFMafia on irc.slashnet.org.
Farmer Brown is MasterPlanSoftware. He created a new forum account because he is obsessed with me after I scorned him. Ignoring his trolling is the best way to deal with the crybaby.
Jeff S


- Joined on 11-22-2004
- Boston MA
- Posts 1,003
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
uncaughtException: I emailed one of the client sites that had databases on that box, I think they deserve to know how their money has been used. Although I'm sure the dev would disclose such a serious breach in security had occurred to his clients. It's only right. And of course I didn't execute any queries.
Multiple clients are using that box? Yet the server-wide SA account is being used? I don't type this as often as I'd like these days but ... WTF?
I did not become a TDWTF forum moderator to make friends. And by the way, I haven't.
Quietust


- Joined on 06-15-2007
- Posts 69
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
kswanton:...before someone gets 'DROP' happy?
Considering the error message that appeared on the page says "Invalid object name 'tbl_Directory'.", it's possible that somebody already did.
P.S. If you don't get this note, let me know and I'll write you another.
- Signature Guy
  - Joined on Thu, Jan 1 1970
- Forum Signature
- Posts ∞
Re: Whatever This Thread Is Named
I agree with whatever Quietust just posted above.
uncaughtException


- Joined on 08-14-2008
- Posts 2
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
It's been fixed, error no longer shows. But here's a quote from what looks like the dev team's website:
- We are Digital Architects who design and build Digital Lifecycle Systems (DLS). Our unique DLS architecture:
- Encourages biased user participation
- Monitors user data in real-time
- Efficiently manages dynamic e-commerce solutions
- Our Custom DLS takes on life. This advanced technology encourages micro-economies that synergistically scale into living-digital-systems.
- Our expertise in Business Management, Macro Economics, Interior Design, Personnel Management, Real Estate, Data Systems, Outdoor Sports, Digital Audio / Video and Tourism insures a well grounded understanding of fundamental business principles.
- We are the Leader.
- We are the Innovator.
Sounds good....
We are Digital Marketing Advisors.
mxsscott


- Joined on 03-28-2008
- UK
- Posts 44
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
uncaughtException: - We are the Leader.
- We are the Innovator.
I am the Walrus. Coo coo ca choo?
Fixing bugs in a VB program is like playing whack-a-mole.
burntfuse


- Joined on 05-16-2007
- Posts 133
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
uncaughtException: It's been fixed, error no longer shows. But here's a quote from what looks like the dev team's website:
- We are Digital Architects who design and build Digital Lifecycle Systems (DLS). Our unique DLS architecture:
- Encourages biased user participation
- Monitors user data in real-time
- Efficiently manages dynamic e-commerce solutions
- Our Custom DLS takes on life. This advanced technology encourages micro-economies that synergistically scale into living-digital-systems.
- Our expertise in Business Management, Macro Economics, Interior Design, Personnel Management, Real Estate, Data Systems, Outdoor Sports, Digital Audio / Video and Tourism insures a well grounded understanding of fundamental business principles.
- We are the Leader.
- We are the Innovator.
Wow, 90 words and not a shred of meaning. After reading that I still have absolutely no idea what they actually do.
danixdefcon5


- Joined on 01-09-2007
- Mexico City, DF, Mexico
- Posts 485
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
morbiuswilters: Jeff S: yikes! it is exposed. OK, we need to contact them, seriously. I hope everyone here will do the right thing and not abuse this info.
We usually get one of these "open database" WTFs every 3 weeks or so. The result is a bunch of morons making insufferable Bobby Tables jokes and generally fucking the database to hell within the first 30 minutes of it being posted. This is followed by a circle jerk of self-congratulation at being such amazing hackers. Finally, myself or someone else will call them all children and publicly wish for a law enforcement agency to track the crime back to this forum, followed by a subpoena to Alex and the poster being rewarded with a few years of being sodomized by neo-Nazis and Latino gang members in a state prison. You think I'm joking, probably, and sadly I am not. This is the general intelligence level of the forum at this point in time. Thanks for doing the right thing and redacting the info and trying to contact the site administrator. Hopefully your efforts will pay off.
I really wonder why the fuck these guys think that a DROP TABLE really_important_data is even remotely funny. The kind of idiot that leaves the DB open to the internet is the same kind of idiot that (a) doesn't do regular backups (b) doesn't encrypt sensitive info, which means that when another idiot wipes the database, someone's losing critical data. It's one thing to do stuff like adding a table called "readme" which has rows saying "protect","your","database" or even someone putting "d00d was here"; but intentionally deleting stuff is frowned upon, even among hackers. Some idiots never learn, though.
morbiuswilters


- Joined on 01-15-2008
- East Coast Represent!
- Posts 2,978
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
danixdefcon5: It's one thing to do stuff like adding a table called "readme" which has rows saying "protect","your","database" or even someone putting "d00d was here";
That might make sense if you want to show absolutely that you have access to the database. I always try to get into contact with the admins when I encounter security breaches like this.
< pstorer> Bans don't mean shit on the forum. It's like being on the Sex Offender List. You can still entice kids into your van with candy.
Want more? Go the IRC channel #TDWTFMafia on irc.slashnet.org.
Farmer Brown is MasterPlanSoftware. He created a new forum account because he is obsessed with me after I scorned him. Ignoring his trolling is the best way to deal with the crybaby.
tgape


- Joined on 07-16-2008
- Posts 81
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
morbiuswilters: danixdefcon5: It's one thing to do stuff like adding a table called "readme" which has rows saying "protect","your","database" or even someone putting "d00d was here";
That might make sense if you want to show absolutely that you have access to the database. I always try to get into contact with the admins when I encounter security breaches like this.
Sometimes, it's difficult to find the admin's contact information. Sometimes, the admin doesn't believe the danger level. In these times, doing something like that may be required, and it's less intrusive than adding a row to their main database labeled 'insecure', with every row having the value MININT.
That having been said, I've only once had to resort to something like that (although my instance wasn't a database leak, but a web page to arbitrary execution as root hole, so I made a file named "/-Anyone can read or write to your filesystem anywhere they want-", and then told his boss about it a couple days later as he hadn't managed to fix the problem. He also had not managed to delete or rename that file, despite the fact that deleting the file had been his main focus over those days.) Oddly enough, his boss seemed to mind my involvement more than he minded the problem (although at least he realized that the problem needed fixing before anyone else found out.) He really didn't like hearing my offer to fix it for them, and especially did not like my gleeful reminder that, no, I didn't need to be "granted" access to the box to fix it - just the written permission to do so.
Note: No, the boy wonder who couldn't figure out, even after two days of trying, how to remove a file with a leading dash or spaces in it wasn't fired. Well, at least, not for this incident.
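The file-removal problem tgape describes (a name that begins with a dash and contains spaces, which rm parses as a cluster of options unless told otherwise), as an added example that is not part of tgape's post or the thread: a POSIX shell script that creates such a file in a scratch directory, reproduces the naive failure, and removes it both ways that work, `rm -- NAME` (end of option parsing) and `rm ./NAME` (the argument no longer starts with a dash). The directory is created with `mktemp -d` and the file name is the one tgape quotes; both are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: removing a file whose name starts
# with '-' and contains spaces.

WORK=$(mktemp -d)
MARKER='-Anyone can read or write to your filesystem anywhere they want-'

# Create the awkwardly named file. With the directory prefix the argument has
# no leading dash, so a plain redirection works.
create_marker() {
    : > "$WORK/$MARKER"
    [ -f "$WORK/$MARKER" ]
}

# The naive attempt from inside the directory: rm reads '-Anyone ...' as
# options, complains, and exits non-zero. Exit 0 here means the failure was
# reproduced and the file is still present.
naive_rm_fails() {
    if ( cd "$WORK" && rm "$MARKER" ) 2>/dev/null; then
        return 1
    fi
    [ -f "$WORK/$MARKER" ]
}

# Correct removal: '--' tells rm that everything after it is a file name,
# and the quotes keep the spaces inside one argument.
remove_with_dashdash() {
    ( cd "$WORK" && rm -- "$MARKER" ) && [ ! -e "$WORK/$MARKER" ]
}

# Equivalent fix: a './' prefix means the argument no longer starts with '-'.
remove_with_dot_slash() {
    ( cd "$WORK" && rm "./$MARKER" ) && [ ! -e "$WORK/$MARKER" ]
}

cleanup() {
    rmdir "$WORK"
}

# Stand-alone run.
create_marker && naive_rm_fails && echo "rm \"$MARKER\" failed as expected"
remove_with_dashdash && echo "removed with rm -- NAME"
create_marker && remove_with_dot_slash && echo "removed with rm ./NAME"
cleanup
```

The same two idioms apply to mv, cp, cat and most other utilities that use standard option parsing, and `./` is the one to reach for with tools that do not honour `--`.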
Kazan


- Joined on 08-31-2006
- Posts 85
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
call me an asshole.. but if you cannot be bothered to even follow basic security best practices you get what you get.
morbiuswilters


- Joined on 01-15-2008
- East Coast Represent!
- Posts 2,978
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Kazan: call me an asshole.. but if you cannot be bothered to even follow basic security best practices you get what you get.
This hurts me more than it will hurt you: you're an asshole. Wait, that didn't hurt me at all! Anyway, there's no telling how this system got into this state. It could be a company full of good developers with one moron sysadmin who ended up exposing the entire database. Whatever damages are done extend far beyond the person(s) responsible for the breach. In fact, this site has shown many times that competent people can end up screwed over by WTFy co-workers who aren't even reprimanded for their mistakes. I think it's a bit presumptuous to assume that every person involved with that site deserves to have their data and systems wrecked. Regardless, I was mostly complaining about the retards on this forum who trash an exposed system as soon as it is posted. Even if the sysadmin was "asking for it", there is nothing lamer than destroying someone's data for the fuck of it.
< pstorer> Bans don't mean shit on the forum. It's like being on the Sex Offender List. You can still entice kids into your van with candy.
Want more? Go the IRC channel #TDWTFMafia on irc.slashnet.org.
Farmer Brown is MasterPlanSoftware. He created a new forum account because he is obsessed with me after I scorned him. Ignoring his trolling is the best way to deal with the crybaby.
skippy


- Joined on 03-10-2006
- Calgary, AB
- Posts 180
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
morbiuswilters: Even if the sysadmin was "asking for it", there is nothing lamer than destroying someone's data for the fuck of it.
Sure, it's fun to play around and feel all powerful when you find exploits, but wouldn't you rather take this obvious opportunity to make some good cash and (at least try to) sell your expertise to them to fix it? If what was stated earlier about the knowledge of a company that leaves blatant holes like this is true, there's a good chance they don't have any employees that can fix this.
Jeff S


- Joined on 11-22-2004
- Boston MA
- Posts 1,003
Re: Hmm... not sure if I should post this... public error msg w/ too much info.
Kazan: call me an asshole.. but if you cannot be bothered to even follow basic security best practices you get what you get.
You can argue that maybe the programmer deserves it, but not the company that employed the programmer.
I did not become a TDWTF forum moderator to make friends. And by the way, I haven't.