Hackers infiltrate Web site
August 6, 2006
The main Web site for the Douglas County Fair looked a little different Saturday.
Hackers claiming ties with an activist Turkish Muslim computer-hacking community used the home page of the fair's Web site, dgcountyfair.com, as a billboard over the weekend.
The message: "Dont (sic) War!"
"The timing of it could have been better," said county fair board member Tara Flory.
The fair's events wrap up today.
A hacker posting as "Crackers_Child" posted the message along with contact information at a Web site called sibersavascilar.com.
The Web site links to activists in Turkey and on several pages explains in detail how to hack different kinds of Web sites.
Another page on the site displays anti-Israeli propaganda alongside Muslim imagery.
Several other Web sites hacked by sibersavascilar.com members display political and religious messages, including anti-U.S. and pro-Islam slogans.
"It's called 'hacktivism'," said William "Chuck" Easttom, of the Texas-based Chuck Easttom Consulting. "And it's becoming fairly common."
Easttom, an author and expert on computer hacking, said that groups who have a political message to convey often hack into the home pages of certain Web sites to make a point. For example, he said, if someone wants to hack into the U.S. Army Web site, they typically attack the recruitment home page rather than internal army sites.
Then, Easttom said, hackers tag a Web site with a message - much like the county fair site.
"Tagging a Web site is the most common kind of hacking," he said.
But the hackers who attacked the fair site seemingly post at random, choosing Web sites promoting various things from all over the world.
"The randomness tells me one thing," Easttom said. "This is some kid. This is not a serious hacker."
And, Easttom said, these kinds of hacks are typically harmless, as most Web sites holding sensitive information - banking records, medical histories - have plenty of security to protect them.
Flory said her brother, Trent Flory, was already working to repair the site, and that the hacking incident wasn't a big deal.
"Hackers get in there," she said.
6 August 2006
at 6:56 a.m.
Marion (Marion Lynn) says…
This comment was removed by the site staff for violation of the usage agreement.
6 August 2006
at 7:35 a.m.
Marion (Marion Lynn) says…
Oh and by the way…………..
If the hackers got into the home page, I mean really got IN using the ADMIN Control Panel, they were IN!
Unless each file within the public HTML of the site is individually password protected with different passwords, the hackers had at least temporary access to the entire site.
They only wanted to plant the message on the home page and had no real dirty work in mind…..we hope….they could have planted a program which is called a time bomb which starts doing funny stuff to the site hours, days or weeks after the fact and such a program might be difficult to find.
Either way, if they got into the home page, the rest of the site was also wide open and the County is lucky that it is even still up!
There is also a way to plant what is essentially a pop-up which comes up on top of the home page whenever it is accessed by the public but those are normally blocked by the user's filters.
The hackers got in and looked at whatever they wanted.
Thanks.
Marion.
6 August 2006
at 7:49 a.m.
Marion (Marion Lynn) says…
rightthinker:
Agreed.
The thing that worries me is what if the same (in)security system is used on other County sites??!!!!!!!!!
I think that the local socialists would have been looking for veggie and soy burgers, though!
Yeeeecccchhhhhhhhhhhhhhhhhhhhhh!
Thanks.
Marion.
6 August 2006
at 8:04 a.m.
Marion (Marion Lynn) says…
Ohmigawd, rightthinker!
I just realised that the authorities are going to be investigating the same people who do that nekkid calendar every year!
Our guys will have to approach them wearing NBC (Nuclear, Biological, Chemical) suits and the guys should be awarded medals for valour just for doing so!
I mean, did you SEE those photos of those nekkid socialists, commies and anarchists?
Put you off your dinner, those will!
Thanks.
Marion.
6 August 2006
at 11:22 a.m.
mommaeffortx2 (Anonymous) says…
why is it if we have freedoms of speech a local paper can censor your thoughts and opinions on a public site
6 August 2006
at noon
fletch (Anonymous) says…
Hmmmm, who would hit the Douglas County Fair website with anti-war messages? Gee, could it be those wacky kids at Solidarity?
International political hackers don't go after sites like this. They go after targets they know will be effective avenues for distributing their message. Going after the DougCo Fair website would be like going out hunting for deer and deciding to shoot a squirrel instead. It's too easy and it's not worth the time and effort. This was somebody local, which narrows down the suspect list. Specifically, it narrows it down to Solidarity.
6 August 2006
at 12:02 p.m.
niles (Anonymous) says…
I doubt Muslims were smart enough to do this, I'd bet American, European or Chinese kids tried to stage it on them.
6 August 2006
at 12:21 p.m.
badger (Anonymous) says…
Yeah, this definitely has 'script-kiddie' written all over it in big, badly spelled writing.
Pfui.
6 August 2006
at 12:23 p.m.
ksmattfish (Anonymous) says…
“why is it if we have freedoms of speech a local paper can censor your thoughts and opinions on a public site”
Why would you ever think a website run and maintained by a private business would be public? The LJW is owned by individuals, not the city at large. How does controlling content on a website constitute censoring thought?
6 August 2006
at 12:36 p.m.
compmd (Anonymous) says…
The record needs to be set straight.
Website defacement is not the action of a hacker, it is the action of a script kiddie. These are people who are just skilled enough to be dangerous. To deface a website one does not need root, just the same privilege level as the web server, in this case, Apache. To truly hack a machine, obtain the passwd file or shadow file and crack them. However, Apache may be running as root, in which case the server got 0wn3d. By examining this machine, I have deduced that the system administrator for it is an idiot. holygrailale brought up ssh, and that's a great remote access solution, unless the version you are running is way out of date and subject to buffer overflow attack permitting the attacker to run arbitrary system commands. The most likely scenario is that an outdated apache or openssh was exploited. Given my cursory investigation, it seems the attacker did root the box or created a user account and the administrator likely doesn't know it and doesn't know how I know it. Ironically the server hosting dgcountyfair.com is doing something far more nefarious that wasn't mentioned in this article.
I hope some law enforcement folks drop me a line. It's been too long since I've worked with them.
ThePlanet is known for having terribly unsecured servers, I deal with php/mysql attacks and ssh brute force attempts coming from their machines all the time.
Please let me know if you have any questions, and to the county fair staff, please let me know if you would like to have a more secure site.
6 August 2006
at 1:13 p.m.
compmd (Anonymous) says…
holygrailale:
You seem to be familiar with a portscanner, which means you've already seen the bigger problem. The answer to your question was not in my post. I think you should keep in mind the idea that many innocuous things can be used destructively.
niles:
I hate to burst your bubble, but it's the American kids that don't do this (as much). Chinese and Muslim hacking teams are the most prolific. Why? Because they have a message to send. Also, unlike American kiddies, they have no fear of punishment.
6 August 2006
at 1:19 p.m.
compmd (Anonymous) says…
For those wondering how defacements are carried out and how the attacker might have chosen the Douglas County Fair, allow me to introduce you to the average “hacking team”.
There are several Muslim hacking teams in existence. I am intimately familiar with one team based in Albania that has tried to take out one of my company servers for months. The attacks are not the result of some guy sitting down saying, “Crafty Kansans! I'm gonna get them!” It's a script using google to find sites running particular content managers, default configurations, or outdated services, and then automatically attacking them. The team in this case doesn't care who they hit, just as long as their message is spread.
This is how most operate.
Disclaimer: I'm not saying for certain this is what happened. This is simply a theory based on extensive experience.
6 August 2006
at 2:35 p.m.
compmd (Anonymous) says…
Well said holygrailale. I'm rather fond of zone-h. I also like insecure.org a lot. Security is everyone's responsibility.
By the way, did you figure out what about that server is bothering me so much? I believe it is still in a compromised state. Just because the sites are up doesn't mean it still isn't 0wnz0r3d.
6 August 2006
at 2:37 p.m.
Marion (Marion Lynn) says…
holygrailale:
Thank you for your very kind compliment!
I ain't doin' too bad for a Baby Boomer who five years ago didn't know how to turn on a computer and who is learning more every day and who generates 99% of his income on the 'net.
I's skeered of hackers and the like so I take special pains to be familiar with internet security and can even do some html, perl, asp and some other crazy thing; maybe Java Script; I forget; I've been outside in the heat so I'm not sure right now!
Compmd:
On consideration, you are 100% correct!
I better go check my grounding rods and such!
And those demented Albanian dwarves!
Pesky critters!
I have more trouble with the Russkies though, who keep after that “other site”, trying to sell penis enlargement and “replica” watches!
And you folks out there discounting Muslims………….
……….ya better not; one of the best internet pirates I know is a guy named Ali!
I keep the Chinese off my back by using a couple of their servers and they will not screw with the money!
;)
Russians are nuts and they don't care!
The Russians are really the best though and there is much to be learned from them and they are not shy about imparting info to the novice, oddly enough.
I have like nine SSLs and I don't know how much I have spent buying Norton and XP for the boxes but I could have bought a nice used car, I'm sure!
If they could get into the Fair site, they can get into any other county or City site without too much sweat and ID theft (which is what it is all about anyway!) is pretty spooky; that's why they do the port scanning, etc.
Heck, just for grins I ran an email address scanning program the other day and picked up over 2000 addresses from Larryville, I don't know how many from the LJW but was quite pleased to find that I could not get ANY out of RCT!
Folks need to be aware of the dangers of the net!
The net is very much like a voluptuous psychopathic woman……the best you will ever find but she will turn into a Praying Mantis and kill you when she is finished with you!
Be aware!
Thanks.
Marion.
6 August 2006
at 3:33 p.m.
Sigmund (Anonymous) says…
pico? no self respecting script-kiddie would use pico!
[root@iDontThinkSo ~]# ssh -vvv dgcountyfair.com
OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to dgcountyfair.com [69.56.139.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2
Really kind of an old version of SSH don't you think? 10 to 1 odds this is how they got in.
6 August 2006
at 3:58 p.m.
Sigmund (Anonymous) says…
Oh and 20 to 1 it has a rootkit. They had better do a complete reinstall.
6 August 2006
at 4:24 p.m.
compmd (Anonymous) says…
For the record, I use my powers for good.
“my suspicion is that someone's /etc/passwd, /etc/shadow and /etc/group file is now on a system not in Texas.”
eh, maybe, but probably not.
“there's a new account in the root group that shouldn't be there. ”
possibly, but there is no legal means of determining that.
“Really kind of an old version of SSH don't you think? 10 to 1 odds this is how they got in.”
Yes to the first, quite possibly to the second.
“Oh and 20 to 1 it has a rootkit. They had better do a complete reinstall.”
I would bet with those odds.
I'm still surprised nobody took note of this: 6666/tcp open melange Melange Chat Server 1.10
What is the most common use of an irc server on a machine that is known to have been exploited on a network known for lax security? Botnet controller. Who wants to take bets on that?
6 August 2006
at 4:26 p.m.
Marion (Marion Lynn) says…
rightthinker: a cavity search on “Observer”?
Whatever are you thinking?
Thanks.
Marion.
6 August 2006
at 4:29 p.m.
Marion (Marion Lynn) says…
By the way, my earlier deleted post contained but a comment about the lack of security on the website.
jeeeeeeeez!
Thanks.
Marion.
6 August 2006
at 4:36 p.m.
Sigmund (Anonymous) says…
If I had to guess it is sharing Warez and MP3's, providing a bot for denial of service, and spreading spam. Yeah I can't imagine the chat server either but I was extra suspicious of everything above 4660..
4660/tcp filtered mosmig
4672/tcp filtered rfa
6346/tcp filtered gnutella
6666/tcp open melange Melange Chat Server 1.10
6699/tcp filtered napster
Now that you mention it though Melange is “open” … duh!
6 August 2006
at 4:48 p.m.
Sigmund (Anonymous) says…
Should have said I can't imagine the chat server (or any service above 4660) as a “legitimate” service for the Douglas County Fair. I came to this thread late, sorry.
6 August 2006
at 4:58 p.m.
compmd (Anonymous) says…
Don't worry about the filtered ports. Since this is owned by a hosting company those ports are likely filtered by the default firewall rules.
Also, since a few knowledgeable folks seem to have been drawn out, riddle me this: do you see anything odd about mysql on that box? :)
6 August 2006
at 5:08 p.m.
compmd (Anonymous) says…
The server in question is actually hosting a few websites in addition to dgcountyfair.com, so that should make a lot more stuff make sense now. ThePlanet is a general purpose hosting company.
Remember, there is a big difference between a closed tcp port and a filtered one.
6 August 2006
at 5:11 p.m.
Marion (Marion Lynn) says…
Well, for whatever it is worth, anyone who “spams”; that is, sends Unsolicited Commercial Email via stolen boxes is an idiot and will most likely get what they deserve.
The sending of UCE is NOT illegal; the methods are just controlled.
Anyone who infects another's box or website should be shot at dawn as far as I am concerned.
As has been said, a good firewall will prevent infection.
Thanks.
Marion.
6 August 2006
at 5:21 p.m.
compmd (Anonymous) says…
“anyone who “spams”; that is, sends Unsolicited Commercial Email via stolen boxes is an idiot and …Anyone who infects another's box or website should be shot at dawn as far as I am concerned.”
Amen to that, Marion!
6 August 2006
at 5:32 p.m.
Sigmund (Anonymous) says…
Assuming the database (MYSQL) is only there for the webserver (APACHE) and given that they are running on the same machine, there is not a reason to have it accepting connections from the cloud.
3306/tcp open mysql MySQL 4.1.20-standard
I wonder if the County, or the City for that matter, ever has had a really good security audit. No matter how good or bad the IT department is, a second set of eyes never hurts. Given the relative sophistication of the Lawrence Community in this area they could probably get a good scan with areas to focus on and possible resolutions for little or no taxpayer dollars.
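Sigmund's point about MySQL listening on a public interface, and compmd's earlier distinction between a closed and a filtered port, can be turned into a small self-audit for a host you administer. The following is an added example, not code from the thread or from anyone posting in it: it parses a constructed nmap-style service listing modelled on the port lines quoted above, reads the OpenSSH version from the ssh -vvv banner line Sigmund pasted, and applies an assumed policy (which services may be public, which must stay on localhost, and the oldest OpenSSH release tolerated) to produce a list of findings.

```python
import re

# Constructed sample scan, modelled on the port lines quoted in this thread.
SCAN_OUTPUT = """\
22/tcp   open     ssh      OpenSSH 3.6.1p2
80/tcp   open     http     Apache httpd
3306/tcp open     mysql    MySQL 4.1.20-standard
4660/tcp filtered mosmig
6346/tcp filtered gnutella
6666/tcp open     melange  Melange Chat Server 1.10
6699/tcp filtered napster
"""
# The ssh -vvv line quoted in the thread (the server's version banner).
SSH_BANNER = "debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2"

# Policy (assumed for illustration): services a single-purpose web host may
# expose, services that must stay on localhost, oldest tolerated OpenSSH.
EXPECTED_PUBLIC = {"ssh", "http", "https"}
LOCAL_ONLY = {"mysql"}
MIN_OPENSSH = (4, 3)

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)(?:\s+(.*))?$")

def parse_scan(text):
    """Return (port, state, service, version) tuples from nmap-style lines."""
    rows = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(3), m.group(4),
                         (m.group(5) or "").strip()))
    return rows

def audit_ports(rows):
    """Flag open ports that break the policy.  Filtered ports are not findings:
    a firewall answering 'filtered' is the desired state, unlike 'closed',
    where the host itself is reachable and merely refusing the connection."""
    findings = []
    for port, state, service, version in rows:
        if state != "open":
            continue
        if service in LOCAL_ONLY:
            findings.append(f"{port}/tcp {service}: should listen on localhost only ({version})")
        elif service not in EXPECTED_PUBLIC:
            findings.append(f"{port}/tcp {service}: unexpected public service ({version})")
    return findings

def openssh_version(banner):
    """Extract (major, minor) from an OpenSSH_x.y banner, or None."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit_ssh(banner):
    """Return a finding if the server's OpenSSH is below the cut-off, else None."""
    ver = openssh_version(banner)
    if ver is None:
        return "ssh: could not read an OpenSSH version from the banner"
    if ver < MIN_OPENSSH:
        return (f"ssh: OpenSSH {ver[0]}.{ver[1]} is older than "
                f"{MIN_OPENSSH[0]}.{MIN_OPENSSH[1]}; patch this first")
    return None

def run_audit(scan_text=SCAN_OUTPUT, banner=SSH_BANNER):
    """Combine both checks into one ordered list of findings."""
    findings = audit_ports(parse_scan(scan_text))
    ssh_finding = audit_ssh(banner)
    if ssh_finding:
        findings.insert(0, ssh_finding)
    return findings

if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the constructed sample this reports three findings: the old OpenSSH, MySQL reachable from outside, and the chat server on 6666; the filtered ports are deliberately silent.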
6 August 2006
at 5:52 p.m.
compmd (Anonymous) says…
Excellent Sigmund! You are correct. There is no good reason for mysql to be accepting connections from anyone other than localhost.
I don't know anything about the county's network, and my familiarity with the city network is limited. They both should be doing pen testing.
6 August 2006
at 6:22 p.m.
Marion (Marion Lynn) says…
compmd:
Now do not get me wrong here; I do not believe that the sending of harmless UCE is bad as long as that UCE contains no Trojans; etc.
All you have to do is hit “Delete” or ignore it and it will fall off your board in a few days.
I believe that legitimate and harmless UCE is much like junk snail mail:
Open it or throw it away.
Commercial email is the way that things will be from here on out so we'd better get accustomed to it.
Commerce is moving to the 'net and anyone who does not, unless they have a permanent niche market, will go broke.
Thanks.
Marion.
6 August 2006
at 7 p.m.
dstavin (Anonymous) says…
Do any of you frequent posters have your own Web sites? Just wondering if your uncensored opinions are publicly available elsewhere online.
6 August 2006
at 7:02 p.m.
dstavin (Anonymous) says…
And no, I'm not a hacker ! :-)
6 August 2006
at 7:07 p.m.
Marion (Marion Lynn) says…
dstavin:
You gottabetheonlyguy in town who does not know that I run:
RiverCityTalk.com
Thanks.
Marion.
6 August 2006
at 8:04 p.m.
Marion (Marion Lynn) says…
holygrailale wrote:
“Marion:
you run RiverCityTalk?????
you lied to me!!!!!
(skillet upside the head)”
Marion writes:
What in the world are you talking about?
I thought that everyone hereabouts knew that I am the Dreaded ADMIN of RCT?
I have NEVER denied that and in fact promote the site every chance I get.
What in the world are you talking about?
ForChrissakes, my PIC is on every post and it is the one that I stole from the LJW “On The Street” thingy!
Thanks.
Marion.
6 August 2006
at 8:05 p.m.
Marion (Marion Lynn) says…
Ooops.
I think I've just been had.
;)
Thanks.
Marion.
6 August 2006
at 8:12 p.m.
Sigmund (Anonymous) says…
Well, you lied to me! ~ Ray Kinsella. 'Field of Dreams'
I have a slightly different opinion of where this attack came from, but would not bet money on it. Because the defacement and the Douglas County Fair were on the same weekend, the timing suggests to me the person responsible is in the area. I distrust coincidence.
I would love to get legal access to that machine and do the forensics on it. Oftentimes script kiddies' scripts are flawed and don't quite cover their trails. And generally the author of a script is far more skilled than the person who merely executed it.
6 August 2006
at 8:38 p.m.
compmd (Anonymous) says…
oh man, holygrailale, I know Dave Nordlund, Mark Nace, and Craig Paul. I just exchanged some emails with Dave not too long ago. And Craig asked me to be nice on the KU network a few years back. Same timeframe I met Mark. :) I'm old school myself, but clearly there was more to the story, so scanning was naturally the next step.
Sigmund, if you're after forensic analysis of hacks like this, I have plenty of material. One of my servers was fielding as many as 10,000 attacks per day for a while. Message me and I'll send you some of the lovely perl and php that is commonly used, including one that uses google to find its targets. A quick (potential) explanation for the coincidental timing could be explained if there was a timeframe parameter included.
6 August 2006
at 9:15 p.m.
hottruckinmama (Anonymous) says…
holy cow. looks like you all had quite a tussle tonight. that's got to be some kind of a record of deleted posts even for you rightthinker.
i don't know what was posted but i sure can't figure out ljw. the other night there were a couple of really rude comments about the poor lady that got killed at baldwin junction. but they left them alone. i bet whatever was written here couldn't have been half that bad. go figure i guess.
6 August 2006
at 9:53 p.m.
oldgranny (Anonymous) says…
One thing Rightthinker is right about. He says you don't know the meaning of the word “nut case” until you go to Texas. It's true. I had the misfortune to live there for several years. Remember the old commercials for Texas tourism that went something like “Texas. A whole other Country”? Ha. They weren't kiddin'. Give me Kansas any day.
6 August 2006
at 10:05 p.m.
oldgranny (Anonymous) says…
You are right on the mark observer. And the disgrace that is in the White House is the worst kind..not even a true Texan or a cowboy..but a want-to-be.
7 August 2006
at 1:26 a.m.
Multidisciplinary (Anonymous) says…
holygrailale…ok…have to know…tell me your connections with above mentioned men. Not going to name those in particular, but holy crap, this town is gettin smaller by the minute. And one has one of my computers, with WAY too much information on it. LOL.
Oh, this is too weird.
roflmao..ps the info on all goes the same way LOL.
7 August 2006
at 8:47 a.m.
KSChick1 (Anonymous) says…
so are we just suggesting removal randomly or what the hell was in those posts?
I called the urinal world Sat. AM and reported the DG co fair website had been hacked because when I clicked on the little piggy in their ad on the front page of ljworld.com, it came up Don't War and an email address
of course the yahoo answering the phone got all confused and said it was not their website that got hacked, it was the DG co fair website
?!?huh?!?! isn't that what I said?
thanks for being so on top of it!
LOL
8 August 2006
at 10:46 p.m.
Multidisciplinary (Anonymous) says…
Thanks. That made me feel a LOT better.:)
Damn. Well, dating can have its unintentional repercussions, can't it?
Nothing I can do about it now.
9 August 2006
at 1:40 a.m.
kansasjhawk (Anonymous) says…
My God, my people give it a rest!…who cares anymore!