Archive for Sunday, August 6, 2006

Hackers infiltrate Web site

August 6, 2006


The main Web site for the Douglas County Fair looked a little different Saturday.

Hackers claiming ties with an activist Turkish Muslim computer-hacking community used the home page of the fair's Web site, dgcountyfair.com, as a billboard over the weekend.

The message: "Dont (sic) War!"

"The timing of it could have been better," said county fair board member Tara Flory.

The fair's events wrap up today.

A hacker posting as "Crackers_Child" posted the message along with contact information at a Web site called sibersavascilar.com.

The Web site links to activists in Turkey and on several pages explains in detail how to hack different kinds of Web sites.

Another page on the site displays anti-Israeli propaganda alongside Muslim imagery.

Several other Web sites hacked by sibersavascilar.com members display political and religious messages, including anti-U.S. and pro-Islam slogans.

"It's called 'hacktivism'," said William "Chuck" Easttom, of the Texas-based Chuck Easttom Consulting. "And it's becoming fairly common."

Easttom, an author and expert on computer hacking, said that groups who have a political message to convey often hack into the home pages of certain Web sites to make a point. For example, he said, if someone wants to hack into the U.S. Army Web site, they typically attack the recruitment home page rather than internal army sites.

Then, Easttom said, hackers tag a Web site with a message - much like the county fair site.

"Tagging a Web site is the most common kind of hacking," he said.

But the hackers who attacked the fair site seemingly post at random, choosing Web sites promoting various things from all over the world.

"The randomness tells me one thing," Easttom said. "This is some kid. This is not a serious hacker."

And, Easttom said, these kinds of hacks are typically harmless, as most Web sites holding sensitive information - banking records, medical histories - have plenty of security to protect them.

Flory said her brother, Trent Flory, was already working to repair the site, and that the hacking incident wasn't a big deal.

"Hackers get in there," she said.

Comments

Christine Pennewell Davis 8 years, 12 months ago

Why is it, if we have freedom of speech, a local paper can censor your thoughts and opinions on a public site?

fletch 8 years, 12 months ago

Hmmmm, who would hit the Douglas County Fair website with anti-war messages? Gee, could it be those wacky kids at Solidarity?

International political hackers don't go after sites like this. They go after targets they know will be effective avenues for distributing their message. Going after the DougCo Fair website would be like going out hunting for deer and deciding to shoot a squirrel instead. It's too easy and it's not worth the time and effort. This was somebody local, which narrows down the suspect list. Specifically, it narrows it down to Solidarity.

badger 8 years, 12 months ago

Yeah, this definitely has 'script-kiddie' written all over it in big, badly spelled writing.

Pfui.

ksmattfish 8 years, 12 months ago

"Why is it, if we have freedom of speech, a local paper can censor your thoughts and opinions on a public site?"

Why would you ever think a website run and maintained by a private business would be public? The LJW is owned by individuals, not the city at large. How does controlling content on a website constitute censoring thought?

compmd 8 years, 12 months ago

The record needs to be set straight.

Website defacement is not the action of a hacker, it is the action of a script kiddie. These are people who are just skilled enough to be dangerous. To deface a website one does not need root, just the same privilege level as the web server, in this case, Apache. To truly hack a machine, obtain the passwd file or shadow file and crack them. However, Apache may be running as root, in which case the server got 0wn3d. By examining this machine, I have deduced that the system administrator for it is an idiot. holygrailale brought up ssh, and that's a great remote access solution, unless the version you are running is way out of date and subject to a buffer overflow attack permitting the attacker to run arbitrary system commands. The most likely scenario is that an outdated Apache or OpenSSH was exploited. Given my cursory investigation, it seems the attacker did root the box or created a user account, and the administrator likely doesn't know it and doesn't know how I know it. Ironically, the server hosting dgcountyfair.com is doing something far more nefarious that wasn't mentioned in this article.

I hope some law enforcement folks drop me a line. It's been too long since I've worked with them.

ThePlanet is known for having terribly unsecured servers, I deal with php/mysql attacks and ssh brute force attempts coming from their machines all the time.

Please let me know if you have any questions, and to the county fair staff, please let me know if you would like to have a more secure site.

compmd 8 years, 12 months ago

holygrailale:

You seem to be familiar with a portscanner, which means you've already seen the bigger problem. The answer to your question was not in my post. I think you should keep in mind the idea that many innocuous things can be used destructively.

niles:

I hate to burst your bubble, but it's the American kids that don't do this (as much). Chinese and Muslim hacking teams are the most prolific. Why? Because they have a message to send. Also, unlike American kiddies, they have no fear of punishment.

compmd 8 years, 12 months ago

For those wondering how defacements are carried out and how the attacker might have chosen the douglas county fair, allow me to introduce you to the average "hacking team".

There are several Muslim hacking teams in existence. I am intimately familiar with one team based in Albania that has tried to take out one of my company servers for months. The attacks are not the result of some guy sitting down saying, "Crafty Kansans! I'm gonna get them!" It's a script using Google to find sites running particular content managers, default configurations, or outdated services, and then automatically attacking them. The team in this case doesn't care who they hit, just as long as their message is spread.

This is how most operate.

Disclaimer: I'm not saying for certain this is what happened. This is simply a theory based on extensive experience.

compmd 8 years, 12 months ago

Well said holygrailale. I'm rather fond of zone-h. I also like insecure.org a lot. Security is everyone's responsibility.

By the way, did you figure out what about that server is bothering me so much? I believe it is still in a compromised state. Just because the sites are up doesn't mean it still isn't 0wnz0r3d.

Sigmund 8 years, 12 months ago

pico? no self respecting script-kiddie would use pico!

[root@iDontThinkSo ~]# ssh -vvv dgcountyfair.com
OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to dgcountyfair.com [69.56.139.2] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.6.1p2

Really kind of an old version of SSH, don't you think? 10 to 1 odds this is how they got in.

Sigmund 8 years, 12 months ago

Oh and 20 to 1 it has a rootkit. They had better do a complete reinstall.

compmd 8 years, 12 months ago

For the record, I use my powers for good.

"my suspicion is that someone's /etc/passwd, /etc/shadow and /etc/group file is now on a system not in Texas."

eh, maybe, but probably not.

"there's a new account in the root group that shouldn't be there. "

possibly, but there is no legal means of determining that.

"Really kind of an old version of SSH don't you think? 10 to 1 odds this is how they got in."

Yes to the first, quite possibly to the second.

"Oh and 20 to 1 it has a rootkit. They had better do a complete reinstall."

I would bet with those odds.

I'm still surprised nobody took note of this: 6666/tcp open melange Melange Chat Server 1.10

What is the most common use of an IRC server on a machine that is known to have been exploited, on a network known for lax security? Botnet controller. Who wants to take bets on that?

Sigmund 8 years, 12 months ago

If I had to guess it is sharing warez and MP3s, providing a bot for denial of service, and spreading spam. Yeah, I can't imagine the chat server either, but I was extra suspicious of everything above 4660.

4660/tcp filtered mosmig
4672/tcp filtered rfa
6346/tcp filtered gnutella
6666/tcp open melange Melange Chat Server 1.10
6699/tcp filtered napster

Now that you mention it though, Melange is "open" ... duh!

Sigmund 8 years, 12 months ago

Should have said I can't imagine the chat server (or any service above 4660) as a "legitimate" service for the Douglas County Fair. I came to this thread late, sorry.

compmd 8 years, 12 months ago

Don't worry about the filtered ports. Since this is owned by a hosting company, those ports are likely filtered by the default firewall rules.

Also, since a few knowledgeable folks seem to have been drawn out, riddle me this: do you see anything odd about mysql on that box? :)

compmd 8 years, 12 months ago

The server in question is actually hosting a few websites in addition to dgcountyfair.com, so that should make a lot more stuff make sense now. ThePlanet is a general purpose hosting company.

Remember, there is a big difference between a closed tcp port and a filtered one.

compmd 8 years, 12 months ago

"anyone who "spams"; that is, sends Unsolicited Commercial Email via stolen boxes is an idiot and ... Anyone who infects another's box or website should be shot at dawn as far as I am concerned."

Amen to that, Marion!

Sigmund 8 years, 12 months ago

Assuming the database (MySQL) is only there for the webserver (Apache), and given that they are running on the same machine, there is no reason to have it accepting connections from the cloud.

3306/tcp open mysql MySQL 4.1.20-standard

I wonder if the County, or the City for that matter, ever has had a really good security audit. No matter how good or bad the IT department is, a second set of eyes never hurts. Given the relative sophistication of the Lawrence Community in this area they could probably get a good scan with areas to focus on and possible resolutions for little or no taxpayer dollars.

compmd 8 years, 12 months ago

Excellent Sigmund! You are correct. There is no good reason for mysql to be accepting connections from anyone other than localhost.

I don't know anything about the county's network, and my familiarity with the city network is limited. They both should be doing pen testing.
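As an added example (not code from the article, the thread, or the server discussed), a short Python audit that applies the points made in this exchange to nmap-style service lines: it flags a MySQL listener that should only be bound to localhost, flags an OpenSSH banner older than an assumed version floor, and treats filtered ports as unproven rather than closed. The sample lines are constructed to mirror the services quoted in the thread; the localhost-only service set and the OpenSSH floor are assumptions.

```python
"""Audit constructed nmap-style scan lines for three points raised in the
thread: a MySQL listener reachable from outside, an out-of-date OpenSSH, and
filtered (firewalled) ports versus genuinely closed ones."""
import re

# Constructed sample in nmap's output format; the services mirror those quoted
# in the thread plus one closed port for contrast.
SCAN_LINES = """\
22/tcp   open     ssh        OpenSSH 3.6.1p2
3306/tcp open     mysql      MySQL 4.1.20-standard
4660/tcp filtered mosmig
6346/tcp filtered gnutella
6666/tcp open     melange    Melange Chat Server 1.10
8080/tcp closed   http-proxy
""".splitlines()

LOCAL_ONLY = {"mysql"}      # assumed policy: a co-located database stays on 127.0.0.1
MIN_OPENSSH = (4, 3)        # assumed floor for this audit; anything older is flagged
LINE_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|closed|filtered)"
    r"\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$")

def parse_scan(lines):
    """Turn nmap-style service lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def openssh_version(banner):
    """(major, minor) from 'OpenSSH_3.6.1p2' (ssh -vvv form) or 'OpenSSH 3.6.1p2' (nmap form)."""
    m = re.search(r"OpenSSH[_ ](\d+)\.(\d+)", banner or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit(lines):
    """Return (severity, message) pairs: 'high' needs fixing, 'info' is context."""
    findings = []
    for e in parse_scan(lines):
        where = f"{e['port']}/{e['proto']} {e['service']}"
        if e["state"] == "filtered":
            # A firewall dropped the probe: this says nothing about whether the service runs.
            findings.append(("info", f"{where}: filtered upstream, not proven closed"))
        elif e["state"] == "open" and e["service"] in LOCAL_ONLY:
            findings.append(("high", f"{where}: reachable remotely, should bind to 127.0.0.1"))
        elif e["state"] == "open" and e["service"] == "ssh":
            v = openssh_version(e["version"])
            if v and v < MIN_OPENSSH:
                floor = ".".join(map(str, MIN_OPENSSH))
                findings.append(("high", f"{where}: OpenSSH {v[0]}.{v[1]} is older than the {floor} floor"))
    return findings

if __name__ == "__main__":
    for sev, msg in audit(SCAN_LINES):
        print(f"[{sev}] {msg}")
```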

Deb Stavin 8 years, 12 months ago

Do any of you frequent posters have your own Web sites? Just wondering if your uncensored opinions are publicly available elsewhere online.

Sigmund 8 years, 12 months ago

Well, you lied to me! ~ Ray Kinsella. 'Field of Dreams'

I have a slightly different opinion of where this attack came from, but would not bet money on it. Because the defacement and the Douglas County Fair were on the same weekend, the timing suggests to me the person responsible is in the area. I distrust coincidence.

I would love to get legal access to that machine and do the forensics on it. Oftentimes script kiddies' scripts are flawed and don't quite cover their trails. And generally the author of a script is far more skilled than the person who merely executed it.

compmd 8 years, 12 months ago

oh man, holygrailale, I know Dave Nordlund, Mark Nace, and Craig Paul. I just exchanged some emails with Dave not too long ago. And Craig asked me to be nice on the KU network a few years back. Same timeframe I met Mark. :) I'm old school myself, but clearly there was more to the story, so scanning was naturally the next step.

Sigmund, if you're after forensic analysis of hacks like this, I have plenty of material. One of my servers was fielding as many as 10,000 attacks per day for a while. Message me and I'll send you some of the lovely Perl and PHP that is commonly used, including one that uses Google to find its targets. A quick (potential) explanation for the coincidental timing: there may have been a timeframe parameter included.

hottruckinmama 8 years, 12 months ago

holy cow. looks like you all had quite a tussle tonight. that's got to be some kind of a record for deleted posts even for you rightthinker. i don't know what was posted but i sure can't figure out ljw. the other night there were a couple of really rude comments about the poor lady that got killed at baldwin junction. but they left them alone. i bet whatever was written here couldn't have been half that bad. go figure i guess.

oldgranny 8 years, 12 months ago

One thing Rightthinker is right about. He says you don't know the meaning of the word "nut case" until you go to Texas. It's true. I had the misfortune to live there for several years. Remember the old commercials for Texas tourism that went something like "Texas. A whole other Country"? Ha. They weren't kiddin'. Give me Kansas any day.

oldgranny 8 years, 12 months ago

You are right on the mark, observer. And the disgrace that is in the White House is the worst kind ... not even a true Texan or a cowboy ... but a want-to-be.

KSChick1 8 years, 12 months ago

so are we just suggesting removal randomly or what the hell was in those posts?

I called the urinal world Sat. AM and reported the DG co fair website had been hacked because when I clicked on the little piggy in their ad on the front page of ljworld.com, it came up Don't War and an email address

of course the yahoo answering the phone got all confused and said it was not their website that got hacked, it was the DG co fair website

?!?huh?!?! isn't that what I said?

thanks for being so on top of it!

LOL

kansasjhawk 8 years, 12 months ago

My God, my people, give it a rest! ... Who cares anymore!
