Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: bd476

Here's one more of interest that appeared after Bush was reelected.

http://scatoday.net/node/view/3111

East Kingdom web site defaced by protest group
Submitted by Justin on Thu, 2004/11/11 - 16:20. East | Modern Society | SCAtoday.net

Political protesters temporarily defaced the home page of the SCA's East Kingdom earlier today, replacing it with a page of their own creation.

A group of self-proclaimed "cyberterrorists" calling themselves the "Infektion Group" [sic] replaced the home pages of over 100 sites on the same server as the East Kingdom site with their own page protesting the U.S. election results. The defaced page read:
___________________________________________________________
Infektion Group Owned You

CYBER-TERRORISM

The war of the lier Bush feeds the hate
each day grows more and more!

dominusvis@click21.com.br
_________________________________________________________

Below the text was a photographic image of the Brazilian flag. The word "owned" is a term used in hacker and cracker circles to indicate that a site's security has been compromised. Misspelled words, such as "liar" and "infection" in the above, are often intentionally part of so-called "hacker-speak" or "L337-speak" (pronounced elite-speak), a way to present an edgy image. The misspellings may also be due to the page having been created, apparently, by Brazilians, whose native language would most likely be Portuguese.

The click21.com.br domain belongs to a Brazilian company located in Rio de Janeiro, though of course there is no proof that the company knew anything about the attack, since anyone could have put that email address into a web page.

Robin Gallowglass, the East Kingdom Web Minister, says the attackers struck at about 12:53 a.m. US Eastern time, and that he first learned of the attack at about 8:00 a.m. "I was able," he says, "along with my fellow system administrators, to identify the vulnerability that was exploited and plug the hole. The defaced index pages were replaced from backups by approximately 9:30 a.m." Gallowglass says extensive backup precautions saved the day, and that he has an automated backup process that makes archival copies of the web page multiple times per day.

Gallowglass says that an unfortunate default setting in the security of the PHP web programming language was to blame. The PHP software itself had not failed, but the incorrect setting "allowed a file name for an included file to be either a path to a file on the local file system or a remote URL. This allowed the attackers to inject malicious PHP code that allowed them access to all the websites on the server." This sort of remote scripting exploit can happen in many web programming languages, and has been reported in numerous cases for both Linux and Microsoft web servers. In the case of this particular server, it was a Linux machine that was affected. The equivalent Microsoft technology, Active Server Pages (ASP), has been subject to the same kind of error in the past.

Gallowglass says that the server administrators are careful about security, and blames poor documentation for the fact that this vulnerability "was missed in our periodic security audits." The vulnerable default setting has been changed, and Gallowglass and his colleagues took advantage of the server downtime to upgrade the Apache web server and the PHP programming language to their most recent security patch levels.

Computer security experts say that security is never perfect, in spite of a system owner's best efforts, and that off-site backups of important data are an essential part of site management because these are isolated geographically from the compromised system. In this incident, those off-site backups allowed fast recovery.


20 posted on 02/04/2005 1:42:51 AM PST by NativeTexun ("If you don't live in Texas, you don't live in the United States.")
[ Post Reply | Private Reply | To 17 | View Replies ]
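
Added example, not part of the post above or of the quoted article: a small Python audit for the condition the article describes, where an included file name may be a remote URL. It assumes the setting is one of PHP's real `allow_url_fopen` / `allow_url_include` directives (the article does not name it); the `php_version` parameter, the sample php.ini and the sample `index.php` are constructed for illustration.

```python
import re

# Real php.ini directives with PHP's built-in defaults. The article does not
# name the setting involved; checking these two is an assumption of this example.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
ON_VALUES = {"1", "on", "true", "yes"}
INI_LINE = re.compile(r'^\s*([A-Za-z_.]+)\s*=\s*"?([^";]*)')
INCLUDE = re.compile(r"\b(?:include|require)(?:_once)?\b\s*\(?([^;]*);", re.I)


def effective_settings(ini_text):
    """Apply php.ini text over the defaults; ';' comment lines never match."""
    settings = dict(DEFAULTS)
    for line in ini_text.splitlines():
        m = INI_LINE.match(line)
        if m and m.group(1).lower() in settings:
            settings[m.group(1).lower()] = m.group(2).strip().lower() in ON_VALUES
    return settings


def remote_include_enabled(settings, php_version):
    """Before PHP 5.2 allow_url_fopen alone let include() take a URL;
    from 5.2 on, allow_url_include must be enabled as well."""
    if php_version < (5, 2):
        return settings["allow_url_fopen"]
    return settings["allow_url_fopen"] and settings["allow_url_include"]


def dynamic_includes(php_source):
    """Heuristic: flag include/require statements whose argument has a variable."""
    return [(n, line.strip())
            for n, line in enumerate(php_source.splitlines(), 1)
            if (m := INCLUDE.search(line)) and "$" in m.group(1)]


def audit(ini_text, php_version, files):
    """Return (remote_enabled, findings) for a dict of {filename: source}."""
    remote = remote_include_enabled(effective_settings(ini_text), php_version)
    findings = [(name, n, "remote+local" if remote else "local", code)
                for name, src in sorted(files.items())
                for n, code in dynamic_includes(src)]
    return remote, findings


# Constructed sample input (not taken from the affected server).
SAMPLE_INI = "; constructed php.ini\nallow_url_fopen = On\n;allow_url_include = On\n"
SAMPLE_FILES = {"index.php": "<?php\n$page = $_GET['page'];\n"
                             "include($page . '.php');\nrequire_once 'lib/db.php';\n"}

if __name__ == "__main__":
    for version in ((4, 3), (5, 6)):
        print(version, audit(SAMPLE_INI, version, SAMPLE_FILES))
```

A "local" finding still deserves review: a variable in an include path is a local file inclusion risk even when URL includes are disabled.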


To: NativeTexun
NativeTexun, thank you for posting the informative background material on those cyber fiends.

Here's what I found on Zone H, Internet Thermometer, Digital Attacks Archive.

"Attacked by In f e k tion Gr o up: 20680 of which 2257 are single IP and 18423 mass defacements"

The group In f e k tion Gr o up began cracking into websites on January 16, 2005.

The 20,680 illegal website intrusions have occurred since then. There is a list 30 pages long of sites which that group has hacked into, and it appears that most if not all sites use Linux OS.

21 posted on 02/04/2005 2:12:05 AM PST by bd476 (God Bless those in harm's way and bring peace to those who have lost loved ones today.)
[ Post Reply | Private Reply | To 20 | View Replies ]
