A group of hackers attacked and took offline several
sites belonging to credit-card sharing groups, security experts and other hacking communities who made mistakes in basic security.
Administrators of six Websites woke up Christmas morning
to discover their sites had been hacked, according to an online newsletter
published by the hackers themselves on Dec. 25.
In the second issue of "Owned and Exposed," the attackers
listed carders.cc, ettercap, exploit-db, backtrack, inj3ct0r, and free-hack. While
free-hack was taken down for being "lame script kiddies," the other sites had
criminal ties or were security experts who "fail so hard at security that we
wonder why people really take their training courses," according to the e-zine.
Mati Aharoni, the administrator of exploit-db
security-oriented site that catalogs known exploits and vulnerabilities,
admitted to being compromised in a blog post, but said that it was limited.
"Other than our egos, the damage is not severe," Aharoni wrote. The hackers had
posted a copy of the Owned
and Exposed newsletter
on the exploit-db's "papers" section.
After compromising exploit-db, the hackers looked at
backtrack-linux.org, as both sites share a subnet and administrator. It turned
out the same root account and password was used for all Web scripts, WordPress
installations and MySQL database on backtrack. "No wonder why it was super
easy to get a shell," the group wrote. Exploit-db and backtrack-linux was not
As for criminals, the vigilante group went after
carders.cc, a German online forum dedicated to helping criminals trade and sell
stolen financial data. The group shut down the site as part of its inaugural
issue in May, writing, "Carders is a marketplace full of everything that is illegal
and bad," including drugs, weapons and stolen credit card numbers.
After the first attack, the site was offline "for a few
days, but came back as if nothing had happened," with new administrators, new
software and a number of functions disabled, according to the e-zine. The
newsletter didn't detail exactly how the hackers got access to the system, but
noted that it's "hard to harden a system when everything is backdoored."
Once they had access to the box, the group was able to
list all the files on the server, view PHP scripts and access the
configuration files for the MySQL database and WordPress blog. One of the
scripts appears to perform a denial-of-service attack when executed. After
accessing the database and WordPress blogging platform, the attackers deleted
everything from the servers.
Despite claims of taking down (or rm-ed in hacker-speak) the
criminal forum, it appears that Carders is back up, three days later.
Another compromised site, inj3ct0r, claimed to have
hacked Facebook servers in November. Their boasting "was driving us insane" and
their moaning about resulting legal problems "was just too ridiculous for us to
let them continue existing," reads the newsletter.
It appears inj3ct0r were sharing stolen credit card
numbers on file trading site RapidShare and the private messages show they were
hacking exploit-db and other sites. According to the newsletter, the inj3ct0r
servers were missing some critical updates with some software in a half-updated
Another target, Ettercap, was the SourceForge page
hosting the message boards and files for a "white hat" penetration testing
tool. While useful for performing man-in-the-middle attacks, the tool has been
unmaintained for five years, and the group found evidence the site had already
been compromised by someone else. The group warned against downloading anything
from the compromised site.
There is a very important lesson for system
administrators and security teams in these hacks, according to Chester
, a senior security advisor at Sophos. "Nearly all" the victims
had "lapsed" on some security fundamentals, and were exposed through "one
little chink in the armor," Wisniewski wrote.
This was evident during Gawker's massive server compromise
as the company's administrators had been behind critical server patches
and upgrades as well as using the same username and password across
It's very tempting to use
administrator accounts for database and filesystem maintenance, but the e-zine
illustrated how dangerous the practice could be, according to Wisniewski.The attackers are "watchmen, the hackers who quietly
observe the scene," according to the newsletter. They denied being an
"underground rival kiddy group" or a "cyber mafia gang." The goal was to shut
down sites that "spread garbage" across the Internet, the group wrote.