We Suspect That Someone Paid dz.z3ro To Hack Our Clients Servers
By: Rev Sale
2010-08-22 18:38:19
In the very early hours of Saturday, 21 August 2010, several dedicated servers related to one client were hacked.

For starters, there was an avoidable vulnerability that was exploited. The servers were newly implemented and did not have cpHulkd enabled. This is the "brute force manager" that locks you out after several failed attempts to log into WHM (WebHost Manager). Repeated failed attempts from an IP result in that IP being blacklisted. If you're running Apache servers this should be a default.
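
To make the lockout rule concrete, here is an added example (written for this page, not cPanel's cpHulk code and not anything taken from the author's servers) that applies a sliding-window failure threshold to login log lines. The log format, the sample addresses (RFC 5737 documentation ranges) and the thresholds are all constructed assumptions; the point is what a brute-force manager has to count, and what a naive window misses.

```python
"""Threshold-based brute-force detection in the spirit of the cpHulk behaviour
described above. Added example: the log format below is constructed for the
demo and is NOT cPanel's real format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample lines. Assumed shape: "<timestamp> <OK|FAILED> login for <user> from <ip>".
# 192.0.2.10 hammers the login and then gets in; 198.51.100.7 spreads its attempts out.
SAMPLE_LOG = """\
2010-08-21 02:14:01 FAILED login for root from 192.0.2.10
2010-08-21 02:14:03 FAILED login for root from 192.0.2.10
2010-08-21 02:14:04 FAILED login for root from 192.0.2.10
2010-08-21 02:14:06 FAILED login for admin from 192.0.2.10
2010-08-21 02:14:07 FAILED login for root from 192.0.2.10
2010-08-21 02:14:09 OK login for root from 192.0.2.10
2010-08-21 02:30:00 FAILED login for root from 198.51.100.7
2010-08-21 02:45:00 FAILED login for root from 198.51.100.7
2010-08-21 03:00:00 FAILED login for root from 198.51.100.7
2010-08-21 03:15:00 FAILED login for root from 198.51.100.7
2010-08-21 03:30:00 FAILED login for root from 198.51.100.7
2010-08-21 04:00:00 OK login for jane from 203.0.113.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<status>OK|FAILED) "
    r"login for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(lines):
    """Yield (timestamp, status, user, ip); lines that don't match are skipped, not fatal."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["status"], m["user"], m["ip"]


def brute_force_lockouts(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return (locked, success_after_lock, totals).

    locked:             ip -> time it crossed max_failures failures inside `window`
    success_after_lock: (ts, user, ip) for logins that succeeded after that ip was locked,
                        i.e. the trace a successful brute force leaves behind
    totals:             ip -> every failure seen, ignoring pacing (catches slow attackers
                        that never trip the window)
    """
    recent = defaultdict(deque)
    totals = defaultdict(int)
    locked = {}
    success_after_lock = []
    for ts, status, user, ip in parse(lines):
        if status == "FAILED":
            totals[ip] += 1
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= max_failures and ip not in locked:
                locked[ip] = ts
        elif ip in locked:
            success_after_lock.append((ts, user, ip))
    return locked, success_after_lock, dict(totals)


if __name__ == "__main__":
    locked, after, totals = brute_force_lockouts(SAMPLE_LOG.splitlines())
    print("locked:", locked)
    print("successful login after lockout:", after)
    print("total failures per ip:", totals)
```

Running it flags 192.0.2.10 (five failures in six seconds, then a successful root login two seconds later, which is exactly the sequence to look for in the real log), while 198.51.100.7 never trips the ten-minute window despite five failures. That second case is why the per-IP total is reported alongside the window count: a rate limiter alone is not a detection.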

Because of the nature of this client's work, there are powerful, moneyed interests that have become his adversaries, and who stand to gain by crippling his sites. While we are aware that paranoia runs deep on all things internet, the stakes involved in this one are so high that it is in our client's interest not to be complacent. So yeah, a little paranoia is a good thing.

For this reason, and because we love this work, we spent the weekend reverse engineering the attack and running forensics on the trail.

We woke up to this message posted on many sites this client owned, and some others that were related:

At first sight, it's lol. Nice prank, frat boy. This guy spent a lot of time on this display, and although we only saw this logo, there was an audio/video component that we didn't see - because the French site they had hacked to store the flash & MP3 files had taken those assets down already. This is a proud hacker, folks! Wants the glory.

In case you can't read the banner, here's the text right from their code:

Contactez-Moi A:
DZ.Z3R0 [AT] GMAIL [DOT] COM
DZ.Z3R0 [AT] YAHOO [DOT] COM
DZ-Z3R0 [AT] HOTMAIL [DOT] FR
Pseudonyme de Skype: DZ-Z3R0
Site Web: www.dz-z3r0.com

He or she openly posts a French "Contact Me" message (appropriate for Algeria), a business card, with contact numbers and email addresses on the three search engines' mail systems - and that's where we get paranoid again. These guys are hackers for hire! And we suspect someone hired them.

Because of this text, the hacker actually ranks the attacked sites for the search "dz.z3ro", thereby getting even more publicity. Assuming these sites have not yet detected the hack, and if enough sites are hacked, there's bound to be plenty of them.

The attacks were coming from these IPs:
41.200.172.33
41.97.64.186

The IPs are Algerian, but always anticipate proxies and a head fake pointing in the wrong direction.

(If you ever have to run forensics, use reliable tools. There's a lot of garbage out there that ranks high: search for "find country by ip" - #1 is selfseo.com/ip_to_country.php, which says our IPs are from Japan.)

Do a search for "dz.z3ro". The #1 result takes you to www.sharmakay.com. Searches on the whois data look innocent - the address exists, Sharma appears to be a real person there, so it's likely a hacked site:

Registrant:
AUD Family
17150 University Ave Ste 300
Sandy, Oregon 97055
United States

Domain Name: SHARMAKAY.COM
Created on: 24-May-00
Expires on: 24-May-14
Last Updated on: 18-Mar-06

Administrative Contact:
Kay, Sharma
AUD Family
17150 University Ave Ste 300
Sandy, Oregon 97055
United States
5037300203 Fax -- 5036687722

Domain servers in listed order:
CWPRO1.CROSSWINDS.NET
PRO.CROSSWINDS.NET

And it displays this:

The Algerian Hacker Team seal of approval, bar codes and all. And look at all the hacked sites ranking because of the hack!

The server log tells the story: they brute-forced the password on WHM and then did different things on different sites. The constant was the posting of logo.png and flag.png, plus the script on both index.php and index.html. In some instances they also renamed the index file and left backup.php, a little toxic code we recommend you not download. So far, it appears that's all that was done, and recovery is just replacing a wiped-out index file and removing the detritus.

Technically, they did more than just hack the password, delete, post & rename files. They also did some neat tricks - like running wget to directly pull & post the files from another server they had hacked. So there's command line knowledge behind this.
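
The indicators above (dropped logo.png and flag.png, an overwritten index.php or index.html, and a renamed original left as backup.php) are exactly what a file-integrity baseline catches, and it catches them whether the files arrived via wget or any other way. The following is an added example written for this page, not the author's tooling: it hashes a web root, then simulates the reported defacement in a temporary directory and diffs against the baseline. The site layout and file contents are constructed; only the three filenames come from the post.

```python
"""File-integrity check for the defacement pattern described above.
Added example: builds a constructed web root in a temp dir so it runs offline."""
import hashlib
import os
import tempfile

# Filenames the post reports as the constant across hacked sites.
DEFACEMENT_NAMES = {"logo.png", "flag.png", "backup.php"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map of relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_against_baseline(baseline, current):
    """Classify changes since the baseline. 'suspicious' narrows added/modified
    files to the names the post reports plus any index.* file, which is where
    the defacement script was planted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    suspicious = sorted(
        p for p in added + modified
        if os.path.basename(p) in DEFACEMENT_NAMES or os.path.basename(p).startswith("index.")
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


def write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed site: baseline it, simulate the reported defacement, return the diff."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "index.php", b"<?php echo 'welcome'; ?>")
        write(root, "about/index.html", b"<html>about</html>")
        write(root, "css/site.css", b"body{}")
        baseline = snapshot(root)   # in practice: store this off-box, signed or read-only

        # Simulated tampering (constructed): the original index renamed to backup.php,
        # new index files written, two images dropped in the web root.
        os.rename(os.path.join(root, "index.php"), os.path.join(root, "backup.php"))
        write(root, "index.php", b"<html>DEFACED</html>")
        write(root, "logo.png", b"\x89PNG constructed")
        write(root, "flag.png", b"\x89PNG constructed")
        write(root, "about/index.html", b"<html>DEFACED</html>")
        return diff_against_baseline(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

The baseline has to be taken from a known-good state and kept somewhere the web server account cannot rewrite, otherwise an intruder with the WHM password simply re-baselines after defacing. Note that `backup.php` shows up as "added" rather than "renamed": a hash manifest sees files, not moves, which is enough to clean up but means the recovered original content is the baseline's, not the file now sitting in the web root.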

The script also appears to disable left and right click, but I haven't put time into that yet. Will get to that - we already know way more than we can reveal here about the players and their connections.

But some of what we can reveal is still very interesting. For example, this hacker's very busy - just looking at all the hacked sites in the above search tells you that. Here's another trademark image from a June 2010 hack:

This is a report of a different kind of attack by the same entity, and supposedly tracks back to Nigeria, according to the victim's post http://www.nairaland.com/nigeria/topic-469034.0.html. So it looks like dz.z3ro has at least 2 tricks up that sleeve - brute force and one other - possibly RFI (remote file inclusion) or SQL injection. Not high level chops by any means, but enough to practice graffiti.

Not sure how fearful to be about a flagrant hacker who demands such attention - my gut says this is a bozo, but any bozo who can hack a server is someone to watch, especially if someone is paying for services rendered.


Update I 23 August 2010: Gmail Intrusion

Today, our developer working on the compromised accounts discovered a notice in his Gmail account - warning of an intrusion into the account originating in Algeria:

Algeria (41.200.164.37)
Algeria (41.97.64.186)
Algeria (41.200.173.123)
Algeria (41.200.165.201)

Of these IPs, 41.97.64.186 is also where the attack on one of the servers originated.

Couple of things here - One, did you think your Gmail accounts were secure? This is a big question, and the answer here is "NO!" And secondly, although we were told a brute force attack succeeded on the server, this suggests it was stolen credentials. We're looking into this and still trying to tie down the timing.


Update II 23 August 2010

dz-z3r0.com is not hosted.

Just tried to contact the hacker using the 3 email addresses posted in the hack:

Got failure to deliver on all three email addresses:

[DZ.Z3RO@gmail.com]:
74.125.65.27 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach does not exist. Giving up on 74.125.65.27

[DZ.Z3RO@yahoo.com]:
98.137.54.237 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (dz.z3ro@yahoo.com) [0] - mta160.mail.sp2.yahoo.com

[DZ.Z3RO@hotmail.com]:
65.54.188.94 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable. Giving up on 65.54.188.94.

Given this, feeling less paranoid - the email and domain now seem to be just empty brags. DZ, dude, like just when we were starting to respect you it turns out you're just talk...

And you're just like the rest of the graffiti artists I found in this nice big archive of hackers and their victims, along with some very cool hacker art - click the mirror links: (this list is growing fast)

http://www.zone-h.org/archive/published=0/page=1

(note that on 2010/08/24 ViRuS Qalaa is listed as having hacked Google.ae - United Arab Emirates - but they're now back online.)

Comment By: Charlene Gates
re: We Suspect That Someone Paid dz.z3ro To Hack Our Clients Servers
(posted 2010-08-26 21:38:07)

Kudos, Rev, what a great post! Making my IT guys read this. That there is an entire culture forming around hacks is disturbing to say the least. Wonder how significant it is that most are from the mid east.

Comment By: Laura Nowa
re: We Suspect That Someone Paid dz.z3ro To Hack Our Clients Servers
(posted 2010-11-28 22:26:38)

Love the brag site for hacker art! You're absolutely right - it's graffiti!
