For starters, there was an avoidable vulnerability that was exploited. The servers were newly implemented and did not have cPHulk enabled. This is the "brute force manager" that locks you out after several failed attempts to log into WHM (WebHost Manager): repeated failed attempts from an IP address result in that IP being blacklisted. If you're running Apache servers this should be a default.
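As an added illustration (not the author's code and not cPanel's implementation), here is the lockout rule cPHulk applies, run over a few constructed WHM login records: N failures from one IP inside a short window gets that IP blacklisted, and any login it makes afterwards is one the lockout would have stopped. The log format, the timestamps and the 203.0.113.7 address are assumptions; only the 41.200.172.33 address comes from the post.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, "<ISO timestamp> <source ip> <user> <FAIL|OK>";
# this is NOT cPanel's real login_log layout, just enough to show the logic.
SAMPLE_LOG = """\
2010-08-21T02:14:01 41.200.172.33 root FAIL
2010-08-21T02:14:03 41.200.172.33 root FAIL
2010-08-21T02:14:04 41.200.172.33 root FAIL
2010-08-21T02:14:06 41.200.172.33 root FAIL
2010-08-21T02:14:09 41.200.172.33 root FAIL
2010-08-21T02:14:11 41.200.172.33 root OK
2010-08-21T03:00:00 203.0.113.7 admin FAIL
2010-08-21T03:40:00 203.0.113.7 admin FAIL
2010-08-21T03:41:00 203.0.113.7 admin OK
"""

def parse_log(text):
    """Yield (timestamp, ip, user, ok) tuples from the constructed format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, status = line.split()
            yield datetime.fromisoformat(ts), ip, user, status == "OK"

def find_brute_forcers(events, max_failures=5, window=timedelta(minutes=5)):
    """Blacklist an IP once it has max_failures failed logins inside any
    `window`-long span.  Returns (locked, blocked): locked maps ip -> time
    of lockout; blocked lists successful logins from an IP that arrived
    after its lockout, i.e. the logins the lockout would have prevented."""
    recent = defaultdict(deque)      # ip -> timestamps of recent failures
    locked, blocked = {}, []
    for ts, ip, _user, ok in sorted(events):
        if ip in locked:
            if ok:
                blocked.append((ip, ts))
            continue
        if ok:
            continue                 # successes do not count toward lockout
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:    # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            locked[ip] = ts
    return locked, blocked

if __name__ == "__main__":
    locked, blocked = find_brute_forcers(parse_log(SAMPLE_LOG))
    print("lock out:", locked)
    print("logins after threshold:", blocked)
```

The 203.0.113.7 entries show the window doing its job: two failures forty minutes apart never add up to a lockout.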
Because of the nature of this client's work, there are powerful, monied interests that have become his adversaries, and who stand to gain by crippling his sites. While we are aware that paranoia runs deep on all things internet, the stakes involved in this one are so high that it is in our client's interest not to be complacent. So yeah, a little paranoia is a good thing.
For this reason, and because we love this work, we spent the weekend reverse engineering the attack and running forensics on the trail.
We woke up to this message posted on many sites this client owned, and some others that were related:
At first sight, it's lol. Nice prank, frat boy. This guy spent a lot of time on this display, and although we only saw this logo, there was an audio/video component that we didn't see - because the French site they had hacked to store the flash & MP3 files had taken those assets down already. This is a proud hacker, folks! Wants the glory.
In case you can't read the banner, here's the text right from their code:
He or she openly posts a French "Contact Me" message (appropriate for Algeria), a business card, with contact numbers and email addresses on the three search engines' mail systems - and that's where we get paranoid again. These guys are hackers for hire! And we suspect someone hired them.
Because of this text, the attacked sites actually rank for a search on "dz.z3ro", giving the hacker even more publicity. As long as the hacked sites haven't yet noticed, and enough of them have been hacked, there are bound to be plenty of results.
The attacks were coming from these IPs:
41.200.172.33
41.97.64.186
The IPs are Algerian, but always anticipate proxies and a head fake pointing in the wrong direction.
(If you ever have to run forensics, use reliable tools. There's a lot of garbage out there that ranks high: search for "find country by ip" - #1 is selfseo.com/ip_to_country.php, which says our IPs are from Japan.)
Do a search for "dz.z3ro". The #1 result takes you to www.sharmakay.com. Searches on the whois data look innocent - the address exists, Sharma appears to be a real person there, so it's likely a hacked site:
Registrant:
AUD Family
17150 University Ave Ste 300
Sandy, Oregon 97055
United States
Domain Name: SHARMAKAY.COM
Created on: 24-May-00
Expires on: 24-May-14
Last Updated on: 18-Mar-06
Administrative Contact:
Kay, Sharma
AUD Family
17150 University Ave Ste 300
Sandy, Oregon 97055
United States
5037300203 Fax -- 5036687722
Domain servers in listed order:
CWPRO1.CROSSWINDS.NET
PRO.CROSSWINDS.NET
And it displays this:
The Algerian Hacker Team seal of approval, bar codes and all. And look at all the hacked sites ranking because of the hack!
The server log tells the story: they brute forced the password on WHM and then did different things on different sites. The constant was the posting of logo.png and flag.png, plus the script on both index.php and index.html. In some instances they also renamed the index file and left backup.php, a little toxic code we recommend you not download. So far, it appears that's all that was done, and recovery is just replacing a wiped out index file and removing the detritus.
Technically, they did more than just hack the password and delete, post and rename files. They also did some neat tricks - like running wget to pull the files directly from another server they had hacked and post them here. So there's command line knowledge behind this.
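An added example, not the author's tooling or anyone else's, of the integrity check that makes this kind of cleanup systematic: hash every file under the web root, diff it against a pre-incident baseline, and flag exactly the files named above (new logo.png, flag.png and backup.php, rewritten or renamed index files). The site layout, the file contents and the .old suffix on the renamed index are constructed assumptions built in a temporary directory.

```python
import hashlib
import os
import tempfile

DEFACEMENT_MARKERS = {"logo.png", "flag.png", "backup.php"}

def snapshot(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return digests

def diff_snapshots(baseline, current):
    """Classify added/removed/modified paths; 'suspicious' is the subset of
    added files whose names match this incident's markers, to triage first."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    suspicious = [p for p in added if os.path.basename(p) in DEFACEMENT_MARKERS]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}

def demo():
    # Replay the changes described in the post on a constructed site.
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(data)
        write("index.php", "<?php echo 'welcome'; ?>")
        write("blog/index.html", "<html>blog</html>")
        baseline = snapshot(root)
        # Attacker actions from the post: overwrite one index, rename the
        # other and replace it, then drop logo.png, flag.png and backup.php.
        write("index.php", "<html>defaced (constructed)</html>")
        os.rename(os.path.join(root, "blog/index.html"),
                  os.path.join(root, "blog/index.html.old"))
        write("blog/index.html", "<html>defaced (constructed)</html>")
        for name in DEFACEMENT_MARKERS:
            write(name, "constructed placeholder")
        return diff_snapshots(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline comes from a snapshot taken at deploy time and stored off the server, since anything left on a box an attacker owns can be edited along with the pages.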
The script also appears to disable left and right click, but I haven't put time into that yet. Will get to that - we already know way more than we can reveal here about the players and their connections.
But some of what we can reveal is still very interesting. For example, this hacker's very busy - just looking at all the hacked sites in the above search tells you that. Here's another trademark image from a June 2010 hack:
This is a report of a different kind of attack by the same entity, and supposedly tracks back to Nigeria, according to the victim's post http://www.nairaland.com/nigeria/topic-469034.0.html. So it looks like dz.z3ro has at least 2 tricks up that sleeve - brute force and one other - possibly RFI (remote file inclusion) or SQL injection. Not high level chops by any means, but enough to practice graffiti.
Not sure how fearful to be about a flagrant hacker who demands such attention - my gut says this is a bozo, but any bozo who can hack a server is someone to watch, especially if someone is paying for services rendered.
Update I 23 August 2010: Gmail Intrusion
Today, our developer working on the compromised accounts discovered a notice in his Gmail account - warning of an intrusion into the account originating in Algeria:
Algeria (41.200.164.37)
Algeria (41.97.64.186)
Algeria (41.200.173.123)
Algeria (41.200.165.201)
Of these IPs, 41.97.64.186 is also where the attack on one of the servers originated.
Couple of things here - One, did you think your Gmail accounts were secure? This is a big question, and the answer here is "NO!" And secondly, although we were told a brute force attack succeeded on the server, this suggests it was stolen credentials. We're looking into this and still trying to tie down the timing.
Update II 23 August 2010
dz-z3r0.com is not hosted.
Just tried to contact the hacker using the 3 email addresses posted in the hack:
Got delivery failures on all three email addresses:
[DZ.Z3RO@gmail.com]:
74.125.65.27 does not like recipient.
Remote host said: 550-5.1.1 The email account that you tried to reach does not exist. Giving up on 74.125.65.27
[DZ.Z3RO@yahoo.com]:
98.137.54.237 failed after I sent the message.
Remote host said: 554 delivery error: dd This user doesn't have a yahoo.com account (dz.z3ro@yahoo.com) [0] - mta160.mail.sp2.yahoo.com
[DZ.Z3RO@hotmail.com]:
65.54.188.94 does not like recipient.
Remote host said: 550 Requested action not taken: mailbox unavailable. Giving up on 65.54.188.94.
Given this, feeling less paranoid - the email and domain now seem to be just empty brags. DZ, dude, like just when we were starting to respect you it turns out you're just talk...
And you're just like the rest of the graffiti artists I found in this nice big archive of hackers and their victims, along with some very cool hacker art - click the mirror links: (this list is growing fast)
http://www.zone-h.org/archive/published=0/page=1
(note that on 2010/08/24 ViRuS Qalaa is listed as having hacked Google.ae - United Arab Emirates - but they're now back online.)
Kudos, Rev, what a great post! Making my IT guys read this. That there is an entire culture forming around hacks is disturbing to say the least. Wonder how significant it is that most are from the mid east.
Love the brag site for hacker art! You're absolutely right - it's graffiti!