On Sunday the 23rd of February 2003 Kevin Mitnick's company site
defensivethinking.com was publicly defaced for the second time this month. This
time, however, the defacer replaced the homepage with his own political message.
The defacer used the same security vulnerability in the Microsoft FrontPage
extensions that BugBear used to gain unauthorized access to the site the first
time. (In Windows XP one can simply go into 'My Network Places' and add a
'Network Place' called www.defensivethinking.com; with no password restrictions
in place, you are then able to edit the site.) After checking
Netcraft
it was discovered that defensivethinking.com recently changed hosting
providers again, to Fuse Internet as of the 22nd of February, which is why the
same vulnerability resurfaced. It is understood this was done as a
temporary measure while they configure their own server running *nix.
At approximately 3pm GMT a defacer going by the handle of "DkD[||" gained
unauthorised access to the server hosting
defensivethinking.com, and promptly
defaced it. Soon after, the changed page was spotted by a 'white hat' hacker named
W1nt3rmut3, a
member of DDP (a group
of international hackers), who, with the
intention of saving the company any further embarrassment, accessed the server in
the same way as the defacer and replaced the changed front page with the
official version (which had been left in a folder named /temp). Soon
after, the defacer returned, and subsequently so did
W1nt3rmut3. Then began
a cat-and-mouse game which was unfortunately won by the defacers, as by this time
word had circulated far and wide about the vulnerability. A few defacements
later, a password appeared on the FrontPage component. It is unknown
whether the password was the result of the last successful defacement of the site or
whether the hosting company implemented it. Whichever it was, the result was the
following Portuguese message "fechado para manutencao ninguem mais entra lol" [translation:
closed for maintenance, nobody else gets in lol] being visible
for a period of time before the site was finally redirected to a generic hosting
company 404 page.
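As an added illustration (not code from the original report), a small Python check a site owner could run over IIS W3C extended logs to spot the condition described above: unauthenticated clients successfully posting to the FrontPage Server Extensions authoring endpoints. The log lines are constructed sample data; the endpoint paths are the standard FPSE ones.

```python
import re

# Constructed sample of IIS W3C extended log lines (not from the page). Fields:
# date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2003-02-23 15:02:11 198.51.100.7 - GET /index.htm - 200 Mozilla/4.0
2003-02-23 15:03:45 198.51.100.7 - POST /_vti_bin/shtml.dll/_vti_rpc - 200 MSFrontPage/5.0
2003-02-23 15:03:46 198.51.100.7 - POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
2003-02-23 15:10:02 203.0.113.9 webadmin POST /_vti_bin/_vti_aut/author.dll - 200 MSFrontPage/5.0
2003-02-23 15:12:30 203.0.113.9 - POST /_vti_bin/_vti_aut/author.dll - 401 MSFrontPage/5.0
"""

# FrontPage Server Extensions authoring entry points: the RPC used to list and
# modify site content. Anonymous POSTs here mean the web is writable without a login.
AUTHORING_RE = re.compile(
    r"^/_vti_bin/(?:_vti_aut/author\.dll|shtml\.(?:dll|exe)/_vti_rpc)$", re.IGNORECASE
)

def parse_line(line):
    """Split one W3C log line into a dict; returns None for comments/short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 9:
        return None
    date, time, ip, user, method, uri, query, status, ua = parts[:9]
    return {"time": f"{date} {time}", "ip": ip, "user": user, "method": method,
            "uri": uri, "status": int(status), "ua": ua}

def find_anonymous_authoring(log_text):
    """Return records where an unauthenticated client successfully POSTed to an
    FPSE authoring endpoint; a '-' username means IIS recorded no logged-on user."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["user"] == "-" and rec["method"] == "POST"
                and AUTHORING_RE.match(rec["uri"]) and rec["status"] < 400):
            hits.append(rec)
    return hits

def offending_ips(log_text):
    """Distinct source addresses that achieved anonymous authoring access."""
    return sorted({h["ip"] for h in find_anonymous_authoring(log_text)})

if __name__ == "__main__":
    for h in find_anonymous_authoring(SAMPLE_LOG):
        print(f"{h['time']} {h['ip']} anonymous {h['method']} {h['uri']} -> {h['status']}")
```

Any hit is a sign that the authoring extensions accept writes without credentials; the fix is to require authentication on (or disable) the extensions, not to block individual addresses.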
Comments on
Zone-H's article
[Mirror] as seen by Rootsecure.net:
Quote: We at Zone-H fought a little in order to get the mirror of the defacement as
somebody at Defensivethinking was continuously restoring the original main page
and blocking the IP of our mirroring robot (like to say, if Zone-H doesn't
mirror it, it will get unnoticed... Shhhhh!)
The interesting thing is that the boys at Defensive Thinking, rather than fixing
the configuration mistake (at the moment the full server content is still
browsable as an extension of your local directory), were fighting against
our mirrors or against the hacker who was redefacing the main page every time it
got fixed.
* As stated the original page was repeatedly restored by a helpful net
citizen going by the handle W1nt3rmut3,
who Rootsecure.net has been in contact with.
* Zone-H experienced problems mirroring the site from the normal IP address of their
mirror engine based in Estonia, however succeeded using a different IP. (Rootsecure.net
recently published details of how to block mirroring by Zone-H after having part
of a honeypot mirrored. As a side note, Zone-H are understood to be actively
investigating the possibilities of using a distributed network with dynamic IP
addresses.)
Archived News Item: Rootsecure.net Tip: If you get your
site defaced, prevent it from being added to the zone-h.com defacements mirror
by banning their IP (194.126.100.126) and 'User Agent' string (Java1.3.1_02) from
your site, therefore preventing their mirror script from working.
An interview held between the defacer "DkD[||" and Rootsecure.net moments after
the incident is available at the following address:
content/temp/dtdefacer_interview.txt
Zip of all mirrors
collected by Rootsecure.net
Update: Rootsecure.net
was contacted by a source close to Defensive Thinking with the following 'official statement':
February 23, 2003, 9:00pm
LOS ANGELES, CA – Early this morning, it was brought to our attention that
the www.defensivethinking.com website was once again compromised, utilizing
a vulnerability in Microsoft's Operating System. The site has always been
maintained by volunteers, and was never maintained or serviced by Kevin
Mitnick, himself.
Following an attack a couple of weeks ago, we put measures in place and
along with assistance from the staff at LabMistress.com, we decided to
convert the site to a Linux/Apache-based web server. During the conversion,
it was necessary to move the site to a hosting company on its current
Microsoft platform. We chose a hosting company in Kentucky called DLHost.com
to host the site temporarily for approximately one week.
This morning when DL Host was contacted and informed of the attacks, we
asked them to disable FrontPage extensions on the server. They declined,
because too many of their customers used these extensions. This afternoon,
we propagated the DNS servers to point to the server that is hosting the new
site on Linux. We put up a temporary page stating that the site was closed
during construction, and hope to have all the work completed by Tuesday,
February 25, 2003. At this time, most of the site is currently up, except
for the forums, which have to undergo a conversion due to a change in the
board software. The forums will now be run using UBB Threads by InfoPop.
Report by Kevin Mitnick's girlfriend (Darci Wood) on what happened