Rootsecure.net
The Security News Site For Systems Administrators & Hackers. Friday, 18th April 2014 @ 07:10:15 GMT
Reports | How defensivethinking.com got "hacked" for a second time
{23rd Feb 2003}
On Sunday the 23rd of February 2003, Kevin Mitnick's company site defensivethinking.com was publicly defaced for the second time this month. This time, however, the defacer replaced the homepage with his own political message.

The defacer used the same security vulnerability in the Microsoft FrontPage extensions that BugBear had used to gain unauthorised access to the site the first time. (In Windows XP one can simply go into 'My Network Places' and add a 'Network Place' called www.defensivethinking.com; with no password restrictions in place, you are then able to edit the site.) After checking Netcraft it was discovered that defensivethinking.com had recently changed hosting providers again, to Fuse Internet as of the 22nd of February, which is why the same vulnerability resurfaced. It is understood this was done as a temporary measure while they configure their own server running *nix.
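As an added example (not from the Rootsecure.net article, Defensive Thinking or their hosts), here is a check a server administrator could run over IIS W3C extended logs to spot FrontPage authoring requests that succeed without an authenticated user, the condition that let anyone edit the site. The log lines are constructed; the `/_vti_bin/_vti_aut/author.dll` and `/_vti_bin/_vti_adm/admin.dll` paths are the standard FrontPage Server Extensions authoring endpoints, and the `#Fields:` header is assumed to name the columns used below.

```python
"""Flag anonymous FrontPage Server Extensions authoring in an IIS W3C log.
Added example; assumes a #Fields: header naming c-ip, cs-username,
cs-method, cs-uri-stem and sc-status."""

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2003-02-23 15:01:10 203.0.113.7 - GET /index.htm 200 Mozilla/4.0
2003-02-23 15:02:41 198.51.100.9 - POST /_vti_bin/shtml.exe/_vti_rpc 200 MSFrontPage/5.0
2003-02-23 15:02:43 198.51.100.9 - POST /_vti_bin/_vti_aut/author.dll 200 MSFrontPage/5.0
2003-02-23 15:09:02 192.0.2.44 webmaster POST /_vti_bin/_vti_aut/author.dll 200 MSFrontPage/5.0
2003-02-23 15:11:58 198.51.100.9 - POST /_vti_bin/_vti_aut/author.dll 401 MSFrontPage/5.0
"""

# Standard FrontPage Server Extensions authoring/administration endpoints.
AUTHORING_PATHS = ("/_vti_bin/_vti_aut/author.dll", "/_vti_bin/_vti_adm/admin.dll")


def parse_w3c(text):
    """Yield one dict per log entry, keyed by the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of misaligning columns
        yield dict(zip(fields, values))


def anonymous_authoring(text):
    """Return (client IP, path) for successful authoring POSTs with no
    authenticated user (cs-username is '-' for anonymous requests)."""
    hits = []
    for e in parse_w3c(text):
        if (e.get("cs-method") == "POST"
                and e.get("cs-uri-stem", "").lower().startswith(AUTHORING_PATHS)
                and e.get("cs-username") == "-"
                and e.get("sc-status", "").startswith("2")):
            hits.append((e["c-ip"], e["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, path in anonymous_authoring(SAMPLE_LOG):
        print(f"unauthenticated FrontPage authoring from {ip}: {path}")
```

Any hit means the extensions accept anonymous writes; the fix is to require authentication on the authoring endpoints or disable the extensions, as Defensive Thinking asked their host to do.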

At approximately 3pm GMT a defacer going by the handle of "DkD[||" gained unauthorised access to the server hosting defensivethinking.com, and promptly defaced it. Soon after, the changed page was spotted by a 'white hat' hacker named W1nt3rmut3, a member of DDP (a group of international hackers), who, with the intention of saving the company any further embarrassment, accessed the server in the same way as the defacer and replaced the changed front page with the official version (which had been left in a folder named /temp). Soon after the defacer returned, and subsequently so did W1nt3rmut3. Then began a cat-and-mouse game which was unfortunately won by the defacers, as by this time word had circulated far and wide about the vulnerability. A few defacements later, a password appeared on the FrontPage component. It is unknown whether the password was the result of the last successful defacement of the site or whether the hosting company implemented it. Whichever it was, the result was the following Portuguese message, "fechado para manutencao ninguem mais entra lol" [translation: closed for maintenance, nobody else gets in lol], being visible for a period of time before the site was finally redirected to a generic hosting company 404 page.

Comments on Zone-H's article [Mirror] as seen by Rootsecure.net:

Quote: We at Zone-H fought a little in order to get the mirror of the defacement, as somebody at Defensivethinking was continuously restoring the original main page and blocking the IP of our mirroring robot (like to say, if Zone-H doesn't mirror it, it will go unnoticed... Shhhhh!)

The interesting thing is that the boys at Defensive Thinking, rather than fixing the configuration mistake (at the moment the full server content is still browsable as an extension of your local directory), were fighting against our mirrors or against the hacker who was redefacing the main page every time it got fixed.

* As stated, the original page was repeatedly restored by a helpful net citizen going by the handle W1nt3rmut3, with whom Rootsecure.net has been in contact.

* Zone-H experienced problems mirroring the site from the normal IP address of their mirror engine based in Estonia, but succeeded using a different IP. (Rootsecure.net recently published details of how to block mirroring by Zone-H after having part of a honeypot mirrored. As a side note, Zone-H are understood to be actively investigating the possibility of using a distributed network with dynamic IP addresses.)

Archived News Item: Rootsecure.net Tip: If you get your site defaced, prevent it from being added to the zone-h.com defacements mirror by banning their IP (194.126.100.126) and 'User Agent' string (Java1.3.1_02) from your site, thereby preventing their mirror script from working.

An interview held between the defacer "DkD[||" and Rootsecure.net moments after the incident is available at the following address:
content/temp/dtdefacer_interview.txt

Zip of all mirrors collected by Rootsecure.net

Update: Rootsecure.net was contacted by a source close to Defensive Thinking with the following 'official statement':

---- February 23, 2003, 9:00pm

LOS ANGELES, CA – Early this morning, it was brought to our attention that the www.defensivethinking.com website was once again compromised, utilizing a vulnerability in Microsoft's Operating System. The site has always been maintained by volunteers, and was never maintained or serviced by Kevin Mitnick himself.

Following an attack a couple of weeks ago, we put measures in place and, along with assistance from the staff at LabMistress.com, decided to convert the site to a Linux/Apache-based web server. During the conversion, it was necessary to move the site to a hosting company on its current Microsoft platform. We chose a hosting company in Kentucky called DLHost.com to host the site temporarily for approximately one week.

This morning when DL Host was contacted and informed of the attacks, we asked them to disable Front Page extensions on the server. They declined, because too many of their customers used these extensions. This afternoon, we propagated the DNS servers to point to the server that is hosting the new site on Linux. We put up a temporary page stating that the site was closed during construction, and hope to have all the work completed by Tuesday, February 25, 2003. At this time, most of the site is currently up, except for the forums, which have to undergo a conversion due to a change in the board software. The forums will now be run using UBB Threads by InfoPop.

Report by Kevin Mitnick's girlfriend (Darci Wood) on what happened