Many people around the world awoke on Christmas morning with anticipation of gifts under the tree. But that’s not the only thing that was waiting for some of them. A group of hackers known only as the creators of a newsletter called “Owned and Exposed” announced early on Christmas morning that they had compromised six sites and published the details of their deeds in the second edition of their “ezine”.
The attacks largely targeted those they characterized as either “script kiddies” or security experts they wanted to show up for making mistakes in hosting their own websites.
The first to come forward was the administrator of exploit-db.com, a website devoted to cataloging known software exploits and vulnerabilities. The admin posted a response to the hack on their blog that began: “There’s nothing like having your butt kicked Christmas morning, which is exactly what happened to us today.” At least they are treating it for what it was, a somewhat cruel prank that had in fact exploited some flaws in their site.
Another site that was hit was the SourceForge page of ettercapNG. Ettercap is often used for performing man-in-the-middle attacks and has been unmaintained for over five years. The hackers provided evidence that the site had previously been compromised by others, so it may not be prudent to trust anything you have downloaded from the ettercap site.
Most of the other sites that were hit were more controversial and some of them engaged in illegal activity like trading in stolen identities and credit cards. When the first edition of Owned and Exposed was published it documented their takedown of a haven of online criminal activity known as carders.cc. Carders.cc was taken down again in this attack along with free-hack.com and inj3ct0r.com.
Is there a lesson in this story for security professionals? If you read the ezine you will see that nearly all of the sites that were compromised had lapsed on some security fundamentals and were exposed through one little chink in the armor. A series of small mistakes can mean big problems when your adversaries put the pieces together.
For example, the admin at backtrack-linux.org (the same admin as exploit-db.com) used the MySQL root account and password for all of their web scripts, WordPress instances, etc. to access the database. That means a flaw in any one script, however minor, handed an attacker full control of every database on the server.
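As an added illustration (not taken from the ezine or from the affected sites’ configuration), here is the weak setting the story describes beside the corrected one, written for MySQL. The database name wp_blog, the account name, the password, and the wp-config.php lines are all hypothetical.

```sql
-- Weak setting: every script and WordPress instance connects as root.
-- In WordPress this lives in wp-config.php and would look like:
--   define('DB_USER', 'root');
--   define('DB_PASSWORD', 'the-one-password-for-everything');
-- A SQL injection in any single script then runs with root's privileges
-- over every database on the server, and the shared password is now exposed.

-- Corrected setting: one account per application, limited to one database
-- and one connecting host. (Database, user and password are hypothetical.)
CREATE DATABASE IF NOT EXISTS wp_blog;
CREATE USER 'wp_blog'@'localhost' IDENTIFIED BY 'long-random-password-unique-to-this-site';

-- WordPress needs table-level DML plus the DDL its upgrades and plugins use,
-- and nothing outside its own database.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP
    ON wp_blog.* TO 'wp_blog'@'localhost';
-- Deliberately NOT granted: FILE (reads and writes files on the server),
-- SUPER, PROCESS, GRANT OPTION, and any privilege on mysql.* or other databases.

-- Check: the account's grants should name only wp_blog.*.
SHOW GRANTS FOR 'wp_blog'@'localhost';

-- Audit: list every account that still holds dangerous global privileges,
-- which is where a "root for everything" setup shows up.
SELECT user, host, File_priv, Super_priv, Grant_priv
  FROM mysql.user
 WHERE File_priv = 'Y' OR Super_priv = 'Y' OR Grant_priv = 'Y';
```

With the corrected account in place, wp-config.php points at 'wp_blog' instead of 'root', and a compromise of that one site is contained to that one database rather than to the whole server. The same split applies to every other web script: each gets its own account, its own password, and only the privileges it actually uses.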
Next time you are struggling with database and filesystem permissions and are tempted to use the admin account “just for now,” remember this story, and hopefully next Christmas morning you won’t unwrap any unwanted surprises.