hacked by Indonesian hackers


Kubucyber hacked defacementLate yesterday evening a fellow Sophos employee tipped me off that the website had been defaced. While it’s not shocking news that another site of the millions on the internet has been hacked, this one was unusual in that the defacement seemed to be nothing more than an advertisement for the hackers.

Ten years ago hacking for bragging rights was a somewhat common practice, but today most attacks are more silent and are designed to steal information. I poked around to find out more about who was behind the attack and how they are compromising the security of the sites they are attacking.

IRC bot command listThe image and stolen JavaScript code that made up the new home page were stored at a free web host. No surprises there, but I did discover that they had an active IRC network.

The group had planted an IRC bot in a chat channel that they can command to remotely scan networks for vulnerabilities. This provides them with a list of hosts that are vulnerable to SQL injection and other techniques. It appears the bot uses search engines like Google and Bing to find potential targets.

r3cogniz3d's photo from FacebookThe individual who claimed to execute this hack seems relatively unknown, but others in the group are proud enough of their work to publish tales of their exploits. One member, r3cogniz3d, was good enough to post his name and photo publicly on Facebook. He seems to really like the coffee shop Cafe Lampu in Jambi, Indonesia, by the way, so stop by and pay him a visit if you’re in the neighborhood.

My Indonesian is a little rough, but from what I can tell, r3cogniz3d has made it his mission to recruit and teach others how to hack websites through SQL injection and has even posted a video tutorial on YouTube.

So what is the point of all of this? Securing your websites against trivial attacks like those perpetrated by KubuCyber isn’t difficult. The group is simply following a formula to walk in through a door your web developers have left ajar.

When you host a website with a provider, make sure you find out how they will maintain the host operating system and whether they do security audits of the sites they host. It may cost more money to deal with a developer who knows how to properly secure your site, but an ounce of prevention is worth a pound of cure.

For more information on securing your website download our technical paper “Securing Websites” published by SophosLabs. In addition to advice on avoiding SQL injection, this paper talks about establishing a secure foundation for your site and how to deal with external service providers.