[Imc-web] is it me or...
Mike Lehman
rebelmike at earthlink.net
Mon May 2 22:02:06 CDT 2005
Zach,
All I know is that it went down for me when we had the flood of error
messages just after 1:15pm today. As of when I replied to Randall, it
still hadn't come back up, but is OK now.
Maybe I was jumping to conclusions. I know that we had an attempt on the
website a couple of days back (Friday?), where a php command hack was
attempted. Arun said we were OK, because you had the patches applied,
and we didn't go down then -- I feared the worst when what happened
today occurred.
There was a widespread series of attacks on IMCs in the last week or so.
Numerous sites have been down. Madison was down, but came back up
earlier today after being off most of the weekend. Here's the story that
is in their Feature section.
Mike Lehman
From:
http://madison.indymedia.org/feature/display/23902/index.php
Right Wing Hackers Target IndyMedia Network
by HackThisSite.org
02 May 2005
Modified: 05/02 17:03 CDT
Right-wing hackers 'g00ns.com' are taking credit for attacking several
IndyMedia websites, posting anti-left rhetoric. This explains how to fix
the bugs, who is responsible for the attacks, and how to prevent this
kind of action in the future.
http://www.hackthissite.org/news/view/207
http://indymedia.us/en/2005/04/6718.shtml
http://portland.indymedia.org/en/2005/04/316502.shtml
http://portland.indymedia.org/en/2005/04/316466.shtml
The hacker group 'g00ns' (g00ns.com and g00ns-forum.com) are taking
credit for attacking various indymedia sites including
nyc.indymedia.org, colorado.indymedia.org, michiganimc.org,
arkansas.indymedia.org, newjersey.indymedia.org, and others. On the
website, they released a bunch of extreme right wing rhetoric, accusing
indymedia of being 'anti-republican'.
Attacking an open publishing network means you're attacking freedom of
speech itself. They do not want to participate in the political process
through mature discussion or legal channels. These online fascists need
to be exposed and confronted.
Before we go into who was responsible for these attacks, it is important
to stay on the defensive and to prevent this sort of attack from
happening again. Each IMC needs to rebuild and patch their software,
change passwords, go through server logs + remove backdoors, etc. The
specific vulnerability that was exploited had to do with allowing the
upload of malicious PHP files to the media section of the website. This had
been reported several months ago to the dadaIMC support staff, who had
been advised to keep it private until the tech staff of each IMC had
patched their software. It was later published to the dadaIMC website,
which contains details of how it was vulnerable and how to fix it.
http://www.dadaimc.org/mod/software/alerts/dadaIMC/index.php?alert=1
Now let's dig some information up about who these g00n fascists are, and
what we could do about it.
They have their WHOIS information protected, but we looked closer and
found that the same webserver that hosts g00ns.com also hosts 5 other
websites:
g00ns.com is at 70.84.85.147 http://whois.webhosting.info/70.84.85.147
(hosted by ThePlanet). Other websites: ASSOCIATEDOILS.COM, G00NS.COM,
HACKERSRESOURCE.COM, HARRYPTAYLOR.COM, OGI2.COM, PARTNERSTX.ORG.
ThePlanet.com is a mainstream corporate web hosting service, who would
certainly disapprove that g00ns.com is on their servers. You can email
abuse (at) theplanet.com and legal (at) theplanet.com to report g00ns.com.
All of these sites seem to have been designed by CompleteCreations.com
who does web design and hosting. A WHOIS of their domain reveals the
full name and address:
Geddes, Wesley (wes (at) autoteamspeak.com)
Complete Creations
1314 Dunhill
Pasadena, Texas 77506
United States
(832) 735-4017
On hackersresource.com/register.cfm, the text g00n 777 (Wes) is
displayed. CompleteCreations.com, which is run by Wesley Geddes, hosts and
is a member of g00ns.com.
On the defaced IMC websites, 'clorox' takes credit for the attacks. We
started looking around about clorox and, big surprise, it turns out it's
the guy from RightWingExtremist.net. He had reported a security flaw in
Centra 7 a while back regarding an XSS error (very similar to what he had
used to attack IndyMedia months ago:
http://chicago.indymedia.org/newswire/display/48180/index.php).
http://seclists.org/lists/bugtraq/2005/Apr/0156.html
"From: Clorox "
Elac aka awb0t aka Brett Chance from Plano, TX. Haven't you learned your
lesson by now?
In the past, the g00ns have targeted online gaming clan websites, but
since elac had joined up they have started to shift right. Other
defacements the g00ns have committed:
http://www.zone-h.org/en/defacements/filter/filter_defacer=g00ns/
Right Wing Hackers Attack Independent Media Centers
from "Notes from the Hacker Underground" at HackThisSite.org
A number of people have started to organize and attack various
Independent Media Centers as well as a number of other progressive and
leftist websites. In the past, these attacks have ranged from simple XSS
attacks which redirect visitors to trashing the filesystem / databases.
The people responsible show no understanding of the ideas behind the
open publishing system IndyMedia, which is free for all users to
participate in the discussion. These actions are not hacking nor
hacktivism: they utilize public pre-written exploits to simply 'shout
the other side down'. An attack on IndyMedia is an attack on free speech
itself. These right-wing extremists need to be confronted and exposed as
the online fascists they really are.
During the Republican National Convention, a group of hackers called
RightWingExtremist.net was formed by Brett Chance (elac, clorox, awb0t,
etc.) from Plano, TX. This group came out of the ultra conservative
ProtestWarrior.com, which advocates disrupting and attacking leftist
organizations. Their actions had started with minor stuff like launching
ddos attacks on NYC IndyMedia. Later they discovered an XSS flaw in
dadaIMC that allowed them to post news that would automatically redirect
users to his own website where it would play sounds that said childish
political rhetoric like 'the nazi indymedia wants to destroy israel',
etc. Because of pressure from the online community, Brett from
RightWingExtremist.net closed down the site for several months.
Months later, Jeremy from HackThisSite.org discovered a flaw in dadaIMC
that allowed the upload of malicious PHP files which could be used to
take over the entire server. This announcement was quietly made to
dadaIMC, who was urged to keep it private until the tech staff of every
indymedia center was notified and had their scripts patched to protect
themselves. Several other independent IndyMedia centers were notified
and had their code base patched. But before the majority of sites were
patched, DadaIMC posted the vulnerability information on the website,
including instructions on how it can be exploited.
A month later a group calling itself g00ns.com attacked and
defaced a dozen indymedia websites using the vulnerability posted to
dadaimc. On the hacked websites, a message calling indymedia 'liars' and
'anti-republicans' was posted. Soon after, hackers and indymedia techs
started working together to fix each other's code and bring backups back
online as well as find information about the g00ns.
The g00ns started out by targeting and attacking online gaming clan
websites, but eventually Elac from RightWingExtremist.net joined up and
started to turn the group farther to the right. When the IndyMedia sites
were hacked, people started to gather information and infiltrate their
organization and soon after all of their private details were released
to the public to show that actions like this will not go unnoticed.
Many other right-wing trolls continue to try to disrupt IndyMedia and
left-wing protest groups. These individuals operate under several
different names including ProtestWarrior.com, RightWingExtremist.net,
FreeRepublic.com, KobeHQ.com, FreeDominion.com,
LittleGreenFootballs.com, and more. Many of these groups are suspected
of being financed operations from governments or corporations similar to
the COINTELPRO program from the 60s and 70s. Common activities range
from flooding message boards, faking votes and reviews in online polls,
releasing personal information of key organizers, spreading false rumors
and scandals, etc.
All IndyMedia centers running DadaIMC are strongly encouraged to patch
their software.
Details on the vulnerability are at:
http://www.dadaimc.org/mod/software/alerts/dadaIMC/index.php?alert=1
http://www.dadaimc.org/support.php?section=xss
[the above article will be featured in the upcoming 'notes from the
hacker underground' zine available from hackthissite.org]
Zachary C. Miller wrote:
> What huh? The IMC website is not down. The site has been working for
> me today. weftfm.org is also fine. There were some network problems
> yesterday. This is the first I've heard of us being "under attack",
> could you provide more details about this attack? I don't want to
> spread fear about hackers when/if we're only experiencing network
> problems.
>
> As soon as I get back to town (next week) I'll be moving us onto our
> shiny new T-1.
>
> Mike Lehman wrote:
>
>>Randall,
>>The IMC website ran into some issues early this afternoon. I don't know
>>what, but the whole IMC network has been under attack the last week or
>>so and attempts were made earlier in the week to hack our site. As of
>>right now, it is still down. I assume the other sites are hosted on the
>>same server and may be down for the same reason.
>>Mike Lehman
>>
>>Randall Cotton wrote:
>>
>>>Is it me or is web service on imsahp completely unresponsive right now? Load
>>>average is fine, network seems to be fine, apache is up and running, but I
>>>can't get a web page for WEFT, AWARE, IMC, etc.
>>>
>>>R
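The upload flaw the quoted article describes (the media section accepting files that PHP will execute) and the "go through server logs + remove backdoors" cleanup it recommends, as an added example that is not part of this thread and not dadaIMC's own code. The media directory path, the content-type allowlist, the function names (check_media_upload, save_media_hardened, find_suspect_media) and the sample files written to a temp directory are all assumptions made for illustration.

```php
<?php
// Added example, not dadaIMC's code: the upload flaw described in the
// thread (media section accepts files PHP will execute) next to a hardened
// check, plus a post-incident sweep of the media tree. $mediaDir, the
// allowlist and the constructed sample files are assumptions.
declare(strict_types=1);

// Vulnerable shape: the client-supplied name decides the extension, so
// "shell.php" is written under the web root and Apache runs it on request.
function save_media_vulnerable(array $file, string $mediaDir): string
{
    $dest = $mediaDir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Content types the media section is meant to accept, each mapped to the
// single extension the server will assign. Anything else is rejected.
const ALLOWED_MEDIA = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'audio/mpeg' => 'mp3',
];

// Returns the extension to use, judged from the bytes via libmagic, never
// from $_FILES['type'] or the original filename. PHP source is reported as
// text/x-php by libmagic and so falls outside the allowlist.
function check_media_upload(string $tmpPath): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_MEDIA[$mime])) {
        throw new RuntimeException('rejected content type: ' . var_export($mime, true));
    }
    return ALLOWED_MEDIA[$mime];
}

// Hardened handler: validate the content, then store under a server-chosen
// random name with one allowlisted extension and no execute bit. Nothing
// the client sent reaches the filesystem name, so "x.php" or "x.php.jpg"
// can never be produced.
function save_media_hardened(array $file, string $mediaDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('bad upload');
    }
    $ext  = check_media_upload($file['tmp_name']);
    $dest = rtrim($mediaDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $dest;
}

// Post-incident sweep: list files in the media tree that PHP would execute
// by extension, or that contain an open tag regardless of extension (a
// backdoor renamed to .jpg still shows up; XML starting with <?xml will
// show up too and needs a human look).
function find_suspect_media(string $mediaDir): array
{
    $suspect = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($mediaDir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (preg_match('/\.ph(p\d?|tml|ar)$/i', $path) || strpos($head, '<?') !== false) {
            $suspect[] = $path;
        }
    }
    sort($suspect);
    return $suspect;
}

// Offline demonstration with constructed files (no real HTTP upload needed).
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . '/media_' . bin2hex(random_bytes(4));
    mkdir($dir);
    file_put_contents("$dir/logo.png", "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
    file_put_contents("$dir/photo.jpg", "<?php system(\$_GET['c']); ?>"); // backdoor behind .jpg
    file_put_contents("$dir/shell.php", "<?php eval(\$_POST['x']); ?>");

    foreach (['logo.png', 'photo.jpg', 'shell.php'] as $f) {
        try {
            echo "$f -> accepted as ." . check_media_upload("$dir/$f") . "\n";
        } catch (RuntimeException $e) {
            echo "$f -> " . $e->getMessage() . "\n";
        }
    }
    print_r(find_suspect_media($dir));
}
```

Run it with `php upload_check.php`: the PNG is the only file the content check accepts, and the sweep lists both the .php file and the PHP source hiding behind a .jpg name. The content check is the fix for the upload; independently of it, the media directory should be served with PHP execution disabled (for example `php_admin_flag engine off` inside an Apache `<Directory>` block for it), so that even a file that slips past the check is returned as data rather than run.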