[Imc-web] is it me or...

Mike Lehman rebelmike at earthlink.net
Mon May 2 22:02:06 CDT 2005


Zach,
All I know is that it went down for me when we had the flood of error 
messages just after 1:15pm today. As of when I replied to Randall, it 
still hadn't come back up, but is OK now.

Maybe I was jumping to conclusions. I know that we had an attempt on the 
website a couple of days back (Friday?), where a php command hack was 
attempted. Arun said we were OK, because you had the patches applied, 
and we didn't go down then -- I feared the worst when what happened 
today occurred.

There was a widespread series of attacks on IMCs in the last week or so. 
Numerous sites have been down. Madison was down, but came back up 
earlier today after being off most of the weekend. Here's the story that 
is in their Feature section.
Mike Lehman

From:
http://madison.indymedia.org/feature/display/23902/index.php
Right Wing Hackers Target IndyMedia Network
by HackThisSite.org
02 May 2005
Modified: 05/02 17:03 CDT
Right-wing hackers 'g00ns.com' are taking credit for attacking several 
IndyMedia websites posting anti-left rhetoric. This explains how to fix 
the bugs, who is responsible for the attacks, and how to prevent this 
kind of action in the future.
http://www.hackthissite.org/news/view/207
http://indymedia.us/en/2005/04/6718.shtml
http://portland.indymedia.org/en/2005/04/316502.shtml
http://portland.indymedia.org/en/2005/04/316466.shtml

The hacker group 'g00ns' (g00ns.com and g00ns-forum.com) are taking 
credit for attacking various indymedia sites including 
nyc.indymedia.org, colorado.indymedia.org, michiganimc.org, 
arkansas.indymedia.org, newjersey.indymedia.org, and others. On the 
website, they released a bunch of extreme right wing rhetoric, accusing 
indymedia of being 'anti-republican'.

Attacking an open publishing network means you're attacking freedom of 
speech itself. They do not want to participate in the political process 
through mature discussion or legal channels. These online fascists need 
to be exposed and confronted.

Before we go into who was responsible for these attacks, it is important 
to stay on the defensive and to prevent this sort of attack from 
happening again. Each IMC needs to rebuild and patch their software, 
change passwords, go through server logs + remove backdoors, etc. The 
specific vulnerability that was exploited had to do with allowing the 
upload of malicious PHP files to the media section of the website. This had 
been reported several months ago to the dadaIMC support staff, who had 
been advised to keep it private until the tech staff of each IMC had 
patched their software. It was later published to the dadaIMC website 
which contains details of how it was vulnerable and how to fix it. 
http://www.dadaimc.org/mod/software/alerts/dadaIMC/index.php?alert=1

Now let's dig some information up about who these g00n fascists are, and 
what we could do about it.

They have their WHOIS information protected but we looked closer and 
found that the same webserver that hosts g00nz.com also hosts 5 other 
websites:

g00ns.com is at 70.84.85.147 http://whois.webhosting.info/70.84.85.147 
(hosted by ThePlanet). Other websites: ASSOCIATEDOILS.COM. G00NS.COM. 
HACKERSRESOURCE.COM. HARRYPTAYLOR.COM. OGI2.COM. PARTNERSTX.ORG.

ThePlanet.com is a mainstream corporate web hosting service, who would 
certainly disapprove that g00ns.com is on their servers. You can email 
abuse (at) theplanet.com and legal (at) theplanet.com to report g00ns.com.

All of these sites seem to have been designed by CompleteCreations.com 
who does web design and hosting. A WHOIS of their domain reveals the 
full name and address:

Geddes, Wesley( wes (at) autoteamspeak.com)
Complete Creations
1314 Dunhill
Pasadena, Texas 77506
United States
(832) 735-4017

On hackersresource.com/register.cfm, the text g00n 777 (Wes) is 
displayed. CompleteCreations.com who is run by Wesley Geddes hosts and 
is a member of g00ns.com.

On the defaced IMC websites, 'clorox' takes credit for the attacks. We 
started looking around about clorox and, big surprise, it turns out it's 
the guy from RightWingExtremist.net. He had reported a security flaw in 
Centra 7 a while back regarding a XSS error (very similar to what he had 
used to attack IndyMedia months ago: 
http://chicago.indymedia.org/newswire/display/48180/index.php).

http://seclists.org/lists/bugtraq/2005/Apr/0156.html
"From: Clorox "

Elac aka awb0t aka Brett Chance from Plano, TX. Haven't you learned your 
lesson by now?

In the past, the g00ns have targeted online gaming clan websites, but 
since elac had joined up they have started to shift right. Other 
defacements the g00ns have committed: 
http://www.zone-h.org/en/defacements/filter/filter_defacer=g00ns/


Right Wing Hackers Attack Independent Media Centers
from "Notes from the Hacker Underground" at HackThisSite.org

A number of people have started to organize and attack various 
Independent Media Centers as well as a number of other progressive and 
leftist websites. In the past, these attacks have ranged from simple XSS 
attacks which redirect visitors to trashing the filesystem / databases. 
The people responsible show no understanding of the ideas behind the 
open publishing system IndyMedia, which is free for all users to 
participate in the discussion. These actions are neither hacking nor 
hacktivism: they utilize public pre-written exploits to simply 'shout 
the other side down'. An attack on IndyMedia is an attack on free speech 
itself. These right-wing extremists need to be confronted and exposed as 
the online fascists they really are.

During the Republican National Convention, a group of hackers called 
RightWingExtremist.net was formed by Brett Chance (elac, clorox, awb0t, 
etc) from Plano TX. This group came out of the ultra conservative 
ProtestWarrior.com which advocates disrupting and attacking leftist 
organizations. Their actions had started with minor stuff like launching 
ddos attacks on NYC IndyMedia. Later they discovered an XSS flaw in 
dadaIMC that allowed them to post news that would automatically redirect 
users to his own website where it would play sounds that said childish 
political rhetoric like 'the nazi indymedia wants to destroy israel', 
etc. Because of pressure from the online community, Brett from 
RightWingExtremist.net closed down the site for several months.

Months later, Jeremy from HackThisSite.org discovered a flaw in dadaIMC 
that allowed the upload of malicious PHP files which could be used to 
take over the entire server. This announcement was quietly made to 
dadaIMC who was urged to keep it private until the tech staff of every 
indymedia center was notified and had their scripts patched to protect 
themselves. Several other independent IndyMedia centers were notified 
and had their code base patched. But before the majority of sites were 
patched, DadaIMC posted the vulnerability information on the website, 
including instructions on how it can be exploited.

A month later a group calling itself the g00ns.com have attacked and 
defaced a dozen indymedia websites using the vulnerability posted to 
dadaimc. On the hacked websites, a message calling indymedia 'liars' and 
'anti-republicans' was posted. Soon after, hackers and indymedia techs 
started working together to fix each other's code and bring backups back 
online as well as find information about the g00ns.

The g00ns started out by targeting and attacking online gaming clan 
websites, but eventually Elac from RightWingExtremist.net joined up and 
started to turn the group farther to the right. When the IndyMedia sites 
were hacked, people started to gather information and infiltrate their 
organization and soon after all of their private details were released 
to the public to show that actions like this will not go unnoticed.

Many other right-wing trolls continue to try to disrupt IndyMedia and 
left-wing protest groups. These individuals operate under several 
different names including ProtestWarrior.com, RightWingExtremist.net, 
FreeRepublic.com, KobeHQ.com, FreeDominion.com, 
LittleGreenFootballs.com, and more. Many of these groups are suspected 
of being financed operations from governments or corporations similar to 
the COINTELPRO program from the 60s and 70s. Common activities range 
from flooding message boards, faking votes and reviews in online polls, 
releasing personal information of key organizers, spreading false rumors 
and scandals, etc.

All IndyMedia centers running DadaIMC are strongly encouraged to patch 
their software.

Details on the vulnerability are at:

http://www.dadaimc.org/mod/software/alerts/dadaIMC/index.php?alert=1
http://www.dadaimc.org/support.php?section=xss

[the above article will be featured in the upcoming 'notes from the 
hacker underground' zine available from hackthissite.org]

Zachary C. Miller wrote:

> What huh? The IMC website is not down. The site has been working for
> me today. weftfm.org is also fine. There were some network problems
> yesterday. This is the first I've heard of us being "under attack",
> could you provide more details about this attack? I don't want to
> spread fear about hackers when/if we're only experiencing network
> problems.
> 
> As soon as I get back to town (next week) I'll be moving us onto our
> shiny new T-1.
> 
> Mike Lehman wrote:
> 
>>Randall,
>>The IMC website ran into some issues early this afternoon. I don't know 
>>what, but the whole IMC network has been under attack the last week or 
>>so and attempts were made earlier in the week to hack our site. As of 
>>right now, it is still down. I assume the other sites are hosted on the 
>>same server and may be down for the same reason.
>>Mike Lehman
>>
>>Randall Cotton wrote:
>>
>>>Is it me or is web service on imsahp completely unresponsive right now? Load
>>>average is fine, network seems to be fine, apache is up and running, but I
>>>can't get a web page for WEFT, AWARE, IMC, etc.
>>>
>>>R
