The GNOME incident [UPDATED]
Written by Marcelo dos Santos de Almeida
Sunday, 25 June 2006

Today, at 1:27:43 AM GMT+2, Zone-H received notification of an incident that occurred on a website accredited to the GNOME Project. The attack was carried out by the Brazilian cracker group Spykids.

The GNOME Project is an effort to create a complete, free and easy-to-use desktop environment for users, as well as a powerful application development framework for software developers. GNOME is part of the GNU Project, and is Free Software (sometimes referred to as Open Source software).

The incident (a classic defacement) occurred on a GNOME subdomain, http://i18n-status.gnome.org, an alias pointing to a website that tracks the translation status of all GNOME localized language distributions.

The incident by itself would not be critical, were it not for the fact that the attacked website is hosted on the same server as the Commercial Linux Association of Denmark, from which legitimate users can download the latest localized releases of various Linux flavours (Ubuntu, Mandriva, Suse, Keldix and Fedora Core)...

This reminds us of the infamous Debian apt-get repository incident dating back a few months ago, where attackers managed to upload altered Ruby programming language packages. A similar incident dating back to 2003 was reported by the Debian.org crew, where several Debian servers were compromised and backdoored with the suckKIT rootkit.

Given that the Spykids crackers reported to Zone-H that the attack methodology was "Attack against the administrator/user (password stealing/sniffing)", whether true or not, we suggest that all Danish users hold off downloading anything from that server until a full check eventually discloses whether the distributions were affected by backdoors or not.
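The article does not say what "a full check" of the hosted images would consist of. One concrete check a mirror operator can run, added here as an example and not something Zone-H, GNOME or KLID.DK describe, is to recompute the SHA-256 of every image on the mirror and compare it with the checksum manifest published upstream by each distribution, flagging images that differ, images the manifest lists but the mirror lacks, and files on the mirror that no manifest covers. The manifest format assumed is the `hash  filename` layout written by `sha256sum`; the mirror directory, the file names and the manifest below are constructed in a temporary directory purely to exercise the code.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hash  filename' lines (sha256sum format) into {filename: hexdigest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        # sha256sum prefixes '*' to names hashed in binary mode; drop it.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_mirror(mirror_dir, manifest_text):
    """Compare every file in mirror_dir against the upstream manifest.

    Returns a dict with four lists: 'ok' (digest matches), 'mismatch'
    (file present but digest differs), 'missing' (listed upstream but not
    mirrored) and 'unlisted' (on the mirror but covered by no manifest entry).
    """
    expected = parse_manifest(manifest_text)
    result = {"ok": [], "mismatch": [], "missing": [], "unlisted": []}
    present = set(os.listdir(mirror_dir))
    for name, digest in expected.items():
        if name not in present:
            result["missing"].append(name)
            continue
        actual = sha256_file(os.path.join(mirror_dir, name))
        (result["ok"] if actual == digest else result["mismatch"]).append(name)
    result["unlisted"] = sorted(present - set(expected))
    return result


def demo():
    """Constructed mirror: one intact image, one altered image, one stray file,
    and a manifest entry whose image was never mirrored."""
    mirror = tempfile.mkdtemp(prefix="mirror-check-")
    intact = b"constructed-iso-contents-A"
    upstream_b = b"constructed-iso-contents-B"
    with open(os.path.join(mirror, "distro-a.iso"), "wb") as f:
        f.write(intact)
    with open(os.path.join(mirror, "distro-b.iso"), "wb") as f:
        f.write(upstream_b + b"-tampered")  # differs from what upstream published
    with open(os.path.join(mirror, "stray.txt"), "wb") as f:
        f.write(b"not covered by any manifest")
    manifest = "\n".join([
        f"{hashlib.sha256(intact).hexdigest()}  distro-a.iso",
        f"{hashlib.sha256(upstream_b).hexdigest()}  distro-b.iso",
        f"{hashlib.sha256(b'never-mirrored').hexdigest()}  distro-c.iso",
    ])
    return verify_mirror(mirror, manifest)


if __name__ == "__main__":
    for status, names in demo().items():
        print(f"{status:9s} {names}")
```

A clean result is every image under `ok` and nothing under `mismatch` or `unlisted`; a single `mismatch` on a server that has had unauthorized write access is exactly the case the article warns about, and the manifest must of course be fetched from the distribution's own site, not from the mirror being checked.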

[UPDATE]

For everybody's sake, we mailed both GNOME and KLID.DK warning them about the incident:

-------- Original Message --------
Subject: From Zone-H.org: incident report
Date: Sun, 25 Jun 2006 12:03:42 +0200
From: Roberto Preatoni (SyS64738) www.zone-h.org <[address withheld]>
Reply-To: [address withheld]
Organization: www.zone-h.org
To: [addresses withheld]
CC: [address withheld]

Dear Sirs,

we received at 1:27:43 AM GMT+2 notification of an incident (http://www.zone-h.org/index2.php?option=com_mirrorwrp&id=4199062 -still up) occurred to an alias (http://i18n-status.gnome.org) hosted on the same server of the Commercial Linux Association of Denmark from which legitimate users can also download the latest localized releases of various Linux flavour (Ubuntu, Mandriva, Suse, Keldix and Fedora Core).
In this view, and also in view of the fact the attackers notified us, whether true or not, that the intrusion happened after stealing administrative passwords, we suggest you to run a rootkit check on the Linux distributed images available on that server, just to keep everybody safe from nightmares.

Best regards

Roberto Preatoni www.zone-h.org

**********************************************************

Later on, we received this answer:

-------- Original Message --------
Subject: Re: From Zone-H.org: incident report
Resent-Date: Sun, 25 Jun 2006 14:20:43 +0200,    Sun, 25 Jun 2006 14:21:57 +0200
Resent-From: [addresses withheld]
Resent-To: [addresses withheld]
Date: Sun, 25 Jun 2006 13:41:32 +0200
From: Keld Jørn Simonsen <[address withheld]>
To: Roberto Preatoni (SyS64738) www.zone-h.org <[address withheld]>
CC: [addresses withheld]
References: [message-id withheld]

Thanks for notifying us. It was some old files that we had not removed, from an incident 10 nov 2005. They got access to write index.html files then, nothing else, and we closed the hole (insecure awstats) and restored all our index files from backup the same day. The file in question is from a tree that is supposed to be generated daily (daily translation statistics), and in November it was already outdated, so the script was not run. I have removed the files now.

best regards

keld 

**********************************************************

Uhm... after such a statement (it is strange to keep evidence of "old incidents" on a server from which people are downloading Linux versions), we decided to run a check on our archives over a range from two days before to two days after the "presumed" date of the incident, but we found nothing related to that Danish server:

09/11/2005 5:34:03,SPYKIDS,http://www.adcu.com.au,203.94.177.15
09/11/2005 17:51:08,SPYKIDS,http://www.bling.com.br,200.203.13.13
10/11/2005 0:35:49,SPYKIDS,http://www.fzampieri.com.br,200.168.19.104
10/11/2005 0:38:50,SPYKIDS,http://bsmnt.tecnolinux.com.br,200.168.19.104
10/11/2005 0:42:10,SPYKIDS,http://mergulhadores.com.br,200.168.19.104
10/11/2005 0:45:33,SPYKIDS,http://support.clevercom.com.br,200.168.19.104
10/11/2005 0:46:54,SPYKIDS,http://tecnolinux.com.br,200.168.19.104
10/11/2005 0:50:26,SPYKIDS,http://www.clevercom.com.br,200.168.19.104
12/11/2005 19:56:38,SPYKIDS,http://www.provib.de,83.64.218.179
12/11/2005 21:54:23,SPYKIDS,http://www.williamlee.hk,203.194.149.86

As you can see, no trace of such an incident is present in our archives. To be sure, we also ran a full check on our 1,561,804-record archive to see if we had any instances of that particular IP address (217.116.227.117), but once again no entries were found.
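The two lookups described above (a date window of two days either side of the presumed incident, then a whole-archive search for one IP address) are straightforward to script over records in the `date time,group,url,ip` shape quoted above. The following is an added example, not Zone-H's own tooling: it parses such records, tolerates the trailing comma seen on the first quoted line, and offers a date-window filter plus IP and domain lookups (the domain lookup also matches subdomains, which the article's case needs since the defaced alias was a subdomain). The sample archive is constructed for the example: the first five lines are copied from the article, the last line is a hypothetical record added so the date filter has something to exclude.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample archive. Lines 1-5 are the article's own records;
# the final line is hypothetical and lies outside the two-day window.
ARCHIVE = """\
09/11/2005 5:34:03,SPYKIDS,http://www.adcu.com.au,203.94.177.15,
09/11/2005 17:51:08,SPYKIDS,http://www.bling.com.br,200.203.13.13
10/11/2005 0:35:49,SPYKIDS,http://www.fzampieri.com.br,200.168.19.104
12/11/2005 19:56:38,SPYKIDS,http://www.provib.de,83.64.218.179
12/11/2005 21:54:23,SPYKIDS,http://www.williamlee.hk,203.194.149.86
20/11/2005 10:00:00,SPYKIDS,http://mirror.example.invalid,198.51.100.7
"""


def parse_archive(text):
    """Parse 'dd/mm/yyyy H:M:S,group,url,ip' lines; a trailing comma is ignored."""
    records = []
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line:
            continue
        when, group, url, ip = [p.strip() for p in line.split(",", 3)]
        records.append({
            "time": datetime.strptime(when, "%d/%m/%Y %H:%M:%S"),
            "group": group,
            "url": url,
            "host": (urlparse(url).hostname or "").lower(),
            "ip": ip,
        })
    return records


def in_window(records, presumed_date, days=2):
    """Records dated within +/- `days` calendar days of presumed_date ('dd/mm/yyyy')."""
    centre = datetime.strptime(presumed_date, "%d/%m/%Y").date()
    lo, hi = centre - timedelta(days=days), centre + timedelta(days=days)
    return [r for r in records if lo <= r["time"].date() <= hi]


def by_ip(records, ip):
    """Every record whose defaced host resolved to the given IP at the time."""
    return [r for r in records if r["ip"] == ip]


def by_domain(records, domain):
    """Records whose host is `domain` itself or any subdomain of it."""
    domain = domain.lower()
    return [r for r in records
            if r["host"] == domain or r["host"].endswith("." + domain)]


if __name__ == "__main__":
    recs = parse_archive(ARCHIVE)
    hits = in_window(recs, "10/11/2005")
    print(f"{len(hits)} records within 2 days of 10/11/2005")
    for r in hits:
        print("  ", r["time"], r["group"], r["url"], r["ip"])
    # The article's server IP and the KLID.DK domain: both come back empty here,
    # matching the outcome Zone-H reports.
    print("server IP hits:", by_ip(recs, "217.116.227.117"))
    print("klid.dk hits:", by_domain(recs, "klid.dk"))
```

The window filter works on calendar dates rather than timestamps, so "two days more and two days less" includes whole days at both ends; if an archive records times in a different zone from the reporter's, widening the window by a day on each side avoids missing a record that straddles midnight.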

So we reached out to Spykids asking for details about the intrusion, but they declared that the defacement HTML was theirs and was indeed 8 months old, yet they had never hacked that server.

At this point we leave it to you to form your own opinion on this incident; Zone-H did everything on its side.