A group of hackers recently attacked and took offline several websites belonging to groups that trade stolen credit-card data, security experts, and other hacking communities that had neglected basic security practices.

On Christmas morning, the administrators of six websites discovered their sites had been hacked. According to a newsletter published by the hackers on Dec. 25, the second issue of "Owned and Exposed" listed carders.cc, ettercap, exploit-db, backtrack, inj3ct0r, and free-hack as compromised sites. Free-hack was targeted for being "lame script kiddies," while the other sites had criminal ties or were security experts criticized for their poor security practices, as noted in the e-zine.

Mati Aharoni, the administrator of exploit-db, a site cataloging known exploits and vulnerabilities, admitted the breach in a blog post but mentioned that the damage was minimal. "Other than our egos, the damage is not severe," Aharoni wrote. The hackers posted a copy of the Owned and Exposed newsletter on exploit-db’s "papers" section.

After compromising exploit-db, the hackers targeted backtrack-linux.org, as both sites shared a subnet and administrator. They found the same root account and password used for all web scripts, WordPress installations, and MySQL databases on backtrack. "No wonder why it was super easy to get a shell," the group wrote. However, exploit-db and backtrack-linux were not taken offline.

The vigilante hackers also targeted carders.cc, a German online forum for trading and selling stolen financial data. The group shut down the site in its inaugural issue in May, describing it as "a marketplace full of everything that is illegal and bad," including drugs, weapons, and stolen credit card numbers.

After the first attack, carders.cc was offline for a few days but returned with new administrators, software, and some disabled functions, according to the e-zine. The newsletter did not detail how the hackers accessed the system but mentioned it’s "hard to harden a system when everything is backdoored."

With access to the server, the hackers could list all files, view PHP scripts, and access configuration files for the MySQL database and WordPress blog. One script appeared to perform a denial-of-service attack when executed. After accessing the database and WordPress platform, the attackers deleted everything from the servers. Despite this, carders.cc was back online three days later.

Another compromised site, inj3ct0r, had claimed to have hacked Facebook servers in November. The newsletter noted that their boasting and complaints about resulting legal issues "was just too ridiculous for us to let them continue existing." The inj3ct0r servers lacked critical updates, with some software in a half-updated state.

Ettercap, another target, hosted message boards and files for a "white hat" penetration testing tool on SourceForge. While useful for man-in-the-middle attacks, the tool had been unmaintained for five years, and the group found evidence it had already been compromised. The hackers warned against downloading anything from the site.

These hacks highlight a crucial lesson for system administrators and security teams, according to Chester Wisniewski, a senior security advisor at Sophos. "Nearly all" the victims had "lapsed" on some security fundamentals, exposing them through "one little chink in the armor," Wisniewski wrote. This was also evident during Gawker's massive server compromise, where administrators lagged behind critical patches and used the same credentials across multiple systems. Wisniewski stressed the danger of using administrator accounts for database and filesystem maintenance, as illustrated by the e-zine.
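As an added illustration of Wisniewski's point (this is example code, not from the article or any of the sites it names), a small audit that reads WordPress wp-config.php fragments from several installations on one host and flags the two lapses described above: a site connecting to MySQL as root, and one database password shared across installations. The configuration fragments and credentials are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed wp-config.php fragments for three hypothetical sites on one host.
# The credentials are made up; two sites repeat the lapse the article describes.
SAMPLE_CONFIGS = {
    "site-a/wp-config.php": """
define('DB_NAME', 'site_a');
define('DB_USER', 'root');
define('DB_PASSWORD', 'SharedRootPass');
define('DB_HOST', 'localhost');
""",
    "site-b/wp-config.php": """
define( 'DB_NAME', 'site_b' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', 'SharedRootPass' );
define( 'DB_HOST', 'localhost' );
""",
    "site-c/wp-config.php": """
define('DB_NAME', 'site_c');
define('DB_USER', 'site_c_app');
define('DB_PASSWORD', 'unique-per-app-secret');
define('DB_HOST', 'localhost');
""",
}

# Matches define('DB_XXX', 'value') with or without the spacing WordPress uses.
DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_db_settings(text):
    """Return the DB_* constants defined in one wp-config.php body."""
    return dict(DEFINE_RE.findall(text))


def audit(configs):
    """Return (where, issue) pairs: root DB accounts and passwords reused across sites."""
    findings, by_password = [], defaultdict(list)
    for path, text in configs.items():
        settings = parse_db_settings(text)
        if settings.get("DB_USER") == "root":
            findings.append((path, "DB_USER is root; use a per-site account with only the grants WordPress needs"))
        if settings.get("DB_PASSWORD"):
            by_password[settings["DB_PASSWORD"]].append(path)
    for paths in by_password.values():
        if len(paths) > 1:  # one compromised site exposes every site sharing the secret
            findings.append((", ".join(sorted(paths)), "same DB password reused across %d installations" % len(paths)))
    return findings


if __name__ == "__main__":
    for where, issue in audit(SAMPLE_CONFIGS):
        print(f"{where}: {issue}")
```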
