Tuesday, January 23, 2007

Zone-H got defaced

Defacement archive Zone-H has itself been defaced.

I got this info from a post on the echo official mailing list sent by Charlie Crespo (our old friend from Singapore, also a member of SIG^2; hi cecil). The defacement was still in place as I wrote this post (January 23rd, 2007: 21.10 WIB). In December 2006 Zone-H also got defaced.

As far as I know, they are running the Apache web server on the Linux operating system and using a customized Joomla content management system.

Updated (January 24th, 2007)

Confirmation from R. Preatoni about the zone-h.org defacement, from the Zone-H official page:
Have you recently seen a different Zone-H when trying to access our pages? Magic of DNS redirection.

It appears that Saudi Arabia crackers managed to get the passwords of our registrar (our registrant panel to be precise), accessed the domain management page and changed the DNS entries, pointing the zone-h domain to an IP address belonging to the crackers on which they mounted the page you saw in the last 48 hours.

48 hours!?! So long it took to take contact with the registrar (they work only through email communication), explain the problem to 8 different people then finally getting a reset of our credentials, taking the domain back in control.

On the funny side, the same problem happened to Google in its German version which yesterday evening was redirected to a different page (different owner actually). In this case (automatic German/English translation) the trick was a bogus domain transfer request that a German provider accepted without explicit authorization from Google Inc. (silence-consense).

What a day! We are so glad we deserve so much of attention.

PS: you will soon find the mirrors in our DB as even though Zone-H wasn't hacked, from the users' point of view it appeared defaced, as only a few users realized they weren't visiting the actual Zone-H server. From the historical point of view exactly the same incident happened to the Al Jazeera sat TV network website, where a hacker managed to trick the registrar to send him the domain control passwords after sending a bogus passport copy during the ID verification process, subsequently changing Al Jazeera's DNS pointing to a different server.

P.S.: that's why the "funny" script I saw on the "Defacement page" yesterday was the icon linking to zone-h.it:
<link rel="shortcut icon" href="http://www.zone-h.it/images/favicon.ico">
Well, well: as an attacker you just need to find the weakest link, isn't it?
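
A registrar-panel compromise like the one described in the confirmation above is visible from outside as a change in the domain's NS delegation or A records. The following is an added example, not part of the original post or any Zone-H code, of a baseline check over dig-style answer lines; the domain, nameservers, addresses and function names are all constructed assumptions.

```python
# Added example; all names and addresses are constructed (RFC 2606 / RFC 5737).
BASELINE = {
    "NS": {"ns1.example.net.", "ns2.example.net."},
    "A": {"192.0.2.10"},
}

def parse_answers(text):
    """Parse dig-style answer lines: name TTL class type rdata."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blanks and dig comment lines
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            continue  # not a well-formed answer line
        rtype, rdata = fields[3].upper(), fields[4]
        if rtype == "NS":
            rdata = rdata.lower().rstrip(".") + "."  # normalise host names
        records.setdefault(rtype, set()).add(rdata)
    return records

def check_drift(baseline, observed):
    """Return (severity, message) findings; NS drift means the delegation moved."""
    findings = []
    for rtype, severity in (("NS", "critical"), ("A", "high")):
        expected = baseline.get(rtype, set())
        seen = observed.get(rtype, set())
        unexpected, missing = seen - expected, expected - seen
        if unexpected:
            findings.append((severity, f"unexpected {rtype}: {sorted(unexpected)}"))
        if missing:
            findings.append((severity, f"missing {rtype}: {sorted(missing)}"))
    return findings

# Constructed snapshots: one healthy, one after the delegation was changed.
HEALTHY = """
example.org. 3600 IN NS ns1.example.net.
example.org. 3600 IN NS NS2.example.net
example.org. 300 IN A 192.0.2.10
"""
HIJACKED = """
; constructed: delegation and address both replaced
example.org. 3600 IN NS ns1.attacker.example.
example.org. 300 IN A 198.51.100.66
"""
if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY), ("hijacked", HIJACKED)):
        print(name, check_drift(BASELINE, parse_answers(snap)))
```

Run from several independent resolvers and alert on any finding; a 48-hour window like the one described above is far shorter when the NS change itself raises the alarm.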