The chronicle of an attack!

A Hacker can attack his own community? At the 1st August the site has been defaced by a group of crackers known under the name of eMP3R0r_TEAM. Their page has been online for about 2 hours before the site has been restored back. This attack has been successfully due to a misconfiguration of the shared server of a well known Italian internet service provider that hosts our pages which is for several days has exposed the home location of thousands of users to attacks by crackers! Fortunately was the only site to have been defaced, but has not ruled out that other data has been stolen for future attacks at other sites. Our analysis has identified more than 5000 vulnerable accounts!

As you know BackBox is a community that part of the Free/Open Source Software, simply developing a Linux distribution, and would not have expected such an attack. We do not adhere to any side that would define us as a subject of attack. A hacker has valid reasons to attack a specific entity, would do it for moral principles, ethical and ideological. Assuming that a hacker will never attacked a proper communities in our case we are dealing with a group of unstable that running random attacks as soon as they detect any known vulnerability on any web portal.

Of course even if what happened was truely sad we had not discouraged and not lose heart. After restoring back online our web site we start to investigate to get further information. We have analyzed step by step the entire attack process by reverse and we were able the gathered useful information (including personal detail) about attackers.

The “dreaded” eMP3R0r_TEAM is a group of iranian activists who carry out attacks randomly on whole potential vulnerable web sites by targeting mostly European sites. During our investigation and analysis we were able to obtain the complete details of the man who personally performed the attack (nick iM4n) and we collected a variety of tests that confirmed his identity. Just to make you some idea of ​​a character who loves to dress brand, Tissot watches wears expensive, attends ski resorts of Uludag (Turkey) and has some very expensive computer equipment (laptop lenovo generation, etc..). The character that we dealing with is Amir Hosein, born in on 21/10/1983 in Hell (Tehran) Iran. He works full-time on IT security and he seems to be the head of a small team.

Returning to the technical aspects of the attack…

The issue has had dramatic implications for how it was managed by the our ISP. As we talking about a hosting shared in that case the responsibility of what happened is completely belong to ISP. Despite our repeated emails, the ISP has snubbed the entire story by not providing any kind of support and also denying us to access log to our site!

The attack began through one of the website with a Joomla installation insecure that reside on server where our site located. The crackers violating this CMS site and have uploaded a webshell with which they were able to read the home directory. Strangely, for several days the home directory of all hosts on the shared server could be navigated easily by any user by allowing them also to read the configuration files. After heaving read the data relating to the installation of our forum (SMF) and using the same webshell they have changed the MySQL database records for the account admin and then getting administrative privileges/access to the forum. By obtaining the highest privileges there were quite easy for them to uploading a backdoor into the home of through which they were able to modify the index.php file of our site.

After having confirmed the information above specified, by demonstrating how the data of all users of provider were exposed (and we were doing the entire job for provider), the provider have finally decided to pay attention to us and only after 5 days (since when we have noticed to them this issue) they were able to correct this vulnerabilities by setting correctly privileges for each user on server.

In on of their statement that they sent to us they says that after a careful analysis we have confirmed the vulnerability, which was occurred after an upgrade to a newer version of php. In short, the permissions of the public_html directory of “some accounts” were set up with incorrect values ​… (?)

The whole event/process is incredible… “a few accounts” as they say, are actually more than 5000 sites hosted on their servers. Since now the provider have no released any official declaration regardin! An “oversight” of this magnitude should be made ​​known as soon as possible in order to give users the ability to backup their data and change the passwords of their sites.

Actually (I mean right now), it seems to be not accessible/readable anymore the user home directories from neighbor/other accounts. That’s why we have decided to release this news after the issue has been fixed. We would like to get further attention of our provider to remain vigilant, it is possible that the crackers are in possession of other information that could compromise the security of the entire server again.

Regarding eMP3R0r_TEAM must be said that they’ve been kindly after all, by not causing big harm. By the way, an attack like this certainly not honored.

That is only the first part of our investigation…