LebGeeks

A community for technology geeks in Lebanon.

#1 January 25 2007

Padre
Member

tayyar.org hack

Around 8pm tayyar.org got defaced for some time and then it was all chaos, between defaced and a not-so-normal site.
Now it's back up and running.
Here are some screenshots taken by a friend of mine.

admin edit: to whom it may concern, neither Padre nor LebGeeks is responsible for the act represented in the following picture.

[screenshot: 446582094av.jpg]
Can't upload the rest now, maybe later.

#2 January 26 2007

mezin
Member

Re: tayyar.org hack

kewl !!

#3 January 26 2007

mir
Member

Re: tayyar.org hack

Well Padre... you did it again...

There was also a DoS on the site.

Well, regardless of political opinion,
I believe that this kind of stuff conflicts with the values of the people doing it.
I mean, there should be respect and democracy and those kinds of values,
and defacing kinda conflicts with the above values,
and really... no one can shut anyone up in Lebanon.

Anyway... maybe they should have put some kind of message on the site, or added a pop-up or something,
not a complete deface.

#4 January 26 2007

rolf
Member

Re: tayyar.org hack

Cool.
Was there a DoS on lfpm.org?

#5 January 26 2007

samer
Admin

Re: tayyar.org hack

Am I a predictor or what? While I was on the site at ~4PM yesterday, I noticed a database error and figured something was messing up with their web site. At first I thought it might be database overload because of the high traffic the site is getting. But soon after I realized something was wrong...

Looks like zone-h didn't mirror it! Oh well.. too bad.
Oh and, I don't want this conversation to turn into politics.

#6 January 26 2007

Padre
Member

Re: tayyar.org hack

No... NOT ME.
Sorry about that, but this time it's not me :)

#7 January 26 2007

battikh
Member

Re: tayyar.org hack

It was 12:57pm and a Wednesday for your friend when it was around 8pm and a Thursday in Lebanon? Using a proxy in Saudi Arabia? It's rainy where he is today? He has a Toshiba? Seems it has plenty of RAM.

#8 January 26 2007

samer
Admin

Re: tayyar.org hack

It wasn't a DoS, but if it were, I think it would be attacked by hundreds (thousands?) of zombies rather than a single computer doing it. That is, if he (or they?) did not use a vuln that leads to a DoS attack.

#9 January 26 2007

Padre
Member

Re: tayyar.org hack

There wasn't any DDoS... it was a deface,
and I think the admin had to restart the machine for some checks.
I received that email in a forward, so I don't really know who the original guy is.
But how did you know about the RAM?

#10 January 26 2007

battikh
Member

Re: tayyar.org hack

I didn't, but he opens a lot of windows, has many plugins in Firefox, has a lot of stuff in his taskbar and runs WoW at the same time.

I mean: applications in the taskbar + 5 tabs in Firefox + plugins + Windows Media Player + 7 conversation windows in MSN + 4 Internet Explorer windows showing pictures + Paint + WoW + he takes a 1440x900 screenshot.

Last edited by battikh (January 26 2007)

#11 January 26 2007

mir
Member

Re: tayyar.org hack

hide IP: 212.138.64.144

The proof he has a lot of RAM is that he is using 4 IE7 windows
and Media Player.

That means he has lots and lots of RAM to be able to run those,
and since he never considered alternatives... then... it makes you think so.

#12 January 26 2007

battikh
Member

Re: tayyar.org hack

The hide IP 212.138.64.144:80 is a Saudi proxy if I'm not wrong.

And the 4 IE7 windows are 4 different windows, not tabs, so each one could even contain more than 1 tab.

Last edited by battikh (January 26 2007)

#13 January 26 2007

Padre
Member

Re: tayyar.org hack

Yeah, correct:

ache4-0.jed.isu.net.sa (212.138.64.144)

    212.138.64.0 - 212.138.70.255
Internet Service Unit ISU

    KACST ROLE
Saudi Network Information Center, ISU
King Abdulaziz City for Science and Technology,
P.O.Box 6086, Riyadh 11442, Saudi Arabia.
+9661 481 3933
+9661 481 3254

#14 January 26 2007

samer
Admin

Re: tayyar.org hack

Padre, I was establishing the link between battikh's reply and the one Mir made :)

There was also a DOS on the site

seems it has plenty of ram.

===>

I think it was a DDoS by hundreds (thousands?) of zombies rather than a single computer doing it.

#15 January 26 2007

battikh
Member

Re: tayyar.org hack

Okay, now we know that the guy:
-uses Win XP
-has a Toshiba laptop
-should have at least 1GB of RAM
-uses a proxy in Saudi Arabia
-uses Firefox and IE7
-has a 1440x900 screen resolution (using an external LCD screen? a docking station?)
-chats a lot
-uses Google Web Accelerator

But still 1 problem:
if the defacement happened on Thursday at 19:00 Beirut time (depending on tayyar's site), how come it's still Wednesday for him? Is he a person coming from a parallel universe?

#16 January 26 2007

Padre
Member

Re: tayyar.org hack

lol...think about time zones...

#17 January 26 2007

battikh
Member

Re: tayyar.org hack

I did, but it makes more than the maximum.
That is, on his computer: Wednesday 12:57pm;
attack on tayyar's site: Thursday 19:00pm,
which makes a difference of 30h, and (as far as I know) there is no GMT-28.
I'm still on my first deduction: he lives in a parallel universe.

#18 January 26 2007

Padre
Member

Re: tayyar.org hack

OK, then maybe the page was opened, and the screenshots were taken later :)
Or the date was modified.
Anyway, I don't think that the guy that sent the pic is the one that hacked the site.

#19 January 26 2007

MegaCool
Member

Re: tayyar.org hack

Maybe the date and time properties are just wrong, because I visited the site at 21:06 and it was still hacked.

Last edited by MegaCool (January 26 2007)

#20 January 27 2007

Padre
Member

Re: tayyar.org hack

Yeah, probably.
Anyway, I would be interested to know how this was done, since I'm sure lots of people were trying to deface the site and it must be pretty secure. So let's come up with a "how-to" for this one. Any ideas?

#21 January 27 2007

samer
Admin

Re: tayyar.org hack

Sure Padre :)

Notice the ad for Sleep Comfort? I'd say the attacker injected the new page using an SQL injection vulnerability...

Or, another scenario, a little bit more complicated:

The attacker knows the webmaster is using a known CMS, discovered a cross-site scripting vuln, and sent him a poisoned URI that automagically replaces the homepage's content with his. But as I said, it's a bit more complex and requires knowledge of the underlying system tayyar is using. So I doubt someone took the time to do it for something that is IMHO a bit stupid (since a defacement brings nothing of value).
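The SQL injection scenario samer describes above, shown as an added example that is not from this thread and has nothing to do with tayyar.org's real code or schema: a tiny constructed "pages" table standing in for a home-grown CMS, one page-lookup written the PHP 4-era way (user input spliced into the SQL string) beside the same lookup with a bound parameter, plus a crude log-side check. The table, slugs, body text and function names are all assumptions made up for the illustration.

```python
import sqlite3
import re

# Constructed sample data: a stand-in for a CMS content table (not tayyar.org's schema).
SAMPLE_PAGES = [
    ("home", "Welcome to the official site"),
    ("staging", "UNPUBLISHED DRAFT - not for the public"),
]


def make_content_db():
    """In-memory SQLite database seeded with the constructed sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO pages (slug, body) VALUES (?, ?)", SAMPLE_PAGES)
    return conn


def render_page_vulnerable(conn, slug):
    """Builds the query by string formatting, so the slug is parsed as SQL grammar.

    This is the defect class samer suspects: a request parameter decides which row
    (or, with a write query, which content) the CMS serves.
    """
    sql = "SELECT body FROM pages WHERE slug = '%s'" % slug
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def render_page_safe(conn, slug):
    """Passes the slug as a bound parameter, so it can only ever match as data."""
    row = conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


def compare(slug):
    """Return (vulnerable result, safe result) for the same request parameter."""
    conn = make_content_db()
    try:
        return render_page_vulnerable(conn, slug), render_page_safe(conn, slug)
    finally:
        conn.close()


# Heuristic for a web-log review: a CMS slug should be a plain path token, so quote
# characters or SQL comment markers in it are worth a second look. Assumed rule, not
# a complete detector.
_SUSPICIOUS = re.compile(r"['\";]|--|/\*")


def suspicious_slug(slug):
    return bool(_SUSPICIOUS.search(slug))


if __name__ == "__main__":
    for requested in ("home", "x' OR slug = 'staging' --"):
        vuln, safe = compare(requested)
        print(repr(requested), "->", "flag" if suspicious_slug(requested) else "ok")
        print("  string-built query served:", vuln)
        print("  parameterised query served:", safe)
```

With the crafted slug the string-built query becomes `... WHERE slug = 'x' OR slug = 'staging' --'`, so the CMS happily serves the unpublished row; the parameterised version looks for a page literally named `x' OR slug = 'staging' --`, finds none, and returns nothing. The fix is the second function, not input filtering: the regex is only a triage aid for reading access logs after the fact.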

#22 January 27 2007

samer
Admin

Re: tayyar.org hack

here's the server config:

Apache/1.3.37 (Unix)
mod_auth_passthrough/1.8
mod_log_bytes/1.2
mod_bwlimited/1.4
PHP/4.4.4
FrontPage/5.0.2.2635.SR1.2
mod_ssl/2.8.28
OpenSSL/0.9.7a

OpenSSL seems outdated, but it seems most of the vulns are for DoS/crashing purposes.
I didn't check the other stuff, maybe later...

btw, the guy that is hosting their web site is on my MSN contact list, i'll try to contact him for further investigation :)
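The server banner samer pasted above, turned into the kind of check a defender would run on their own hosts: an added example, not from the thread and not tayyar.org's tooling. It parses the `Server` header into component/version pairs, compares versions with a tolerant key that copes with strings like `0.9.7a` and `5.0.2.2635.SR1.2`, and flags anything below a minimum-version policy. The policy thresholds (`MIN_VERSIONS`) are assumed placeholder values for the illustration, not a statement about which versions were vulnerable in 2007.

```python
import re

# The components listed in the thread, joined onto one line the way Apache sends them.
BANNER = ("Apache/1.3.37 (Unix) mod_auth_passthrough/1.8 mod_log_bytes/1.2 "
          "mod_bwlimited/1.4 PHP/4.4.4 FrontPage/5.0.2.2635.SR1.2 "
          "mod_ssl/2.8.28 OpenSSL/0.9.7a")

# Assumed minimum-version policy (illustrative thresholds, not the thread's claims).
MIN_VERSIONS = {
    "OpenSSL": "0.9.8",
    "PHP": "5.0.0",
}


def parse_banner(banner):
    """Extract every 'Name/version' token from a Server header into {name: version}."""
    return dict(re.findall(r"([A-Za-z_]+)/([\w.\-]+)", banner))


def version_key(version):
    """Turn '0.9.7a' into a comparable tuple.

    Numeric segments compare numerically, alphabetic ones lexically; the leading
    0/1 tag keeps ints and strings from being compared with each other.
    """
    return tuple((0, int(tok)) if tok.isdigit() else (1, tok)
                 for tok in re.findall(r"\d+|[A-Za-z]+", version))


def outdated_components(banner, policy=MIN_VERSIONS):
    """Names of advertised components whose version is below the policy floor."""
    found = parse_banner(banner)
    return sorted(name for name, floor in policy.items()
                  if name in found and version_key(found[name]) < version_key(floor))


if __name__ == "__main__":
    for name, version in parse_banner(BANNER).items():
        print("%-22s %s" % (name, version))
    print("below policy floor:", outdated_components(BANNER))
```

The same header that lets a forum thread inventory a server lets anyone else do it too; on Apache the `ServerTokens Prod` and `ServerSignature Off` directives cut the banner down to `Apache`, which does not fix anything but removes the free version list. Patching is still the real control, and that is what the policy comparison is for.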

#23 January 27 2007

Padre
Member

Re: tayyar.org hack

yeah please do :)
As for their CMS, they built it. I don't think they are using any premade CMS, as I can't see any known CMS signature in the code, but maybe I'm wrong.
As for the injection, it is possible. Well, I guess it's the most plausible. But from what I checked, it's kinda hard to inject something into their code. Dunno, but maybe it's just me.

#24 January 28 2007

mezin
Member

Re: tayyar.org hack

You can also tell from the picture that he had a headache and that he was abused as a child.

But one thing puzzles me though... where did he hide his pointer? I'm tempted to consider top right... what do you guys think?

#25 January 28 2007

Padre
Member

Re: tayyar.org hack

Pointer? What pointer?
