around 8pm tayyar.org got defaced for some time and then it was all chaos, between defaced and not so normal site.
now it's back up and running
here are some screenshots taken by a friend of mine
admin edit: to whom it may concern, neither Padre nor LebGeeks is responsible for the act represented in the following picture.
can't upload the rest now, maybe later.
kewl !!
well Padre.. u did it again ...
There was also a DOS on the site
well regardless of political opinion
I believe that this kind of stuff conflicts with the values of the ppl doin it
I mean, there should be respect and democracy and those kinds of values
and defacing kinda conflicts with the above values
and really.. no one can shut anyone up in leb
anyway..maybe they should have put some kind of message on the site.. or add a pop up or something
not a complete deface
cool
was there a dos on lfpm.org?
Am I a predictor or what? While i was on the site at ~4PM yesterday, I noticed a database error and figured something is messing up with their web site. At first I thought it might be database overload because of the high-traffic the site is getting. But soon after I realized something was wrong..
Looks like zone-h didn't mirror it! Oh well.. too bad.
Oh and, I don't want this conversation to turn into politics.
no .... NOT ME
sorry about that, but this time it's not me :)
it was 12:57pm and a wednesday at your friend's when it was around 8pm and a thursday in lebanon? using a proxy in saudi arabia? today is rainy where he is? he has a toshiba? seems it has plenty of ram.
It wasn't a DoS but if it were, I think it would be attacked by hundreds (thousands?) of zombies rather than a single computer doing it. That is, if he (or they?) did not use a vuln that leads to a DoS attack.
there wasn't any DDos ....it was a deface
and i think the admin had to restart the machine for some checks
i received that email in a forward. so don't really know who the original guy is.
but how did u know about the ram?
i didn't, but I mean he opens a lot of windows and has many plugins in firefox and has a lot of stuff in his taskbar and runs WoW at the same time
I mean applications in taskbar+5 tabs in firefox+plugins+windows media player+7 conversation windows in msn+4 internet explorer windows showing pictures+paint+WoW+he takes a 1440x900 screenshot
Last edited by battikh (January 26 2007)
hide IP : 212.138.64.144
the proof he has lot of ram is that he is using 4 ie7 windows
media player
that means he has lot lots lots of ram to be able to run those
and since he never considered alternatives.. then.. it makes u think so
the hide IP: 212.138.64.144:80 is a saudi proxy if i'm not wrong.
and the 4 IE7 windows are 4 different windows, not tabs, so each one could even contain more than 1 tab
Last edited by battikh (January 26 2007)
yeah correct
ache4-0.jed.isu.net.sa (212.138.64.144)
212.138.64.0 - 212.138.70.255
Internet Service Unit ISU
KACST ROLE
Saudi Network Information Center, ISU
King Abdulaziz City for Science and Technology,
P.O.Box 6086, Riyadh 11442, Saudi Arabia.
+9661 481 3933
+9661 481 3254
Padre, i was establishing the link between battikh's reply and the one Mir made :)
There was also a DOS on the site
seems it has plenty of ram.
===>
I think it was a DDoS by hundreds (thousands?) of zombies rather than a single computer doing it.
ok, now we know that the guy:
-uses win XP
-has a toshiba laptop
-should have at least 1GB of ram
-uses a proxy in saudi arabia
-uses firefox and IE7
-has a 1440x900 screen resolution (using an external LCD screen? a docking station?)
-chats a lot
-uses google web accelerator
but still 1 problem:
if the defacement happened on thursday at 19:00 beirut time (depending on tayyar's site), how come it's still wednesday for him? is he a person coming from a parallel universe?
lol...think about time zones...
i did, but it makes more than the maximum.
I mean on his computer: wednesday 12:57pm
attack on tayyar's site: thursday 19:00pm
which makes a difference of 30h and (as far as I know) there is not a GMT-28
i'm still on my first deduction, he lives in a parallel universe
ok then maybe the page was opened, and then screen shots were taken later :)
or the date was modified.
anyway, i don't think that the guy that sent the pic is the one that hacked the site
Maybe the date and time properties are just wrong, because I visited the site at 21:06 and it was still hacked.
Last edited by MegaCool (January 26 2007)
yeah probably.
anyway, i would be interested to know how this was done. since i'm sure lots of ppl were trying to deface the site and it must be pretty secure. so let's come up with "how-to" for this one. any ideas ?
Sure Padre :)
Notice the ad for sleep comfort? i'd say the attacker injected the new page using an sql injection vulnerability..
or, another scenario, a little bit more complicated:
attacker knows the webmaster is using a known cms, he discovered a cross site scripting vuln, sent him a poisoned URI that automagically replaces the homepage's content with his. But as I said, it's a bit more complex and requires knowledge of the underlying system tayyar is using. So I doubt someone took the time to do it for something IMHO, a bit stupid (since a defacement brings nothing of value).
here's the server config:
Apache/1.3.37 (Unix)
mod_auth_passthrough/1.8
mod_log_bytes/1.2
mod_bwlimited/1.4
PHP/4.4.4
FrontPage/5.0.2.2635.SR1.2
mod_ssl/2.8.28
OpenSSL/0.9.7a
openSSL seems outdated, but it seems most of the vulns are for DoS/Crashing purposes.
I didn't check the other stuff, maybe later..
btw, the guy that is hosting their web site is on my MSN contact list, i'll try to contact him for further investigation :)
yeah please do :)
as for their CMS, they built it. i don't think they are using any premade cms as i can't see any known CMS signature in the code, but maybe i'm wrong.
as for the injection, it is possible. well i guess the most plausible. but from what i checked, it's kinda hard to inject smth into their code. dunno, but maybe it's just me.
you can also tell from the picture that he had a headache and that he was abused as a child
but one thing puzzles me though... where did he hide his pointer ? i'm tempted to consider top right ... what do you guys think ?
pointer ? what pointer ?