Hacking the Kuffar

Since the world of Islam at large got incensed over the Danish Mohammad Cartoon's of Blasphemy there has been a marked increase in cyber attacks on Western leaning websites. These have been a combination of website defacements and Distributed Denial of Service (DDoS) attacks.

Some of the more prominent bloggers, and quite a few of the smaller ones, have been subjected to this sort of treatment for failing to submit to Islamic intimidation fast enough. Michelle Malkin and Aarons Rantblog have compiled a list of over 100 blogs that have been affected by such attacks, the Counter Terror Blog has even covered portions of this activity.

The details of how such attacks can occur with such apparent ease and frequency are often unknown to the average reader (or blogger) and they probably couldnt make sense of it if they did know. This is not meant to slight those people in any way, only to put this post in the proper context before I get to the meat of the matter. Computer Security to some is some kind of "black art" that only malicious hackers can perform, this is a mistaken perception of reality. In some cases it takes very little skill to develop a sizeable botnet for use as a DDoS platform or deface any number of webpages. Some vulnerabilties are so easily exploited a relatively unskilled individual, with some trial and error, can crack a webserver for defacement in no time at all. All that is really needed is a little bit of computer skill, some spare time and here's the biggest requirement, no threat of legal prosecution.

There are quite a few areas of the world such as the former Soviet Republics, the Middle East and the bulk of Asia where cyber attackers need not fear retribution from Law Enforcement for their deeds. The Governments really don't have the means to restrict such activity and probably don't have the desire to restrict it if they could. Take for example the case of John William Racine II, a Web Designer in California who defaced Al-Jazeera's website after the start of the Iraq War. He was prosecuted and convicted, fired from his job, fined a hefty sum and now carries a criminal record, no such future awaits the aspiring cyber-jihadi. I'm not saying there isn't a coordinated jihadist threat on the Internet, I just don't think it's the prelude to Armagedden that some would have the public believe.

Now, as grim as this may sound it doesnt mean the good guys are doing thier part either, there are a number of groups and individuals making an effort at combating such miscreants on the web.The Honeynet Project has an excellent writeup on Tracking Botnets and the Shadowserver group is currently tracking 200 or more botnets, there are also multiple other groups involved in similiar activity. If you have been the victim of such an attack recently you may want to volunteer your server logs to the local FBI office or CERT group for analysis, every bit of information helps.

As an added bonus to this article I'll present you with a real life example of just how easy this sort of cyber attack really is. This may get a bit technical so stay with me here, you'll be glad you did. A few days ago I surfed over to Little Green Footballs and ran across this article regarding Iranian President Mahmoud Ahmadinejad's online Weblog. As I read through the article I noticed that the web page in reference had a big long URL string like "http://www.president.ir/eng/ahmadinejad/messages/". The first thing that comes to my mind when I see that is "I wonder if the admin disabled directory indexing on the webserver?". If a visitor is able to index directories on a webserver you can view all of the files in a given directory, ie: if you removed the "/messages/" from the URL you should be able to see all files in the "/eng/ahmadinejad" directory in list form. Here's what an intentional directory index looks like over at CPAN.

This is an excellent way to data-mine a website and just view the raw files contained in each directory, however, webserver admins will typically disable the indexing feature. So I removed the "/messages/" part of the URL and discovered quickly that directory indexing is disabled on that server. But, the resulting "403 Forbidden" error page from the Apache webserver told me what the major installed software versions were, this is also typically disabled but the site admin either overlooked it or did not realize it's value.

The "403 Forbidden" page told me this:

Apache/2.0.47 (Unix) PHP/4.3.9 Server at http://www.president.ir Port 80

Now, that may not look like much but anyone with an inkling of information security experience will immediately see that the webserver is Apache2, the Operating System is Unix and PHP is installed. That's all fairly unimportant except that PHP/4.3.9 has multiple remotely exploitable vulnerabilities. We can't be "certain" of any vulnerability without a bit of probing on the server and I'm not going there for this demonstration so we'll just keep it fairly generalized.

That being said, let's have a quick look at available options with PHP 4.3.9. The venerable Packetstorm website lists many PHP 4.3.9 exploits that could be used here. With a little time and the right tools the website of el Presidente could be just as hacked as Aarons Rantblog recently was.

The information above is provided for educational purposes and i hope it took some of the mystery out of the whole thing for you.

As always, questions and comments are welcome.


6 Responses to “Hacking the Kuffar”

  1. lostson Says:

    Hehe promoting dirty deeds are we ?

  2. Very nice post, Blackflag!

  3. Aaron, I read over at Malkins that you had security types working on this already. I’d be interested to know what they find out in reagrds to the point of entry.

    For proof of concept only ;)


  4. I feel this is one of the most vital information for me. And i am satisfied studying your article. But should remark on few normal things, The site style is ideal, the articles is actually excellent :D. Just right task, cheers.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: