ic
11-02-2005, 03:39 AM
[Johannesburg, 9 February 2005] - The local version of an international hacking Web site has been defaced by a group of rival hackers, analysts say.
According to IT security information network Zone-h, the defacement of the local 2600 site was carried out by the "Simiens group", and Zone-h has rated the incident as a high-profile defacement.
The defacement took place on 4 February, but the site is once again up and running today, says Dino Covotsos, owner of local security company Telspace.
"2600 focuses on hacking and hacking-related issues; they also release a quarterly 2600 magazine to the public. Obviously it is a bonus for hackers to get into high-profile sites like this and deface them," he says.
"However, it is true that over the past few months the local 2600 hacking site has been neglected and not updated as it should have been."
Covotsos says it is the same server that was affected in a recent attack in which 200 South African sites were defaced. �However, this time it was a singular defacement and it was done by a different hacking group, which leads me to believe it was a separate security issue that gave them access to the server.�
The Simiens group is well known in hacking circles, and is reported to have been responsible for 2 593 single IP attacks and 21 868 mass defacements. (http://tinyurl.com/6t4y5)
I'm not going to deny my fault in the recent defacement of 2600.co.za. As Administrator for the site the ultimate onus is on me to ensure the site was not compromised. I failed to do this, but be sure I've learnt a number of lessons from this episode.
1) Always keep a very close eye on what your web hosting provider is doing on the server. This defacement was a direct result of the installation of outdated web statistics software on the server. The particular version of this software is known to have a number of security flaws. I should have checked this and pushed my provider to update immediately.
2) I should have implemented a strategy to continually assess the site to make sure no page had been tampered with, and to have a warning message delivered to me in the event of an anomaly.
3) I put myself in a situation where I did not have full control over the machine the site was hosted on. As a security administrator I should never have done this. This decision was, however, made with bandwidth considerations in mind, as I could not afford to host this site on my own server without incurring a high bandwidth/hosting cost.
4) If I had been ensuring regular content updates to the site I would have become aware of the problem sooner, possibly limiting any potential effect of a system compromise.
Anyway, it's time to wipe the egg off my face and get started redesigning the site engine and setup, finding a better hosting solution and putting in place the protections above to defend the site. It's been a long time coming; hopefully this was the event to spur me on to kick off that process.
http://www.dnsreport.com/tools/dnsreport.ch?domain=2600.co.za
Anyone ever heard of IDWS before? It seems to be the hosting company for 2600.co.za, but maybe not at the time of the attack; difficult to say because the SOA serial number is non-conformant: 2870243467.
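The page-integrity check the administrator describes in lesson 2 of the post-mortem above, written out as an added example (this is not code from the original thread or from 2600.co.za). The page contents, paths and site name are constructed placeholders. Two design points the lessons imply: the baseline must live on the monitoring machine, not on the web host that the admin did not control, and the pages should be fetched from outside over HTTP so the check sees what a visitor sees. Fetching by URL can only cover paths you already know, so the "new file" case needs a listing of the document root on the host; the demo runs on the embedded samples so it works offline.

```python
"""Page-integrity check: compare the live site against an off-host baseline.

Added example; the page contents below are constructed samples and the
site name and paths are placeholders, not the real 2600.co.za content.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Dict, List

# Constructed snapshot of the site when it was known to be clean.
KNOWN_GOOD: Dict[str, bytes] = {
    "/index.html": b"<html><body><h1>2600 South Africa</h1></body></html>",
    "/meetings.html": b"<html><body>Meetings: first Friday of the month</body></html>",
    "/contact.html": b"<html><body>Mail the admin</body></html>",
}

# Constructed snapshot after a defacement: the front page was replaced,
# contact.html was deleted and a file that was never in the baseline appeared.
AFTER_DEFACEMENT: Dict[str, bytes] = {
    "/index.html": b"<html><body><h1>defaced</h1></body></html>",
    "/meetings.html": b"<html><body>Meetings: first Friday of the month</body></html>",
    "/deface.html": b"<html><body>added by the attacker</body></html>",
}


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def build_baseline(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Hash every page once from a known-good copy. Keep the result on the
    monitoring host, not on the web server: a baseline the attacker can
    rewrite alongside the pages proves nothing."""
    return {path: digest(body) for path, body in pages.items()}


def compare(baseline: Dict[str, str], current: Dict[str, bytes]) -> List[str]:
    """One finding per page that is modified, missing, or absent from the
    baseline (a new file in the docroot is as suspicious as a changed one)."""
    findings: List[str] = []
    for path, expected in sorted(baseline.items()):
        if path not in current:
            findings.append(f"{'MISSING':<8} {path}")
        elif digest(current[path]) != expected:
            findings.append(f"{'MODIFIED':<8} {path}")
    for path in sorted(set(current) - set(baseline)):
        findings.append(f"{'NEW':<8} {path}")
    return findings


def alert_text(findings: List[str], site: str = "example.invalid") -> str:
    """Body of the warning the administrator wanted; empty string means
    nothing to send. Delivery (mail, pager, etc.) is left to the caller."""
    if not findings:
        return ""
    return f"[{site}] {len(findings)} integrity finding(s):\n" + "\n".join(findings)


def fetch_pages(base_url: str, paths: List[str], timeout: float = 10.0) -> Dict[str, bytes]:
    """Fetch the live pages from outside the host, as a visitor sees them.
    Assumes network access; only covers the paths you ask for, so files the
    attacker added can only be found by listing the docroot on the server."""
    live: Dict[str, bytes] = {}
    for path in paths:
        try:
            with urllib.request.urlopen(base_url + path, timeout=timeout) as resp:
                live[path] = resp.read()
        except urllib.error.HTTPError as err:
            if err.code != 404:  # a 403 or 500 on a known page is itself a change
                live[path] = b"<http error %d>" % err.code
    return live


if __name__ == "__main__":
    baseline = build_baseline(KNOWN_GOOD)
    print(alert_text(compare(baseline, KNOWN_GOOD)) or "clean")
    print(alert_text(compare(baseline, AFTER_DEFACEMENT), site="2600.co.za"))
```

Run from cron on a machine other than the web host, replacing the embedded snapshot with `fetch_pages("http://<site>", list(baseline))`; any non-empty `alert_text` is the anomaly warning the admin wanted delivered to himself.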
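Why the serial above tells you nothing about when the zone was last touched, as an added example (not from the original thread): RFC 1912 recommends the YYYYMMDDnn convention for SOA serials, so a serial that parses as a valid date gives an approximate last-change date, while one that does not, like 2870243467, is just a counter. The 1987 lower bound on plausible dates is an assumption of this example.

```python
"""Read a DNS SOA serial under the RFC 1912 YYYYMMDDnn convention.

Added example, not from the original thread. To the protocol a serial is
only an unsigned 32-bit counter; the date form is a convention, so a
serial that does not parse as a date says nothing about when the zone
last changed.
"""
import datetime
from typing import Optional

SERIAL_MAX = 0xFFFFFFFF  # SOA serial is an unsigned 32-bit integer (RFC 1035)
EARLIEST_PLAUSIBLE = datetime.date(1987, 1, 1)  # assumption: nothing older is a real edit date


def soa_serial_date(serial: int) -> Optional[datetime.date]:
    """Return the date a YYYYMMDDnn serial encodes, or None if the serial
    does not follow the convention (impossible month/day, or a date outside
    the range in which a real zone could have been edited)."""
    if not 0 <= serial <= SERIAL_MAX:
        raise ValueError(f"{serial} is not a valid SOA serial")
    text = f"{serial:010d}"  # left-pad so the YYYY/MM/DD slices line up
    year, month, day = int(text[0:4]), int(text[4:6]), int(text[6:8])
    try:
        when = datetime.date(year, month, day)
    except ValueError:  # e.g. 2870243467 reads as year 2870, month 24
        return None
    if when < EARLIEST_PLAUSIBLE or when > datetime.date.today():
        return None
    return when


def describe(serial: int) -> str:
    """One-line verdict of the kind the poster was after."""
    when = soa_serial_date(serial)
    if when is None:
        return f"serial {serial}: non-conformant, last-change date unknown"
    return (f"serial {serial}: zone last changed on or about "
            f"{when.isoformat()} (revision {serial % 100:02d})")


if __name__ == "__main__":
    # The serial from the thread, a conventional one, and a Unix-time style one.
    for s in (2870243467, 2005020901, 1107900000):
        print(describe(s))
```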