Athens GA Web Design - 14 years in business! 706.296.1706


Thursday Evening Outage
Posted on Tuesday, October 18 @ 16:16:35 EDT by admin

Web Hosting Service Announcements: On October 13th at 7:40pm a hacker out of Saudi Arabia exploited a vulnerability in the primary AthensGuy.com web server and hijacked all customer website entry pages with an anti-war on terror message. We responded within an hour and were able to remove the defacement immediately, but the majority of websites were down for 3 hours and 20 minutes.

If you are a long term customer of ours, you know this is not a common occurrence for us, so we wanted to make sure we provided a detailed explanation to you.

Time Index of Events:

6:47 pm - Hacker did a search to find servers with a particular calendar program that they could exploit. (A client had that program installed on their website.)
7:39 pm - They used the calendar program to gain enough access to upload their page over our customers' home pages.
9:17 pm - We removed the program and website page they uploaded and brought the server down.
11:02 pm - Web server was patched, websites restored, and web server brought back online.


Attacker Network Description:

I queried the Internet network authority and here is the description of the network used to illegally access the server: "Part of this IP block has been used for proxy/cache service at the National level in Saudi Arabia. All Saudi Arabia web traffic will come from this IP block."

Damages and Threats:

Based on all the evidence we gathered, it appears that a single program was downloaded and run. The program was used to overwrite the website entry pages. There is no evidence that any other sub-systems were accessed or corrupted. It was obvious that the hackers had no intention of causing widespread damage. They wanted to get their anti-war message out and have a little fun at our and our customers' expense.

Prevention Measures:

Security is never absolute, but it can be applied in layers to increase strength. Our servers log several hack-in attempts every single day. This is common on Internet-addressable servers. Here are the minimal steps we have taken or are taking to prevent future hack-ins.
  1. Patched targeted Web Calendar program.
  2. Secured use of download tools used by hacker on server.
  3. Patched OS.
  4. Secured area used to execute web page modification.
  5. Blocking Saudi Arabia networks from server. Possibly other known problem countries.
  6. We will also add some more layered monitoring to attempt to identify breaches as soon as they occur.
If you have any concerns or questions that are not answered in this email, please feel free to contact us directly. Please keep in mind that visitors to your site would not have even known of this issue unless they visited it during the small window on Thursday night. Our logs show that this is one of our lower online activity times. We apologize for any inconvenience or questions you may have received if you had visits to your site during that time. We can only promise that we will continue to do everything in our power to maintain security in the future.
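
One way to implement the layered monitoring in measure 6, as an added example that is not AthensGuy.com's own code: a Python check that hashes each customer's entry page against a trusted baseline and flags the pattern from this incident, where several sites' home pages change to the same content at once. The directory layout (one folder per customer under a hosting root), the entry-page file names and the sample sites are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

ENTRY_NAMES = ("index.html", "index.htm", "index.php")  # assumed entry-page names


def hash_entry_pages(hosting_root):
    """Map each customer entry page (path relative to hosting_root) to its SHA-256."""
    digests = {}
    for site in sorted(os.listdir(hosting_root)):
        for name in ENTRY_NAMES:
            path = os.path.join(hosting_root, site, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    digests[f"{site}/{name}"] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare(baseline, current, mass_threshold=2):
    """Return (changed, missing, mass) relative to a trusted baseline."""
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    by_digest = defaultdict(list)
    for page in changed:
        by_digest[current[page]].append(page)
    # One new digest on several different sites: one page uploaded over many home pages.
    mass = [p for p in by_digest.values() if len({x.split("/")[0] for x in p}) >= mass_threshold]
    return changed, missing, mass


def demo():
    """Constructed sample: three customer sites, two overwritten with one page."""
    with tempfile.TemporaryDirectory() as root:
        for site in ("alpha", "bravo", "charlie"):
            os.makedirs(os.path.join(root, site))
            with open(os.path.join(root, site, "index.html"), "w") as fh:
                fh.write(f"<h1>Welcome to {site}</h1>")
        baseline = hash_entry_pages(root)
        for site in ("alpha", "charlie"):  # simulate the overwrite
            with open(os.path.join(root, site, "index.html"), "w") as fh:
                fh.write("<h1>constructed defacement page</h1>")
        return compare(baseline, hash_entry_pages(root))


if __name__ == "__main__":
    print(demo())
```

A single changed page is usually a customer update; the mass group is the signal worth paging on. Keep the baseline somewhere the web server account cannot write.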

Frequency of Internet Hacking

Website defacement is not a new activity, nor is it isolated to our service. In an interview after USATODAY.com's website was defaced, Marty Lindner of the Computer Emergency Response Team Coordination Center said, "Defacement of Web sites happens all the time." The center is partially funded by the federal government and charged with helping protect the nation's computer infrastructure. Years ago, Lindner's department kept track of defacements. Now defacements are so frequent they no longer are novel enough to bother with recording.
