
GST strikes again, this time in both English & Greek!

Digital Forensics and Security | Comments (3)

Just prior to hitting the pillows, a traceback arrived for my inspection from the PHP++ blog.

Fish (the author of said blog) reports that the GST struck again, this time defacing an “I don’t know where the hell they found that”-type website, as reported in the following blog post, and leaving a message in both Greek and English (with a rather helpful JavaScript button to point you to your preferred language).

The Greek language version of the text is surprisingly well-written, compared to the CERN one (different author, perhaps?). The English language version is written in the typical Just-out-of-highschool-Greeks-writing-in-the-English-language style.

In it, summarily stated, they rant and rave about the following: the “hack” of Greekhackers.gr by some lame Turkish group (and the lameness of the whole Greece vs Turkey thing, which I too think is too lame for the 21st century), their previous defacement of one of CERN’s LHC webservers and the media coverage (foreign and Greek) of the whole issue, followed by some standard “greets and shouts to” some site and the security scene.

I won’t translate, this time, as you have both versions at your disposal through the screenshots of the starting page, the Greek language page and the English language page.

My only comment is the following: Looking at the source code of the page, which I’m linking here, I can see that the GST logo was linked from the following address “http://www.cere.gr/upload/logoGST.png” (where it appears as <img src="http://www.cere.gr/upload/logoGST.png">) which belongs to the Center for Russia and Eurasia (http://www.cere.gr/).

This possibly indicates that the attackers used CERE’s webserver as a possible staging area for at least part of their attack, which would possibly mean that we’re dealing with two compromises: the one at http://www.aegeanportal.org and the one at http://www.cere.gr. I cannot, of course, in any way/shape/form confirm this is truly the case, as I do not have access to either of the said servers, but it seems a viable hypothesis to make. So, it might be prudent for the administrators of both websites to at the very least have a look at their webserver/hosting space logfiles for possible traces of the attackers. It might also be prudent to check the webserver logfiles for IP addresses accessing the info.html file in the first 5-10 minutes since the file was placed there (check filename timestamps for the exact dates/times/etc, and compensate for read/write/access times depending on the OS the servers are running).
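The log check suggested above, as an added example that is not part of the original post: it lists the client IPs that requested info.html within a window after the file's modification time, comparing timestamps as timezone-aware values. The log lines, IP addresses and timestamp are constructed, and the Apache/NGINX combined log format is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: access log in Apache/NGINX "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+)[^"]*" \d{3} '
)

def early_visitors(log_lines, placed_at, target="/info.html",
                   window_minutes=10, skew=timedelta(seconds=60)):
    """Return [(ip, first_seen)] for clients that requested `target` between
    placed_at - skew and placed_at + window_minutes, earliest first.
    `placed_at` must be timezone-aware; `skew` absorbs clock drift between
    the filesystem timestamp and the web server's log clock."""
    start = placed_at - skew
    end = placed_at + timedelta(minutes=window_minutes)
    first_seen = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        # Ignore unparseable lines and other paths; strip any query string.
        if not m or m.group("path").split("?", 1)[0] != target:
            continue
        # %z keeps the logged UTC offset, so comparisons are offset-safe.
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if start <= ts <= end:
            ip = m.group("ip")
            first_seen[ip] = min(ts, first_seen.get(ip, ts))
    return sorted(first_seen.items(), key=lambda item: item[1])

# Constructed timestamp. On a real server it would come from the file, e.g.
# datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).
PLACED_AT = datetime(2008, 11, 29, 20, 14, 5, tzinfo=timezone.utc)

# Constructed sample log (documentation IP ranges), server clock at +0200.
SAMPLE_LOG = [
    '203.0.113.99 - - [29/Nov/2008:22:15:00 +0200] "GET /index.html HTTP/1.1" 200 1000 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Nov/2008:22:14:09 +0200] "GET /info.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Nov/2008:22:16:40 +0200] "GET /info.html?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [29/Nov/2008:22:17:02 +0200] "GET /info.html HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
    '203.0.113.50 - - [29/Nov/2008:23:05:11 +0200] "GET /info.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, seen in early_visitors(SAMPLE_LOG, PLACED_AT):
        print(ip, seen.isoformat())
```

The earliest requester is often the person checking that the upload worked, so the first one or two addresses are the ones to correlate with FTP, SSH or upload-script logs from the same minutes.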

I should note, here, that in my personal opinion, website defacement is nothing more than an act of vandalism (in the same way sprayed messages on busses etc are vandalism).

I should also note that, again in my personal opinion, the whole CERN LHC defacement was blown WAY out of proportion by the international media/press. This, and ONLY this, is why I stayed up half the night translating! And, to make matters worse, the Greek press/media further disgraced themselves by mistranslating the already mistranslated articles instead of reading the page which was, after all, written in the Greek language.

DarkSYN @ November 30, 2008

“Get safe online” how?

Digital Forensics and Security | Comments (3)

Just a couple of thoughts, as I’m resting after a long long time working on my ongoing PhD and the new CSI module I’m taking…
The “Get Safe Online” (http://www.getsafeonline.com) week-long campaign by the British government began this week…
The page (and campaign) itself supposedly deals with some rather interesting questions by providing rather simplified (but ones [...]

DarkSYN @ November 18, 2008

Uberdatabase dreams and the harsh reality

Digital Forensics and Security | Comments (0)

After a couple of insane weeks filled with a Progression Report to be delivered, loads of lecturing work and a nice bout of flu that has me sitting somewhat sleepless on the keyboard this lovely Friday morning, GrayHat Forensics is back.
Today’s topic? Uberdatabases: State/Country-wide government databases storing phonecall-related information (and conversations), texts, e-mail, IM messages, [...]

DarkSYN @ October 10, 2008

Greek “hackers” deface CERN’s LHC-related website

Digital Forensics and Security | Comments (22)

It may surprise the audience how someone who’s forehead-deep in writing their research report under a tight deadline can find the time to keep an ear out on the whispers of the underground community, but interesting things do come out of there.
Note: I may be a Digital Forensic researcher, but I am ALSO a Network [...]

DarkSYN @ September 13, 2008

Data Protection & Privacy gaffes in Greece: Is it the heat?

Forensics News | Comments (4)

Preamble: In case any of you were wondering about the lack of further postings for some time now…No, I did not cancel the blog. I was merely on a 3-week holiday in Greece, after a rough couple of weeks of PhD-related work.
So, summer holidays: Sun, Sea, other-things-beginning-with-the-S-letter and some interesting bits of news from Greece.
For [...]

DarkSYN @ August 29, 2008

The Grayhat goes to BSC2008: Experiences and thoughts

digital forensics | Comments (0)

Some of those of you who know me would know I’d submitted a presentation to the British Society of Criminology 2008 conference. Those of you who don’t know it, well now you do. In truth, I actually went to both the BSC2008 and the PhD conference scheduled for the day preceding the start of the [...]

DarkSYN @ July 14, 2008

First posting: where it all began

Forensics News | Comments (0)

It began with a PhD research student teaching a module on Computer Forensics. Studying Casey under the light of a train from Sunderland to Newcastle and back, remembering the ways of the security community, preparing to teach a class of undergraduates for the first time. A Network Security PhD research student teaching Digital Forensics.
It continued [...]

DarkSYN @ July 6, 2008

