
GST strikes again, this time in both English & Greek!

Digital Forensics and Security

Just prior to hitting the pillows, a traceback arrived for my inspection from the PHP++ blog.

Fish (the author of the said blog) reports that the GST struck again, this time defacing an “I don’t know where the hell they found that”-type website, as reported in the following blog post, and left a message in both Greek and English (with a rather helpful JavaScript button to point you to your preferred language).

The Greek language version of the text is surprisingly well-written, compared to the CERN one (different author, perhaps?). The English language version is written in the typical Just-out-of-highschool-Greeks-writing-in-the-English-language style.

In it, summarily stated, they rant and rave about the following: The “hack” of Greekhackers.gr by some lame Turkish group (and the lameness of the whole Greece vs Turkey thing (which I too think is too lame for the 21st century)), their previous defacement of one of CERN’s LHC webservers and the media coverage (foreign and Greek) of the whole issue, followed by some standard “greets and shouts to” some site and the security scene.

I won’t translate, this time, as you have both versions at your disposal through the screenshots of the starting page, the Greek language page and the English language page.

My only comment is the following: Looking at the source code of the page, which I’m linking here, I can see that the GST logo was linked from the following address “http://www.cere.gr/upload/logoGST.png” (where it appears as <img src="http://www.cere.gr/upload/logoGST.png">), which belongs to the Center for Russia and Eurasia (http://www.cere.gr/).

This possibly indicates that the attackers used CERE’s webserver as a staging area for at least part of their attack, which would possibly mean that we’re dealing with two compromises: the one at http://www.aegeanportal.org and the one at http://www.cere.gr. I cannot, of course, in any way/shape/form confirm this is truly the case, as I do not have access to either of the said servers, but it seems a viable hypothesis to make. So, it might be prudent for the administrators of both web-sites to at the very least have a look at their webserver/hosting space logfiles for possible traces of the attackers. It might also be prudent to check the webserver logfiles for IP addresses accessing the info.html file in the first 5-10 minutes after the file was placed there (check the file timestamps for the exact dates/times/etc, and compensate for read/write/access times depending on the OS the servers are running).
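The log check suggested above, sketched as an added example (not code from the original post): it scans access-log lines for requests to info.html made shortly after the file's timestamp and lists the client IPs, oldest first. The Apache-style "combined" log format, the sample lines, the times and the `slack_seconds` parameter are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" access-log line: client IP, [timestamp], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def early_visitors(log_lines, placed_at, target="/info.html",
                   window_minutes=10, slack_seconds=60):
    """Return (ip, time, method, status) tuples, oldest first, for requests to
    `target` between placed_at - slack and placed_at + window.
    `placed_at` must be timezone-aware; on a live server it could come from
    datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc).
    `slack_seconds` (an assumption of this example) absorbs clock differences
    between the filesystem timestamp and the log timestamps."""
    start = placed_at - timedelta(seconds=slack_seconds)
    end = placed_at + timedelta(minutes=window_minutes)
    hits = []
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line: skip it
        if m["path"].split("?", 1)[0] != target:
            continue  # compare the path only, ignoring any query string
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if start <= when <= end:
            hits.append((m["ip"], when, m["method"], m["status"]))
    return sorted(hits, key=lambda h: h[1])

# Constructed sample data: documentation-range IPs and made-up times.
PLACED_AT = datetime(2008, 11, 29, 21, 42, 0, tzinfo=timezone.utc)  # 23:42 +0200
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Nov/2008:23:41:50 +0200] "GET /info.html HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
    '192.0.2.51 - - [29/Nov/2008:23:43:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [29/Nov/2008:23:47:30 +0200] "GET /info.html?lang=en HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    'truncated or corrupted line',
    '192.0.2.50 - - [30/Nov/2008:09:15:00 +0200] "GET /info.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, method, status in early_visitors(SAMPLE_LOG, PLACED_AT):
        print(ip, when.isoformat(), method, status)
```

Comparing timezone-aware datetimes keeps the window correct even when the file timestamp is in UTC and the log is written in local time.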

I should note, here, that in my personal opinion, website defacement is nothing more than an act of vandalism (in the same way sprayed messages on busses etc are vandalism).

I should also note that, again in my personal opinion, the whole CERN LHC defacement was blown WAY out of proportion by the international media/press. This, and ONLY this, is why I stayed up half the night translating! And, to make matters worse, the Greek press/media further disgraced themselves by mistranslating the already mistranslated articles instead of reading the page which was, after all, written in the Greek language.

DarkSYN @ November 30, 2008

3 Comments

  1. the Fish November 30, 2008 @ 3:55 pm

    It’s sad and hilarious at the same time. The administrators of those pages probably have no idea about what has happened. And of course, the GST doesn’t condemn ANY actions made by Greek teams. As if they do not know how many of them are racist and deface Turkish, Albanian, Bulgarian, Former-Yugoslavian (or however one wishes to call them) pages for fun.
    At the same time, one of the main editors of so-called neo-geek hacking magazine they mentioned is running around like crazy posting everywhere about how cool GST is. The same guy that teaches the newborns how to do an sql inj without knowing sql and how to crack cd protection using assembly without knowing assembly, standard mainstream script kiddie attitude.
    What’s the saddest thing, that actually bugs me about the whole thing, is that all of these people, GST/”hackers”/whatever-you-want-to-call-them, do actually create part of the Greek e-world – at least when they decide to stop defacing and be a bit creative. They make sites and administrate servers themselves. It’s easy to hack with milw0rm exploits random or left-to-die sites. I have seen how people like them work. And I was once a teenager as well. They _are_ what they condemn. Why? Because they spend their time doing nonsense. Cause, with the page still being online, I fail to see how they did something creative or altruistic or just important.
    However, when they do create something, it’s as buggy, insecure and, why not, ugly as the things they mock. And many of them sometimes also work for companies and commercial projects. And they spend maybe a day or two on each project, not caring about security and quality, just to get a couple of hundreds of euros from their employer. Anything other than that is not important – they have sites to deface and be Someone. And this, combined of course with the existence of the hundreds of “developers” who are bored to learn anything, is the reason there are practically almost no real security specialists in Greece, nor good web developers. Cause security needs time and attention. And if you spend half your day searching how to show off and destroy stuff, it’s sure you can’t offer such time and attention. The only time they really care about security is when they want to protect their communities during the ddos wars.

  2. Harry Erwin December 30, 2008 @ 3:55 pm

    Why am I reminded of an alpha male monkey in a tree screaming at another alpha male monkey in a neighbouring tree?

  3. Thiseas February 5, 2009 @ 10:30 am

    It’s sad and hilarious at the same time that almost any “expert” has a different opinion about these “very?” actions. On the other hand, ok, opinions are like a bottom; everybody’s got one.
    The only serious remarks I’ve ever seen that one could get a global idea of what is going on down there..!!, is this Blog.
    Written by Mr DarkSyn.
    I really don’t think that all these defaces are more or less serious than other defaces (business as usual ;-) ).
    The hard part, for a person who wants to get the real msg behind this, is to know the whole story, or at least more than 70% of it.
    If you don’t know it, you will probably end up with some wrong conclusions, focusing on the tree and losing the forest.

    PS: Be argus-eyed… like the writer!

