Just putting up what information I ascertained before the site went completely down. Looks like the group involved has been working on this since at least late February, according to the date on the Pastebin files; guess it's time for Leveson to invest some time into investigating website hacking too.
The server itself ran Apache 2.2.14, which is out of date (the recommended release is 2.2.22). Advisories
Clues as to a WordPress backend:
- A 'wp-content' directory exists, with further subdirectories holding images
- A response from the search on the website stated "Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!"
- This comment on the website: "<!-- This site is optimized with the Yoast WordPress SEO plugin v1.0.3 - http://yoast.com/wordpress/seo/ -->"
- This link also told us what the search backend was, and its version: "<link rel="stylesheet" id="faceted-search-css" href="http://www.levesoninquiry.org.uk/wp-content/plugins/bang-faceted-search/faceted-search.css?ver=3.2.1" type="text/css" media="all">"
The nail in the coffin that this is a group going after the site for a while though:
http://pastebin.com/jfxqZQQr
This shows someone found the WordPress login page for the site. Not only that, it has a password reset feature.
Given that, it is my opinion that the most likely way they got into it was through WordPress, be it through a vulnerability in the search engine or a weakness in the password authentication system.
Surprised that the HTTPS section was up for so long.
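The markers listed above (wp-content paths, the default sample post, a plugin comment carrying a version, and asset URLs with a ?ver= query string) are all things a site owner can check for in their own pages before anyone else does. The following scanner is an added example written for this post, not code from the original post or from any of the projects mentioned; it runs offline over a constructed HTML page that is modelled on the fragments quoted above (the hostname example.test, the generator meta tag and the twentyten theme script are assumptions, not captures from the real site) and reports every version disclosure it finds.

```python
"""Scan a page of HTML for CMS and plugin version disclosure markers
of the kind listed in the post: wp-content paths, the default
"Welcome to WordPress" sample post, plugin comments that carry a
version, and asset URLs with a ?ver= query string.
Meant for auditing your own pages offline."""
import re
from html.parser import HTMLParser
from typing import List, Tuple

# Constructed sample page. Assumption: modelled on the fragments quoted
# in the post; the host, generator tag and theme script are invented.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<!-- This site is optimized with the Yoast WordPress SEO plugin v1.0.3 - http://yoast.com/wordpress/seo/ -->
<meta name="generator" content="WordPress 3.2.1">
<link rel="stylesheet" id="faceted-search-css" href="http://www.example.test/wp-content/plugins/bang-faceted-search/faceted-search.css?ver=3.2.1" type="text/css" media="all">
<script src="/wp-content/themes/twentyten/js/app.js?ver=1.4"></script>
</head><body>
<img src="/wp-content/uploads/2012/02/logo.png">
<p>Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!</p>
</body></html>
"""

# /wp-content/plugins/<name>/...?ver=<version>  (also matches themes)
PLUGIN_ASSET = re.compile(
    r"/wp-content/(plugins|themes)/([^/?#]+)/[^?#]*\?(?:[^#]*&)?ver=([0-9][\w.\-]*)"
)
YOAST_COMMENT = re.compile(r"Yoast WordPress SEO plugin v([\w.]+)")
DEFAULT_POST = "Welcome to WordPress. This is your first post."

Finding = Tuple[str, str]  # (category, detail)


class DisclosureScanner(HTMLParser):
    """Collects version-disclosure findings while parsing a page."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []
        self._seen_wp_content = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # <meta name="generator" content="WordPress x.y"> gives the core version away.
        if tag == "meta" and (attrs.get("name") or "").lower() == "generator":
            self.findings.append(("generator-meta", attrs.get("content") or ""))
        for key in ("href", "src"):
            url = attrs.get(key)
            if not url:
                continue
            # Any /wp-content/ path identifies the CMS; report it once.
            if "/wp-content/" in url and not self._seen_wp_content:
                self._seen_wp_content = True
                self.findings.append(("wordpress-path", url))
            # ?ver= on a plugin/theme asset leaks that component's version.
            m = PLUGIN_ASSET.search(url)
            if m:
                kind, name, ver = m.groups()
                self.findings.append((kind[:-1] + "-version", f"{name} {ver}"))

    def handle_comment(self, data):
        # The SEO plugin advertises its own version in an HTML comment.
        m = YOAST_COMMENT.search(data)
        if m:
            self.findings.append(("plugin-comment", f"wordpress-seo {m.group(1)}"))

    def handle_data(self, data):
        # The stock sample post still being served suggests a default install.
        if DEFAULT_POST in data:
            self.findings.append(("default-content", DEFAULT_POST))


def scan_html(html: str) -> List[Finding]:
    """Return all disclosure findings for one page of HTML, in document order."""
    scanner = DisclosureScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for category, detail in scan_html(SAMPLE_HTML):
        print(f"{category:18} {detail}")
```

Each finding maps to a simple fix on the server side: drop the generator meta tag, strip the ?ver= query strings from enqueued assets, delete the sample post, and keep plugins patched so a disclosed version is not also a vulnerable one. The directory-listing problem raised in the update below is a separate setting; on Apache it is turned off with `Options -Indexes` for the affected directory.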
UPDATE
Another Something Awful forum member pointed out that directory listings were allowed on the Leveson Inquiry website:
I have to admit, I noticed the wp-content folder and subfolders allowed directory listing a while ago. Didn't tell anyone; it was useful for checking when new stuff had been uploaded. They've fixed it now though.
zlyche replies:
They allowed directory listing? Ouch. No wonder this ended up happening. Basic security seems to have gone by the wayside there. Given the speed at which the site was brought back up I'd hasten to say that it was a weak password. When I state a weakness in the password authentication system this also includes the credentials of the user itself. Some pretty poor security by the Leveson website team there.
As said, the time the site has taken to get back up shows that the administrators do not believe it to be a vulnerability in the site itself. If it were the case, the site would not be back to its current state so soon. To that end, it's likely that they simply changed the password. Emphasising this point is that the WordPress login area is still present.
UPDATE 2
Something Awful forum member zlyche has done a bit more investigating:
I did a tiny bit more legwork. Here is the limited information so far:
Starting from the 12th the group start mentioning #OpLeveson. Later posts that evening show that the group, having confirmed their capacity to take down the site, are re-enacting it as a show of power.
- 15:00 - UKAnonymous2012 (declared associate of AnonATeam) claims #TANGODOWN on levesoninquiry.co.uk
- 15:51 - First mention of the site being hacked on SA
- 16:13 - First mention of the site being hacked on IRC
They seem to have a tendency to use DDoS-based attacks, reminiscent of most Anon approaches to websites. Given how the site looked earlier, however, a removal of files seemed to have occurred. That is, a blank root directory was shown. Encouraging this over another possibility, DNS poisoning, is that when the HTTP version of the site was down in this regard, the HTTPS version was still up.
Read into it what you will, however information must be obtained on when precisely the site went down. I was under the misunderstanding that this was at 14:46~, which would have been significantly earlier than AnonATeam's announcement. However I cannot find a reference to this.
It seems very likely that someone involved in the DDoS operation over the weekend was involved in this attack. Focus was already on the site by the group, and if one of them got overenthusiastic and successfully gained access it would explain events somewhat. This could be proven wrong with identical attempts at access on the other targeted websites, showing an M.O. of the group rather than of a specific individual within.