Friday, June 6. 2008
Another Malaysian Government Website Bites the Dust
The screenshot above is of http://www.geocities.com/nmapx/manifesto.txt. It reads:
A special officer to Datuk Seri Abdullah Ahmad Badawi confirmed the
incident and said it was an "unsuccessful hacking attempt".
"What happened is that someone copied the URL (the site's address) and cloned it
to make it look like the real site.
Special Officer?
There is nothing special about you just the same as the rest of those
lazy adminz
UBAH GAYA HIDUP ... Lancau ahh
You cant stop the unstoppable!!
The attacker is obviously referring to this news on NST regarding the hack "attempts" on PMO website.
And then followed by some output from the server that was hacked. The website (read the output below to see what it is) has the same vulnerability as The Prime Minister's Office website, in that it allows remote URL inclusion. But in this case, the attacker has taken a step further - he/she was able to execute commands via the remote URL inclusion, and subsequently gained shell access to the server. Check out the output below:
[@web ~]$ w 16:38:42 up 16:42, 2 users, load average: 0.22, 0.15, 0.11 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT root pts/0 172.17.27.60 09:11 7:27m 0.03s 0.01s tail -f access_log [@web ~]$ uname -a Linux web 2.6.9-5.EL #1 Wed Jan 5 19:22:18 EST 2005 i686 i686 i386 GNU/Linux [@web ~]$ cat /etc/*ease Red Hat Enterprise Linux AS release 4 (Nahant Update 4) [@web ~]$ cat /etc/hosts # Do not remove the following line, or various programs # that require network functionality will fail. 127.0.0.1 web.heritage.gov.my web localhost.localdomain localhost www www.heritage.gov.my 172.16.10.2 web web.heritage.gov.my www www.heritage.gov.my #172.16.10.7 murad #172.16.10.9 zuraihan
The first command was to show list of users currently logged in. The administrator (root) was logged on, and he was monitoring the webserver's access log file (tail -f access_log).
The second and third command were to get version name of the kernel (2.6.9????) and the distribution. And finally, an output from the /etc/hosts file.
The attacker could have just defaced, deleted, or wreak any kinds of havoc but he chose to deliver another message.
Trackbacks
Trackback specific URI for this entry
No Trackbacks
Comments
Display comments as
(Linear | Threaded)
you call that defacement? that is just a lamest url inclusion ever.
and the "hacker" have not reach anything deeper than that.
not because he won't and trying to be nice and leave some lame "defacement" page. Its because he cant. How do you expect that url inclusion hacker can do this = The attacker could have just defaced, deleted, or wreak any kinds of havoc but he chose to deliver another message.
haha this a joke from malaysian security people. That why kau semua bisa gomeng2 gomeng sajaaaa (ombong kosong seperti murai)
and the "hacker" have not reach anything deeper than that.
not because he won't and trying to be nice and leave some lame "defacement" page. Its because he cant. How do you expect that url inclusion hacker can do this = The attacker could have just defaced, deleted, or wreak any kinds of havoc but he chose to deliver another message.
haha this a joke from malaysian security people. That why kau semua bisa gomeng2 gomeng sajaaaa (ombong kosong seperti murai)
Bro "laucau" and "kimak hack konon", that has NOT been added to defacement archive or tagged as .gov.my defacement. The PMO thing is just a bad joke. Read properly before you comment. Do read comment by unknownimous.
Yes that right... just some lame kid saying that he hack this and that but heck, he would not be able to hack anything from the site....
just some url inclusion and you are a hacker? fuck off retard!
just some url inclusion and you are a hacker? fuck off retard!
Yup... another problem in government website. Talking about their sites, they're all poorly made. Rubbish information, bad design, bad navigation. I wonder they could hire someone who can really make website. Else, it really headache viewing their websites.
the output shown that the attacker has gained access to the system i.e. heritage aka KeKKwa and able to execute command as normal user.
indeed,the website is still vulnerable to rfi,trust me.the attacker could have just decafed the website.
indeed,the website is still vulnerable to rfi,trust me.the attacker could have just decafed the website.
jeng jeng jeng! enter skali web services awarded a rm300M contract to fix and host all .gov.my website. hosting it in an idc that caught fire poof. ontop of that our tax money still kena bayar the lazy gomen sysadmins that only knows howto speed dial vendor jer.. bazir duit looh
FYI, the "url" parameter problem in pmo.gov.my still persists.
Apparently, they try to fix the problem by checking the prefix value of 'url' query parameter, and only allow URL that starts with 'http://www.pmo.gov.my' to be displayed in the iframe.
This won't solve the problem, e.g.:
http://www.pmo.gov.my/website/webdbase.nsf/w_4?readForm&url=http://www.pmo.gov.my@www.google.com.my
Perhaps, a better workaround would be using an internal hash table of (id, url) and only accept 'id' as query parameter, rather than URL?
Apparently, they try to fix the problem by checking the prefix value of 'url' query parameter, and only allow URL that starts with 'http://www.pmo.gov.my' to be displayed in the iframe.
This won't solve the problem, e.g.:
http://www.pmo.gov.my/website/webdbase.nsf/w_4?readForm&url=http://www.pmo.gov.my@www.google.com.my
Perhaps, a better workaround would be using an internal hash table of (id, url) and only accept 'id' as query parameter, rather than URL?
Did the attacker gets the root account? well he sure can't delete his track in the log directory...
The w, uname -a, cat /etc/*ease, cat /etc/hosts is just a fake. The fella just want to make fool of us
With the right code you actually can run those code on webserver.. well depends how rich feature provide on the server of course 
It is up to you bro ... This is call cross site scripting .. it shows a vulnerable in the web programming .
The concern is , if this kind of small problem is happen , how about others .
The concern is , if this kind of small problem is happen , how about others .
Add Comment
Before you post a comment, please take note of the following guidelines:
- Commenting is provided as a courtesy only.
- Please be brief and relevant to the post.
- Please be polite even in disagreement with us or others.
- Support claims you wish to make using sources and links.
- No personal attacks, name calling, or commercial commenting.
- Anyone creating false or multiple identities will be banned.
- If you don't have a cogent argument, you will be censored.
- If you are purposefully deceptive, you will be censored.
- No spamming or flooding.
Comment policy copied and modified from Spin Hunters.
DISCLAIMER
All data and information provided on this site is for informational purposes and on an *as-is* basis.
This weblog does not represent the thoughts, intentions, plans or strategies of our employers. It is solely our opinion and views as security professionals.
Feel free to challenge us, disagree with us, or even tell us that we are a complete mindless and brainless monkeys in the comment section of the blog entry.
This weblog does not represent the thoughts, intentions, plans or strategies of our employers. It is solely our opinion and views as security professionals.
Feel free to challenge us, disagree with us, or even tell us that we are a complete mindless and brainless monkeys in the comment section of the blog entry.
Report Defacements of Malaysian Website
Tags
watchlist gcert worm exploit strong password harimau outbreak how to create password cybersecurity malaysia virus dubai myhack niser security analysis apple hitbsecconf2008 kuala lumpur pink rabbit vnsecurity leopard downadup password python edu.my conficker hitbsecconf2008 cimb phishing hackinthebox comment spam ctf mycert bank wireless lubuntu network analysis hacked hitbsecconf2008 dubai conference xss personal data privacy honeynet my-honeynet cyber terrorism scam general os x cuciotak scamming hex phishing site spam news information disclosure maybank2u hacking maybank phishing impact bro-ids sql injection malware events nsm alien_005 tools stupidity hackermalaysia defaced hitbsecconf joomla! hitb web vulnerability malaysia defacement
Recent Entries
Defaced - http://www.webschool.com.my
Defaced - http://cic.jobsmalaysia.gov.my
Defaced - http://cuil.com.my
Defaced - http://www.photodelivery.com.my/cart/
Defaced - http://webapp.uthm.edu.my
Defaced - http://www.afm.org.my
Hacked - http://www.crsm.org.my
Defaced - belianiaga.com
Defaced - teddymarry.com
Mass defacement on BaitulBytes Hosting
February 8 2010
Defaced - http://cic.jobsmalaysia.gov.my
February 8 2010
Defaced - http://cuil.com.my
February 8 2010
Defaced - http://www.photodelivery.com.my/cart/
February 8 2010
Defaced - http://webapp.uthm.edu.my
February 8 2010
Defaced - http://www.afm.org.my
February 5 2010
Hacked - http://www.crsm.org.my
February 4 2010
Defaced - belianiaga.com
February 3 2010
Defaced - teddymarry.com
February 3 2010
Mass defacement on BaitulBytes Hosting
February 3 2010
