Information Warfare: StrategyPage Server Stormed


December 17, 2005: StrategyPage doesn't just report on Cyber War; sometimes we get caught in the middle of it. We recently got an electronic nastygram from China while we were installing a new server at a hosting site (to improve response time and lessen the workload on the volunteer staffers who maintain the server). There was a gap of a few days between the time the new server went online and the time the hardware firewall (which is a bear to configure) got installed. Into that opening, some Chinese hackers got onto the server and tried to take it over. Actually, it was unclear what they were trying to do, but they did it at 2 AM, when one of our techies was trying to get onto the server to do some database maintenance, and that is how the hack attempt was noticed. There ensued a duel between our two guys and the Chinese. The Chinese lost, and we found out they were Chinese when we examined the tools and documents they left behind once they were locked out.

Based on that, and the fight they put up, it appears it may have been a training exercise. When China trains its Internet warriors, it sends them out on training missions, to get into a vulnerable server and do the sort of things (like planting a rootkit) that one would do in preparation for a Cyber War. Of course, they could have just been part of a criminal gang, collecting zombie machines to use for extortion and other illegal Internet activities. But the way they were not all business when they were caught, and seemed a little green, indicated someone on some kind of training mission. Their tools and entry methods were more typical of a well equipped hacking enterprise. Actually, it could also have been a very elaborate bot (an automated hacking program). It did leave some code behind, and some modifications to some of our news databases. Whatever it was, it was apparently not completely set up before we cut off the hacker access and deleted the stuff that was left on our server. We reformatted, reloaded from backups, and were back in business in a few hours.

All this happened during the last week of November, and, after three unsuccessful attacks, someone got in and modified our main page. They did this by installing an encrypted Javascript Trojan that would try to infect client machines (this sometimes triggered a virus alarm with some anti-virus programs). The Javascript was poorly written, and the Trojan was unable to carry out this infection. The Trojan concept was clever enough: it was included in an <iframe> tag, which basically allows a web page to be included on another webpage, in this case ours. The other webpage was hosted on a server called freewebs.com, but the hacker's webpage was gone, removed by the hosting service, by the time we went looking for it (about 12 hours after our page was hacked).

Those hackers have not been back. We piled up additional defenses and tripwires to hold us until the hardware firewall went online last week. None of these attacks got close to any customer data, which is kept on a separate server at another location (there are actually three physically very separate servers running StrategyPage).

As a practical matter, no server on the planet that is connected to the Internet is invulnerable to attack. But if you put up stout enough defenses, you reduce the number of hackers skillful enough to get through, and increase the chances of the attacker getting caught. That's how financial institutions, which are the most attacked targets, maintain their defenses. The most skilled hackers want to avoid arrest, so they tend to avoid taking on these heavily defended servers. There are plenty of less well defended targets, and that's who the hackers are now going after. Well, except for one fellow, whom we've tracked back to Montevallo University in Montevallo, Alabama. So either we have a student from there doing this or (more likely) they have a school PC that was taken over by a hack and turned into a zombie. He's hammering, futilely, at port 1305 on our main server. The hardware firewall just notes this for us, and life goes on.
