As many of you may know, the OkinawaResource index page was recently vandalized. We say "vandalized" because capitalizing on a widely published exploit is not hacking. And, although defacing websites is immature and defunct, at least it motivated us to finally get rid of phpNuke.
Some of you may be asking why the "hacker" vandalized this site. The "hacker" entered "web site engine's code is copyright © 2003 by php-nuke" into Yahoo.com. The vandal was searching for the exploitable version of the phpNuke Web Site Content Management Software, not our site. Many of you may not know that the exploit used is extremely simple and common, indeed almost hackneyed. Furthermore, anyone with a computer can do it. A simple cut and paste of some borrowed code to add an image and a simple marquee and voilà!
We truly apologize for any distress this may have caused anyone, but we assure you it has not affected the restructuring of the site in the least. It was, in essence, an immature child with a computer and not much else. As assurance that this matter has been dealt with fully, we have included the important information and actions taken below for you to review.
- First, we removed phpNuke altogether. Furthermore, we verified and deleted the injected information and secured the SQL database.
- Second, we reported the vandal. (See below.)
- Raw log entry with the vandal's IP address.
-------
85.99.24.224 - - [23/Jan/2006:05:56:42 -0500] "GET / HTTP/1.1" 200 2934 "http://search.yahoo.com/search?p=Web+site+engine%27s+code+is+Copyright+%C2%A9+2003+by+PHP-Nuke&ei=UTF-8&fl=0&x=wrt" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
-------
- The vandal's ISP information.
-------
inetnum: 85.99.24.0 - 85.99.31.255
netname: TurkTelekom
descr: ADSL-ALC-Kadikoy-Dynamic Pool
country: tr
admin-c: TTBA1-RIPE
tech-c: TTBA1-RIPE
status: ASSIGNED PA
mnt-by: as9121-mnt
source: RIPE # Filtered
role: TT Administrative Contact Role
address: Turk Telekom
address: Bilisim Aglari Dairesi
address: Aydinlikevler
address: 06103 ANKARA
phone: +90 312 313 1950
fax-no: +90 312 313 1949
e-mail: abuse@ttnet.net.tr
admin-c: BADB3-RIPE
tech-c: ZA66-RIPE
tech-c: ZA196-RIPE
tech-c: LA109-RIPE
tech-c: NO638-RIPE
nic-hdl: TTBA1-RIPE
mnt-by: AS9121-MNT
source: RIPE # Filtered
% Information related to '85.99.0.0/17AS9121'
route: 85.99.0.0/17
descr: TurkTelecom
origin: AS9121
mnt-by: AS9121-MNT
--------
- The letter we wrote to the ISP. We also included all log entries involving the vandal.
-------
Dear Sir/Madame.
On 23 January 2006, OkinawaResource Organization's website was defaced by
one of your customers. An archive of the defaced page is available at
http://www.zone-h.org/defacements/mirror/id=3268396/.
The IP recorded in the raw log is 85.99.24.224. I have attached a text
file with all of the entries for this IP.
Any assistance/corrective action you lend is more than appreciated.
--------
It is now up to Turk Telecom as to whether they will take action against the vandal.
Again, we apologize to those adversely affected. The upside is that the site was already in the process of being restructured, and this act has only hastened that work.
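The raw log entry above shows how the visit can be recognized after the fact: the Referer is a search-engine query for the phpNuke footer text. The following is an added example, not part of the original post, that scans combined-format access log lines for such referrers. The `FINGERPRINTS` and `QUERY_PARAMS` lists are assumptions, and the second and third sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# NCSA "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Assumption: lower-cased footer strings that identify the CMS you run.
FINGERPRINTS = ("by php-nuke",)
# Assumption: query parameters that carry the search terms.
QUERY_PARAMS = ("p", "q", "query")

SAMPLE = [
    # Line quoted from the page.
    '85.99.24.224 - - [23/Jan/2006:05:56:42 -0500] "GET / HTTP/1.1" 200 2934 '
    '"http://search.yahoo.com/search?p=Web+site+engine%27s+code+is+Copyright'
    '+%C2%A9+2003+by+PHP-Nuke&ei=UTF-8&fl=0&x=wrt" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # Constructed: ordinary search referral.
    '192.0.2.10 - - [23/Jan/2006:06:01:10 -0500] "GET /beaches.html HTTP/1.1" '
    '200 5120 "http://search.yahoo.com/search?p=okinawa+beaches" "Mozilla/5.0"',
    # Constructed: no referrer at all.
    '192.0.2.11 - - [23/Jan/2006:06:02:00 -0500] "GET / HTTP/1.1" 200 2934 "-" "Mozilla/5.0"',
]

def search_terms(referer):
    """Return the decoded search terms carried in a Referer URL, or None."""
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.query:
        return None
    params = parse_qs(parts.query)  # decodes %XX escapes and '+' as space
    for name in QUERY_PARAMS:
        if name in params:
            return params[name][0]
    return None

def fingerprint_hits(lines):
    """Yield (ip, time, terms) for visits that came from a search for a CMS fingerprint."""
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        terms = search_terms(m.group("referer"))
        if terms and any(f in terms.lower() for f in FINGERPRINTS):
            yield m.group("ip"), m.group("time"), terms

if __name__ == "__main__":
    for hit in fingerprint_hits(SAMPLE):
        print(hit)
```

A hit only means the visitor found the site by searching for the software's footer text, so it is a reason to review that address's other requests rather than proof of an attack.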