TechCrunch, the popular blog founded by Michael Arrington in 2005 that profiles technology start-ups with posts about their products and company news, was the victim of a website defacement that has effectively taken the site down for three hours at the time of writing. The site initially went down a little after 1 am EST with a message of “Hi” on the homepage, and for a while seesawed between coming back up, being newly defaced, and showing a “We’ll be back shortly” message.
There is no word yet on how the attack took place. However, all appearances suggest that access was gained to the TechCrunch content itself, as opposed to a DNS redirect or something similar, as happened to Twitter and Baidu recently. The fact that TechCrunch uses the WordPress blog application has led to speculation that the problem may be an exploit in the popular blogging platform.
At 1:20 am EST TechCrunch was down with the message “Hi” on the homepage.
It then showed this link:
From there the site came back up briefly and went back to the “We’ll be back shortly” message.
It was taken over again as shown below, then returned to the “We’ll be back shortly” message.
The site finally seemed to become stable after 3 am EST, with a final message from TechCrunch on the homepage:
Earlier tonight techcrunch.com was compromised by a security exploit. We're working to identify the exploit and will bring the site back online shortly.
The site (126.96.36.199) that the homepage was linked to appears to be a warez site in Roubaix, France, hosted by ISP Ovh Systems. TechCrunch is of course hosted by Rackspace.com, which was recently in the news because of the role their servers played in the ‘Aurora’ attack on Google.
The word warez is a self-referential term in communities that deal with the underground distribution of pirated content (software, music, movies, etc.). The dupeDB site appears to be a torrent and RapidShare download site containing links to movies, music, cracked software, and so forth.
Other Attacks with DupeDB.com
The attack points to the same web site as a brief takeover of the forums of the Neowin.net technology news website on December 27th of last year. In that case, a Meta redirect was injected, sending users from neowin.net to dupedb.com. The same issue also afflicted the Flyertalk forum on December 27th, and the Sprint Users forum on December 15th.
The Meta tag redirect injected into Neowin.net’s forums:
<meta content="0; URL=http://dupedb.com/" http-equiv="Refresh"/>
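A defender's check for the injection described above, as an added example that is not from the original article: it parses a page for meta refresh tags and reports any whose target leaves the site's own hosts. The function names, the forum.example host and the sample pages are constructed for illustration; the injected tag is the one quoted above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# content attribute of a refresh tag: "<delay>; URL=<target>" (URL= and quotes optional)
REFRESH_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)?)\s*[;,]\s*(?:url\s*=\s*)?['\"]?(.*?)['\"]?\s*$", re.I)

class RefreshFinder(HTMLParser):
    """Collects (delay, target) for every <meta http-equiv="refresh"> tag."""
    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names; values keep their case.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH_RE.match(a.get("content", ""))
        if m and m.group(2):  # a bare delay ("30") only reloads the page
            self.refreshes.append((float(m.group(1)), m.group(2)))

def offsite_refreshes(html, page_url, allowed_hosts):
    """Return (delay, absolute_url) for refresh targets outside allowed_hosts."""
    finder = RefreshFinder()
    finder.feed(html)
    hits = []
    for delay, target in finder.refreshes:
        absolute = urljoin(page_url, target)  # resolves relative and //host forms
        host = (urlparse(absolute).hostname or "").lower()
        if host not in allowed_hosts:
            hits.append((delay, absolute))
    return hits

# Constructed sample pages; forum.example stands in for the monitored site.
PAGE_URL = "https://forum.example/index.php"
ALLOWED = {"forum.example", "www.forum.example"}
INJECTED_PAGE = ('<html><head><title>Forums</title>'
                 '<meta content="0; URL=http://dupedb.com/" http-equiv="Refresh"/>'
                 '</head><body>posts</body></html>')
CLEAN_PAGE = ('<html><head><meta http-equiv="refresh" content="5; url=/archive/">'
              '<meta http-equiv="refresh" content="30"></head></html>')
VARIANT_PAGE = "<META HTTP-EQUIV=refresh CONTENT='0;url=//dupedb.com/x'>"

if __name__ == "__main__":
    for name, page in [("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)]:
        print(name, offsite_refreshes(page, PAGE_URL, ALLOWED))
```

Run against pages fetched on a schedule, a non-empty result is a cheap signal that template or database content has been altered.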
No details have emerged on exactly how TechCrunch was taken over, but from what we were able to see, the evidence does not suggest a DNS redirect. That said, TechCrunch uses WordPress (just like us), which a security professional once jokingly referred to as a dropper because of the number of security problems the platform has had. That’s hardly unique to WordPress: the platform is very much a victim of its own popularity, its inherent complexity as a publishing platform, and the fact that plugin integration is community driven, which sometimes introduces security problems. These three things are all positives, but do introduce security considerations.
Pursuing the theory of a possible WordPress issue, CrunchGear, a site in the TechCrunch Network, has its readme.html file available, stating the WordPress version installed, and its /admin authentication page is accessible here for password guessing.
Now that TechCrunch is back up, we can see that their readme file is also available, as well as their WordPress login screen (which is awkwardly behind webserver authentication, but still accessible if you cancel out of the login dialogue). It’s entirely possible someone brute forced the password; there are scripts available to do this for WordPress.
Another question is whether TechCrunch just updated their WordPress install. Speaking with security pro Dan Tentler, we learned that the WordPress version on the readme.html file was 2.8.4 earlier tonight. Now it reads 2.9.1, the current version of WordPress.
There’s no evidence that anyone involved with DupeDB is actually responsible for the attack. However, there is no real attribution in the defacement, and this would drive traffic to the warez web site.
Either way, we expect TechCrunch, which has provided extensive coverage of other site compromises, to be just as up front in analyzing how their own site was cracked.
We’ll provide updates as they become available.