TechCrunch, the popular blog founded by Michael Arrington in 2005 that profiles technology start ups with posts about their products and company news, was the victim of a website defacement that has effectively taken the site down for a period of three hours at time of writing. The site initially went down a little after 1 am EST with a message of “Hi” on the homepage, and for a while seesawed between coming back up, being newly defaced, and showing a “We’ll be back shortly” message.

There is no word yet of how the attack took place, however, all appearances suggest that access was gained to the TechCrunch content itself as opposed to being a DNS redirect, or something similar, as happened to Twitter and Baidu recently. The fact that TechCrunch uses the WordPress blog application has led to speculation that the problem may be an exploit in the popular blogging platform.

At 1:20 am EST TechCrunch was down with the message “Hi” on the homepage.

The first message showing up on TechCrunch.

It then showed this link:

The first link to DupeDB.com as 'rapidshare downloads'.

From there the site came back up briefly and went back to the “We’ll be back shortly” message.

We'll be back soon.

It was taken over again as shown below, then returned to the “We’ll be back shortly” message.

Taken over again, this time with another link to dupedb.com.

The site finally seem to become stable after 3am EST with a final message from TechCrunch on the homepage:

Earlier tonight techcrunch.com was compromised by a security exploit.

We're working to identify the exploit and will bring the site back online shortly. 

DupeDB.com

The site (91.121.221.39) that the homepage was linked to appears to be a warez site hosted in Roubaix, France, hosted by ISP Ovh Systems. TechCrunch is of course hosted by Rackspace.com, which was recently in the news because of the role their servers played in the ‘Aurora’ attack on Google.

The word warez is a self referential term in communities that deal with the underground distribution of pirated content (software, music, movies, etc.). The dupeDB site appears to be a torrent and rapidshare download site containing links to movies, music, cracked software, and so forth.

DupeDB.com site.

DupeDB has its own Twitter account and online forum as well.

Other Attacks with DupeDB.com

The attack directs to the same web site as a brief takeover of forums of the Neowin.net technology news website on December 27th of last year. In that case, a Meta redirect was injected sending users from neowin.net to dupedb.com. The same issue also afflicted the Flyertalk forum on December 27th, and the Sprint Users forum on December 15th.

The Meta tag redirect injected into Neowin.net’s forums:

<meta content="0; URL=http://dupedb.com/" http-equiv="Refresh"/>

Finally

No details have emerged on exactly how TechCrunch was taken over, the evidence does not suggest a DNS redirect from what we were able to see. That said TechCrunch uses WordPress (just like us), which a security professional once jokingly referred to as a dropper because of the number of security problems the platform has had. That’s hardly unique to WordPress, the platform is very much a victim of its own popularity, its inherent complexity as a publishing platform, and the fact that plugin integration is community driven thus soemtimes introducing security problems. These three things are all positives, but do introduce security considerations.

Pursuing the theory of a possible WordPress issue, CrunchGear, a site in the TechCrunch Network, has its readme.html file available stating the WordPress version installed, and its /admin authentication page is accessible here for password guessing.

Now that TechCrunch is back up, we can see that their readme file is also available, as well as their WordPress login screen (which is awkwardly behind webserver authentication, but still accessible if you cancel out of the login dialogue. Its entirely possible someone brute forced the password, there are scripts available to do this for WordPress.

Another question comes up as to whether TechCrunch just updated their WordPress install. In speaking to security pro Dan Tentler, the WordPress version on the readme.html file was 2.8.4 earlier tonight. Now it reads 2.9.1, the current version of WordPress.

There’s no evidence that anyone involved with DupeDB is actually responsible for the attack, however there is no real attribution in the defacement, and this would drive traffic to the warez web site.

Either way, we expect TechCrunch, who has provided extensive coverage of other site compromises, to be just as up front in analyzing how their own site was cracked.

We’ll provide updates as they become available.

Related Posts:

• Newsweek Reports Zombie Invasion
• Going After BP
• Congressional Web Site Defacements Follow the State of the Union
• Umm…TechCrunch? Defacement Two in 24 Hours
• Baidu.com the Latest Victim of Iranian CyberArmy

A group called the Iranian Cyber Army has, fresh off the heels of their DNS attack on Twitter last month, hijacked the domain of Chinese search engine Baidu.com. Baidu is one of the most popular web sites in the world, a NASDAQ 100 multimedia company headquartered in Beijing that indexes over 740 million web pages for search and provides music and video content. The company employs over 6,000 people, has a 77% market share for search in China, and has annual revenue of about $200mm. For about three hours they were an advertising platform for a hacktivist group supporting the fundamentalist Islamic regime in Iran.

Such digital attacks for political purposes are sometimes referred to as hacktivism, usually defined as “the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends”.

The IP address baidu.com pointed to temporarily routed to 174.121.0.7 in Houston Texas when we pinged it, to a site hosted via ISP ThePlanet.com. The site normally shows hosts in Beijing, China, hosted by China Unicom (example: 202.108.22.5 is back up now). It appeared last night that the defacement site was hosted at a couple of different places.

The site as it appeared for about three hours today:

The site served up at baidu.com earlier.

Baidu.com as it normally appears:

Baidu.com, normally.

Two other domain names are referenced on the page: cyberarmyofiran.com and ircarmy.com. The first, IP 70.35.29.162, shows hosting by Netfirms in Markham Ontario in Canada. The second, ircarmy.com, is at IP 69.147.83.188, showing hosting by Yahoo in Sunnyvalue, California.

This is the same group responsible for the attacks on Twitter and mowjcamp.org last month, Twitter having gone down for a while the evening of December 17th. During the attack on Twitter a bad actor used an id and password assigned to Twitter to log in to the administrative portal of managed DNS service provider Dyn.

DNS Services

At the time that Baidu.com was being redirected, we were seeing different SOA and NS results for the Baidu.com domain name. A simple script was used to look at this data:

$ sh dnsbaidu.com
[baidu.com]----------------------
---[resolver.qwest.net]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
ns3.baidu.com.
ns2.baidu.com.
dns.baidu.com.
ns4.baidu.com.


---[4.2.2.2]---
---[SOA]---
---[NS]---


---[4.2.2.3]---
---[SOA]---
dns204.a.register.com. root.register.com. 2010011108 28800 7200 604800 14400
---[NS]---
dns050.c.register.com.
dns204.a.register.com.
dns010.d.register.com.
dns190.b.register.com.


---[8.8.8.8]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.


---[8.8.4.4]---
---[SOA]---
dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200
---[NS]---
dns.baidu.com.
ns2.baidu.com.
ns3.baidu.com.
ns4.baidu.com.


---[208.67.222.222]---
---[SOA]---
ns1.coolhandle.com. server.pronethosting.net. 2010011101 86400 7200 3600000 86400
---[NS]---
ns2.coolhandle.com.
ns1.coolhandle.com.

We were seeing even more interesting results when using a DNS tool called Squishywishywoo. The results are below and I have attached the full output in: baidu-dnscheck.pdf

50.0% of queries will be returned by 174.121.0.2 (ns2303.hostgator.com)
baidu.com.  86400   IN  SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
                    2010011202  ; Serial
                    86400   ; Refresh
                    7200    ; Retry
                    3600000 ; Expire
                    86400 ) ; Minimum TTL
50.0% of queries will be returned by 174.121.0.3 (ns2304.hostgator.com)
baidu.com.  86400   IN  SOA ns2303.hostgator.com. dnsadmin.gator1152.hostgator.com. (
                    2010011202  ; Serial
                    86400   ; Refresh
                    7200    ; Retry
                    3600000 ; Expire
                    86400 ) ; Minimum TTL

Out of all the DNS results, only Google (8.8.8.8) and Qwest (resolver.qwest.net) return correct answers for Baidu’s NS records. The others, OpenDNS (208.67.222.222), Level 3 (4.2.2.3 & 4.2.2.2), and Squishywishywoo returned incorrect results.

We are able to check for the correct expected results by looking at the WHOIS data provided by register.com. Register.com is the service that the Baidu.com domain was registered with and is the definitive authority for that domain.

definitive
Registrant: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: 036f37850a14115101201f9483195f63@domaindiscreet.com


Registrar Name....: Register.com 
Registrar Whois...: whois.register.com 
Registrar Homepage: www.register.com 

Domain Name: baidu.com 
Created on..............: 1999-10-11 
Expires on..............: 2014-10-11 

Administrative Contact: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: 036f376a0a14115100199c0316d64ebb@domaindiscreet.com


Technical Contact: 
Domain Discreet 
ATTN: baidu.com 
Rua Dr. Brito Camara, n 20, 1 
Funchal, Madeira 9000-039 
PT 
Phone: 1-902-7495331 
Email: 036f37860a14115101c8a6d69ced14a8@domaindiscreet.com


DNS Servers: 
ns3.baidu.com
ns2.baidu.com
ns4.baidu.com
dns.baidu.com

In directly querying the listed authoritative servers with the dig command, we are able to display the data that the rest of the world should be seeing.

dig @220.181.37.10 baidu.com SOA                                                                                       (~/tmp/new)

; <<>> DiG 9.6.0-APPLE-P2 <<>> @220.181.37.10 baidu.com SOA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26843
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;baidu.com.         IN  SOA

;; ANSWER SECTION:
baidu.com.      7200    IN  SOA dns.baidu.com. sa.baidu.com. 2010011101 300 300 2592000 7200

;; AUTHORITY SECTION:
baidu.com.      86411   IN  NS  dns.baidu.com.
baidu.com.      86411   IN  NS  ns2.baidu.com.
baidu.com.      86411   IN  NS  ns3.baidu.com.
baidu.com.      86411   IN  NS  ns4.baidu.com.

;; ADDITIONAL SECTION:
dns.baidu.com.      300 IN  A   202.108.22.220
ns2.baidu.com.      300 IN  A   61.135.165.235
ns3.baidu.com.      300 IN  A   220.181.37.10
ns4.baidu.com.      300 IN  A   220.181.38.10

;; Query time: 308 msec
;; SERVER: 220.181.37.10£53(220.181.37.10)
;; WHEN: Tue Jan 12 00:17:03 2010
;; MSG SIZE  rcvd: 202

The key thing to note is the SOA serial number 2010011101. When a recursive DNS server such as Google’s 8.8.8.8 receives a request for Baidu.com and it does not have that data in its DNS cache, it will proceed down the DNS hierarchy to find the authoritative DNS server for the domain and request the needed data. The authoritative DNS server will return the requested data and the current serial number, which in this case is 2010011101. The recursive DNS server will return the cached results, but after a timeout period it will go back to the authoritative DNS server, send the serial number it has in the cache, and ask if it needs an update on the date. The authoritative DNS server will then compare the request and internal number to see if there needs to be an update.

The issue with this comes into play in our data above; OpenDNS’s results show an SOA serial number of 2010011101, which is correct, but also contain the wrong NS server entries for Baidu.com. When OpenDNS goes and asks the authoritative DNS server if it needs to update data it will be told no due to the matching SOA records; thus, it will continue returning bad DNS data until the authoritative DNS server changes the serial number.

With this data in mind, we would ascertain that the changes were initially made at .com level, most likely through Register.com to point the Baidu.com domain name to DNS servers controlled by the attackers. When we dug into DNS records, Register’s were corrected, but the cached bad records out on the other DNS servers still existed. While we can’t confirm this with certainty, the data found in DNS would lead to this conclusion.

A recommendation to Baidu.com’s DNS administrators is to update their serial numbers to something higher than 2010011202 as that has been the highest serial number we have see on any DNS server. This will force cached servers to update their records to the proper entries.

Translation of the Text

The text is Persian and translates roughly to:

"Iranian (Persian) Cyber Army, is formed (and is on the move), in protest for the meddling of the foreign and
 Zionist sites in our countries domestic affairs and broadcasting of false news and inciting of conflict."

The text in the middle says “Dear Hussein”, perhaps in reference to Imam Hussein.

A similar sentiment to the messages present in the attack on Twitter.

Baidu

The name Baidu comes from an 800 year old Chinese poem written during the Song Dynasty. The poem compares the search for retreating beauty amid chaotic glamor with the search for one’s dream impeded by life’s obstacles. And we have ‘Google’.

Finally

While pressured to intervene as a response to Iran’s nuclear ambitions, China has for the most part stayed clear of speaking out on the subject. Businesses in China have served as intermediaries for products imported from Iran that are then shipped to U.S. firms, in violation of U.S. economic sanctions against Iran. For these reasons, it is unclear how attacking a Chinese search engine fits into the strategy of this hacktivist pro-Iranian government group. It may have just been that baidu.com was an opportunity to spread their message on a high profile web site.

Related Posts:

• Newsweek Reports Zombie Invasion
• Going After BP
• Congressional Web Site Defacements Follow the State of the Union
• Umm…TechCrunch? Defacement Two in 24 Hours
• TechCrunched – TechCrunch the Victim of a Defacement

• <3 <3 <3 @T3ETH NXT TIME REALNESS PIC A BETTER PASSWORD!!!! PVNKS UNITE!!!
• <3 LADY GAGA – NO HATE INTENDED!!!! CAN’T WAIT 4 THE MONSTER BALL!!!!
• …butt LADY GAGA RULEZ THE WORLD!!!!! Warhol are you listening?!!
• I swear my dick is not as big as T33TH’S!!!! POPWRLDSUCKZ!!! PUNX UNITE!!!! <3
• GAGA PEECE FOR LYFE!!!
• Hay my babies!!! LOVE GAGA??? LOVE T33TH!!! http://www.myspace.com/teethdance

Strange tweets showing up in Lady Gaga's tweetstream.

London band Teeth.

The London band T3eth, suspected of hacking the account.

Anonymous?

The lone offensive tweet references the Internet hoax that suggested Lady Gaga was a hermaphrodite, perpetuated initially by the Youtube video below and a fake quote:

It’s not something that I’m ashamed of, just isn’t something that I go around telling everyone. Yes. I 
have both male and female genitalia, but I consider myself a female. It’s just a little bit of a penis 
and really doesn’t interfere much with my life. The reason I haven’t talked about it is that it’s not a 
big deal to me. Like come on. It’s not like we all go around talking about our vags. I think this is
a great opportunity to make other multiple gendered people feel more comfortable with their bodies. 
I’m sexy, I’m hot. I have both a poon and a peener. Big f*cking deal. 
- Attributed to Lady Gaga

I only bother including the video, because it contains a reference to another famous Internet group: Anonymous. No conspiracy, its just amusing to see Guy Fawke in the beginning of the video hanging out with the Lady Gaga crowd.

Anonymous hanging out at the Lady Gaga concert.

Members of Anonymous protesting scientology.

Britney

On Friday, Britney Spears appeared to be letting us in on a previously unknown penchant for devil worship:

The appearance of the Britney Spears Twitter account on Friday.

Why is this News?

Celebrities having their Twitter accounts cracked doesn’t seem like a new problem, and indeed Britney did report herself dead via Twitter back on June 28th. But there is a difference, and that is that many of the openings for easily brute forcing the Twitter password via the web site have closed. Note I said easily, don’t spam the comments with speculation on how the account was compromised (unless its high quality speculation), we know quite well that Twitter is still far from security nirvana.

Twitter has been slowly closing loop holes in their authentication process over the course of this year. Back in September we pointed out the reCAPTCHA implementation on login that shows up when you enter too many bad authentication attempts, a key difference in the process from when the rash of prominent account break-ins occurred earlier in the year (including the notable crack of a Twitter admin’s account). Twitter has more recently started to lock out accounts for an hour when they provide too many bad passwords (a lousy idea from a security perspective, but we’ll get into that some other time).

In Breaking Twitter we showed how Twitter rate limits were not enforced as advertised in their API documentation, allowing brute force of passwords via the API. Well that hole has somewhat closed (we’ll touch on that in a future post as well).

Now in the Lady Gaga case, Teeth seems to be admitting that they successfully guessed the password, so fair enough for that one. What about the Britney case? Because what was once a very obvious avenue of attack (point password brute forcing tool and click) has become a little less obvious. Maybe its someone in her entourage, or Kevin Federline?

PoPo Zao.

Update

• Lady Gaga had this to say today: “Seems as though my twitter was hacked yesterday. I could be angry, except I secretly love how psychotically smart my fans are.”
• It looks like Lady Gaga’s password was: JustDance1. Explains why it was easy to guess, that’s the title of one of her initial hit songs. Hopefully she doesn’t fall into the category of using the same password on every web site.

References

• Gnash Your Teeth
• Lady Gaga’s Twitter hacked?

Related Posts:

• Persistent XSS on Twitter.com
• James Lipton says “Don’t tweet your junk”
• “Hi. This you?? LOL” Twitter Attack Snares Kevin Mitnick
• Facebook’s Faith: A New Scareware Attack
• Breaking Twitter (authentication)