Well, well, well, what do we have here: DRDO hacked, along with a few other key Indian government websites, all targeted by an Algerian hacker.
Does this surprise me? No is the apt answer.
The list of sites hacked by SanFour25, along with the timeline of notifications to Zone-H:
2012-10-06 17:16:18 NZ https://www.capricourt.co.nz/tmp/Dz.php
2012-10-29 23:31:34 CR https://conference.circom-regional.eu/Dz.php
2012-10-29 23:31:34 CR https://publicmediasee.org/Dz.php
2012-10-29 23:54:16 IN https://iii.gov.in/tmp/Dz.php
2012-10-29 23:57:19 IN https://www.rac.gov.in/experts/Dz.php
2012-10-30 00:07:18 IN https://policewb.gov.in/wbp/counter.txt
2012-10-30 00:09:09 IN https://www.diu.gov.in/departments/Dz.php
2012-10-30 00:14:11 IN https://gpra.nic.in/writereaddata/Dz.php
2012-10-30 00:32:43 IN https://birapdbt.nic.in/video/Dz.php
2012-10-30 01:00:18 IN https://rciregistration.nic.in/rehabcouncil/Dz.txt
Judging from the time taken to issue a notification to Zone-H, it seems all these hacks most probably happened in a time span of 90 minutes, which includes the Croatian websites.
Since Croatian servers were also hacked during the same time period, I am all the more confident that the modus operandi of the hacker was to use known vulnerabilities, search for them using either Google dorks or ShodanHQ, and implement these attacks.
Secondly, as the homepage was not touched and files were uploaded instead, the most probable entry point would have been through form submits. One surprising factor is the absence of a reverse shell, or has it simply not been disclosed? This is one question whose answer is still awaited.
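The pattern described above (a form submit, then a script served from a writable directory such as /tmp/ or /writereaddata/) leaves a recognisable trace in the web server's access log. The following detector is an added example, not code from the original post or from any of the affected sites; the log lines are constructed in Apache combined-log format with made-up IP addresses, and the list of writable directories is an assumption drawn from the paths in the Zone-H list.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real logs from any defaced host).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2012:23:50:02 +0530] "GET /tmp/Dz.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2012:23:52:41 +0530] "POST /upload.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2012:23:53:10 +0530] "GET /tmp/Dz.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2012:23:55:00 +0530] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2012:23:56:00 +0530] "POST /contact.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [29/Oct/2012:23:56:30 +0530] "GET /thanks.php HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.33 - - [30/Oct/2012:00:12:05 +0530] "POST /form/submit.php HTTP/1.1" 302 0 "-" "curl/7.26"
192.0.2.33 - - [30/Oct/2012:00:13:48 +0530] "GET /writereaddata/Dz.php HTTP/1.1" 200 640 "-" "curl/7.26"
198.51.100.9 - - [30/Oct/2012:00:30:00 +0530] "GET /tmp/notes.txt HTTP/1.1" 200 20 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed list of directories the web server can write to; the paths in the
# Zone-H list (tmp/, writereaddata/, video/) are where the dropped files landed.
WRITABLE_DIRS = ("/tmp/", "/writereaddata/", "/uploads/", "/video/")
SUSPICIOUS_EXT = (".php", ".phtml", ".txt")


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_upload_then_execute(lines, window=timedelta(minutes=10)):
    """Return (ip, path, iso_timestamp) for requests that look like a freshly
    uploaded script being executed.  Two signals are used:
      1. a 200 for a script/text file under a writable directory, preceded
         within `window` by a POST from the same client IP;
      2. a path that earlier returned 404 and now returns 200 (the file
         appeared on disk between the two requests)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    last_post = {}     # ip -> timestamp of that client's most recent POST
    seen_404 = set()   # paths that have returned 404 at some point
    hits = []
    for e in events:
        if e["method"] == "POST":
            last_post[e["ip"]] = e["ts"]
            continue
        path = e["path"].split("?", 1)[0]
        if e["status"] == 404:
            seen_404.add(path)
            continue
        if e["status"] != 200 or not path.lower().endswith(SUSPICIOUS_EXT):
            continue
        in_writable = any(d in path for d in WRITABLE_DIRS)
        recent_post = e["ip"] in last_post and e["ts"] - last_post[e["ip"]] <= window
        reappeared = path in seen_404
        if (in_writable and recent_post) or reappeared:
            hits.append((e["ip"], path, e["ts"].isoformat()))
    return hits


if __name__ == "__main__":
    for ip, path, ts in find_upload_then_execute(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} executed newly written file {path}")
```

Of the constructed lines, only the two POST-then-script sequences are flagged; the ordinary contact-form flow (POST then /thanks.php) is not, and the late /tmp/notes.txt request falls outside the ten-minute window. Tune `WRITABLE_DIRS` to the directories your own deployment actually writes to, and treat the first signal as a lead to confirm against the filesystem's modification times rather than as proof on its own.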
As for the admins/programmers of these servers, the same old story is being repeated:
1: No updates
2: Improper sanitization
3: No IPS/WAF/Apache mod_security in place
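The "improper sanitization" item above is, for the file-drop pattern in this campaign, usually an upload handler that trusts the client-supplied filename. The code below is an added illustration written for this post, not code from any of the affected sites: the unsafe function shows the failing, and the hardened one applies the checks a practitioner would expect (directory stripping, extension allowlist, rejection of script extensions hidden in the name, content sniffing, and a server-chosen random name). The upload directories are assumed paths.

```python
import os
import secrets

# Allowed extensions mapped to the magic bytes the content must start with.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".pdf": (b"%PDF-",),
}
# Extensions that a mis-configured handler may execute, even mid-name (shell.php.jpg).
SCRIPT_EXTS = {".php", ".php3", ".phtml", ".phar", ".asp", ".aspx", ".jsp", ".cgi", ".pl", ".sh"}


def save_unsafe(filename, data, upload_dir="/var/www/html/tmp"):
    """The failing behind most 'Dz.php in /tmp' defacements: the client's
    filename is used as-is inside the document root, so Dz.php is stored and
    executed on the next GET, and ../ segments escape the upload directory.
    Returns the path the file would be written to (assumed directory)."""
    return os.path.normpath(os.path.join(upload_dir, filename))


def validate_upload(filename, data):
    """Return the server-chosen name the file will be stored under, or raise
    ValueError describing why the upload is rejected."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise ValueError("no extension")
    ext = "." + parts[-1]
    if ext not in ALLOWED:
        raise ValueError(f"extension {ext} not allowed")
    if any("." + p in SCRIPT_EXTS for p in parts[1:-1]):
        raise ValueError("script extension hidden in filename")
    if not data.startswith(ALLOWED[ext]):
        raise ValueError("content does not match extension")
    if b"<?php" in data:
        raise ValueError("embedded PHP open tag")
    # The stored name is chosen by the server, never by the client.
    return secrets.token_hex(16) + ext


def save_safe(filename, data, store_dir="/srv/uploads"):
    """Hardened counterpart: validates, then stores under a random name in a
    directory outside the web root (assumed path) that is served, if at all,
    through a download handler rather than executed by the web server."""
    return os.path.join(store_dir, validate_upload(filename, data))


def is_rejected(filename, data):
    """True if validate_upload refuses the file (handy for tests and logging)."""
    try:
        validate_upload(filename, data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(save_unsafe("Dz.php", b"<?php echo 1;"))          # lands in the web root
    print(save_unsafe("../../index.php", b"x"))              # overwrites the homepage
    print(save_safe("photo.JPG", b"\xff\xd8\xff\xe0rest"))   # random name, outside web root
    print(is_rejected("shell.php.jpg", b"\xff\xd8\xff"))     # True
```

Note that the content sniff and the tag check are a second line of defence, not a substitute for keeping uploads out of any directory the web server is willing to execute scripts from; the random name also removes the attacker's ability to predict the URL of what was just uploaded.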
Some of you may argue, how can I make such claims about the timeline and deduce that all these servers were hacked in a time span of 90 minutes? And I would say, "Elementary, my dear Watson, elementary."
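The deduction can be made explicit with a gap-based clustering of the Zone-H notification times quoted above. This is an added worked example, not part of the original post; the input is the page's own timeline, and the 30-minute gap threshold is an assumption chosen to separate one burst of activity from another.

```python
from datetime import datetime, timedelta

# The Zone-H notification timeline quoted above: (timestamp, country code, URL).
NOTIFICATIONS = [
    ("2012-10-06 17:16:18", "NZ", "https://www.capricourt.co.nz/tmp/Dz.php"),
    ("2012-10-29 23:31:34", "CR", "https://conference.circom-regional.eu/Dz.php"),
    ("2012-10-29 23:31:34", "CR", "https://publicmediasee.org/Dz.php"),
    ("2012-10-29 23:54:16", "IN", "https://iii.gov.in/tmp/Dz.php"),
    ("2012-10-29 23:57:19", "IN", "https://www.rac.gov.in/experts/Dz.php"),
    ("2012-10-30 00:07:18", "IN", "https://policewb.gov.in/wbp/counter.txt"),
    ("2012-10-30 00:09:09", "IN", "https://www.diu.gov.in/departments/Dz.php"),
    ("2012-10-30 00:14:11", "IN", "https://gpra.nic.in/writereaddata/Dz.php"),
    ("2012-10-30 00:32:43", "IN", "https://birapdbt.nic.in/video/Dz.php"),
    ("2012-10-30 01:00:18", "IN", "https://rciregistration.nic.in/rehabcouncil/Dz.txt"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def cluster_by_gap(records, max_gap=timedelta(minutes=30)):
    """Sort records chronologically and group them into bursts: a new burst
    starts whenever the gap to the previous notification exceeds max_gap."""
    recs = sorted(records, key=lambda r: parse_ts(r[0]))
    clusters = []
    for r in recs:
        if clusters and parse_ts(r[0]) - parse_ts(clusters[-1][-1][0]) <= max_gap:
            clusters[-1].append(r)
        else:
            clusters.append([r])
    return clusters


def span_minutes(cluster):
    """Minutes between the first and last notification of one burst."""
    return (parse_ts(cluster[-1][0]) - parse_ts(cluster[0][0])).total_seconds() / 60


def summarize(records, max_gap=timedelta(minutes=30)):
    """One summary dict per burst: bounds, size, countries seen, total span."""
    return [
        {
            "start": c[0][0],
            "end": c[-1][0],
            "count": len(c),
            "countries": sorted({r[1] for r in c}),
            "span_min": round(span_minutes(c), 1),
        }
        for c in cluster_by_gap(records, max_gap)
    ]


if __name__ == "__main__":
    for burst in summarize(NOTIFICATIONS):
        print(burst)
```

With a 30-minute gap the 6 October entry stands alone and the nine 29/30 October entries (two CR, seven IN) form a single burst spanning 88.7 minutes, which is the "roughly 90 minutes" in the text; with a 10-minute gap the same data splits into five bursts, so the threshold should be stated whenever such a timeline is used as evidence.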
As for data loss or data theft, I would rather wait for an official explanation than go off on a tangent speculating about the sensitivity of these organisations, the impact, how many systems were compromised, and so on.
However, I hope this was a good enough warning bell, or wake-up call, for NIC and the Indian CERT.