Subscribe

Hack binge on SA Linux sites

By Tracy Burrows, ITWeb contributor.
Johannesburg, 05 May 2003

A hacker successfully hacked into 53 South African Web sites on Friday, says IT security and e-commerce attorney Reinhardt Buys.

The hacker, called F3PN, hacked the sites between 8.31am and 8.59am on Friday, setting a new daily South African record.

All the attacked Web sites are running on a Linux operating system through a single server. All the domains were registered in the name of a company called Vukanet, says Buys.

"We`ve never seen a local attack of this magnitude before. This person or group of persons succeeded in destroying more than 50 Web sites in less than half an hour."

Buys says the hacker only targeted Web sites in the .co.za domain. No other Web sites were attacked during the course of the day.

He says it is highly unusual to see so many sites running on Linux coming under attack. "We do not see a lot of Linux hacks. On average, about 20% of daily worldwide hacks are done on Linux computers."

After the attack, all the affected sites had the same message from the hacker: "F3PN 0wnz By FaiSCa_ 0wnz b0x !!"

Only a handful of the affected sites - mlasset.co.za, partnet.co.za, iso2000.co.za, safarifeeds.co.za, victoriaplace.co.za and anyjob.co.za - were up and running by this morning.

The sites that were hacked included: unica.co.za, rudsatours.co.za, edgeproduction.co.za, einstein.co.za, equadoor.co.za, groundsconsult.co.za, hittube.co.za, galleryclearing.co.za, iabacus.co.za, fouroaks.co.za, icp.co.za, ideasman.co.za, imberbe.co.za, phashasha.co.za, ndawo.co.za, musgravecomp.co.za, itempowerment.co.za, nitropromotions.co.za, incentivewise.co.za, lesserkestrel.co.za, jojotanks.co.za, learnmaths.co.za, pigbrother.co.za, ppmgroup.co.za, jamescaird.co.za, marlen.co.za, megatour.co.za, rmaa.co.za, saqi.co.za, timbercity.co.za, scg.co.za, tiqms.co.za, tubulartrack.co.za, topnet.co.za, thebigdoor.co.za, ultimategh.co.za, vukanet.co.za, anyplace.co.za, aidaprogram.co.za, bangani.co.za, afritrade.co.za, alltrans.co.za, anyrent.co.za.

Alastair Otter, editor of African open source news site Tectonic, says that while the number of sites involved is high, the incident is not exceptional.

"Many hosting service providers typically house a number of sites on one machine by using a Web server capable of serving virtual domains. If this single machine is compromised and the attacker gains root access, they are very quickly able to deface all the Web sites housed on that machine within minutes of gaining control.

"The fact that the hacker was able to deface 53 local Web sites in less than 30 minutes suggests that this was indeed the case," he says.

To systematically break into more than 50 computers within 30 minutes, and gain control of them, is a near impossible task - unless the individual sites were hosted on identical machines with the same vulnerability across all of them.

Otter says the fact that the sites were hosted on a Linux machine does not automatically make them more secure than any other.

"Typically Linux is a more secure hosting platform than most others, with Linux now one of the most popular Web hosting platforms and the Apache Web server, another open source application, by far the most commonly used server. It is home to more than 60% of the Internet`s Web sites.

"But as the operating system grows in popularity, so does its vulnerability," he says. "The open source community is renowned for being quick to respond to bugs and security risks but if those fixes are not applied, the hosting machine is as vulnerable as any other."

Related stories:
Hack attack defaces Web sites
Hackers deface SA sites for fun
Hacker continues trail of malice

Share