Hacker tracking site falls prey to ThePike

A hacker going by the name of ThePike yesterday defaced Alldas.de - a site that tracks Web site defacements...
Written by Matt Loney, Contributor

A well-known Web site that tracks defacements on other sites by hackers such as PoizonB0x was itself defaced yesterday by a hacker going under the name of ThePike.

Alldas.de is one of a shrinking number of sites that track a growing number of defacements. At the end of May a similar site, called Attrition.org, said it would stop tracking Web site defacements because the volunteer staff can no longer keep up with the volume.

The administrators of Alldas.de acknowledged their vulnerability to hackers: "Nothing is 100 percent secure," they said in a statement, "and today we managed to realise that our security wasn't as good as we thought."

The first sign that the site had been compromised appeared at 3.44pm on Tuesday when a message appeared saying, simply: "Alldas.de got cracked". About a minute later it disappeared again.

In an unusually candid explanation of what happened, the administrators said: "Well, the user fooled our scripts to mirror [aapje.kijkt.tv] a defacement which included an image tag to a .php file which got mirrored that way. After it got mirrored, it was used to execute commands on the server [as an unprivileged user]. It was a clever way to exploit it, a way we overlooked."

Mirroring refers to copying the code of a tagged page to preserve a facsimile of it in the Alldas archive.
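The weakness the administrators describe can be closed on the mirroring side by never letting the remote URL decide how a stored copy is named. The sketch below is an added example, not code from Alldas.de or from this article; the function names, the sample URL and the assumption that the mirror kept the remote file name inside a web-served archive are all hypothetical.

```python
import hashlib
import os
from urllib.parse import urlsplit

# Magic-byte signatures for the only asset types stored with an image extension.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
    b"GIF87a": ".gif",
    b"GIF89a": ".gif",
}

# Constructed sample input: an "image" URL whose target is really a script.
SAMPLE_URL = "http://defaced.example/img/banner.php"
SAMPLE_BODY = b"<?php /* constructed placeholder, not a real payload */ ?>"


def naive_mirror_name(url: str) -> str:
    """Risky pattern (assumed): keep the remote file name, extension included."""
    return os.path.basename(urlsplit(url).path)


def sniff_image_ext(body: bytes):
    """Return an image extension chosen from the content, or None."""
    for magic, ext in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return ext
    return None


def safe_mirror_name(body: bytes) -> str:
    """Name the stored copy from its content hash.

    The URL is deliberately not an input, so a remote page cannot pick an
    extension the web server maps to an interpreter. Content that is not a
    recognised image is stored under the inert ".bin" extension.
    """
    ext = sniff_image_ext(body) or ".bin"
    return hashlib.sha256(body).hexdigest()[:16] + ext


if __name__ == "__main__":
    print("naive :", naive_mirror_name(SAMPLE_URL))   # keeps the .php name
    print("safe  :", safe_mirror_name(SAMPLE_BODY))   # hash-based, ends in .bin
```

Renaming alone does not cover a file that carries a valid image header followed by script text, so the archive directory should also be served with script handlers disabled.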

The administrators said no higher access levels were reached and the reason why he only added things to the database was "probably because higher system access could not be gained by them". The attacker explained in an email how and what he did on the server shortly after the administrators had figured it out themselves by going through log files.

According to Alldas.de, the hacker said in his message: "I had no intention to clear your database or to root your server. No attempt to do this has been made." However, the administrators said that their log files showed the hacker had in fact attempted to gain root access by, among other things, trying to download and install bindshells on the server.

At the end of the message, the hacker said: "To the alldas people: keep up the good work but please don't underestimate the educational role you can play as being an organisation loved by script kids. In a few minutes you will receive a mail about how to fix your security. I do not have any intention to cause harm to you."
