Hackers compromise govt websites

Although April fools has passed, a number of government system administrators may wake up today finding the joke is still on them as they find their websites are defaced or have security holes.

Although April Fools Day has passed, a number of government system administrators may have woken up this morning to find the joke is still on them, since their websites have been defaced or have had security holes highlighted.

Hacker "alsa7r" leaves their calling card on the Bourke council's website
(Screenshot by Michael Lee/ZDNet Australia)

Over the weekend, hackers hit the websites of NSW Bourke Shire Council, the WA Shire of Cue, the WA Government's Public Sector Management (PSM) Program and the Victorian North East Victorian Regional Waste Management Group (Nevrwaste).

A hacker going by the alias alsa7r broke into the Bourke council and Nevrwaste sites, while another hacker called Mr.XHat claimed responsibility for Cue council and the WA PSM sites.

While Bourke council's main website was left untouched, alsa7r left a calling card, demonstrating that he or she had the ability to upload files to the council's webserver and indicating that the string of attacks is part of a hacking challenge. It has since been removed. Nevrwaste, meanwhile, had been less lucky, since the the main site was replaced with just the hacker's name, and an additional calling card was left on the web server.

This morning, Cue council's website contained the message, "Security is a joke! Your box owned by Mr.XHat", although the site's administrators have now restored it to its former condition.

WA PSM also appears to have restored its website completely, but Nevrwaste was still showing signs that security issues have not been addressed.

The message left by hacker "Mr.XHat" on the website of the Shire of Cue this morning
(Screenshot by Michael Lee/ZDNet Australia)

Hackers have compromised government websites in the past, but have not always defaced the front page of such sites to avoid detection. One such case occurred earlier this year when two hackers, in two separate incidents, both left calling cards on the Governor General's website, demonstrating that over a period of at least 10 months, it had been vulnerable.