Revenge hack put 5.5 million domain names allegedly at risk

One Adobe ColdFusion zero-day, a VPS host, a network security scanner, 5.5 million domain names, and one IRC server — that's the cost of a hacking group obtaining revenge on a bunch of script kiddies.
Written by Michael Lee, Contributor

Amid hacking group Hack the Planet's (HTP) claims that 5.5 million domain names had been compromised, and several domain registrars had been hacked, Name.com and Melbourne IT have stepped forward to confirm that they have been breached.

Last month, virtual private server company Linode issued password resets after an attack on one of its customers, but the issue now appears to be larger than a single hacking attempt.

HTP has claimed that the attack on Linode was only part of a chain of hacks on several organisations. Its motive was to get revenge on another group of hackers that had attacked it and impersonated a hacker going by the name of ac1db1tch3z — the same hacker who was responsible for exposing a vulnerability in 64-bit Linux machines.

HTP alleges that it was able to track its attackers down to SwiftIRC, and claimed that SwiftIRC uses Linode for its name servers, making Linode its next target. The group's plan was to go even higher up the chain, compromising Linode's domain registrar, Name.com, and setting up a man-in-the-middle attack to capture login details when users tried to use their credentials at whatever site the hacking group pointed Linode.com to.

While Name.com did not acknowledge whether HTP was responsible, it admitted that it had discovered a security breach that was "motivated by an attempt to gain information on a single, large commercial account at Name.com".

"Customer account information, including usernames, email addresses, and encrypted passwords and encrypted credit card account information, may have been accessed by unauthorized individuals," Name.com told its customers via email.

Logs from HTP's attack appear to back up claims that it could have compromised the domain names for not only Linode, but also several other organisations, including Deviant Art and 9gag. The logs only indicate hashed passwords, however, meaning that only accounts with weak passwords might possibly be breached.

Attack logs showing hashed passwords for a number of popular domains, including Deviant Art and 9gag.
Image: Screenshot by Michael Lee/ZDNet

HTP claims that along with attacks on a number of other registrars, it could have compromised 5.5 million domain names across Name.com, Xinnet, Melbourne IT, and Moniker.

The dumped information from the attack includes the contents of web directories and the /etc/passwd file on two of Melbourne IT's servers.

Melbourne IT told ZDNet that it was aware of the incident, without naming whether HTP was the responsible party.

"The attacker managed to gain limited access to a low-level server, which hosts content for one of Melbourne IT's non-retail websites, but hosts no customer data nor sensitive company data," a spokesperson for the company said.

"Our investigations have found there is no evidence of any data loss, and no evidence of unauthorised access to any other Melbourne IT system.

"Our investigations are continuing, and we have taken proactive precautions to heighten our security posture while this investigation is completed."

Melbourne IT was compromised by Anonymous Australia last year, due to a different ColdFusion flaw. It ultimately affected one customer: AAPT. The Privacy Commission is currently undertaking an investigation to determine whether either company breached the Privacy Act.

Moniker told ZDNet that none of the information published was retrieved using its registrar platform, and that the information itself was only relevant to a public-facing site.

"The published file does not contain any access or information related to or about Moniker customers, their accounts or their domains," a spokesperson for the company said in an email.

ZDNet contacted Xinnet for comment, but had not received a response at the time of writing.

From here, the group changed tactics, forgoing a man-in-the-middle attack and going after Linode directly, using a previously unknown vulnerability in Adobe ColdFusion. This matches its previous claims and Linode's response to the breach. HTP has since released the code used to exploit the vulnerability, and Adobe has issued a hotfix for it.

HTP's access to Linode also gave it access to Nmap.org, the site behind the network security scanner, and also host to a number of information security mailing lists. Nmap author Gordon Lyon, also known online as Fyodor, acknowledged the attack earlier last month in a post to the Nmap Development mailing list.

He wrote, "Someone compromised our hosting provider (Linode) and used that access to break into some of our virtual private server (VPS) systems.

"Interestingly, our web referrer logs show that the attacker first visited us by following a link on [a] Quora page listing Linode's most prominent customers."

"I guess they hacked Linode, and then went looking for well-known sites to go after. Perhaps we should be flattered to have made the list, but we're not. Linode says the intruder messed around with our account, but left their other customers alone."

HTP's release includes a 16GB dump of what it alleges is Nmap.org's home directory.

Linode has since rolled out two-factor authentication to protect accounts. It uses the time-based one-time password algorithm, meaning tokens can often be generated in the same authentication apps used for Dropbox, Amazon Web Services (AWS), and Google accounts instead of users having to download a separate app.

Updated on May 13, 2013 at 9.58am AEST: Added comment from Moniker.
