Right Wing Hackers Target IndyMedia

HackThisSite.org, 02.05.2005

Right-wing hackers 'g00ns.com' are taking credit for attacking several IndyMedia websites posting anti-left rhetoric. This explains how to fix the bugs, who is responsible for the attacks, and how to prevent this kind of action in the future.

 http://www.hackthissite.org/news/view/207
 http://indymedia.us/en/2005/04/6718.shtml
 http://portland.indymedia.org/en/2005/04/316502.shtml
 http://portland.indymedia.org/en/2005/04/316466.shtml

The hacker group 'g00ns' (g00ns.com and g00ns-forum.com) are taking credit for attacking various indymedia sites including nyc.indymedia.org, colorado.indymedia.org, michiganimc.org, arkansas.indymedia.org, newjersey.indymedia.org, and others. On the website, they released a bunch of extreme right wing rhetoric, accusing indymedia of being 'anti-republican'.

Attacking an open publishing network means you're attacking freedom of speech itself. They do not want to participate in the political process through mature discussion or legal channels. These online fascists need to be exposed and confronted.

Before we go into who was responsible for these attacks, it is important to stay on the defensive and to prevent this sort of attack from happening again. Each IMC needs to rebuild and patch their software, change passwords, go through server logs + remove backdoors, etc. The specific vulnerability that was exploited had to do with allowing the upload malicious PHP files to the media section of the website. This had been reported several months ago to the dadaIMC support staff, who had been advised to keep it private until the tech staff of each IMC had patched their software. It was later published to the dadaIMC website which contains details of how it was vulnerable and how to fix it.  http://www.dadaimc.org/mod/software/alerts/dadaIMC/index.php?alert=1

Now let's dig some information up about who these g00n fascists are, and what we could do about it.

They have their WHOIS information protected but we looked closer and found that the same webserver that hosts g00nz.com also hosts 5 other websites:

g00ns.com is at 70.84.85.147  http://whois.webhosting.info/70.84.85.147 (hosted by ThePlanet). Other websites: ASSOCIATEDOILS.COM. G00NS.COM. HACKERSRESOURCE.COM. HARRYPTAYLOR.COM. OGI2.COM. PARTNERSTX.ORG.

ThePlanet.com is a mainstream corporate web hosting service, who would certainly disapprove that g00ns.com is on their servers. You can email  abuse@theplanet.com and  legal@theplanet.com to report g00ns.com.

All of these sites seem to have been designed by CompleteCreations.com who does web design and hosting. A WHOIS of their domain reveals the full name and address:

Geddes, Wesley( wes@autoteamspeak.com)
Complete Creations
1314 Dunhill
Pasadena, Texas 77506
United States
(832) 735-4017

On hackersresource.com/register.cfm, the text g00n 777 (Wes) is displayed . CompleteCreations.com who is run by Wesley Geddes hosts and is a member of g00ns.com.

On the defaced IMC websites, 'clorox' takes credit for the attacks. We started looking around about clorox and, big surprise, it turns out it's the guy from RightWingExtremist.net. He had reported a security flaw in Centra 7 a while back regarding a XSS error(Very similar to what he had used to attack IndyMedia months ago:  http://chicago.indymedia.org/newswire/display/48180/index.php).

 http://seclists.org/lists/bugtraq/2005/Apr/0156.html
"From: Clorox "

Elac aka awb0t aka Brett Chance from Plano, TX. Haven't you learned your lesson by now?

In the past, the g00ns have targetted online gaming clan websites, but since elac had joined up they have started to shift right. Other defacements the g00ns have committed:  http://www.zone-h.org/en/defacements/filter/filter_defacer=g00ns/


Right Wing Hackers Attack Independent Media Centers
from "Notes from the Hacker Underground" at HackThisSite.org

A number of people have started to organize and attack various Independent Media Centers as well as a number of other progressive and leftist websites. In the past, these attacks have ranged from simple xss attacks which redirect visitors or trashing the filesystem / databases. The people responsible show no understanding of the ideas behind the open publishing system IndyMedia, which is free for all users to participate in the discussion. These actions are not hacking nor hacktivism: they utilize public pre-written exploits to simply 'shout the other side down'. An attack on IndyMedia is an attack on free speech itself. These right-wing extremists need to be confronted and exposed as the online fascists they really are.

During the Republican National Convention, a group of hackers called RightWingExtremist.net was formed by Brett Chance(elac, clorox, awb0t, etc) from Plano TX. This group came out of the ultra conservative ProtestWarrior.com who advocates disrupting and attacking leftist organizations. Their actions had started with minor stuff like launching ddos attacks on NYC IndyMedia. Later they discovered a xss flaw in dadaIMC that allowed them to post news that would automatically redirect users to his own website where it would play sounds that said childish political rhetoric like 'the nazi indymedia wants to destroy israel', etc. Because of pressure from the online community, Brett from RightWingExtremist.net closed down the site for several months.

Months later, Jeremy from HackThisSite.org discovered a flaw in dadaIMC that allowed the upload of malicious PHP files would could be used to take over the entire server. This announcement was quietly made to dadaIMC who was urged to keep it private until the tech staff of every indymedia center was notified and had their scripts patched to protect themselves. Several other independent IndyMedia centers were notified and had their code base patched. But before the majority of sites were patched, DadaIMC posted the vulnerability information on the website, including instructions on how it can be exploited.

A month later a group calling itself the g00ns.com have attacked and defaced a dozen indymedia websites using the vulnerability posted to dadaimc. On the hacked websites, a message calling indymedia 'liars' and 'anti-republicans' were posted. Soon after, hackers and indymedia techs started working together to fix each other's code and bring backups back online as well as find information about the g00ns.

The g00ns started out by targetting and attacking online gaming clan websites, but eventually Elac from RightWingExtremist.net joined up and started to turn the group farther to the right. When the IndyMedia sites were hacked, people started to gather information and infiltrate their organization and soon after all of their private details were released to the public to show like actions like this will not go unnoticed.

Many other right-wing trolls continue to try to disrupt IndyMedia and left-wing protest groups. These individuals operate under several different names including ProtestWarrior.com, RightWingExtremist.net, FreeRepublic.com, KobeHQ.com, FreeDominion.com, LittleGreenFootballs.com, and more. Many of these groups are suspected of being financed operations from governments or corporations similar to the COINTELPRO program from the 60s and 70s. Common activities range from flooding message boards, faking votes and reviews in online polls, releasing personal information of key organizers, spreading false rumors and scandals, etc.

All IndyMedia centers running DadaIMC are strongly encouraged to patch their software.

Details on the vulnerability are at:

 http://www.dadaimc.org/mod/software/alerts/dadaIMC/index.php?alert=1
 http://www.dadaimc.org/support.php?section=xss

[the above article will be featured in the upcoming 'notes from the hacker underground' zine available from hackthissite.org]





Email this article to someone >>

Make a quick comment on this article >>