Syrian Electronic Army Defaces 41 Web sites, One UK Government Web site
The Syrian Electronic Army (SEA) has claimed responsibility for defacing 41 websites, 23 of which have the top level domain name .uk.
The SEA also claimed responsibility for defacing one UK government website (Okehampton Town Council Web site at http://www.okehampton.gov.uk). The claims of responsibility appeared on the SEA Facebook page on June 27, 2011, and one day later on the SEA official website. On its Web site, the SEA announced that it hacked the “British” sites “because of the bad stand of the British government on Syrian” and “to send a message to the British people that we refuse any interference in our internal affairs.”
The defacement text on the websites read:
Dear Great British People … we are sorry to destroy your sites, but your government’s policies and the interfere in our Interior affairs forced us to hack your official sites so you will be able to listen to our voices live from Syria , we love our country and we love our President Bashar al Assad and we will not allow anyone to interfere in our Internal Affairs
The defacement text was signed by two SEA hacking affiliates: SaQeR SyRia and THE PRO. A “friend”, N0N3, is also mentioned (See Figure 1).
- Figure 1: Defacement text
We verified that all of the listed .uk websites were indeed defaced as of June 28, at 4:00 am GMT.
24 of the Web sites, including www.okehampton.gov.uk, are hosted on the single IP 188.8.131.52 on a UK-based server. The Web sites primarily seem to be online businesses and blogs, with no obvious political content aside from the government site.
Seven of the domain names did not resolve to an IP address at the time that we checked. This may be because the sites were null-routed after the defacement. However, since none of the seven is present in Google’s cache except one, which shows only an empty directory listing, it seems more likely that they are simply unused domains that the attackers pointed at a particular IP.
Another IP address, 184.108.40.206, corresponds to five of the domains, and the remaining six are on distinct IPs (See Figure 2).
- Figure 2: Defacements by IP and TLD
The SEA also listed a URL, http://www.art.edu.ge/gov-uk.JPG, which is a screenshot of the defaced Okehampton Town Council Web site. The image is hosted on a Georgian university network; that site does not appear to have been otherwise defaced.
The SEA posted a video clip to YouTube showing how some of the Web sites were compromised. We examined the video and found that the SEA appears to use the software ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE to obtain backdoor access to the targeted web server and to look for further security vulnerabilities from there.
“ConnectBack Backdoor Shell” is a very simple Perl script that gives the attacker a reverse shell. A conventional (bind) shell requires the attacker to connect inbound to the target for command-line access, while a reverse shell connects outbound from the target to the attacker and still provides interactive access. This is useful when the attacker can get a program to run on the targeted machine (e.g. by uploading a file through a vulnerable web application and invoking it) but does not yet have shell access. It also circumvents firewalls that filter inbound connections but permit outbound ones, since the connection originates from the target, not from the attacker.
This backdoor shell is short and simple compared to more sophisticated tools that encrypt or hide their communications. At about 20 lines of Perl, it connects to a port on which the attacker is listening, sends basic machine information, and then relays input and output between that connection and a shell on the compromised system. The program has been publicly posted since at least 2004, and has been re-claimed by other authors (by changing the author name in the script) at least six times, including by “LorD of IRAN HACKERS SABOTAGE”, the name shown in the video.
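The behaviour described above leaves a distinctive trace on the compromised host: a web server worker (or a Perl interpreter it spawned) holding an established TCP session that it opened itself, rather than one accepted from a browser. The following is an added example, not code from the original report or from the SEA tooling, showing one way an administrator of such a server could spot that trace in `ss -tnp` output. The socket table, process names, listening ports and the list of “expected” outbound ports are all constructed assumptions for this example.

```python
"""Spot connect-back shells by looking for outbound TCP sessions owned by web
server worker processes. Modelled on `ss -tnp` output; the sample below is
constructed for this example, not taken from the incident."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Socket table as `ss -tnp` prints it (constructed sample). The session to
# 203.0.113.99:4444 is the shape a Perl connect-back shell leaves behind.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
LISTEN 0      128    0.0.0.0:80           0.0.0.0:*            users:(("httpd",pid=900,fd=4))
ESTAB  0      0      198.51.100.10:80     203.0.113.7:51234    users:(("httpd",pid=912,fd=12))
ESTAB  0      0      198.51.100.10:41022  198.51.100.20:3306   users:(("lsphp",pid=931,fd=9))
ESTAB  0      0      198.51.100.10:51877  203.0.113.99:4444    users:(("perl",pid=940,fd=3))
ESTAB  0      0      198.51.100.10:22     192.0.2.5:60011      users:(("sshd",pid=700,fd=4))
"""

# Web server workers and the interpreters/shells they typically spawn on a
# cPanel-style host. Assumption for this example; tune to the host's stack.
WEB_WORKER_NAMES = {"httpd", "apache2", "litespeed", "lshttpd", "lsphp",
                    "php-fpm", "perl", "php", "sh", "bash"}
# Ports the web stack listens on: inbound sessions carry these as LOCAL port.
LISTEN_PORTS = {80, 443}
# Peer ports a worker legitimately reaches (DB, mail, DNS). Assumption.
EXPECTED_PEER_PORTS = {3306, 25, 53}

SS_LINE = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)'
)


@dataclass
class Conn:
    state: str
    local: str
    peer: str
    proc: str
    pid: int


def port_of(addr: str) -> Optional[int]:
    """Numeric port of 'host:port' or '[v6addr]:port'; None for the '*' wildcard."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_ss(text: str) -> List[Conn]:
    """Parse `ss -tnp` output; the header and lines without a process are skipped."""
    conns = []
    for line in text.splitlines():
        m = SS_LINE.match(line.strip())
        if m:
            conns.append(Conn(m["state"], m["local"], m["peer"], m["proc"], int(m["pid"])))
    return conns


def outbound_from_web_workers(conns: List[Conn]) -> List[Conn]:
    """Established sessions a web worker opened itself: the local port is an
    ephemeral one, not a port the server listens on. Inbound HTTP clients
    never look like this, so this alone separates accept()ed from connect()ed."""
    return [c for c in conns
            if c.state == "ESTAB"
            and c.proc in WEB_WORKER_NAMES
            and port_of(c.local) not in LISTEN_PORTS]


def flag_connect_back(conns: List[Conn]) -> List[Conn]:
    """Outbound worker sessions to a peer port the stack has no reason to reach."""
    return [c for c in outbound_from_web_workers(conns)
            if port_of(c.peer) not in EXPECTED_PEER_PORTS]


if __name__ == "__main__":
    for c in flag_connect_back(parse_ss(SAMPLE_SS)):
        print(f"suspect connect-back: {c.proc}[{c.pid}] {c.local} -> {c.peer}")
```

Two caveats follow from the article’s own description. First, an attacker who listens on 443 instead of 4444 blends into the “expected” set, so in practice the allow-list should be keyed on destination host, not port. Second, since the shell dials out, the control that actually stops it is egress filtering on the server’s firewall, not the inbound rules the technique is designed to bypass.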
We were also able to confirm that at least 34 of the servers are running cPanel, WebHost Manager (WHM), and either Apache or LiteSpeed Web Server. This suggests that the attackers may have found an exploit for a particular vulnerable server configuration and then used a scanner to locate hosts running it.
More Opposition Facebook Pages Compromised
On June 28, the SEA claimed responsibility for compromising 16 opposition Facebook pages including one that campaigned to have the SEA Facebook page shutdown. The SEA said infiltrating opposition pages is part of its operation to “cleanse Facebook from hostile content.” As in the case with previously compromised pages, the SEA has replaced the logos of the pages with its own and started posting pro-regime, pro-president messages and graphics. Anti-regime and pro-revolution postings continue to appear.
URL List of the Defaced Web sites
- Figure 3: Screenshot of the SEA’s claim of responsibility as it appeared on its Facebook page