Monday, 14 May 2012

Was the Leveson website hacked through a weakness in WordPress? - UPDATE 2

This afternoon is appears that the Leveson Inquiry website has been under attack by hackers, forum poster zlyche on Something Awful has a theory on how it may have been done:

Just putting up what information I ascertained before the site went completely down.
The server itself ran Apache 2.2.14 - out of date (Recommended is 2.2.22). Advisories

Clues as to a Wordpress backend:

  • A 'wp-content' exists, with further subdirectories holding images
  • A response from the search on the website stated "Welcome to WordPress. This is your first post. Edit or delete it, then start blogging!"
  • This comment on the website: "<!-- This site is optimized with the Yoast WordPress SEO plugin v1.0.3 - http://yoast.com/wordpress/seo/ -->"
  • This link also told us what the search backend was, and its version"<link rel="stylesheet" id="faceted-search-css" href="http://www.levesoninquiry.org.uk/wp-content/plugins/bang-faceted-search/faceted-search.css?ver=3.2.1" type="text/css" media="all">"
The nail in the coffin that this is a group going after the site for a while though:

http://pastebin.com/jfxqZQQr

This shows someone found the Wordpress login to the site. Not only that, it has a password reset feature.

Given that, it is my opinion that the most likely way the got into it was through Wordpress. Be it through a vulnerability in the search engine or weakness in the password authentication system.

Surprised that the HTTPS section was up for so long.
Looks like the group involved has been working on this since at least late Febuary according to the date on the Pastebin files, guess it time for Leveson to invest some time into investigating website hacking too.

UPDATE

Another Something Awful forum member pointed out directory listings were allowed on the Leveson Inquiry website,
I have to admit, I noticed the wp-content folder and subfolders allowed directory listing a while ago. Didn't tell anyone, it was useful for checking when new stuff had been uploaded. They've fixed it now though. 
 zlyche replies:
They allowed directory listing? Ouch. No wonder this ended up happening. Basic security seems to have gone the wayside there. Given the speed at which the site was brought back up I'd hasten to say that it was a weak password. When I state a weakness in the password authentication system this also includes the credentials of the user itself.

As said, the time the site has taken to get back up shows that the administrators do not believe it to be a vulnerability in the site itself. If it were the case, the site would not be back to its current state so soon. To that end, its likely that they simply changed the password. Emphasising this point is that the Wordpress Login area is still present.
Some pretty poor security by the Leveson website team there.

UPDATE 2

Something Awful forum member zlyche has done a bit more investigating:
I did a tiny bit more legwork. Here is the limited information so far:

Starting from the 12th the group start mentioning #OpLeveson. Later posts that evening show that the group, having confirmed their capacity to takedown the site, are re-enacting it as a show of power.

They seem to have a tendency to use DDoS-based attacks, reminiscent of most Anon approaches to websites. Given how the site looked earlier however, a removal of files seemed to have occurred. That is, a blank root directory was shown. Encouraging this over another possibility - dns poisoning - is that when the HTTP version of the site was down in this regard, the HTTPS version was still up.

Read into it what you will, however information must be obtained on when precisely the site went down. I was under the misunderstanding that this was at 14:46~, which would have been significantly earlier than AnonATeam's announcement. However I cannot find a reference to this.

It seems very likely that someone involved in the DDoS operation over the weekend was involved in this attack. Focus was already on the site by the group, and if one of them got overenthusiastic and successfully gained access it would explain events somewhat. This could be proven wrong with identical attempts at access on the other targeted websites - showing an M.O of the group rather than of a specific individual within.

1 comment: