---------- Forwarded message ---------- Date: Mon, 30 Jul 2001 02:05:03 -0600 (MDT) From: security curmudgeon <jerichoat_private> To: defaced-commentaryat_private Subject: [defaced-commentary] Two CNET.com machines defaced On July 27 & 28, 2001, two machines were compromised and defaced on the cnet.com network. The first machine (abv-sfo1-ws5.cnet.com) was defaced by a defacer/group known as "g0thic milk" on the 27th. The following day, a group known as "MIH" (Men In Hack) defaced a second machine (abv-sfo1-ws10.cnet.com) on the same subnet. Both machines were identified as running Windows NT by staff members at Safemode.org during the mirroring. According to CNET (http://www.cnet.com/aboutcnet/0-13611.html?tag=ft): CNET Networks, Inc. (Nasdaq: CNET), is the global source of information and commerce services for the technology industry. As a top 10 Internet company with established Web sites in 25 countries and content in 18 languages, CNET Networks connects buyers, sellers and suppliers throughout the IT supply chain with award-winning content via the Web, wireless devices, television, radio and print. Its respected brand portfolio includes CNET, ZDNet, mySimon, News.com, Computer Shopper magazine, and CNET Radio, as well as CNET ChannelServices, including CNET DataServices and CNET ChannelOnline. The company's vision is to educate and empower people and businesses by unlocking the potential of the technology world to make things easier and faster, and by helping them make smarter buying decisions. The implications of such a compromise are interesting to say the least. If the defacements were only a small part of the intrusion, or perhaps came at the end of a long period of compromise, it would be impossible to even speculate the damage that could have been done. With millions of users a month viewing the CNET news, downloading software from their archives or relying on their stock quotes, a Subversion of Information (SoI) attack would have been incredible. Mirror: http://www.safemode.org/mirror/2001/07/27/abv-sfo1-ws5.cnet.com/ Mirror: http://www.safemode.org/mirror/2001/07/28/abv-sfo1-ws10.cnet.com/ A list of hosts on the same subnet. Of interest, the machine names imply that a wide variety of services such as mail, stock? quotes, news, search engine and more could also have been compromised. 64.124.237.3 => abv-sfo1-osr1.cnet.com 64.124.237.4 => abv-sfo1-osr2.cnet.com 64.124.237.5 => abv-sfo1-cat3508-1.cnet.com 64.124.237.6 => abv-sfo1-cat3508-2.cnet.com 64.124.237.7 => abv-sfo1-cat6509-1.cnet.com 64.124.237.8 => abv-sfo1-cat6509-2.cnet.com 64.124.237.9 => abv-sfo1-7206-1.cnet.com 64.124.237.10 => abv-sfo1-7206-2.cnet.com 64.124.237.15 => abv-sfo1-js1.cnet.com 64.124.237.16 => abv-sfo1-alteon2.cnet.com 64.124.237.17 => abv-sfo1-alteon1.cnet.com 64.124.237.18 => abv-sfo1-osr1-switch.cnet.com 64.124.237.19 => abv-sfo1-osr2-switch.cnet.com 64.124.237.21 => abv-sfo1-san-mon1.cnet.com 64.124.237.24 => abv-sfo1-he-dp1.cnet.com 64.124.237.25 => abv-sfo1-he-mail1.cnet.com 64.124.237.27 => abv-sfo1-he-news1.cnet.com 64.124.237.28 => abv-sfo1-he-alt1.cnet.com 64.124.237.29 => abv-sfo1-he-alt2.cnet.com 64.124.237.55 => abv-sfo1-proxy1.cnet.com 64.124.237.56 => abv-sfo1-proxy2.cnet.com 64.124.237.58 => abv-sfo1-nw-finder.cnet.com 64.124.237.59 => abv-sfo1-quote.cnet.com 64.124.237.61 => abv-sfo1-preapp.cnet.com 64.124.237.62 => abv-sfo1-app.cnet.com 64.124.237.64 => abv-sfo1-nsrev1.cnet.com 64.124.237.65 => abv-sfo1-nsrev2.cnet.com 64.124.237.66 => abv-sfo1-nsrev3.cnet.com 64.124.237.67 => abv-sfo1-nsrev4.cnet.com 64.124.237.72 => abv-sfo1-mail1.cnet.com 64.124.237.73 => abv-sfo1-in-mx1.cnet.com 64.124.237.74 => abv-sfo1-quote1.cnet.com 64.124.237.75 => abv-sfo1-quote2.cnet.com 64.124.237.80 => abv-sfo1-nw-harvester1.cnet.com 64.124.237.81 => abv-sfo1-nw-harvester2.cnet.com 64.124.237.82 => abv-sfo1-nw-finder1.cnet.com 64.124.237.83 => abv-sfo1-nw-finder2.cnet.com 64.124.237.86 => backtrack.cnet.com 64.124.237.92 => abv-sfo1-collectionbuilder.cnet.com 64.124.237.94 => abv-sfo1-dc1.cnet.com 64.124.237.96 => abv-sfo1-review.cnet.com 64.124.237.97 => abv-sfo1-nw-db-ha2.cnet.com 64.124.237.99 => abv-sfo1-backup-db-ha2.cnet.com 64.124.237.101 => abv-sfo1-swh.cnet.com 64.124.237.104 => abv-sfo1-nw-db-replicate1.cnet.com 64.124.237.106 => abv-sfo1-nw-db-report1.cnet.com 64.124.237.108 => abv-sfo1-awh-hist1.cnet.com 64.124.237.110 => abv-sfo1-nw-db-ha1.cnet.com 64.124.237.111 => abv-sfo1-ad-db-ha1.cnet.com 64.124.237.113 => abv-sfo1-au-db1.cnet.com 64.124.237.114 => abv-sfo1-backup-db-ha1.cnet.com 64.124.237.118 => abv-sfo1-monitor1.cnet.com 64.124.237.144 => www.help.com 64.124.237.145 => www.savvysearch.com 64.124.237.146 => www.search.com 64.124.237.148 => abv-sfo1-redirect.cnet.com 64.124.237.149 => feed.search.com 64.124.237.153 => webservices.cnet.com 64.124.237.156 => internetservices.cnet.com 64.124.237.159 => auctions1.cnet.com 64.124.237.170 => abv-sfo1-preapp1.cnet.com 64.124.237.171 => abv-sfo1-preapp2.cnet.com 64.124.237.172 => abv-sfo1-app1.cnet.com 64.124.237.173 => abv-sfo1-app2.cnet.com 64.124.237.174 => abv-sfo1-app3.cnet.com 64.124.237.175 => abv-sfo1-app4.cnet.com 64.124.237.192 => abv-sfo1-ss4.cnet.com 64.124.237.193 => abv-sfo1-ss5.cnet.com 64.124.237.194 => abv-sfo1-ss6.cnet.com 64.124.237.195 => abv-sfo1-ss7.cnet.com 64.124.237.196 => abv-sfo1-ss8.cnet.com 64.124.237.197 => abv-sfo1-ss9.cnet.com 64.124.237.198 => abv-sfo1-ss10.cnet.com 64.124.237.199 => abv-sfo1-ss11.cnet.com 64.124.237.200 => abv-sfo1-ss12.cnet.com 64.124.237.201 => abv-sfo1-ss13.cnet.com 64.124.237.202 => abv-sfo1-ss14.cnet.com 64.124.237.203 => abv-sfo1-ss15.cnet.com 64.124.237.204 => abv-sfo1-ss16.cnet.com 64.124.237.205 => abv-sfo1-ss17.cnet.com 64.124.237.206 => abv-sfo1-ss18.cnet.com 64.124.237.207 => abv-sfo1-ss19.cnet.com 64.124.237.208 => abv-sfo1-he1.cnet.com 64.124.237.209 => abv-sfo1-he2.cnet.com 64.124.237.212 => abv-sfo1-redirect1.cnet.com 64.124.237.213 => abv-sfo1-redirect2.cnet.com 64.124.237.214 => abv-sfo1-redirect3.cnet.com 64.124.237.215 => abv-sfo1-redirect4.cnet.com 64.124.237.216 => abv-sfo1-ss20.cnet.com 64.124.237.217 => abv-sfo1-ss21.cnet.com 64.124.237.218 => abv-sfo1-ss22.cnet.com 64.124.237.219 => abv-sfo1-ss23.cnet.com 64.124.237.220 => abv-sfo1-ss24.cnet.com 64.124.237.230 => abv-sfo1-survey.cnet.com 64.124.237.245 => abv-sfo1-ws1.cnet.com 64.124.237.246 => abv-sfo1-ws2.cnet.com 64.124.237.247 => abv-sfo1-ws3.cnet.com 64.124.237.248 => abv-sfo1-ws4.cnet.com 64.124.237.249 => abv-sfo1-ws5.cnet.com 64.124.237.250 => abv-sfo1-ws6.cnet.com 64.124.237.251 => abv-sfo1-ws7.cnet.com 64.124.237.252 => abv-sfo1-ws8.cnet.com 64.124.237.253 => abv-sfo1-ws9.cnet.com 64.124.237.254 => abv-sfo1-ws10.cnet.com - The information and commentary is Copyright 2001, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members. Commentary Archive: http://www.attrition.org/security/commentary/ The Attrition Mirror: http://www.attrition.org/mirror/attrition/ Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html Contacting Attrition Staff: staffat_private To subscribe to Defaced Commentary, send mail to majordomoat_private with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail. - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 06:04:13 PDT