[ISN] [defaced-commentary] Two CNET.com machines defaced

From: InfoSec News (isnat_private)
Date: Tue Jul 31 2001 - 00:35:50 PDT

    ---------- Forwarded message ----------
    Date: Mon, 30 Jul 2001 02:05:03 -0600 (MDT)
    From: security curmudgeon <jerichoat_private>
    To: defaced-commentaryat_private
    Subject: [defaced-commentary] Two CNET.com machines defaced
    
    
    On July 27 & 28, 2001, two machines were compromised and defaced on
    the cnet.com network. The first machine (abv-sfo1-ws5.cnet.com) was
    defaced by a defacer/group known as "g0thic milk" on the 27th. The
    following day, a group known as "MIH" (Men In Hack) defaced a second
    machine (abv-sfo1-ws10.cnet.com) on the same subnet. Both machines
    were identified as running Windows NT by staff members at Safemode.org
    during the mirroring.
    
    According to CNET (http://www.cnet.com/aboutcnet/0-13611.html?tag=ft):  
    CNET Networks, Inc. (Nasdaq: CNET), is the global source of
    information and commerce services for the technology industry. As a
    top 10 Internet company with established Web sites in 25 countries and
    content in 18 languages, CNET Networks connects buyers, sellers and
    suppliers throughout the IT supply chain with award-winning content
    via the Web, wireless devices, television, radio and print. Its
    respected brand portfolio includes CNET, ZDNet, mySimon, News.com,
    Computer Shopper magazine, and CNET Radio, as well as CNET
    ChannelServices, including CNET DataServices and CNET ChannelOnline.
    The company's vision is to educate and empower people and businesses
    by unlocking the potential of the technology world to make things
    easier and faster, and by helping them make smarter buying decisions.
    
    The implications of such a compromise are interesting to say the
    least.  If the defacements were only a small part of the intrusion, or
    perhaps came at the end of a long period of compromise, it would be
    impossible to even speculate on the damage that could have been done.
    With millions of users a month viewing the CNET news, downloading
    software from their archives or relying on their stock quotes, a
    Subversion of Information (SoI) attack would have been incredible.
    
    Mirror: http://www.safemode.org/mirror/2001/07/27/abv-sfo1-ws5.cnet.com/
    
    Mirror: http://www.safemode.org/mirror/2001/07/28/abv-sfo1-ws10.cnet.com/
    
    A list of hosts on the same subnet. Of interest, the machine names
    imply that a wide variety of services such as mail, stock quotes,
    news, search engine and more could also have been compromised.
    
    -
    The information and commentary is Copyright 2001, by the individual author.
    Permission is granted to quote, reprint or redistribute provided the text is not
    altered, and the author and attrition.org is credited. The opinions expressed
    in this mail are not necessarily the opinion of all Attrition staff members.
    
    -
    ISN is currently hosted by Attrition.org
    
    


