Tuesday, February 05, 2008

Anatomy of a Hack

Ok, I did a little research on the Hack that happened over the weekend to JChava and Psych X.

The freeweb7.com domain is registered to:

ATTN: freeweb7.com
P.O. Box 278
Yarmouth, Nova Scotia B5A 4B2
Canada

Registered through: GoDaddy.com, Inc. (http://www.godaddy.com)
Domain Name: FREEWEB7.COM
Created on: 11-Mar-07
Expires on: 20-Jan-18
Last Updated on: 20-Jan-08

Administrative Contact:
, 68db9a580a1e672a01ea36ea361e9edb@domaindiscreet.com
ATTN: freeweb7.com
P.O. Box 278
Yarmouth, Nova Scotia B5A 4B2
Canada
1-902-7495331

Technical Contact:
, 68db9a7b0a1e672a01265c6cece872bc@domaindiscreet.com
ATTN: freeweb7.com
P.O. Box 278
Yarmouth, Nova Scotia B5A 4B2
Canada
1-902-7495331

Domain servers in listed order:
NS2.FREEWEB7.COM
NS1.FREEWEB7.COM

The prefix that the hackers added is xbox360news. This was probably never, ever a valid web site. The hackers replaced the 404 Page Not Found error page with some custom JavaScript that comes up as 404.jsp when you crawl the site.

This script redirects to a subdomain of acsyndication.com, which is registered to:

ADS-CLICK
20 rte de pré-bois

geneve, GENEVE 1215
Switzerland

Registrar: DomainPeople, Inc.

Domain Name: acsyndication.com
Created on .............Mon Oct 16 13:15:17 2006
Expires on .............Thu Oct 16 16:15:17 2008
Record last updated on .Fri Jul 13 10:54:15 2007,

Administrative Contact:
ADS-CLICK
Pascal Rossini
20 rte de pré-bois

geneve, GENEVE
1215, CH
( )41227917380
()
pascal.rossini@ads-click.com

Technical Contact:
ADS-CLICK
Administrator DNS
1 N State Street
12th Floor
Chicago, IL
60602, US
(1312)2362132
()
administrator@siteprotect.com

Domain servers in listed order:
ns.dfi.innet.ch 195.70.1.100
ns.innet.ch 195.70.10.100


From this site a script is run automatically. My firewall vendor won't even let me look at the site; it is blocked as malicious when I try to pull up the script. The prefix of the site is acnetwor.flux. - this may be another hacked domain. Nonetheless, it runs the script on the victim PC.
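The pattern described above (a replaced 404 handler whose only job is to bounce the visitor to a third-party domain) is something a site owner can check for without loading the foreign script at all: request a path that cannot exist and inspect the error body for client-side redirects or script loads that leave the site. The following checker is an added example written for this post, not code from the original article or from any of the sites named in it. The host names and HTML bodies in it are constructed samples; the `.test` and `.invalid` domains are reserved placeholders and stand in for the real origin and redirect target.

```python
"""Audit a site's 404 response for client-side redirects or externally
loaded scripts that point off-site.  Added example; all sample bodies and
host names below are constructed, not captured from any real site."""
import re
import sys
from urllib.parse import urlparse

# Client-side redirect and remote-load idioms worth flagging in an error
# page.  Group 1 of every pattern captures the destination URL.
REDIRECT_PATTERNS = {
    "js-location": re.compile(
        r"""(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""", re.I),
    "js-location-call": re.compile(
        r"""location\.(?:replace|assign)\s*\(\s*['"]([^'"]+)['"]\s*\)""", re.I),
    "meta-refresh": re.compile(
        r"""<meta[^>]*http-equiv\s*=\s*['"]?refresh['"]?[^>]*content\s*=\s*['"][^'"]*?url\s*=\s*([^'"\s>]+)""", re.I),
    "script-src": re.compile(r"""<script[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I),
    "iframe-src": re.compile(r"""<iframe[^>]*\bsrc\s*=\s*['"]([^'"]+)['"]""", re.I),
}


def same_site(host, origin):
    """True when host is the origin itself or one of its subdomains."""
    host, origin = host.lower(), origin.lower()
    return host == origin or host.endswith("." + origin)


def find_targets(body):
    """Return (kind, url) for every redirect/remote-load idiom found in body."""
    found = []
    for kind, pattern in REDIRECT_PATTERNS.items():
        for match in pattern.finditer(body):
            found.append((kind, match.group(1).strip()))
    return found


def audit_404(origin, body):
    """Classify a 404 body served by `origin`.

    'findings' lists every target with whether it leaves the site,
    'offsite' is the subset that does, and 'verdict' is one of
    'clean', 'local-redirect' or 'offsite-redirect'."""
    findings = []
    for kind, url in find_targets(body):
        host = urlparse(url).hostname          # None for relative URLs
        offsite = host is not None and not same_site(host, origin)
        findings.append({"kind": kind, "url": url, "host": host, "offsite": offsite})
    offsite = [f for f in findings if f["offsite"]]
    verdict = "offsite-redirect" if offsite else ("local-redirect" if findings else "clean")
    return {"verdict": verdict, "findings": findings, "offsite": offsite}


def probe(base_url, path="/this-path-should-not-exist-xyz123"):
    """Fetch a nonexistent path from a live site and audit the error body.
    Not called by the samples below; only used when a URL is given on the
    command line."""
    import urllib.error
    import urllib.request
    origin = urlparse(base_url).hostname
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:      # a 404 arrives as an exception
        status, body = err.code, err.read()
    return status, audit_404(origin, body.decode("utf-8", "replace"))


# ---- constructed samples (placeholder domains, not real captured pages) ----
ORIGIN = "example-host.test"

CLEAN_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Page not found</h1><p><a href="/">Return home</a></p></body></html>"""

# Mimics the post's description: an error page that exists only to send the
# visitor to a third-party redirector, via JavaScript with a meta fallback.
HIJACKED_404 = """<html><head><title>404 Not Found</title>
<script type="text/javascript">
  window.location.href = "http://r.example-syndication.invalid/go?c=404";
</script>
<meta http-equiv="refresh" content="5;url=http://r.example-syndication.invalid/go?c=404">
</head><body>Not found</body></html>"""

# A legitimate site bouncing broken links to its own search page.
LOCAL_404 = """<html><head><script>location.replace('/search?q=missing');</script></head>
<body>Redirecting to search...</body></html>"""

if __name__ == "__main__":
    for name, body in (("clean", CLEAN_404), ("hijacked", HIJACKED_404), ("local", LOCAL_404)):
        report = audit_404(ORIGIN, body)
        print(f"{name:9s} -> {report['verdict']}", [f["url"] for f in report["offsite"]])
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it with no arguments to see the three sample verdicts; pass a base URL to probe a site you operate. The check deliberately never follows the redirect, so the foreign script is never fetched or executed; a verdict of `offsite-redirect` on an error page is the signal to compare the deployed 404 handler against what was actually published.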

While I can't tell you exactly what is happening, here are my thoughts on what is happening. Microsoft didn't put much security into the file system on the XBOX 360, certainly not a firewall of any type, and I doubt they did anything to encrypt user data on the hard disk drives of the XBOX 360. The software kernel of the 360 is just some customized code from other Microsoft OSes, leaving it with the same well known vulnerabilities. A smart hacker could easily figure out how to exploit the XBOX 360, then create a fairly generic script to scan the local network, find the XBOX and pull and send the information. The whole process would probably take less than a minute, and certainly fewer than five minutes, long before you suspected anything was going on in your network.

This is a very scary prospect for XBOX 360 users. Be sure to call Microsoft @ 1-800-4MY-XBOX today to get your information protected with your secret question. Then tell them you want to open a ticket requesting that the security on the XBOX be improved.

We should also consider removing all the user information from our accounts on the XBOX, as this information does not appear to be secure: only place it there if they require it, and then do something to make it stand out oddly if it is ever used.

I've sent the info out to a buddy that might be able to figure things out a little further. Until then, be extra careful where you browse.
