[iwar] [fc:'Terror.Killers'.Go.On.Site.Defacement.Spree]

From: Fred Cohen (fc@all.net)
Date: 2001-10-09 17:25:48



'Terror Killers' Go On Site Defacement Spree 
By Brian McWilliams, Newsbytes, 10/9/2001
http://www.newsbytes.com/news/01/170957.html

More than a dozen Web sites, many of them American, were vandalized
today apparently by a group of vigilante hackers calling itself Young
Intelligent Hackers Against Terrorism (YIHAT). 

The attackers replaced the home page of 13 sites with a graphic showing
the YIHAT logo and a text message, which included this statement:
"YIHAT's mission is focused on one topic: Kill the money sources of
terror."

A hacker using the nickname RaFa took credit for the defacements in the
source code of the defaced pages.  RaFa is the name used by a former
member of World of Hell, a group that has defaced hundreds of Web sites
this year. 

The YIHAT defacements, most of which were still viewable this morning,
contained a link to Kill.net, a Web site operated by Kim Schmitz, a
German hacker who founded YIHAT. 

Neither RaFa nor Schmitz was immediately available for comment on the
defacements. 

In retaliation for the Sept.  11 terrorist attacks on America, RaFa last
month defaced a site owned by Aon Corp., an insurance firm with offices
in the World Trade Center that lost 200 employees in the attacks.  In an
e-mail to Newsbytes in September, RaFa said the defacement of the Aon
site was "an accident."

Among the sites defaced today was Tarjema.com, which is registered to a
resident of Washington state, Timothy Gregory. 

"The only reason I can think of for the defacement would be the fact
that my domain name is Arabic.  It means 'translation,'" said Gregory,
who said the site focuses on Arabic translation and Unix administration. 

Other YIHAT victims include Abooks.com, an online bookshop operated by a
company in North Carolina.  An Austrian site, Salzburg-info.co.at, which
featured Web cams of the city of Salzburg, was also vandalized with the
YIHAT message. 

Last week, Schmitz claimed that YIHAT breached the name server and
firewall of the AlShamal Islamic Bank in Sudan and collected data from
the accounts of Osama bin Laden and the Al Qaeda terrorist organization. 
Schmitz, who provided no proof of his claims, said at the time that he
turned the purloined information over to the FBI.  The FBI declined to
confirm that, or to comment. 

Officials from CheckPoint, the Israeli manufacturer of the firewall
allegedly used by the bank, said they do not believe the hacking
occurred.  Representatives of ActiveISP, the Norwegian company that
hosts the Shamalbank.com site, said the hosting firm has not suffered
any security breaches. 

All the sites defaced by RaFa today appear to be running the Apache Web
server and PHP-Nuke, a web portal system written in the PHP scripting
language. 

YIHAT's defacements are mirrored by the Interrorem archive here:
http://www.interrorem.com/defaced/index.php3?grpq=YIHAT





This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:54 PST