How Al-Qaida Site Was Hijacked

From: alerts@theMezz.com
Date: 2002-08-12 16:59:22


Return-Path: <cybercrime-alerts-bounce@freelists.org>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Mon, 12 Aug 2002 17:10:14 -0700 (PDT)
Received: (qmail 27828 invoked by uid 510); 12 Aug 2002 23:58:47 -0000
Received: from freelists-180.iquest.net (HELO turing.freelists.org) (206.53.239.180) by all.net with SMTP; 12 Aug 2002 23:58:47 -0000
Received: from turing.(none) (localhost [127.0.0.1]) by turing.freelists.org (FreeLists Mail Multiplex) with ESMTP id 6BE9994337; Mon, 12 Aug 2002 19:03:23 -0500 (EST)
Received: with ECARTIS (v1.0.0; list cybercrime-alerts); Mon, 12 Aug 2002 19:02:51 -0500 (EST)
Delivered-To: cybercrime-alerts@freelists.org
Received: from pop018.verizon.net (pop018pub.verizon.net [206.46.170.212]) by turing.freelists.org (FreeLists Mail Multiplex) with ESMTP id 9C5E494230 for <cybercrime-alerts@freelists.org>; Mon, 12 Aug 2002 19:02:50 -0500 (EST)
Received: from VAIO ([129.44.209.188]) by pop018.verizon.net (InterMail vM.5.01.05.09 201-253-122-126-109-20020611) with ESMTP id <20020812235930.PACF8228.pop018.verizon.net@VAIO> for <cybercrime-alerts@freelists.org>; Mon, 12 Aug 2002 18:59:30 -0500
Message-ID: <200208121959220960.09D4230E@outgoing.verizon.net>
X-Mailer: Calypso Version 3.30.00.00 (4)
Date: Mon, 12 Aug 2002 19:59:22 -0400
From: alerts@theMezz.com
To: cybercrime-alerts@freelists.org
Subject: How Al-Qaida Site Was Hijacked 
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-archive-position: 130
X-ecartis-version: Ecartis v1.0.0
Sender: cybercrime-alerts-bounce@freelists.org
Errors-To: cybercrime-alerts-bounce@freelists.org
X-original-sender: alerts@theMezz.com
Precedence: normal
Reply-To: cybercrime-alerts@freelists.org
X-list: cybercrime-alerts
X-Spam-Status: No, hits=-100.5 required=5.0 tests=RATWARE,NO_REAL_NAME,SUPERLONG_LINE,USER_IN_WHITELIST version=2.20
X-Spam-Level: 



* subscribe at http://techPolice.com
 

How Al-Qaida Site Was Hijacked 
By Patrick Di Justo WIRED.COM
2:00 a.m. Aug. 10, 2002 PDT 


A Maryland hacker used simple Web tools like whois and traceroute -- as well as online translation software and an anti-cybersquatting service -- to take over the domain name of al-Qaida's website. And he's ready to do it again. 

Jon Messner, the Internet entrepreneur who perpetrated the recent domain hijacking, used SnapName's Snapback service to obtain ownership of the domain www.alneda.com. 
 

Since at least March 2001, al-Qaida has been using Al Neda ("The Call") as its official Internet headquarters. 

The switch in ownership was made on July 16, after the owners of alneda.com deleted its registration from an ISP in Malaysia. Messner believes this was in preparation to establish Al Neda on another server. 

"It was a slippery bastard, but I've got it now," Messner laughs. "I own alneda.com." 

Al Neda contained editorials by major al-Qaida leaders, some of them explicit calls for action and justification of terrorist activities. There was a message board, containing relatively innocuous messages believed to be coded signals. 

There was also a multimedia section containing pictures, audio files and videos of Osama bin Laden. 

Earlier this year, Al Neda was being hosted on a server farm in Kuala Lumpur. Messner believes the United States government pressured the Malaysians to drop www.alneda.com from its site a few months ago. 

When al-Qaida deleted the domain from Malaysia, Messner struck. "After they pushed it out of the Malaysian registry... in that split second the domain became exposed, and Snapback... put my info in there," Messner said. 

Now Messner was listed as Al Neda's owner. 
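The takeover described above only works inside the window after a registration is dropped and before anyone renews or re-registers the name. As an added example (not part of the Wired article or the mailing-list post), the following Python script shows the defender's side of that mechanism: it parses WHOIS-style records and flags names that have lapsed or are pending deletion, are close to expiry, lack registrar transfer/delete locks, or whose nameservers no longer match an expected baseline. The records, domain names, dates and the reference time are all constructed, and the "Key: value" field names are assumptions about a common WHOIS layout, not output from any specific registry.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample WHOIS-style records (not real registry output). The dates
# sit around August 2002 only so the example reads in the article's context;
# "now" is passed in explicitly so the check is deterministic and runs offline.
SAMPLE_WHOIS = {
    "alpha.example": """\
Domain Name: ALPHA.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2001-03-01T00:00:00Z
Registry Expiry Date: 2003-03-01T00:00:00Z
Domain Status: clientTransferProhibited
Domain Status: clientDeleteProhibited
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
""",
    "bravo.example": """\
Domain Name: BRAVO.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2001-03-01T00:00:00Z
Registry Expiry Date: 2002-08-20T00:00:00Z
Domain Status: ok
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
""",
    "charlie.example": """\
Domain Name: CHARLIE.EXAMPLE
Registrar: Example Registrar, Inc.
Creation Date: 2001-03-01T00:00:00Z
Registry Expiry Date: 2002-07-10T00:00:00Z
Domain Status: pendingDelete
Name Server: NS3.OTHER-DNS.EXAMPLE
Name Server: NS4.OTHER-DNS.EXAMPLE
""",
}

# Statuses meaning the registration is already on its way out of the registry.
DROP_STATUSES = {"pendingdelete", "redemptionperiod", "inactive"}
# Registrar locks that stop a third party from transferring or deleting the name.
LOCK_STATUSES = {"clienttransferprohibited", "clientdeleteprohibited"}

SAMPLE_NOW = datetime(2002, 8, 12, tzinfo=timezone.utc)  # constructed reference time
BASELINE_NS = ["ns1.hosting.example", "ns2.hosting.example"]  # constructed expected DNS


def parse_whois(text):
    """Parse 'Key: value' WHOIS lines into a dict; repeated keys become lists."""
    record = {"status": [], "nameservers": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "registry expiry date":
            record["expires"] = datetime.fromisoformat(value.replace("Z", "+00:00"))
        elif key == "domain status":
            record["status"].append(value.lower())
        elif key == "name server":
            record["nameservers"].append(value.lower())
        elif key == "domain name":
            record["name"] = value.lower()
    return record


def assess(record, now, expected_ns=None, warn_days=30):
    """Return (risk, reasons) for one parsed record.

    risk is the most severe finding: DROPPED > EXPIRING > UNLOCKED > NS_CHANGED > OK.
    """
    reasons = []
    status = set(record["status"])
    expires = record.get("expires")
    if status & DROP_STATUSES or (expires is not None and expires < now):
        reasons.append("registration lapsed or pending deletion: name can be re-registered by anyone")
        risk = "DROPPED"
    elif expires is not None and expires - now <= timedelta(days=warn_days):
        reasons.append(f"expires in {(expires - now).days} days")
        risk = "EXPIRING"
    else:
        risk = "OK"
    if not status & LOCK_STATUSES:
        reasons.append("no registrar transfer/delete lock set")
        if risk == "OK":
            risk = "UNLOCKED"
    if expected_ns is not None and set(record["nameservers"]) != set(expected_ns):
        reasons.append(f"nameservers changed to {sorted(record['nameservers'])}")
        if risk == "OK":
            risk = "NS_CHANGED"
    return risk, reasons


def audit(whois_by_domain, now, baseline_ns):
    """Assess every domain and return {domain: risk}."""
    return {d: assess(parse_whois(t), now, baseline_ns)[0] for d, t in whois_by_domain.items()}


def run_sample_audit():
    """Run the audit over the constructed records at the constructed reference time."""
    return audit(SAMPLE_WHOIS, SAMPLE_NOW, BASELINE_NS)


if __name__ == "__main__":
    for domain, text in SAMPLE_WHOIS.items():
        risk, reasons = assess(parse_whois(text), SAMPLE_NOW, BASELINE_NS)
        print(f"{domain}: {risk} - {'; '.join(reasons) or 'no findings'}")
```

Run against live data, the same logic would sit behind a scheduled job that fetches each owned domain's WHOIS record and pages someone on anything other than OK; a DROPPED result is already too late, which is why the EXPIRING and UNLOCKED findings matter more in practice.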

At that point, Messner put up a copy of the original al-Qaida website on his new domain, with one subtle difference. "I put very simple CGI tracking on the site, so for five days I could trace back to nearly every hostile Islamic message board and website on the Internet." 

Messner used the Arabic translation software on Ajeeb.com to read the messages left on his new website. 

"The context of the messages was all, 'Praise Allah, The Call is back online,'" Messner said. 

For five days, visitors believed www.alneda.com was still the real al-Qaida site. Then at 4:30 a.m. on July 20, a message was posted to an Islamic message board by the person who had regularly maintained the actual Al Neda website. 

"He told them it was a trap, not to go there, the infidels were tracking their information, they had taken control of the domain and stay away." 

After that, Messner realized, "The jig was up." 

With his cover blown, there was no sense keeping the decoy up anymore, so Messner replaced the website with a picture of the Great Seal of the United States and the phrase, "Hacked, tracked and now owned by the USA." 

That same morning, Messner says, the real al-Qaida website appeared temporarily at www.news4arab.org, which has since gone down. 

Messner hypothesizes that the next incarnation of al-Qaida's website will be on www.drasat.com. 

"Drasat.com is where all the videos on alneda.com were located," says Messner. "When Al Neda got shut down a few months ago, at one point the website appeared wholly on drasat.com." 

The status of drasat.com seems to be in flux. Its DNS was changed Thursday night to point to two new servers, NS3.XAZDNS.COM and NS4.XAZDNS.COM, which are registered through Everyone's Internet of Houston. 

Ali Al-Ali of Saudi Arabia is listed as the owner of drasat.com. 

"To me, this activity indicates that they intend to put something on it," Messner said. "If I was to bet, that's where it would appear." 

When Messner took control of alneda.com, he immediately contacted federal authorities. "The frustrating part was that it took me five days to actually talk to someone (in the FBI) who had a working knowledge of the Internet, and by that time the opportunity was gone. 

"I had an exact duplicate of their site up. And they thought it was theirs." 

Messner's motive? He said he made a decision after Sept. 11: "I was going to use every skill I had to screw up the terrorists' communication in any way I could." 

FBI agents from the Baltimore field office eventually visited Messner's office but asked him not to disclose what they had discussed. FBI officials could not be reached for comment. 

Messner has taken some precautions with his prize. "We've been rotating the website among different servers with a round-robin DNS, because they have been shooting it down pretty regularly," he said, laughing. 

One slightly jarring note: A man identifying himself as Michalis Michael, calling from a number in Cyprus, left a message at Messner's office on July 23, claiming that he owned the alneda.com domain and demanding it back. Messner never returned the call. 

"I didn't really want to talk to him," Messner said. 

http://www.wired.com/news/culture/0,1284,54455,00.html

--
This was sent to you from http://theMezz.com
To Subscribe/Unsubscribe go to http://techPolice.com
http://www.theMezz.com/cybercrime/archive

*** TECH NEWS AT http://theMezzenger.com ***



 


--This communication is confidential to the parties it is intended to serve--
Fred Cohen		Fred Cohen & Associates.........tel/fax:925-454-0171
fc@all.net		The University of New Haven.....http://www.unhca.com/
http://all.net/		Sandia National Laboratories....tel:925-294-2087





This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT