Last week, we featured an interview with Sys GhosT of self-described Muslim hacktivist crew The Intrud3rs, discussing their September defaces of a number of NASA web pages and French University sites. Sys GhosT claimed that the hacks were motivated by Muslim pride: the US, he said, created ISIS and ISIS made Muslims look bad. As for the French Universities, well, they were prejudiced against Muslims, so they had to be attacked. The hacks were simple defaces of single pages, with no indication of any lasting damage, serious security breach, or database leakage.
Last night, they struck again, and after a close look at the deface, another clue has emerged about their possible motivation.
This time they chose for their victim non-Muslim-hating web developer Juan Gallardo. At around 9pm, Gallardo posted to the Facebook group for 2600, the Hacker Quarterly, with the above image and “Dafuq is this?”
“It” was a deface by the Intrud3rs, and it was across all of his sites. Within two hours, he’d fixed the sites and written up a quick guide to recovery for future victims, posted to Medium. “Seems that they have a script that just adds or overwrites the index.html and the index.php,” he told us. “All of my affected sites had an index.php as the homepage, but I found a new index.html site in there as well with the same code.”
The Medium post explains further:
Hopefully you kept backups. Now just delete the index.html page if your site runs on php, then restore your previous code on that page. If you have a static page with just html then overwrite the changes on that page.
If you have a WordPress site just login through your hosts panel, go into your file manager, then delete the index.html site. Go into your index.php file and delete everything there then paste the index.php file from your version of WordPress. This should be easy to find as WordPress is an open source project. Try this link https://core.svn.wordpress.org/branches/
Go to his tutorial for more details, including the specific code.
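The recovery steps above are manual. As an added example for this write-up (not Gallardo's script and not the Intrud3rs' code), here is a small scanner that applies the same logic to a whole web root: it flags an index.php that no longer matches a known-good copy, an index.html dropped in next to an index.php, and any index file carrying the strings the article quotes from the deface. Flagged files are moved to a quarantine directory rather than deleted, so there is still evidence to hand to the host, and the known-good index.php is put back. The marker list, the sample site layout and the deface body are constructed for the demo; the known-good index.php is assumed to be supplied by the operator from a backup or from the WordPress core repository.

```python
"""Find and roll back an index-file deface across a web root.

Added example for this article; not Gallardo's recovery script and not the
attackers' code.  Assumes the operator supplies a known-good index.php.
"""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

# Heuristics for the deface page.  "Intrud3rs" and "we love GaZA" are quoted in
# the article; the hidden iframe/link patterns are assumptions about how a
# hidden YouTube stream and a hidden ad link would be embedded.
DEFACE_MARKERS = {
    "intrud3rs": re.compile(r"intrud3rs", re.I),
    "gaza": re.compile(r"we\s+love\s+gaza", re.I),
    "hidden-iframe": re.compile(r"<iframe[^>]*(youtube|display\s*:\s*none)", re.I),
    "hidden-link": re.compile(r"<a[^>]*display\s*:\s*none", re.I),
}
INDEX_NAMES = ("index.html", "index.htm", "index.php")


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def deface_hits_text(text):
    """Names of the markers present in a string of HTML/PHP."""
    return [name for name, rx in DEFACE_MARKERS.items() if rx.search(text)]


def deface_hits(path):
    return deface_hits_text(Path(path).read_text(errors="ignore"))


def scan_webroot(root, good_index_php):
    """Return [(path, [reasons])] for suspect index files under root.

    Signals, matching what the article reports: the root index.php differs
    from the known-good copy; an index.html/.htm sits beside an index.php
    (the deface script drops one in); the body contains deface markers.
    """
    root = Path(root)
    good_hash = sha256_file(good_index_php)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for name in sorted(files):
            if name not in INDEX_NAMES:
                continue
            p = d / name
            reasons = []
            if name == "index.php" and d == root and sha256_file(p) != good_hash:
                reasons.append("index.php differs from known-good copy")
            if name != "index.php" and "index.php" in files:
                reasons.append(f"unexpected {name} next to index.php")
            hits = deface_hits(p)
            if hits:
                reasons.append("deface markers: " + ",".join(hits))
            if reasons:
                findings.append((str(p), reasons))
    return findings


def quarantine_and_restore(root, findings, good_index_php, quarantine):
    """Move flagged files into `quarantine` (keep evidence, do not delete),
    then restore the known-good index.php at the root if it was removed."""
    root, quarantine = Path(root), Path(quarantine)
    quarantine.mkdir(parents=True, exist_ok=True)
    moved = []
    for path, _reasons in findings:
        src = Path(path)
        dst = quarantine / src.relative_to(root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dst))
        moved.append(str(dst))
    if not (root / "index.php").exists():
        shutil.copyfile(good_index_php, root / "index.php")
    return moved


def build_sample_site(base):
    """Constructed sample: a WordPress-style root whose index.php was
    overwritten and which gained an index.html, plus an untouched subdir."""
    base = Path(base)
    webroot = base / "public_html"
    (webroot / "blog").mkdir(parents=True)
    good = base / "known_good_index.php"
    good.write_text("<?php\ndefine('WP_USE_THEMES', true);\n"
                    "require dirname(__FILE__) . '/wp-blog-header.php';\n")
    deface = ("<html><body><h1>Hacked by The Intrud3rs</h1><!-- we love GaZA -->"
              "<iframe style=\"display:none\" src=\"https://www.youtube.com/embed/x\"></iframe>"
              "<a style=\"display:none\" href=\"https://ads.example/click\">.</a></body></html>\n")
    (webroot / "index.php").write_text(deface)
    (webroot / "index.html").write_text(deface)
    (webroot / "blog" / "index.php").write_text("<?php echo 'clean';\n")
    return webroot, good


def run_demo(base=None):
    """Build the sample, scan, quarantine, restore; return what happened."""
    base = Path(base or tempfile.mkdtemp(prefix="deface-demo-"))
    webroot, good = build_sample_site(base)
    findings = scan_webroot(webroot, good)
    moved = quarantine_and_restore(webroot, findings, good, base / "quarantine")
    return {"findings": findings, "moved": moved,
            "restored": sha256_file(webroot / "index.php") == sha256_file(good),
            "clean_after": scan_webroot(webroot, good)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

Point `scan_webroot` at a real document root and at the index.php you trust (your own backup, or the file for your WordPress version from the core repository the post links to); subdirectory index.php files are only checked for markers, since WordPress ships different ones under wp-admin and the like. Quarantining rather than deleting keeps the injected page for the host or for a later report, and restoring only the root index.php leaves any other flagged file for you to put back from your own backup.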
Zone-H doesn’t list any archived hacks for Prosox1337, but since these are often self-reported, and Gallardo sure isn’t going to do it, these might materialize once the Intrud3rs get around to it. We can verify at least two of Gallardo’s sites were compromised, and are not now.
The script appears to touch only files named “index”, but that does not make renaming your home page a defence: by Gallardo’s account it creates an index.html where none exists as well as overwriting index.php, and the web server will happily serve whatever index.html it drops in. The deface is only the visible symptom; the real problem is that something let the attackers write to the web root in the first place (the post does not say how they got in), and unless that is found and closed the page will simply be defaced again after it is restored.
In the name of full disclosure, and to help web devs protect against future attacks, Gallardo has posted the source code for the deface to Pastebin. The sound is streamed from a hidden YouTube video, and the code itself contains a few nuggets like “we love GaZA.”
Interestingly, there’s also a hidden link to an ad service, so it appears that every view on a defaced page is (illicitly) making the Intrud3rs some ad bucks, without actually displaying the ad itself. Could THIS be the real reason for the hacking spree? Not hacktivism at all, but ad revenue? If I were Ilimyakuza.net, I’d have a stern word with those hackers.