[defaced-commentary] Two CNET.com machines defaced

[InfoSec News <isn () c4i org>]

---------- Forwarded message ----------
Date: Mon, 30 Jul 2001 02:05:03 -0600 (MDT)
From: security curmudgeon <jericho () attrition org>
To: defaced-commentary () attrition org
Subject: [defaced-commentary] Two CNET.com machines defaced


On July 27 & 28, 2001, two machines were compromised and defaced on
the cnet.com network. The first machine (abv-sfo1-ws5.cnet.com) was
defaced by a defacer/group known as "g0thic milk" on the 27th. The
following day, a group known as "MIH" (Men In Hack) defaced a second
machine (abv-sfo1-ws10.cnet.com) on the same subnet. Both machines
were identified as running Windows NT by staff members at Safemode.org
during the mirroring.

According to CNET (http://www.cnet.com/aboutcnet/0-13611.html?tag=ft):  
CNET Networks, Inc. (Nasdaq: CNET), is the global source of
information and commerce services for the technology industry. As a
top 10 Internet company with established Web sites in 25 countries and
content in 18 languages, CNET Networks connects buyers, sellers and
suppliers throughout the IT supply chain with award-winning content
via the Web, wireless devices, television, radio and print. Its
respected brand portfolio includes CNET, ZDNet, mySimon, News.com,
Computer Shopper magazine, and CNET Radio, as well as CNET
ChannelServices, including CNET DataServices and CNET ChannelOnline.
The company's vision is to educate and empower people and businesses
by unlocking the potential of the technology world to make things
easier and faster, and by helping them make smarter buying decisions.

The implications of such a compromise are interesting to say the
least.  If the defacements were only a small part of the intrusion, or
perhaps came at the end of a long period of compromise, it would be
impossible to even speculate the damage that could have been done.
With millions of users a month viewing the CNET news, downloading
software from their archives or relying on their stock quotes, a
Subversion of Information (SoI) attack would have been incredible.

Mirror: http://www.safemode.org/mirror/2001/07/27/abv-sfo1-ws5.cnet.com/

Mirror: http://www.safemode.org/mirror/2001/07/28/abv-sfo1-ws10.cnet.com/

A list of hosts on the same subnet. Of interest, the machine names
imply that a wide variety of services such as mail, stock? quotes,
news, search engine and more could also have been compromised.

64.124.237.3 => abv-sfo1-osr1.cnet.com
64.124.237.4 => abv-sfo1-osr2.cnet.com
64.124.237.5 => abv-sfo1-cat3508-1.cnet.com
64.124.237.6 => abv-sfo1-cat3508-2.cnet.com
64.124.237.7 => abv-sfo1-cat6509-1.cnet.com
64.124.237.8 => abv-sfo1-cat6509-2.cnet.com
64.124.237.9 => abv-sfo1-7206-1.cnet.com
64.124.237.10 => abv-sfo1-7206-2.cnet.com
64.124.237.15 => abv-sfo1-js1.cnet.com
64.124.237.16 => abv-sfo1-alteon2.cnet.com
64.124.237.17 => abv-sfo1-alteon1.cnet.com
64.124.237.18 => abv-sfo1-osr1-switch.cnet.com
64.124.237.19 => abv-sfo1-osr2-switch.cnet.com
64.124.237.21 => abv-sfo1-san-mon1.cnet.com
64.124.237.24 => abv-sfo1-he-dp1.cnet.com
64.124.237.25 => abv-sfo1-he-mail1.cnet.com
64.124.237.27 => abv-sfo1-he-news1.cnet.com
64.124.237.28 => abv-sfo1-he-alt1.cnet.com
64.124.237.29 => abv-sfo1-he-alt2.cnet.com
64.124.237.55 => abv-sfo1-proxy1.cnet.com
64.124.237.56 => abv-sfo1-proxy2.cnet.com
64.124.237.58 => abv-sfo1-nw-finder.cnet.com
64.124.237.59 => abv-sfo1-quote.cnet.com
64.124.237.61 => abv-sfo1-preapp.cnet.com
64.124.237.62 => abv-sfo1-app.cnet.com
64.124.237.64 => abv-sfo1-nsrev1.cnet.com
64.124.237.65 => abv-sfo1-nsrev2.cnet.com
64.124.237.66 => abv-sfo1-nsrev3.cnet.com
64.124.237.67 => abv-sfo1-nsrev4.cnet.com
64.124.237.72 => abv-sfo1-mail1.cnet.com
64.124.237.73 => abv-sfo1-in-mx1.cnet.com
64.124.237.74 => abv-sfo1-quote1.cnet.com
64.124.237.75 => abv-sfo1-quote2.cnet.com
64.124.237.80 => abv-sfo1-nw-harvester1.cnet.com
64.124.237.81 => abv-sfo1-nw-harvester2.cnet.com
64.124.237.82 => abv-sfo1-nw-finder1.cnet.com
64.124.237.83 => abv-sfo1-nw-finder2.cnet.com
64.124.237.86 => backtrack.cnet.com
64.124.237.92 => abv-sfo1-collectionbuilder.cnet.com
64.124.237.94 => abv-sfo1-dc1.cnet.com
64.124.237.96 => abv-sfo1-review.cnet.com
64.124.237.97 => abv-sfo1-nw-db-ha2.cnet.com
64.124.237.99 => abv-sfo1-backup-db-ha2.cnet.com
64.124.237.101 => abv-sfo1-swh.cnet.com
64.124.237.104 => abv-sfo1-nw-db-replicate1.cnet.com
64.124.237.106 => abv-sfo1-nw-db-report1.cnet.com
64.124.237.108 => abv-sfo1-awh-hist1.cnet.com
64.124.237.110 => abv-sfo1-nw-db-ha1.cnet.com
64.124.237.111 => abv-sfo1-ad-db-ha1.cnet.com
64.124.237.113 => abv-sfo1-au-db1.cnet.com
64.124.237.114 => abv-sfo1-backup-db-ha1.cnet.com
64.124.237.118 => abv-sfo1-monitor1.cnet.com
64.124.237.144 => www.help.com
64.124.237.145 => www.savvysearch.com
64.124.237.146 => www.search.com
64.124.237.148 => abv-sfo1-redirect.cnet.com
64.124.237.149 => feed.search.com
64.124.237.153 => webservices.cnet.com
64.124.237.156 => internetservices.cnet.com
64.124.237.159 => auctions1.cnet.com
64.124.237.170 => abv-sfo1-preapp1.cnet.com
64.124.237.171 => abv-sfo1-preapp2.cnet.com
64.124.237.172 => abv-sfo1-app1.cnet.com
64.124.237.173 => abv-sfo1-app2.cnet.com
64.124.237.174 => abv-sfo1-app3.cnet.com
64.124.237.175 => abv-sfo1-app4.cnet.com
64.124.237.192 => abv-sfo1-ss4.cnet.com
64.124.237.193 => abv-sfo1-ss5.cnet.com
64.124.237.194 => abv-sfo1-ss6.cnet.com
64.124.237.195 => abv-sfo1-ss7.cnet.com
64.124.237.196 => abv-sfo1-ss8.cnet.com
64.124.237.197 => abv-sfo1-ss9.cnet.com
64.124.237.198 => abv-sfo1-ss10.cnet.com
64.124.237.199 => abv-sfo1-ss11.cnet.com
64.124.237.200 => abv-sfo1-ss12.cnet.com
64.124.237.201 => abv-sfo1-ss13.cnet.com
64.124.237.202 => abv-sfo1-ss14.cnet.com
64.124.237.203 => abv-sfo1-ss15.cnet.com
64.124.237.204 => abv-sfo1-ss16.cnet.com
64.124.237.205 => abv-sfo1-ss17.cnet.com
64.124.237.206 => abv-sfo1-ss18.cnet.com
64.124.237.207 => abv-sfo1-ss19.cnet.com
64.124.237.208 => abv-sfo1-he1.cnet.com
64.124.237.209 => abv-sfo1-he2.cnet.com
64.124.237.212 => abv-sfo1-redirect1.cnet.com
64.124.237.213 => abv-sfo1-redirect2.cnet.com
64.124.237.214 => abv-sfo1-redirect3.cnet.com
64.124.237.215 => abv-sfo1-redirect4.cnet.com
64.124.237.216 => abv-sfo1-ss20.cnet.com
64.124.237.217 => abv-sfo1-ss21.cnet.com
64.124.237.218 => abv-sfo1-ss22.cnet.com
64.124.237.219 => abv-sfo1-ss23.cnet.com
64.124.237.220 => abv-sfo1-ss24.cnet.com
64.124.237.230 => abv-sfo1-survey.cnet.com
64.124.237.245 => abv-sfo1-ws1.cnet.com
64.124.237.246 => abv-sfo1-ws2.cnet.com
64.124.237.247 => abv-sfo1-ws3.cnet.com
64.124.237.248 => abv-sfo1-ws4.cnet.com
64.124.237.249 => abv-sfo1-ws5.cnet.com
64.124.237.250 => abv-sfo1-ws6.cnet.com
64.124.237.251 => abv-sfo1-ws7.cnet.com
64.124.237.252 => abv-sfo1-ws8.cnet.com
64.124.237.253 => abv-sfo1-ws9.cnet.com
64.124.237.254 => abv-sfo1-ws10.cnet.com

-
The information and commentary is Copyright 2001, by the individual author.
Permission is granted to quote, reprint or redistribute provided the text is not
altered, and the author and attrition.org is credited. The opinions expressed
in this mail are not necessarily the opinion of all Attrition staff members.

Commentary Archive: http://www.attrition.org/security/commentary/
The Attrition Mirror: http://www.attrition.org/mirror/attrition/
Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html

Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
Contacting Attrition Staff: staff () attrition org

To subscribe to Defaced Commentary, send mail to majordomo () attrition org
with "subscribe defaced-commentary" in the BODY of the mail (without
quotes). To unsubscribe, include "unsubscribe defaced-commentary" in
the BODY of the mail.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.