The Tech Herald

Kevin Mitnick suffers classic Web defacement (NSFW)

by Steve Ragan - Jun 29 2009, 18:14

Update:

Kevin Mitnick e-mailed to explain that his server was not compromised in any way.

During a follow-up phone call with Kevin and Dave Wykofka, representing Hostedhere, which is Mitnick’s hosting provider, we were told that the vandals were able to crack Hostedhere’s DNS cluster. This level of compromise allowed the vandals to modify the A record of kevinmitnick.com and mitnicksecurity.com, pointing them to another host under their control. Essentially, Mitnick said, this is a classic DNS redirect. It also fully explains the domain behavior depending on how the URL was entered.

At this stage, Hostedhere has offered all the security to Mitnick that it can. In the aftermath of this redirect attack, Mitnick has said he will be parting ways, on mutual terms, with Hostedhere. Since news of the attack broke early this morning, Mitnick has received a handful of offers from various hosting providers. However, his one requirement is that they are able to deal with the level of risk his name will bring to the network. His sites are targets, so anyone hosting him will have to be fully aware of this.

As for how the DNS cluster was compromised, Hostedhere would not speculate on the issue or say what information it has. If it does issue a statement on the matter, we will update this story accordingly.

Original story follows:

Before Web sites were compromised to spread malware, the typical form of attack was defacement. Mostly done as a prank, a defacement is where an attacker makes changes to a site's layout, such as adding images or text, in order to make a statement, embarrass someone, or simply prove the attack could be done.

Bearing that in mind, it would appear that Kevin Mitnick, an ex-hacker turned security consultant, has suffered from a rather grotesque defacement.

In an e-mail to the Full Disclosure mailing list early on Monday, the following subject line appeared: “Kevin Mitnick the security [professional extraordinaire] got mantrained.”

And someone using a Hush Mail account wrote that, “[it] appears that all of [Kevin Mitnick's] sites have been replaced with a pornographic image which shows him having buttseckz with 3 other men.”

The image, which The Tech Herald will not publish in its original form, but in the censored format below, is openly obscene.

The sites reportedly defaced were kevinmitnick.com and mitnicksecurity.com, both of which were reachable at the time this article was posted. [They have since been restored to working order.] However, only http://kevinmitnick.com showed the actual defacement; the other site was free of any alterations.

However, there would appear to be more to the story, because http://www.kevinmitnick.com showed no defacement at all (notice the added WWW). While that could be a simple DNS or configuration issue on the server, we have asked someone from Mitnick Security to provide comment. If they do, we will update this report accordingly. [See the update as to why the A records were acting funny.]
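The update describes the mechanism (an altered A record at the hosting provider's DNS, pointing the name at a host the vandals controlled) and this paragraph describes the symptom a site owner might notice first (the apex name and its www name resolving differently). The following is an added example of how a site owner could monitor for both conditions; it is not code from The Tech Herald, Mitnick Security or Hostedhere. The resolver answers and IP addresses in it are constructed placeholders (RFC 5737 documentation ranges), and the resolver names are hypothetical.

```python
"""Detect an A-record hijack of the kind described in the article.

Added example, not from The Tech Herald or from the parties it names.
The resolver answers below are constructed for illustration; the IP
addresses are RFC 5737 documentation-range placeholders, not the real
addresses of any site, and the resolver names are hypothetical.
"""
import socket
from typing import Dict, List, Set

# What the site owner knows the A records should be (constructed values;
# a real deployment would load these from configuration).
EXPECTED: Dict[str, Set[str]] = {
    "kevinmitnick.com": {"192.0.2.10"},
    "www.kevinmitnick.com": {"192.0.2.10"},
    "mitnicksecurity.com": {"192.0.2.10"},
}

# Observed answers, keyed by hostname then by the resolver that was asked.
# Constructed to mirror the article: the apex name has been redirected at
# the authoritative server, a recursive resolver still has the old answer
# cached, and the www name is untouched.
OBSERVED: Dict[str, Dict[str, Set[str]]] = {
    "kevinmitnick.com": {
        "ns1.hosting.example": {"198.51.100.7"},   # authoritative, altered
        "resolver.isp.example": {"192.0.2.10"},    # stale cache, old answer
    },
    "www.kevinmitnick.com": {
        "ns1.hosting.example": {"192.0.2.10"},
        "resolver.isp.example": {"192.0.2.10"},
    },
    "mitnicksecurity.com": {
        "ns1.hosting.example": {"192.0.2.10"},
        "resolver.isp.example": {"192.0.2.10"},
    },
}


def check_records(observed: Dict[str, Dict[str, Set[str]]],
                  expected: Dict[str, Set[str]]) -> List[str]:
    """Return alert strings; an empty list means every record is as expected."""
    alerts: List[str] = []
    for host, per_resolver in observed.items():
        want = expected.get(host)
        if want is None:
            alerts.append(f"{host}: no expected record configured")
            continue
        answers = list(per_resolver.values())
        # Resolvers disagreeing with each other means a change is still
        # propagating (or a cache is poisoned); either way it needs a look.
        if any(a != answers[0] for a in answers[1:]):
            alerts.append(f"{host}: resolvers disagree: {per_resolver}")
        for resolver, ips in per_resolver.items():
            unexpected = ips - want
            if unexpected:
                alerts.append(
                    f"{host}: {resolver} returned {sorted(unexpected)} "
                    f"(expected {sorted(want)})"
                )
    return alerts


def apex_www_mismatch(observed: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Flag zones whose apex and www names resolve to different addresses,
    the symptom noted in the article (apex defaced, www untouched)."""
    zones: List[str] = []
    for host, per_resolver in observed.items():
        if host.startswith("www."):
            continue
        www = observed.get("www." + host)
        if www is None:
            continue
        apex_ips = set().union(*per_resolver.values())
        www_ips = set().union(*www.values())
        if apex_ips != www_ips:
            zones.append(host)
    return zones


def resolve_live(hosts: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """Ask the system resolver for A records (needs network; not used by tests).
    Returns the same shape as OBSERVED so it can feed the checks above."""
    result: Dict[str, Dict[str, Set[str]]] = {}
    for h in hosts:
        ips = {info[4][0] for info in socket.getaddrinfo(h, None, socket.AF_INET)}
        result[h] = {"system-resolver": ips}
    return result


if __name__ == "__main__":
    for line in check_records(OBSERVED, EXPECTED):
        print("ALERT", line)
    for zone in apex_www_mismatch(OBSERVED):
        print("MISMATCH apex vs www:", zone)
```

Run periodically against the zone's authoritative servers as well as one or two public recursive resolvers: a change that shows up at the authoritative server but not yet at the recursives is exactly the window in which a provider-side redirect of the sort described in the update can be caught before most visitors see it.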

This is not the first time Mitnick's sites have come under attack. In 2006, his sites were defaced by vandals from Pakistan, who gained access to them after compromising his hosting provider. According to Mitnick’s statements at the time, the vandals gained access to the server hosting his sites, and while they had access to the entire box, only his sites were defaced.

Another interesting nugget of information regarding the 2006 defacements is that Hostedhere was the hosting provider hacked. According to DNS records, that's the same provider hosting Mitnick's site now. We have asked Hostedhere for an official comment.
