Antisec for lulz - exposed (anti-sec.com)
From: "Glafkos Charalambous"
Date: Thu, 31 Dec 2009 19:38:40 +0200
-------------------------------------------------------------------------------------

antisec *no more*

[0x00] [Introduction]
[0x01] [Forensics]
[0x02] [Target Profiling & Lulz]
[0x03] [ownage.net - prosec]
[0x04] [vitalspeeds - prosec]
[0x05] [makosolutions - prosec]
[0x06] [holeinthewallhosting - prosec]
[0x07] [darkmindz - zf05]
[0x08] [Backdoor RCE]
[0x09] [SEO Optimizing]
[0x10] [Reporting]
[0x11] [Attachments]
[0x12] [Conclusion]
[0x13] [Greetz]

0x00

hai:]

Introduction

What you are about to read is the complete destruction of the "Anti-Sec" group. An organization known as "ProSec" contacted us with reports containing information about the entire group and how it was operating. We don't know who they are; they appear to be well-funded, top-notch security experts, and what they have done against the group is invaluable to us and to others who have been or would have been targeted. ProSec did want me to convey the message that organizations similar to Anti-Sec are currently being, and will continue to be, targeted by the movement. ProSec already has access to a number of them, is continuously monitoring and gathering more information about the various groups, and will release information when applicable. No longer should whitehats fear these groups: as soon as an individual is targeted, they will target right back. This is a warning shot to those out there that target us.
I want to thank ProSec for the work that they continue to do and understand why this movement is so important to the security community.

On the 4th of June 2009, a group named "Anti-Sec" decided to expose the Astalavista group after they successfully exploited it using what was rumored to be a LiteSpeed 0day exploit, which in reality does not exist. After looking into this further, a couple of days later we found out that the person responsible for this attack was a Saudi Arabian with the nickname RoMeO, so we decided to let the other Astalavista staff know about our findings. Joao Pontes, one of the senior Astalavista administrators, decided to warn his friend RoMeO about it, and as you will notice below, Joao Pontes (rorkty) knew from the beginning that the Astalavista group was compromised by his closest friend and decided to do nothing about it.

Later, on the 9th of June, one of my dedicated hosting servers, running a couple of websites, was targeted by the same "Anti-Sec" group, which provided fake and misleading information to the public. The reason that we decided to start looking into this subject was to see how and why my dedicated hosting server was compromised despite the fact that it was secure enough to provide access to the outside world. Below is a list of some security measures that had been taken to ensure no unauthorized access was permitted:

1) Firewall Protection
2) Brute Force Detection and Prevention
3) Kernel Hardening
4) Apache, PHP, SQL Hardening
5) SSH Hardening
6) Wheel access group for su
7) Chrooted Jail Shell
8) Web Application Firewall
9) Network Intrusion Detection
10) Host Intrusion Detection
11) Hidden daemon versions
12) Rootkit Detection
13) DoS Protection
14) All private sites hosted, audited for bugs
15) Root Access Alert
16) Etc.

Unfortunately, the interval between the compromise of the server and the time the alert reports came to our attention was not enough to prevent the attack.
After our research and the information provided by the ProSec group, we came to the conclusion that the server was either hit by a 0day exploit or compromised through my dedicated server provider, makosolutions.com, which, as shown later on, was backdoored. Utilizing passive and active reconnaissance methods resulted in a large amount of information being acquired, which provided us with the means to link together certain pieces of information and shed more light on who we are about to target and research for the attacks that took place under the "Anti-Sec" label. In this log file you will read a limited version of the information gathered and provided, since the most important parts are being kept private in order to be analyzed by the proper authorities.
-------------------------------------------------------------------------------------