Cryptome hacked

Eugen Leitl eugen at
Tue Feb 14 08:29:03 PST 2012

Whistleblowing platform used to spread malware

Whistleblowing platform has been hacked and used to spread
malware. Unknown perpetrators gained access to the server and used the Black
Hole 12 exploit toolkit to infect all of its HTML pages (of which there are
many thousands). The JavaScript toolkit identifies a user's browser and
operating system before attempting to exploit a range of vulnerabilities to
inject malicious code onto their system.

In this case, Black Hole appears to have been configured only to attack
Internet Explorer. A log file containing around 2,900 IP addresses was found
on the server and may offer some indication of the number of systems

It is not clear how the attackers were able to penetrate the server. The team has published a harmless extract of the malicious code and
is asking for assistance in analysing it. Some initial thoughts have already
been received. One user has suggested that the attacker may have used the
WebDAV interface to modify the HTML files.

The team is currently busy disinfecting the affected files,
around 80% of which are now back online.
