At first I was warned by the IDS alerts via a urlquery.net scan, which made me put the URL into a special HTML viewer that gave away the hack.
The IP could be further verified as belonging to a misused server at a VirusWatch listing, where several domains had been defaced.
Then I did some research on those that performed that specific defacement and got to this group of Italian teenage script kiddies that used this tool, described here: http://www.vulnerabilityassessment.co.uk/cge.htm (link author Kevin Orrey), to perform their online hooliganism.
If you Google “blackangels hacked” you see that the connecting pattern is “cisco networking kit flaws probed by streams of code”.
Today a lot of sites do not have even minimal server and web software security and can be easily hacked or injected with malware.
I posted this to underline the importance of bringing Suricata/Emerging Threats/Snort rule IDS into the scanning of URLs, to come to an earlier detection of particular issues.
Thanks. Anytime you need a favor in the dog supplies world, send me a PM. That’s all I got. Or if you have car trouble in MS, we’ll get you taken care of. – Rob Snell
The days when you could let the dogs out on defacers are gone; now we have other methods ;D
Hope you could spread the heads-up to small retailers depending on Cisco, so that they are aware of the illegitimate use of this pentesting tool in the hands of script kiddies.
Most of the folks I know are using Yahoo! Store, but I have some friends with clients using “cheap” hosting and that seems to come back and bite them. I’ll put the word out. THANKS SO MUCH! – r