The interview was conducted over Internet Relay Chat (IRC) by Anti Online. Since some parts of the interview would become more or less unintelligible in translation, it is published in its original language.

WHH = White House Hacker
AOL = Anti Online

WHH - it was just phf/ufsrestore
WHH - :P
AOL - vulnerable to phf
WHH - it was.. yeah..
AOL - they are running Solaris??!?!?
WHH - yeah
WHH - www1 is solaris7
WHH - there isn't much email on the system
WHH - this is /var/mail
WHH - # ls -lFa
WHH - total 18
WHH - drwxrwxrwt 3 root mail 512 May 10 04:30 ./
WHH - drwxr-xr-x 26 root sys 512 Apr 27 10:00 ../
WHH - drwxrwxr-x 2 root mail 512 May 7 18:57 :saved/
WHH - -rw-rw---- 1 root mail 6079 May 10 04:30 root
WHH - #
WHH - root just has some crontab sheet in it
WHH - they have tripwire running on the boxes...
WHH - it seems to be an insecurity for them
WHH - cause it's ftping over between the boxes
WHH - and the password is sniffable..
AOL - what time was the box hacked
WHH - -- TCP/IP LOG -- TM: Mon May 10 00:50:04 --
WHH - PATH: s002.whitehouse.gov(33821) => athena.whitehouse.gov
WHH - STAT: (ftp)Mon May 10 00:50:05, 10 pkts, 57 bytes [TH_FIN]
WHH - DATA: USER webadm
WHH - :
WHH - : PASS pavar0t%
WHH - :
WHH - : CWD /TripWire
WHH - :
WHH - : TYPE I
WHH - :
WHH - : QUIT
WHH - :
WHH - :
WHH - --
WHH - box was hacked about 11:30 or so PST last night I think
WHH - wait no.. it was before that..
AOL - last night meaning May 9th ?
WHH - like.. about 9 pm PST
WHH - I missed x-files cause this was more important :P
AOL - May 9th 9 PM PST?
WHH - yeah
WHH - that tcplog was 8:50 PST.. so it must have been owned slightly before that..
WHH - ya
WHH - k..
AOL - the www1 server is linked to www ?
WHH - it's one of two servers hosting the page..
WHH - # nslookup www.whitehouse.gov
WHH - Server: ns5.psi.net
WHH - Address: 38.8.5.2
WHH - Name: www.whitehouse.gov
WHH - Addresses: 198.137.240.91, 198.137.240.92
WHH - #
WHH - the two IPs are www1 and www2
WHH - okay..
WHH - the page should replace http://www.whitehouse.gov for over 1/2 the people at 6am pst..
WHH - I'll have it try to steal www2's ip..
WHH - so a few people who dns www to the other server will get this one anyways
AOL - ok
AOL - why the particular attack on whitehouse.gov?
WHH - because it was easily exploitable... and was pretty high profile
AOL - Were there any political reasons? personal reasons?
WHH - okay... well the thing is..
WHH - altomo and lyp0x came to me telling me that they found a phfable site w/ my scanner
WHH - and that it was whitehouse.gov
WHH - so I rooted it..
WHH - and am posting their html...
WHH - so.. the message is mainly altomo's.
WHH - it wasn't specifically targeted for an attack, so it wasn't a political reason.
AOL - oh okay
WHH - as for personal reasons.. it always feels good to get into a high profile place.
AOL - alright
WHH - well, pretty much.. once it was known that that site was vulnerable, it was already rooted to me.. at least, just a couple minutes away.
WHH - since it was solaris 7, and vulnerable..
WHH - I just assumed that they recently upgraded their software, and that they assumed it would be more secure with recent distributions of their OS and server software
WHH - which is normally a big mistake
WHH - everything was pretty much a default installation
WHH - the main problem was deciding when to post the page... wait too long... you might lose access when the admins gain a clue... do it too fast, no one will know.. everyone would be asleep... and we would also miss out on a great sniffing opportunity..
WHH - being on a network w/ lots of .gov and all.. could possibly lead to something like the president's email address password
WHH - (the whitehouse.gov mail exchanger is on the next class C)
AOL - yeah okay
WHH - heh.. looks like someone else is trying to own them by guessing passwords
WHH - -- TCP/IP LOG -- TM: Mon May 10 07:40:33 --
WHH - PATH: 202.99.48.134(1117) => oa00005851(ftp)
WHH - STAT: Mon May 10 07:41:42, 18 pkts, 101 bytes [TH_FIN]
WHH - DATA: USER administrator
WHH - : PASS white
WHH - : USER ftp
WHH - : USER administrator
WHH - : PASS whiteadmin
WHH - : USER admin
WHH - : PASS ftp
WHH - :
WHH - --
WHH - hah :P

The hacker also attached a list of the users that existed on the White House web server.

bing: Bing Feraren
orion: Christopher Adams
webadm: Web Administrator
cadams: Christopher Adams
bartho_m: Mark Bartholomew
monty: Monty Haymes
debra: Debra Reid
connie: Connie Colabatistto
bill: William Hadley