

Cryptome Attacked and Censored by Webcom and Network Solutions - state
http://cryptomeorg.siteprotect.net/webcom-netsol-attack.htm

======
acqq
The site actually had at least one infected PHP file at the moment it was
blocked by Network Solutions, and John admits that. It would be interesting to
know how long the file was in that state. It certainly appears that John
doesn't do any regular patching of the software that drives his site.

The reason they blocked the site was to make him _upgrade the whole
infrastructure and clean all the possibly infected files_ and they state that
in their e-mail:

[http://cryptomeorg.siteprotect.net/netsol-violation.htm](http://cryptomeorg.siteprotect.net/netsol-violation.htm)

"It appears you are running vulnerable PHP that has allowed your account to be
controlled by an attacker. You will need to remove all PHP files from your
hosting account and update your content to a more secure system. Failure to do
so will result in your account remaining suspended.

Example hacked content found on your account (NOTE: _This is just an example
and all hacked files will need removal; we cannot provide a full listing of
your hacked content_ ):

/data/13/1/84/46/1247698/user/1330594/htdocs/xxx/xxxxxxxxxx/xxxxxxx.php

This can be caused by code vulnerabilities in an existing content-management
system (CMS) or other script that has been compromised. The most common cause
is an outdated, hacked CMS such as Joomla, Drupal, or WordPress. To rectify
this issue, you will need to secure your CMS. If your site is a CMS, you will
need to update the code/script(s) via FTP."

What he then notifies them of is just:

"The offending file has been removed.

/data/13/1/84/46/1247698/user/1330594/htdocs/xxxxxxxxxxx/xxxxxxxx/xxxxxx.2.php

Thanks for careful monitoring."

That is obviously not the amount of maintenance his server needed. The minimum
expected would be to confirm that the other PHP files were checked and were
found to be clean. Perhaps some of the files that are installed but not used
should be removed. Of course he has the right to never update the software for
his site, but then the hosting provider also has the right to block the site,
limiting the chances of further infections.

Interestingly, it seems that John believes that Network Solutions should
maintain the software side of his site. In 2010:

[http://arstechnica.com/business/2012/02/breaches-galore-as-cryptome-hacked-to-infect-visitors-with-malware/](http://arstechnica.com/business/2012/02/breaches-galore-as-cryptome-hacked-to-infect-visitors-with-malware/)

"Cryptome founder John Young said in an e-mail that he believes the attackers
were able to infect his website with a poisoned PHP file by exploiting a
weakness in security or server software provided by Network Solutions, which
hosts the Cryptome website."

If he really uses web.com, they have a pitch like this:

[http://web.com/hosting/unix.aspx](http://web.com/hosting/unix.aspx)

"Simple Blog Set Up With Web.com: Log into your Web.com Account to manage your
Web Hosting / Visit the Open Source Library within the hosting control panel /
Install a WordPress® blog on your website with a single click"

Is it possible that after that one click, the software is never updated by
Network Solutions? How are such sites supposed to be managed then?
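
The remediation the provider's e-mail describes (remove or verify every PHP file, not just the one they named) is the part a site owner has to do himself. The following is an added example, not code from the thread or from Cryptome or Network Solutions: a small audit script that walks a web tree, compares each PHP file's SHA-256 against a manifest of hashes taken from a clean copy of the scripts, and flags common backdoor constructs in any file. The indicator regexes and the sample tree and manifest are constructed for the demo and are assumptions; a real manifest would come from the vendor's release tarball for the exact CMS version in use.

```python
"""Audit a PHP web tree for files that differ from a clean install and for
common backdoor indicators. Added example; sample data is constructed inline
so it runs offline."""
import hashlib
import os
import re
import tempfile

# Hypothetical indicator set: constructs that almost never appear in
# legitimate CMS code but are typical of dropped shells and injected loaders.
INDICATORS = {
    "eval_of_decoded_blob": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "request_to_shell": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "assert_on_request": re.compile(r"\bassert\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)\b", re.I),
    "preg_replace_e_modifier": re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/[a-zA-Z]*e[a-zA-Z]*\1"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
PHP_SUFFIXES = (".php", ".phtml", ".php5")


def sha256_of(path):
    """SHA-256 hex digest of a file, streamed so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_php_source(src):
    """Return the names of all indicators that match the given PHP source."""
    return [name for name, rx in INDICATORS.items() if rx.search(src)]


def audit_tree(root, manifest):
    """Walk root and report every PHP file that is unknown to the manifest,
    modified relative to it, or matches an indicator. Returns
    {relative_path: {"status": ..., "indicators": [...]}}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            expected = manifest.get(rel)
            if expected is None:
                status = "unknown"    # not part of the clean install: dropped file?
            elif expected != sha256_of(full):
                status = "modified"   # differs from the clean copy: injected code?
            else:
                status = "clean"
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                hits = scan_php_source(f.read())
            if status != "clean" or hits:
                report[rel] = {"status": status, "indicators": hits}
    return report


# Constructed sample tree (assumption): a tiny "CMS" with two clean files.
SAMPLE_FILES = {
    "index.php": "<?php\nrequire 'lib/bootstrap.php';\necho render_page($_GET['p'] ?? 'home');\n",
    "lib/bootstrap.php": "<?php\nfunction render_page($p) { return htmlspecialchars($p); }\n",
}
# Constructed compromise: a loader appended to a real file, plus a dropped shell.
INJECTED_BOOTSTRAP = SAMPLE_FILES["lib/bootstrap.php"] + "eval(base64_decode('ZWNobyAxOw=='));\n"
DROPPED_SHELL = "<?php if(isset($_REQUEST['c'])){ system($_REQUEST['c']); }\n"


def build_demo_tree():
    """Write the clean tree, record its manifest, then tamper with it the way
    the thread describes. Returns (root, manifest)."""
    root = tempfile.mkdtemp(prefix="phpaudit_")
    manifest = {}
    for rel, src in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(src)
        manifest[rel] = sha256_of(path)
    with open(os.path.join(root, "lib/bootstrap.php"), "w", encoding="utf-8") as f:
        f.write(INJECTED_BOOTSTRAP)
    os.makedirs(os.path.join(root, "images"), exist_ok=True)
    with open(os.path.join(root, "images/sample_dropped.php"), "w", encoding="utf-8") as f:
        f.write(DROPPED_SHELL)
    return root, manifest


def run_demo():
    """Audit the constructed tree; index.php is clean and stays out of the report."""
    root, manifest = build_demo_tree()
    return audit_tree(root, manifest)


if __name__ == "__main__":
    for rel, info in sorted(run_demo().items()):
        print(f"{info['status']:8s} {rel}  {','.join(info['indicators']) or '-'}")
```

The manifest check is the part that scales: indicator regexes catch the obvious `eval(base64_decode(...))` loaders and request-to-shell one-liners, but an attacker who edits an existing file subtly only shows up as "modified", which is why the hash comparison against a known-clean release matters more than any pattern list.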

~~~
pyre
Thanks for the link to the NetSol Violation email. The link on the article is
broken.

~~~
acqq
Does anybody know what John is supposed to maintain on his site? Is upgrading
the software the responsibility of his provider?

cryptome.org seems to currently run Apache 2.2.22, whereas 2.2.27 is the most
recent in the 2.2 branch.

------
driverdan
Typical hyperbolic writing from John. I'd be pissed too if one of my hosts
pulled down sites without notice and didn't restore them quickly after
resolution, but saying it was "attacked" and "censored" is ridiculous.

~~~
AJ007
Consider that the nature of his site makes Cryptome a massive target for
state-sponsored hacking, among others. Even a site with experienced staff is
going to have challenges. Since he has been running Cryptome for free since the
90s, be sure to support their Kickstarter, even if you only agree 50%.

------
state
What I find surprising about this is the configuration Cryptome is running. I
would have expected them to be in a data center in Iceland or on a box in
John's closet.

------
spacemanmatt
If every site with some bad PHP were taken down with such force... well... so
much for the internet.

