
TechCrunch Hacked - jmtame
http://www.techcrunch.com/2010/01/26/techcrunch-hacked/
======
rms
Well played, anonymous hacker. I even respect your lack of political
posturing.

For when this gets fixed, right now techcrunch.com is an empty html page that
contains <a href="http://nottherealurl.com/" title="rapidshare
downloads">rapidshare downloads</a>

Edit: now it is a blank html page that contains only "hi". Someone from HN
rehacked it? Or it's about to be fixed.

~~~
NZ_Matt
It was linking to dupedb .com when I looked a minute ago. Now all I see is
text saying hi

~~~
timdorr
Looks like it's switching around depending on what backend their load balancer
throws you to. It's jumping around for me, which suggests they don't have any
session affinity. Interesting, but I guess it's not required for their kind of
app.

~~~
mahmud
_site_ , for their kind of site.

~~~
olefoo
These days, that's a distinction without a difference. All websites that
couldn't usefully be delivered as PDFs are applications by definition.

~~~
Skeuomorph
Techcrunch could be delivered as a PDF. I get it on my Kindle.

Just as most new web sites are not startup companies, most existing web sites
are not apps.

The distinction and difference is that a software application helps a user
perform manipulation or transformation of data as useful work.

Most websites, despite simple interactivity (e.g. search), are still published
as "content" for consumption within a content access application, not for
manipulating work|play|creative output.

~~~
jrp
And the comments on the posts are built into a PDF?

~~~
mahmud
Who reads TechCrunch comments? they're worse than youtube, at least youtubers
are not self-promoting.

------
NZ_Matt
It has just been hacked again....

The html: <title>LOL HACKED</title>

<center><h1><b>WHAT A FUCKING USELESS HACK ISN'T IT?
BLEH.</b></h1></center><br>

<h1><a href="http://dupedb.com/" title="rapidshare
downloads">http://dupedb.com/</a></h1><br>

~~~
jmtame
once you're lucky, twice you're good

------
chaosmachine
One day too early, if they were going for maximum damage.

~~~
cmelbye
Yeah, he/she/they definitely should have done this on Wednesday at 10:00 AM
(or whenever the Apple event is) if they were looking to cause any sort of
damage.

~~~
gcheong
Test run?

------
jsz0
I heard Mike Arrington actually developed all the IP for the hack. True fake
story.

------
kyro
At one point, the source said <!-- WP Super Cache is installed but broken. The
path to wp-cache-phase1.php in wp-content/advanced-cache.php must be fixed!
-->

------
melvinram
Hope they have backups and don't lose data. As much as I hate that their
quality has gone down, I hate to see someone's hard work get killed by
something like this.

~~~
jrockway
Maybe people will finally stop using the duct-taped spaghetti called
"wordpress".

~~~
olefoo
What would you suggest as an alternative?

~~~
NateLawson
Jekyll outputting a static HTML blog, with Disqus for comments. I have a rule
of no dynamic content on my webserver.

<http://jekyllrb.com/>

(Yes, my blog is currently hosted at wordpress.com, but I'm evaluating Jekyll
as part of the next round of server migrations. I started with wordpress.com
years ago when I didn't want to run WP on my own server, but wanted the ease
of a blog.)

~~~
olefoo
That's not a bad rule. I've actually been considering using sphinx
<http://sphinx.pocoo.org/> for my blog reboot. Mostly because I'd like to
offer visitors a choice of formats, read bits and pieces on the web or grab
the whole thing as a PDF or reasonably priced e-book.

~~~
est
from my experience, wordpress itself is quite solid, most vulnerabilities are
from third party plugins.

~~~
NateLawson
"It's safe because I haven't been hacked yet." Meanwhile, pretty much everyone
in the security community running Wordpress on their own sites got hacked via
it in 2008-9.

------
tmsh
<http://twitter.com/arrington/status/8230803684>

------
jgrahamc
Wasn't me:
<http://www.jgc.org/blog/2009/07/techcrunch-skating-on-thin-ice.html>

Will be interesting to hear the details. TC has done a lot to secure their
site, but they were using WordPress.

------
petercooper
Correct me if I'm wrong.. but did I just see an interstitial ad page when
going to that link?

------
jasonrojas
<http://www.techcrunch.com/wp-cache-phase1.php?plugin=shell> whooops?

~~~
buro9
That's very possibly the vector.

If you can place a .php file in the plugins directory located here:
<http://www.techcrunch.com/plugins/>

And then if you call the script as per your example, then it appears that
plugin is loaded (and evaluated).

Someone else more versed in PHP might want to cast their eyes over the
wordpress plugin to see whether I'm right:
<http://wordpress.org/extend/plugins/wp-super-cache/>

But it appears it's a case of globals not being checked prior to use:
<http://php.net/manual/en/security.globals.php>

So at first glance and with limited info... it's a plugin. Not that this
surprises me, I still use vBulletin and I spend a lot of time code-reading the
plugins for that before I use them. Mostly to make sure they don't do silly
things like have SQL inside a loop over potentially lots of items, but also
for the obvious security holes.

register_globals is an old one though, should be disabled:
<http://drupal.org/node/222343>
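
Added example, not part of the comment above and not WP Super Cache code: a PHP illustration of the bug class buro9 describes, where a variable the script never initialises is filled in from the request and then used to pick a file to include. `extract()` stands in for `register_globals=On`; the function names, the `stats`/`dropped` plugin names and the temporary directory are all assumptions made up for the demo.

```php
<?php
// Illustration only: not WP Super Cache code; all names are hypothetical.

// register_globals=On turned every request parameter into a variable.
// extract() reproduces that behaviour on PHP versions that removed the setting.
function plugin_path_unsafe(array $request, string $pluginDir): ?string {
    extract($request);
    // $plugin is never initialised by the script, so the request decides it.
    if (isset($plugin)) {
        return "$pluginDir/$plugin.php";   // this path would reach include
    }
    return null;
}

// Hardened: read the parameter explicitly, accept only allowlisted names,
// and confirm the resolved file sits inside the plugin directory.
function plugin_path_safe(array $request, string $pluginDir, array $allowed): ?string {
    $plugin = $request['plugin'] ?? null;
    if (!is_string($plugin) || !in_array($plugin, $allowed, true)) {
        return null;
    }
    $base = realpath($pluginDir);
    $real = realpath("$pluginDir/$plugin.php");
    if ($base === false || $real === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed demo data: one allowlisted plugin and one unexpected file.
$dir = sys_get_temp_dir() . '/plugins_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/stats.php", "<?php // constructed, allowlisted\n");
file_put_contents("$dir/dropped.php", "<?php // constructed, not allowlisted\n");

$request = ['plugin' => 'dropped'];   // constructed query: ?plugin=dropped
var_dump(plugin_path_unsafe($request, $dir));
var_dump(plugin_path_safe($request, $dir, ['stats']));
var_dump(plugin_path_safe(['plugin' => 'stats'], $dir, ['stats']));

// Remove the constructed files again.
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

The unsafe function hands back a path for any file that happens to be in the directory, while the hardened one only resolves names the site operator listed.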

~~~
olefoo
They had register_globals on? @_@

I hope they go for the radical openness option and do a full public
post-mortem. A teachable moment like this should not be wasted.

register_globals was known to be a bad idea in 1999 for crying out loud.

~~~
raffi
_phew_ I don't feel bad now. I wrote an HTML preprocessor in 1999 to allow
PHP-like embedding of Perl in webpages. It did the equivalent of register globals.
I still have it up on my website but with a big warning that says "this has
known security issues, don't use it". At least someone else made the same
mistake around that time :)

------
lut4rp
About time they shifted to Drupal. WP seems to be going down on security
pretty bad.

~~~
TheBranca18
Does TC have programmers? Why then would they use Drupal? Drupal for
programmers is some of the most horrible code I've ever come across. Hey let's
look at this back trace of THOUSANDS of functions.

-Unfortunately responsible for maintaining a Drupal install at work...

~~~
timdorr
Thousands of functions? Then you're doing it wrong. Drupal has the best
documented API and tons of extensibility. Unless you're trying to change what
Drupal is at its core, doing stuff is never impossible or even that difficult.
Make sure you're using Devel: <http://drupal.org/project/devel>

~~~
TheBranca18
Unfortunately I'm stuck with Drupal 6. And if you do a backtrace in any custom
module there will literally be thousands of functions listed. It may have
'tons of extensibility' but at least Drupal 6 is a cluster mess. Sure it may
give less experienced programmers ability to do things quickly but as a more
experienced programmer I find the rigidity of it to be stifling.

~~~
lut4rp
As an engineer, I won't take your argument of "thousands" of functions in a
custom module. Also, yes, Drupal is far more complex than any other CMS
because it's _not_ a CMS. It's more like a framework you use to build your own
mini-CMS. You can customize it to your needs a _lot_ more than WP.

------
dryicerx
I am surprised this news wasn't posted on TechCrunch before... oh wait.

------
imok20
Really? Let's call this "cracked," not "hacked" – we're only furthering the
misunderstanding by using the incorrect term here, too.

~~~
houseabsolute
How about hackers everywhere give up on reclaiming this term. It's not going
to happen. That way I don't have to see this post on every single story about
malicious intrusion that comes up on social news sites.

~~~
imok20
The difference is that this site is called "Hacker News."

~~~
andrew1
I appreciate that whoever runs the site can call it whatever they like, but I
wish they hadn't chosen 'Hacker News'. I know that it's my own prejudices at
play here but it's simply embarrassing to have 'Hacker News' staring out from
the top of my browser window. It's so ridiculous I can't even bring myself to
say it, when I discuss links with a friend who also checks this site the
conversation starts with 'did you see that article about X on the, er, the
YCombinator news site?'.

~~~
InclinedPlane
Also note that it's possible for a single word to have multiple meanings
depending on context, this includes even opposite meanings with opposite
connotations. In the context of news.yc.com the term "hacker" generally has a
different meaning than the term has elsewhere, especially in the context of
unauthorized, malicious intrusion into a computer system.

Similarly a term such as "killer" may have an extremely negative connotation
in the context of a grisly homicide yet the same word may have a positive
connotation and a completely different meaning (dominant, superlative,
desirable) in other connotations. Such is the dynamic, flexible, and adaptive
nature of language (outside the realm of the pedant).

~~~
numbchuckskills
Main Entry: hack·er Pronunciation: \ˈha-kər\ Function: noun Date: 14th century

1 : one that hacks 2 : a person who is inexperienced or unskilled at a
particular activity <a tennis hacker> 3 : an expert at programming and solving
problems with a computer 4 : a person who illegally gains access to and
sometimes tampers with information in a computer system

Three out of four possible Merriam-Webster definitions are negative.

~~~
awa
Only the 4th one seems negative to me... 1) is neutral (since hack has at least
1 +ve meaning), is positive and 2) is as similar to inexperienced/unskilled
whose connotation is context dependent(imho)

------
karteek
Did Apache behind TechCrunch always add "X-Pad=avoid browser bug" header ?

Apparently a few Apache 1.x installations used to send this header as part of
some fix for a few versions of Netscape.

Edit: TC seems to acknowledge the hack now. Also, the header X-Pad is missing
now.

"Earlier tonight techcrunch.com was compromised by a security exploit.

We're working to identify the exploit and will bring the site back online
shortly."

------
amvp
Visitors should be aware that visiting tc.com right now is equivalent to
visiting a suspicious, untrusted site. It could serve malicious content that
takes advantage of unknown vulnerabilities even on fully patched systems...
although i'd hope the hn audience is savvy enough to know this.

~~~
dotBen
"Visitors should be aware that visiting tc.com right now is equivalent to
visiting a suspicious, untrusted site"

Surely that's the case every day???

LMFAO

~~~
dotBen
WOW, de-karma'd for that!

Someone needs to find a sense of humor.

------
drenei
Whoever is behind this is changing the html page, 4 minutes ago it was <a
href="http://dupedb.com/" title="rapidshare downloads">rapidshare
downloads</a>. Now the source says "hi". Strange times.

------
noarchy
Is TechCrunch simply preparing to merge with Twitter, at last?

------
tumpak
well this sucks.

but i feel the hack was done today instead of tomorrow to let them know the
hackers displeasure on something. but not to really hit them when it
matters... (which is tomorrow for apple presentations )

maybe it's just a warning perhaps.

I am sure techcrunch is working on this...

wordpress systems are pretty stable but all systems have a loophole.. on many
systems, you can't avoid the hacking because it is the human errors (or
negligence)

~~~
BrandonWasHere
More likely it was an automated attack carried out by bots. I'm still putting
my money on the recent rash of non-secure FTP exploits (client side).

~~~
dangrossman
This was no automated attack. The page was updated with a series of what could
only be hand written messages as TC tried to overwrite what the hacker was
uploading. At one point the whole page turned to "o_O".

------
melvinram
Now it's back. Restored. Glad nothing disappeared.

~~~
vaksel
all I'm seeing is "we'll be back shortly" it could be the hacker changing it

~~~
NZ_Matt
<http://www.techcrunch.com/page/1/> is working

~~~
DougBTX
Not from here

~~~
NZ_Matt
It was earlier before techcrunch went down the second time.

------
leelin
I sure hope this isn't the case, but everyone saying 'outage would have caused more
damage Wed. morning' might get their wish.

------
paulitex
And.... We're back.

Now, how long til we get Arrington's spin?

~~~
riffraff
30 mins later, no we're not

------
mrclark411
No word from them: <http://twitter.com/techcrunch>

~~~
NZ_Matt
Daniel Brusilovsky is on the case: <http://twitter.com/TechCrunch/team>

------
wesley
back up. Looks like they even found the time to add interstitial ads on
techcrunch.com.. (Direct link: <http://www.techcrunch.com/welcome.html>)

------
sankara
As of now, TC is back. There is no mention of what went wrong though.

------
DaveHanna
redirected me first time to <http://www.twply.com/> then it came up next time
with "hi"

~~~
CalmQuiet
A page which politely invites you to enter your Twitter user name & pw. [ I
politely declined. ]

------
todd3834
now it says, "We'll be back shortly."

~~~
JBiserkov
we ? "Tech Crunch" : "The crackers"

~~~
Devilboy
whoever wins I guess

------
faramarz
Could be a widespread WP security hole..

~~~
mahmud
Never attribute to a platform bug what can be explained by misconfiguration.

------
suhail
yep.

------
Technophilis
Was techcrunch hosted in indonesia or is this a DNS attack ?
<http://bit.ly/5QgDUa>

~~~
kierank
That is wrong.

------
sucuri2
That shows how bad security is on most places… The bad guys just need to find
1 mistake to get in, while we have to protect at all places.

That’s why covering all angles is important…

--dd <http://sucuri.net>

~~~
NateLawson
Advertise much?

~~~
sucuri2
yeah, yeah... couldn't resist

