UPDATE: On July 27, 2001, webservices.cnet.com was defaced by ChonkEYE as well.
On July 27 & 28, 2001, two machines were compromised and defaced on the
cnet.com network. The first machine (abv-sfo1-ws5.cnet.com) was defaced by
a defacer/group known as "g0thic milk" on the 27th. The following day, a
group known as "MIH" (Men In Hack) defaced a second machine
(abv-sfo1-ws10.cnet.com) on the same subnet. Both machines were identified
as running Windows NT by staff members at Safemode.org during the
mirroring.
According to CNET (http://www.cnet.com/aboutcnet/0-13611.html?tag=ft):
CNET Networks, Inc. (Nasdaq: CNET), is the global source of information
and commerce services for the technology industry. As a top 10 Internet
company with established Web sites in 25 countries and content in 18
languages, CNET Networks connects buyers, sellers and suppliers throughout
the IT supply chain with award-winning content via the Web, wireless
devices, television, radio and print. Its respected brand portfolio
includes CNET, ZDNet, mySimon, News.com, Computer Shopper magazine, and
CNET Radio, as well as CNET ChannelServices, including CNET DataServices
and CNET ChannelOnline. The company's vision is to educate and empower
people and businesses by unlocking the potential of the technology world
to make things easier and faster, and by helping them make smarter buying
decisions.
The implications of such a compromise are interesting, to say the least.
If the defacements were only a small part of the intrusion, or perhaps
came at the end of a long period of compromise, it would be impossible to
even speculate on the damage that could have been done. With millions of
users a month viewing the CNET news, downloading software from their
archives or relying on their stock quotes, a Subversion of Information
(SoI) attack would have been incredible.
Mirror: http://www.safemode.org/mirror/2001/07/27/abv-sfo1-ws5.cnet.com/
Mirror: http://www.safemode.org/mirror/2001/07/28/abv-sfo1-ws10.cnet.com/
A list of hosts on the same subnet. Of interest, the machine names imply
that a wide variety of services such as mail, stock quotes, news, search
engine and more could also have been compromised.
---
© 1999, 2000, 2001 Copyright Brian Martin
Permission is granted to quote, reprint or redistribute provided the text is not
altered, and the author and attrition.org is credited. The opinions expressed
in this text are not necessarily the opinion of all Attrition staff members.