From: http://erratasec.blogspot.com/2009/11/climate-hack-used-open-proxies.html
More details are emerging about the "Climategate" hack. It appears that the hacker used an "open proxy" in order to hide the origin of the attack. However, the hacker may have made a mistake, and a review of the logs at RealClimate and ClimateAudit may reveal his/her identity.
As this post describes, the hacker made a comment to a ClimateAudit blog post from IP address 82.208.87.170. If we Google that IP address, we see that it is indeed an open proxy. We don't know the hacker's real IP address.
An "open proxy" is a machine that has been misconfigured to forward requests back out to the Internet. Hackers constantly rescan the Internet looking for these open proxies, usually HTTP proxies at ports 80, 8080, and 3127, or SOCKS at port 1080. Hacker websites maintain lists of active misconfigured proxies. When hackers want to be anonymous, they choose one of these proxies at random, they configure their web browser to go through the proxy. In this manner, anything they do appears to come from the proxy's IP address, and not from the hacker's IP address.
You can use this open proxy yourself to hide your identity. In Firefox, go to "Tools", "Options", "Adanced", "Network", "Settings" to open the proxy dialog box. Then do a "Manual proxy configuration", setting the "HTTP Proxy" to 82.208.87.170, and the port to 8080.
After that, you should be able to browse the Internet just fine (albeit slowly). I went to the Google search page, but was redirected to the Russian version. Open proxies are a great way to see how the rest of the world browses the Internet.
However, there is a flaw. Most proxies also forward the original IP address as a separate field in the web request. I set my browser to the above proxy, and looked at the resulting HTTP request headers. I found the proxy added the header "X-Forwarded-For:" with my original IP address.
Most web server logs ignore the "X-Forwarded-For:" header, which means that this information is lost forever. However, if RealClimate or ClimateAudit has some advanced logging enabled, then they might be able to discover the original IP address.
The RealClimate website (which was attacked by the hacker) makes this claim:
The use of a turkish computer would seem to imply that this upload and hack was not solely a whistleblower act, but one that involved more sophisticated knowledge.
This is not true. Using open proxies requires no sophisticated knowledge at all - as this blog post shows.
So, the timeline appears to be:
•Oct 12: somebody sends the same e-mails to BBC journalist Paul Hudson.
•Nov 12: sometime after this data, the hacker grabs the files and puts them into a ZIP.
•Nov 17 6:20am: Hacker uploads the file to http://www.realclimate.org/FOIA.zip from an IP address "somewhere in Turkey".
•Nov 17 7:24am: Hackers posts a comment to the ClimateAudit blog saying "A miracle just happened" with a link back to the RealClimate ZIP file. Hacker proxied through 82.208.87.170:8080.
•Nov 17 "a few hours later": RealClimate admins discover the hack and remove the file.
•Nov 19: Hackers posts file to open FTP server in Russia.
•Nov 19: Hacker posts to Air Vent blog pointing to the FTP ZIP. Hacker uses proxy 212.116.220.100:443, an open proxy in Saudi Arabia.
RealClimate hasn't said exactly how their website was "hacked into". I'm guessing a PHP bug found by an average webapp scanner. Their Archive page appears broken, giving the following raw PHP code instead. I assume that's where the hacker broke in:
Archives by Month: Archives by Category:
UPDATE: Commenters at ClimateAudit point out a simpler explanation of the RealClimate hack: several of the people at CRU post at RealClimate. The hacker could simply have pretended to be one of those people requesting to reset the password, then intercepted the e-mail with the new password. This is a common hack: once you have access to a person's e-mail account, you can probably get the password an every other account (banking, blogging, facebook, twitter, etc.) that uses that e-mail address.
No comments:
Post a Comment