Hackers Hit Symantec, ImageShack, But Not PayPal

Despite threats, Anonymous did not take down Facebook or Zynga on Monday. But other hackers detailed their own exploits, releasing employee credentials and source code.

Mathew J. Schwartz, Contributor

November 6, 2012

5 Min Read

Who Is Hacking U.S. Banks? 8 Facts

Who Is Hacking U.S. Banks? 8 Facts

Who Is Hacking U.S. Banks? 8 Facts (click image for larger view and for slideshow)

November 5 came and went without Facebook or mobile game developer Zynga seeing their websites get taken down by promised online attacks executed by the Anonymous hacktivist collective.

In the run-up to the Guy Fawkes Night holiday -- celebrated annually in Britain and featured in the 2005 film "V for Vendetta," from which Anonymous borrows its trademark mask -- multiple Anonymous factions had promised to take down various websites, presumably via distributed denial of service (DDoS) attacks. They also threatened to release a broad swatch of Zynga's mobile games for free. None of that came to pass.

Monday was, however, a notable day for hacking attacks that didn't involve Anonymous. In particular, hacking group Hack The Planet Monday released a Pastebin post with data that the group claimed to have stolen from ImageShack, Symantec, and ZPanel. As part of the hacking "zine" the group released, it said there was also "a heap of personal information that is claimed to belong to some people that are close to the infosec and anonymous scene," which the group said it hadn't had time to fully review.

[ For more on Anonymous's threatened Guy Fawkes Day takedowns, see Anonymous Threatens Zynga, Facebook Takedowns. ]

The leaked Symantec data appears to have involved a breached database containing email addresses and apparent password hashes for 3,195 employees.

A Symantec spokesman, reached via email, said the company is investigating the alleged breach. "Symantec is aware of the claims being made online," he said. "We take each and every claim very seriously and have a process in place for investigating each incident. Our first priority is to make sure that any customer information remains protected. We are investigating these claims and have no further information to provide at this time."

Meanwhile, Hack The Planet claimed that its ImageShack hack was much more extensive than the Symantec breach: "ImageShack has been completely owned, from the ground up. We have had root and physical control of every server and router they own. For years." The group also listed, tongue in cheek, nine factors it found that illustrated "the hardened security on all of ImageShack's equipment." Among them: running "all MySQL instances as root," having outdated kernels from 2008 or earlier, hard-coding passwords into numerous files, and having "a firewall that allows outgoing backconnects." The hacking group also released a large amount of data supposedly stolen from ImageShack, including lists of file permissions and source code.

ImageShack didn't immediately respond to an emailed request for comment about whether the leaked data was genuine, or whether attackers had also deleted the site's blog, which now resolves to a page with a "not found" error.

According to Hack The Planet, its Pastebin post also includes zero-day exploit code for ZPanel, which is a free, open source Web hosting control panel for Windows, Unix, and Linux. "We have a Zero Bug attacking all the login and overlay files," Hack The Planet said, noting that the exploit code can be used to reset root passwords in the system remotely and without authentication. Interestingly, the code's author is listed as "joepie91," which is the handle of a hacker previously associated with LulzSec.

Tuesday, however, ZPanel's head developer and project leader, Bobby Allen, said in a ZPanel forum post that the exploited flaw was patched almost three months ago. "We was (sic) made aware of this bug several months back by our professional security firm 'WebSec' and we have already released a fix of which is implemented in version 10.0.1 of ZPanel," he said. "We can therefore only assume that 'Anonymous' was 'hacking' version 10.0.0 of ZPanel of which we have already released a fix for." (Again, Hack The Planet, not Anonymous, has claimed credit for the attack.) That fix was issued on August 14, 2012.

What about PayPal? Cyber War News had originally reported that the list of sites exploited by Hack The Planet included PayPal, but it later corrected that report to note that PayPal hadn't been targeted. Similarly, a PayPal spokeswoman said via email, "It appears that the exploit was not directed at PayPal after all, it was directed at a company called ZPanel." PayPal said it's found no evidence that it was hacked, or that any of its employees' data was obtained or released, as was originally reported.

That's contrary to this Monday statement issued via the Anonymous Press Twitter channel: "Paypal hacked by Anonymous as part of our November 5th protest." That post linked to a PrivatePaste file, which has since been removed, but according to news reports, Anonymous claimed to have breached 18,000 PayPal usernames and passwords. By Tuesday, however, the consensus was that the breached data belonged to another organization -- perhaps ImageShack. Was the Cyber War News report responsible for Anonymous channels getting their own news wrong?

Still, all wasn't quiet Monday on the bona fide Anonymous data breach front. Notably, the Anonymous Intelligence Agency (aka Par:AnoIA) released what it said was a preview of a "dump of internal files from the Organization for Security and Cooperation in Europe," which it said highlighted attempted election manipulation in last week's Ukrainian elections.

But the failure of so many threatened Anonymous attacks to materialize led Cult of the Dead Cow official "Oxblood Ruffin" to dub Guy Fawkes Day as "the Anonymous version of April Fools."

Attackers are increasingly using a simple method for finding flaws in websites and applications: They Google them. Using Google code search, hackers can identify crucial vulnerabilities in application code strings, providing the entry point they need to break through application security. In our report, Using Google To Find Vulnerabilities In Your IT Environment, we outline methods for using search engines such as Google and Bing to identify vulnerabilities in your applications, systems and services--and to fix them before they can be exploited. (Free registration required.)

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights