Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

How Was 1337day.com Hacked?

This morning, when I browsed to 1337day.com (the well-known exploit buying/selling database), I was shocked to see 1337day defaced by the Turkish hacker group "Turkguvenligi". In the past, Turkguvenligi has been responsible for the defacement of many well-known websites. Here is what appeared when I came across 1337day.com:


On their defacement page, they said that they had asked 1337day to ban a fake user with author id 5819, but 1337day refused to do so. When I browsed to http://www.1337day.com/author/5819, the website at first appeared to be inaccessible; later it showed the following message:


However, I used their mirror site 1337day.org to access the author link. Here is the screenshot:


By looking at the author name "Agd_Scorp", I understood the whole point of the dispute. Agd_Scorp is a well-known hacker and a founding member of "Turkguvenligi", responsible for many high-profile defacements. If you take a look at his Zone-H record, it's pretty impressive: he has a history of hacking into domain registrars.

It appears to me that someone was submitting exploits under the name Agd_Scorp. Turkguvenligi asked the 1337day team to remove the account, but they refused, so the group defaced the website.

How was 1337day.com hacked?

There have been incidents in the past where 1337day, Inj3ct0r and their mirror websites were hacked, but in all of those cases their servers were never compromised; it was their domain registrar, Moniker.com, that was compromised by the attackers.

The attackers compromised Moniker.com and changed the domain's nameservers to servers under their own control, the same story as the Google Pakistan hack. Because the registrar holds the NS delegation for the domain, an attacker who controls the registrar account can point the domain at nameservers they run and answer queries for www with whatever IP address they like; the real web server never has to be touched, which is why the site looks "hacked" while the hosting is intact. The 1337day team later confirmed on their Facebook page that their domain registrar was the victim of the attack, not their DNS servers.

They have also asked webmasters not to invent stories that their server was hacked, saying that is impossible. I don't agree with them on this point: even the most secure systems can be compromised.

On performing a WHOIS lookup, I found that they have actually switched their hosting account from Moniker.com to HostGator.com:


I have confirmed with HostGator that the websitewelcome.com nameservers shown in the WHOIS record belong to them. We will update you as soon as we have more information.
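The WHOIS check above is exactly the kind of check a domain owner should automate, because a registrar-level compromise like the one described earlier shows up only as a change in the domain's NS delegation while the web server stays untouched. The following script is an added example, not code from the original post or from the 1337day team: it parses the "Name Server:" lines of a WHOIS record, compares them with a baseline the owner recorded earlier, and flags nameservers that belong to an operator the owner has never used. All the WHOIS text, nameserver names and operator names in it are constructed sample data, and the helper names are my own.

```python
"""Detect a registrar-level nameserver change from WHOIS output.

Added example (not from the original post). The WHOIS records below are
constructed sample data; the nameserver and operator names are made up.
"""
import re
from dataclasses import dataclass
from typing import Set

# Matches lines such as "Name Server: NS1.EXAMPLE-HOST.NET" in a WHOIS record.
NS_LINE = re.compile(r"^\s*Name Server:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

# Baseline the owner recorded when the domain was set up (constructed).
BASELINE_NS = {"ns1.example-host.net", "ns2.example-host.net"}
# Operators whose nameservers the owner legitimately uses (constructed).
TRUSTED_OPERATORS = {"example-host.net"}

# Constructed WHOIS records: unchanged, hijacked, and a planned move to a new host.
CLEAN_WHOIS = """
Domain Name: EXAMPLE-EXPLOITDB.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.EXAMPLE-HOST.NET
Name Server: NS2.EXAMPLE-HOST.NET
"""
HIJACKED_WHOIS = """
Domain Name: EXAMPLE-EXPLOITDB.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.ATTACKER-DNS.EXAMPLE.
Name Server: NS2.ATTACKER-DNS.EXAMPLE.
"""
MIGRATED_WHOIS = """
Domain Name: EXAMPLE-EXPLOITDB.COM
Registrar: Example Registrar, Inc.
Name Server: NS1.WEBSITEWELCOME.COM
Name Server: NS2.WEBSITEWELCOME.COM
"""


def parse_nameservers(whois_text: str) -> Set[str]:
    """Return the nameservers listed in a WHOIS record, lower-cased and
    without trailing dots, so case or dot differences are not reported as changes."""
    return {ns.lower().rstrip(".") for ns in NS_LINE.findall(whois_text)}


def operator_of(nameserver: str) -> str:
    """Registrable domain of a nameserver, e.g. ns1.example-host.net -> example-host.net.
    Simple two-label heuristic; it is wrong for ccTLDs such as .co.uk, where a
    public-suffix list should be used instead."""
    labels = nameserver.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else nameserver


@dataclass
class NsCheck:
    added: Set[str]                # nameservers present now but not in the baseline
    removed: Set[str]              # baseline nameservers no longer delegated to
    unexpected_operators: Set[str] # operators of added nameservers the owner never used

    @property
    def hijack_suspected(self) -> bool:
        # A planned move to another trusted host adds nameservers but no
        # unexpected operator; a registrar compromise does the opposite.
        return bool(self.unexpected_operators)


def check_delegation(current_whois: str, baseline: Set[str], trusted_operators: Set[str]) -> NsCheck:
    """Compare the NS delegation in a fresh WHOIS record against the owner's baseline."""
    current = parse_nameservers(current_whois)
    base = {ns.lower().rstrip(".") for ns in baseline}
    added = current - base
    removed = base - current
    unexpected = {operator_of(ns) for ns in added} - {op.lower() for op in trusted_operators}
    return NsCheck(added, removed, unexpected)


if __name__ == "__main__":
    for label, record in (("clean", CLEAN_WHOIS), ("hijacked", HIJACKED_WHOIS), ("migrated", MIGRATED_WHOIS)):
        result = check_delegation(record, BASELINE_NS, TRUSTED_OPERATORS | {"websitewelcome.com"})
        print(f"{label}: added={sorted(result.added)} removed={sorted(result.removed)} "
              f"hijack_suspected={result.hijack_suspected}")
```

In practice the WHOIS text would come from `whois <domain>` run on a schedule, and the same comparison should be made against the NS records the parent TLD servers actually return (`dig +trace NS <domain>`), since that is what resolvers follow; an alert on either mismatch catches a registrar hijack long before the defacement page does.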
© 2023 All Rights Reserved by RHA Info Sec.
