News from the Hacker War Front: Is the H4CK1NG FOR G1RL13Z Gang on the Rampage Again?



On Jan. 13, 2001, computer criminals assaulted NETHOLLYWOOD. A group calling itself G1RL13Z FOR H4CK1NG took credit for the attack. This may be the group that in the past called itself "H4CK1NG FOR G1RL13Z."

The compromised server was gaucho.nethollywood.net, a Red Hat Linux 7.0 web server that provides e-commerce, including shopping carts, processing of credit card data and shell accounts, for many customer web sites. The intruders placed a defacement at the Techbroker.com web site which included illegally intercepted email.

The intruders attempted to delete all log files and installed a root kit. Some log files were overwritten a number of times.

Many log files from auditing programs were recovered using the Linux undelete command or by using strings with grep. Some log files were overwritten multiple times in an attempt to expunge them from the hard drive. The FBI has taken the hard drive devoted to /var (repository of all log files) for hardware-level data recovery.
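The strings-with-grep recovery mentioned above, sketched as an added example that is not from the original article or the investigators: it carves syslog-style records, with their byte offsets, out of a raw image. The function names and every sample log line are constructed for illustration; only the hostname "gaucho" comes from the article.

```shell
#!/bin/sh
# Added example: carve syslog-style records out of a raw image with strings + grep.
# All sample log lines are constructed; only the hostname "gaucho" is from the article.

# A timestamped record as printed by `strings -t d`: "<offset> Mon DD HH:MM:SS ..."
SYSLOG_ERE='^ *[0-9]+ (Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) +[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2} '

# zeros N: emit N 512-byte blocks of NULs, standing in for wiped or unallocated space.
zeros() { dd if=/dev/zero bs=512 count="$1" 2>/dev/null; }

# make_sample_image FILE: write a constructed "partition image" holding log remnants.
make_sample_image() {
    {
        zeros 4
        printf 'Jan 13 03:12:44 gaucho sshd[812]: Connection from 192.0.2.15 port 1033\n'
        zeros 2
        printf 'Jan 13 03:14:02 gaucho login: ROOT LOGIN ON tty1\n'
        zeros 1
        printf 'GIF89a this run is printable but is not a log record\n'
        zeros 1
        # Record whose first bytes were overwritten: the timestamp is gone.
        printf ':51 gaucho ftpd[901]: FTP session closed\n'
        zeros 1
    } > "$1"
}

# carve IMAGE ERE: printable runs (prefixed with decimal byte offsets) matching ERE.
carve() { strings -a -t d "$1" | grep -E -- "$2"; }

# carve_syslog IMAGE: only runs that still begin with a full syslog timestamp.
carve_syslog() { carve "$1" "$SYSLOG_ERE"; }

# carve_host IMAGE HOST: looser pass that also catches partially overwritten records.
# HOST is inserted into the regular expression as-is, so pass a plain hostname.
carve_host() { carve "$1" " $2 [A-Za-z0-9_/.-]+(\[[0-9]+\])?: "; }

# When run as a script with an image path, print the timestamped records found.
if [ -n "${1:-}" ]; then
    carve_syslog "$1"
fi
```

Run it against a read-only copy of the image; the leading byte offset on each carved line ties the fragment back to its location on the disk.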

The owner of NETHOLLYWOOD, Sydney Urshan, has vowed to bring the attackers to justice. A team of computer forensics experts assembled by Happy Hacker's Carolyn Meinel is providing its services to Urshan pro bono. Early indications are that Urshan has done an excellent job of preserving evidence, perhaps most significantly by devoting a separate hard drive to /var.

A concentrated effort to break into NETHOLLYWOOD has been underway since Aug. 2000. Any ISP that offers as extensive services as NETHOLLYWOOD -- especially shell accounts -- would have a difficult time staving off determined attackers forever. Click here for an example of material grepped from Urshan's logs documenting these attempts.

Shout outs to Greggory Peck, who works in penetration testing at KPMG, and Dennis Bateman for assisting Urshan in setting up ways to trap any criminals who might break in. Prof. Larry Liebrock, Associate Dean for Technology at the McCombs Business School at the University of Texas at Austin, is assisting with forensics research into this case. Liebrock offers a "Clinic in Systems Security Practices." The course is taught in Austin, Texas at the McCombs Business School and other venues. To participate in one of these clinics, please call (512)475-8085 or email: trainers@bus.utexas.edu