Friday, July 8, 2011

German federal police got pwnd...

A server used by the German federal police and border patrol (Bundespolizei and Zoll) was hacked at least two days ago (06.07.2011).

Responsible for the hack is the European (mostly German) "NoName Crew". (Their server drops connections, probably because it is being hammered.)

In their statement about the hack they say:
"Data preservation, Bundestrojaner [a trojan, like the US CIPAV], biometric passports.. Even law enforcement agencies say the current laws are more than enough to catch criminals.

We are [Rem.: German people] no terrorists, but every one of us has something to hide. We want to secure our privacy and our rights, given by the constitution.
Because of the massive misuse of surveillance, we will fight against such behavior. This has to stop.

The bad guys know how to hide their tracks, your methods will not stop them.
[Note: The police illegally captured/recorded cellphone data and conversations of a whole city district at an anti-Nazi demonstration.]
The release contains most of the GPS tracking software, including firmware for the used devices.
  • Different programs used to visualize the data (incl. a Google Maps key)
  • The PATRAS GPS analysis software / interface (GPS2Cell Systems)
  • A complete SQL backup of the recent car surveillances, including movement data, phone numbers for data transfer and for audio etc.
  • Internal documents on how to get some software working, how to patch some things, and misc. information
  • etc. . .
The server was running Windows (x64) with XAMPP installed.

A first look showed some serious security flaws.

  • All passwords used to access the web interface are saved in cleartext. They also appeared in several logs in cleartext.
    Sorry, but that's just stupid.

In one htdocs/include file (named config.php1) the credentials for a surveillance interface were saved:
  • Username: "root"
  • Password: ""
The uploaded FileZilla configurations also showed a user account with a 4-digit password.
No, it was not 1234 ;)

One PDF (02/11) shows how to fix a serious flaw in the PATRAS server / XAMPP setup.
Apparently, they had forgotten to shut off external access to the phpMyAdmin interface.
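As an added defender's check (not code from this post or from the NN-Crew release), a small Python audit that flags the kinds of credential weaknesses described above, an empty root password in a PHP include file and a short numeric password, and then looks for those configured passwords showing up verbatim in log lines. The config and log samples are constructed for illustration, not taken from the breached server.

```python
import re

# Constructed sample in the style of a XAMPP htdocs/include config file;
# it is NOT the config.php1 from the breached server, just an illustration.
SAMPLE_CONFIG = """<?php
$db_host  = 'localhost';
$db_user  = 'root';
$db_pass  = '';
$ftp_user = 'patras_upload';
$ftp_pass = '7391';
"""

# Constructed log lines; the second one leaks a configured secret verbatim.
SAMPLE_LOG = [
    "2011-01-01 10:00:00 GET /interface/map.php 200",
    "2011-01-01 10:00:07 login ok user=patras_upload pass=7391 ip=10.0.0.5",
]

# Matches simple PHP assignments such as  $db_pass = 'secret';
_ASSIGN = re.compile(r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;""")

def _is_secret_var(name: str) -> bool:
    return "pass" in name.lower() or "pwd" in name.lower()

def audit_config(text: str) -> list:
    """Return (variable, finding) pairs for weak credentials in a PHP config."""
    findings = []
    for var, _quote, value in _ASSIGN.findall(text):
        if _is_secret_var(var):
            if value == "":
                findings.append((var, "empty password"))
            elif value.isdigit() and len(value) <= 6:
                findings.append((var, "short numeric password"))
            elif len(value) < 12:
                findings.append((var, "password shorter than 12 characters"))
        elif "user" in var.lower() and value == "root":
            findings.append((var, "privileged account used by the web app"))
    return findings

def secrets_in_logs(config_text: str, log_lines: list) -> list:
    """Return (line_number, secret) for each configured password found verbatim in a log line."""
    secrets = [v for var, _q, v in _ASSIGN.findall(config_text)
               if _is_secret_var(var) and v]
    return [(n, s) for n, line in enumerate(log_lines, 1)
            for s in secrets if s in line]
```

Run the two functions over the real include files and Apache/application logs of a XAMPP host to get the same kind of findings the post describes.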

According to the screenshots provided by the NN-Crew, I think they used an SQL injection vulnerability to compromise the system.
Or a targeted attack on one of the admins: D.L. has a Facebook profile, so with a little bit of social engineering and a lot of guts they might have infected his machine.

A Bundespolizei spokeswoman confirmed the breach in an interview.
It's one of the first big cases for the newly founded national cyber defense center.

This and other screenshots of the PHP shells they used show that they had access to more data than they released in their dump, so the release should be seen as a "warning shot", I guess.