Monday, August 22, 2011

GEMA hacked by Anonymous

GEMA (a German music copyright watchdog) was hacked a few hours ago by @THE_SENQU / @AnonyPwnies.

For several hours the website has been defaced with a YouTube apology screen, like we have seen many times before ("Sorry, this song..." etc.).

It says:
"Sorry, this page isn't (not only) available in Germany, because it could link to a company for which ANONYMOUS didn't release the necessary "freedom rights". We are sorry. NOT!"

The hackers released a ~17 MB (~350 MB unzipped) SQL dump file on multiple OCHs (one-click hosters).
Pic related.
( dump_p-www-direkt.gema.de_interP1_16-07-2011-05-53-34.rar )

The funny thing about this:
Over one month ago, an unknown person successfully attacked the website (SQL injection).
He released some user names and passwords. (Pastebin)

Last night all GEMA printers were attacked, too. The attackers changed / set a random password. "Have fun, setting up the printers. But please use a password this time!"

Right now (~16:30) it's still defaced. Or, to be more precise, it's routed to an HTML pastebin.

"The hackers claim to have stolen a massive amount of GEMA data"

Background music: Portal credits song "Still Alive"

"The GEMA is an association, which represents the copyright musicians and songwriters."
So a translation states. In fact, the GEMA is more like a surveillance agency with shady (nearly Gestapo-like) methods to find and bring down potential copyright violators.

Inside GEMA


17:22 - The battle still continues.
Sometimes visitors are redirected to the pasteHTML page, sometimes they just get a "503 - service temporary unavailable" message.
The GEMA IT "experts" managed to bring the website back online 5 times, but without fixing the security issue.

Link GEMA Statement

17:40 - Video message released / fifth defacement.

We are Anonymous. Since you didn't follow our last call we are forced to attack your website. Have a nice day. P.S.: If the admins would spend more time with security than with WoW (World of Warcraft) this attack possibly wouldn't be that effective. Thanks for your support!

23:17 - Hack "documentation"

It all started with a SQL injection vulnerability and went all the way to #root on XX virtual machines.
Sometimes the password was the username, sometimes it was just "bla" (web server).

Big "documentation" picture:


Internal Nmap scans