Showing posts with label gehackt. Show all posts

Monday, August 22, 2011

GEMA hacked by anonymous



GEMA (a German music copyright watchdog) was hacked a few hours ago by @THE_SENQU / @AnonyPwnies.




For several hours the website has been defaced with a YouTube apology screen, like we have seen many times before ("Sorry, this song..." etc.).

It says:
"Sorry, this page isn't (not only) available in Germany, because it could link to a company for which ANONYMOUS didn't release the necessary "freedom rights". We are sorry. NOT!"

The hackers released a ~17 MB (~350 MB unzipped) SQL dump file on multiple OCHs (one-click hosters):
dump_p-www-direkt.gema.de_interP1_16-07-2011-05-53-34.rar



The funny thing about this:
Over one month ago, an unknown person successfully attacked the gema.de website (SQL injection).
He released some user names and passwords (Pastebin).


Last night all GEMA printers were attacked, too. The attackers changed / set a random password. "Have fun, setting up the printers. But please use a password this time!"


Right now (~16:30) it's still defaced. Or, to be more precise, it's routed to an HTML pastebin ( http://pastehtml.com/view/b4pzxvn2x.html )


"The hackers claim to have stolen a massive amount of GEMA data"
computer.t-online.de


Background music: Portal credits song "Still Alive" ( http://www.youtube.com/v/Y6ljFaKRTrI )

"The GEMA is an association, which represents the copyright musicians and songwriters."
So a translation states. In fact, the GEMA is more like a surveillance agency with shady (nearly Gestapo-like) methods to find and bring down potential copyright violators.


Inside GEMA







Update:

17:22 - The battle still continues...
Sometimes the visitors are redirected to the pasteHTML page, sometimes they just get a "503 - service temporary unavailable" message.
The GEMA IT "experts" managed to bring the website back online 5 times, but without fixing the security issue.

Link: GEMA statement


17:40 - Video message released / fifth defacement.

Translation:
We are Anonymous. Since you didn't follow our last call, we are forced to attack your website. Have a nice day. P.S.: If the admins would spend more time with security than with WoW (World of Warcraft), this attack possibly wouldn't be that effective. Thanks for your support!
http://www.youtube.com/watch?v=Kq4R0Bv6xws




23:17 - Hack "documentation"

It all started with an SQL injection vulnerability and went all the way to #root on XX virtual machines.
Sometimes the password was the username, sometimes it was just "bla" (web server).
UserDump


Big "documentation" picture:

http://img7.imagebanana.com/img/w4ro8rt2/gemahack2.png

Links:

Internal NMap Scans
http://pastebin.com/KNYP6J0f
http://pastebin.com/vD2Rc4CB

Friday, July 8, 2011

German federal police got pwnd...

A server used by the German federal police & border patrol, Bundespolizei & Zoll, got hacked at least 2 days ago (06.07.2011).

The European (mostly German) "NoName Crew" is responsible for the hack. (Server drops connections, probably hammered.)
Dump:
dl.nn-crew.cc


In their statement about that hack they say:
"Data preservation, Bundestrojaner [A trojan, like the US CIPAV], biometric passports... Even law enforcement agencies say the current laws are more than enough to catch criminals.

We are [Rem.: German people] no terrorists, but every one of us has something to hide. We want to secure our privacy and our rights, given by the constitution.
Because of the massive misuse of surveillance, we will fight against such behavior. This has to stop.

The bad guys know how to hide their tracks, your methods will not stop them."
[Note: The police illegally captured/recorded cellphone data and conversations of a whole city district at an anti-Nazi demonstration.]
The release contains most of the GPS tracking software, including firmware for the devices used.
Also:
  • Different programs used to visualize the data (incl. a Google Maps key)
  • The PATRAS GPS analysis software / interface (GPS2Cell Systems)
  • A complete SQL backup of the recent car surveillances, including movement data, phone numbers for data transfer and for audio etc.
  • Internal documents on how to get some software working, how to patch some things, and misc. information
  • etc.
The server ran a Windows OS (x64) with XAMPP installed.



A first look showed some serious security flaws.

  • All passwords to access the web interface are saved in clear text. They also appeared in clear text in several logs.
    Sorry, but that's just stupid.

In one htdocs/include file (named config.php1) the credentials for a surveillance interface were saved:
  • Username: "root"
  • Password: ""
The uploaded FileZilla configurations also showed a user account with a 4-digit password.
No, it was not 1234 ;)
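
An added example (not part of the original post and not taken from the leaked material): a small Python audit a defender could run over an htdocs tree to catch what is described above, i.e. source copies such as config.php1 that PHP does not execute, and clear-text credentials that are empty, equal to the username (as in the GEMA "documentation" further up) or a short PIN. The file db.php, the sample contents, the extension lists, the handler mapping and the length thresholds are assumptions made for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions reach the PHP handler; others are served as text.
EXECUTED = {".php", ".phtml"}
STRAY = re.compile(r"\.(php\d+|php~|php\.(bak|old|orig)|inc|bak)$", re.I)
# Matches both  $db_user = "root";  and  'password' => ''
CRED = re.compile(r"""(user(?:name)?|pass(?:word|wd)?)['"\]\s]*=>?\s*(["'])(.*?)\2""", re.I)

def weakness(user, password):
    """Return why a credential is weak, or None. Thresholds are illustrative."""
    checks = [
        (password == "", "empty password"),
        (password.lower() == user.lower(), "password equals username"),
        (password.isdigit() and len(password) <= 6, "short numeric PIN"),
        (len(password) < 8, "shorter than 8 characters"),
    ]
    return next((why for hit, why in checks if hit), None)

def audit_webroot(root):
    """Return sorted (relative path, issue) pairs for files under a web root."""
    findings = []
    for path in filter(Path.is_file, Path(root).rglob("*")):
        rel = path.relative_to(root).as_posix()
        stray = bool(STRAY.search(path.name))
        if stray:
            findings.append((rel, "source copy not executed by PHP"))
        if stray or path.suffix.lower() in EXECUTED:
            text = path.read_text(encoding="utf-8", errors="replace")
            creds = {k.lower()[:4]: v for k, _q, v in CRED.findall(text)}
            if "pass" in creds:
                issue = weakness(creds.get("user", ""), creds["pass"])
                if issue:
                    findings.append((rel, "clear-text credential: " + issue))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree; only the name config.php1 comes from the post."""
    inc = Path(root, "include")
    inc.mkdir()
    (inc / "config.php1").write_text('<?php $db_user = "root"; $db_pass = ""; ?>')
    (inc / "db.php").write_text("<?php $c = ['user' => 'webadmin', 'pass' => 'webadmin']; ?>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(*audit_webroot(tmp), sep="\n")
```
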

One PDF explains how to fix a serious flaw in the PATRAS Srv / XAMPP.
Apparently, they forgot to disable external access to the phpMyAdmin interface. 02/11

According to the screenshots provided by NN-Crew, I think they used an SQL injection vulnerability to compromise the system.
Or a targeted attack on one of the admins. D.L. has a Facebook profile, so, with a little bit of SE and a lot of guts, they might have infected his machine.


A Bundespolizei spokeswoman confirmed the breach in an interview.
It's one of the first big cases for the newly founded national cyber defense center.



This and other screenshots of the PHP shells used show that they had access to more data than they released in their dump. So, the release should be seen as a "warning shot", I guess.