Friday, September 19, 2008

Sanlu's website hacked again

NOTE: Due to Internet filtering, visitors in Mainland China please click this post to view the screenshots.

Sanlu Group, the manufacturer that produced most of the tainted dairy products in the recent China milk scandal, suffered a second wave of attacks on its website in the early hours of today. As a result, Sanlu shut down its ASP.NET web application this morning, leaving only a static homepage that shows two official letters from Sanlu management to the public.

In the first wave of attacks, Sanlu's website was shut down completely for several days after a Chinese hacker changed the homepage title from "Sanlu Group" (三鹿集团) to "The Melamine Group" (三聚氰胺集团). It was reported that the homepage even became a chat room for the hackers. According to Netcraft, its last shutdown was on 12 Sept 2008.

The hacked website was running IIS 6.0 on Windows Server 2003, with an ASP.NET search module, vulnerable to SQL injection, talking to a Microsoft SQL Server backend. That injection point is how the hackers were able to insert a comment into Sanlu News (三鹿新闻), which is displayed on the homepage, and to add one more product named "Melamine" (三聚氰胺) to the Products page.
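To show the class of defect described above, here is an added example in Python; it is not code from the Sanlu site (whose ASP.NET source is not public) and it does not claim to reproduce the actual payload used. It models a search handler that builds its SQL by string concatenation, beside the parameterized fix. SQLite stands in for SQL Server, and because Python's sqlite3 executes one statement per call, a small quote-aware run_batch helper models SQL Server's behaviour of executing every statement in a batch, which is what lets an injected write (an INSERT into a products table) ride along with a search. The table names, columns, sample rows and payload are all constructed for this example.

```python
import sqlite3

# Constructed sample schema and data standing in for the site's news and
# products tables (an assumption for this example, not the real schema).
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                       product_class TEXT, series TEXT);
INSERT INTO news (title, body)
    VALUES ('Quality statement', 'Our products meet national standards.');
INSERT INTO products (name, product_class, series)
    VALUES ('Infant formula', 'Milk powder', 'Tin');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_batch(conn, sql):
    """Model of SQL Server batch execution: run every ';'-separated statement.

    sqlite3's execute() accepts a single statement, so the batch is split here
    (quote-aware, so a ';' inside a string literal is not a separator).
    Rows from every SELECT in the batch are returned.
    """
    statements, current, in_quote = [], [], False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            statements.append("".join(current))
            current = []
        else:
            current.append(ch)
    statements.append("".join(current))
    rows = []
    for stmt in statements:
        if stmt.strip():
            rows.extend(conn.execute(stmt).fetchall())
    return rows


def search_news_vulnerable(conn, keyword):
    """The defect: the keyword is concatenated into the SQL text, so a quote
    in it ends the string literal and whatever follows is executed as SQL."""
    sql = "SELECT title FROM news WHERE title LIKE '%" + keyword + "%'"
    return run_batch(conn, sql)


def search_news(conn, keyword):
    """The fix: the keyword travels as a bound parameter and can only ever be
    the LIKE pattern's value, never SQL. (LIKE wildcards % and _ inside the
    keyword still act as wildcards; escape them if that matters.)"""
    return conn.execute(
        "SELECT title FROM news WHERE title LIKE ?", ("%" + keyword + "%",)
    ).fetchall()


# Constructed payload: closes the LIKE literal, appends a product row, then
# reopens a valid SELECT so the whole batch parses cleanly.
PAYLOAD = (
    "x'; INSERT INTO products (name, product_class, series) "
    "VALUES ('Melamine Bowl', 'Congee', 'Bowl'); "
    "SELECT title FROM news WHERE title LIKE '%"
)


def product_names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM products ORDER BY id")]


def demo():
    """Run the same payload through both handlers on fresh databases."""
    vuln_db = make_db()
    vuln_rows = search_news_vulnerable(vuln_db, PAYLOAD)
    safe_db = make_db()
    safe_rows = search_news(safe_db, PAYLOAD)
    return {
        "vuln_rows": vuln_rows,              # the search still "works"...
        "vuln_products": product_names(vuln_db),  # ...and a product was added
        "safe_rows": safe_rows,              # payload treated as a literal
        "safe_products": product_names(safe_db),  # table untouched
        "safe_normal": search_news(safe_db, "Quality"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable handler returns a plausible result set, so nothing on the page hints that a row was written; the only visible trace is the new product, which matches the kind of defacement described here. The parameterized version treats the entire payload as the pattern to match and returns nothing, leaving the products table as it was.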


The hacked Sanlu Group homepage retrieved at 05:14 on 19 Sept 2008 (Beijing Time)
The highlighted message reads in English:
"Hoho, came here just for fun, missed good time, will go after walking around here."


The hacked Sanlu News page retrieved at 05:12 on 19 Sept 2008 (Beijing Time)
The highlighted message reads in English:
"Hoho, came here just for fun, missed good time, will go after walking around here. The website is injection vulnerable, and should be fixed."


The hacked Products Show page retrieved at 05:17 on 19 Sept 2008 (Beijing Time)
The highlighted message reads in English:
"Products Show: Melamine"


The hacked Products Show page retrieved at 05:17 on 19 Sept 2008 (Beijing Time)
The highlighted message reads in English:
"Products Show: Melamine Bowl, Product Class: Congee, Product Series: Bowl"


The Official Letters homepage retrieved at 14:15 on 19 Sept 2008 (Beijing Time)
The highlighted message reads in English:
"Website closed due to large amount of visit. Please accept our apology."


The reloaded Sanlu News page retrieved at 18:03 on 19 Sept 2008 (Beijing Time)
The highlighted message reads in English:
"Page not displayed. You have attempted to run a CGI, ISAPI, or other executable program from a directory that does not allow executables to run."

This is IIS HTTP error 403.1 (Execute access forbidden): Sanlu's web master has removed execute permissions from the website's virtual directories (in IIS 6.0, the Execute Permissions setting on the directory), so IIS no longer runs ASP.NET pages, or any other CGI or ISAPI program, under them and answers every request for a dynamic page with 403.1. Only two static files are now served: index.html and bg.jpg (the background image).
