August 27, 2012

Analyzing the Team GhostShell Attacks

Why did they do it?  They claim it was payback for law enforcement arresting hackers. 

How did they do it?  Mostly via SQL injection.  Looking at the data dumps reveals the use of the tool SQLmap, one of two main SQL injection tools typically deployed by hackers.   Here’s a picture from one of the data dumps showing SQLmap:


For more on these tools, click here.

How much data was taken?  Hard to count and verify.  Some of the breached databases contained more than 30,000 records.

What type of data was taken?

  • Admin login info.
  • Username/passwords.  And the passwords show the usual ‘123456’ problem.  However, one law firm implemented an interesting password system where the root password, ‘law321’ was pre-pended with your initials.  So if your name is Mickey Mouse, your password is ‘mmlaw321’.   Worse, the law firm didn’t require users to change the password.  Jeenyus!
  • Files/documents.  A very large portion of these files come from content management systems (CMS) which likely indicates that the hackers exploited the same CMS with a vulnerability in it that allowed a hacker to target it.  However, a lot of the stolen content did NOT include any sensitive information.

Who was targeted?

  • Banks—Credit history and current standing is a very noticeable part of the data stolen.
  • Consulting firms
  • Government agencies
  • Manufacturing firms.


Authors & Topics:

Share on LinkedIn


A Google Dork Scanner was likely the tool to locate the targets and validate vulnerabilities in an automated fashion. SQLmap was then used to dump the databases off the validated targets. Its important to note that for a successful SQLmap exploitation, you need to have a vulnerability first. On that note, it is worth mentioning this blog post:

From my perspective, they more likely to use Google dork scanner of SQLmap since most of the targeted URLs appear to be GET param. SQLmap has weakness on POST method.

Like g33cko said, most of the targets run PHP or even LAMP.

I would suggest that they've probably used dork scanners to identify the targets. All the attacked applications are PHP. Take a look at the attack URLs.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.