ProPakistani Tracks Hacking Attempts, Attackers got Exposed

Highlights

  • ProPakistani faced hacking attempt
  • ProPakistani remained down due to a WordPress Bug
  • Attacker was traced by ProPakistani team
  • Mr.c0d3r, who allegedly launched DOS on ProPakistani is Lahore based
  • He is allegedly involved in defacing Rehman Malik’s website, FIA, Geo NEWS and various other websites
  • Its Pakistan’s first case study on hackers that has been traced with all the forensic procedures being followed, systematically.

Details

As you may know, on January 18th, 2009 at 11:15 PM, ProPakistani website stopped responding web requests. Most of the visitors were given a 500 html error – also database connection error.

We were able to bring back a optimized form of ProPakistani pretty soon, however ProPakistani server remained critical for next 48 hours – During which, we remained down for some time for maintenance.

We thank our visitors, who remained intact with us during all this and showed their tremendous concern though emails, phone calls, Facebook queries and so on.

We had promised our readers that we will public everything regarding the down time, cause for the problem and other relating information.

ProPakistani faced Hacking Attempt

The news is that ProPakistani had an unsuccessful hacking attempt, and attacker remained un-successful in defacing ProPakistani. However, he managed to do a DOS attack.

Good News: We Have traced the Hacker

Good News is that we have tracked the attacker, with all the proofs. Its first time in history of Pakistan that a hacker had been traced with all the forensic procedures being followed, systematically.

Security Operations were lead by renowned Muhammad Ali Raza. We thank Sohaib Ather for his extra ordinary services for Database and Server Optimization during this.

Below are complete details for your information only.

What had happened?

Immediately, after the attack was launched at 11:15, we thought it was a usual SQL server crash; however, server reboot and Dabatase repair and optimization didn’t work and crashed again very soon.

Database tables kept crashing, despite re-boots and repairs, even backup got crashed when restored. With-in first 30 minutes we had known that this is not software or database glitch, and it was some external attack.

ProPakistani servers are DDoS proof, so there were little chances that someone was launching a DDoS attack. After diagnosis, we were able to determine that was a DOS attack, instead of DDoS attack.

It happened due to a WordPress Bug!

We identified that WordPress version 2.9.1 is vulnerable from DOS attack. Bug lays in its coding that uses cache stressing with random parameter on multiple requests. WordPress has been notified about the issue; however, bug is still pending resolution. But we have secured ourselves, thanks to alternate technologies.

How Attacker Impacted?

The web requests (from attacker) were not coming from multiple hosts rather it were coming from a single host with random parameter on multiple web requests (dozens of them per second). These requests were of bad or long SQL requests, ending up with a database crash.

As the bug was in its core of WordPress so we couldn’t pull WordPress down. We had to come up with different solution. We tried moving the entire server to a new place, did tons of Database optimization, server optimization and all other options that we could avail.

While Shoaib Ather and his team were busy with database and server optimization, Ali Raza remained busy with tracing the route of attacker. He was able to trace back to the attacker successfully. However, information that we got was pretty shocking for us.

On 20th January, 2009 ProPakistani was working back with normal broadcast.

Who was Attacker?

Note: We didn’t penetrate into any personal computer/system, and used all publically available information for tracking.

We only had source IP at that time (through our Apache Error Logs).

Source IPs of attacker included:

When sought, these IPs were registered in the name of an American ISP. When inquired, ISP was kind enough to give us the name of company who had been allotted these IPs.

As per American ISP, these IPs were registered in the name of a company called, ImageFi (www.imagefi.com). While IPs were mapped against the same VPS that hosted www.imagefi.com

American ISP also confirmed us traffic routing from above mentioned IPs to ProPakistani.PK – they assured us they will provide us logs, if asked.

WHOIS of www.imagefi.com revealed that [email protected] had the ownership of one of those domains.

It was further shocking for us when we found out other websites that are hosted on same VPS, check below screen shot for proof…!

When searched on Google, Mr.c0d3r was found as a crew member of pakbugs.com. However, reportedly, he is no more associated with Pakbugs.

Digging further into Google, we disproved more interesting facts about this mr.c0d3r. He is running a torrent portal and trace leads us to India.

Googling this email [email protected] revealed tons of other information and soon we were able to find out that this guy is not from India.

When you Google with this particular query “mr.c0d3r country:PK” its shows that he has involvement with a local blog and forum.

So this mr.c0d3r is the guy who owns PKforums and PkReaders.com

We already have notified NR3C, with all the proofs and details to do the prosecution.

We do have all server logs saved. We do have phone numbers and address details of this person too. Will be given to concerned authorities during investigation.

This case study has been prepared by ProPakistani team.

Special thanks to Fahad Aziz and Sohail Abid for their support

Tech reporter with over 10 years of experience, founder of ProPakistani.PK


  • I dont Understand the Purpose of Hacker…they can just Irretate the People who Entertain multi people & give Strong Information…..what have Hacker Problem with that….
    they can do this work just for Fun!!!
    Shame Hackers People…..
    Well Done Propakistan Team

    • Aa well mr Rizwan no one did any thing wd 0ut purpose actually taking down any server or Blog indicate hacker want something special that rank in ur blog or server .. I am against Ddos because I am a victim. .

  • Good investigation! :)

    Its no secret WordPress comes wit a lot of security vulnerabilities.

    Seems the hacker uses same names everywhere and this is why its so easy to find his contact details.

    What Pakistani authorities one should contact in such scenario?

    • WordPress is indeed a open source project but this doesn’t mean that its not secure. The reason of using it because its flexible to our need.

      it wasn’t easy at all. 1st trace lead us to India then i thought that they are two person sharing same name but after hours passed things started to get interested.

  • Awesome Propakistani team! hats off…seems like these so -called code junkies just want to show off and nuffin else…hope cyber crime div takes good care of them.

  • Welldone! Excellent work.

    We come to know a loophole in WordPress 2.9.1.

    The positive thing was that if he tells about the loophole to WordPress team rather than he utilizes the WordPress weakness.

    Be Positive.

  • This case study has been done by ProPakistani team and we are “prude” to have such minds with us. what does it mean?

    By the way it’s really fantastic

  • What a moron script kiddie, to attack a website of his own nation.

    The saying “Allah Ganjey Ko naakhun ne de” fits right on such kinda of n00b wanna-be hackers.

  • So India is involved here too?
    And, this bloody piece of shit has roots in India?
    ..
    We need to be notified when that swine is behind bars and reveal how he has roots in India.
    ..
    Best wishes for ProPakistani and its team.

  • You should move your website to another platform as wordpress is open source and its code is easily available giving hackers the ability to find bugs in it and then launch attack on it.

    • Open Source software is the second meaning of ‘secure’ software. Security issues found are fixed very fast, besides, you let the whole world find issues in your software, that way most overlooked issues are pointed out one way or another and are instantly fixed.

      Compare that to closed source software where the team has to find itself issues with software and they can’t find all issues in their software which lead to some hacker finding an issue and then breaching security by taking advantage of that knowledge.

  • He is just immature he use only one id and ip so he get caught or traced otherwise if he use Zombies it is impossible to trace him … i am not saying what he did is right, just commenting :)

  • Dear ProPakistani Team, these attacks were not from us. Please double check, your this statement is totally wrong!!
    “While IPs were mapped against the same VPS that hosted http://www.imagefi.com

    Please check that:

    — PING imagefi.com (66.96.237.228) 56(84) bytes of data. —
    64 bytes from 66-96-237-228.hostnoc.net (66.96.237.228): icmp_seq=1 ttl=55 time=115 ms
    64 bytes from 66-96-237-228.hostnoc.net (66.96.237.228): icmp_seq=2 ttl=55 time=120 ms
    64 bytes from 66-96-237-228.hostnoc.net (66.96.237.228): icmp_seq=3 ttl=55 time=120 ms
    64 bytes from 66-96-237-228.hostnoc.net (66.96.237.228): icmp_seq=4 ttl=55 time=120 ms

    ImageFi.com is my domain and it is hosted with IP 66.96.237.228 and none of these mentioned IPs include my sites.

    And yes all these sites are mine, as you mentioned above, and most of them are on same IP as for imagefi.

    And regarding the reported IPs, anyone can buy a server/vps hosting by simply putting domain name as “www.imagefi.com” and host name with same or whatsoever he wants.
    Like one can also buy a server with host name and domain name as google.com or propakistani.pk but that does not mean that google or propakistani are actually being hosted on that server.
    For that you need to park your domains there, but you can see none of my domains are there.

    So how anybody can claim this that it was from us?
    We have nothing to do with ProPakistani, and we heartily respect the team propakistani, as i myself am a permanent reader of ProPakistani and i ahve no intentions to do all this.

    • BTW, such a lame investigation has been projected as an extremely professional one. Lolz at these guys who say they are security experts. Knoing buzz word and googling doesn’t make you professionals.

  • Hi,

    Thanks for your detail information.

    Same case i was caught in 2009 when our client website was hacked and when i detail worked, check logs everything and then contact to that ISP when the Culprit used and we catch the detail logs from ISP and finally the person was in Defence Area Karachi.

  • admin/amir: I could not find any connection b/w 66.96.237.228 (imageFi.com) and the three IPs you claim to be the attackers source. Searching http://ws.arin.net/whois/ for those IPs shows that they belows to three different ISP. So I do not understand how did you link them to imagefi?

    • We have put forward what we had collected, charging someone, and doing the investigation is not our part. We have a govt authority for that matter

      • yes exactly…. but statements like
        – Mr.c0d3r, who allegedly launched DOS on ProPakistani is Lahore based
        – Good News is that we have tracked the attacker, with all the proofs.

        mean you really think c0d3r is really behind it and for that you really have some solid proofs which you have not shared with us. Because the proof you mentioned above do not prove any relationship b/w imagefi and the three attacker IPs.

        Anyway, I hope that you will keep us updated about any new development. Best of luck.

        • bro, allegation by definition is: An allegation (also called adduction) is a claim of a fact by a party in a pleading, which the party claims to be able to prove. Allegations remain assertions without proof, until they can be proved

          • “Good News is that we have tracked the attacker, with all the proofs.” ….

            and what about the above statement …. I assume by “attacker” here you meant “mr.c0d3r” …. or no?

            you should have said that “we have tracked the suspected attacker” ….. right :-)

            anyway, if these are all of your proofs which you have shared with us then I am sorry it is a wrong allegation .. but at least it is a starting point, I hope you find you actual culprit :-)

              • ok ac you wish and 1 more congrates for you for why guess…..

                a hacker can find valun. in site and then hacked it but at this time the hacked can’; fin any valun. so he can do a final and esay action and it can do any one include not an hacker so its means your site “SECURITY LEVEL IS HIGH”

                Congratulation :)

  • Of course mr.c0d3r and his “Good Fellas” (as mentioned in http://imstudent.net/) are notorious but the proof you had mentioned above does not prove them guilty :-)
    By the way … I am not one of his “Good Fellas” :-)

    • “When sought, these IPs were registered in the name of an American ISP. When inquired, ISP was kind enough to give us the name of company who had been allotted these IPs.

      As per American ISP, these IPs were registered in the name of a company called, ImageFi (www.imagefi.com). While IPs were mapped against the same VPS that hosted http://www.imagefi.com

      American ISP also confirmed us traffic routing from above mentioned IPs to ProPakistani.PK – they assured us they will provide us logs, if asked.

      WHOIS of http://www.imagefi.com revealed that [email protected] had the ownership of one of those domains.”

      “And regarding the reported IPs, anyone can buy a server/vps hosting by simply putting domain name as “www.imagefi.com” and host name with same or whatsoever he wants.
      Like one can also buy a server with host name and domain name as google.com or propakistani.pk but that does not mean that google or propakistani are actually being hosted on that server.
      For that you need to park your domains there, but you can see none of my domains are there.”

      Have you ever seen a person which had done some mishap and then accept it !? and have you every seen some hacker comes and give justification ? like when a person caught that much red hand then i don’t think he will accept the charges.

      Plus why he fear that much like if this is the mr.c0d3r, he had already defaced lots of sites and nobody touched him then why he fear this time ?.

      About this IP connection read both post and you will get idea whats happening here.

      Peace

      • If you check … I am the first one to say “good job” in reply to this post … but only after reading the reply from mr.c0d3r, I realize that there is always two sides of coin :-) so I search myself and (may be I have limited knowledge) could not find any connection b/w imagefi and other three IPs (which you claim are the source of attackers).

        You claim in this post that all three IPs belong to one ISP in USA but http://ws.arin.net/whois/ is telling a different story

        I am not saying the mr.c0d3r is innocent. He and his friends might be behind all this but I guess you have jumped to the conclusion too soon (with very limited proofs)

        • Shahzad bahi – ips that attacked ProPakistani belongs to a company called imagefi.com

          ISPs provide complete information, including credit card, name, billing dates and other info to law enforcement agencies. So, if mr.c0d3r didn’t do this – it will be proven, let’s not worry about him.

        • If you translate those words in urdu may be then you will understand the statement. see the reports above then see what he said here then make simple connection.

          OK you want to do search then start with those attacking ips what will be your next step come up with some good case study at least Propakistani team had provided everything here so start investigation.

          Let me clear you here the IP address which was used as they had showed here is a vps (virtual private server)and if you buy one you have to provide lots of info and not all the information comes out when you perform whois query. No company can share full info without any serious issue like this one. I had the same problem some time ago and when i tried to get information from service provider they asked me authenticity that i am the owner of a site where attacker had attempt attack.

          So as above report shows that VPS provide gave them info that those vps was bought by mr.c0d3r and the info he shared with that company that time gets you to the domain name which is “http://www.imagefi.com/”.

          This is what understand here with all those information above and previous experience.

          If you are the filling the case against someone you only have to give some minor proof you don’t give all of them at same time may be they hadn’t shared everything to public.

          hope i got it right and explained it well.

          Peace

  • about this so-called “mr.c0d3r” he has been injecting into Mysql’s of many poor Pakistani Webmasters.

    He did hacked many IPB forums hosted on insecure Linux Severs with some Unsecure functions opened.
    In short he has caused Loss to many Online Websites.

    Best Revenge should be, he should be caught, and Slapped with Heavy Fines, so he fears before doing it again.

  • Very well done. I hope that the WP releases the patch for the bug soon. It would be great if you please share the remedy you implemented, so that other bloggers could secure their sites before the patch.

    regards

    Ghazala from TPS

    • Ghazal it wasn’t easy for us to avoid this attack, bug is not new it was circulating underground from November may be they got there hands on 18 and feeling exited they lunched it without thinking.

      Remedy took us 48Hrs of hard work from tweaking WordPress code to server administration skills and database kungfu. Feel free to ask anything will be delighted to give some advise professionally.

  • my cousin’s site was also hacked last week by Real Cod3r and Shamoon we managed to track his IP, the hacker made a rar file containing whole site back-up.Aamir are u taking any legal action against the hacker?

    • Actually this was the thing which consume most of our time. We thought that may be there are sharing same name this is all but when we dig more and get deeper results where authentic.

  • Nice googling but having my share of experience in this field, I would say the evidence in insufficient for proving someone guilty, here is what the article tries to prove.

    1) mr.c0d3r is a bad guy.. he defaces websites and may or may not be a part of pakbugz crew.

    2) The domains registered for imagefi.com is under the name of mr.c0d3r.
    ————————————–
    3) The attack originated from some IP pool which was allocated to some company called imagefi.
    ————————————–

    There seems some problem at this point. Any one can register an account giving imagefi as a company name. as you can see imagefi IS NOT HOSTED on the IP’s you provided, (don’t know if it was previously) You can’t accuse some one just because of his past records (although there is high probability.. :P). It is a different case if you have got all the information from the VPS provider about the member registered against the ip host; including complete co-relation of the financial records aka (credit card info) if that matches you have a strong case if not.. more investigation and proof is required. I wont go to this extant of accusing some one… That is just my openion

    • You are simply dragging the attention other way, despite the fact you accepted it yourself that probability is pretty high that mr coder did all this.

      Besides, I don’t know any other group in Pakistan doing such dirty work. downing propakistani could give them all time high recognition.

      mr coder himself accepted the ownership of above mentioned domains, meaning that he is no more a hidden person, he himself revealed all the truth to the world.

      Even if they didn’t attack propakistani, just in case, he is highly wanted by FIA. So whatever the case is he should be punished for his evil work.

      Some may say that he did all this for fun, but what if he start exploiting your stock exchange data, other sensitive data? Will it be fun even then? Let’s stop them before they are unstop able.

      • meray bholay bhai waseem ….. ap bohat juldi her cheez ko such maan letay ho …. yahan koi bhee aa ker kisi ke naam se kuch bhee post ker de to ap yakeen ker letay ho ke woah usi real banday na lika ho ga … agher ap inhi cheezaon ko prove bana ker kisi ko guilty sabet kerna chahtay ho to phir I think propakistani team has very solid proofs :-)

        wese mr.c0d3r jo bhee hai … bara hi na samujh hai .. aik to woah her jagha same naam use ker raha hai … 2nd apna pura biodata , home address etc. us ne net per rakha hai …. aur hamari FIA itni nikami hai ke is ke bawajood un ko woah nahi mil raha …. :-)

    • Sam nice point, same question was asked by other readers. let me put this more clearly here by giving some examples,

      you bought 2 cars. and for registration of both the cars you have provided your mobile num home address or anything that link back to you. if somethings goes wrong, that is some accident, and you leave that car. when police or any person try to trace what had happened he will start trace from what you have left.

      In this web attack case he left IPS from where attack was launched.

      When we tried to trace him we asked service provider that what was the registration details and then they gave us this domain name and other info which we cannot disclose here. then we tried our best to trace his and this is what the results are.

      Hope this will clear your mind and others

  • There are many groups that does all this in pk. but its just the better ones are always
    not publicly known just because they are better at hiding themselves its always the script kiddies that get caught.
    We are in an industry where anonymity is fame… I am no lawyer to any one here but in my opinion the information provided (technically .. at least publicly) does not stand a case if he has a good lawyer.
    But on the other hand in PK you can be proved guilty for hacking even if you don’t know how to operate a computer … :P.
    I strongly agree on the fact that even if he has not attacked this forum he has defaced other websites shown in the snapshot of report, the evil doer should be prosecuted period..

    The work done is surely appreciated and is a very good initiative. It provides motivation for others to conduct similar research and make it public to increase awareness.

  • what a script kiddie :) rofl ….nice nice if you get to know this guy why not tell FIA about it he was involved with rehman maliks website u know

  • Bohat ghalt baat…pakar kar to acha kaam kiya magar hamein aise logon ki Qadar karni chahiye k wo kitne zabardast mind k person hein…i love peoples like that …coz they have outclass mind.. i Love u C0d3r

  • meri taraf se bohat zabardast kiss c0d3r k liye Q K aise logon ki me bohat Qadar karta hoon …

    u have outclass mind brother

  • Amir bhai,

    Few questions in my mind:-

    1-do you have any timeline being given to you by FIA for that investigation and appropriate action?

    2-Will you share / post publically what FIA guys share with you? / will you share FIA investigation report with us?

  • lolz its sounds funny……that a hacker starts doing DOS with a vps behind its personal information :D well i think you must ask some CISP Expert to check or let the NR3C decide

  • Ltd feature videos

    Watch more at LTD

    close
    >