Dozens of High Profile Pakistani Websites Are Vulnerable to Hacking: Indian Hacker

Fraud ManAn Indian hacker, named as Zero, has exposed over a dozen high profile Pakistani websites – which are vulnerable and hack-able.

At the moment, we don’t know much about Zero due to insufficient information available about him, however, according to a source in hacker’s community, Zero is apparently from India.

Before we go into further details, here is a selected list of exposed websites:

  • http://www.whatmobile.com.pk/
  • http://www.phonebook.com.pk
  • http://www.gallup.com.pk/
  • http://www.onlinenews.com.pk/
  • http://www.awt.com.pk/
  • http://www.unapakistan.org.pk/
  • http://www.psf.gov.pk
  • http://www.commerce.gov.pk
  • http://www.competitiveness.org.pk/
  • http://www.smeda.org.pk/
  • http://www.shifa.com.pk/

According to Zero above mentioned websites, along with many others are exposed to hacking or other vulnerabilities due insecure hosting infrastructure and badly written scripts.

He partially defaced few of above given websites, in addition to this, he also released the Database username/passwords of the web portals on an Indian news website.

According to local hackers, 85 percent Pakistani website are exposed to hacking, which includes banks, telecom companies, ISPs, blogs, forums with government websites at top of the list.

By the way, LulzSec (a group that recently hacked Sony, PBS, US Senate, the CIA, Minecraft and League of Legends), in an announcement yesterday said that they enjoyed hacking Pakistani websites the most. Check below what LulzSec said:

<ee> best old injection i had that doesn’t work anymore

<ee> was on some pakistani gov site

<ee> that was apparently tied into military

<ee> apparently their air defence pass was 445566

This shows that our government and semi government web servers are secured with such basic passwords.

twitter

Another thing which should be taken under consideration is the lack of responsibility we bear in ourselves, for instance, an insider told us that IT department had sensed the flaw in awt.com.pk, but they couldn’t take any measure to safeguard it – as high-ups didn’t give them a go ahead.

Ethical hackers are calling the need for security enhancement for Pakistani websites, to make sure that we live in a secure cyber world.


  • Can i add one more website here? Dunya TV’s website is also one of them. And some gov’s too.

    All are vulnerable to SQLi.

    Zero seems to be wrong here:

    “According to Zero above mentioned websites, along with many others are exposed to hacking or other vulnerabilities due insecure hosting infrastructure”

    Most common vulnerability in Pakistani websites is SQLi.

    • Ahsan Javed the thing is that most of the sites are vulnerable to many things like xss, csrf, sqli, system misconfiguration, easy password and network etc. The important part is every thing is vulnerable not only dunya TV but almost every news channel web site including dawn, samma, aaj, ary, geo etc and almost every gov installation too plus financial sector. Its like we are handing over our cyber space to those attackers to play and if we dont take this seriously then it will be late.

      • Yes I agree with you, cause all of them are somehow getting news from DB using simple id request.

  • admin

    I think its time to ask our security guys to re-scan our own servers too :P

  • Saeed

    Admin – Please first check your wordpress themes updates if any quickly update it.

    Most hackers come from these vulnerabilities and i know government websites they will not take any action.

    • there ware some vulnerabilities in WordPress but it were not in theme’s they were in some plug-ins if i am not wrong.

  • Junaid

    Hey guys! Cool down, nothings gonna happen.. This hack thing is just a fun, hackers hack and webmasters restore. And if you tighten your security, then also remember that “There is an equal and opposite reaction to every action”
    So, if google can be hacked, anything can be…

    • Saeed

      Mr.Junaid – U mean sit relax for site restoration.

      Take some action if vulnerabilities on your website then try to remove.

    • FYI: it wasn’t google that was hacked, infact the name server got rooted and was redirected to other place.

      Google’s isn’t child’s play at all :) ever wondered why LulzSec or Anonymous aren’t trying their skills there?

  • Saeed

    one more thing and im sure you guys working perfectly.

    – Always connect your server by SSH/VPN.
    – delete wordpress admin user
    – change your DB prefix
    – complexity on password
    – Always check mysql sessions when over time kill the session.

    I hope you already looking these small issues.

    Saeed

  • Saqlain

    Well we (the nation) have kept our National Interest Vulnerable……Hope some creative, some spirit may rise starting from shielding our vulnerabilities on net and may lead into our National Horizon and National Interest…

  • darkstar

    SQL injection is such a basic attack??still pak web developers are such [email protected]#$ards!!!
    btw admin where did you find the conversation in which they said they like hacking paki web sites most??

  • Jamal

    Can we see the complete list of sites.

    I hope my site is not included in that list.

  • Ameer Hamza

    Where are Pakistani hackers they should do this work and help the admins to fix them as the government is not going to do any thing ..

  • Salam, it’s gud bze paki r very sellfesh and try to not share hacking knowledge with new generation, pk people don’t know that’s what means hack. This message only for whoes know hacking not for all.
    Why hacker not hack ur site, it’s ur friend.
    ProPakistani hotmail com

  • waqas

    Even The Recent Past Most High Profile Website Hacked By Pakbugs .

    I think Admin Are Sleeping to badly .

  • There is nothing new !!
    Same this happens on a very famous forum where one of indian listed about 200 pakistani site (some famous was included too ) then another indian requested him to remove that bcz by doing so he is going to start war another time !!

    I think now it is responsiblity of government and other departments to take some measurement for security ,atleast put some security ,i know it members which are incharge in gov departments are JAAHIL but KAB TAK !!

  • To most of the lame Comments here by random people i would like to add something here 1st hacking is a art its not easy its not hard but it has the power which really comes with great responsibilities, as per i am aware about the cyber crime law a person cannot point out a flaw of any particular site its an offense which has punishment of custody or fine or both.

    2nd Information is free for all others had learn by them self no one was there or will be there to teach anyone about offensive skills, learn it learn it by hard way google it read books and start to educate your self.

    3rd about the guy who said that paki hackers should help our local web masters or administrators, tell me why should we have to help someone or to protect someone which him self don’t want to be saved. its there job to protect infrastructure they get paid to protect. If they are not doing there jobs then its time for young generation to take there places but wait again our education system is designed to teach us bookish knowledge to just pass a test paper again i am not saying that we don’t have good people among us but we don’t have many either.

    There is a war going on you can see West they are trying soo hard to fight against cyber criminals but still they cant win this game why because the dark side is getting stronger day by day. its not here yet but it will and when it will there will be lot of mess and there wont be anyone to clean this whole mess.

    Peace.

    • tweety

      @3rd part:

      its all about corruption!

  • tweety

    well,

    these indian guys had no other choice than to make a fake list!

    paki hackers are very active these days!

    they never made such lists to show on news!

    they make such lists on zone-h.com

    proud of you guys!

  • Shahid Saleem

    so many of hacking problems go away if you stop using php. switch to ruby on rials or djanga!

  • Me also getting bored of that PHP thing,

    What is Djang :D

  • For those of you, who not knows about the how know of protecting web servers but still running blog or e-commerce website, should go for Cloudflare, service is free also improves your website loading time and save your servers from the direct hacks of hackers! :-) one more thing, WordPress can be easily hack, if its running on any out dated plugin not a theme file :) also mostly Pakistani websites not blogs can be easily hack because of SQLi

  • Majeed

    I think if you dig the little history, Pakis hacker have the record to hacked indian website , maximum site in small stretch of time. in 2001 and 2002 hundred of indian sites hacked by pakis hackers, then indian name pak gov.com or somehting like that and hacked it and announced tht thay hacked pak gov website, really stupid of them..

  • no site is secure in this cyberworld..so if u think u can be secure in cyberworld then its ur imagination……if any 1 web on server has vuln then whole server is at risk….

  • Owais Chishti

    Every action has it equal and opposite reaction

  • Owais Chishti

    Every action has equal and opposite reaction

  • Would any one of you specialist guys give us suggestions to improve web or server security?

    I Appreciate if ProPakistani also wrote about security enhancement, specially for wordpress sites.

  • Sraza

    Some Point from 15 Yrs exp System Manager.
    1) Never use Micro shit Windows Server for Production.

    2) Always use Stable Release of Linux (my fav. Debian GNU Linux and Redhat Enterprise Linux. Never use Centos/Ubuntu/Fedora core).

    3) Never open additional Ports on server. check open ports through nmap utility.

    4) never install phpmyadmin in ur system. my preference is to give DB access to localhost only. disable all sshd login for root. create a normal user with password of 15 chracters (use http://www.freepasswordgenerator.com)

    5) connect mysql client through ssh tunneling to the server using that user and pass for db access.

    6) use winscp to upload your web files to home folder of the server. than from putty move the files to web dir.

    7) use Firewall like Shorewall to safeguard your server. only open inward and out going ports which are req. (80/443/25 for mail delivery).

    8) in php.ini disable additional features which are not required.

    9) never use Webpanel Like Plesk or WHM Cpanel etc.

    10) always update the system software from reliable and stable Repositories only. and Admin panel of your application should also bind to your server IP as below.

    in apache configuration bind Access to Admin Directory with IP of your Server. than restart apache, open putty put your server IP and in Tunnel option in the left pane use destination dynamic and source to 8080 and open putty. use your linux username password.
    Now you have SSH tunnel with port 8080 to your server. open your web browser and put socks proxy localhost and port 8080. now open your Admin Panel. it would open. but if you disconnect Your Putty this will never been accessed through internet.

    11) for saving Mysql DB. make additional subinterface for private Ip like 10.1.1.10
    restart the network service and check if it is working. add this ip to shorewall/iptables to access to port 3306.
    open Mysql through root and make another user with name [email protected]. give all root access to this new root user. now drop all privileges to [email protected]

    from Mysql Client use SSH tunnel to establish connection than use user [email protected] and ur password. on Shell use mysql -h10.1.1.10 and -p to access your database. use same connection string with all your database. and never make any database with [email protected] login always use [email protected] user to make database so ur new user will also use same database user “[email protected]” to connect to database. and secure ur Application configuration file from web access through permission or htpasswd file.

    for any questions Please let me know.
    [email protected]

  • Shavonne Boruff

    Finally a Blog Worth Reading