How we hacked the JC hacker

By Richard Burton and Jessica Elgot, January 21, 2010

Special Branch are investigating an attempt by pro-Palestinian hackers to compromise the JC website.

Police were passed vital clues about the identity of the hacker after an investigation by the company’s IT experts revealed the source of the attack.

The site was suspended briefly on Sunday evening after the home page displayed a Palestinian flag and an antisemitic message in broken English and Turkish, which stated the hack to be the work of “Palestinian Mujaheeds”.

Scores of readers had spotted it and either phoned or sent emails and text messages. Many more responded by Tweeting or posting Facebook messages, and by Monday, it was discussed on international news wires.

The hacker had been clever enough to find an innocent-looking way into the site by installing what looked like an image but was in fact a PHP (web programming) file which contained a full “hacker’s toolbox” — capable of seeking and exploiting any potential security weaknesses in servers.

Having managed to burrow deeper, the hacker uploaded two further files, one being a Perl script which contained a “Trojan”, a file that lies dormant until activated.

The other was a binary file which exploits a weakness in the operating system and allows a non-trusted user to obtain root-level access.
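The first stage described above, a PHP file uploaded under an image name, is something a site owner can look for in upload directories. The following check is an added example, not part of the original article and not the JC's own tooling; the function names, file names and file contents are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Leading magic bytes for the image types an upload directory normally holds.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# Full opening tag only; short tags (<? and <?=) are too noisy in binary data.
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def inspect_upload(path):
    """Return the reasons an image-named file looks like PHP ([] = clean)."""
    ext = Path(path).suffix.lower()
    if ext not in IMAGE_MAGIC:
        return []
    data = Path(path).read_bytes()
    reasons = []
    if not data.startswith(IMAGE_MAGIC[ext]):
        reasons.append("magic bytes do not match extension")
    # A valid header does not clear a file: PHP can be appended after it.
    if PHP_TAG.search(data):
        reasons.append("PHP opening tag in content")
    return reasons

def scan_tree(root):
    """Walk root and return {relative path: reasons} for suspicious files."""
    hits = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and (reasons := inspect_upload(p)):
            hits[str(p.relative_to(root))] = reasons
    return hits

def demo():
    """Build constructed sample files (not incident artefacts) and scan them."""
    samples = {
        "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "banner.jpg": b"<?php /* placeholder body */ ?>",
        "logo.gif": b"GIF89a" + b"\x00" * 16 + b"<?php /* placeholder */ ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return scan_tree(root)
```

A scan like this complements, rather than replaces, configuring the web server so that nothing in an upload directory is executed as PHP.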

Why us?

The reach of the JC’s website is as wide as its pages are comprehensive.

It contains arguably the most fulsome record of Jewish history in the world, with its 170-year-old archive and vast library of images and videos representing all aspects of Jewish life.

It also serves as a central hub for comment and debate, hosting some of the biggest names in the Jewish world on its blogging and social networking platform. And its news pages are up-to-the-minute.

Hundreds of files were then overwritten and replaced with HTML code containing the rogue message, one of which targeted the code that pointed to the home page.

The hacker accessed the site a second time, although he did not act. He was probably checking to see what corrective action we had taken. At the time, we were still working to patch the leak.

We were able to download and replicate his toolbox — and discovered a series of clues as to his identity, including an IP address registered to TurkTelecom, an email address and a hacker’s forum to which he belongs. Police have full details of these.

The JC Wikipedia entry was updated shortly after the hack at 5.22pm, although examination of the IP addresses involved suggests this was not linked to the attack.

Pro-Palestinian hackers have an emerging cyber-presence. A similar message was placed on the home page of the Israeli weather site Israelweather.il.

In 2001 a virus known as an “Injustice Worm” bombarded the email of Israeli MKs, and in 2009 the US Military website was attacked with an image of a Palestinian protester in front of an Israeli tank.

JC Editor Stephen Pollard said: “Only those without the confidence to win an argument resort to such tactics. And it was a pretty self-defeating attempt to silence us.”

In fact, the hacker did us a favour. The site received its highest ever number of hits the day after the attack.

Last updated: 3:54pm, January 21 2010