Article on an anonymous attack on a small German Webhoster in order to deface a far-right conspiracy theorist’s pages [Translation in comments]
# ProSite … oh my, that’s not a hoster.
Actually, we only wanted access to Attila’s [Attila Hildmann, German far-right conspiracy theorist, currently on the run] site … but what Anons then found at ProSite is actually unbelievable for a “professional hoster”. But anyway – we got attilahildmann.de.
We are still a bit pissed at the Denic [manager of the .de domain], because they made it so easy with attilahildmann.de, so we don’t want to let the matter rest. Then we have to do everything ourselves.
That’s why some Anons went to Attila’s hoster and searched for … um … infos.
They found some and finally got access to Attila’s site. Small defacement …
But what is that at ProSite? This is a noodle sieve, but not a hoster.
ProSite is a hosting brand of Speedbone Internet & Connectivity GmbH in Berlin. With a balance sheet total in 2019 of 634,000 euros, thus none of the really big hosters. The company operates its own data center in the Alboin-Kontor, and in addition to the ProSite hosting offers, one can also find colocation and server housing offers.
Not the industry giant … but not the most secure small hoster either.
# The ProSite security hole
Usually, when trying to get to a target’s website data, you go the direct route and look for security holes. If there are none there, some grab the server neighbor. At some point, they find a site, infiltrate it, and with good hosters, that’s the end. Jailed environment, isolation of one customer space from the other, secured database servers. The end.
This is also the case with ProSite. Accessing a server via a website with a vulnerable Joomla installation, there is no way through to Attila’s web space with customer number 5000120334. Attila’s site was initially safe. So in the beginning.
But instead you suddenly have full access to ProSite. So not to a little bit of ProSite, but really to ProSite:
- to all databases as “root”, you can shimmy from database to database, without security restrictions, without obstacles, for example, to the access control to the data center;
- to the account management system, where everything to do with managing accounts is handled, including blocking;
- to the ticket system, through which you can read all complaints, requests and problems of customers;
- to the climate control of the data center … without words;
- to the webcams;
- to the internal Mattermost system … okay, not directly, but to its database … but employees like to send passwords through it;
- to customer data … to personal, unsecured and unencrypted customer data.
That was actually the biggest shock: free access to customer data.
But not only to master data, but also to credit card data.
The year is 2021, and for several years now the DSGVO [European data privacy laws] has demanded state-of-the-art security for personal data, and by most this is understood to mean encrypted transmission and storage.
In addition, there is the PCI-DSS standard.
Behind the acronym PCI-DSS (Payment Card Industry Security Standard) is a security standard for credit card data that is binding for all institutions that process cardholder data or store credit card data. This data security standard was developed by American Express, Mastercard, Visa Inc, JCB International and Discover Financial Services. Its goal is to protect online merchants and end customers from fraudulent attacks, card misuse and theft. PCI certification is required whenever a locally executed checkout form developed in-house is used.
But even if the add-on payment processing software used by the online store accepts credit card data on its own server, PCI certification is essential – e.g. Visa or Mastercard PCI compliance. The same applies if a store operator stores cardholder data in its own systems. Retailers and service providers who store, transmit, or process credit card transactions must comply with the regulations. If they do not comply, they may be subject to penalties, restrictions, or ultimately be banned from accepting credit cards.
ProSite has screwed up the matter of protecting credit cardholder data in accordance with PCI-DSS. ProSite stores customers’ credit card data with name, card number, expiration date, provider and – take a deep breath – the CVC code in a single database table in its own systems. Nothing protects the data from access once you’re in the system.
So, ProSite, in the end we now have everything we need, we were actually only interested in one customer. Now you should not hesitate any longer and directly make a self-disclosure. And if you cancel Attila’s contract, we will also tell you how we did it.
Anyway… Attila sounds a bit desperate … in his mail to the support.
But we answered him.
Yes, we can answer, because ProSite’s system is infiltrated to the max. We have blocked the access to the administration tool, we have blocked the access to the datacenter and we have made some changes in the administration. The customer login is also not working right now. We have not touched the customer sites and databases. That is, those customers who are not named Attila Hildmann. We have avoided collateral damage as much as possible.
But ProSite will take a while …
By the way, the managing director of Speedbone Internet & Connectivity GmbH is Ulrich Malte Eckardt … We don’t know the gentleman, but others have had a look, so we’ll quote that. […]
And only because Attila will probably claim nonsense now: This was a pure Anonymous Germany action, neither was Kai Enderes involved nor was he informed, we neither need his support nor his okay for something like this. That Hildmann still doesn’t understand what it means to have a faceless collective as an opponent … quite sad.
Translated with http://www.DeepL.com/Translator (free version)