Aug 10 2008

Chinese hackers eating Chinese hackers…with a side of government

Published by at 4:48 pm under Hacker Hunting,Hackers Talking

This is the official Chinese government website for Longgang Emergency Management:

This is also the official Longgang Emergency Management website, when you add xiaozi.html:

You would think, with the recent earthquake in Sichuan and the ongoing Olympics, that government websites dealing with emergency management would be inspected rather thoroughly. Not so much. Google spiders crawling the internet, show that the website has been hacked since at least 31 July 08.

Is it unusual for a Chinese hacker to attack their own government’s website? The first-generation of Chinese hackers had very strict rules about not hacking inside China but the current crop doesn’t seem to adhere to the same code. Doing a pull on Zone-h.com.cn, gives 1,952 known Chinese government websites that have been hacked. A fairly large number of those attacks appear to be carried out by Chinese hackers.

So, from the URL extension on the hacked page of the Longgang Emergency Management website, who or what is a xiaozi? It is a who, or to be more precise, a him.

Meet Network Boy (Wanglu Xiaozi):

Blog name: Network boy’s BLog Hacker
Site admin nickname: Network boy
Age: 18
Birthday: 13 December 1989
Sex: Male
Blood type: B
Zodiac sign: Virgo
Address: Wulumuqi, Xinjiang
Personal quote:
Hobbies:

Not to get in a battle over Zodiac signs but isn’t someone born on 13 December a Sagittarius? Maybe something to do with the Chinese Lunar Calendar but trying to figure it out hurts my head about as much as International Date Line conversion. I have Chinese friends I give birthday gifts to five times a year just to be on the safe side. Moving on.

Going through Netboy’s website reveals that government websites are not his only target, he also has an affinity for fellow hacker websites as well.

1) First target, zgmuma.com (China’s Trojan Base):

According to Netboy, he was bored and went to his favorite hacker site (hackol.com) to study but the website was down. He did notice a link toward the bottom of the page that connected to zgmuma.com and for reasons unmentioned decided to see if he could break into the site. Zgmuma.com is another Chinese hacker website that boasts the largest collection of online game trojans around. It also provides hacker training.

I have to give Netboy credit, he provides a step-by-step account of his exploits, to include screen shots and the tools used to perform reconnaissance on the intended victim. With this one he was able to find a fatal flaw in the server to crack. While Netboy was breaking into zgmuma, his buddy, who goes by the name of Ice Sugar, contacted him to say that he had gained access to cnhacker.com and posted a hacked page:

Ice Sugar passed over the info on cnhacker.com to Netboy, who said he also posted a hacked page on the site.

2) Second target, an81.cn (The Dark Hacker Group):

Netboy was able to gain access to this website because they were using Dvbbs8.1. He was thankful that it was not 8.2, because then he would not have been able to gain access to the backstage shell. Using Thunder (unclear) he was able to discover the site admin’s password, 6423987, after making several manual guesses. He also used an ASP trojan during the process but I couldn’t begin to tell you what he was talking about; didn’t understand much of the technical jargon.

3) Third target, www.163???.com (Hacker)

Netboy really liked the design of this website and consider it difficult to break but still managed. Once again, he takes you through his very methodical system of cracking the website and I wish I was able to translate it but can’t. Some of you people who are more on the tech side might be able to gather what he did even better than me by the screen shots.

For whatever reason, he decided to hide the target’s URL but it only took about a minute to find the site, www.163xjs.com.  Wasn’t able to access the site due to a “directory listing denied” message. However, Google’s cache was not so particular about who peeked:

Even though the imagery is absent, it is clearly the same website.

4) Fourth target, hacker98.cn

Lot of stuff on this hack too but I’m getting bored and you get the point. He hacks other Chinese hacker websites.

Conclusion: At the end of each of these attacks, Netboy posts an invitation for other skilled people to join his group. So, this all may be just to gain recruits by proving he is better than the other groups out there.

2 responses so far

2 Responses to “Chinese hackers eating Chinese hackers…with a side of government”

  1. Waffaon 13 Aug 2008 at 7:44 am

    Well, would not wanna piss off him :D

  2. antichriston 27 Aug 2008 at 10:13 am

    Hey maybe they-
    Personally if I wanted to recruit hackers to my (Govt) team (or jail) I’d hack a few government websites (with their co-operation?) and then do a few of the ‘hacker’ sites. Very easy to do if you are the government. It would make you look like a hacker hero.
    Of course that probably wouldn’t work with anyone who’d studied history even as far back as the Berkeley days, but the average nerd is not going to be up on that sort of thing are they?