GhostShell Hacker Outfit Breaches Web Servers, Dumps Sensitive Info

Posted on

A hacker group known as GhostShell started posting links to database dumps extracted as a result of hacking different web servers.

The public messages of the hackers simply announce the target that was breached and offer URLs to multiple public paste sites where the data dump has been published.

Some of the data exposed is sensitive in nature

The information leaked depends from one target to another, but it looks like one can find anything from email addresses, usernames for different online services, addresses, phone numbers and dates of birth to hashed and plain text passwords, or personally identifiable information (PII).

GhostShell did not disclose the method of compromise, but security researchers at Symantec believe that access to the data is obtained through SQL injection attacks and poorly configured PHP scripts.

Given the large number of websites popped, the hackers could rely on an automated tool that scans for vulnerabilities. Security experts say that in previous attacks in 2012 they relied on an SQL injection tool called SQLmap.

GhostShell Hacker Outfit Breaches Web Servers, Dumps Sensitive Info
GhostShell Hacker Outfit Breaches Web Servers, Dumps Sensitive Info

The list of breaches does not seem to follow a particular pattern, as the hacked websites appear to be unrelated to one another as far as activity sector and country are concerned. In the latest posts, though, sites with South Korean TLD are more predominant.

Recommendations for users and database admins

The recommendation for users is to make sure that account passwords are strong and unique, and to turn on two-factor authentication for any online service that supports the feature.

Symantec advises database administrators to maintain their systems updated and to apply filters to user input.

“Data entered by users should be filtered for context, for example, an email address should only contain characters normally found in email addresses. This will seriously hamper the bad guys’ attempts at conducting SQL injection attacks,” the security company says in ablog post on Tuesday.

On the same note, database privileges should be limited by context so that a login field can access only the database that stores credentials and not other type of information.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s