on
Security Networks
AntiHackerlink Hacking Artifact from 2003
It’s not really a secret that among Indonesian tech company founders, Wenas Agusetiawan and Juny Maimun have a legendary status in the underground hacking communities especially in the 1990s and the 2000s.
In 2000, Wenas Agusetiawan was arrested for unauthorized network intrusion into NUS’ network. He was active under the handle hC- (short for “Hantu Crew” where “hantu” is an Indonesian word for “ghost”), as mentioned in this Wikibooks page.
Juny Maimun (more commonly referred to as Acong) was also covered by a news site in 2010 as a hacker who already got into countless of servers, using bagan as his hacker handle.
Wenas Agusetiawan is now primarily known as one of the co-founders of Tiket.com, a major Indonesian online travel agent. Meanwhile, Juny Maimun is primarily known as the founder of Indowebster and Maxindo. Indowebster used to be a popular online forum in Indonesia back in the 2000s and early 2010s, and Maxindo is an ISP.
Both of them used to be in a local underground hacking group called AntiHackerlink, and they used to hang out in an IRC channel called #antihackerlink on DALnet IRC.
I don’t have any personal ties with them, aside from having the opportunity to meet Juny Maimun once in 2012 where he was together with the late Arif Wicaksono, another AntiHackerlink member known with the handle sakitjiwa (which means “mental illness” in English). But one of the people who taught me cybersecurity (and mentored me in many ways) used to hang out in the same underground community as them. I’m not going to name the person here since they never even mentioned the name of AntiHackerlink community or the handle they used during their illegal hacking days (I think I might have figured it out already though).
What I meant to do in this post is to document a hack by AntiHackerlink in 2003, as I happened to stumbled upon an evidence of the hack happening in an old mailing list archive.
The following is the full text of the archived message.
List: incidents
Subject: Re: Possible google hack
From: <rsavage () nandomedia ! com>
Date: 2003-01-07 22:28:37
[Download RAW message or body]
Your proxy was probably hacked, not google's.
--
Rory Savage, Senior Systems Administrator
Nando Media: www.nandomedia.com
email: rsavage@nandomedia.com
aol im (PiasElihU)
919-836-5987 (Office)
On Tue, 7 Jan 2003, Johnson, April wrote:
> I've run into something most unusual in my proxy cache from last night: This
> was what appeared if I used my proxy to view www.google.com. It *could* be
> that my proxy cache was hacked, or some kind of dns spoofing/corruption
> occured between here and there. But has anyone else heard/seen this?
>
> Ping for www.google.com resolves to 216.239.33.101 - from the proxy console.
>
> The google site with a black background and the text
>
> Touch by cassablanca
>
>
> Gratz To
>
> s2c botaks [M2C] Junkist DewaLangit SpaceGhostz Ghostz bagan Escuver
> frozenghost Gir4ff3 AxAL
>
> #IndoHackerLInk@DAL.Net #AntiHackerLink@DAL.Net #RealCyber@DAL.net
>
>
> I've included the source as follows... It doesn't look all that clean.
>
>
> -April Johnson (CISSP, MCSE, CCNP)
> Network Operations - Security
> Seattle Public Schools
> apjohnson@seattleschools.org
> 206.252.0353
>
> "Give a kid a fish, and he eats for a day; teach a kid to fish, and he eats
> for a lifetime."
>
> ----------------------------------------------------------------------------
> -
>
>
>
>
>
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD><TITLE>Touch By cassablanca</TITLE> <META
> http-equiv=Content-Type content="text/html; charset=windows-1252">
> <"CHECK_FOR_VIRUSES"_STYLE .F1 {
> FILTER: glow(Color=#FF8000,Strength=10); WIDTH: 250px; HEIGHT: 200px
> } .F2 {
> FILTER: glow(Color=#00FF00,Strength=10); WIDTH: 250px; HEIGHT: 200px
> } .F3 {
> FILTER: glow(Color=#0080FF,Strength=10); WIDTH: 250px; HEIGHT: 200px
> } ></"CHECK_FOR_VIRUSES"_STYLE>
>
> <"CHECK_FOR_VIRUSES"_SCRIPT language=JavaScript>
> <!-- Original: CodeLifter.com (support@codelifter.com) -->
> <!-- Web Site: http://www.codelifter.com -->
>
> <!-- This script and many more are available free online at -->
> <!-- The JavaScript Source!! http://javascript.internet.com -->
>
> <!-- Begin
> var rate = 1000
> // do not edit below this line
> var i = 0;
> var F = 'F1';
> function doThing() {
> if (document.getElementById&&document.all) {
> ok = true;
> i++;
> if (i==1) F = 'F1';
> if (i==2) F = 'F2';
> if (i==3) F = 'F3';
> YammaYamma.className = F;
> if (i > 2) i = 0;
> timer = setTimeout('doThing()', rate);
> }
> }
> // End -->
> </"CHECK_FOR_VIRUSES"_SCRIPT>
> <META content="Microsoft FrontPage 5.0" name=GENERATOR></HEAD> <BODY
> text="#ffffff" bgColor="#000000" "CHECK_FOR_VIRUSES"_onload="doThing()"><!-- STEP \
> THREE: Copy this code into the BODY of your HTML document --> <CENTER> <TABLE \
> cellSpacing=0 cellPadding=10 width=401 height="69">
> <TBODY>
> <TR>
> <TD width="401" height="69">
> <CENTER><FONT face="Monotype Corsiva" color=#ffffff>
> <P id=YammaYamma><B><font size="7">Touch by </font> </B></FONT><B>
> <font size="7" face="Monotype Corsiva"
> color="#ffffff">cassablanca</font></B><FONT face=Courier color=#ffffff
> size=10>
> </P></FONT></CENTER></TD></TR></TBODY></TABLE></CENTER>
> <P align="center"><B><FONT face=Terminal color=#00ff00 size=5>Gratz
> To</FONT></B></P> <P align="center"><FONT face="Comic Sans MS" color=#ff0000
> size=4>s2c botaks
> [M2C] Junkist DewaLangit SpaceGhostz Ghostz bagan Escuver frozenghost
> Gir4ff3
> AxAL</FONT></P>
> <P align="center"><FONT face="Monotype Corsiva" color=#ff0000 size=5><FONT
> color=#ffffff></a></a></FONT>
> </font><FONT face="Monotype Corsiva"
> size=5>#IndoHackerLInk@DAL.Net</font></a></a> </FONT> </font> <font
> face="Monotype Corsiva" size="5"> #AntiHackerLink@DAL.Net
> #RealCyber@DAL.net</A></font><font face="Monotype Corsiva" color="#ff0000"
> size="5"></HTML><font face="Monotype Corsiva"
> size="5"></a></font></font></P><!-- text below generated by server. PLEASE
> REMOVE
> --></"CHECK_FOR_VIRUSES"_object></"CHECK_FOR_VIRUSES"_layer></div></span></"CHECK_FOR_VIRUSES"_style></noscript></table></"CHECK_FOR_VIRUSES"_script></apple
> t><"CHECK_FOR_VIRUSES"_script language="JavaScript"
> src="http://us.i1.yimg.com/us.yimg.com/i/mc/mc.js"></"CHECK_FOR_VIRUSES"_script><"CHECK_FOR_VIRUSES"_script
> language="JavaScript"
> src="http://domainpending.com/js_source/geov2.js"></"CHECK_FOR_VIRUSES"_script><"CHECK_FOR_VIRUSES"_script
> language="javascript">geovisit();</"CHECK_FOR_VIRUSES"_script><noscript><img
> src="http://visit.webhosting.yahoo.com/visit.gif?us1040932987" border=0
> width=1 height=1></noscript> <IMG
> SRC="http://geo.yahoo.com/serv?s=76001085&t=1040932987" ALT=1 WIDTH=1
> HEIGHT=1>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
I cleaned up the HTML code of the “defaced Google” from the email and opened it as a HTML file on a browser to see what the person saw back on 7 January 2003 when they thought Google was hacked. Here it is.
I also uploaded the static “defaced Google” page here. As you can see, bagan is listed as one of the people involved in the attack. That should be Juny Maimun.
Now, why am I documenting this? One reason is that the story of this hack was told to me as a case study by the AntiHackerlink member who taught me cybersecurity back when I was a student.
They never told me it was something they did for real, they just told me that there was a case where someone tried to open www.google.com and saw a defaced web page. This person then thought that Google was hacked, but in reality the one that got hacked was the DNS server. When the person opened www.google.com, the DNS resolver didn’t respond with Google’s IP address and gave the person the IP address of the hacked site instead.
I think what I found was the remains from the exact story they used as a case study when teaching me network security fundamentals 15 years ago. Hence, I think it’s worth documenting for personal reasons, and probably worth documenting for other people to see as a historical artifact of early 2000s’ Indonesian underground hacking scene also.
References
‘hacker’ Indonesia Tertangkap Di Singapura
Sejarah Internet Indonesia/Juli 2000 hC di adili di Singapura