All information in this report was collected in December 2011.
In November 2011, several websites were subject to DNS hijacking and server intrusion by the same attacker.
A number of prominent web developers were targeted including CSS Tricks and David Walsh, who discuss the details of the attack better than I can. Soh Tanaka never got his domain name back; as of March 2012, it is still controlled by the attacker and is now registered through Moniker Privacy Services.
Web developers were not the only target. Other stolen domains include a Shi'a online community, an Egyptian radio station, and (I suspect) an Arab hacking website owned by one of the attacker's buddies.
I believe that the attacker is the Arab hacker known as Dr.EXE aka dr_pc based on similarities in the whois data used by both hackers. I found no evidence of the involvement of other hackers, although it is possible that the attacker showed the attack to his friends and they were egging him on. I found no further clues as to this person's identity.
Another researcher, who posted to Pastebin before I began this investigation (and strongly biased my work), identified the attacker as the Pro Hackers group and specifically the hacker using the alguidy e-mail address. I believe Pro Hackers to be the name used by one hacker (alguidy), that he is uninvolved in this event except to the extent that Dr.EXE hijacked his domain name also, and that he is a friend of Dr.EXE who may have been in communication with Dr.EXE over internet channels as the attack occurred.
I do not know if Dr.EXE attends Kharkiv University or if the references to Kharkiv in domain whois are a red herring. Kharkiv has a course in information security which would attract a hacker's attendance and harassment, and its public student rolls list one attendee with an Arab-derived name. No evidence could be found connecting this person to Dr.EXE.
Access to the victims' DNS registrar accounts was probably obtained in one of three ways: through a keylogger, through account passwords stored in the victim's email (accessed by a keylogger), or by a direct attack on the registrars' systems. One victim, Chris Coyier of css-tricks, reported that the attacker also compromised multiple services he used with different passwords. This strongly suggests the use of a keylogger on the victims' personal computers.
No information could be found as to the initial attack method. Several potential attack methods include:
The common attack vector may have been something else that I have not thought of.
The attacker does not believe that he will be caught. As evidence, the attacker used his real phone number in his whois information.
The attacker is an experienced programmer/sysadmin who is well-connected to the hacking community and is at least tangentially connected to the criminal hacking community. As evidence, the attacker is believed to have used a variety of attacks; targeted developer-oriented web sites; asked for money from at least one victim; and gave up quickly when confronted.
Only David Walsh reported being contacted by the attacker with a demand for money. This is probably because the attacker heard of Walsh's high-profile Twitter campaign. The attacker was probably encouraged by his buddies to attempt to blackmail Walsh.
The primary motivation was lolz. The attacker was probably studying javascript and modern web development at the time and decided to hit a large number of high-profile targets that the attacker would have been familiar with. In addition, the attacker hit one of his buddies' sites and Shi'a Chat. This was done for fun, not for money.
Attacker's claimed information for Soh Tanaka web site:
Owner: 8oc (465350)
Bakulina 12
Kharkiv, Kharkiv 61166
Austria
Phone: +38.0630587225
Email: xD@hotmail.com
Since the attacker volunteered this information, it is unlikely to be real and there is a potential that it is intended to direct investigators to an innocent person.
8oc has no meaning that I can gather.
The number (465350) appears to be a counter that changes between contacts, possibly to prevent simple searches on the owner; or it may have been added by the registrar as a record ID.
12 Bakulina is an apartment building near Kharkiv National University in the Ukraine. The university includes a Computer Science department that has a course in "Security of Information and Telecommunication Systems". The staff all appears to be Eastern European while other evidence suggests that the attacker (or the attacker's patsy) is Arab. It is possible that the attacker is a student or an IT employee of the school, or may have a vendetta against a student or employee of the school.
Austria bears no relation to any other information I can gather, and there is no reason it would be included in relation. It could be that Austria appears early in an alphabetical list of countries, or the country code AT may have a meaning to the attacker, or the attacker may have forgotten which country Kharkiv University is in. If the attacker has a sense of humour, this might be the only true information.
The telephone number listed, +38.0630587225, is a mobile phone number with a Ukraine country code. It may belong to somebody who the attacker wishes to annoy.
Emails used by the attacker for DNS registration include xD@hotmail.com and forserver@yahoo.com. This latter email address leads to a registration for xp10.biz, identifying the owner of forserver@yahoo.com as a Libyan:
Registrant ID: CR21224960
Registrant Name: ahmed ali
Registrant Organization: libya
Registrant Address1: ksa
Registrant City: baha
Registrant Postal Code: 1456
Registrant Country: LIBYAN ARAB JAMAHIRIYA
Registrant Country Code: LY
Registrant Phone Number: +212.553792555
Registrant Facsimile Number: +216.553792555
Registrant Email: forserver@yahoo.com
Name Server: NS21.APTHOST.COM
Name Server: NS22.APTHOST.COM
Created by Registrar: GODADDY.COM, INC.
Last Updated by Registrar: GODADDY.COM, INC.
Last Transferred Date: Thu Jun 11 16:01:02 GMT 2009
Domain Registration Date: Sun Jan 30 18:30:17 GMT 2005
Domain Expiration Date: Sun Jan 29 23:59:59 GMT 2012
Domain Last Updated Date: Sat Oct 24 02:32:56 GMT 2009
There also exists an Arabic-language xp10.com with fake whois info and DNS handled by dnsxp10.com, also with fake whois info.
The website hosted at xp10.com is a hacker site.
Copyright © 2011 [Xp10-Team] - Template designed by HeShAm-HaCkErS Templates & Supplied by: www.xp10.com
A member of xp10 is learning Javascript and web development, as one of the included Javascripts includes a comment referencing web developer sites:
http://www.sohtanaka.com/web-design/examples/drop-down-menu/
http://www.noupe.com/tutorial/drop-down-menu-jquery-css.html
http://css-tricks.com/examples/DiggHeader/
Two of these domains were stolen in the recent attack.
The site also presents a flash file xp10.swf in a hidden iframe which I'm not going to open while there is an unpatched flash exploit in the wild. [Side note: My freeware flash decompiler automatically runs anything it loads. Can someone suggest a better one?]
The site includes an Arabic-language forum hosted on vBulletin.
xp10.com is hosted at IP address 74.63.195.9 by 24shells.net, a Pennsylvania company, which sublets its IP space from Limestone Networks, a Texas company. The server itself is likely to be in or near Dallas, judging by a traceroute:
12  xe-0-2-0.mpr1.dfw1.us.above.net (64.125.27.213)  49.508 ms  49.416 ms  49.392 ms
13  64.125.188.182.t00822-03.above.net (64.125.188.182)  49.742 ms  49.679 ms  49.619 ms
14  te6-1.bdr2.core2.dllstx3.dallas-idc.com (208.115.192.62)  50.575 ms  49.970 ms
    te6-1.bdr2.core1.dllstx3.dallas-idc.com (208.115.192.58)  49.868 ms
15  ge0-2.vl7.cr01-54.dllstx3.dallas-idc.com (208.115.252.134)  50.161 ms
    ge0-1.vl6.cr01-54.dllstx3.dallas-idc.com (208.115.252.130)  51.075 ms
    ge0-2.vl7.cr01-54.dllstx3.dallas-idc.com (208.115.252.134)  51.158 ms
16  162-200-115-208.reverse.lstn.net (208.115.200.162)  49.716 ms  49.822 ms  49.967 ms
17  9-195-63-74.reverse.lstn.net (74.63.195.9)  49.792 ms  49.697 ms  49.744 ms
("dfw" is likely Dallas-Fort Worth, "dallas" is obvious, and light travels at 186,000 miles per second or 186 miles per ms)
The xp10 group has a Screencast account called HeShAm.HaCkErS's Library with four tutorials:
Metasploit is well-known software for combining exploits and rootkits. Evilgrade is software that pretends to be an update service for other software, allowing the direct upload of malicious software to clients.
Hesham Hackers also has a myspace page with links to videos and linking to its home page at the now-defunct info-ar.com domain. They also have a Facebook page.
The anonymous pastebin linked the attackers to Pro Hackers, which may be the same group as xp10.
ProHacker under alguidy@hotmail.com has done security research, finding and reporting a vulnerability in the PHP freeware Advanced Poll Module in 2006.
alguidy@hotmail.com hacked a Libyan newspaper in February 2007 in the name of PrO HaCkErS and security-arab.net, a site created in 2007 by a user posting under the name rUnViRuS, according to the Internet Archive. The hacked page said "HackEd by Libya". It can be assumed that alguidy is a Libyan, and I believe that he and rUnViRuS are the same person.
The original security-arab.net page copied a Surreal Media gaming clan template, listing web proxies under "Last Matches" and listing "WonZ" -- apparently recently hacked sites -- under "Gaming Servers". rUnViRuS wrote with an Arab Nationalist tone, writing of using hacking knowledge to empower the Arab race. Before that, security-arab.net held a blank page with the text "pro hackers".
alguidy was already using proxies in July 2004, when he used a Norway IP address to post a "Hacked By" message on a random web forum.
alguidy also uses the addresses anti_hacker@hotmail.com and spy@live.no.
Al-Jazeera's forum was hacked by Dr.EXE and Pro HackerS in 2009. They used the e-mail addresses phpshell@hotmail.com and alguidy@hotmail.com.
Dr.EXE is an influential individual in the Arab hacking scene. He is given greetz on so many hacked pages by different people that I think he is an experienced Arab hacker that the others look up to for advice and education. He has worked with Pro Hackers in the past. I initially doubted that he was involved in this event due to his behaviour profile, but the evidence discussed later would change my mind.
Dr.EXE also uses the handle dr_pc and is associated with the phpshell@hotmail.com account.
In 2008, xp10 participated in a contest with other hacking groups to see how many sites they could break into, chiefly Iranian web sites but the groups also attacked each other.
ProHackers, Electr0n, dr_pc, and minyar called themselves Anti Hacker.
The whois information of xp10.biz may have been added by the same attacker hijacking that site's DNS along with the other known victims. Here is what is known about the attacker.
oca (247158)
Bakulina 12
Kharkiv, - 61166
Ukraine
Phone: +38.0630587225
Email: forserver@yahoo.com
Administrative Contact, Billing Contact: Oca

Owner: 8oc (465350)
Bakulina 12
Kharkiv, Kharkiv 61166
Austria
Phone: +38.0630587225
Email: xD@hotmail.com
Updated 05-dec-2011

admin-c-firstname: Feras
admin-c-lastname: Hasan
admin-c-street1: Bakulina 12
admin-c-pcode: 11313
admin-c-city: Keta
admin-c-ccode: AU
admin-c-phone: +41.234234234234x44 [obviously fake]
admin-c-email: moya.server@gmail.com

Owner: oca (247001)
Bakulina 12, Kharkiv, Keta 61166.
Austria
Phone: +61.4354353455. [obviously fake]
Email: forserver@yahoo.com
Technical Contact: oca (247002)
Bakulina 12, Kharkiv, Keta 61166
Possibilities:
REGISTRANT CONTACT INFO
Protected Domain Services - Customer ID: NCR-3590174
P.O. Box 6197
Denver CO 80206 US
Phone: +1.7202492374
Email Address: 8oc.com@protecteddomainservices.com

$ dig 8oc.com any

; <<>> DiG 9.8.1 <<>> 8oc.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6018
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;8oc.com.                IN    ANY

;; ANSWER SECTION:
8oc.com.    14400    IN    A      184.173.218.234
8oc.com.    86400    IN    NS     ns2.8oc.com.
8oc.com.    86400    IN    NS     ns1.8oc.com.
8oc.com.    86400    IN    SOA    ns1.8oc.com. server.8oc.com. 2011121501 86400 7200 3600000 86400
8oc.com.    14400    IN    MX     0 8oc.com.

;; ADDITIONAL SECTION:
8oc.com.    14400    IN    A      184.173.218.234

Hosting locations
184.173.218.234 - ns1.8oc.com and server.8oc.com
184.173.218.233 - ns2.8oc.com
It's possible that the attacker has rented 184.173.218.232/29 or /30. Whois finds a ThePlanet /15 there. RobTex claims the IP is sublet by SoftLayer.
8oc appears to be a music site that the attacker may have broken into. 8oc has a link to a blog that appears to contain cloned content from elsewhere, also about pop stars.
It is possible that the hacking was a bungled attempt at SEO for 8oc.com. Via css-tricks: "In my index.php file in the root (effects the entirety of WordPress) a link was added to 8oc.com."
As already mentioned, Dr.EXE uses the phpshell@hotmail.com email address.
linkp.net was registered in 2009. As of May 2010, linkp.net was registered to Feras Hasan using Dr.EXE's phpshell@hotmail.com address and a street address of "Wall Street, KharKiv".
Post time: Tuesday, 19 May 2009 (Creation time)
Updated Date: Thursday 20 May 2010
Expiration date: Thursday 19 May 2011
Administrative Contact: Linkp Feras Hasan (L@Linkp.net) +1.35345435 Fax: Wall Street KharKiv, 61166 UA
Technical Contact: Feras Hasan (Phpshell@hotmail.com)
The phpshell address registered 9ae.org as Mosa Ali from Dubai. This is likely to be false information.
Name:mosa Ali
Registrant Organization:lol
Registrant Street1:dubai,ae
Registrant City:dubai
Registrant State/Province:AE
Admin Email:phpshell@hotmail.com
Created On:17-Oct-2009 14:31:54 UTC
Last Updated On:17-Dec-2009 03:58:34
Postal Code:2424
Tech Country:AE
Tech Phone:+971.971505434235
"Mosa Ali" from "AE, SA" using forserver@yahoo.com registered qirlz.com on 06 Feb 2008 through Haladomain.
Mosa Ali (forserver@yahoo.com) 00971500000000 Ae AE, AE 12345 SA
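The whois pivot this report relies on (matching registrant e-mail, phone, street, postal code and name across records), sketched as an added example that is not the author's own tooling. Field values are transcribed from the whois excerpts on this page; the hijack-1 to hijack-4 labels, the constructed control record and the selector weights are assumptions of the example.

```python
import re
from collections import defaultdict
from itertools import combinations

# Assumed weights: registrant e-mail and phone are strong pivots, a street
# address is weaker, a postal code or personal name alone is weak. City is
# left out because it is implied by the postal code.
WEIGHTS = {"email": 3, "phone": 3, "street": 2, "postal": 1, "name": 1}

def rec(name, street, postal, phone, email):
    return dict(name=name, street=street, postal=postal, phone=phone, email=email)

# Values from the whois records quoted on this page. The page does not name
# the four hijacked domains, so hijack-1..4 are labels made up here.
RECORDS = {
    "hijack-1": rec("oca", "Bakulina 12", "61166", "+38.0630587225", "forserver@yahoo.com"),
    "hijack-2": rec("8oc", "Bakulina 12", "61166", "+38.0630587225", "xD@hotmail.com"),
    "hijack-3": rec("Feras Hasan", "Bakulina 12", "11313", "+41.234234234234x44", "moya.server@gmail.com"),
    "hijack-4": rec("oca", "Bakulina 12", "61166", "+61.4354353455", "forserver@yahoo.com"),
    "linkp.net": rec("Feras Hasan", "Wall Street", "61166", "+1.35345435", "Phpshell@hotmail.com"),
    "9ae.org": rec("mosa Ali", "dubai,ae", "2424", "+971.971505434235", "phpshell@hotmail.com"),
    "qirlz.com": rec("Mosa Ali", "Ae", "12345", "00971500000000", "forserver@yahoo.com"),
    "xp10.biz": rec("ahmed ali", "ksa", "1456", "+212.553792555", "forserver@yahoo.com"),
    # Constructed, unrelated record to show that nothing joins by accident.
    "control": rec("Example Registrant", "1 Example Road", "00000", "+1.5555550100", "hostmaster@example.org"),
}

def normalize(field, value):
    """Reduce a whois field to a comparable form."""
    v = value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", v).lstrip("0")
    if field in ("street", "name"):
        # Token-sort so "Bakulina 12" and "12 Bakulina" compare equal.
        return " ".join(sorted(re.findall(r"[a-z0-9]+", v)))
    return v

def link(a, b):
    """Return (score, shared selector names) for two records."""
    shared = [f for f in WEIGHTS
              if a.get(f) and b.get(f) and normalize(f, a[f]) == normalize(f, b[f])]
    return sum(WEIGHTS[f] for f in shared), shared

def clusters(records, threshold):
    """Union-find over every pair whose shared-selector score meets threshold."""
    parent = {k: k for k in records}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(sorted(records), 2):
        if link(records[a], records[b])[0] >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for k in sorted(records):
        groups[find(k)].append(k)
    return sorted(groups.values())

def weak_links(records, strong=2):
    """Pairs connected only by selectors scoring below the strong threshold."""
    out = {}
    for a, b in combinations(sorted(records), 2):
        score, shared = link(records[a], records[b])
        if 0 < score < strong:
            out[(a, b)] = shared
    return out

if __name__ == "__main__":
    print("strong selectors only:", clusters(RECORDS, 2))
    print("any shared selector:  ", clusters(RECORDS, 1))
    for pair, shared in weak_links(RECORDS).items():
        print("weak link", pair, "via", shared)
```

With these weights the phpshell@hotmail.com registrations join the hijack records only through a reused name or postal code, which is the kind of link an attacker can plant.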
There appear to be numerous Arab hacker groups calling themselves some variant of XP-10. The significance of this name is unknown. This particular group is also known as Security Arabs, AnTi HaCkEr, and "Libya, PalStine & Jordan HackerS".
Also known as Pro HackerS, rUnViRuS, Anti Hacker
Emails:
Possible name: Ahmed Ali
The organizer of xp10 and the host of the xp10 forums. Arab. Nationalist opinions in his youth. Likely from Libya. In the security scene since 2004; now a veteran hacker, likely in mid-20s after starting as a teenager circa 2004.
He was the first person to be publicly accused of the attack, but I do not believe him to be the attacker.
Also known as dr_pc
Emails:
Possible name: Mosa Ali or Fares Hasan
Usually cited in greets or as an assistant hacker, although he has done some hacks of his own. Likely to be the most experienced hacker of the group. Probably a member of more than one hacker team. Has teamed up with alguidy to deface a few websites.
He has been a member of the PLO hacking forum soqor.net since 2004.
This makes me believe that he is the attacker.
Electr0n has done some independent work, hacking the websites of the Libyan domain registrar and phone company during the rebellion of 2011.
There is a chance that Dr.EXE is the same person as Pro Hackers, or that he shares the forserver@yahoo address with that person. I believe them to be two different people.
It is possible that the lesser-known members Electr0n and minyar are each one of the known team members. If this is the case, Electr0n would be an alias for alguidy and minyar would be a new alias for Dr.EXE. It is equally possible that they are relatively new group members with a lower public profile.
There remains the possibility that the attacker is neither person and that the relations to Dr.EXE are coincidental and/or planted by the attacker.
The War Intel page on Hackers Pal associates Dr.EXE with the names Crack3r, Webcracker, gacker, Sp1der_Net, Black AttaCk, and MiniMan. These are the names to the right of Dr.EXE in one set of greets. It is not uncommon for page defacers to greet their own alternate nicknames.
Sp1der_Net was actively finding PHP exploits in 2006 and did some page defacement in 2006-2007. Sp1der_Net then used the name hitham hitham of Palstine HackerS Team or Hackers Pal, giving greets to SoQoR.Net.
As of 2010: Sp1der_Net searched for help learning Python:
"i know php but i don't know python ... i need a function in php that doing converting shellcode to alphanumeric code"
I cannot find evidence to support or rebut the association of Sp1der_Net with Dr.EXE. The name Hitham sounds like the name Hesham used by Hesham Hackers but this may be a coincidence.
User name : awak
Real Name : Mohamed
Age : 20 (as of 2006)
Sex : Male
Nationality : Egyptian
Language : Arabic - English
Alias : T3rr0risT - Egyptian H4x0rz
E-mail : Get@Linuxmail.Org - R0x@passport.Com - Egyptian.H4x0rz@gmail.com
Also known as Aymancci and HaCkEr's~MaStEr.
NsSaf@hotmail.com Aymancci@Hotmail.com http://www.flickr.com/people/aymancci/ aymancci@hotmail.com Saudi MOBILE: 0503-801-899 00966-(503-801-899) Or Bahraini MOBILE : 36644714 00973-(3-66-44-714) ;) AbuRahi, S.Ayman alawi "THE LINK mailto:[AbuRahi, S.Ayman alawi - aymancci@hotmail.com] is not available"
Someone using the names Renad Style and Dreams Realized posted images sourced from qirlz.com on a web forum.
The owner of qirlz.com uses the name a7laranoooda, claiming to be a young woman Ranoooda Saud from Saudi Arabia as of October 2010. "a7la" is Arabic netspeak for nifty or pretty.
The Renad Style blog and blogspot account were created Sep 2009.
Likely possibilities:
Kharkiv University has a student with an Arab-sounding name: Rahman Halilov (or Khalilov), possibly a localization of Rahman Halil (or Khalil), 2nd year as of 2011. He is in Group CS-22. If this correlates to the CB track, he is studying information security.
It must be noted that there is no known connection between the student Rahman Halilov and the hacker Dr.EXE other than the coincidence that Rahman attends Kharkiv and Dr.EXE put Kharkiv in his whois contact information.
Most of the other students listed in the CS department page have names that sound Russian or Ukrainian.
Cannot tell if these blank accounts are related or not:
There are a large number of other "Dr_pc"s on the web: a car enthusiast from New Zealand, a Cambodian, a Chilean, and a guy from Sheffield, England. There is a dr_pc on a Turkish forum, claiming the name "Hakki Yıldırım". Given the number of people using the name dr_pc, and dr.exe's references to the Arab Peninsula, this is probably a different person.
Albx Team is a different hacker group also calling itself xp10.
Also known as "XP10 _ HaCkErS".
Writes in French.
Writes in Spanish and English. References Italian-language search engines.
This list was anonymously posted to Pastebin on 2011 December 18 and includes the Albx Team xp10 site.
This list was anonymously posted to Pastebin on 2011 December 27 and includes the Albx Team xp10 site.
Report written by David Turover, 2012 May 21.