Originally created 05/03/01

Chinese hackers hit Colo. high techs

BOULDER, Colo. - In its intended form, the Web site for the Rocky Mountain Windows Technology User Group includes links to job openings and Windows news.

But Monday, it displayed a waving red Chinese flag.

Chinese hackers have been attacking U.S. Web sites this week, mostly replacing pages with anti-American rhetoric. By Tuesday, Chinese hackers had claimed hundreds of attacks - and warned that they could get worse.

"It's a minor hack. It wasn't extremely destructive, but it certainly was annoying," said Bruce Handley, president of the user group.

U.S. hackers have retaliated by defacing Chinese sites.

So far, the hacks have amounted to the online version of graffiti, but hackers on both sides of the Pacific are threatening that they could get worse - escalating to denial-of-service attacks and worm viruses.

The Boulder attacks fulfill the Chinese hackers' promise that they would target sites ranging from U.S. government sites to small business sites. One site boasts of the hackers' vandalized sites, listing hundreds. But some of those were back up and running by Tuesday afternoon.

Art Smoot, president of AES Consulting, said four of his firm's 32 servers, all NT servers, had been hacked. His firm hosts the local Windows NT users group, as well as the site for the Internet Chamber of Commerce. Other sites include Horizon Organic Dairy and the National Information Center.

Smoot said hackers entered through a configuration hole in Windows, and he saved a copy of one of the hackers' pages. The site said it was "powered by the killusa Union of China."

The site was topped with an image of a waving flag and a manifesto that included the line: "Beat down Imperialism of American!"

"They replaced the customer page and erased some files," Smoot said. "But when you've got a big system with tens of thousands of files, it's hard to find what's missing. We're rebuilding the attacked servers."
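The problem Smoot describes, working out which of tens of thousands of files a defacement replaced or erased, is what a stored file-integrity baseline solves. The following is an added example, not code from the article or from AES Consulting: it hashes a web root into a manifest, and later compares a fresh manifest against the stored one to list modified, missing and newly dropped files. The sample site tree and the simulated defacement in `demo()` are constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def save_manifest(manifest: dict, out: Path) -> None:
    # Store the baseline off the web server; a copy left beside the
    # site can be altered by whoever altered the site.
    out.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report what changed between the stored baseline and the live tree."""
    both = baseline.keys() & current.keys()
    return {
        "modified": sorted(k for k in both if baseline[k] != current[k]),
        "missing": sorted(baseline.keys() - current.keys()),
        "added": sorted(current.keys() - baseline.keys()),
    }


def demo() -> dict:
    """Constructed web root, baselined, then defaced the way the article describes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "wwwroot"
        (root / "jobs").mkdir(parents=True)
        (root / "default.htm").write_text("<html>Windows user group</html>")
        (root / "jobs" / "openings.htm").write_text("<html>jobs</html>")
        (root / "news.htm").write_text("<html>news</html>")
        save_manifest(build_manifest(root), Path(d) / "baseline.json")
        (root / "default.htm").write_text("<html>defaced</html>")  # page replaced
        (root / "news.htm").unlink()                              # file erased
        (root / "hacked.txt").write_text("x")                     # file dropped
        return compare_manifests(load_manifest(Path(d) / "baseline.json"),
                                 build_manifest(root))
```

Run `demo()` to see the three change classes; on a real host, baseline a freshly built server and re-run the comparison on a schedule or whenever a defacement is suspected.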

Smoot said hackers continued to try to hack his other sites, one by one.

"I just saw someone from the same address space in China come into Terry Freeman's (Internet Chamber) site, and I realized they were looking for specific files associated with a front page," Smoot said. "They're randomly attacking addresses and multiple machines."

So he sent them a file associated with a front page - a detour to the home page of Microsoft Corp.

"I figure they're part of what caused this problem," because the hackers could get in, he said.

While he hosts what he calls "quasi-governmental" sites, Smoot said he thinks the attacks were completely random. And while they were mostly harmless, fixing the servers could take days.

"In some cases I don't have a complete fix," said Smoot, who is primarily a one-man shop, with some hired consultants. "I figure we're looking at a cost of about a one-man-day's work per server."

Handley said his site was getting temporarily shut down for upgrading anyway, so the downtime from the hack was less serious for his group.

And unlike some traditional site hacks - which mimic the look and language of the original site - these hacks were very easily recognized, Handley said: "It's pretty universal - if you see a waving red flag on your site, it's been hacked."