Hacker attacks UK government websites

Several UK government websites have been defaced by a hacker protesting about the dangers of smoking.

A hacker calling himself "Herbless" claims to have carried out separate attacks, breaching three local authority websites in England and Scotland and five web sites run by four different government agencies on Monday. The affected websites have since been restored.

The sites hit were the Adult Learning Inspectorate (www.ali.gov.uk), Global Information on Science and Technology (www.gist.gov.uk), Training Standards Council (www.tsc.gov.uk), Dumfries and Galloway Council (www.dumgal.gov.uk), Sheffield City Council (www.sheffield.gov.uk), Swindon Borough Council (www.swindon.gov.uk) and two websites run by the countryside Agency, (www.clevelandway.gov.uk and www.woldsway.gov.uk).

A ninth attack, on a website owned, but not yet used, by the village of Binfield, Berkshire (binfield.gov.uk), was still carrying the hacker's message, at 19.30 Wednesday. The rant against smoking and the governments that don't ban it later disappeared and the site was unavailable.

Ukerna, the body responsible for registering web sites with the .gov.uk extension, told vnunet.com this morning that an initial search on its database did not reveal a listing for the domain but said it needed more time to establish whether or not it officially existed.

Herbless told vnunet.com he exploited a weakness in SQL server which allows him to post a spoof page on the websites. He also said: "The vulnerability in this server was found by me - the exploit code is 100 per cent mine," on the hacked websites.

Security expert Neil Barrett of Information Risk Management confirmed the existence of the vulnerability. Barrett told vnunet.com his team had independently discovered a weakness in SQL server last week that would allow a similar attack.

Herbless told vnunet.com: "I have posted my source code on Bugtraq and exploit method to alert the security community to this new way of modifying files on a server." BugTraq is a security discussion group that can be found at www.securityfocus.com.

However, other experts said the attack may have instead exploited Microsoft's Internet Information Server (IIS) 4.0, using a script known amongst the hacker community.

Matt Tomlinson, a security expert at MIS Corporate Defence Solutions, said: "If this was a new script, we would have seen a lot more hacks by now as other hackers jumped on board."

"We think he has used an available script that exploits weaknesses in Microsoft's Internet Information Server 4.0 - which is known about in the industry although Microsoft denies its existence. All of the hacked sites have been using IIS 4.0 and he's shown up those government administrators [who have been] slow to upgrade."