CERT AM
CERT AM is the country CERT (Computer Emergency Response Team) for Armenia.
It is administered by a representative of the Armenian Internet domain.
AM NREN CSIRT is the Armenian National Research and Education Network
Computer Security Incident Response Team. It is administered by a
representative of ASNET-AM, a major Armenian NREN.
CERT AM/AM NREN CSIRT is a national information security center
operating under the management of the Internet Society of Armenia.
CERT AM/AM NREN CSIRT collects and analyzes computer incidents
(i.e., attempts at or actual violations of local rules and policies,
or of rules globally accepted by the Internet community, on the use
of computer resources) concerning network resources located in
Armenia, and responds to them with the aim of preventing and
stopping incidents and collecting evidence about them. CERT AM/AM
NREN CSIRT also serves as a contact point for users who need
assistance in dealing with ISPs and with the Armenian official bodies
in charge of investigating computer crime cases.
CERT AM/AM NREN CSIRT guarantees the confidentiality of the
information it receives about incidents.
----------------------------------------------------------------------------------------------
Incident reports
- July 4, 2008:
On July 4, 2008 at 13:26 Yerevan time the http://library.aua.am web site was hacked from IP 81.17.94.73, which belongs to AZ-BAKINTER-NET-20051005 (Baktelekom).
The welcome message on the main page of library.aua.am was redirected to the hacker's site by changing the link value.
The security hole was in an ASP script that was accessible by a plain HTTP request.
Recovery from the attack was done by restoring the original link values.
The insecure scripts were secured with appropriate ACLs.
- June 4, 2008:
A host was hacked from azhack.org. Before the break-in the hacker
used the IP address 82.118.139.15 to look for holes in the web site
administration; he then hacked the web site using 212.38.112.55.
The actual break-in started at 03/Jun/2008:18:59:48 server time
(USA, GMT -6). On some of their sites the web site owners ran a
handmade CMS but used external WYSIWYG editors (FCK, Innova). The
hacker managed to find the path to that editor's upload function.
He uploaded the file "database1212454545.rar" to the server and
gained access to the server's file system. He then started deleting
files and placed an index.html with hacked.jpg in different domains.
Some of the domains' root directories were completely deleted, some
partially. Since the server administrators in the USA had not
administered their server correctly, the hacker was able to reach
the root directory of the hosting account.
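The report above describes reconnaissance from one address, then a file upload through an embedded editor's upload connector from a second address, then retrieval of the uploaded archive. As an added example (not part of the CERT AM report or of any of the affected sites' code), the script below runs that detection logic over Apache-style access log lines: it flags requests to editor file-manager/upload paths and successful fetches of script or archive files from upload directories, and groups the hits by source IP with the first time each one was seen. The log lines are constructed for this example; they reuse the IP addresses, timestamp, time zone and file name the report gives, but the URL paths (an FCKeditor-style layout) and the marker lists are assumptions.

```python
"""Flag editor upload-connector abuse in Apache-style (Common Log Format) access logs."""
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Path fragments used by embedded editors' file managers and upload connectors.
# Assumption: these match FCKeditor-style layouts; extend for other editors.
EDITOR_UPLOAD_MARKERS = ("filemanager", "upload", "connector")
# Directories the editors write uploaded files into (assumption).
UPLOAD_DIR_MARKERS = ("userfiles", "uploads")
# Payload extensions worth flagging when served from an upload directory.
SUSPICIOUS_EXT = (".rar", ".zip", ".php", ".asp", ".aspx", ".jsp", ".pl", ".cgi")

# Constructed sample log (not real server data); IPs, timestamp and file name
# follow the June 4, 2008 report, paths are assumed.
SAMPLE_LOG = """\
82.118.139.15 - - [02/Jun/2008:21:10:05 -0600] "GET /admin/ HTTP/1.1" 404 210
82.118.139.15 - - [02/Jun/2008:21:10:09 -0600] "GET /fckeditor/editor/filemanager/connectors/php/connector.php?Command=GetFolders&Type=File HTTP/1.1" 200 512
212.38.112.55 - - [03/Jun/2008:18:59:48 -0600] "POST /fckeditor/editor/filemanager/upload/php/upload.php?Type=File HTTP/1.1" 200 94
212.38.112.55 - - [03/Jun/2008:19:00:12 -0600] "GET /userfiles/file/database1212454545.rar HTTP/1.1" 200 183004
10.0.0.7 - - [03/Jun/2008:19:05:00 -0600] "GET /index.html HTTP/1.1" 200 4021
"""


def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_editor_upload_path(path):
    """True if the request path (query string ignored) touches an editor upload connector."""
    p = path.lower().split("?")[0]
    return any(marker in p for marker in EDITOR_UPLOAD_MARKERS)


def is_served_upload(path, status):
    """True if a script/archive file under an upload directory was served successfully."""
    p = path.lower().split("?")[0]
    in_upload_dir = any(marker in p for marker in UPLOAD_DIR_MARKERS)
    return in_upload_dir and p.endswith(SUSPICIOUS_EXT) and status.startswith("2")


def analyze(lines):
    """Return {ip: {"first": first_seen_time, "hits": [(time, method, path, status), ...]}}."""
    findings = defaultdict(lambda: {"first": None, "hits": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in Common Log Format
        path, status = rec["path"], rec["status"]
        if is_editor_upload_path(path) or is_served_upload(path, status):
            entry = findings[rec["ip"]]
            if entry["first"] is None:
                entry["first"] = rec["time"]
            entry["hits"].append((rec["time"], rec["method"], path, status))
    return dict(findings)


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: first seen {entry['first']}, {len(entry['hits'])} suspicious request(s)")
        for hit in entry["hits"]:
            print("   ", *hit)
```

On the sample, the reconnaissance address is reported with one hit (the connector probe; the failed /admin/ request is not flagged) and the second address with two (the upload POST and the fetch of the .rar file). Real logs will need the marker lists tuned to the editor actually deployed, and the first-seen timestamp is what to hand to the upstream CERT or ISP abuse contact together with the source address.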
- May 5, 2008:
One of the ISOC AM web sites was hacked from IP address 80.69.57.130,
which belongs to Aztelekom.Net.
- Feb. 5, 2008:
A hacker attack defaced a web site in the .am domain, coming from
the IP addresses 62.217.145.4 and 62.217.145.5. Analysis showed that
the IP addresses belong to Azeronline Information Services. It is
important to mention that the compromise of the web page succeeded
because a trivial, easy-to-guess username/password (admin/admin) had
been set for the administration area of the web site, which in turn
had a trivial path (/admin). The web page was recovered and the
page's security was increased.
- Jan. 9, 2008:
Repeated hacker attacks broke into several web sites in the .am domain,
coming from the IP addresses 212.47.128.30, 212.47.132.79,
212.47.133.111, 212.47.133.123, 212.47.133.44 and 212.47.133.95.
Analysis showed that the IP addresses belong to the Academy
of Science of Azerbaijan. The report was sent to cert.aznet.org
and cert.pl.
- Dec. 25, 2007:
A hacker attack on an Armenian bank web site replaced its front
page. The underlying problem, an SQL injection, was detected and
the site was recovered. The logs were analyzed with the help of
cert.pl, but the hacker could not be traced.
- Dec. 18, 2007:
A threatening letter of a criminal nature, with serious consequences,
was received by an Armenian bank from a user of the ISP EZZI.NET.
A letter sent to abuse@ezzi.net remained without a response.
The report was sent to cert.pl.