28 June 2016

Several media websites shared a story over the weekend about a Moroccan hacker who goes by the name ElSurveillance. Reportedly, he hacked 37 British escort websites for religious reasons.

We performed a brief investigation of this incident and below are our findings.

Two posts featuring the name “ElSurveillance” were published on Pastebin. The first contains a list of 15 escort websites, the second a list of 22 websites.

All 15 websites from the first post are hosted on the same server, with IP address 160.153.162.130. The full report from the vulnerability scanner is available here.

The 22 websites from the other post are hosted on another server, with IP address 185.116.214.18. The full report from the vulnerability scanner is available here.

As you can see from the results above, both servers host a lot of websites (884 and 650 respectively), some of which spread malware or are used in phishing campaigns. Most likely, they were also compromised before this event. The servers are poorly configured and use vulnerable software, including vulnerable versions of cPanel, which was most likely used to compromise the server.

According to Softpedia, the hacker plans to release 100 000 user records from the compromised websites next week. This claim is doubtful, because the compromised websites did not appear to have user registration or private profiles. They were just landing pages advertising escort services. Some of the websites are back online, restored after the hack.