Weakness in disregarded server was used to gain access to News International systems and then redirect traffic to fake web page, and then to LulzSec's Twitter feed

The LulzSec attack on News International's systems to redirect readers from the Sun to a fake story, and to try to get at its internal email store, appears to have been two-pronged.

Some of the more skilled hackers, including some from the hacker collective Anonymous, had been probing it in detail for about two weeks before the hack. One was to break into its email archive; the other was to hack and "deface" the site itself, by putting up a fake story – the same method LulzSec originally came to attention by doing when it hacked the PBS site to claim that Tupac Shakur was not dead.

However as far back as 2009 a weakness was found in the "Contact us" form of the Sun's site that meant that it could be used to attack the database holding emails for the system.

Some former News International employees' names and mobile phone numbers have been given out on Twitter by people affiliated to the hacker collective Anonymous. However, they are not current: some include people who left the company in 2007. But that also implies that they may have access to email archives dating back to when some phone hacking occurred.

Monday night's hack of the Sun occurred because one of the hackers found a weakness in a "retired" server for the News International "microsites" – used for small or unimportant stories – running Sun's Solaris operating system.

The most likely candidate for that hack – which would use the weakness discovered in 2009 – is the "mailback" page at http://www.new-times.co.uk/cgi-bin/newtimesmailback, which on Tuesday morning had been deactivated, along with the whole of the new-times site.

The server hosted the outdated "new-times.co.uk" site put up when the Times was building its paywall.

The hacker used that and then ran a "local file inclusion" program to gain access to the server – meaning they had extensive control over it.

That then gave them access across large parts of the News International network, possibly including the archived emails, and to the Sun's "content management system" (CMS) – which formats news onto pages. That will have included the code for the "breaking news" element of the Sun's main webpage; changing the entire content on the page would be too obvious.

By including a line of Javascript in the "breaking news" element, the hackers were able to ensure that anyone visiting the Sun's home page would, as the ticker was automatically refreshed, they would be redirected to anywhere that the hackers chose.

Initially they made it redirect to a fake page they had created at new-times.co.uk/sun which attempted to look and read like a Sun story claiming that Rupert Murdoch had been found dead. That page used a template of another story that first appeared on 14 July, suggesting that the hackers either grabbed an archived story or have had access since then.

After the team at News International tried to regain control, the hackers then redirected the main News International page to the Twitter page for LulzSec.

But the problems for the News International team aren't over. A number of email addresses and passwords were being tweeted last night on various feeds – implying that the hackers may have gained access to the email archive and be preparing to release it. If that happens, the effects could be titanic.

Many thanks to Jared Earle, Paul Lomax, Joe Saunders, Ian Betteridge and Dan Catt for invaluable help with the analysis.