International Journal of Inactivism (now supplanted by Decoding SwiftHack)


What we know about the CRU attacker, part 3.1: 16 Nov

Filed under: Climatic Research Unit crack — stepanovich @ 20:44

[cite as: F. Bi. 2009. What we know about the CRU attacker, part 3.1: 16 Nov. Intl. J. Inact., 2:103]

More on the .zip file of cracked CRU material:

$ ./vomit-zip | sort -k 6 | tail -5
local-mtime 2007-02-19,11:20:22  gm-mtime 2007-02-19,16:20:22  gm-atime 2009-10-15,09:19:08
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/marooned.jpg
local-mtime 2000-12-19,09:38:54  gm-mtime 2000-12-19,14:38:54  gm-atime 2009-10-24,18:00:00
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/mannuncert.txt
local-mtime 2004-02-09,07:44:58  gm-mtime 2004-02-09,12:44:58  gm-atime 2009-11-15,17:55:23
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/Extreme2100.pdf
local-mtime 2008-01-10,09:55:40  gm-mtime 2008-01-10,14:55:39  gm-atime 2009-11-15,20:43:56
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/trend_profiles_dogs_dinner.png
local-mtime 2009-11-11,09:23:36  gm-mtime 2009-11-11,14:23:35  gm-atime 2009-11-16,07:27:52
  [ tz -0500 ]  uid 1002  gid 1002  name FOIA/documents/EURO4M_DoW_v2.doc

In plain English: the timestamps in the .zip file indicate that the most recent access (probably a read) to any of the files contained in the archive was on 16 Nov, at 07:27:52 UTC, to EURO4M_DoW_v2.doc. The contents of the file itself were last modified on 11 Nov at 14:23:35 UTC.
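How a listing like the one above can be pulled out of a .zip, as an added example (not the vomit-zip tool used in this post, whose source is not shown here). It assumes the archive carries Info-ZIP style "UT" (0x5455) extended-timestamp and "Ux" (0x7855) uid/gid extra fields; the function names and the one-member sample archive are constructed for illustration.

```python
import calendar, io, struct, zipfile
from datetime import datetime, timedelta

def zip_times(data):
    """Read per-member timestamps and owner ids from the local headers of a ZIP."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for zi in zf.infolist():
            # 30-byte fixed local header; atime lives here, not in the central directory
            hdr = struct.unpack_from("<4s5H3L2H", data, zi.header_offset)
            start = zi.header_offset + 30 + hdr[9]      # skip the file name
            extra = data[start:start + hdr[10]]
            row = {"name": zi.filename, "local_mtime": datetime(*zi.date_time)}
            pos = 0
            while pos + 4 <= len(extra):
                tag, size = struct.unpack_from("<HH", extra, pos)
                body = extra[pos + 4:pos + 4 + size]
                pos += 4 + size
                if tag == 0x5455 and body:              # "UT" extended timestamp
                    off = 1
                    for bit, key in ((1, "gm_mtime"), (2, "gm_atime"), (4, "gm_ctime")):
                        if body[0] & bit and off + 4 <= len(body):
                            secs = struct.unpack_from("<i", body, off)[0]
                            row[key] = datetime(1970, 1, 1) + timedelta(seconds=secs)
                            off += 4
                elif tag == 0x7855 and len(body) >= 4:  # "Ux" 16-bit uid/gid
                    row["uid"], row["gid"] = struct.unpack_from("<HH", body)
            if "gm_mtime" in row:
                # DOS mtime is local time at 2 s resolution: round the gap to 15 min
                gap = (row["local_mtime"] - row["gm_mtime"]).total_seconds()
                row["tz_minutes"] = round(gap / 900) * 15
            rows.append(row)
    return rows

def latest_access(rows):
    """Member with the most recent UTC access time."""
    return max((r for r in rows if "gm_atime" in r), key=lambda r: r["gm_atime"])

def sample_zip():
    """Constructed one-member archive mirroring the last row of the listing above."""
    mtime = calendar.timegm((2009, 11, 11, 14, 23, 35))
    atime = calendar.timegm((2009, 11, 16, 7, 27, 52))
    zi = zipfile.ZipInfo("FOIA/documents/EURO4M_DoW_v2.doc", (2009, 11, 11, 9, 23, 36))
    zi.extra = (struct.pack("<HHBii", 0x5455, 9, 3, mtime, atime)
                + struct.pack("<HHHH", 0x7855, 4, 1002, 1002))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zi, b"placeholder")
    return buf.getvalue()
```

The timezone is not stored anywhere in the archive; it is inferred from the gap between the DOS-format local mtime and the UTC mtime in the "UT" field, which is why the sample comes out as -300 minutes (tz -0500).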

Update 2009-12-28: Actually that wasn’t correct. The most recent access time was actually 16 Nov 16:43:25 UTC, for all the files in



  1. Frank,
    Very interesting!
    the link ‘cracked CRU material’ is malformed!


    Comment by climate criminal — 2009/11/28 @ 22:08 | Reply

    • climate criminal:

      Thanks, fixed!

      Comment by frankbi — 2009/11/29 @ 03:26 | Reply

  2. I have no idea if this is related, but’s (shared) host was attacked via an Apache vulnerability in the last few days of Oct – I was told the exploit is very sophisticated, and some think state-sponsored. What it did was change the pages that Apache served up, in an annoying but – to my knowledge – harmless way; but if the changes aren’t so harmless, and you have scripting enabled in your browser, and you visit such a site…

    Comment by Anna Haynes — 2009/11/29 @ 04:18 | Reply

    • Anna Haynes:

      Wow, weird stuff. I can’t think of why a (presumably) state-sponsored attacker would want to crack into a shared host which just happens to host a blog aggregator and a ton of other unrelated sites. Hmm…

      Are there any further details available on this attack?

      Comment by frankbi — 2009/11/29 @ 05:43 | Reply

      • It’s certainly out of my expertise range, I’m just going on what tech support told me. I should mention that the (bad) page does just look *commercially* bad – google keygenguru “buy logic studio” “Buy EdgeCAM 12” etc to find sites that have been infected.

        as for “They are more desperate than we think…” – google “mary mcfate”

        Comment by Anna Haynes — 2009/12/05 @ 20:05 | Reply

        • google keygenguru “buy logic studio” “Buy EdgeCAM 12” etc to find sites that have been infected.

          Hmm… haven’t been able to google up any, but I know some attacks add hyperlinks enclosed by <span style="display: none;"></span> so they won’t show up in a normal web page view (on CSS-aware browsers).

          But a sophisticated attack… just to boost the googlejuice of some software piracy sites? Sounds weird. (Unless these software piracy sites have some interesting affiliations…)

          google “mary mcfate”


          Comment by frankbi — 2009/12/05 @ 20:50

  3. They are more desperate than we think…

    Comment by hidden — 2009/12/04 @ 04:27 | Reply

    • So it has come to this…

      Comment by frankbi — 2009/12/04 @ 19:38 | Reply
