Computer Crime Research Center
How Al-Qaida Site Was Hijacked
(By Patrick Di Justo WIRED.COM)

A Maryland hacker used simple Web tools like whois and traceroute -- as well as online translation software and an anti-cybersquatting service -- to take over the domain name of al-Qaida's website. And he's ready to do it again.

Jon Messner, the Internet entrepreneur who perpetrated the recent domain hijacking, used SnapName's Snapback service to obtain ownership of the domain www.alneda.com.

Since at least March 2001, al-Qaida has been using Al Neda ("The Call") as its official Internet headquarters.

The switch in ownership was made on July 16, after the owners of alneda.com deleted its registration from an ISP in Malaysia. Messner believes this was in preparation to establish Al Neda on another server.

"It was a slippery bastard, but I've got it now," Messner laughs. "I own alneda.com."

Al Neda contained editorials by major al-Qaida leaders, some of them explicit calls for action and justification of terrorist activities. There was a message board, containing relatively innocuous messages believed to be coded signals.

There was also a multimedia section containing pictures, audio files and videos of Osama bin Laden.

Earlier this year, Al Neda was being hosted on a server farm in Kuala Lumpur. Messner believes the United States government pressured the Malaysians to drop www.alneda.com from its site a few months ago.

When al-Qaida deleted the domain from Malaysia, Messner struck. "After they pushed it out of the Malaysian registry... in that split second the domain became exposed, and Snapback... put my info in there," Messner said.

Now Messner was listed as Al Neda's owner.

At that point, Messner put up a copy of the original al-Qaida website on his new domain, with one subtle difference. "I put very simple CGI tracking on the site, so for five days I could trace back to nearly every hostile Islamic message board and website on the Internet."

Messner used the Arabic translation software on Ajeeb.com to read the messages left on his new website.

"The context of the messages was all, 'Praise Allah, The Call is back online,'" Messner said.

For five days, visitors believed www.alneda.com was still the real al-Qaida site. Then at 4:30 a.m. on July 20, a message was posted to an Islamic message board by the person who had regularly maintained the actual Al Neda website.

"He told them it was a trap, not to go there, the infidels were tracking their information, they had taken control of the domain and stay away."

After that, Messner realized, "The jig was up."

With his cover blown, there was no sense keeping the decoy up anymore, so Messner replaced the website with a picture of the Great Seal of the United States and the phrase, "Hacked, tracked and now owned by the USA."

That same morning, Messner says, the real al-Qaida website appeared temporarily at www.news4arab.org, which has since gone down.

Messner hypothesizes that the next incarnation of al-Qaida's website will be on www.drasat.com.

"Drasat.com is where all the videos on alneda.com were located," says Messner. "When Al Neda got shut down a few months ago, at one point the website appeared wholly on drasat.com."

The status of drasat.com seems to be in flux. Its DNS was changed Thursday night to point to two new servers, NS3.XAZDNS.COM and NS4.XAZDNS.COM, which are registered through Everyone's Internet of Houston.

Ali Al-Ali of Saudi Arabia is listed as the owner of drasat.com.

"To me, this activity indicates that they intend to put something on it," Messner said. "If I was to bet, that's where it would appear."

When Messner took control of alneda.com, he immediately contacted federal authorities. "The frustrating part was that it took me five days to actually talk to someone (in the FBI) who had a working knowledge of the Internet, and by that time the opportunity was gone.

"I had an exact duplicate of their site up. And they thought it was theirs."

Messner's motive? He said he made a decision after Sept. 11: "I was going to use every skill I had to screw up the terrorists' communication in any way I could."

FBI agents from the Baltimore field office eventually visited Messner's office but asked him not to disclose what they had discussed. FBI officials could not be reached for comment.

Messner has taken some precautions with his prize. "We've been rotating the website among different servers with a round-robin DNS, because they have been shooting it down pretty regularly," he said, laughing.

One slightly jarring note: A man identifying himself as Michalis Michael, calling from a number in Cyprus, left a message at Messner's office on July 23, claiming that he owned the alneda.com domain and demanding it back. Messner never returned the call.

"I didn't really want to talk to him," Messner said.

Source: www.wired.com

Home | What's New | Articles | Links
Library | Staff | Contact Us
Copyright © Computer Crime Research Center 2001, 2002 All Rights Reserved.
Contact the CCRC Office at 380-612-735-907