Around 2017-02-19 08:17:27, secure2.donaldjtrump.com was reported defaced on Zone-H.org, a widely used archive where website defacements are reported and verified.
Let me preface this with “I’ve never attributed a hack to anyone before” and “I don’t claim my attribution to be absolute,” as is often the case with attribution. Shoutout to uranium238 for the initial lead.
First things first, the hack.
First, let’s check out social media. It seems the first reference to the hack appeared two hours after I found out about it, on Twitter. Hussain Adnan is a known white hat registered with the well-known bug bounty platform HackerOne. HackerOne is a site where you can attempt to hack participating websites under defined rules of engagement and report your findings for kudos (bragging rights), swag or money.
Honestly, this tweet being the first to reference the defacement outside of a “Donate here!” context made me hesitant, given the similar national pride, the apparent sympathy and more.
I then checked other social networks, however, and found a similar posting on Facebook.
All in all, I still wasn’t confident, so I attempted to find documentation linking the man to the hack.
The first really damning piece of evidence came in the form of a resume. He had a resume on Publitas that, while anyone could have posted it, explicitly links him to the Zone-H login Pro_Mast3r. The resume claims multiple hall-of-fame listings, and Sony’s hall of fame does list Pro_Mast3r as having made their wall of fame. More importantly, the individual link on that Sony listing points back to Hussain Adnan’s Facebook. So it’s probably relatively safe to say he was the attacker.
Attack Methodology and Impact
At first glance, http://secure2.donaldjtrump.com/robots.txt disallows all bots, which also keeps compliant crawlers such as archive.org from providing an earlier snapshot of the site. It does, however, suggest the site was hosted on Pantheon, since the robots.txt carries the comment:
# Pantheon's documentation on robots.txt: http://helpdesk.getpantheon.com/customer/portal/articles/1389628
The donations URL, however, is now a vanilla WordPress install. It’s worth noting that, as you can probably guess, there used to be a donation portal here, and the site’s SSL certificate is still valid. The DNS record points through CloudFlare. I am a mere college student with no funds to spend on historical IP records, but someone could probably look into it.
The certificate chain confirms the certificate was issued through CloudFlare, and that it was issued in mid-December.
So my first thought was that it’s simply an out-of-date WordPress site. As far as I can tell, this wasn’t the case:
[+] WordPress version 4.7.2 (Released on 2017-01-26) identified from meta generator
[+] WordPress theme in use: twentyseventeen
[+] Name: twentyseventeen
| Latest version: 1.1
| Location: https://secure2.donaldjtrump.com/donate/wp-content/themes/twentyseventeen/
| Style URL: https://secure2.donaldjtrump.com/donate/wp-content/themes/twentyseventeen/style.css
| Referenced style.css: https://secure2.donaldjtrump.com/wp-content/themes/twentyseventeen/style.css
[+] Enumerating plugins from passive detection ...
[+] No plugins found
A second scan gave similar results, but https://secure2.donaldjtrump.com/readme.html was exposed and did specify the version number, which was the latest release.
However, there was a full path disclosure:
[!] Full Path Disclosure (FPD) in 'https://secure2.donaldjtrump.com/wp-includes/rss-functions.php': /srv/bindings/[redacted]/code/wp-includes/rss-functions.php
This path naming convention is characteristic of Pantheon hosting. Between that and the robots.txt comment, it’s safe to say the site is hosted on Pantheon.
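Everything above was learned passively: a robots.txt comment, a meta generator tag, an exposed readme.html and a PHP error that leaked an absolute path. A site owner can run the same checks against their own responses to see what they give away. The following is an added example written for this post, not code from the original article or from any tool it mentions (WPScan, Pantheon); the sample responses are constructed to resemble what the post describes, the binding id in the leaked path is a placeholder, and the `assess` function and its helpers are my own names.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# --- Constructed sample responses (modelled on the post; not captured from the real site) ---

SAMPLE_ROBOTS = (
    "# Pantheon's documentation on robots.txt: "
    "http://helpdesk.getpantheon.com/customer/portal/articles/1389628\n"
    "User-agent: *\nDisallow: /\n"
)

SAMPLE_HOMEPAGE = (
    '<html><head><meta name="generator" content="WordPress 4.7.2" />\n'
    '<link rel="stylesheet" href="/donate/wp-content/themes/twentyseventeen/style.css" />\n'
    "</head><body></body></html>"
)

SAMPLE_README = '<h1 id="logo"><img alt="WordPress" /><br /> Version 4.7.2</h1>'

# A PHP fatal error as rendered to the client when display_errors is on.
# PLACEHOLDER-BINDING stands in for the redacted binding id in the post.
SAMPLE_FPD_ERROR = (
    "<b>Fatal error</b>: Call to undefined function _deprecated_file() in "
    "<b>/srv/bindings/PLACEHOLDER-BINDING/code/wp-includes/rss-functions.php</b> on line <b>8</b>"
)

# --- Fingerprint helpers ---

def hosting_from_robots(robots_txt: str) -> Optional[str]:
    """Hosting hint from a comment line in robots.txt (the post's Pantheon clue)."""
    for line in robots_txt.splitlines():
        if line.lstrip().startswith("#") and re.search(r"pantheon", line, re.I):
            return "Pantheon"
    return None

def hosting_from_path(path: str) -> Optional[str]:
    """Hosting hint from a leaked filesystem path; /srv/bindings/<id>/code/ is the layout the post attributes to Pantheon."""
    if re.match(r"^/srv/bindings/[^/]+/code/", path):
        return "Pantheon"
    return None

def wp_version_from_generator(html: str) -> Optional[str]:
    m = re.search(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html, re.I)
    return m.group(1) if m else None

def wp_version_from_readme(html: str) -> Optional[str]:
    m = re.search(r"Version\s+([\d.]+)", html)
    return m.group(1) if m else None

def theme_from_html(html: str) -> Optional[str]:
    m = re.search(r"/wp-content/themes/([A-Za-z0-9_-]+)/", html)
    return m.group(1) if m else None

# Absolute *.php paths under common web roots, as they appear inside rendered PHP errors.
FPD_RE = re.compile(r"(/(?:srv|var|home|usr)/[^\s<>\"']+\.php)")

def full_path_disclosures(body: str) -> List[str]:
    return sorted(set(FPD_RE.findall(body)))

def _vtuple(v: str):
    return tuple(int(p) for p in v.split("."))

@dataclass
class Exposure:
    hosting: Optional[str] = None
    wp_version: Optional[str] = None
    theme: Optional[str] = None
    disclosed_paths: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

def assess(robots_txt: str, homepage_html: str, readme_html: str,
           error_body: str, latest_wp_version: str) -> Exposure:
    """Summarise what the four responses disclose, the way the post pieced it together."""
    exp = Exposure()
    exp.hosting = hosting_from_robots(robots_txt)
    exp.wp_version = wp_version_from_generator(homepage_html) or wp_version_from_readme(readme_html)
    exp.theme = theme_from_html(homepage_html)
    exp.disclosed_paths = full_path_disclosures(error_body)
    if wp_version_from_readme(readme_html):
        exp.findings.append("readme.html reachable: discloses core version")
    if exp.wp_version and _vtuple(exp.wp_version) < _vtuple(latest_wp_version):
        exp.findings.append(f"core {exp.wp_version} behind latest {latest_wp_version}")
    if exp.disclosed_paths:
        exp.findings.append("full path disclosure: PHP errors rendered to client")
        for p in exp.disclosed_paths:
            exp.hosting = exp.hosting or hosting_from_path(p)
    return exp

if __name__ == "__main__":
    result = assess(SAMPLE_ROBOTS, SAMPLE_HOMEPAGE, SAMPLE_README, SAMPLE_FPD_ERROR, "4.7.2")
    print(result)
```

Of the four signals, only the version being current is reassuring; the other three are configuration leaks. The full path disclosure in particular is not a WordPress bug but a sign that PHP is rendering fatal errors to the client, so the fix is to turn off error display in production (PHP's `display_errors`, and `WP_DEBUG_DISPLAY` in wp-config.php) and log errors server-side instead.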
More information will be added as it becomes available.