PRC.gov.ph hacked. Hacker announces on public mailing list.
Around 12:57 AM today, June 19, 2006, a message was posted on the IT Specialist mailing list at Yahoo announcing a successful defacement of the Philippine Regulations Commission's website by white hat hackers from the Philippines called PHTeam. Although I find it to be a generous act, the government officials may blow it out of proportion and use it as an excuse to lash back against all hackers (white hats, grey hats, or black hats), which could turn into another Hackers Crackdown like what happened in the US.
Original post (email address hidden):
Message-ID: <20060618165750.62569.qmail@web52412.mail.yahoo.com>
Subject: [IT SPECIALIST] who wants to pass the PRC exam?
http://www.prc.gov.ph/links.asp <-- we are the white hat hackers

I hacked the site's database just this Monday morning (12:35 AM). Hopefully later, when I get to the office, the white hat hackers entry I inserted, including the URL, will still be there. It will probably only disappear if the other team of hackers is awake right now, is greedy for credit, and deletes what I inserted into the database.

I now have access to the database of the Professional Regulation Commission. SQL injection is serious stuff, and so is it when the "sa" username turns out to be used for an MS SQL Server database, whether in a website or even a desktop application. When the connection string uses "sa", you can run a command shell using SQL. Good thing "sa" was not the user in PRC's connection string; otherwise what the other hackers could do might be even more devastating. What can be done is just more limited since there is no shellcode exploit. I tried to reboot the PRC site (i.e. shutdown -t 5) using SQL Server's shell stored proc, but it didn't work.

As long as the MSSQL connection is "sa", there is shelling of executables and anything can be done: alter index.html (home page defacing or the whole site), create a file, delete a file, shut down the PC, install a program there, the list is endless. But since "sa" was not the username used in the connection string at PRC, the shellcode exploit is not possible, and the defacing of the site is confined to the table rows. But their site is still in danger even without access to shelling; the connection string still has permissions on the tables. For example, I could very well insert someone as having passed or alter an exam result, and I was also able to create two tables there.

It is also hard when the application is public-facing, like websites. It is prone to attack by hackers. The program developer really needs to be security-conscious, especially if it is an e-commerce site, for example: what if you want someone else's product order that is about to be shipped to be directed to you instead? It would be chaos. Actually, two hackers have already gotten into the PRC site. The team of http://www.phcare.org and http://www.infotechxchange.com/.

In the next programs I write using MS SQL Server, I will no longer use "sa" as the username in the connection string. But what is also amusing about the PRC site is that not all of it uses MS SQL as the database; other portions of the website were implemented using MySQL. Their MS SQL database there has around 62 tables in all (64 minus the two tables I created there). Hopefully within this week PRC will fix the vulnerability of their site.
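
The point the quoted post makes, that the damage from SQL injection is bounded by what the connection-string account is allowed to do, translates into a least-privilege database account. The T-SQL below is an added example, not code from the post or from the PRC site; the names SiteDb, dbo.Links and web_links_reader are assumptions, and the syntax is SQL Server 2005 or later.

```sql
-- Added example. Assumed names: SiteDb, dbo.Links, web_links_reader.
-- Syntax: SQL Server 2005 or later.

-- 1. A dedicated login for the web application, used in the connection
--    string instead of "sa". The password is a placeholder.
CREATE LOGIN web_links_reader
    WITH PASSWORD = '<Replace-With-Generated-Secret-1>', CHECK_POLICY = ON;
GO

USE SiteDb;
GO
CREATE USER web_links_reader FOR LOGIN web_links_reader;

-- 2. Grant only what the page needs: read access to the one table it lists.
GRANT SELECT ON OBJECT::dbo.Links TO web_links_reader;

-- 3. Explicit denies for the actions the post reports were possible
--    (inserting or altering rows, creating tables). DENY overrides any
--    GRANT the user might later pick up through a role.
DENY INSERT, UPDATE, DELETE, ALTER ON SCHEMA::dbo TO web_links_reader;
DENY CREATE TABLE TO web_links_reader;
GO

-- 4. Audit: is the login a sysadmin (the privilege level of "sa")?
--    1 = member, 0 = not a member.
SELECT IS_SRVROLEMEMBER('sysadmin', 'web_links_reader') AS is_sysadmin;

-- 5. Audit the effective permissions as the application user itself.
--    1 = permission held, 0 = not held.
EXECUTE AS USER = 'web_links_reader';
SELECT
    HAS_PERMS_BY_NAME('dbo.Links', 'OBJECT', 'SELECT')       AS can_read_links,
    HAS_PERMS_BY_NAME('dbo.Links', 'OBJECT', 'INSERT')       AS can_insert_links,
    HAS_PERMS_BY_NAME('dbo.Links', 'OBJECT', 'UPDATE')       AS can_update_links,
    HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE') AS can_create_table;
REVERT;
GO
```

Restricting the account limits what an injected statement can reach; it does not remove the injection itself, which still has to be fixed in the page's query handling.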