Chutian Jinbao
December 17, 2008

China's local media previously reported that a government website in Jinzhou, Hubei Province, had been hacked on December 5. Today's Chutian Jinbao (the "Golden Post") reports that police have arrested four suspects who are believed to have taken part in the attack:

On December 5, the Internet police in Wuhan, Hubei Province, received a report from the Jinzhou Commerce Bureau that its server had been hacked. A racy bikini photo was uploaded in place of what should have been the biographies of government officials, and remarks from the director had been replaced with the attacker's own announcement.

After the news was broken by a local BBS, major portals reposted the news and the hacked website saw a sudden traffic spike.

Two days later, the website suffered another attack, and this time the attacker even left a message stating, "I want the government to fix this problem quickly. Please don't let me infiltrate this website again." The attacker also left provocative messages in the forums of the Internet police website.

On the forums, however, thousands of netizens claimed responsibility and mockingly pleaded for the police to arrest them. Given the chaotic situation, it was very difficult to identify who the real perpetrator was.

The police established the first round of attacks on December 4 were from two IP addresses in Puyang, Henan Province. Two IP addresses were found to belong to an Internet cafe and a computer hardware store.

Police were immediately dispatched to Puyang. Because the two locations were about 60 kilometers apart, and the two attacks happened within ten minutes, the police determined that the attacker could not be the same person. This suggested the possibility that the attacker had used the two machines as "proxies" to hide his own real address.

Unfortunately, the Internet cafe computers used hard drive restoration software that eliminated all traces that attacker may have left. The owner of the second computer didn't seem capable of launching a sophisticated hacker attack. The police discovered that he had recently reinstalled his operating system: the computer had been infected by viruses a few days before, he explained.

With the investigation at a dead end, a new attack took place on December 7. The attacker left a new message: "The loophole is still there. This is a friendly reminder; I will not delete your data. Please fix the problem." This time, the attacker was from Yichang, Hubei Province.

Finally, the police were able to recover data from the hard drive of the machine in the computer shop, and they found a suspicious QQ account. The owner finally confessed to the police that the account belonged to his cousin, who had once used his computer. After seeing the media report about the attack, his cousin, identified as Zhang, went into hiding on December 7.

Zhang turned himself to the police on December 11. He confessed that he launched the first attack using software downloaded from the Internet. After he succeeded, he told his friends about his method via QQ. It is clear that one of his friends followed his lead and infiltrated the system the same night.