@OfficialNull just announced the breach of the studyinthestates.dhs.gov, a sub domain of the official dhs.gov site.
Nullcrew dumped some info from the servers including the wp-config.php which contains the database info and database names. Wp-config.php is a PHP file contained in the WordPress CMS, and is the most sensitive file in a WordPress installation. They announced the hack on Twitter with a Pastebin link containing specifics of the hack.
http://twitter.com/OfficialNull/status/287465103912222720
The sub domain was exploited via a local file inclusion (LFI) which allows the attackers to access files on the victim’s system. This exposure comes about when a page include isn’t properly sanitized, and grants directory traversal characters to be injected.
