
Filed under: Defacements, Exploits, Hacktivism
posted by D1m on 05 Apr 2008 01:32 pm

Jun 2007 – Feb 2008 U.S. Gov Website Defacements + Commentary

Below is a list of US governmental websites which were defaced by crackers – or elite hackers, as the media would say – from 26 June 2007 until late February 2008. It is quite interesting that most of the security vulnerabilities affecting the following *.gov websites have been known for some years now.

buckinghamcounty.virginia.gov – IIS5.0 on Win 2000 – Defaced by a Turkish cracker. He possibly exploited the FrontPage extensions misconfiguration vulnerability. He added his e-mail address. Of course, if you contact him to ask what method was used to deface, most probably he is going to reply that it was a 0day vulnerability. What a stupid thing to do (add contact details). I am not going to explain why. He should use his own mind. I’m sure that at some point he is going to check this blog post because his nickname (UyuSsman) will soon enough be indexed in search engines… :P

genome.nasa.gov/delivery/affy-C2wPDrGz – Apache on Linux – Defaced by an Algerian cracker. Exploited an open door left in a web application. It is NASA! Automatically becomes teh uber h4x0r. LOL. Worth admiring l33t skills that even my grandma could use.

williamsburgva.gov/uk/4ever.htm – IIS6.0 on Win 2003 – Another deface by a Turkish cracker. You can contact him via MSN, just add turkishmember@yahoo.com.br!!! Obviously he is collaborating with Brazilian defacers. Without collaboration he won’t be able to climb his way up Zone-H’s hall of shame board for special defacements.

cncsoig.gov/cum.htm – IIS6.0 on Win 2003 – Defaced by a cracker from Panama. Silly him, he named the defaced page “cum.htm”. Notice how many people he sends greets to. You can find him at irc.GigaChat.net [Now down for some reason] #core-project, #whackerz, #Xtech, #Segfault – where all the l33t peeps are idling and privately exchanging messages about their achievements. In this defacement there is a reference to the recent arrest of four Chilean crackers who were members of the “Byond Hackers Team”. Most probably the defaced page was influenced by watching too many h4x0r movies! h0h0.

dialog.cancer.gov – IIS5.0 on Win 2000 – Defaced by crackers from the Dominican Republic. They seem to know how to exploit basic SQL injection vulnerabilities. They just defaced the page with the message “D.O.M TEAM 2007 === xarnuz === “. No specific reason for their deface. Just for fun I guess. Surely showing off their team and nicknames to the defacers underground community.

ncilistens.cancer.gov – IIS5.0 on Win 2000 – Defaced by Brazilian crackers. Exploited an SQL injection vulnerability to add “Hacked by AciDmuD – RitualistaS GrouP”. They also added a contact e-mail address.

cncsig.gov – IIS6.0 on Win 2003 – Defaced by Brazilian crackers. Funny thing, they call their team “linuXploit_crew”. That means they exploit Linux boxes as well. OMG! Those guys must be uber-l33t0r. So ultimate respect for them. They claim that hacking is not a crime. I certainly agree, but what they did is not hacking but cracking, and this is illegal aka a crime.

whitecounty-il.gov/index.html Win 2003
woolwichnj.gov – Apache on Linux – Defaced by Brazilian crackers. Possibly they exploited a PHP inclusion vulnerability, called a remote command shell script, checked with “uname -a” that the kernel was vulnerable to a local root exploit, ran wget to download a backdoor to a writable directory, ran the backdoor, telnetted to the specific backdoor port, ran wget to download the h00lyshit or prctl local root kernel exploits, successfully tested one of the local root exploits, got root, owned the web server. They didn’t even spell the word “owned” right in the defaced page. Quite possibly they even tried to deceive by changing the kernel version in the defaced page. They would look more l33t that way: “2.6.16-1.2111_FC5smp #1 SMP Thu May 4 21:35:09 EDT 2006 “.

armenia.ca.gov – Apache on Linux – Defaced by a cracker from Saudi Arabia. This guy seems to know who he is, not a hacker, but a “R00T Cracker”. ROFL! Even then, maybe he is lying. Could be a “UID=APACHE Cracker”. You can contact him “For Mor Security” at S4curity@HotMail.Com and Admin@611.Com. This cracker used the same exploitation methodology as the Brazilian group above. No further commentary for this deface… :-P

arb.ca.gov/research – Apache on Linux – Defaced by crackers from Brazil.

Concluding this commentary, all of the above defacements were a result of the following security vulnerabilities which were already known – some for many years now.

- SQL injections (programming mistake)

- PHP inclusion (programming mistake)

- FrontPage Extensions (misconfiguration)

Windows or Unix servers with FrontPage extensions enabled could be vulnerable due to misconfiguration. If vulnerable, open the target domain or IP as a web folder and you are in its webroot. It is very possible that you have write access. What if such a misconfiguration exists on a web server which hosts thousands of sites and supports server-side languages such as ASP and PHP? Attackers can upload scripts which allow them to mass deface all the hosted sites in a few seconds, run backdoors, download confidential data if any, use the server as part of their botnet and erase all the log files. The best solution is to totally disable FrontPage extensions.

Read this text for more detailed information about web folders and FrontPage extensions.

- Microsoft Data Access Internet Publishing Provider DAV 1.1 and mod_dav (misconfiguration)

Attackers can import a list of high-profile domains and check whether they allow PUT requests. Using the PoC for this vuln, they can PUT /theirdeface.htm to the webroot of the vulnerable domains. They can even PUT /ntdaddy.asp or other smaller web administration scripts in order to gain complete access to the web server. Linux web servers with mod_dav could also be vulnerable.
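For sysadmins who want to know whether either misconfiguration has already been used against them, here is an added example (not part of the original post) that scans an access log for write requests the server actually accepted. It assumes Apache common/combined log format, treats only 2xx responses as accepted, and matches the FrontPage Server Extensions authoring and admin RPC endpoints under /_vti_bin/; the sample log lines are constructed.

```python
import re

# Apache common/combined log format: host ident user [time] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# WebDAV / HTTP methods that change content on the server.
DAV_WRITE = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# FrontPage Server Extensions authoring/admin RPC endpoints (.dll on IIS, .exe on Apache).
FP_RPC = re.compile(r"/_vti_bin/_vti_(aut/author|adm/admin)\.(dll|exe)", re.I)
# Server-side script extensions: a write to one of these is code upload, not just a deface.
SCRIPT_EXT = re.compile(r"\.(asp|aspx|asa|php\d?|cgi|pl|jsp|cfm)(\?|$)", re.I)


def classify(line):
    """Return (severity, reason, ip, path) for a suspicious line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, path, status = m["method"], m["path"], int(m["status"])
    if not 200 <= status < 300:
        return None  # 401/403/405 means the server refused the write
    if method in DAV_WRITE:
        sev = "critical" if SCRIPT_EXT.search(path) else "high"
        return (sev, f"WebDAV {method} accepted ({status})", m["ip"], path)
    if method == "POST" and FP_RPC.search(path):
        return ("high", f"FrontPage authoring RPC served ({status})", m["ip"], path)
    return None


def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [05/Apr/2008:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/Apr/2008:10:02:13 +0000] "PUT /news.htm HTTP/1.1" 201 0',
    '198.51.100.7 - - [05/Apr/2008:10:02:40 +0000] "PUT /tools/admin.asp HTTP/1.1" 201 0',
    '203.0.113.5 - - [05/Apr/2008:10:05:02 +0000] "PUT /x.htm HTTP/1.1" 403 199',
    '203.0.113.9 - - [05/Apr/2008:10:07:55 +0000] "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1" 200 412',
    '192.0.2.10 - - [05/Apr/2008:10:09:00 +0000] "POST /_vti_bin/shtml.dll HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for sev, reason, ip, path in scan(SAMPLE):
        print(f"{sev:8} {ip:15} {path}  <- {reason}")
```

A hit on a FrontPage endpoint only means the RPC was served and should be reviewed; an accepted PUT from an address that is not your own publishing host means the webroot is writable over HTTP.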

The sysadmins, webmasters and web developers surely learnt their lesson. The human factor is always the first to blame for any security breach.

Quite ironic that gov systems are consistently attacked by confused script-kiddies. After all, for them it is just a “show off” game.

More U.S. governmental defacements submitted to Zone-H by the crackers:

DigitalMind woolwichnj.gov Linux
ArREs vil.prentice.wi.gov Linux
S4udi-S3curity-T3rror armenia.ca.gov Linux
Apocalypse cncsoig.gov/cum.htm Win 2003
D.O.M dialog.cancer.gov Win 2000
RitualistaS ncilistens.cancer.gov Win 2000
linuXploit_crew cncsig.gov Win 2003
Kript3X bowmar.gov/hacked.htm Win 2003
soyletmez https://sc-isac.sc.gov Win 2003
SegmentationFault ops.sgp.arm.gov Win 2000
SegmentationFault nevadatreasurer.gov Win 2000
SuZuki commerce.idaho.gov Win 2003
SuZuki community.idaho.gov Win 2003
XTech Inc lmhc.la.gov Win 2003
XTech Inc lmhc.louisiana.gov Win 2003
Phantom Orchid cstx.gov/home Win 2000
BiyoSecurityTeam roundrocktexas.gov Win 2003
S4t4n1c_s0uls csac.ca.gov/doc.asp Win 2003
RootDamages vacsp.gov/news.cfm Win 2003
beyrut-KaI3uS vivote.gov Win 2003
PowerDream leesburgva.gov/pwd.htm Win 2003
SuZuki remember.gov Win 2000
S4udi-S3curity-T3rror armenia.usaid.gov Linux
sinaritx doe.nv.gov Win 2003
s@bun secure.sc.gov//LexSheriff Win 2003
W4n73d_H4ck3r senegal.usaid.gov Win 2000
DigitalMind seagrantdev.noaa.gov Linux
W4n73d_H4ck3r admin.fmcs.gov Win 2003
W4n73d_H4ck3r fmcs.gov Win 2003
DigitalMind seagrantdev.noaa.gov Win 2000
DigitalMind seagrantdev.noaa.gov Win 2000

and many others that we don’t know about…

View the mirrors of the defaced sites on Zone-H and, if you want, add a comment below:

Clearly they “promoted” themselves to the script kiddies scene with a “wannabe an elite defacer, that’s why I deface .gov/s and publish them on Zone-H” attitude. Of course they will never admit to this and will continue to feed their bogus pride until it is jail time!! :P

Nuff said.

3 Responses to “Jun 2007 – Feb 2008 U.S. Gov Website Defacements + Commentary”

  1. on 03 Oct 2008 at 9:06 pm 1.Informed said …

    Actually, the linuXploit_crew uses programs to get in, and doesn’t actually know how to get into linux boxes. They are from Brazil, and a friend of mine happens to know them and has found errors in their algorithms several times in the past. He says they are lazy degenerates who act as a “consulting firm.”

    Give them no respect here… :\

  2. on 04 Oct 2008 at 5:40 am 2.D1m said …

    I do not give them respect. Used an ironic approach here… :-)

  3. on 05 Oct 2008 at 12:06 pm 3.Tracey said …

    I personally think that although a pain in the butt these hackers can be they also show us how vulnerable our servers and websites can be. So long as we are backed up to the hilt then what’s the big deal with website defacing and hacking

