buckinghamcounty.virginia.gov – IIS5.0 on Win 2000 – Defaced by a Turkish cracker. Possibly he successfully exploited the FrontPage extensions misconfiguration vulnerability. He added his e-mail address. Of course if you contact him to ask what was the method used to deface, most probably he is going to reply that was a 0day vulnerability. What a stupid thing to do (add contact details). I am not going to explain why. He should work his own mind. I’m sure that at some point he is going to check this blog post because his nickname (UyuSsman) will be soon enough indexed in search engines…

genome.nasa.gov/delivery/affy-C2wPDrGz – Apache on Linux – Defaced by an Algerian cracker. Exploited an open door left in a web application. It is NASA! Automatically becomes teh uber h4×0r. LOL. Worths admiring l33t skills that even my grandma could use.

williamsburgva.gov/uk/4ever.htm – IIS6.0 on Win 2003 – Another deface by a Turkish cracker. You can contact him via MSN, just add turkishmember@yahoo.com.br!!! Obviously he is collaborating with Brazilian defacers. Without collaboration he wont be able to climb his way up on Zone-H’s hall of shame board for special defacements.

cncsoig.gov/cum.htm – IIS6.0 on Win 2003 – Defaced by a cracker from Panama. Silly him, named the defaced page “cum.htm”. Notice to how many people sends greets. You can find him at irc.GigaChat.net [Now down for some reason] #core-project, #whackerz, #Xtech, #Segfault – where all the l33t peeps are idling and privately exchanging messages about their achievements. In this defacement there is a reference to the recent arrest of four Chilean crackers who were members of the “Byond Hackers Team”. Most probably the defaced page was influenced from watching too many h4×0r movies! h0h0.

dialog.cancer.gov – IIS5.0 on Win 2000 – Defaced by crackers from the Dominican Republic. They seem to know how to exploit basic SQL injection vulnerabilities. They just defaced the page with the message “D.O.M TEAM 2007 === xarnuz === “. No specific reason for their deface. Just for fun I guess. Surely showing off their team and nicknames to the defacers underground community.

ncilistens.cancer.gov – IIS5.0 on Win 2000 – Defaced by Brazilian crackers. Exploited an SQL injection vulnerability to add “Hacked by AciDmuD – RitualistaS GrouP”. They also added a contact e-mail address.

cncsig.gov – IIS6.0 on Win 2003 – Defaced by Brazilian crackers. Funny thing they call their team “linuXploit_crew”. That means they exploit Linux boxes as well. OMG! Those guys must be uber-l33t0r. So ultimate respect for them. They support that hacking is not a crime. I certainly agree, but what they did is not hacking but cracking, and this is illegal aka a crime.

whitecounty-il.gov/index.html Win 2003
woolwichnj.gov – Apache on Linux – Defaced by Brazilian crackers. Possibly exploited a PHP inclusion vulnerability, called a remote command shell script, checked with “uname -a” that the kernel is vulnerable to a local root exploit, run wget to download a backdoor to a writable directory, run the backdoor, telneted to the specific backdoor port, run wget to download h00lyshit or prctl local root kernel exploits, tested successfully one of the local root exploits, got root, owned the web server. They didn’t even spell right the word “owned” in the defaced page. Quite possibly, maybe they even tried to deceive by changing the kernel version in the defaced page. They would look more l33t that way: “2.6.16-1.2111_FC5smp #1 SMP Thu May 4 21:35:09 EDT 2006 “.

armenia.ca.gov – Apache on Linux – Defaced by a cracker from Saudi Arabia. This guy seems to know who he is, not a hacker, but a “R00T Cracker”. ROFL! Even that, maybe he is lying. Could be a “UID=APACHE Cracker”. You can contact him “For Mor Security” at S4curity@HotMail.Com and Admin@611.Com. This cracker used the same exploitation methodology as the Brazilian group above. No further commentary for this deface…

arb.ca.gov/research – Apache on Linux – Defaced by crackers from Brazil.

Concluding this commentary, all of the above defacements were a result of the following security vulnerabilities which were already known – some for many years now.

- SQL injections (programming mistake)

- PHP inclusion (programming mistake)

- FrontPage Extensions (misconfiguration)

Windows or Unix with enabled FrontPage extensions could be vulnerable due to misconfiguration. If vulnerable, open the target domain or ip as web folder and you are in its webroot. It is very possible that you have write access. What if such misconfiguration exists in a web server which hosts thousand of sites and supports server side languages as ASP and PHP? Attackers can upload scripts which allow them to mass deface in few seconds all the hosted sites, run backdoors, download confidential data if any, use server as part of their botnet and erase all the log files. The best solution is to totally disable FrontPage extensions.

Read this text for more detailed information about web folders and FrontPage extensions.

- Microsoft Data Access Internet Publishing Provider DAV 1.1 and mod_dav (misconfiguration)

Attackers can import a list of high-profiled domains and check against if they allow PUT requests. Using the PoC for this vuln, they can PUT /theirdeface.htm to the webroot of the vulnerable domains. They can even PUT /ntdaddy.asp or other shorter in size web administration scripts in order to grant complete access to the web server. Also Linux web servers with mod_dav could be vulnerable.

The sysadmins, webmasters and web developers surely learnt their lesson. It is always the human factor to blame first for any occurrence of security breaches.

Quite ironic that gov systems are consistently attacked by confused script-kiddies. After all for them is just “show off” game.

More U.S. governmental defacements submitted to Zone-H by the crackers:

DigitalMind woolwichnj.gov Linux
ArREs vil.prentice.wi.gov Linux
S4udi-S3curity-T3rror armenia.ca.gov Linux
Apocalypse cncsoig.gov/cum.htm Win 2003
D.O.M dialog.cancer.gov Win 2000
RitualistaS ncilistens.cancer.gov Win 2000
linuXploit_crew cncsig.gov Win 2003
Kript3X bowmar.gov/hacked.htm Win 2003
soyletmez https://sc-isac.sc.gov Win 2003
SegmentationFault ops.sgp.arm.gov Win 2000
SegmentationFault nevadatreasurer.gov Win 2000
SuZuki commerce.idaho.gov Win 2003
SuZuki community.idaho.gov Win 2003
XTech Inc lmhc.la.gov Win 2003
XTech Inc lmhc.louisiana.gov Win 2003
Phantom Orchid cstx.gov/home Win 2000
BiyoSecurityTeam roundrocktexas.gov Win 2003
S4t4n1c_s0uls csac.ca.gov/doc.asp Win 2003
RootDamages vacsp.gov/news.cfm Win 2003
beyrut-KaI3uS vivote.gov Win 2003
PowerDream leesburgva.gov/pwd.htm Win 2003
SuZuki remember.gov Win 2000
S4udi-S3curity-T3rror armenia.usaid.gov Linux
sinaritx doe.nv.gov Win 2003
s@bun secure.sc.gov//LexSheriff Win 2003
W4n73d_H4ck3r senegal.usaid.gov Win 2000
DigitalMind seagrantdev.noaa.gov Linux
W4n73d_H4ck3r admin.fmcs.gov Win 2003
W4n73d_H4ck3r fmcs.gov Win 2003
DigitalMind seagrantdev.noaa.gov Win 2000
DigitalMind seagrantdev.noaa.gov Win 2000

and many other that we don’t know about…

View the mirrors of the defaced sites on Zone-H and if you want add a comment below:
http://old.zone-h.org/en/defacements/special/filter/filter_domain=gov

Clearly they “promoted” themselves to the script kiddies scene with a “wannabe an elite defacer, thats why I deface .gov/s and publish them on Zone-H” attitude. Of course they will never admit to this and continue to feed their bogus pride until is jail time!!

Nuff said.

Almost everyday I visit Zone-H’s archive of special digital attacks, I find that at least 1 or 2 attacks were done against US governmental web servers. The domain suffix of the defaced websites was *.gov. Does this fact means that they are totally secure? I don’t think so… Obviously the web servers may host very confidential data. In this case the web server administrators seemed to have allowed threats against governmental assets. Any unwanted consequences that a breach of security can lead to, are mainly caused by the irresponsibility and lazyness of system administrators and web developers.

The methodology for defacing a website is pretty standard. Here is the standard sequence of tasks that normally the crackers/defacers would follow: Footprinting, scanning, enumeration, penetration, attack, covering of tracks and installation of backdoors. As I mentioned before, the motivations for defacing any website are various, whereas when defacing governmental websites, could be a promotion of an ideology, revenge, or just a challenge.

I don’t believe that people who are serial website defacers hold good real-life jobs, or any job at all. This is just my personal opinion which is based on the fact that defacing is illegal in most countries – thus involving a high risk of getting arrested - and requires some basic knowledge, time, and patience. Advanced knowledge of technical and theoretical network security issues is not always required to deface. I think that understanding IT security theories, enhances intelligently your logical application of related practicalities. Achieving a deface could require the application of a complex exploitation methodology. This is enough reason to give up for some defacers without patience and with incomplete knowledge.

Tools assisting each step mentioned in the last paragraph are widely available for free on the internet. Most of the authors coded them for ethical, legal and educational use. Of course some were specifically coded for easily generating domain lists, exploiting security vulnerabilities, and mass-defacing websites. These are not easy to find on the web, nor are that difficult to code. Instead, individual defacers and groups exchange them in IRC channels, private forums  and servers, and through instant messengers.

One example of such an IRC server is irc.gigachat.net.

Script kiddies who deface, prefer to use fancy GUIs for tools rather than command line. Command line tools seem to exceed their learning and memory capabilities, or they don’t have the will and patience to research and analyze effective methodologies used by professionals in netsec pen-testing. They would be more technically skilled and better exercise their brain to remember simple and complex command sequences in multi-OS environments. Plus they would develop their practical skill-set which may be necessary if they choose to follow an IT career at some point – if they don’t end up in jail.

Depending on their ethical and legal attitudes, usually what they want is to quickly accomplish breaking in a network, maybe lookup for confidential data, download them and deface the home pages of hosted sites. Always counting in exceptions, most probably they didn’t use their own exploits, but what was already public.

Now I’m going to quote from another of my posts the following:

“In the mind and soul of the crackers who deface high-profiled websites, there is a false sense of pride. They think that it reflects their cracking skills and status in the defacers scene. For them defacing is more like a game. The messages shown in their defacements are more like an excuse for taking part in this game. The real motivation and reasoning behind their attacks, in most of the cases is not political, patriotic or other; but is just to show off themselves and their country to the world…

They attach a nickname to their personalities and cracking abilities, and they try to raise its status in the scene. They like searching for their nicknames in news websites and showing off the link to other crackers in their IRC channel, other channels, or through their websites.”

You will be ignored if you request mentioned tools or help to deface a website. Comments are welcome of course.

XSSed.com is also an attempt to spread education and awareness about XSS to IT professionals and amateurs involved or interested in secure web application development.

The project is run by Kevin Fernandez and Dimitris Pagkalos.
There are still a lot of improvements in the TODO list including the ones listed below:
-RSS feeds.
-Search filters.
-More statistics.
-Submit POST data in the submission page.
-Add public and protected informations with the submitted XSS (more details will soon be available).
-Additional informations will be published on the mirror page (for instance the use of a specific browser to reproduce the vulnerability).

Submitting XSS vulnerable websites, should not be seen as a game for getting the lead in total submissions. Nevertheless we encourage you to submit XSS vulnerable websites for the greater good of a secure web. As RSnake commented on his blog post about XSSed.com, “It’s not who finds the most, it’s about the ease of finding them, the difficulty in stopping them, the various vectors, etc…”. We seriously take in consideration such comments and suggestions for improvements by people with significant experience and expertise in the web application security field.

We call for papers and video tutorials that focus on exploiting XSS vulnerabilities and on preventing them.

Since the launch of XSSed.com, we received many notifications of high-profiled websites that got XSS’ed.

Here is a list of notable XSS’ed websites in the archive:

hushmail.com
youtube.com
members.microsoft.com
netscape.com
*.search.yahoo.com
my.screenname.aol.com
my.imageshack.us
register.go.com
cafepress.com
thawte.com
verisign.com
zonelabs.com
www4.symantec.com
domaintools.com
controlpanel.netfirms.com
2600.com
sun.com
*.globo.com – Famous portal in Brazil
*.mynet.com – Famous portal in Turkey
login.pathfinder.gr – Famous portal in Greece

plus many other “special” websites, including governmental and military…

So far we have had visitors and submitters from – in order of number of visits – Turkey, Italy, United Kingdom, United States, Brazil, France, Russia, Germany, Czech Republic and Pakistan. We would like to thank you for supporting our project.

The XSS attack vectors used on the archived websites, were from RSnake’s XSS cheat sheet.

Zone-H.org has listed the following reasons in the “Attacks Notification” page:

- As a challenge
- Heh…just for fun!
- I just want to be the best defacer
- Not available
- Patriotism
- Political reasons
- Revenge against that website

Here is a list of notable hand picked defacements – archived in Zone-H.org:

US Governmental:

http://dbreports.lanl.gov Win 2003
http://learnlinc.oph.dhh.louisiana.gov Win 2000
http://elbertcounty-co.gov/events.asp Win 2000
http://gis.sedgwick.gov Win 2003
http://gis2.sedgwick.gov Win 2003
http://azdps.gov/inf4z.htm Win 2000
http://csdr-cde.ca.gov/nhst.htm Win 2003
http://join.cio.ca.gov/data/d7j.htm FreeBSD

http://appointments.ca.gov/3D.htm

Famous dot-coms:

http://flightpak.paramount.com Win 2000
http://vassiebel.volvo.com Win 2003
http://ecommercesuite.usbank.com Win 2003
http://panasonickorea.com Linux
http://beta.cmt.msn.com Win 2003

Famous dot-nets:

http://self.wind.it.net/ownz.htm SolarisSunOS
http://korea.net Win 2000

Most defacers of the above websites originate from Turkey, Brazil and Iran.

The sysadmins of insecure webservers and the developers of insecure web applications are mostly responsible for the cracking incidents. It appears to me that the crackers don’t have a specific target.

What they do most of the times, is to use a Netcraft and a Google website list generator. After they import the list into a scanner and scan thousands of websites for possible SQL injections, PHP inclusions, directory traversals, information leaks and other security vulnerabilities. There have been many cases of crackers using social engineering techniques, such as pretexting and phishing, in order to grant access priviledges to confidential information.

Screenshot of a Turkish Googler generating a list of *.gov/s (Click on thumbnail to view it):

No. I am not a defacer psychologist. I am just expressing my personal opinion on the matter, which is this: If a website defacement doesn’t convey a meaningful message, then it is done for selfish reasons.

A bit of an embarassment for Microsoft’s sysadmins…

The cracker exploited an SQL injection vulnerability in the story.asp file and thus was able to deface the following websites:

http://whatinvestment.money.msn.co.uk Win 2003
http://personalfinance.money.msn.co.uk Win 2003

Screenshot of the defaced website (Click thumbnail to view it):

The most surprising thing – actually not very suprising, judging from past cracking incidents of Microsoft’s systems – is that the website remained defaced for more than 8 hours and the SQL injection vulnerability has not been fixed yet.

Screenshot (Click thumbnail to view it):

You can view the above website defacements and 2.092.360 – as for today at 23:00 GMT – archived digital attacks at Zone-H.org.

“XTech Inc Onwed the Music Industry… and the rest of it ”

Apparently it was hosted in the same webserver with other official german websites of Sony BMG entertainment.

The attackers exploited a web application vulnerability – probably php inclusion – in order to get access to the Solaris 9/10 webserver.

The most probable attack scenario was this: Initially a backdoor through a php shell script was run, then shell access through a terminal to the attackers specified port was aquired. Having done this, if a local root exploit is successful, then the attackers have complete access to the webserver, leaving it vulnerable to other cracking teams, usually for a short time span.

Screenshot of the deface (Click thumbnail to view it):

Here is the list of all the affected websites, along with the OS that they run:

http://britneyspears.de SolarisSunOS
http://stuff.sonybmg.de SolarisSunOS
http://dms.sonybmg.de SolarisSunOS
http://stats.bmg.de SolarisSunOS
http://forum.bmg.de SolarisSunOS
http://research.sonybmg.de SolarisSunOS
http://live.bmg.de SolarisSunOS
http://mediaplayer.sonybmg.de SolarisSunOS

All of the above defacements are archived at Zone-H.org.

Just one confused kid who praises the devil – Devil Hacker – with his fellow pal Unix Web. Both from Jeddah in Saudi Arabia.

Students with too much time on their hands. They proved that they can use a basic backdoor, change the DNS and use the exploits that come together with some security advisories.

If you look at Devil Hacker’s blog, you will immediately notice some really lame posts and links to lame – “im going to show you what my cracking skills are” – videos.

Devil Hacker’s blog (muhahahaha):
www.dev.blogfa.com

I must admit though… These guys have skills in following the instructions…

What were their motives? Publicity. I’m sure the one went to the other’s house and searched for their nicknames on a search engine. A few good laughs, a false sense of pride. Now lets go listen to Marilyn Manson!

Neither hackers or crackers! Just script kiddies – computer power users.
Real hackers and crackers don’t post their e-mail addresses, they don’t say from where they are from, they don’t say who they are.

Nuff said.

What seems obvious to me – after viewing most of those defacements on the Zone-H digital attacks archive – is that their motives are not fully justified. Most of these crackers – better say “script kiddies” – are using publicly available exploits for known vulnerabilities, and by applying logic on how to use them, they succeed in the end at gaining access on webservers.

The fact that the attacked webservers belong to the US government, doesn’t necessarily mean that there is adequate security implemented.

Apart from the little warning/disclaimer that they put on their websites as a scare tactic for crackers, there is very little done on tracing and catching the crackers who successfully broke into their webservers. Setting up honeypots on their systems in order to track the techniques and methodologies which are used by crackers, is certainly helpful knowledgewise.

In the mind and soul of the crackers who deface high-profiled websites, there is a false sense of pride. They think that it reflects their cracking skills and status in the defacers scene. For them, defacing is more like a game. The messages shown in their defacements, are more like an excuse for taking part in this game. The real motivation and reasoning behind their attacks, in most of the cases is not political, patriotic or other; but is just to show off themselves and their country to the world…

They attach a nickname to their personalities and cracking abilities, and they try to raise its status in the scene. They like searching for their nicknames in news websites and showing off the link to other crackers in their IRC channel, other channels, or through their websites.

Below is the list of all the *.gov websites that were defaced in the past 27 days, along with the OS that they run:

(Visit Zone-H.org to view the defacements)

https://www.cahps.ahrq.gov/content/cahpsOverview/faqanswer.asp Win 2000
http://learnabouteva.dgs.virginia.gov/FAQ Win 2003
http://mail.vi.gov/ibh.html Win 2003
http://webmail.vi.gov/index.html Win 2003
http://nd.gov/ndins/communications Linux
http://hca.montgomerycountymd.gov/govtmpl.asp Win 2000
http://fairfaxva.gov/personnel/Jobs.asp Win 2003
http://cstx.gov/home/index.asp Win 2000
https://ssl.cstx.gov/csjobs/job_list.asp Win 2000
http://oss.monroecounty-fl.gov/1923tg.htm Win 2000
http://asc.gov/default.aspx Win 2003
http://eppcapps.ky.gov/earthday/ideas.aspx Win 2003
http://tncarefraud.tennessee.gov/newsAndInfo.aspx Win 2003
http://floydcounty.in.gov Win 2000
http://radsite.lbl.gov/testhost.htm FreeBSD
http://hobbes.lbl.gov/ibh.htm FreeBSD
http://floyd.lbl.gov/ibh.htm FreeBSD
http://archivesindex.sc.gov Win 2000
https://fortress.wa.gov/dshs/f2ws03esaapps/stars/newsarchive.asp FreeBSD

Website defacement [2] is the substitution of an original home page by a system cracker/hacker. It is illegal in most countries as is considered an unauthorized computer access, data modification and denial of service. Crackers/hackers are usually defacing websites to spread messages and beliefs. Some of them are politically, socially and religiously motivated – given the term hacktivists – and some other just deface for the thrill.

A website defacement can create serious problems for companies as it they affects negatively their public image on the internet and in general. Victim companies may stop their transactions in order to repair the affected computer systems and thus lose money. It can also make their existing customers or potential future customers to lose faith in the company as it is evidence that their web server was broken into due to lack of security.

Hacktivism [1] is the act of hacking, or breaking into computer systems (including website defacements), usually to promote political, social and religious ideology – promoting expressive politics, free speech, human rights, or information ethics – and is not specifically motivated by malicious, curious or criminal intents.

What are your views on hacktivism with respect to website defacing? (Generally and legislationwise)

Sources:

[1] http://en.wikipedia.org/wiki/Hacktivism

[2] http://en.wikipedia.org/wiki/Website_defacement