buckinghamcounty.virginia.gov – IIS5.0 on Win 2000 – Defaced by a Turkish cracker. Possibly he successfully exploited the FrontPage extensions misconfiguration vulnerability. He added his e-mail address. Of course if you contact him to ask what was the method used to deface, most probably he is going to reply that was a 0day vulnerability. What a stupid thing to do (add contact details). I am not going to explain why. He should work his own mind. I’m sure that at some point he is going to check this blog post because his nickname (UyuSsman) will be soon enough indexed in search engines…

genome.nasa.gov/delivery/affy-C2wPDrGz – Apache on Linux – Defaced by an Algerian cracker. Exploited an open door left in a web application. It is NASA! Automatically becomes teh uber h4×0r. LOL. Worths admiring l33t skills that even my grandma could use.

williamsburgva.gov/uk/4ever.htm – IIS6.0 on Win 2003 – Another deface by a Turkish cracker. You can contact him via MSN, just add turkishmember@yahoo.com.br!!! Obviously he is collaborating with Brazilian defacers. Without collaboration he wont be able to climb his way up on Zone-H’s hall of shame board for special defacements.

cncsoig.gov/cum.htm – IIS6.0 on Win 2003 – Defaced by a cracker from Panama. Silly him, named the defaced page “cum.htm”. Notice to how many people sends greets. You can find him at irc.GigaChat.net [Now down for some reason] #core-project, #whackerz, #Xtech, #Segfault – where all the l33t peeps are idling and privately exchanging messages about their achievements. In this defacement there is a reference to the recent arrest of four Chilean crackers who were members of the “Byond Hackers Team”. Most probably the defaced page was influenced from watching too many h4×0r movies! h0h0.

dialog.cancer.gov – IIS5.0 on Win 2000 – Defaced by crackers from the Dominican Republic. They seem to know how to exploit basic SQL injection vulnerabilities. They just defaced the page with the message “D.O.M TEAM 2007 === xarnuz === “. No specific reason for their deface. Just for fun I guess. Surely showing off their team and nicknames to the defacers underground community.

ncilistens.cancer.gov – IIS5.0 on Win 2000 – Defaced by Brazilian crackers. Exploited an SQL injection vulnerability to add “Hacked by AciDmuD – RitualistaS GrouP”. They also added a contact e-mail address.

cncsig.gov – IIS6.0 on Win 2003 – Defaced by Brazilian crackers. Funny thing they call their team “linuXploit_crew”. That means they exploit Linux boxes as well. OMG! Those guys must be uber-l33t0r. So ultimate respect for them. They support that hacking is not a crime. I certainly agree, but what they did is not hacking but cracking, and this is illegal aka a crime.

whitecounty-il.gov/index.html Win 2003
woolwichnj.gov – Apache on Linux – Defaced by Brazilian crackers. Possibly exploited a PHP inclusion vulnerability, called a remote command shell script, checked with “uname -a” that the kernel is vulnerable to a local root exploit, run wget to download a backdoor to a writable directory, run the backdoor, telneted to the specific backdoor port, run wget to download h00lyshit or prctl local root kernel exploits, tested successfully one of the local root exploits, got root, owned the web server. They didn’t even spell right the word “owned” in the defaced page. Quite possibly, maybe they even tried to deceive by changing the kernel version in the defaced page. They would look more l33t that way: “2.6.16-1.2111_FC5smp #1 SMP Thu May 4 21:35:09 EDT 2006 “.

armenia.ca.gov – Apache on Linux – Defaced by a cracker from Saudi Arabia. This guy seems to know who he is, not a hacker, but a “R00T Cracker”. ROFL! Even that, maybe he is lying. Could be a “UID=APACHE Cracker”. You can contact him “For Mor Security” at S4curity@HotMail.Com and Admin@611.Com. This cracker used the same exploitation methodology as the Brazilian group above. No further commentary for this deface…

arb.ca.gov/research – Apache on Linux – Defaced by crackers from Brazil.

Concluding this commentary, all of the above defacements were a result of the following security vulnerabilities which were already known – some for many years now.

- SQL injections (programming mistake)

- PHP inclusion (programming mistake)

- FrontPage Extensions (misconfiguration)

Windows or Unix with enabled FrontPage extensions could be vulnerable due to misconfiguration. If vulnerable, open the target domain or ip as web folder and you are in its webroot. It is very possible that you have write access. What if such misconfiguration exists in a web server which hosts thousand of sites and supports server side languages as ASP and PHP? Attackers can upload scripts which allow them to mass deface in few seconds all the hosted sites, run backdoors, download confidential data if any, use server as part of their botnet and erase all the log files. The best solution is to totally disable FrontPage extensions.

Read this text for more detailed information about web folders and FrontPage extensions.

- Microsoft Data Access Internet Publishing Provider DAV 1.1 and mod_dav (misconfiguration)

Attackers can import a list of high-profiled domains and check against if they allow PUT requests. Using the PoC for this vuln, they can PUT /theirdeface.htm to the webroot of the vulnerable domains. They can even PUT /ntdaddy.asp or other shorter in size web administration scripts in order to grant complete access to the web server. Also Linux web servers with mod_dav could be vulnerable.

The sysadmins, webmasters and web developers surely learnt their lesson. It is always the human factor to blame first for any occurrence of security breaches.

Quite ironic that gov systems are consistently attacked by confused script-kiddies. After all for them is just “show off” game.

More U.S. governmental defacements submitted to Zone-H by the crackers:

DigitalMind woolwichnj.gov Linux
ArREs vil.prentice.wi.gov Linux
S4udi-S3curity-T3rror armenia.ca.gov Linux
Apocalypse cncsoig.gov/cum.htm Win 2003
D.O.M dialog.cancer.gov Win 2000
RitualistaS ncilistens.cancer.gov Win 2000
linuXploit_crew cncsig.gov Win 2003
Kript3X bowmar.gov/hacked.htm Win 2003
soyletmez https://sc-isac.sc.gov Win 2003
SegmentationFault ops.sgp.arm.gov Win 2000
SegmentationFault nevadatreasurer.gov Win 2000
SuZuki commerce.idaho.gov Win 2003
SuZuki community.idaho.gov Win 2003
XTech Inc lmhc.la.gov Win 2003
XTech Inc lmhc.louisiana.gov Win 2003
Phantom Orchid cstx.gov/home Win 2000
BiyoSecurityTeam roundrocktexas.gov Win 2003
S4t4n1c_s0uls csac.ca.gov/doc.asp Win 2003
RootDamages vacsp.gov/news.cfm Win 2003
beyrut-KaI3uS vivote.gov Win 2003
PowerDream leesburgva.gov/pwd.htm Win 2003
SuZuki remember.gov Win 2000
S4udi-S3curity-T3rror armenia.usaid.gov Linux
sinaritx doe.nv.gov Win 2003
s@bun secure.sc.gov//LexSheriff Win 2003
W4n73d_H4ck3r senegal.usaid.gov Win 2000
DigitalMind seagrantdev.noaa.gov Linux
W4n73d_H4ck3r admin.fmcs.gov Win 2003
W4n73d_H4ck3r fmcs.gov Win 2003
DigitalMind seagrantdev.noaa.gov Win 2000
DigitalMind seagrantdev.noaa.gov Win 2000

and many other that we don’t know about…

View the mirrors of the defaced sites on Zone-H and if you want add a comment below:
http://old.zone-h.org/en/defacements/special/filter/filter_domain=gov

Clearly they “promoted” themselves to the script kiddies scene with a “wannabe an elite defacer, thats why I deface .gov/s and publish them on Zone-H” attitude. Of course they will never admit to this and continue to feed their bogus pride until is jail time!!

Nuff said.

This release implements DNS queries against multiple DNS servers, a more efficient threading algorithm and some minor bug fixes.

Quoting from the tool’s official website:

TXDNS main goal is to expose a domain namespace trough a number of techniques:

-Typos
-TLD rotation
-Dictionary attack
-Brute force

TXDNS may be used to:

- Fill the reconnaiscence gap left due to DNS servers hardening, as dns-zone transfers are much like to fail.
- Dig a given domain name for possible phishing variations based on common well-known typo algorithms and return dns queries on both used and not used names.
- Stress-test DNS servers due is configurable aggressive behaviour.

TXDNS provides some cool options, such as:

- Perform queries only for a given Resource Record type:
A, CNAME, HINFO, NS, TXT & SOA
- Perform non-recursive queries.
- Perform queries against a given DNS server.

Read more about the latest version.

Download TXDNS v2.1.5

It is multi threaded and can audit more than one system and account in a given session.

Download SSHatter-0.2

Furthermore, here are the steps which the attacker would follow:

1. Information gathering for the external network
2. Seeking for vulnerabilities & misconfigurations
3. Using flaws to get a shell
4. Information gathering for the internal network
5. Escalating privileges for the internal network
6. Converting internal network to external

Download SuRGeoN’s paper from here: [ srgn-pentest-01.pdf ]

This information is provided to you ONLY for educational purposes. The way that the information in this paper will be used, depends on the individual’s legal and ethical attitudes. YOUR choice!… YOUR risk!…

Comments on the paper are of course welcome. You can also contact SuRGeoN via e-mail: surgeony/\gmail.com (replace /\ with @).

This resource is called when the navigation to a page has been canceled, it displays an error message with a link to reload the current page, however the link is not filtered before being used (successful exploitation requires the user to click on the link). The researcher also explains how the browser does not show in the URL the local resource when it is called, this design flaw can thus be combined with the XSS vulnerability to conduct very dangerous phishing attacks.

A PoC is available on the Aviv Raff’s website:
http://www.raffon.net/research/ms/ie/navcancl/cnn.html
For those who do not have Internet Explorer 7, a video is also provided:
http://raffon.net/videos/ie7navcancl.wmv

Original News #1: http://aviv.raffon.net/2007/03/14/PhishingUsingIE7LocalResourceVulnerability.aspx by Aviv Raff

Original News #2: http://www.xssed.com/news/23/IE7_users_beware_of_Navigation_Canceled_errors/ by Kevin Fernandez

No. I am not a defacer psychologist. I am just expressing my personal opinion on the matter, which is this: If a website defacement doesn’t convey a meaningful message, then it is done for selfish reasons.

A bit of an embarassment for Microsoft’s sysadmins…

The cracker exploited an SQL injection vulnerability in the story.asp file and thus was able to deface the following websites:

http://whatinvestment.money.msn.co.uk Win 2003
http://personalfinance.money.msn.co.uk Win 2003

Screenshot of the defaced website (Click thumbnail to view it):

The most surprising thing – actually not very suprising, judging from past cracking incidents of Microsoft’s systems – is that the website remained defaced for more than 8 hours and the SQL injection vulnerability has not been fixed yet.

Screenshot (Click thumbnail to view it):

You can view the above website defacements and 2.092.360 – as for today at 23:00 GMT – archived digital attacks at Zone-H.org.

“XTech Inc Onwed the Music Industry… and the rest of it ”

Apparently it was hosted in the same webserver with other official german websites of Sony BMG entertainment.

The attackers exploited a web application vulnerability – probably php inclusion – in order to get access to the Solaris 9/10 webserver.

The most probable attack scenario was this: Initially a backdoor through a php shell script was run, then shell access through a terminal to the attackers specified port was aquired. Having done this, if a local root exploit is successful, then the attackers have complete access to the webserver, leaving it vulnerable to other cracking teams, usually for a short time span.

Screenshot of the deface (Click thumbnail to view it):

Here is the list of all the affected websites, along with the OS that they run:

http://britneyspears.de SolarisSunOS
http://stuff.sonybmg.de SolarisSunOS
http://dms.sonybmg.de SolarisSunOS
http://stats.bmg.de SolarisSunOS
http://forum.bmg.de SolarisSunOS
http://research.sonybmg.de SolarisSunOS
http://live.bmg.de SolarisSunOS
http://mediaplayer.sonybmg.de SolarisSunOS

All of the above defacements are archived at Zone-H.org.

Although the official rules of the challenge forbid the disclosure of any vulnerability related information before the end of the challenge, according to the organizers, news information about important vulnerabilities that worth the early attention of the IT community should be made known before public disclosure of the related exploits.

When I visited their website, their latest news read that “EXCLUSIVE Linux Kernel 2.6.x unpatched remote exploit is available at auction to the Platinum Subscription”. The fee for the Platinum Subscription is 80,000 $ for a year!

My question is: Is the vulnerability so important or the early news about it are for the promotional purposes of the company?

I believe is quite obvious that the early news about this vulnerability, were publicized in order to get more people interested in subscribing to their – in my opinion – very very expensive services… Let’s see what will happen after the 31st of December!

Rumors say that the vulnerability affects the Linux Kernel IPv4 and IPv6.