The following is Zone-H.org's statement about the announced "defacement challenge". Zone-H.org has been informed about the upcoming "defacement challenge", a defacer contest scheduled for July 6th in which defacers are challenged to deface as many as 6,000 websites in the shortest time possible.
Credit:
Additional information can be found at:
Government, industry warn of mass hacker attacks on July 6
Sunday hack-a-thon
Hackers organize vandalism contest
Hacking Contest Threatens Web Sites
The original announcement is available from: http://www.zone-h.org/en/news/read/id=2986/
The information has been provided by SyS64738.
It is quite clear, judging by the sharp decrease in defacement notifications over the last few days, that the crackers are not at the beach; rather, they are rooting possible targets without defacing them, so as to have a large stock of ready-to-be-defaced targets for the contest day.
A lot of news items have been written about this contest, many of them reporting serious alerts about possible Internet service disruption. Those who wrote or reported such alerts are obviously not aware of how a defacement is usually done.
Those with a "trained eye", like Zone-H.org, who have analyzed the text on the defacement-challenge website (www.defacers-challenge.com) can see immediately that the "rules" state that there will be no difference in counting between a single defacement (single IP) and a mass-defacement (many domain names on the same IP), and that the time frame for counting defacements will be six hours. This means that most of the defacements will target web servers hosting many web sites (mass-defacements).
Because of this, Zone-H.org does not forecast any disruption of Internet service, as very little traffic will be generated.
In fact, a mass-defacement (even of several thousand domain names) is usually conducted by opening a single connection to the attacked server.
Once root/admin privileges or web server privileges are obtained, a special defacement tool (usually a Perl script) is uploaded and executed.
The tool usually reads the web server's configuration files (such as httpd.conf) and automatically replaces the main pages (index.html etc.) of all hosted websites with the defaced one, thus defacing thousands of websites in a matter of seconds.
Judging by the "rumors", Zone-H.org forecasts that the number of attacks will start from around 20,000.
As usual, Zone-H wants to render a service to the community, so here is its advice for system administrators:
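As an added illustration (not part of Zone-H's statement), the same httpd.conf walk described above turned to the defender's advantage: a Python check that enumerates every DocumentRoot the way a mass-defacement script would, baselines the SHA-256 digest of each site's index page, and reports any page that later differs or disappears. The sample httpd.conf, the temporary docroots and the overwritten page are all constructed for the demonstration.

```python
import hashlib
import os
import re
import tempfile
# Constructed sample httpd.conf: a global DocumentRoot plus two virtual hosts.
SAMPLE_HTTPD_CONF = """
DocumentRoot "/srv/www/default"
<VirtualHost *:80>
    ServerName alpha.example
    DocumentRoot "/srv/www/alpha"
</VirtualHost>
<VirtualHost *:80>
    ServerName beta.example
    DocumentRoot /srv/www/beta
</VirtualHost>
"""
INDEX_NAMES = ("index.html", "index.htm", "index.php")

def document_roots(conf_text):
    """Return the unique DocumentRoot paths (global and per-vhost) named in the config."""
    pattern = re.compile(r'^\s*DocumentRoot\s+"?([^"\s]+)"?', re.MULTILINE)
    return sorted(set(pattern.findall(conf_text)))

def index_hashes(roots, prefix=""):
    """Map each index page found under each DocumentRoot to its SHA-256 digest."""
    hashes = {}
    for root in roots:
        for name in INDEX_NAMES:
            path = os.path.join(prefix + root, name)  # prefix lets the demo use a temp dir
            if os.path.isfile(path):
                with open(path, "rb") as f:
                    hashes[os.path.join(root, name)] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def changed_pages(baseline, current):
    """Index pages whose digest differs from the baseline, or that have vanished."""
    return sorted(page for page, digest in baseline.items() if current.get(page) != digest)

def demo():
    """Create the docroots in a temp dir, baseline them, overwrite one page, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        roots = document_roots(SAMPLE_HTTPD_CONF)
        for root in roots:
            os.makedirs(tmp + root)
            with open(os.path.join(tmp + root, "index.html"), "w") as f:
                f.write("<h1>%s</h1>" % root)
        baseline = index_hashes(roots, prefix=tmp)
        # Simulate a mass-defacement script replacing one site's front page.
        with open(tmp + "/srv/www/beta/index.html", "w") as f:
            f.write("defaced")
        return changed_pages(baseline, index_hashes(roots, prefix=tmp))
```

In production the baseline would be stored off-box and compared on a schedule; a sudden change across many docroots at once is the signature of exactly the tool described above.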
Defacers usually look for easy targets. Mass defacers in a hurry (as they will be on July 6th) will look for even easier targets.
As such, all web server administrators must:
- Download and apply all the possible official patches released by the software producers
- Shut down all the unnecessary modules
- Close all the unnecessary ports
- Download one of the many vulnerability scanners or run an automated security check on their own system
Administrators managing their own private server need not be more concerned than usual, while administrators managing the servers of web hosting companies should be concerned.
It is unlikely that any server will actually be hacked on July 6th. Most of the servers attacked that day will most likely have been compromised by crackers a few days before the contest.
Because of this, having downloaded and installed the patches and shut down the unnecessary services is not enough. It is very possible that a backdoor/rootkit has already been installed by the attacker so that patching by the system administrator does not lock the attacker out of the server.
Considering this, Zone-H advises all system administrators to:
- Check for any freshly added user in the user list (shadow file, SAM file, etc.)
- Check for any suspicious connection on the open ports
- Run a Trojan/backdoor checking program
- Look for any suspicious shell program
Zone-H.org also wants to remind administrators that the vulnerabilities most recently exploited by defacers are in the following packages/services:
- OpenSSL
- Samba
- WebDAV
- FrontPage extension misconfiguration
- AIX FTPd
- Solaris telnetd
- Sendmail
- Wuftpd
- ProFTPd
- PHPNuke (not used for mass defacement, but still an ever-present one)
- OmniBack II
- Cpanel