[Dshield] FW: [ISN] Zone-H.org statement about the announced defacement cha llenge

David Vincent david.vincent at mightyoaks.com
Thu Jul 3 15:30:54 GMT 2003


SyS64738 - G00db0y

Zone-H.org statement about the announced "defacement challenge" We at
Zone-H have been informed about the oncoming "defacement challenge", a
defacer contest that should happen July 6th in which defacers are
challenged to deface as many as 6.000 in the shortest time as

It is quite clear, judging by the sharp decrease of the defacement
notifications occoured during the last days, that the crackers aren't
at the beach but they are rather rooting possible targets without
defacing them, so to be ready with a lot of ready-to-be-defaced
targets to be used on the contest day.

Many news have been written about this contest, many of them they were
reporting serious alerts about possible Internet service disruption.  
Those who wrote or reported such alert are obviously not aware about
how a defacement is usually done.

Those who have a "trained eye" like Zone-H, when analizing the text
reported on the defacement-challenge website
(www.defacers-challenge.com) understood immediately that being the
"rules" stating that there will not be any difference when counting a
single defacement (single IP) or a mass-defacement (many domain names
on the same IP) and the given time frame will be only six hours, what
is mostly going to happen is that a lot of web hosting companies will
be hit, instead than single servers belonging to different companies.

Due to this, we don't forecast any possible disruption in the Internet
service as very little traffic will be generated.

In fact, a mass-defacement (even of several thousands domain names) is
usually conducted opening a SINGLE connection to the attacked server.  
Once obtained either root/admin priviledges or webserver priviledges,
a special defacement tool (maybe a perl script) is usually uploaded.

This tool reads from the webserver configuration files like httpd.conf
and automatically substitutes all the main pages (index.html etc) of
the hosted websites with the defaced one, doing the job of defacing
thousands of websites in a matter of seconds.

Judging by the "rumors", we at Zone-H are forecasting an amount of
attacks starting from anywhere around 20.000 and up.

As usual, Zone-H wants to render a service to the community so here is
our advices for the sysadmins:

Defacers are usually looking for easy targets, mass defacers in a
hurry (as they'll be on July 6th) are looking for even easier targets.  
All the webserver administrators must :

- download and apply all the possible official patches released by the 
  software producers

- shut down all the unnecessary modules 

- close all the unnecessary ports

- download one of the many vulnerability scanners and run a security 
  check on their own system

Administrators managing their own private server shouldn't be
concerned more than usual, while administrators who are managing
servers of web-hosting companies should be VERY MUCH concerned.

It is unlikely that any server will be hacked July 6th. Most of the
servers that will be attacked that day are most likely conquered by
crackers a few days before the contest.

Due to this, the fact that you downloaded and installed the patches
and shut down the unnecessary services is not enough. In fact it is
very possible that a backdoor/rootkit has been installed by the
attacker to prevent sysadmins to ban future access to their servers
because of patching.

Considering this, we advice all the sysadmins to :

- check for any freshly added user in the userlist (shadow file, sam
  file etc.)

- check for any suspicious connection on the open ports.

- run a trojan/backdoor checking program.

- look for any suspicious shell program 

We also want to remind that the most recently exploited
vulnerabilities used by defacers are in the following

- Openssl

- Samba

- Webdav

- Frontpage extension misconfiguration

- Aix ftpd

- Solaris telnetd

- Sendmail

- Wuftpd

- Proftpd

- Phpnuke (not for massdefacement but still a ever present one)

- OmniBack II

- Cpanel

We invite all the IT security online magazine to report this article
so to better inform sysadmins about possible countermeasures.

SyS64738 - G00db0y www.zone-h.org admins

More information about the list mailing list