Tat
Web Site Warning: mass hacker attacks on July 6
« on: Jul 3rd, 2003, 1:41pm »

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
 
 
  Statement on the Announced Defacement Challenge (Zone-H.org)
------------------------------------------------------------------------  
 
 
SUMMARY
 
The following is Zone-H.org's statement about the announced "defacement  
challenge". Zone-H.org has been informed about the oncoming "defacement  
challenge", a defacer contest that should happen July 6th in which  
defacers are challenged to deface as many as 6.000 in the shortest time  
possible.
 
DETAILS
 
It is quite clear, judging by the sharp decrease of the defacement  
notifications occurred during the last days that the crackers aren't at  
the beach but they are rather rooting possible targets without defacing  
them, so to be ready with a lot of ready-to-be-defaced targets to be used  
on the contest day.
 
A lot of news items have been written about this contest, many of them  
reporting serious alerts about possible Internet service  
disruption. Those who wrote or reported such alerts are obviously not aware  
of how a defacement is usually done.  
 
Those who have a "trained eye" like Zone-H.org and analyzed the text reported  
on the defacement-challenge website (www.defacers-challenge.com) can  
understand immediately that the "rules" state that there will be no  
difference between counting a single defacement (single IP) or a  
mass-defacement (many domain names on the same IP) and that the given time  
frame for the defacement counting will be six hours. This means that most  
of the defacements will occur to web servers containing a lot of web sites  
(mass-defacements).
 
Due to this, Zone-H.org does not forecast any possible disruption in the  
Internet service as very little traffic will be generated.
 
In fact, a mass-defacement (even of several thousands domain names)  
usually is conducted by opening a single connection to the attacked  
server.  
 
Once root/admin privileges or web server privileges are achieved, a  
special defacement tool (usually a perl script) is uploaded and executed.  
 
 
The tool usually reads the web server's configuration files (like  
httpd.conf) and automatically substitutes all the main pages (index.html  
etc) of the hosted websites with the defaced one, thus doing the job of  
defacing thousands of websites in a matter of seconds.
 
Judging by the "rumors", Zone-H.org is forecasting that the amount of  
attacks will start from anywhere around 20,000.
 
As usual, Zone-H wants to render a service to the community so here is  
their advice for the system administrators:
 
Defacers are usually looking for easy targets. Mass defacers in a hurry  
(as they'll be on July 6th) will look for even easier targets.
 
As such, all the web server administrators must:
 
 - Download and apply all the possible official patches released by the  
software producers
 
 - Shut down all the unnecessary modules  
 
 - Close all the unnecessary ports
 
 - Download one of the many vulnerability scanners or run an automated  
security check on their own system
 
Administrators managing their own private server shouldn't be concerned  
more than usual, while administrators who are managing servers of web  
hosting companies should be concerned.
 
It is unlikely that any server will be hacked July 6th. Most of the  
servers that will be attacked that day are most likely conquered by  
crackers a few days before the contest.
 
Due to this, the fact that you downloaded and installed the patches and  
shut down the unnecessary services is not enough. In fact it is very  
possible that a backdoor/Rootkit has been installed by the attacker to  
prevent system administrators from banning future access to their servers  
because of patching.
 
Considering this, Zone-H advises all the sys administrators to:
 
 - Check for any freshly added user in the userlist (shadow file, sam file  
etc.)
 
 - Check for any suspicious connection on the open ports.  
 
 - Run a Trojan/backdoor checking program.
 
 - Look for any suspicious shell program  
 
Zone-H.org also wants to remind that the most recently exploited  
vulnerabilities used by defacers are in the following packages/services:
 
 - OpenSSL
 
 - Samba
 
 - WebDAV
 
 - FrontPage extension misconfiguration
 
 - AIX FTPd
 
 - Solaris telnetd
 
 - Sendmail  
 
 - Wuftpd
 
 - ProFTPd
 
 - PHPNuke (not for mass defacement but still an ever present one)
 
 - OmniBack II  
 
 - Cpanel
 
 
ADDITIONAL INFORMATION
 
Additional information can be found at:
 
 - Government, industry warn of mass hacker attacks on July 6  
 - Sunday hack-a-thon  
 - Hackers organize vandalism contest  
 - Hacking Contest Threatens Web Sites
 
The original announcement is available from:  
http://www.zone-h.org/en/news/read/id=2986/
 
The information has been provided by  <email address removed>  
SyS64738.

Regards, Tat
------------
Becky Internet Mail Forum @ MickeyTheMan Privacy & Security Board
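
The advisory above notes that a mass defacement replaces the main page of every site listed in the web server configuration within seconds. The following is an added example, not part of the original post or the advisory: a defender-side baseline check that reads the same DocumentRoot entries and reports changed index pages, grouping pages that now share identical content. The index file names, the sample configuration and the function names are assumptions made for the illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.html", "index.htm", "index.php")  # assumed main-page names
DOCROOT_RE = re.compile(r'^[ \t]*DocumentRoot[ \t]+"?([^"\s]+)"?', re.I | re.M)
SAMPLE_CONF = """# Constructed sample config; this commented DocumentRoot /old is ignored
DocumentRoot "/var/www/html"
<VirtualHost *:80>
    DocumentRoot /home/a/public_html
</VirtualHost>
<VirtualHost *:80>
    DocumentRoot /home/b/public_html
</VirtualHost>
"""

def document_roots(conf_text):
    """Every distinct DocumentRoot in the config text; commented-out lines do not match."""
    return list(dict.fromkeys(DOCROOT_RE.findall(conf_text)))

def snapshot(conf_text, base=""):
    """SHA-256 of each main page under each DocumentRoot; base is a path prefix."""
    out = {}
    for root in document_roots(conf_text):
        for name in INDEX_NAMES:
            page = Path(base + root, name)
            if page.is_file():
                out[root + "/" + name] = hashlib.sha256(page.read_bytes()).hexdigest()
    return out

def report(baseline, current):
    """Return (changed or missing pages, groups of 2+ changed pages sharing one digest)."""
    changed = sorted(p for p in baseline if current.get(p) != baseline[p])
    groups = {}
    for p in changed:
        groups.setdefault(current.get(p), []).append(p)
    return changed, [g for d, g in groups.items() if d and len(g) > 1]

def demo():
    """Baseline a throwaway tree, overwrite two index pages with one file, compare."""
    with tempfile.TemporaryDirectory() as base:
        for root in document_roots(SAMPLE_CONF):
            Path(base + root).mkdir(parents=True)
            Path(base + root, "index.html").write_text("original " + root)
        before = snapshot(SAMPLE_CONF, base)
        for root in document_roots(SAMPLE_CONF)[1:]:
            Path(base + root, "index.html").write_text("constructed replacement")
        return report(before, snapshot(SAMPLE_CONF, base))
```

On a real host the baseline from `snapshot` would be stored off the server, so that someone with root on the web server cannot rewrite it along with the pages.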
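
The advisory's first post-compromise check is to look for freshly added users in the user list. As an added example (not part of the original post or the advisory), the check can be done by comparing the current passwd file against a copy saved earlier. Both snapshots below are constructed, and the list of non-login shells is an assumption.

```python
NOLOGIN = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")  # assumed non-login shells

# Constructed passwd(5) snapshots: BASELINE was saved earlier, CURRENT is the host now.
BASELINE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
"""
CURRENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
svc2:x:0:0::/tmp:/bin/sh
"""

def parse_passwd(text):
    """Map login name -> (uid, shell) for every well-formed passwd(5) line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit():
            users[fields[0]] = (int(fields[2]), fields[6])
    return users

def audit(baseline_text, current_text):
    """Return sorted (account, finding) pairs for changes worth a closer look."""
    old, new = parse_passwd(baseline_text), parse_passwd(current_text)
    findings = []
    for name, (uid, shell) in new.items():
        if name not in old:
            findings.append((name, "added since baseline"))
        elif old[name][0] != uid:
            findings.append((name, "uid changed"))
        elif old[name][1] in NOLOGIN and shell not in NOLOGIN:
            findings.append((name, "service account now has a login shell"))
        if uid == 0 and name != "root":
            findings.append((name, "extra uid 0 account"))
    return sorted(findings)
```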
Jamming
Re: Web Site Warning: mass hacker attacks on July
« Reply #1 on: Jul 4th, 2003, 2:59am »

Yep, usually they are lower profile than this.  But this one generated enough publicity that they got their webhost to shut down their website.

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster