MassHackerAttacks on Sunday
Douglas
July 2nd, 2003, 05:32 PM
"Feds warn of mass hacker attacks
Attack on thousands of Web sites said planned for Sunday
ASSOCIATED PRESS
WASHINGTON, July 2 — The government and private technology experts warned Wednesday that hackers plan to attack thousands of Web sites Sunday in a loosely coordinated “contest” that could disrupt Internet traffic."
http://www.msnbc.com/news/934055.asp?0dm=C11LT&cp1=1
_Tat_
July 3rd, 2003, 08:20 AM
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Statement on the Announced Defacement Challenge (Zone-H.org)
------------------------------------------------------------------------
SUMMARY
The following is Zone-H.org's statement about the announced "defacement
challenge". Zone-H.org has been informed about the oncoming "defacement
challenge", a defacer contest that should happen July 6th in which
defacers are challenged to deface as many as 6.000 in the shortest time as
possible.
DETAILS
It is quite clear, judging by the sharp decrease of the defacement
notifications occurred during the last days that the crackers aren't at
the beach but they are rather rooting possible targets without defacing
them, so to be ready with a lot of ready-to-be-defaced targets to be used
on the contest day.
A lot of news items have been written about this contest, many of them
reporting serious alerts about possible Internet service
disruption. Those who wrote or reported such alerts are obviously not aware
of how a defacement is usually done.
Those who have a "trained eye" like Zone-H.org, analyzed the text reported
on the defacement-challenge website (www.defacers-challenge.com) can
understand immediately that the "rules" state that there will be no
difference between counting a single defacement (single IP) or a
mass-defacement (many domain names on the same IP) and that the given time
frame for the defacement counting will be six hours. This means that most
of the defacements will occur to web servers containing a lot of web sites
(mass-defacements).
Due to this, Zone-H.org does not forecast any possible disruption in the
Internet service as very little traffic will be generated.
In fact, a mass-defacement (even of several thousand domain names)
usually is conducted by opening a single connection to the attacked
server.
Once root/admin privileges or web server privileges are achieved, a
special defacement tool (usually a perl script) is uploaded and executed.
The tool usually reads the web server's configuration files (like
httpd.conf) and automatically substitutes all the main pages (index.html
etc) of the hosted websites with the defaced one, thus doing the job of
defacing thousands of websites in a matter of seconds.
Judging by the "rumors", Zone-H.org is forecasting that the amount of
attacks will start from anywhere around 20,000.
As usual, Zone-H wants to render a service to the community so here is
their advice for the system administrators:
Defacers are usually looking for easy targets. Mass defacers in a hurry
(as they'll be on July 6th) will look for even easier targets.
As such, all the web server administrators must:
- Download and apply all the possible official patches released by the
software producers
- Shut down all the unnecessary modules
- Close all the unnecessary ports
- Download one of the many vulnerability scanners or run an automated
security check on their own system
Administrators managing their own private server shouldn't be concerned
more than usual, while administrators who are managing servers of web
hosting companies should be concerned.
It is unlikely that any server will be hacked July 6th. Most of the
servers that will be attacked that day are most likely conquered by
crackers a few days before the contest.
Due to this, the fact that you downloaded and installed the patches and
shut down the unnecessary services is not enough. In fact it is very
possible that a backdoor/Rootkit has been installed by the attacker to
prevent system administrators from banning future access to their servers
by patching.
Considering this, Zone-H advises all sys administrators to:
- Check for any freshly added user in the userlist (shadow file, sam file
etc.)
- Check for any suspicious connection on the open ports.
- Run a Trojan/backdoor checking program.
- Look for any suspicious shell program
Zone-H.org also wants to remind that the most recently exploited
vulnerabilities used by defacers are in the following packages/services:
- OpenSSL
- Samba
- WebDAV
- FrontPage extension misconfiguration
- AIX FTPd
- Solaris telnetd
- Sendmail
- Wuftpd
- ProFTPd
- PHPNuke (not for mass defacement but still an ever-present one)
- OmniBack II
- Cpanel
ADDITIONAL INFORMATION
Additional information can be found at:
- Government, industry warn of mass hacker attacks on July 6 (http://www.sfgate.com/cgi-bin/article.cgi?f=/news/archive/2003/07/02/financial1239EDT0109.DTL&type=tech)
- Sunday hack-a-thon (http://www.nydailynews.com/front/story/97769p-88453c.html)
- Hackers organize vandalism contest (http://news.com.com/2100-1002_3-1023172.html)
- Hacking Contest Threatens Web Sites (http://www.informationweek.com/story/showArticle.jhtml?articleID=10818007)
The original announcement is available from:
http://www.zone-h.org/en/news/read/id=2986/
The information has been provided by <email address removed>
SyS64738.
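Added example (not part of the advisory or of any post in this thread): the advisory says a mass-defacement tool reads the web server's configuration and overwrites every hosted site's main page, so a defender can walk the same configuration to baseline those pages and notice when any of them changes. It assumes an Apache-style config with `DocumentRoot` directives; the function names, the page-name list and the sample sites are hypothetical.

```python
import hashlib
import os
import re
import tempfile

# Page names treated as "main pages" (assumption; extend for your servers).
INDEX_NAMES = ("index.html", "index.htm", "index.php")
DOCROOT_RE = re.compile(r'^[ \t]*DocumentRoot[ \t]+"?([^"\s]+)"?', re.I | re.M)

def document_roots(conf_text):
    """Return each DocumentRoot path in an Apache-style config, once, in order."""
    return list(dict.fromkeys(DOCROOT_RE.findall(conf_text)))

def snapshot(roots):
    """Map every existing main page under the given roots to its SHA-256."""
    digests = {}
    for root in roots:
        for name in INDEX_NAMES:
            page = os.path.join(root, name)
            if os.path.isfile(page):
                with open(page, "rb") as fh:
                    digests[page] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """Return {page: status} for pages that changed, vanished or appeared."""
    report = {}
    for page in sorted(set(baseline) | set(current)):
        if baseline.get(page) != current.get(page):
            report[page] = ("missing" if page not in current else
                            "new" if page not in baseline else "changed")
    return report

def demo():
    """Constructed sample: two vhosts on one server, one main page overwritten."""
    with tempfile.TemporaryDirectory() as top:
        conf = ""
        for site in ("site-a.example", "site-b.example"):
            root = os.path.join(top, site)
            os.makedirs(root)
            with open(os.path.join(root, "index.html"), "w") as fh:
                fh.write("<h1>%s</h1>" % site)
            conf += '<VirtualHost *:80>\n  DocumentRoot "%s"\n</VirtualHost>\n' % root
        roots = document_roots(conf)
        baseline = snapshot(roots)          # taken while the pages are known good
        with open(os.path.join(roots[1], "index.html"), "w") as fh:
            fh.write("overwritten")         # simulate one replaced main page
        report = compare(baseline, snapshot(roots))
        return {os.path.relpath(p, top): s for p, s in report.items()}
```

On a real server the baseline would be stored off the machine, since an intruder with root can rewrite a local copy along with the pages.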
Dan Perez
July 3rd, 2003, 11:00 AM
-{ Quote: "As usual, Zone-H wants to render a service to the community " }-
Ah, so they're altruists and philanthropists; actively pursuing the public good! I had it wrong the whole time! ;)
[Good find there _Tat_, you get a crunchy Karma cookie!]
jvmorris
July 3rd, 2003, 09:13 PM
Dan,
I find it odd how (in this particular instance) we never seem to see a hyperlink to the originating source, much less to a Government agency (which seems to be what all the press releases reference without attribution).
Oh, sure, lots of 'professional' security sites and other news agencies seem to be picking up on this now -- and even some Government agencies are picking up on the "news" sources.
I just got one question: Where's the beef? ::)
Dan Perez
July 3rd, 2003, 09:23 PM
Hi Joseph,
I'm not quite sure what you mean. The original source was the site of the groups "hosting" the competition but this had already been taken offline before the news came out.
If you mean that the "danger" of this is being taken out of proportion, yes there are numerous people/groups that have been stating this (e.g. SANS/incidents.org). NIPC has not issued any warning or advisory on this issue so apparently they also feel that the impact will be too minimal to warrant any mention.
Or did I miss your point entirely :)
jvmorris
July 5th, 2003, 07:23 AM
Dan,
No, my query was related to the source of the story. As you say, the site seemed to be among the missing by the time people started looking for it. Which simply makes the question of where did the story come from all the more intriguing.
I read many of the early press releases (and that's really all they were). There were frequent allusions to 'government agencies and security organizations working with them', but these sources were never identified, nor was any website ever identified on which one could find a threat warning.
This is all rather bizarre, not at all the way these things are typically done. So, . . . is it a hoax? Or, . . . is it a sting? Just wondering here.
Douglas
July 5th, 2003, 10:57 AM
http://www.dslreports.com/forum/remark,7311001~root=security,1~mode=flat
has a link to the supposed page in question.
Douglas
jvmorris
July 5th, 2003, 11:43 AM
-{ Quote: "Douglas: http://www.dslreports.com/forum/remark,7311001~root=security,1~mode=flat has a link to the supposed page in question. Douglas" }-
Yep, . . . and I made the same comment there, some time back. 8)
Wox
July 5th, 2003, 08:20 PM
http://www.defacers-challenge.com is back up.
Mirror : http://www.defacers-challenge.info
spy1
July 6th, 2003, 08:31 AM
;D
Joseph - I think it was extremely nice of them to put the site back up just to answer your question, don't you? Now you can rest-assured that the whole thing is totally legit.
And remember:
home users don't have to worry
home users don't have to worry
home users don't have to worry
Straight skinny? Or mis-direction? (Although so far, I must admit that my computer hasn't melted down - of course, I've changed my computer clock ahead to Monday so I'll miss any ill-effects just to be on the safe side!).
Good to see you! Pete
AplusWebMaster
July 6th, 2003, 09:47 AM
FYI...
News media now calling the Sunday hacker contest just hype or a hoax
http://www.wilderssecurity.com/securitynews.html
Douglas
July 6th, 2003, 07:38 PM
Well, guess it wasn't a hoax. Look again at the link in the previous post.
Regards,
Douglas
Copyright ©2002 - 2012, Wilders Security Forums