MassHackerAttacks on Sunday

Discussion in 'other security issues & news' started by Douglas, Jul 2, 2003.

Thread Status:
Not open for further replies.
  1. Douglas

    Douglas Guest

    "Feds warn of mass hacker attacks

    Attack on thousands of Web sites said planned for Sunday


    WASHINGTON, July 2 — The government and private technology experts warned Wednesday that hackers plan to attack thousands of Web sites Sunday in a loosely coordinated “contest” that could disrupt Internet traffic."
  2. _Tat_

    _Tat_ Registered Member

    Apr 13, 2003
    somewhere between the worlds
    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site:

    Statement on the Announced Defacement Challenge (


    The following is's statement about the announced "defacement
    challenge". has been informed about the oncoming "defacement
    challenge", a defacer contest that should happen July 6th in which
    defacers are challenged to deface as many as 6.000 in the shortest time as


    It is quite clear, judging by the sharp decrease of the defacement
    notifications occurred during the last days that the crackers aren't at
    the beach but they are rather rooting possible targets without defacing
    them, so to be ready with a lot of ready-to-be-defaced targets to be used
    on the contest day.

    A lot of news items have been written about this contest, many of them
    they were reporting serious alerts about possible Internet service
    disruption. Those who wrote or reported such alert are obviously not aware
    about how a defacement is usually done.

    Those who have a "trained eye" like, analyzed the text reported
    on the defacement-challenge website ( can
    understand immediately that the "rules" state that there will be no
    difference between counting a single defacement (single IP) or a
    mass-defacement (many domain names on the same IP) and that the given time
    frame for the defacement counting will be six hours. This means that most
    of the defacements will occur to web servers containing a lot of web sites

    Due to this, does not forecast any possible disruption in the
    Internet service as very little traffic will be generated.

    In fact, a mass-defacement (even of several thousands domain names)
    usually is conducted by opening a single connection to the attacked

    Once root/admin privileges or web server privileges are achieved, a
    special defacement tool (usually a perl script) are uploaded and executed.

    The tool usually reads the web server's configuration files (like
    httpd.conf) and automatically substitutes all the main pages (index.html
    etc) of the hosted websites with the defaced one, thus doing the job of
    defacing thousands of websites in a matter of seconds.

    Judging by the "rumors", is forecasting that the amount of
    attacks will start from anywhere around 20,000.

    As usual, Zone-H wants to render a service to the community so here is
    their advice for the system administrators:

    Defacers are usually looking for easy targets. Mass defacers in a hurry
    (as they'll be on July 6th) will look for even easier targets.

    As such, all the web server administrators must:

    - Download and apply all the possible official patches released by the
    software producers

    - Shut down all the unnecessary modules

    - Close all the unnecessary ports

    - Download one of the many vulnerability scanners or run an automated
    security check on their own system

    Administrators managing their own private server shouldn't be concerned
    more than usual, while administrators who are managing servers of web
    hosting companies should be concerned.

    It is unlikely that any server will be hacked July 6th. Most of the
    servers that will be attacked that day are most likely conquered by
    crackers a few days before the contest.

    Due to this, the fact that you downloaded and installed the patches and
    shut down the unnecessary services is not enough. In fact it is very
    possible that a backdoor/Rootkit has been installed by the attacker to
    prevent system administrators to ban future access to their servers
    because of patching.

    Considering this, Zone-H's advice all the sys administrators to:

    - Check for any freshly added user in the userlist (shadow file, sam file

    - Check for any suspicious connection on the open ports.

    - Run a Trojan/backdoor checking program.

    - Look for any suspicious shell program also wants to remind that the most recently exploited
    vulnerabilities used by defacers are in the following packages/services:

    - OpenSSL

    - Samba

    - WebDAV

    - FrontPage extension misconfiguration

    - AIX FTPd

    - Solaris telnetd

    - Sendmail

    - Wuftpd

    - ProFTPd

    - PHPNuke (not for mass defacement but still a ever present one)

    - OmniBack II

    - Cpanel


    Additional information can be found at:

    - Government, industry warn of mass hacker attacks on July 6
    - Sunday hack-a-thon
    - Hackers organize vandalism contest
    - Hacking Contest Threatens Web Sites

    The original announcement if available from:

    The information has been provided by <email address removed>
  3. Dan Perez

    Dan Perez Retired Moderator

    May 18, 2003
    Sunny San Diego
    Ah, so they're altruists and philanthropists; actively pursuing the public good! I had it wrong the whole time! ;)

    [Good find there _Tat_, you get a crunchy Karma cookie!]
  4. jvmorris

    jvmorris Registered Member

    Feb 9, 2002

    I find it odd how (in this particular instance) we never seem to see a hyperlink to the originating source, much less to a Government agency (which seems to be what all the press releases reference without attribution).

    Oh, sure, lots of 'professional' security sites and other news agencies seem to be picking up on this now -- and even some Government agencies are picking up on the "news" sources.

    I just got one question: Where's the beef? :rolleyes:
  5. Dan Perez

    Dan Perez Retired Moderator

    May 18, 2003
    Sunny San Diego
    Hi Joseph,

    I'm not quite sure what you mean. The original source was the site of the groups "hosting" the competition but this had already been taken offline before the news came out.

    If you mean that the "danger" of this is being taken out of proportion, yes there are numerous people/groups that have been stating this (e.g. SANS/ NIPC has not issued any warning or advisory on this issue so apparently they also feel that the impact will be too minimal to warrant any mention.

    Or did I miss your point entirely :)
  6. jvmorris

    jvmorris Registered Member

    Feb 9, 2002

    No, my query was related to the source of the story. As you say, the site seemed to be among the missing by the time people started looking for it. Which simply makes the question of where did the story come from all the more intriguing.

    I read many of the early press releases (and that's really all they were). There were frequent allusions to 'government agencies and security organizations working with them', but these sources were never identified, nor was any website ever identified on which one could find a threat warning.

    This is all rather bizarre, not at all the way these things are typically done. So, . . . is it a hoax? Or, . . . is it a sting? Just wondering here.
  7. Douglas

    Douglas Guest

  8. jvmorris

    jvmorris Registered Member

    Feb 9, 2002
  9. Wox

    Wox Registered Member

    Jun 30, 2003
    9 is back up.

    Mirror :
  10. spy1

    spy1 Registered Member

    Dec 29, 2002
    Clover, SC

    Joseph - I think it was extremely nice of them to put the site back up just to answer your question, don't you? Now you can rest-assured that the whole thing is totally legit.

    And remember:

    home users don't have to worry
    home users don't have to worry
    home users don't have to worry

    Straight skinny? Or mis-direction? (Although so far, I must admit that my computer hasn't melted down - of course, I've changed my computer clock ahead to Monday so I'll miss any ill-effects just to be on the safe side!).

    Good to see you! Pete
  11. AplusWebMaster

    AplusWebMaster Registered Member

    Jun 14, 2003
    Philadelphia, PA, USA
  12. Douglas

    Douglas Guest

    Well, guess it wasn't a hoax. Look again at the link in the previous post.

Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.