Mass Hacker Attacks on Sunday

Discussion in 'other security issues & news' started by Douglas, Jul 2, 2003.

Thread Status:
Not open for further replies.
  1. Douglas

    Douglas Guest

    "Feds warn of mass hacker attacks

    Attack on thousands of Web sites said planned for Sunday

    ASSOCIATED PRESS

    WASHINGTON, July 2 — The government and private technology experts warned Wednesday that hackers plan to attack thousands of Web sites Sunday in a loosely coordinated “contest” that could disrupt Internet traffic."

    http://www.msnbc.com/news/934055.asp?0dm=C11LT&cp1=1
     
  2. _Tat_

    _Tat_ Registered Member

    Joined:
    Apr 13, 2003
    Posts:
    14
    Location:
    somewhere between the worlds
    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com


    Statement on the Announced Defacement Challenge (Zone-H.org)
    ------------------------------------------------------------------------


    SUMMARY

    The following is Zone-H.org's statement about the announced "defacement
    challenge". Zone-H.org has been informed about the oncoming "defacement
    challenge", a defacer contest that should happen July 6th in which
    defacers are challenged to deface as many as 6.000 in the shortest time as
    possible.

    DETAILS

    It is quite clear, judging by the sharp decrease of the defacement
    notifications occurred during the last days that the crackers aren't at
    the beach but they are rather rooting possible targets without defacing
    them, so to be ready with a lot of ready-to-be-defaced targets to be used
    on the contest day.

    A lot of news items have been written about this contest, many of them
    reporting serious alerts about possible Internet service
    disruption. Those who wrote or reported such alerts are obviously not aware
    of how a defacement is usually done.

    Those who have a "trained eye" like Zone-H.org, analyzed the text reported
    on the defacement-challenge website (www.defacers-challenge.com) can
    understand immediately that the "rules" state that there will be no
    difference between counting a single defacement (single IP) or a
    mass-defacement (many domain names on the same IP) and that the given time
    frame for the defacement counting will be six hours. This means that most
    of the defacements will occur to web servers containing a lot of web sites
    (mass-defacements).

    Due to this, Zone-H.org does not forecast any possible disruption in the
    Internet service as very little traffic will be generated.

    In fact, a mass-defacement (even of several thousand domain names)
    usually is conducted by opening a single connection to the attacked
    server.

    Once root/admin privileges or web server privileges are achieved, a
    special defacement tool (usually a Perl script) is uploaded and executed.


    The tool usually reads the web server's configuration files (like
    httpd.conf) and automatically substitutes all the main pages (index.html
    etc) of the hosted websites with the defaced one, thus doing the job of
    defacing thousands of websites in a matter of seconds.

    Judging by the "rumors", Zone-H.org is forecasting that the amount of
    attacks will start from anywhere around 20,000.

    As usual, Zone-H wants to render a service to the community so here is
    their advice for the system administrators:

    Defacers are usually looking for easy targets. Mass defacers in a hurry
    (as they'll be on July 6th) will look for even easier targets.

    As such, all the web server administrators must:

    - Download and apply all the possible official patches released by the
    software producers

    - Shut down all the unnecessary modules

    - Close all the unnecessary ports

    - Download one of the many vulnerability scanners or run an automated
    security check on their own system

    Administrators managing their own private server shouldn't be concerned
    more than usual, while administrators who are managing servers of web
    hosting companies should be concerned.

    It is unlikely that any server will be hacked July 6th. Most of the
    servers that will be attacked that day are most likely conquered by
    crackers a few days before the contest.

    Due to this, the fact that you downloaded and installed the patches and
    shut down the unnecessary services is not enough. In fact it is very
    possible that a backdoor/Rootkit has been installed by the attacker to
    prevent system administrators from banning future access to their servers
    because of patching.

    Considering this, Zone-H advises all the sys administrators to:

    - Check for any freshly added user in the userlist (shadow file, sam file
    etc.)

    - Check for any suspicious connection on the open ports.

    - Run a Trojan/backdoor checking program.

    - Look for any suspicious shell program

    Zone-H.org also wants to remind that the most recently exploited
    vulnerabilities used by defacers are in the following packages/services:

    - OpenSSL

    - Samba

    - WebDAV

    - FrontPage extension misconfiguration

    - AIX FTPd

    - Solaris telnetd

    - Sendmail

    - Wuftpd

    - ProFTPd

    - PHPNuke (not for mass defacement but still an ever-present one)

    - OmniBack II

    - Cpanel


    ADDITIONAL INFORMATION

    Additional information can be found at:

    - Government, industry warn of mass hacker attacks on July 6
    - Sunday hack-a-thon
    - Hackers organize vandalism contest
    - Hacking Contest Threatens Web Sites

    The original announcement is available from:
    http://www.zone-h.org/en/news/read/id=2986/

    The information has been provided by <email address removed>
    SyS64738.
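
The advisory above notes that a mass-defacement tool reads httpd.conf to find every hosted site's main page; the same enumeration lets an administrator baseline those pages and detect replacements afterwards. This is an added example, not part of the original post or advisory; the index file names and the constructed two-site tree in `demo()` are assumptions.

```python
import hashlib
import os
import re
import tempfile

INDEX_NAMES = ("index.html", "index.htm", "index.php")  # assumed DirectoryIndex names

def document_roots(conf_text):
    """Collect DocumentRoot paths (quoted or bare) from Apache-style config text."""
    pattern = re.compile(r'^[ \t]*DocumentRoot[ \t]+(?:"([^"]+)"|(\S+))', re.I | re.M)
    # dict.fromkeys keeps first-seen order and drops duplicate roots
    return list(dict.fromkeys(q or b for q, b in pattern.findall(conf_text)))

def snapshot(roots):
    """Map every index page found under the roots to its SHA-256 digest."""
    digests = {}
    for root in roots:
        for name in INDEX_NAMES:
            path = os.path.join(root, name)
            if os.path.isfile(path):
                with open(path, "rb") as fh:
                    digests[path] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def compare(baseline, current):
    """List index pages changed, missing or added since the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }

def demo():
    """Constructed two-vhost tree: baseline it, overwrite one page, compare."""
    top = tempfile.mkdtemp()
    roots = [os.path.join(top, site) for site in ("site-a", "site-b")]
    for root in roots:
        os.makedirs(root)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>" + os.path.basename(root) + "</h1>")
    conf = "".join('<VirtualHost *:80>\n  DocumentRoot "%s"\n</VirtualHost>\n' % r for r in roots)
    baseline = snapshot(document_roots(conf))
    with open(os.path.join(roots[1], "index.html"), "w") as fh:
        fh.write("replaced")  # simulated unauthorised change to one site
    return compare(baseline, snapshot(document_roots(conf)))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored off the server, since an intruder with root access can rewrite a local copy along with the pages.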
     
  3. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Ah, so they're altruists and philanthropists; actively pursuing the public good! I had it wrong the whole time! ;)

    [Good find there _Tat_, you get a crunchy Karma cookie!]
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Dan,

    I find it odd how (in this particular instance) we never seem to see a hyperlink to the originating source, much less to a Government agency (which seems to be what all the press releases reference without attribution).

    Oh, sure, lots of 'professional' security sites and other news agencies seem to be picking up on this now -- and even some Government agencies are picking up on the "news" sources.

    I just got one question: Where's the beef? :rolleyes:
     
  5. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi Joseph,

    I'm not quite sure what you mean. The original source was the site of the groups "hosting" the competition but this had already been taken offline before the news came out.

    If you mean that the "danger" of this is being taken out of proportion, yes there are numerous people/groups that have been stating this (e.g. SANS/incidents.org). NIPC has not issued any warning or advisory on this issue so apparently they also feel that the impact will be too minimal to warrant any mention.

    Or did I miss your point entirely :)
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Dan,

    No, my query was related to the source of the story. As you say, the site seemed to be among the missing by the time people started looking for it. Which simply makes the question of where did the story come from all the more intriguing.

    I read many of the early press releases (and that's really all they were). There were frequent allusions to 'government agencies and security organizations working with them', but these sources were never identified, nor was any website ever identified on which one could find a threat warning.

    This is all rather bizarre, not at all the way these things are typically done. So, . . . is it a hoax? Or, . . . is it a sting? Just wondering here.
     
  7. Douglas

    Douglas Guest

  8. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
  9. Wox

    Wox Registered Member

    Joined:
    Jun 30, 2003
    Posts:
    9
    http://www.defacers-challenge.com is back up.

    Mirror : http://www.defacers-challenge.info
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    :D

    Joseph - I think it was extremely nice of them to put the site back up just to answer your question, don't you? Now you can rest assured that the whole thing is totally legit.

    And remember:

    home users don't have to worry
    home users don't have to worry
    home users don't have to worry

    Straight skinny? Or misdirection? (Although so far, I must admit that my computer hasn't melted down - of course, I've changed my computer clock ahead to Monday so I'll miss any ill-effects just to be on the safe side!).

    Good to see you! Pete
     
  11. AplusWebMaster

    AplusWebMaster Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    239
    Location:
    Philadelphia, PA, USA
  12. Douglas

    Douglas Guest

    Well, guess it wasn't a hoax. Look again at the link in the previous post.

    Regards,
    Douglas
     