Dear friends, in these days our minds have all turned to Japan and to the Japanese people; some of them are our friends, and some of our friends live in Japan.
We would like to express our condolences to the families who lost family members. We are deeply concerned about the injuries and losses caused by the series of earthquakes, the tsunami flooding and the nuclear catastrophe.
Nevertheless, we also have to express our anger. We have already recorded the first batch of scam emails asking unaware users to donate to charity; as usual, the money will never reach the victims. The scam scenario is very similar to other scams that ask for donations over PayPal, Western Union, MoneyGram etc…
Another form of the scam is the Facebook clickjacking/likejacking scam with the sick title “Japans Tsunami Sends whale Smashing Into A Building” or similar. While people are hungry for news from Japan, this and similar scams spread the link virally: a transparent Facebook “Like” button is placed over the bait, so the victim shares the link to all their friends without knowing it, and some of the pages also deliver unsolicited ads. Many security companies have already reported on this issue (for example, Sophos reported it here).
Such scam websites also try to trick users into entering their personal data into fake surveys…
Last year Zone-H archived a sad record number: 1.419.203 website defacements.
Why and how is this happening?
If you look at the stats, things remain the same: file inclusion, SQL injection, WebDAV attacks and share misconfiguration are still at the top of the attack methods used by defacers to gain initial access to the server. Another important factor influencing the stats, in our view, is that last year brought a very high number of local Linux kernel exploits: a web-level bug gives the attacker a shell as the web server user, and a local kernel exploit then turns that into root, at which point every site on a shared host can be defaced at once.
Linux became the most used OS for web servers many years ago, and of course it is therefore the preferred target for defacers. Last year we archived 1.126.987 attacks against websites running on Linux. The exploit most used by defacers was the one for CVE-2010-3301, a flaw that had been fixed in 2007 and was mysteriously reintroduced in 2008 in a large number of x86_64 kernel versions.
But is the out-of-date Linux server the only reason for this huge number of defacements?
Yes and no.
First of all, we would like to emphasize that Zone-H is not related to any party in the Wikileaks case. We neither agree nor disagree with any action that has happened; we just want to share our opinion on the forthcoming events. Many news media have already released information about the cables, the sources, how it happened, etc.
But now it is clear that Wikileaks will not stop publishing the cables. There are plenty of mirrors all around the globe, and the information is shared over Facebook and Twitter. Even the arrest of Julian Assange cannot stop the day-by-day publishing of the cables. The whole case raises more questions, some of which cannot be answered. The first one: how was it possible for Bradley Manning to get 250k cables? According to the Guardian article, he had “unprecedented access to classified networks 14 hours a day 7 days a week for 8+ months”.
When Zone-H started back in 2002, we were receiving an average of 2500 defacements monthly, and this number keeps increasing year after year. For example, last month we registered over 95.000 defacements, while we only had 60.000 in 2009 for the same period.
What we can also say from these numbers is that the methods used are still the same: most of the vulnerabilities exploited are in web applications. We also know from what we monitor that registrar attacks have greatly increased in the past years, even if their number is quite low compared to the total number of attacks. But web applications are not the only culprit: poor local system security on various web hostings usually allows crackers to get full access to the servers.
You probably read the story somewhere last month: on December 17 2009 Twitter’s homepage was replaced by this message:
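The attack methods named in the stats (file inclusion, SQL injection, WebDAV abuse) leave recognisable traces in the web server access log, and most of these defacements would be caught early if someone looked. The following is an added example, not Zone-H's code or tooling: a small detector that parses Apache combined-format log lines, URL-decodes the request, and flags the three patterns. The log lines are constructed for the example (documentation IP ranges, invented paths); the regexes are deliberately simple heuristics and will miss obfuscated payloads, so treat them as a starting point rather than a complete rule set.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache "combined" log lines (not real traffic): an LFI and an RFI
# probe, two SQL injection attempts, a WebDAV upload-and-rename, one normal request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2011:14:02:11 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2011:14:02:15 +0000] "GET /index.php?page=http://198.51.100.9/c99.txt? HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2011:14:05:40 +0000] "GET /news.php?id=7%20UNION%20SELECT%201,user(),3-- HTTP/1.1" 200 980 "-" "curl/7.19"
198.51.100.23 - - [10/Mar/2011:14:05:44 +0000] "GET /news.php?id=7'%20or%20'1'='1 HTTP/1.1" 500 311 "-" "curl/7.19"
192.0.2.55 - - [10/Mar/2011:14:09:02 +0000] "PUT /webdav/defaced.html HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/6.1"
192.0.2.55 - - [10/Mar/2011:14:09:05 +0000] "MOVE /webdav/defaced.html HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/6.1"
203.0.113.200 - - [10/Mar/2011:14:10:00 +0000] "GET /about.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# WebDAV methods that change content on the server; a 2xx reply means they worked.
WEBDAV_WRITE_METHODS = {"PUT", "MOVE", "COPY", "MKCOL", "DELETE", "PROPPATCH"}

# Local file inclusion / traversal and remote file inclusion (URL or PHP wrapper as a parameter value).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|/proc/self/environ)")
REMOTE_INCLUDE_RE = re.compile(r"^(https?|ftp|php|data|expect)://", re.I)

# Classic SQL injection shapes: UNION SELECT, quote-OR-equals tautologies, stacked statements, time-based probes.
SQLI_RE = re.compile(
    r"(\bunion\b[\s\S]*\bselect\b|'\s*(or|and)\s*'?[^'\s]*'?\s*=|;\s*(drop|insert|update)\b|\bsleep\s*\(|\bbenchmark\s*\()",
    re.I,
)


def classify(method, target, status):
    """Return the list of attack categories one request line matches (empty if none)."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    # parse_qsl decodes once; decoding a second time catches double-encoded payloads (%252e%252e/).
    values = [unquote_plus(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    cats = []
    if TRAVERSAL_RE.search(path) or any(TRAVERSAL_RE.search(v) or REMOTE_INCLUDE_RE.match(v) for v in values):
        cats.append("file_inclusion")
    if any(SQLI_RE.search(v) for v in values):
        cats.append("sql_injection")
    if method in WEBDAV_WRITE_METHODS and status.startswith("2"):
        cats.append("webdav_write")
    return cats


def scan(log_text):
    """Parse every line of an access log and return (ip, category, method, target) findings."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for cat in classify(m["method"], m["target"], m["status"]):
            findings.append((m["ip"], cat, m["method"], m["target"]))
    return findings


def summarize(findings):
    """Count findings per source IP and category, the view an analyst triages from."""
    per_ip = {}
    for ip, cat, _method, _target in findings:
        per_ip.setdefault(ip, Counter())[cat] += 1
    return per_ip


if __name__ == "__main__":
    for ip, counts in summarize(scan(SAMPLE_LOG)).items():
        print(ip, dict(counts))
```

Run against the constructed sample it reports 203.0.113.7 with two file inclusion hits, 198.51.100.23 with two SQL injection hits and 192.0.2.55 with two successful WebDAV writes; the normal request produces nothing. The successful PUT followed by MOVE is exactly the sequence a defacer uses to drop a page on a misconfigured WebDAV share, so a 2xx on a write method deserves an alert on its own, independent of the payload heuristics.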
“Iranian Cyber Army
THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY
U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….
NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA?
WE PUSH THEM IN EMBARGO LIST ;)
They “simply” got into the account at Twitter’s DNS provider (Dyn) and modified the DNS entries, so twitter.com resolved to a server under their control while Twitter’s own servers were never touched.
Yesterday the Baidu homepage, China’s n°1 search engine, was defaced by the same attackers with the same method; this time the registrar involved was register.com.
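Both the Twitter and the Baidu incidents happened outside the victims’ servers, so no amount of patching the web stack would have detected them; what catches a registrar- or DNS-provider-level hijack is watching the zone from the outside and keeping the registrar locks on. The following is an added example (not Zone-H's code, and not related to either registrar's systems): it compares observed NS and A records against a baseline, and checks that the EPP status codes in the domain's whois record include the client locks that stop a transfer or update without an explicit unlock. The `dig`-style and whois-style text blocks are constructed for the example; in practice they would come from `dig +noall +answer` and the registrar's whois output.

```python
# Baseline of what the zone apex should look like (constructed example domain).
EXPECTED = {
    "NS": {"ns1.example-dns.net.", "ns2.example-dns.net."},
    "A": {"203.0.113.10"},
}

# Constructed `dig +noall +answer` style output, before and after a hijack at the
# registrar / DNS provider that repointed the domain to attacker-controlled name servers.
DIG_BEFORE = """\
example.com.  3600  IN  NS  ns1.example-dns.net.
example.com.  3600  IN  NS  ns2.example-dns.net.
example.com.  300   IN  A   203.0.113.10
"""
DIG_AFTER = """\
example.com.  3600  IN  NS  ns1.attacker-dns.invalid.
example.com.  3600  IN  NS  ns2.attacker-dns.invalid.
example.com.  60    IN  A   198.51.100.66
"""

# EPP status codes that a registrar account should carry; without them a single
# compromised login or a social-engineered support call can move the domain.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientUpdateProhibited", "clientDeleteProhibited"}

# Constructed whois excerpts in the usual "Domain Status: <code> <url>" form.
WHOIS_LOCKED = """\
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
"""
WHOIS_UNLOCKED = """\
Domain Name: EXAMPLE.COM
Domain Status: ok https://icann.org/epp#ok
"""


def parse_dig(text):
    """Turn dig answer lines (name ttl class type rdata) into {type: set(rdata)}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        records.setdefault(fields[3], set()).add(" ".join(fields[4:]))
    return records


def check_records(expected, observed):
    """Return [(type, unexpected_values, missing_values)] for every baseline type that drifted."""
    diffs = []
    for rtype, want in expected.items():
        got = observed.get(rtype, set())
        if got != want:
            diffs.append((rtype, sorted(got - want), sorted(want - got)))
    return diffs


def missing_locks(whois_text):
    """Return the required EPP client locks that are absent from a whois record."""
    present = set()
    for line in whois_text.splitlines():
        if line.lower().startswith("domain status:"):
            present.add(line.split(":", 1)[1].strip().split()[0])
    return sorted(REQUIRED_LOCKS - present)


if __name__ == "__main__":
    print("before hijack:", check_records(EXPECTED, parse_dig(DIG_BEFORE)))
    print("after hijack: ", check_records(EXPECTED, parse_dig(DIG_AFTER)))
    print("locks missing:", missing_locks(WHOIS_UNLOCKED))
```

Run on a schedule from a host outside your own network, an empty list from `check_records` means the delegation still matches the baseline; the moment NS or A records show values you did not configure, the domain has been repointed and the incident is at the registrar or DNS provider, not on the web server. The lock check is the preventive half: a domain whose whois shows only `ok` can be transferred or updated by whoever gets hold of the registrar account.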