.Last year the Zone-H archived a sad record number, we archived 1.419.203 websites defacements.
Why and how this is happening?
If you are looking at on the stats, the things remain the same: file inclusion, sql injection, webdav attacks and shares
misconfiguration are still at the top ranks of the attack methods used by the defacers to gain first access into the server. As an important factor influencing the stats we consider the fact that last year brought a very high number of the local linux kernel exploits.
Since many years ago, Linux became the most used OS for webservers and of course the preferred target for the defacers. Last year we archived 1.126.987 attacks against websites running on the Linux systems. The most used exploit by the defacers is the CVE-2010 – 3301, that was fixed in 2007 and was mysteriously reintroduced in 2008, in a large pile of kernel versions x86_64.
But should be the out-of-date Linux server the only reason of this huge amount of defacements?
Yes and no.
We were talking about local kernel exploits, but the first problem is in the website code. For example, we received too many single defacements due a remote upload flaw in OsCommerce CMS, that allows the defacers to upload anything to the CMS folder without a proper credential check. When this flaw became public, the developers had a too much time to fix it, but the fix appeared few months later. Pity.
Year after year, the developers are still coding by an unsafely, keeping tons of the remote and local file inclusion and the SQL injections, that the attackers use as the first step to gain the access into the server OS.
Then an another problem with the out-of-date system is that the old kernel versions indicate also that another packages (sometimes also misconfigured) by performing privilege escalation for the services/users access.
But we should not speak only about the Linux servers, the Windows Servers are also in the stats, (not) surprisingly still hacked by the same flaws like in year 2000 and early. Every year we also recorded a high number of the webdav and shares misconfiguration attacks. For webdav there are tons of the updates, for shares too, administrators just need to put their hands on it and update and/or change the configuration.
From the results one outcome is clear–code developer teams and webserver admins are still living in two distinct worlds. And if something is not working properly, their answer is that this is most likely the other side’s fault. While this “fight” continues, the defacement count still grows up.
If you have any comments, send them to comments@zone-h.org
|
Attacks by month
|
Year 2010 |
| Jan |
53.915 |
| Feb |
57.867 |
| Mar |
73.712 |
| Apr |
95.078 |
| May |
83.182 |
| Jun |
81.865 |
| Jul |
87.364 |
| Aug |
63.367 |
| Sep |
185.741 |
| Oct |
194.692 |
| Nov |
258.355 |
| Dec |
184.064 |
| Special Attacks by month |
Year 2010 |
| Jan |
891 |
| Feb |
1.851 |
| Mar |
1.228 |
| Apr |
1.361 |
| May |
1.693 |
| Jun |
1.711 |
| Jul |
1.198 |
| Aug |
1.411 |
| Sep |
1.265 |
| Oct |
1.463 |
| Nov |
1.227 |
| Dec |
1.576 |
| Total |
16.875 |
| Single attacks by month |
Year 2010 |
| Jan |
10.332 |
| Feb |
10.936 |
| Mar |
11.908 |
| Apr |
14.333 |
| May |
12.496 |
| Jun |
15.352 |
| Jul |
13.762 |
| Aug |
13.449 |
| Sep |
16.559 |
| Oct |
13.366 |
| Nov |
32.829 |
| Dec |
24.316 |
| Total |
189.638 |
| Mass attacks by month |
Year 2010 |
| Jan |
43.583 |
| Feb |
46.931 |
| Mar |
61.804 |
| Apr |
80.745 |
| May |
70.686 |
| Jun |
66.513 |
| Jul |
73.602 |
| Aug |
49.918 |
| Sep |
169.182 |
| Oct |
181.326 |
| Nov |
225.526 |
| Dec |
159.748 |
| Total |
1.229.564 |
| Operative System |
Year 2010 |
| Linux |
1.126.987 |
| Windows 2003 |
197.822 |
| FreeBSD |
46.992 |
| Win 2008 |
15.083 |
| F5 Big-IP* |
14.000 |
| Unknown |
7.840 |
| Win 2000 |
6.097 |
| Solaris 9/10 |
2.373 |
| MacOSX |
1.038 |
| Citrix Netscaler* |
232 |
| Win NT9x |
221 |
| Win XP |
196 |
| NetBSDOpenBSD |
99 |
| HP-UX |
73 |
| IRIX |
47 |
| SCO UNIX |
22 |
| Unix |
15 |
| SolarisSunOS |
13 |
| BSDOS |
12 |
| Solaris 8 |
11 |
| OpenBSD |
8 |
| Compaq Tru64 |
5 |
| Compaq OS2 |
5 |
| OS390 |
3 |
| MacOS |
3 |
| AIX |
3 |
| NovellNetware |
1 |
| AS/400 |
1 |
| Webserver defaced |
Year 2010 |
| Apache |
1.095.982 |
| IIS/6.0 |
195.154 |
| nginx |
40.640 |
| LiteSpeed |
37.795 |
| Zeus |
14.111 |
| Unknown |
10.763 |
| IIS/7.0 |
10.433 |
| IIS/5.0 |
6.109 |
| IIS/7.5 |
4.002 |
| NOYB* |
2.083 |
| lighttpd |
733 |
| YTS* |
306 |
| IdeaWebServer |
305 |
| IIS/5.1 |
196 |
| IIS/4.0 |
141 |
| WebSitePro |
59 |
| Microsoft-HTTPAPI |
52 |
| Rapidsite |
51 |
| IBM HTTP SERVER |
38 |
| SunONE WebServer |
37 |
| ConcentricHost-Ashurbanipal* |
21 |
| Squid |
21 |
| Cherokee |
20 |
| Zope |
15 |
| DinaHTTPd Server |
13 |
| Resin |
11 |
| SilverStream Server |
10 |
| Sun-Java-System-Web-Server/7.0 |
10 |
| exteNd Application Server |
10 |
| Netscape-Enterprise |
9 |
| DataPalm |
6 |
| Allegro-Software-RomPager |
6 |
| IceWarp |
5 |
| AOL server |
5 |
| Abyss* |
3 |
| Sun Java System Application Server 9.1_02 |
3 |
| HP-ChaiServer |
3 |
| GHS* |
2 |
| Jetty* |
2 |
| GWS* |
2 |
| Sun Java System Web Server 6.1 |
2 |
| Roxen* |
1 |
| Caudium* |
1 |
| Squeegit |
1 |
| Lasso |
1 |
| Net Port Software 1.1 |
1 |
| NetWare-Enterprise-Web-Server |
1 |
| 4D_WebSTAR_S |
1 |
| OmniHTTPd |
1 |
| SAMBAR |
1 |
| Oracle AS |
1 |
| Attack Method |
Year 2010 |
| File Inclusion |
634.620 |
| Attack against the administrator/user (password stealing/sniffing) |
220.521 |
| Other Web Application bug |
124.878 |
| SQL Injection |
98.250 |
| Not available |
91.402 |
| Known vulnerability (i.e. unpatched system) |
42.849 |
| Undisclosed (new) vulnerability |
25.552 |
| Other Server intrusion |
19.528 |
| Web Server intrusion |
18.976 |
| FTP Server intrusion |
15.619 |
| SSH Server intrusion |
15.214 |
| Configuration /admin. mistake |
13.901 |
| URL Poisoning |
13.191 |
| Remote administrative panel access through bruteforcing |
12.132 |
| Brute force attack |
10.145 |
| Shares misconfiguration |
9.530 |
| RPC Server intrusion |
7.911 |
| Telnet Server intrusion |
7.530 |
| Web Server external module intrusion |
7.368 |
| Mail Server intrusion |
6.260 |
| social engineering |
4.776 |
| DNS attack through cache poisoning |
3.689 |
| DNS attack through social engineering |
2.878 |
| Rerouting after attacking the Firewall |
2.550 |
| Rerouting after attacking the Router |
2.458 |
| Remote service password bruteforce |
1.987 |
| Remote service password guessing |
1.917 |
| Access credentials through Man In the Middle attack |
1.752 |
| Remote administrative panel access through social engineering |
992 |
| Remote administrative panel access through password guessing |
849 |
| Attack Reason |
Year 2010 |
| Heh…just for fun! |
829.975 |
| I just want to be the best defacer |
289.630 |
| Not available |
94.017 |
| Patriotism |
58.970 |
| Political reasons |
57.083 |
| Revenge against that website |
45.093 |
| As a challenge |
44.457 |
Linux X Windows
| Year |
Total defacements Linux (all distros) |
Total defacements Windows (all versions) |
| 2000 |
931
|
2.587
|
| 2001 |
4.080
|
13.549
|
| 2002 |
22.693
|
43.441
|
| 2003 |
191.720
|
58.571
|
| 2004 |
247.113
|
119.402
|
| 2005 |
276.294
|
179.945
|
| 2006 |
446.039
|
258.129
|
| 2007 |
305.968
|
139.427
|
| 2008 |
352.449
|
141.061
|
| 2009 |
378.728
|
143.151
|
| 2010 |
1.126.987
|
219.419
|
| Total |
3.076.889
|
1.318.682
|
You may view the latest statistics at this page http://www.zone-h.org/stats
* OS/Webserver unknown or fake banner
