Defacements Statistics 2010: Almost 1,5 million websites defaced, what's happening?06/01/2011 Written by Marcelo Almeida (Vympel), Boris Mutina (Minor)
Last year the Zone-H archived a sad record number, we archived 1.419.203 websites defacements.
Why and how this is happening?
If you are looking at on the stats, the things remain the same: file inclusion, sql injection, webdav attacks and shares misconfiguration are still at the top ranks of the attack methods used by the defacers to gain first access into the server. As an important factor influencing the stats we consider the fact that last year brought a very high number of the local linux kernel exploits.
Since many years ago, Linux became the most used OS for webservers and of course the preferred target for the defacers. Last year we archived 1.126.987 attacks against websites running on the Linux systems. The most used exploit by the defacers is the CVE-2010 – 3301,
that was fixed in 2007 and was mysteriously reintroduced in 2008, in a large pile of kernel versions x86_64.
But should be the out-of-date Linux server the only reason of this huge amount of defacements?
Yes and no.
We were talking about local kernel exploits, but the first problem is in the website code. For example, we received too many single defacements due a remote upload flaw in OsCommerce CMS, that allows the defacers to upload anything to the CMS folder without a proper credential check. When this flaw became public, the developers had a too much time to fix it, but the fix appeared few months later. Pity.
Year after year, the developers are still coding by an unsafely, keeping tons of the remote and local file inclusion and the SQL injections, that the attackers use as the first step to gain the access into the server OS.
Then an another problem with the out-of-date system is that the old kernel versions indicate also that another packages (sometimes also misconfigured) by performing privilege escalation for the services/users access.
But we should not speak only about the Linux servers, the Windows Servers are also in the stats, (not) surprisingly still hacked by the same flaws like in year 2000 and early. Every year we also recorded a high number of the webdav and shares misconfiguration attacks. For webdav there are tons of the updates, for shares too, administrators just need to put their hands on it and update and/or change the configuration.
From the results one outcome is clear – code developer teams and webserver admins are still living in two distinct worlds. And if something is not working properly, their answer is that this is most likely the other side’s fault. While this “fight” continues, the defacement count still grows up.
If you have any comments, send them to firstname.lastname@example.org
Attacks by month
|Special Attacks by month||Year 2010|
|Single attacks by month||Year 2010|
|Mass attacks by month||Year 2010|
|Operative System||Year 2010|
|Webserver defaced||Year 2010|
|IBM HTTP SERVER||38|
|exteNd Application Server||10|
|Sun Java System Application Server 9.1_02||3|
|Sun Java System Web Server 6.1||2|
|Net Port Software 1.1||1|
|Attack Method||Year 2010|
|Attack against the administrator/user (password stealing/sniffing)||220.521|
|Other Web Application bug||124.878|
|Known vulnerability (i.e. unpatched system)||42.849|
|Undisclosed (new) vulnerability||25.552|
|Other Server intrusion||19.528|
|Web Server intrusion||18.976|
|FTP Server intrusion||15.619|
|SSH Server intrusion||15.214|
|Configuration /admin. mistake||13.901|
|Remote administrative panel access through bruteforcing||12.132|
|Brute force attack||10.145|
|RPC Server intrusion||7.911|
|Telnet Server intrusion||7.530|
|Web Server external module intrusion||7.368|
|Mail Server intrusion||6.260|
|DNS attack through cache poisoning||3.689|
|DNS attack through social engineering||2.878|
|Rerouting after attacking the Firewall||2.550|
|Rerouting after attacking the Router||2.458|
|Remote service password bruteforce||1.987|
|Remote service password guessing||1.917|
|Access credentials through Man In the Middle attack||1.752|
|Remote administrative panel access through social engineering||992|
|Remote administrative panel access through password guessing||849|
|Attack Reason||Year 2010|
|Heh…just for fun!||829.975|
|I just want to be the best defacer||289.630|
|Revenge against that website||45.093|
|As a challenge||44.457|
Linux X Windows
|Year||Total defacements Linux (all distros)||Total defacements Windows (all versions)|
You may view the latest statistics at this page http://www.zone-h.org/stats
* OS/Webserver unknown or fake banner