Defacements Statistics 2010 - SouthernWolf.net

Defacements Statistics 2010

Posted on Thursday, January 12, 2012 @ 14:34:18 EST in Hacking
by Southern

Almost 1,5 million websites defaced, what's happening?

Marcelo Almeida (Vympel), Boris Mutina (Minor)

stats 2010

Last year Zone-H archived a sad record number: 1.419.203 website defacements.

Why and how is this happening?

If you look at the stats, things remain the same: file inclusion, SQL injection, WebDAV attacks and shares misconfiguration are still at the top ranks of the attack methods used by defacers to gain first access to the server. As an important factor influencing the stats, we consider the fact that last year brought a very high number of local Linux kernel exploits.

For many years now, Linux has been the most used OS for web servers and, of course, the preferred target for defacers. Last year we archived 1.126.987 attacks against websites running on Linux systems. The exploit most used by defacers is CVE-2010-3301, which was fixed in 2007 and mysteriously reintroduced in 2008 in a large pile of x86_64 kernel versions.

But is the out-of-date Linux server the only reason for this huge amount of defacements?

Yes and no.

We were talking about local kernel exploits, but the first problem is in the website code. For example, we received too many single defacements due to a remote upload flaw in the osCommerce CMS, which allows defacers to upload anything to the CMS folder without a proper credential check. When this flaw became public, the developers had too much time to fix it, but the fix appeared a few months later. Pity.

Year after year, developers are still coding unsafely, leaving tons of remote and local file inclusion and SQL injection flaws that attackers use as the first step to gain access to the server OS.

Another problem with an out-of-date system is that old kernel versions also indicate other outdated packages (sometimes also misconfigured) that can be used for privilege escalation to service/user access.

But we should not speak only about Linux servers. Windows servers are also in the stats, (not) surprisingly still hacked through the same flaws as in the year 2000 and earlier. Every year we also recorded a high number of WebDAV and shares misconfiguration attacks. For WebDAV there are tons of updates, and for shares too; administrators just need to put their hands on it and update and/or change the configuration.

From the results one outcome is clear: code developer teams and web server admins are still living in two distinct worlds. And if something is not working properly, their answer is that this is most likely the other side's fault. While this "fight" continues, the defacement count keeps growing.

If you have any comments, send them to comments@zone-h.org

