The biggest hacking incident in web-hosting history

Date May 23, 2006

Roberto Preatoni (SyS64738)
05/18/2006

We received an e-mail from the people at stokia.com with an interesting analysis of the incident:

“The hack seems to have been done through an ASP script that is automatically installed on all hosting customers' accounts on these particular servers.

The mass defacement was placed in a subdirectory on each site: /ssfm/isko.htm

A search on Google for: ‘ ssfm vulnerability ‘ (without quotes) returns a Google cache result with a GoDaddy user complaining about being hacked through the ssfm directory, and a response from “hosting support” claiming that the problem “is a vulnerability in the Microsoft IIS”.

Quote: This email is in regards to the issue that you escalated on xx xxxxx 2005. The ssfm hack is not something we can really defend against. It is a vulnerability in the Microsoft IIS webserving system. As Microsoft uses closed source software, we are dependent on them for a fix to this issue. They have not, as of yet, issued a patch for this vulnerability. Rest assured that your passwords have not been compromised. The attacker does not need these to insert his file into the account as it is done through a hole in the IIS system (and this is the only directory that they would have access to).

A search on Google for: ‘ ssfm directory asp ‘ (without quotes) returns multiple results for GoDaddy users seeking help with the file ‘gdform.asp’. The ‘gdform.asp’ appears to be a form mail type script. The source code of ‘gdform.asp’ also contains a reference to the SSFM folder: filename = Server.MapPath("ssfm"). (See the second post at http://forums.aspfree.com/asp-development-5/asp-email-form-on-godaddy-114110.html for the source code to gdform.asp.)

A search on Google for: ‘ ssfm directory godaddy ‘ (without quotes) or ‘ ssfm directory secureserver.net ‘ (without quotes) returns multiple results for users seeking help with the ‘gdform.asp’ or ‘gdform.php’ form mail type scripts.

We have not examined the source code to the asp file in detail or done more than superficial research on this mass defacement, but this does not appear to be a vulnerability in IIS. This appears to be a problem with poor script coding and / or failing to properly validate user form input. I would guess that the hacker is able to inject their own code into the asp or php script being used to send mail.”
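For a hosting operator triaging the pattern the e-mail describes (the same page planted under each account's ssfm directory), the following is an added example, not code from Zone-H, stokia.com or the hosting provider. It assumes one directory per account under a common hosting root; the extension list, the sample tree and the submission1.txt file name are constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions a web server would render or execute (not from the article).
SERVABLE = {".htm", ".html", ".asp", ".aspx", ".php"}

def find_ssfm_files(hosting_root):
    """Return sorted (account, relative_path) for servable files under any ssfm/ dir."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(hosting_root):
        rel = os.path.relpath(dirpath, hosting_root)
        parts = rel.split(os.sep)
        if "ssfm" not in (p.lower() for p in parts):
            continue
        for name in filenames:
            if os.path.splitext(name)[1].lower() in SERVABLE:
                hits.append((parts[0], os.path.join(rel, name)))
    return sorted(hits)

def shared_names(hits, min_accounts=2):
    """Map file name -> accounts, for names found in at least min_accounts accounts."""
    accounts = {}
    for account, path in hits:
        accounts.setdefault(os.path.basename(path).lower(), set()).add(account)
    return {n: sorted(a) for n, a in accounts.items() if len(a) >= min_accounts}

def build_sample_tree(root):
    """Constructed sample layout: three accounts, two carrying the defacement page."""
    sample = [
        ("site-a", "ssfm", "isko.htm"),         # page name reported in the article
        ("site-a", "ssfm", "submission1.txt"),  # constructed form-mail output
        ("site-b", "ssfm", "isko.htm"),
        ("site-b", "index.htm"),                # outside ssfm: ignored
        ("site-c", "ssfm", "submission1.txt"),
    ]
    for parts in sample:
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = find_ssfm_files(root)
        for account, path in hits:
            print(f"{account}\t{path}")
        print(shared_names(hits))
```

A file name that recurs in the ssfm directory of many unrelated accounts is the mass-defacement signature; a single account with an odd file is more likely a local issue.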

******************************************

UPDATE 11.30 PM GMT

We are receiving 17,000 more defaced websites as we write. We will account for them in this news item, but we are not sure we will ever be able to handle such a huge number of notifications: to mirror all of them we would need a distributed platform like the one Google has on Akamai. The latest notified defacements seem to belong to the ISP secureserver.com.

******************************************

Yesterday the Turkish cracker going by the handle “Iskorpitx” successfully hacked 21,549 websites in one shot (plus 17,000 as of our last update) and defaced all of them (on a secondary page) with a message showing the Turkish flag (with Atatürk's face on it) and reading:

“HACKED BY iSKORPiTX

(TURKISH HACKER)

FUCKED ARMANIAN-FUCKED FRANCE-FUCKED GREECE-FUCKED PKK TERROR

iscorpitx, marque du monde, présente ses salutations à tout le monde. ”

Iskorpitx, the first Turkish defacer ever, started his controversial defacing activity back in 2003. His defacing frenzy soon led him to the “incredible” number of more than 117,000 hacked websites, some of them even government websites of his own country. In this latest incident it is not clear at which level the intrusion was performed (root or webserver): the fact that all 21,549 websites were defaced on a secondary page (site.com/ssfm/isko.htm) is not indicative, given Iskorpitx's particular modus operandi of performing all of his hacks by creating a subpage, regardless of the authorization level achieved on the attacked servers.

In recent months Iskorpitx has been taken as a model to imitate by many young Turkish crackers, making Turkey the new defacers' kingdom, which nowadays accounts for more than 50% of all notified defacements, surpassing the former defacers' kingdom: Brazil.

Script Kiddies or Script Grannies? Iskorpitx is believed to be 45 years old, and is sometimes helped in minor defacement activities by another Turkish “senior cracker” (42) going by the handle Metlak.

Despite the fact that the majority of Turkish defacers are performing Islam-related hacks, this doesn’t seem to be the leading motivation for Iskorpitx.

Statistics about Iskorpitx’s incidents can be found at:

http://www.zone-h.org/en/en/defacements/filter/filter_defacer=iskorpitx/

while the full list of the 21,549 defacements can be found at:

http://www.zone-h.org/defaced/list.txt
Original article: http://www.zone-h.org
