During my research for a report I identified over a hundred Web servers that had been infected by ‘defacers’, including Web servers belonging to some high-profile companies.
These infections resulted in confidential data from sites, as well as information on how to infect them, being sold on the black market. The cybercriminals were also able to use the Web servers to launch DDoS attacks or conduct spam mailings.
Everyone knows that the Internet is plagued by hackers and criminals cracking Web sites, turning computers into nodes in botnets, and openly selling spyware and stolen passwords to user accounts on the black market. One type of cybercrime, however, remains a bit of mystery. Defacement attacks change the content or visual appearance of random websites; while the attackers are not doing this to make a direct profit, such attacks can damage the reputation of the organisations targeted, or cause financial losses.
There is a defacer community whose groups and members compete with each other to see who can crack and deface the most sites. There are a number of online archives where defacers can see how many times and by whom a particular site has been modified. These archives include the names of high-profile sites belonging to some major companies.
A PHP backdoor, deployed to a cracked site from within, is central to any defacement attack. The backdoors have a range of functionality, but most of them will have methods to bypass PHP security functions, steal information, read/modify files, access SQL databases, crack passwords, execute arbitrary commands and escalate privileges. Moreover, the server where the site is located can be used to send out spam or to carry out DDoS attacks. Defacers generally use scanners to find vulnerable servers, checking for Remote and Local File Inclusion and SQL injection vulnerabilities, among others.
One major problem in combating defacements is that defacers aren’t only exploiting technical vulnerabilities, they are also exploiting ignorance. Most people who work with Web servers today do not understand the importance of having a system which is up-to-date and fully patched.
Companies and organisations often put a lot of time and effort into teaching their IT personnel about how SQL injection and buffer overflows work, and how they can be exploited, when it would be more sensible to focus on ensuring that systems are fully patched and configured properly.