Web Defacement
Anh Nguyen
May 6, 2010
Organization
Introduction
How Hackers Deface Web Pages
Solutions to Web Defacement
Conclusions
Introduction
Introduction
Web Defacement
Occurs when an intruder maliciously alters a Web page by inserting or substituting provocative and frequently offensive content
Exposes visitors to misleading information
Introduction
Web Defacement
http://www.attrition.org/mirror/attrition/
Tracked defacement incidents and kept a mirror of defaced Web sites (the mirror stopped accepting new defacements in 2001)
Introduction
Hackers' Motivation
Look for credit card numbers and other valuable proprietary information
Gain credibility in the hacking community; in some high-profile cases, 15 minutes of fame through media coverage of the incident
Introduction
Effects on Organizations
Organizations lose
Credibility and reputation
Customer trust and revenue
E-retailers can lose considerable patronage if their customers feel their e-business is insecure
Financial institutions may experience significant loss of business and integrity
How Hackers Deface Web Pages
How Hackers Deface Web Pages
Obtain usernames
Use information-gathering techniques
Make use of publicly available information
Domain registration records
Use social engineering tactics
Call an employee and pose as a system administrator
How Hackers Deface Web Pages (Cont.)
Guess passwords
Go through a list of popular or default choices
Use intelligent guesses built from information obtained by social engineering
Birth dates
Names of family members
How Hackers Deface Web Pages (Cont.)
Obtain administrator privileges
Perform additional information gathering to find out useful tidbits
The exact version and patch level of the OS
The versions of software packages installed on the machine
Enabled services and processes
How Hackers Deface Web Pages (Cont.)
Search well-known exploit sites for published exploits that match the vulnerabilities in the software versions found
Gain control of the machine, after which the content of pages can be modified easily
How Hackers Deface Web Pages (Cont.)
Sechole
An example of a privilege escalation exploit on Windows NT 4.0
The attack modifies the in-memory instructions of the OpenProcess API call so that the exploit can attach to a privileged process
Once the injected code runs inside the privileged process, it adds the user to the Administrators group
The technique works if the code runs
How Hackers Deface Web Pages (Cont.)
Sechole
In the presence of Microsoft's Internet Information Server (IIS) Web server and some other conditions, Sechole can be launched from a remote location
How Hackers Deface Web Pages (Cont.)
Remote exploitation of listening services
Another approach is to exploit vulnerabilities in Internet servers that are listening on open ports
No need to log on to the server
Execute malicious code over an open, legitimate connection
How Hackers Deface Web Pages (Cont.)
IIS Hack
Well-known example of a remote attack on the IIS Web server
Hackers exploit a buffer overflow weakness in ISM.DLL (the ISAPI extension that handles .htr requests), causing malicious code to execute in the SYSTEM security context on the server
Solutions to Web Defacement
Solutions to Web Defacement
Firewalls
Conventional packet-filtering firewalls pass HTTP through without inspecting the request content
HTTP attacks (such as IIS Hack) are therefore not detected
Network-based Intrusion Detection Systems (NIDS) and Host-based Intrusion Detection Systems (HIDS)
Passively observe packets on the wire (NIDS) or activity on the host (HIDS), but do not block anything
In many cases the packet reaches its destination before the NIDS has finished interpreting it
Solutions to Web Defacement (Cont.)
Integrity assessment
A hash (a cryptographic digest, stronger than a plain checksum, which an attacker could forge) reflecting each Web page's content is computed and saved
The saved hash is periodically compared with a freshly computed one to see if they match
The frequency of the hash comparisons needs to be high, since a defacement stays visible until the next comparison detects it
The scheme collapses when pages are generated dynamically, because their content legitimately changes from request to request
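The integrity assessment described above, as an added example (not code from the original slides or from the product they summarize). It assumes a static site whose files live under one directory and a baseline stored somewhere the intruder cannot rewrite; the directory layout, file names and the simulated defacement are constructed for the demonstration.

```python
"""Integrity check of a Web root: baseline digests, periodic re-hash, diff.

Added example for this deck, not code from the original slides. Assumes a
static site under one directory and a baseline kept out of the attacker's
reach (read-only media or a separate host).
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks. A cryptographic hash is used instead
    of a CRC-style checksum so an attacker cannot craft a replacement page
    that keeps the old value."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            digests[p.relative_to(root).as_posix()] = hash_file(p)
    return digests


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference: a changed page (the classic defacement),
    a new file (for example a dropped web shell) or a deleted file."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: take a baseline, then simulate a defacement."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "about.html").write_text("<h1>About us</h1>\n")
        (root / "img" / "logo.svg").write_text("<svg/>\n")
        baseline = snapshot(root)

        # The intruder replaces the front page, drops a script and deletes a page.
        (root / "index.html").write_text("<h1>Owned</h1>\n")
        (root / "img" / "cmd.asp").write_text("<% %>\n")
        (root / "about.html").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

For dynamically generated pages the same loop is pointed at what produces them (templates, scripts, server binaries and configuration) rather than at the rendered output, since the output differs on every request while the generating files should not. The baseline itself must sit outside the Web server's writable space, or an intruder with administrator rights simply re-baselines after defacing.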
Solutions to Web Defacement (Cont.)
Multi-layered protection system
Needed in order to deal effectively with Web defacement
On-the-spot prevention
Attacks should be identified before they execute, i.e. they should be identified at the service request level
Use system call and API call interception
Solutions to Web Defacement (Cont.)
Multi-layered protection system (Cont.)
Administrator (root) resistant
Allow only a specific predefined user (the Web master), instead of the Administrator account, to modify the Web site content and configuration
Application access control
A single predefined program should be used to edit and/or create Web pages
OS level protection
Solutions to Web Defacement (Cont.)
Multi-layered protection system (Cont.)
HTTP attack protection
A protection module that scans incoming HTTP requests for malicious requests should be used, even when the communication is encrypted (so it must inspect requests on the server host, after SSL/TLS decryption)
Web server resources protection
Executables
Configuration files
Data files
Web server process
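The HTTP attack protection module described above, as an added example (not code from the original slides or from the product they summarize). It models the module as a function running on the Web server host after SSL/TLS decryption, so it sees the plaintext request line. The length limit, the allowed methods and the blocked extensions (.htr, .idc and .stm, which IIS mapped to ISM.DLL) are assumptions for a static site; the sample requests are constructed, not captured traffic.

```python
"""Screening of incoming HTTP requests before the Web server parses them.

Added example for this deck, not code from the original slides. Assumes it
runs on the server host after TLS decryption and that the site is static.
"""
import os
import re
from typing import List, Tuple
from urllib.parse import unquote

MAX_TARGET_LEN = 1024                   # assumption: plenty for a static site
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Assumption: the site does not need the .htr/.idc/.stm handlers served by
# IIS's ISM.DLL, so requests for them are refused before the server sees them.
BLOCKED_EXTENSIONS = {".htr", ".idc", ".stm"}
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def screen_request(raw: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason) for one raw request (request line + headers)."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return False, "non-ASCII bytes in request"
    request_line = text.split("\r\n", 1)[0]
    m = REQUEST_LINE.match(request_line)
    if not m:
        return False, "malformed request line"
    method, target = m.group(1), m.group(2)
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not allowed"
    # Overlong targets are the usual trigger for buffer overflows in server
    # extensions; check the length before doing anything else with the bytes.
    if len(target) > MAX_TARGET_LEN:
        return False, f"request target too long ({len(target)} bytes)"
    path = unquote(target.split("?", 1)[0])   # decode %xx before inspecting
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        return False, "control byte in path"
    if ".." in path.split("/"):
        return False, "path traversal"
    ext = os.path.splitext(path)[1].lower()
    if ext in BLOCKED_EXTENSIONS:
        return False, f"handler for {ext} is disabled"
    return True, "ok"


# Constructed sample requests (not captured traffic).
SAMPLES: List[bytes] = [
    b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    b"GET /" + b"A" * 3000 + b".htr HTTP/1.0\r\n\r\n",          # overflow-style
    b"GET /default.htr HTTP/1.0\r\n\r\n",                         # disabled handler
    b"GET /static/..%2F..%2Fconfig.ini HTTP/1.0\r\n\r\n",         # encoded traversal
    b"GET /index.html%00.gif HTTP/1.0\r\n\r\n",                   # embedded NUL
    b"TRACE / HTTP/1.0\r\n\r\n",
]


def screen_samples() -> List[str]:
    """Run every sample through the filter and return the decision reasons."""
    return [screen_request(r)[1] for r in SAMPLES]


if __name__ == "__main__":
    for raw, reason in zip(SAMPLES, screen_samples()):
        print(f"{raw.split(b' ')[1][:40]!r}: {reason}")
```

The checks are deliberately applied to the decoded path, since an encoded traversal or NUL byte looks harmless before decoding, and the length test comes first so that no further parsing touches an oversized target. A filter like this narrows what reaches a vulnerable extension; it does not replace removing the extension or patching the server.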
Solutions to Web Defacement (Cont.)
Multi-layered protection system (Cont.)
Other Internet server attack protection
BIND (a DNS server)
Sendmail (an SMTP server)
Conclusions
Conclusions
Thank you for your time
Questions and feedback are welcome