Akamai Diversity
Home > Web Security > CSIRT Advisory: Mass Website Defacements

CSIRT Advisory: Mass Website Defacements

The following was written by Akamai CSIRT researcher Patrick Laverty:

Akamai has seen multiple media reports where a group will claim to have hacked hundreds or thousands of sites in a single night. The intent is to instill a sense of widespread unease to the casual observer.

When we look a little closer, we see that there may be more to it. One can rightly assume that many of these have been done through a type of automation. But if we look even closer, we see something else interesting about the attacks.

If we look at the IP address for the hundreds of web sites affected, we notice that many and sometimes all of them have the same IP address.

When we see this, it leads us to believe the sites are running on the same server.

Attack details

Hundreds of web-hosting companies exist that provide a wide variety of services with added features. Some may cost as little as a few dollars a month for web hosting and with that, the hosting company will look to share as many paying accounts on the same server. We can often find hundreds of domains and sites running on the same server. One way to check what other sites are running at a specific IP address is to use http://www.bing.com and use the IP: operator. Enter IP: with the IP address you'd like to query and Bing will reply with all the sites it is aware of being hosted at that IP.

The way the attackers are able to do so much damage at once is due to what is known as mass defacements, usually with a symlink vulnerability. This is a vulnerability which exists due to the hosting server not properly preventing one account from being able to access files outside of their assigned space.

As a result, an attacker is able to traverse the server's directories and read username and password lists as well as read files from other customer accounts. These other customer accounts will often include database credentials for their site. With this information, attackers potentially gain the ability to change files on every other site on the server.

First, the attacker needs to get a foothold on the server. A single site will need to be compromised to gain access and with possibly hundreds of sites running on the server, there is a high likelihood that one of them will be vulnerable to an attack that gives the attacker the ability to upload files to the server. Attackers are able to find vulnerable sites through "Google hacking", which is to do searches for typically vulnerable software or versions of vulnerable software.

Most frequently, the software will be through third-party content, or "plugins" to popular content management systems, such as Wordpress and Joomla. The attacker will use the vulnerability, whether it is SQL injection, an insecure file upload or remote file execution, to implant scripts on the server. The attacker will often start first with a shell script, frequently the c99 madshell, which gives the attacker some visibility of the server structure and also assists in gathering other necessary files, like account and possibly password lists.

With the list of accounts, the attacker will upload a mass deface script. This script is able to use the account names, which often will match the web root for each customer on the server, and then access the desired files. The most common type of defacing script will target Wordpress and Joomla installations. The deface script will use the accessible credentials to overwrite the home page for each site with the attacker's own file.


Joomla!/Wordpress

Another script Akamai CSIRT detected was one that focuses on defacing Joomla! and Wordpress sites. This works similarly to the defacing script above in how it can access files in other account directories. With this deface script, it will access either the Wordpress wp-config.php or the Joomla! configuration.php file and extract the database credentials. Once it has the site owner's database username and password, it will attempt to insert a new administrator account into the database.

The next step in the process is for the defacer to access Wordpress's Theme Editor. This is a part of the administrator's dashboard that allows the administrator to edit template files. The deface script will then overwrite the home page template's code with the attacker's own deface page.

If the script determines that the CMS is Joomla!, it will do something similar. It uses the symlink attack to get the database credentials and then use Joomla!'s com_installer plugin to overwrite the home page of the site with the attacker's message page.

On the Joomla! side, the script will actually attempt to change the admin user's password. Remember against a Wordpress instance, the script would simply install an additional account with administrator privileges. The Joomla! administrator will be locked out of the system but also will know quickly that there is an issue. The Wordpress administrator will still be able to log in to the system, but unless careful forensics is done, may not know that the attacker still has access to the system even after the defacement is updated.

Knowing if you're affected

This attack type is one of the easiest to know that you are affected. The home page of your web site, or possibly a secondary page, has been replaced or edited to have unwanted content. The message on the site will often proclaim support for a cause or even to simply brag about the ability to deface the site.

Defensive measures

If you are using a hosted service and your site is affected by this attack, there may not be much that can be done, other than move to another hosted service that doesn't have this issue.

You can test to see if this vulnerability is possible by logging in to your account and trying to view the web space of other accounts. You can do this at the command line (if your host gives shell access) and using the "cd .." command to move up in the file system. With each iteration of the command, run the "ls" command to see what shows and if you're able to see other accounts. Often, the host will not allow shell/command line access and instead will allow FTP client access. FTP clients often simply have a button that lets one go "up" in the file structure.

Simply keep going up and see if you're able to view other accounts and their files. If you can, your server is vulnerable to this attack.

Leave a comment