MA-287.082011 : MyCERT Alert - Increase in Web Defacement Incidents

Date of publication: 2011-08-19

1.0 Introduction

MyCERT has observed significant increase in cyber security related activities related to web defacement (i.e. vulnerability scanning, intrusion attempts, brute force attacks) starting on the 17th of August 2011. Attackers are targeting websites that belong to individual, organizations and the government agencies in Malaysia or basically anything with a .MY in the domain name.

2.0 Impact

Successful attack will affect the confidentiality, integrity of information and availability of the websites. This may further impact business activities of the affected organization.

3.0 Technical Analysis 

Based on our analysis, the attackers are targeting web applications that are vulnerable to known attack techniques. Many of the successful attacks are due to:

• Weak Password
  Attackers gain access by trying all possible common or default passwords and username combinations .  We advise users to use strong passwords and remove default or idle accounts.


• Vulnerabile Third Party Components or Plug-ins
  Components of plug-ins that give an additional features to the website may be vulnerable to SQL-Injection, Remote File Upload or Remote File Inclusion that may allow the attacker to gain admin access or to upload a web shell. Users are advised to use the latest version of the plugins.


• Improper File's and Directory's Permission
  Directory permission that are not properly configured may allow the attacker to upload a web shell or write to other directories (i.e. in a mass defacement incident)


• Vulnerable Content Management Systems (CMS)
  Old version or outdated CMS (i.e. Joomla, Wordpress, etc) may contain known vulnerabilities that can be exploited by attackers. Users should ensure that the CMS that they are using are the latest version.


• Reuse of Old Backdoor
  Backdoor programs installed by the attacker that have not been removed (from the previous incident) could be used to re-deface the website or gain access to the web server. Users are advised to do a thorough check to ensure that backdoor programs (i.e. web shell) do not exist on the system. 

4.0 Recommendation

MyCERT advises all system owners to be alert and do the necessary to secure their websites. Please refer to the link in the references section for tips and best practices that can be applied to secure the websites.

If your website is defaced or you observe an anomalous activities within your network, do not hesitate to contact Cyber999 via the following channels:

E-mail : cyber999@cybersecurity.my or mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT <EMAIL> <COMPLAINT> to 15888
Business Hours : Mon - Fri 08:30 -17:30 MYT
Web: http://www.mycert.org.my

5.0 References

• What you should know about web defacement
• Steps for recovering from a UNIX or NT system compromise
• Intrusion Detection Checklist
• Guides On Fixing Sql Injections Vulnerabilities
• How To: Protect From SQL Injection in ASP.NET
• ModSecurity
• OWASP Top 10 Application Security Risks 2010
• Strong Passwords
• Improving Web Application Security: Threats and Countermeasures