MS-089.042005: MyCERT Quarterly Summary (Q1) 2005Original Issue Date: 12th April 2005
The MyCERT Quarterly Summary is a quarterly report to wrap up incidents reported to us with some brief descriptions and analysis of major incidents observed during that period. Included are highlights on the statistics of attacks/incidents reported, as well as other noteworthy incidents and new vulnerability information is inclusive.
Additionally this summary also directs to resources in dealing with problems related to security incidents, including patches, service packs, upgrades and hardenings.
The 1st Quarter of 2005 was hectic as compared to previous quarters. Significantly, during this period, we received a overwhelming number of reports on web defacements of local websites, which had caused lots of annoyances and disturbances to our country that a crisis was declared during this period. However, no severe impact to the network infrastructure of the country was observed. Generally, the number of incidents had increased in this quarter to previous quarter with 6.7% increase. Hack attempts, intrusion, denial of service and spam had increased this quarter compared to previous quarter. Malicious code, forgery and harassment had dropped this quarter compared to the previous quarter.
Tremendous Increase on Intrusion
This quarter also saw a significant increase on Intrusion, with a total of 256 incidents compared to 42 incidents in previous quarter, which represents more than a 100% increase. The significant increase to Intrusion in this quarter is mainly due to mass defacement as a result of recent issues presented by the media.
Most of the defaced sites were left with hatred/dissatisfaction against the Government of Malaysia and its Ministers/Ministries. A total of 216 Malaysian websites were defaced during this period, which began on March 6th until 21st March 2005.
MyCERT had produced 2 alerts on the recent mass defacements of Malaysian websites, available at:
http://www.mycert.org.my/en/services/advisories/mycert/2005/main/detail/57/index.html (Released on 11th March 2005)
http://www.mycert.org.my/en/services/advisories/mycert/2005/main/detail/58/index.html (Released on 9th March 2005)
The recent mass defacement also received serious attention from the Cabinet that the Minister of Science, Technology and Innovation, Datuk Seri Dr Jamaluddin Jarjis had made a press statement on the 16th March 2005 on this issue.
Our findings, based on the log analysis extracted from the victims' machines, indicate that the mass defacements were done using the following exploits:
- SQL Injection
- Vulnerable PHP Scripts
- Vulnerable AWStat
The crisis was handled successfully by MyCERT team and we observed a significant decrease in the defacement beginning 15th March onwards until the situation was declared peace. The Indonesian CERT had responded to MyCERT's request by urging the Indonesian hackers to stop defacing our sites. This urge had helped in reducing the number of defaced sites and finally stopped the activities.
MyCERT would like to advise all System Administrators and owners of systems/networks to upgrade and patch softwares/services/applications they're currently running. In addition, it is also recommended to disable unnecessary/ unneeded default services supplied by vendors. Our analysis showed that majority of previous Intrusions such as web defacements were due to vulnerable and unpatched services running on the server. Web defacements involving Linux machines are due to running of older versions of the Apache servers, PHP scripts and OpenSSL. As for IIS web servers, web defacements were commonly due to Microsoft IIS extended Unicode directory traversal vulnerability, Microsoft Frontpage Server Extension vulnerability and WEBDAV vulnerability.
Details of the vulnerabilities and solutions are available at:
Apache Web Server Chunk Handling Vulnerability
Vulnerabilities in PHP File upload
Vulnerabilities in SSL/TLS Implementation
Microsoft IIS extended Unicode directory traversal vulnerability
Web servers running Windows IIS servers, may use the IIS Lockdown tool to harden their server.
IIS Lockdown Wizard version 2.1 works by turning off unnecessary features, thus reducing attack surface available to attackers.
The IIS Lockdown tool can be downloaded at:
Web server running on Linux, may use the TCP filtering mechanism such as TCP Wrappers at the server or gateway level. TCP Wrappers is a tool commonly used on UNIX systems to monitor and filter connections to network services.
TCP Wrapper can be downloaded free at:
Hack Attempts on the Rise
Incidents on hack attempts had increased for this quarter compared to previous quarter with a 95.2% increase. A total of 41 reports were received on hack attempts for this quarter compared to 21 reports in previous quarter, targeting mainly on organizations' systems/networks. Home users PCs are also becoming a target among attackers on port scannings.
MyCERT's findings for this quarter shows that the top targeted ports for scanning are SSH (TCP/ 22), HTTP (TCP/ 80), MS SQL (TCP/1433) and Netbios (TCP/137, TCP/138, TCP/139). Port scannings are actively carried out once a new bug or exploit being released to the public. Besides scanning for open ports, scannings are also actively done to detect any machines running vulnerable programs and scripts, such as scanning for Unicode vulnerability on IIS web servers and scanning machines running vulnerable PHP scripts.
MyCERT recommends the following preventive measures:
Close all ports or unneeded services except http service and other required ports/services should be filtered and patched accordingly.
All machines/systems are properly patched and upgraded with latest patches, service packs and upgrades to fix any vulnerability that may present in the machines/systems.
Organizations can install network based or host based IDS to alert scannings and other malicious attempts to their hosts.
It is recommended that home users install personal firewalls in order to alert the owner of any unauthorized scanning to their machine, and to block any penetration into their system.
More information on home PC security is available at:
Harassment and Forgery Had Dropped
Incidents on harassment had decreased compared to previous quarter with a 53.8%. Majority of harassment incidents received, involved harassments committed via emails, chat forums and web forums where majority of them were referred to the law enforcement agencies for further investigation. MyCERT were also involved in assisting Law Enforcement Agencies, such as the police, Attorney General, Malaysian Communications and Multimedia Commission (MCMC) in investigating some harassment incidents.
We advise users who are harassed via Internet or any individuals who observed any kind of harassments via web forums that has implications to religion, social, politic and economy of the country to report to MyCERT for further analysis.
This quarter also witnessed a decrease of 26.8% in Forgery incidents compared to previous quarter. We received 30 reports on Forgery for this quarter which includes phishing scams and email forgery with a majority comes from the former. We continue to receive reports on phishing activities for this quarter, involving local and foreign banks. The phishing activities reported to us includes local and foreign banks becoming victim of phishing scams and users who receive phishing emails purportedly from trusted banks.
MyCERT strongly urge users who receive emails purportedly from a bank requesting to change their logon and password to ignore/delete such emails immediately. Users are also advised to refer and verify any such emails with their ISPs, CERTs or with the Particular Financial institutions mentioned.
Incident on Malicious Code Continue to Drop
The quarter 1of 2005 saw a decrease in virus/worm incidents again with a total of 17 incidents which is about 46.8% decrease compared to previous quarter. No significant worm outbreak was reported in this quarter. Though we received information of worm outbreaks in overseas, we were not affected by them.
MyCERT advise users to always take precautions against worm incidents, even though no worm outbreaks observed within our constituency. Some of the precautions that users can take are:
Email Gateway Filtering
Sites are encouraged to apply filters at email gateways to block any attachments associated to the worm.
Users must make sure that their PCs are installed with anti-virus software and are updated continuously with the latest signature files. Users who do not have an anti-virus installed on their PCs may download an anti-virus from the following site:
Users need to make sure that their PCs/machines are always updated with the latest service packs and patches as some worms propagate by exploiting unpatched programs present in PCs/machines.
Users are also advised to install personal firewalls, such as Zone Alarm on their PCs/machines.
Organizations are also advised to close unnecessary services and ports except for http port. If other services/ports need to be utilized, then they should be filtered to allow authorize users only.
Safe Email Practices
MyCERT strongly advice users not to open any unknown attachments that they received via emails. Any suspicious emails shall be deleted or forwarded to the respective ISPs or CERTs for verification. Users may refer to the following guidelines on safe email practices:
Spam incidents still remain on top with a total of 3683 incidents for this quarter, representing 1.6% increase compared to the previous quarter.
It is almost impossible to completely eradicate spamming activities; however it can be minimized to a certain extent by following tips, spam filters for end users and guidelines to minimize the daily annoying spam emails they received which is available freely in the Internet. In addition, home users may also subscribe to their ISP's Spam Filtering service, which is available with a very reasonable fee. Users may contact their ISPs for further information on this service.
We received 3 reports on Denial of service compared to 1 report in previous quarter, representing a more than 100% increase. Denial of service attacks have become less popular nowadays compared to previous years, which makes less incidents related to these categories, however System/Network Administrators should not take for granted against this attack.
Complete figures and statistics graph on the Abuse Statistic released by MyCERT monthly is available at:
Reference to past years' Abuse Statistics is also available at the above URL.