MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2005

MA-088.032005: MyCERT Special Alert - Mass Web Defacement

Original Issue Date: 11th March 2005

Further to the initial alert on the mass web defacement, released on 9th March 2005, MyCERT continues to receive reports and information from trusted sources of a rapidly increasing number of Malaysian websites being defaced daily over the recent issues reported in the media.

Since 6th March 2005, a total of 88 Malaysian websites have been defaced and, based on the current situation, we predict the number may increase, especially during the weekend.

Most of the defaced sites were left with messages of hatred and dissatisfaction against the Government of Malaysia over the current issue.

Our initial findings, based on analysis of logs extracted from the victims' machines, indicate that the current mass defacements were carried out using the following exploits:

  1. SQL Injection
  2. Vulnerable PHP Scripts
  3. Vulnerable AWStats

System Administrators/Web Administrators who are running the above programs are advised as follows:

  1. SQL Injection

    If your website uses an SQL database, we advise you to validate all user input to prevent your website being defaced via SQL injection.

  2. Vulnerable PHP Scripts

    If you are running an older version of PHP, you need to patch or upgrade it to the latest version, which is PHP 4.3.10. The latest version of PHP can be downloaded at:

    http://www.php.net/downloads.php

  3. Vulnerable AWStats

    If you are running AWStats 6.0 or below, you need to patch or upgrade to AWStats 6.3, which can be downloaded at:

    http://awstats.sourceforge.net/#DOWNLOAD
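As an added example (not part of the MyCERT advisory), the following Python script shows the query-building pattern that SQL injection abuses beside the input validation the advisory recommends, with a parameterised query as a second layer; the table, slugs and probe string are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's content table (not from the advisory).
PAGES = [("home", "Welcome"), ("about", "About us"), ("contact", "Call us")]

# Allow-list for a page slug: lowercase letters, digits and hyphens only.
SLUG_RE = re.compile(r"[a-z0-9-]{1,32}")


def make_db():
    """Create an in-memory database holding the constructed sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    return conn


def fetch_slugs_vulnerable(conn, slug):
    """The pattern behind the defacements: input is spliced straight into the SQL text."""
    sql = "SELECT slug FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def is_valid_slug(slug):
    """Input validation as the advisory recommends: reject anything outside the allow-list."""
    return SLUG_RE.fullmatch(slug) is not None


def fetch_slugs_safe(conn, slug):
    """Validate first, then pass the value as a bound parameter, never as SQL syntax."""
    if not is_valid_slug(slug):
        return []
    return [row[0] for row in conn.execute(
        "SELECT slug FROM pages WHERE slug = ?", (slug,))]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that carries SQL syntax
    print("vulnerable:", fetch_slugs_vulnerable(db, probe))  # every page is returned
    print("safe:      ", fetch_slugs_safe(db, probe))        # nothing is returned
```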

We do not want to see any more Malaysian websites being defaced, and MyCERT would like to alert and advise all system owners to take precautions to patch and secure their servers in order to avoid having their websites defaced.

In addition to the above preventive measures, we also advise System Administrators to check their systems in case any backdoors or Trojan programs have been installed. Simple guides are as follows:

  1. System administrators are advised to regularly monitor / check their systems.

  2. Check for any newly added user accounts in the user list. You may check the shadow file, SAM file, etc.

  3. Check for any suspicious connections on open ports, especially on higher port numbers.

  4. Scan your server for any kind of backdoor. Use Tripwire to check for any signs of backdoors or trojans. This will only be effective if the software on your system was clean before Tripwire was applied.

    Please refer to:
    http://www.tripwiresecurity.com

  5. Check for any suspicious shell programs.

  6. Use URLScan to filter HTTP requests. Many IIS exploits, such as the Code Red family, use maliciously formed HTTP requests in directory traversal or buffer overflow attacks. The URLScan filter can be configured to reject such requests before the server attempts to process them.

    The URLScan filter can be downloaded separately from Microsoft at:

    URLScan Filter
    http://www.microsoft.com/technet/security/tools/urlscan.asp

  7. Download and use IIS Lockdown Tool version 2.1. Running the IIS Lockdown Wizard in "custom" or "expert" mode will allow you to make the following recommended changes to an IIS installation:

    1. Disable WebDAV (unless your environment absolutely requires it for web content publishing).
    2. Unmap all unnecessary ISAPI extensions (including .htr, .idq, .ism, and .printer in particular).
    3. Eliminate sample applications.
    4. Forbid the web server from running system commands commonly used in a compromise (e.g., cmd.exe and tftp.exe).

    IIS Lockdown can be downloaded at:
    http://www.microsoft.com/technet/security/tools/locktool.mspx

    Note: If an application requires services that were previously removed by IIS Lockdown, the previous settings can be recovered using the undo files located at n32\inetsrv\oblt-log.

  8. Close all unnecessary services or ports.

  9. Close all unnecessary applications.

Please check for the above vulnerabilities and make sure measures are taken to fix any such vulnerability that may be present in your system. We urge System Administrators to contact MyCERT immediately if they detect a defacement of their websites or any attempt to deface their sites, and to forward us a copy of the "intrusion log" for analysis and consolidation.

MyCERT can be reached for assistance at:

Web: http://www.mycert.org.my
Email:
Tel: 03-89961901
Fax: 03-89960827
SMS: 019-2813801