MA-087.032005: Mass Defacements of Malaysian Websites
Original Issue Date: 9th March 2005
MyCERT has received reports regarding mass web defacements of Malaysian websites, which have increased tremendously since last week.
Since 1st January 2005, a total of 45 Malaysian websites have been defaced, and the situation has been worsened by the recent issues presented by the media.
Most of the defaced sites were left with messages of hatred/dissatisfaction against the Government of Malaysia and its Ministers/Ministries.
We do not want to see any more Malaysian websites being defaced, and MyCERT would like to alert and advise all system owners to take precautions to patch and secure their servers in order to avoid their websites being defaced. Our initial findings also show that most of the defacements are done by exploiting vulnerabilities that exist in unpatched programs, such as the scripts used to develop the websites.
Some of the steps that could be taken are:
Apply latest patches and upgrades released by the software vendors.
Harden your servers using hardening tools.
Close all unnecessary applications.
Close all unnecessary ports.
Download one of the many vulnerability scanners and run a security check on your systems.
If you use third-party add-ons such as ColdFusion, PerlIIS, or PHP, please check the third-party vendors' web sites for patches and configuration tips as well.
In addition to the above preventive measures, we also advise System Administrators to check their systems in case any backdoor or Trojan programs have been installed. Simple guidelines are as follows:
System administrators are advised to regularly monitor/check their systems.
Check for any newly added user accounts in the user list. You may check the shadow file, SAM file, etc.
Check for any suspicious connections on open ports, especially on higher port numbers.
Scan your server for any kind of backdoor. Use Tripwire to check for any signs of backdoors or Trojans. This is only effective if the system was clean before the Tripwire baseline was taken.
Please refer to:
Check for any suspicious shell programs.
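A small script that carries out two of the checks listed above, newly added accounts and listeners on high port numbers, against constructed sample data. This is an added example, not code from the MyCERT advisory; the passwd and netstat samples, the account name r00t, the port numbers and the function names are constructed for illustration.

```python
"""Added example, not part of the MyCERT advisory: two of the post-defacement checks
above (new user accounts, listeners on high ports) run against constructed sample
data so they can be tried offline. On a real host feed /etc/passwd and `netstat -an`."""

def account_names(passwd_text):
    """Account names from /etc/passwd-style text (the name is the first field)."""
    names = set()
    for line in passwd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names

def new_accounts(baseline_text, current_text):
    """Accounts present now but absent from a baseline saved when the host was clean."""
    return sorted(account_names(current_text) - account_names(baseline_text))

def high_port_listeners(netstat_text, threshold=1024, expected=()):
    """Listening TCP sockets above `threshold` that the admin has not listed as expected.
    Parses `netstat -an` style lines: proto recv-q send-q local foreign state."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[5] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        if int(port) > threshold and int(port) not in expected:
            found.append((addr, int(port)))
    return found

# Constructed samples: a clean baseline, the same host after an extra uid-0 account
# appeared, and netstat output with one unexplained high-port listener.
BASELINE_PASSWD = "root:x:0:0:root:/root:/bin/sh\nwww-data:x:33:33:www-data:/var/www:/sbin/nologin\n"
CURRENT_PASSWD = BASELINE_PASSWD + "r00t:x:0:0::/tmp:/bin/sh\n"
NETSTAT_SAMPLE = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             10.0.0.9:52114          ESTABLISHED
"""

if __name__ == "__main__":
    print("new accounts:", new_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    # 3306 (the database) is known and accepted; only the unexplained listener remains
    print("unexpected listeners:", high_port_listeners(NETSTAT_SAMPLE, expected={3306}))
```

Keep the baseline copy of the account list off the server, as the advisory's Tripwire caveat implies: a baseline taken after compromise hides the intruder's additions.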
Please check for the above vulnerabilities and make sure measures are taken to fix any such vulnerability that may be present in your system. We advise/urge System Administrators to contact MyCERT immediately if they detect a defacement of their website or detect any attempt to deface their sites, and to forward us a copy of the "intrusion log" for analysis and consolidation.