I suppose there will be some more, but here is a listing to wake some people up
So imagine that you could change an ebook (PDF) into a file with malicious code
and this also counts for
this is the advertising
this is the hack
and look also at http://www.ange-gabriel.be/peniche/configurat...
just one of many examples
and eventually be hacked
In fact you would just forget and with zone-h.org being forced offline again (you had your 2008 report just in time between two full scale attacks)
And this goes for a whole lot of .il sites. If you have a .il site you should check your logs on a permanent basis and patch and defend your machine as if you are in the middle of an online battlefield (and you are the cowboys being surrounded by indians with all kinds of weapons, some even more sophisticated than yours)
http://www.zone-H.org is one of the best to follow
This Belgian scouts site fell under heavy shelling with code.
We have said so before and it is just accumulating. You may have the best site in your own country and you may be able to withstand the level of attacks in your country or on the international level, but the level of internet attacks in Israel at the moment is of a totally different kind. For this you will have a tough decision to make.
Or you send down specialist teams to defend the sites that are up there. And you close down any interactive function that is not essential for the site.
Or you transfer the content of the site to your main server on an Israeli subdomain and you upgrade the central monitoring and security defenses.
Because somewhere on this internet is maybe someone somewhere with the professional knowledge and time to scan, attack and hack those systems as he has never done before. Prepare yourself for the brightest and most intensive.
2009/01/12  Jurm Team  gillettechampions.co.il
2009/01/12  Agd_Scorp  fanta.co.il
2009/01/12  Jurm Team  sprite.co.il
2009/01/12  Jurm Team  daihatsu-israel.co.il
2009/01/12  Jurm Team  wellaclub.co.il
2009/01/12  Jurm Team  headandshoulders.co.il
2009/01/12  Jurm Team  gillettefusion.co.il
2009/01/12  Jurm Team  kia-israel.co.il
and so it is strange to see that a site like israelmagazine.net didn't prepare itself enough for the onslaught and was hacked
and don't think it will be over soon
This is a must for hosters and network administrators. There is no other way that you could know, and as long as they are around it is the best and fastest way to know.
Starting from today, and only for registered users, the old Zone-H services plus some new ones will be available.
The services subscription module is now available from the user menu by clicking on the "Mailing list subscription" link, provided you are registered and logged in.
What kind of services are available?
1) Early Warning service: this service already has more than 8000 subscribers, most of them being the admin/webmaster of the website they want to monitor. Each time Zone-H receives a notification of a defacement, it checks if for that website there are Early Warning subscribers and notifies them about the intrusion. This service is free and will always stay free. What's the value of this service? There is little chance for administrators to be aware of intrusions on their webserver if the defacer created a /hacked page; the homepage being still online, there would not be any immediate evidence of the intrusion. The Early Warning service overcomes this problem.
2) daily news mailing list: this service will send directly to your email address all the daily news published on zone-h (one mail per day)
3) special defacement mailing list: this service will send directly to your email address all the daily special defacements published on zone-h (one mail per day)
4) advisory mailing list: this service will send directly to your email address all the daily advisories published on zone-h (one mail per day)
Please note that subscription to services 2, 3 and 4 is already available while the service itself will start somewhere within the next 48 hours.
Every weakness in your site or any of your functions or modules will be exploited to inject text or change anything that is possible just to leave a mark or vandalize it a bit.
During cyberwar you should deactivate everything that is interactive or put it really in a freeze mode or with very limited access. But the less you have the less you have to worry about.
If you have a site in Israel you will get attacked and eventually hacked, so prepare for it, even if you think that you are smart and big and whatever...
still the case at http://snl.mit.edu/
we told you the cyberwar was beginning to go after bigger sites....
It seems broken (database error) and dead 404 anyway, but now it is also defaced
These are all the 2519 websites with a .be domain name that have been defaced, hacked or injected according to zone-h.org during 2008. We received the listing exclusively to be able to make some predictions and some statistical explorations. This is not a scientific study, it is an INDICATOR.
The reason that it is an indicator is that zone-h.org is not a search engine that scans the internet for hacked sites. This is not possible. It is not possible because there are so many ways in which you can change a page or inject pictures or code into it. It is not possible because search engines don't have access to all the pages, even if those pages get hacked, defaced or injected. This is the reason why Google can't replace a collector like zone-h.org. We have found other sites that were hacked during the year, which we found with special Google searches, and we will publish that list shortly.
So to make it clear: these are all the sites that the attackers and defacers have submitted THEMSELVES to the collector zone-h.org. This doesn't mean that everybody who hacks does it, but many do. This is also the reason why some security people want to take zone-h.org offline, because they hate it when the vulnerabilities of even big sites are published for all to see.
We here find that zone-h.org is a very good resource for security research because it gives us some real-time indications on the one hand and a historic view on the other. During tough economic times in which priorities have to be reviewed so often, this is a nice indicator to have. We would never have known that there was a Turkish attack against .be websites while there were Turkish riots in Brussels. We sent out a warning at that time and we can see that this has had some effect. We would never have seen that the hacking of Joomla sites after the release of the exploit would be so massive (July-August) if it weren't for zone-h.org. We did send out different warnings but it seems now that Joomla sites have become a favourite attack target. If the Joomla community doesn't take the necessary measures, as Windows did some years ago, they will get attacked, whacked and defaced on a continuous basis.
Zone-h.org is the best collector on the web for the moment and this has something to do with her credentials, reputation and her internal controls before adding submissions to the database itself. At the end of 2008 Zone-h.org was attacked again (second time that year) and taken offline. At the height of the beginning of the cyberguerilla between Arab militants and Israeli and western defenders, security researchers were scrambling to find an alternative. There was none worthy of that name and the alternatives were too incomplete to show a global view.
Another thing to make clear before going to the numbers is that we are speaking about hacking, defacing and injecting all together. The listings we received don't indicate if the site was fully hacked, defaced or if there was just some text injected in the forum or other interactive functions. This sometimes gives way to an enormous and silly discussion that needs to receive some attention before going to the statistics.
One of the least commented but in my eyes most important hacks ever was the change of some text and numbers in a text on a news page of Yahoo. People tend to believe things on the internet too easily. They presume that it has been reviewed, checked and is effectively only written by the writer. This totally changes when a hacker shows that anyone can add a picture, some text or even a page to a website. No matter if it is small or big. Someone that didn't receive any rights to do anything on the website just changed content on the website. The webmaster may find it silly. But he may consider himself lucky that the silly hacker/injector/defacer just put some stupid graffiti or slogans on the website and didn't change prices, conditions, press releases, contacts or other things without indicating to the outside world that someone other than the administrators made those changes and that those administrators didn't know anything about those changes. Imagine that a major newspaper would have as headline that Fortis was to be sold to KBC. The effect and damage would be immediate, the time to resolve it would be too long and the lasting impact on the trust we have in online content would be enormous.
So every change to a website or a page that is done without the knowledge and consent of the administrator, especially on the places where users normally can't change or add things themselves, is a hack. Period. This doesn't mean that people have access to the server or the member list, but they did control part of the website.
Another thing to make clear is that operating systems of servers as such are losing their importance. It is the web services that are running on them (for example the bulletin boards, the content management systems and so on) that are being attacked. It is so important to place an application firewall, to limit access and to patch all your modules and parts of your web services on a permanent basis. And if you are not up to it, it is time to consider a professional service. With this we don't mean the amateurs that are selling hosting for peanuts but don't have any backup, firewall, antivirus, HIDS and other defensive and protective services to offer.
The most important thing, though, is to keep an eye on your website. It is just amazing how many websites stayed hacked/defaced for weeks or months without anyone correcting a thing (even after publication on this blog, and so on Google if you did a search on your domain with site:x.x). A related observation is that if you don't need a domain name anymore, you just park it somewhere without any website. It is dead and over and gone and if you don't have any more time for it, you should just kill it.
We have chosen the .be domain names because they fall under Belgian law. As there is for the moment no geolocation with the hacks in the zone-h.org database it is the easiest way to locate websites that fall under Belgian law. We want also to point out that there is a difference between the domain names and the servers. It is possible that a server has been defaced/hacked with many .be domain names on it. Strangely, everyone in Belgium can set up a server and call himself a webhoster. There is no certification or quality control or minimal obligations. In the real world no one could set up a business like that, surely not a webshop (of which some were defaced/hacked/injected last year).
When we look at the number of 2419 domain names that were victim in 2008 of such an attack according to zone-h.org, we see clearly that the Joomla crisis had a big impact during the summer. You can see that between 100 and 200 .be sites are submitted to zone-h.org each month. This means around 20 to 50 each week. Take with that around max. 10 additional hacked .be sites that are found by Google each week and you have a number of sites that a CERT in Belgium would have to clean up each week. You don't need an army for that.
When we look at the operating system of the .be domain names that were hacked, we have the following result. It can be that there are more domain names on some hacked Linux servers, but shared hosting is not always a smart idea.
The operating systems for Apache webservers of domains that were hacked.
The same for the IIS servers
We also publish the total listing with the names. If you are in it, then I hope that you have done something about your security, because if you are hacked, you will be attacked and tested and scanned on a permanent basis. Once you were hacked your security situation changes totally. Like it or not, that is the way it is.
And this is the reason that before you set up a website or add a whole bunch of interactive functions you should be sure that you have set up secured hosting, safe and tested code and implementation, and a security surveillance and response team. Otherwise you are just a sitting duck, as we have called the Joomla people during the summer.
Sunday we will publish the top 5 of the hacked .be websites and some analysis about the attacking clans. Who are they and who is most important to watch out for?
If you have indicators and numbers about Belgian security we will be happy to treat them for you and to give them the visibility that they deserve. Just contact us.
Source is zone-h.org with which we will be working more closely soon