GAMBIA-L Archives

The Gambia and Related Issues Mailing List

GAMBIA-L@LISTSERV.ICORS.ORG

Subject:
From: Mr Makaveli <[log in to unmask]>
Reply To: The Gambia and related-issues mailing list <[log in to unmask]>
Date: Fri, 13 Jul 2001 05:53:34 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (200 lines)
PoizonBOx hackers leave e-envoy red-faced.

-----------------------------------------------------------
Computer crackers leave their mark on numerous government Web sites,
including that of e-envoy Andrew Pinder 05/09/2001

The government has launched an investigation after a chain of UK
government Web sites, including one belonging to the office of the
e-envoy, were hacked and defaced on Tuesday by a group of computer
crackers.

The sites, including the e-envoy's site for intergovernmental policy,
www.govtalk.gov.uk, Scottish archive site www.nas.gov.uk, and local
government sites www.wiltshire.gov.uk and www.havant.gov.uk, were defaced
late on Tuesday and early Wednesday morning. A group of cybervandals
calling themselves PoizonBOx replaced government information with graffiti
showing a self-styled logo.

A spokeswoman for the office of the e-envoy said that an investigation
had been launched. "The service providers are investigating and will make
a report. We can't say anything until then."

The spokeswoman said that when launched, the site complied with security
standards established by CESG (Communications Electronics Security Group) -
the government's centre for computer security. She added that the sites
were expected to be back up and running by midday Wednesday.

According to Alldas, a German site that lists defaced Web sites, all the
government sites were running on Microsoft's Internet Information Server
(IIS) 4.0 Web hosting application.

RELATED STORY
---------------
Hackers Deface Web Sites; FBI Issues DDoS Warning
By Ryan Naraine and Michael Singer

Web page defacement attacks by hackers have escalated dramatically in
the last 24 hours, with technology news site CNET, Webex and game
developer Blizzard.com among those hit this morning.

At 2:00 p.m. today, 153 defacements were reported by http://www.alldas.de,
a site which archives mirrors of hacking attacks around the world.

Executives at Web-based meeting center, WebEx say they can't explain the
defacement of their home page Monday.

"We have no idea why anyone would be interested in attacking us," says
one WebEx executive who asked not to be identified.

Visitors to the site were greeted with a black page with bold red letters
slamming both the U.S. government and another group of cybervandals.

"f*** USA Government - f*** PoizonBOx," read the message along with an
email contact to a Chinese Yahoo! e-mail account.

A copy of the defaced site was immediately posted at Attrition.org, a
site where hackers also sometimes post their exploits.

The San Jose-based company runs an online service that lets you run
real-time meetings right through your Internet browser.

As to why a separate hacking group would be named during a defacement,
Attrition spokesperson Modify could only give these thoughts.

"Because he/she/they have been defacing .tw sites (Taiwan)," says
Modify.

In March, the British government launched an investigation into
PoizonBOx after a chain of UK government Web sites had their information
replaced with graffiti showing a self-styled logo.

Web Attacks On Upswing

Today's defacement barrage comes just days after a hacking group calling
itself "Prime Suspectz" hit three Microsoft sites. The latest round of
attacks also include pro-Chinese slogans and seemed to be targeting U.S
commercial and government Web sites.

Last week, the Federal Bureau of Investigation (FBI) issued a warning
that U.S. sites faced hacking attacks from pro-Chinese groups. The FBI
said Chinese hacker groups planned to retaliate against U.S attacks on
Chinese government-owned sites.

This week's attacks coincided with the recent political standoff between
the two countries and the second anniversary of the NATO bombing of a
Chinese embassy in Belgrade, according to the FBI.

In the recent round of attacks, Web pages owned by the Inter-American
Defense Board, The U.S Fish and Wildlife Service, the Department of
Health and Human Services and several universities in Washington, D.C
were hit with defacements.

Explicit anti-American messages were posted and defacements included the
flags of Russia and China.

Separately, the FBI warned there would be ongoing attempts to disrupt
Web access to several sites. The National Infrastructure Protection
Center (NIPC), which acts as the FBI's cybercrime unit, said hackers
planned to use distributed denial-of-service (DDoS) attacks to cripple
targeted Web sites.

Denial-of-service attacks typically flood Web sites with excess traffic,
effectively slowing or blocking access to targeted sites.

"The activity has been seen from several networks, and consists entirely
of fragmented large UDP packets directed at port 80. Analysis indicates
that this activity may be intended to bypass standard port/protocol
blocking techniques, as certain major routing equipment manufacturer's
products will block the first fragment of a large UDP packet, but may
not block subsequent packets, thereby permitting the denial of service
to continue," the NIPC said in a warning issued over the weekend.

The unit advised systems and network administrators to inspect their
facilities (firewall logs) for the presence of fragmented UDP packets
directed at port 80.

"Inbound packets of this type indicate that a denial of service to the
network in question may be underway. Outbound packets of this type
indicate that there is a high likelihood that system(s) on the network
in question are compromised and that DDOS tools are installed.
Attempting to block this traffic at the IP-only level (as opposed to
protocol-specific level like UDP) may have improved effectiveness," it
said.

To determine if a computer system has been infected with a DDoS agent,
the NIPC has posted a "Find DDoS" tool on its Web site. The tool may be
downloaded from the NIPC site.

The FBI has also called on targeted sites to report computer intrusions
to their local FBI office.

Incidents may also be reported online or by dialing
202-323-3204/3205/3206

WHAT IS A DEFACEMENT

A web defacement is when the content of a public web page is altered by
someone other than the legitimate person responsible for the machine or
pages. This is regardless of reasons or motivation. In simple terms, if
someone types a URL into their browser and sees anything but the
legitimate page, this is a defacement. One factor that is often forgotten
by some (defacers) is that the page must be seen by legitimate users for
it to be a defacement. Web surfers do not view IP addresses, obscurely named
servers that had nothing but a default IIS or Apache page, etc. We make
the decision of what to mirror based on whether we think there is already
legitimate traffic to the machine that has been reported to us. Therefore,
s3k128nsdl39.state.home.com type machines will not be mirrored. People
simply do NOT type that into their browser. Just the same, people do not
type in 208.225.201.200 into their browser either. So if an IP does not
resolve, it isn't a valid defacement.

Please check all such boxes in your care and look for files named
default.asp, default.htm, index.asp, and index.htm containing the
string "PoizonBOx".
I also do not know what the exploit does to a compromised system. It is
possible, so far as I know at this point, for it to replace executable and
shared object library files, install services, and generally inveigle
itself throughout the system. So, at this point the only remedy I can
safely recommend is to reformat the hard drive and reinstall from scratch.
Everyone running Microsoft operating systems with IIS must get in the
habit of checking for and applying security patches at least weekly. I'm
attaching an email I sent to this list back in January that contains some
URLs to guide your review of the security of your IIS installations and
another URL to get a tool that automatically notifies you when new
security patches are available.

Anonymous access should only be enabled when absolutely necessary, and
then you must ensure that anonymous has the minimal privileges necessary,
and never has any write privileges under any circumstances. PASV mode (or
passive connection support) enables an ftp client to use the ftp server to
make connections to other computers on behalf of the client. This must
never be enabled for anonymous ftp users, and should generally be disabled
unless there is a specific reason to enable it. To disable, ensure that
the following registry setting is in effect:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters\EnablePortAttack = 0

2. IIS 4.x and 5.x web servers install with a default configuration that
enables several well-known hacker exploits. While I can't give a
one-size-fits-all configuration guideline, there are at least 2 steps you
should take:

i). Review the Microsoft-supplied security checklist and implement its
recommendations. For IIS 4.x the checklist is at:
<http://www.microsoft.com/technet/security/iischk.asp>
For IIS 5.x it's:
<http://www.microsoft.com/technet/security/iis5chk.asp>
Also, for IIS 5 on w2000, there's a tool that can configure it for you,
based on an interactive specification of what you need IIS to do for you.
I've never used this tool, so FWIW. It's at:
<http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19889>

ii). If you're running IIS 5, you should install the hotfix checker tool,
which automatically checks for new IIS security hotfixes and alerts you to
them (or can install them for you). It's at:
<http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168>

                                           PHEW! Cheers,
                                           George Sarr





Gambians Online " Designed With The Gambian People In Mind"
               http://www.gambiansonline.com
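The NIPC advisory quoted in the forwarded article asks administrators to inspect firewall logs for fragmented UDP packets aimed at port 80, and to read inbound hits as a possible DoS against the network and outbound hits as a sign that a local host is running a DDoS agent. The following Python script is an added example that is not part of the original message or of any NIPC tool; the key=value log format and the sample lines are constructed, so parse_line() would need adapting to a real firewall's format. It also handles the detail the advisory relies on: only the first fragment of a datagram carries the UDP header (and thus the port), so later fragments must be correlated by IP ID rather than filtered on dport alone.

```python
"""Find fragmented UDP datagrams aimed at port 80 in firewall log lines.

Added example (not from the original post). Log layout is constructed:
  <date> <time> <IN|OUT> key=value ...
Non-first fragments (frag>0) carry no UDP header and therefore no dport,
exactly as on the wire.
"""
import re
from collections import defaultdict

# Constructed sample log. Group id=4022 has no fragment 0 logged: the kind
# of "orphan" stream left behind when a filter drops the first fragment
# but passes the rest, as the NIPC warning describes.
SAMPLE_LOG = """\
2001-05-07 14:02:01 IN src=203.0.113.5 dst=192.0.2.10 proto=UDP id=4021 frag=0 more=1 len=1480 dport=80
2001-05-07 14:02:01 IN src=203.0.113.5 dst=192.0.2.10 proto=UDP id=4021 frag=1480 more=1 len=1480
2001-05-07 14:02:01 IN src=203.0.113.5 dst=192.0.2.10 proto=UDP id=4021 frag=2960 more=0 len=700
2001-05-07 14:02:02 IN src=203.0.113.5 dst=192.0.2.10 proto=UDP id=4022 frag=1480 more=1 len=1480
2001-05-07 14:02:02 IN src=203.0.113.5 dst=192.0.2.10 proto=UDP id=4022 frag=2960 more=0 len=700
2001-05-07 14:02:03 OUT src=192.0.2.44 dst=198.51.100.9 proto=UDP id=77 frag=0 more=1 len=1480 dport=80
2001-05-07 14:02:03 OUT src=192.0.2.44 dst=198.51.100.9 proto=UDP id=77 frag=1480 more=0 len=900
2001-05-07 14:02:04 IN src=198.51.100.20 dst=192.0.2.10 proto=TCP id=9 frag=0 more=0 len=60 dport=80
2001-05-07 14:02:05 IN src=198.51.100.21 dst=192.0.2.25 proto=UDP id=10 frag=0 more=0 len=78 dport=53
"""

LINE_RE = re.compile(r"^(\S+ \S+) (IN|OUT) (.*)$")


def parse_line(line):
    """Parse one constructed-format line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, direction, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": ts, "dir": direction, **fields}


def find_fragmented_udp80(text):
    """Return one finding per suspicious datagram (fragment group).

    Fragments are grouped by (direction, src, dst, IP id). A UDP group is
    reported when it is fragmented and either its first fragment says
    dport=80, or no first fragment was logged at all (orphan group; the
    port cannot be read, which is itself the evasion the advisory notes).
    """
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("proto") == "UDP":
            groups[(rec["dir"], rec["src"], rec["dst"], rec["id"])].append(rec)

    findings = []
    for (direction, src, dst, ipid), frags in groups.items():
        fragmented = len(frags) > 1 or any(
            f.get("more") == "1" or f.get("frag", "0") != "0" for f in frags)
        if not fragmented:
            continue
        first = [f for f in frags if f.get("frag") == "0"]
        if first and first[0].get("dport") != "80":
            continue  # fragmented UDP, but not aimed at port 80
        if direction == "IN":
            assessment = "possible denial of service against " + dst
        else:
            assessment = "host " + src + " may have a DDoS agent installed"
        findings.append({
            "direction": direction, "src": src, "dst": dst, "id": ipid,
            "fragments": len(frags), "orphan": not first,
            "assessment": assessment,
        })
    return findings


if __name__ == "__main__":
    for f in find_fragmented_udp80(SAMPLE_LOG):
        tag = " (first fragment never logged)" if f["orphan"] else ""
        print(f"{f['direction']:3} {f['src']} -> {f['dst']} id={f['id']} "
              f"frags={f['fragments']}: {f['assessment']}{tag}")
```

The outbound finding is the one to act on first, since it points at a host inside the perimeter; the orphan group shows why a rule that only matches dport=80 under-counts this traffic.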

----------------------------------------------------------------------------

To unsubscribe/subscribe or view archives of postings, go to the Gambia-L
Web interface at: http://maelstrom.stjohns.edu/archives/gambia-l.html
You may also send subscription requests to [log in to unmask]
if you have problems accessing the web interface and remember to write your full name and e-mail address.
----------------------------------------------------------------------------
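The sweep George asks for above (files named default.asp, default.htm, index.asp or index.htm that contain the string "PoizonBOx") as an added Python example; this is not code from the original message. The marker string and file names come from the post; the webroot path you pass (for example C:\Inetpub\wwwroot, the IIS default) and the constructed sample tree are assumptions.

```python
"""Sweep IIS document roots for defaced default pages.

Added example, not from the original post. Matches the file names and
marker string given in the message; the sample tree is constructed.
"""
import os
import tempfile

TARGET_NAMES = {"default.asp", "default.htm", "index.asp", "index.htm"}
MARKER = b"poizonbox"  # compared case-insensitively against file bytes


def scan_webroot(root):
    """Return sorted paths of target-named files whose bytes contain MARKER."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TARGET_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if MARKER in data.lower():
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root):
    """Write a constructed webroot: one clean site, two defaced sites, and a
    marker planted under a non-target name (a name-based sweep will not see
    it, which is why a hit should be treated as a host compromise, not just
    a page to restore)."""
    files = {
        "site1/default.htm": b"<html><body>Welcome to the council</body></html>",
        "site2/Default.asp": b"<html><body>0wned by PoizonBOx</body></html>",
        "site2/images/readme.txt": b"PoizonBOx",
        "site3/index.htm": b"<html>PoIzOnBoX was here</html>",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo():
    """Build the constructed tree in a temp dir and return hits relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.relpath(p, tmp) for p in scan_webroot(tmp)]


if __name__ == "__main__":
    for hit in demo():
        print("DEFACED:", hit)
    # On a real server: scan_webroot(r"C:\Inetpub\wwwroot")  (path is an assumption)
```

A clean sweep is not proof of a clean host: the sample readme.txt carries the marker but is never opened, because the check is by file name. Per the post, a positive hit means the box should be rebuilt, not just have its page restored.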
