Defacements Statistics 2010: Almost 1.5 million websites defaced
6/01/2011 Written by Marcelo Almeida (Vympel), Boris Mutina (Minor)
(reposted June 16, 2011)
Last year Zone-H archived a sad record number: 1.419.203 website defacements.
Why and how is this happening?
If you look at the stats, things remain the same: file inclusion, SQL injection, WebDAV attacks and shares misconfiguration are still at the top ranks of the attack methods used by defacers to gain first access to the server. As an important factor influencing the stats, we consider the fact that last year brought a very high number of local Linux kernel exploits.
Linux became the most-used OS for web servers many years ago and, of course, the preferred target for defacers. Last year we archived 1.126.987 attacks against websites running on Linux systems. The exploit most used by defacers is CVE-2010-3301, which was fixed in 2007 and mysteriously reintroduced in 2008 in a large pile of x86_64 kernel versions.
But is the out-of-date Linux server the only reason for this huge amount of defacements? Yes, and no.
We were talking about local kernel exploits, but the first problem is in the website code. For example, we received too many single defacements due to a remote upload flaw in the OsCommerce CMS that allows defacers to upload anything to the CMS folder without a proper credential check. When this flaw became public, the developers had more than enough time to fix it, but the fix appeared only a few months later. Pity.
Year after year, developers are still coding unsafely, leaving tons of remote and local file inclusions and SQL injections that attackers use as the first step to gain access to the server OS.
Another problem with an out-of-date system is that old kernel versions also indicate that other packages (sometimes also misconfigured) are out of date, which allows privilege escalation through the access that services and users have.
But we should not speak only about Linux servers. Windows servers are also in the stats, (not) surprisingly still hacked through the same flaws as in the year 2000 and earlier. Every year we also record a high number of WebDAV and shares misconfiguration attacks. For WebDAV there are tons of updates, and for shares too; administrators just need to get their hands on them and update and/or change the configuration.
From the results one outcome is clear: code developer teams and web server admins are still living in two distinct worlds. And if something is not working properly, their answer is that this is most likely the other side's fault. While this "fight" continues, the defacement count keeps growing.
If you have any comments, send them to comments@zone-h.org

| Attacks by month | Year 2010 |
| Jan | 53.915 |
| Feb | 57.867 |
| Mar | 73.712 |
| Apr | 95.078 |
| May | 83.182 |
| Jun | 81.865 |
| Jul | 87.364 |
| Aug | 63.367 |
| Sep | 185.741 |
| Oct | 194.692 |
| Nov | 258.355 |
| Dec | 184.064 |

| Special attacks by month | Year 2010 |
| Jan | 891 |
| Feb | 1.851 |
| Mar | 1.228 |
| Apr | 1.361 |
| May | 1.693 |
| Jun | 1.711 |
| Jul | 1.198 |
| Aug | 1.411 |
| Sep | 1.265 |
| Oct | 1.463 |
| Nov | 1.227 |
| Dec | 1.576 |
| Total | 16.875 |

| Single attacks by month | Year 2010 |
| Jan | 10.332 |
| Feb | 10.936 |
| Mar | 11.908 |
| Apr | 14.333 |
| May | 12.496 |
| Jun | 15.352 |
| Jul | 13.762 |
| Aug | 13.449 |
| Sep | 16.559 |
| Oct | 13.366 |
| Nov | 32.829 |
| Dec | 24.316 |
| Total | 189.638 |

| Mass attacks by month | Year 2010 |
| Jan | 43.583 |
| Feb | 46.931 |
| Mar | 61.804 |
| Apr | 80.745 |
| May | 70.686 |
| Jun | 66.513 |
| Jul | 73.602 |
| Aug | 49.918 |
| Sep | 169.182 |
| Oct | 181.326 |
| Nov | 225.526 |
| Dec | 159.748 |
| Total | 1.229.564 |

| Operating System | Year 2010 |
| Linux | 1.126.987 |
| Windows 2003 | 197.822 |
| FreeBSD | 46.992 |
| Win 2008 | 15.083 |
| F5 Big-IP* | 14.000 |
| Unknown | 7.840 |
| Win 2000 | 6.097 |
| Solaris 9/10 | 2.373 |
| MacOSX | 1.038 |
| Citrix Netscaler* | 232 |
| Win NT9x | 221 |
| Win XP | 196 |
| NetBSD/OpenBSD | 99 |
| HP-UX | 73 |
| IRIX | 47 |
| SCO UNIX | 22 |
| Unix | 15 |
| Solaris/SunOS | 13 |
| BSDOS | 12 |
| Solaris 8 | 11 |
| OpenBSD | 8 |
| Compaq Tru64 | 5 |
| Compaq OS2 | 5 |
| OS390 | 3 |
| MacOS | 3 |
| AIX | 3 |
| NovellNetware | 1 |
| AS/400 | 1 |

| Web server defaced | Year 2010 |
| Apache | 1.095.982 |
| IIS/6.0 | 195.154 |
| nginx | 40.640 |
| LiteSpeed | 37.795 |
| Zeus | 14.111 |
| Unknown | 10.763 |
| IIS/7.0 | 10.433 |
| IIS/5.0 | 6.109 |
| IIS/7.5 | 4.002 |
| NOYB* | 2.083 |
| lighttpd | 733 |
| YTS* | 306 |
| IdeaWebServer | 305 |
| IIS/5.1 | 196 |
| IIS/4.0 | 141 |
| WebSitePro | 59 |
| Microsoft-HTTPAPI | 52 |
| Rapidsite | 51 |
| IBM HTTP SERVER | 38 |
| SunONE WebServer | 37 |
| ConcentricHost-Ashurbanipal* | 21 |
| Squid | 21 |
| Cherokee | 20 |
| Zope | 15 |
| DinaHTTPd Server | 13 |
| Resin | 11 |
| Silver Stream Server | 10 |
| Sun-Java-System-Web-Server/7.0 | 10 |
| exteNd Application Server | 10 |
| Netscape-Enterprise | 9 |
| DataPalm | 6 |
| Allegro-Software-RomPager | 6 |
| IceWarp | 5 |
| AOL server | 5 |
| Abyss* | 3 |
| Sun Java System Application Server 9.1_02 | 3 |
| HP-ChaiServer | 3 |
| GHS* | 2 |
| Jetty* | 2 |
| GWS* | 2 |
| Sun Java System Web Server 6.1 | 2 |
| Roxen* | 1 |
| Caudium* | 1 |
| Squeegit | 1 |
| Lasso | 1 |
| Net Port Software 1.1 | 1 |
| NetWare-Enterprise-Web-Server | 1 |
| 4D_WebSTAR_S | 1 |
| OmniHTTPd | 1 |
| SAMBAR | 1 |
| Oracle AS | 1 |

| Attack Method | Year 2010 |
| File Inclusion | 634.620 |
| Attack against the administrator/user (password stealing/sniffing) | 220.521 |
| Other Web Application bug | 124.878 |
| SQL Injection | 98.250 |
| Not available | 91.402 |
| Known vulnerability (i.e. unpatched system) | 42.849 |
| Undisclosed (new) vulnerability | 25.552 |
| Other Server intrusion | 19.528 |
| Web Server intrusion | 18.976 |
| FTP Server intrusion | 15.619 |
| SSH Server intrusion | 15.214 |
| Configuration / admin. mistake | 13.901 |
| URL Poisoning | 13.191 |
| Remote administrative panel access through bruteforcing | 12.132 |
| Brute force attack | 10.145 |
| Shares misconfiguration | 9.530 |
| RPC Server intrusion | 7.911 |
| Telnet Server intrusion | 7.530 |
| Web Server external module intrusion | 7.368 |
| Mail Server intrusion | 6.260 |
| Social engineering | 4.776 |
| DNS attack through cache poisoning | 3.689 |
| DNS attack through social engineering | 2.878 |
| Rerouting after attacking the Firewall | 2.550 |
| Rerouting after attacking the Router | 2.458 |
| Remote service password bruteforce | 1.987 |
| Remote service password guessing | 1.917 |
| Access credentials through Man In the Middle attack | 1.752 |
| Remote administrative panel access through social engineering | 992 |
| Remote administrative panel access through password guessing | 849 |

| Attack Reason | Year 2010 |
| Heh…just for fun! | 829.975 |
| I just want to be the best defacer | 289.630 |
| Not available | 94.017 |
| Patriotism | 58.970 |
| Political reasons | 57.083 |
| Revenge against that website | 45.093 |
| As a challenge | 44.457 |

Linux vs. Windows
| Year | Total defacements Linux (all distros) | Total defacements Windows (all versions) |
| 2000 | 931 | 2.587 |
| 2001 | 4.080 | 13.549 |
| 2002 | 22.693 | 43.441 |
| 2003 | 191.720 | 58.571 |
| 2004 | 247.113 | 119.402 |
| 2005 | 276.294 | 179.945 |
| 2006 | 446.039 | 258.129 |
| 2007 | 305.968 | 139.427 |
| 2008 | 352.449 | 141.061 |
| 2009 | 378.728 | 143.151 |
| 2010 | 1.126.987 | 219.419 |
| Total | 3.076.889 | 1.318.682 |


