[WEB SECURITY] Web Attacks Soar

Ryan Barnett rcbarnett at gmail.com
Wed May 11 17:36:46 EDT 2005


SANS included this story in last week's NewsBites Vol. 7 Num. 18
email.  I was contacted by them to comment on the validity of the
numbers presented.

**************************************************
STATISTICS, STUDIES AND SURVEYS
 --Web Server Attacks and Web Site Defacements Up Thirty-Six Percent
(27/26 April 2005)
A report from security firm Zone-H finds that web server attacks and web
site defacements increased by 36% the last year, from 251,000 in 2003
to 392,545 in 2004.  According to the report, 2,500 web servers are
successfully attacked every day.
http://www.theregister.co.uk/2005/04/27/zone-h_defacement_survey/print.html
http://www.newsfactor.com/story.xhtml?story_id=33523
[Editor's Comment (Guest editor, Ryan Barnett): These stats are a bit
inflated since they are tracking solely on individual domains defaced.
More often than not, the defacers are executing mass defacements using
a single vulnerability on a server.  The problem is that that server may
be hosting hundreds of other virtual web sites.  Once the defacers get
a foothold in one virtual host, they can infect others.
(Pescatore): I think Zone-H also counts chat board defacement as a web
site defacement. A lot of discussion groups have very loose sysop
control - technically they are defacements when someone takes over the
board, but it is sort of like counting demolition derby crashes in NHTSA
auto safety statistics.]
**************************************************

As for the most common tricks, it appears that the PHPBB bug is the
most widely used.  If you check out their defacement notification form
page - http://www.zone-h.com/en/defacements/notify - you will see that
they put up this warning message:

PLEASE NOTE THAT WE WILL TRASH ALL THE NOTIFICATIONS CONTAINING FAKE
DATA, FOR EXAMPLE NOTIFICATIONS REPORTING WEB SERVER ATTACK WHEN
ACTUALLY THE INTRUSION WAS A MERE PHPBB HACK.

The fact that they had to put that message on the site should be a
clear indicator that it is the #1 used method.

Here are the other methods of defacement that the defacer can select
when filling out the form -

Access credentials through Man In the Middle attack
Attack against the administrator/user (password stealing/sniffing)
DNS attack through cache poisoning
DNS attack through social engineering
File Inclusion
FTP Server intrusion
Mail Server intrusion
Not available
Other Server intrusion
Other Web Application bug
Remote administrative panel access through bruteforcing
Remote administrative panel access through password guessing
Remote administrative panel access through social engineering
Remote service password bruteforce
Remote service password guessing
Rerouting after attacking the Firewall
Rerouting after attacking the Router
RPC Server intrusion
Shares misconfiguration
SQL Injection
SSH Server intrusion
Telnet Server intrusion
URL Poisoning
Web Server external module intrusion
Web Server intrusion

http://www.zone-h.com/en/stats has some stats on the breakdown of the
percentages of attack methods.

-- 
Ryan C. Barnett
Web Application Security Consortium (WASC) Member
SANS Instructor: Securing Apache
GCIA, GCFA, GCIH, GCUX, GSEC

On 5/11/05, Caleb Sima <csima at spidynamics.com> wrote:
>
> http://www.theregister.co.uk/2005/04/27/zone-h_defacement_survey/
>
> " Roberto Preatoni, founder of zone-h, told El Reg that PHP bugs and SQL
> injection attacks were the most common tricks used by hackers in order to
> access to vulnerable systems. "
>
> About 2-3 years behind the times.. still it's nice to know this is now the
> hot topic plus it has some decent stats
>
> Caleb Sima
> CTO & Founder
> S.P.I. Dynamics, Inc.
> Cell.: 678.907.4100
> EMail: csima at spidynamics.com
> URL..: www.spidynamics.com
> Start Secure. Stay Secure.
> Security Assurance Throughout the Application Lifecycle
> 
>

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/


