Warning and General Disclaimer
What is a defacement?
A web defacement is when the content of a public web page is altered by someone other than the legitimate person responsible for the machine or pages. This is regardless of reasons or motivation. In simple terms, if someone types a URL into their browser and sees anything but the legitimate page, this is a defacement. One factor that is often forgotten by some (defacers) is that the page must be seen by legitimate users for it to be a defacement. Web surfers do not view IP addresses, obscure named servers that had nothing but a default IIS or Apache page, etc. We make the decision of what to mirror based on whether we think there is already legitimate traffic to the machine that has been reported to us. Therefore, s3k128nsdl39.state.home.com type machines will not be mirrored. People simply do NOT type that into their browser. Just the same, people do not type in 188.8.131.52 into their browser either. So if an IP does not resolve, it isn't a valid defacement.
Defacing is not about getting your name up on this mirror as often as possible. If that is your intent, we may refuse to post your mirrors on our page. We will keep track of them for statistics, but we will not help you use us as a glory board. Running precanned scripts against thousands of hosts an hour is NOT hacking. You are NOT cool. No one is impressed with you. It is sad enough that most defacements are done with skills exhibited in zoo trained monkeys.
How we work:
How do you mirror? How do you hear of defacements?
Many people ask how we learn of the defacements, especially so quickly. In most cases, the person(s) responsible for the defacement send mail to email@example.com with a domain name and sometimes a piece of the page. The staff members of Attrition receive this mail and take the mirror as soon as we can. Sometimes this comes seconds after the defacement occured. To take the mirror, we use a custom utility called aget that utilizes NMAP, wget, and other tools to copy the information needed. aget will use three methods to determine the remote operating system and web server, take a copy of the hacked page, and immediately post to the defaced mail list. Between once and several times a day, one of the staff members updates the actual mirror most people are familiar with.
Timeline of events:
Who gets notified of defacements?
Our aget utility automatically sends notification of the defacement to the Internic contacts of the defaced site. aget also sends email to the defaced mailing list. The email sent to the defaced mailing list includes publically available information, such as the name that was tagged on the defaced page, the operating system and server software of the defaced site, and other such information that was available on the defaced page itself. That same mail is also sent to the National Infrastructure Protection Center (NIPC), a division of the FBI, as well as to the appropriate Computer Emergency Response Team (CERT), based on country. The email sent to firstname.lastname@example.org (and also to NIPC and the relevant CERT) does -not- contain personal information, the email address or email headers of the person who notified us of the defacement, information on how we were contacted or informed of the defacement, or any other data that was not already public information at the time of the defacement. In order for law enforcement to obtain that information, we must receive a federal subpoena.
If you are a defacer and are concerned about this, simply take privacy matters into your own hands. Don't mail us from providers that report your IP address in the mail headers. Don't include anything in the mail that claims you were responsible -- we do not ever make the assumption that the person who notified us was responsible for the defacement. Use some common sense, take some basic protective measures. Alternately, don't deface web pages if you don't want people knowing you've owned their server.
Why do you notify those people?
The crux of this, however, comes back to the same reason we won't remove
a site from the mirror. Attrition's mirror does not exist for the
glorification of defacers or the ridicule of administrators. Attrition's
mirror is a service for historical understanding of trends in defacements
and a tool for statistical gathering. A defacement is a public incident.
By defacing a web page, a system intruder makes it public knowledge that
the server in question is owned. Attrition disseminates and records
public information about a web site's defacement.
What happens from there comes down to the skills of the defacer, the
administrator, and law enforcement...and does not pertain to us.
Why don't you report the vulnerability?
Articles Accompany Mirror
Operating System Abbreviations
Various reasons. We notify the Internic contact of the defaced domain because we feel it's the ethical thing to do. We notify NIPC to help with their crime statistics, and because we are obligated by law to do so, lest we be implicated in the crime as well. We notify the relevant CERT for similar reasons.
One purpose of this archive is to help generate useful and interesting statistics on hacker activity. As time progresses, we will begin to track more and more statistics. These range from how many domains are defaced a day, how many each group has done, how many use obscenity, and more. If you have suggestions for statistics we can generate to help you, feel free to mail us.
Many systems virtually host other domains. Some large companies host thousands of domains on a single machine. Often times when intruders compromise the machine, they will change not only the main corporate page, but all hosted pages as well. This is known as a 'mass hack' and involves two or more domains. Typically, these defacements occur so the same altered page is found on each virtually hosted domain.
HTML allows you to embed comments into the code. This is done with a special tag that looks like <!-- comment -->. Hackers often use this to leave a 'hidden' message. To see these, use your browser to "view source".
People often ask why we don't list the vulnerability in the site. While it is true that we often have a good idea what was vulnerable and exploited based on the operating system and pattern of the hackers, we absolutely will NOT provide this information on the mirror. If we post this information after a defacement, it gives anyone viewing our mirror the site and vulnerability, with no guarantee the hole has been patched. In essence, we would effectively be pointing out STILL exploitable vulnerabilities in a system. The liability and legal implications of this are obvious. This combined with the the vulnerability still being speculation is plenty of reason not to include it. However, administrators contacting us from the defaced domain (or from NIC contact addresses) are welcome to, and we will be glad to share our speculation and offer advice on fixing the problem.
K - Kevin: Many defaced pages include some sort of reference to the 'Free Kevin' movement. For more information on this, visit www.freekevin.com.
B - Banking Institution
S - Computer Security related
N - News Outlet
P - Police or law enforcement
R - Church or religious institution
X - Adult Oriented Site
Y - Youth Organizations (Scouts, etc)
* - Attrition Commentary
As we learn about news articles that cover defacements, we include them along with the mirror. This column indicates we link to more information on the defacement. If you find any articles that you feel we missed, please don't hesitate to mail us about them.
The act of redefacing domains is probably the most pathetic thing that can be done in the script kiddy world. Because of our concerns that people use our mirror to find vulnerable domains and redeface pages shortly after they are reported here, we are no longer reporting redefaced domains. We WILL continue to mirror them and factor them into our statistics, but they will not be listed on our main mirror.
The OS column indicates what OS was being used during the time of defacement. If an abbreviation isn't listed here, then it has not been encountered to date. Monthly stats have been generated.
The crux of this, however, comes back to the same reason we won't remove a site from the mirror. Attrition's mirror does not exist for the glorification of defacers or the ridicule of administrators. Attrition's mirror is a service for historical understanding of trends in defacements and a tool for statistical gathering. A defacement is a public incident. By defacing a web page, a system intruder makes it public knowledge that the server in question is owned. Attrition disseminates and records public information about a web site's defacement.
What happens from there comes down to the skills of the defacer, the administrator, and law enforcement...and does not pertain to us.
Why don't you report the vulnerability?
Articles Accompany Mirror
Operating System Abbreviations
|NT||Windows (NT/Win95/98)||OS||Digital OSF1|
|Bp||Power BSD||Li||Linux (unknown distribution)|
|Lr||Linux (RedHat)||Ls||Linux (Slackware)|
|Lu||Linux (SuSE)||Lc||Linux (Caldera)|
|Lm||Linux (Mandrake)||Lb||Linux (Cobalt)|
|La||Linux (ALZZA)||Ld||Linux (Debian)|
|NW||NetWare||C6||Compaq Tru64 Unix|
|UN||Generic Unix||2k||Windows 2000|
Linking To Us
You may have seen sites like HNN, SecurityFocus, or NTSecurity Net linking directly to the mirrors here. We offer no front end to do this. The sites doing this have implemented their own front end solutions to offer their viewers the links. We fully encourage sites to do this, but we only offer third party utilities to do this. Media outlets, feel free to link to us to support your story. Link directly to the mirror and/or to our main site. Direct credit is not required, but appreciated.
Other sites that utilize 'recent' links: MindSec,
nph-attrition1.pl by email@example.com
nph-attrition2.pl by firstname.lastname@example.org
nph-attrition.cgi by email@example.com
nph-attrition.php by Max@Wackowoh.com
nph-attrition.py by firstname.lastname@example.org
Will you remove a site from the mirror?
On several occasions, Attrition has been asked if we will remove a mirrored defacement. In many cases, a site's administrator feels that since the defacement has been removed from the original site and the security hole has been patched, it's only appropriate that the mirror of the site come down as well.
While this is certainly understandable, Attrition will not remove mirrors of legitimately defaced web pages. There are several reasons for this -- primarily, Attrition's mirror is a service to the security community, just as a news outlet is. We report on defaced sites. As part of our reporting, we gather statistics, serve as a record, and even act as evidence.
Attrition's statistics, for instance, are a very valuable part of the service we provide. Our staff are widely quoted in news media on the subject of web page defacement and current trends in intrusion, and we have been invited to speak at security conferences on the subject. We are the most comprehensive and widely-known source for reporting web page defacements, and not surprisingly the statistics we generate are valuable. To remove a legitimate defacement at the admin's request compromises the integrity of our statistics, as we are no longer preserving the original data on which our statistical conclusions are drawn...and through such action, that part of our service becomes worthless.
Attrition's defacement mirror also acts as a historical record of defacements over time. It can only serve its function if it remains an unadultered, unabashed, and unalterable historical record. By making an exception for one site, we would open ourselves to doing the same for all sites -- we would allow any mirror to be removed by simple request, and the historic nature of this database and the information it preserves would be irrevocably meaningless.
Moreover, our defacement mirror is often utilized by law enforcement agencies during the course of an investigation. Not only could the removal of a site's defacement in our mirror conceivably be construed as destruction of evidence, it would also render our mirror an unreliable source of information for law enforcement in general. This also ties into the historical and statistical value of the mirror, since both facets of this service are valuable to law enforcement.
Most importantly, though, is our ethical stance on the subject -- what our mirror means to us. We feel that the security of the Internet itself is the responsibility of those who use it, and each individual server that is open to attack is a liability to the Internet as a whole. Too many web sites, for fear of bad public relations, go to great lengths to keep security incidents secret...often greater lengths than are taken to actually secure their servers. This has far-reaching consequences if the site is a commercial one with paying customers whose data may be at risk to unauthorized access. If a site has been compromised and defaced, we feel it is irresponsible to sweep the incident under the carpet as if it had not happened. To remove a defacement would, we feel, violate our own ethical stance regarding this tendency to hide or deny security incidents.
That said, we do understand and sympathize with the administrators of defaced servers. If we can assist in any way with the recovery or security of a defaced site, we're glad to help; simply notify email@example.com.
Who References This Mirror?
A number of news organizations utilize this mirror for statistics, reference, and articles: 20/20, Associated Press, CNet News.com, Singapore CNet, Boston Globe, CNN, Currents/Newsbytes, Dallas News, Deandreis (IT), E-Commerce Times, Geek News, Heise (DE), Irish Times, ISN, Maximum PC, MSNBC, Nettavisen (NO), Network Computing, Newsbytes, News Trolls, Nikkei Business Publication, ZDNet PCWeek, Planet (NL), Prosieben (DE), The Register, Sun Microsystems, Tec Channel (DE), USA Today, US News, WinMag, Wired, Yahoo News, ZDTV, ZDNet
Contacting Us about the Mirror