Warning and General Disclaimer
What is a defacement?
A web defacement is when the content of a public web page is altered by someone other
than the legitimate person responsible for the machine or pages. This is regardless
of reasons or motivation. In simple terms, if someone types a URL into their browser
and sees anything but the legitimate page, this is a defacement. One factor that is
often forgotten by some (defacers) is that the page must be seen by legitimate users
for it to be a defacement. Web surfers do not view IP addresses, obscure named servers
that had nothing but a default IIS or Apache page, etc. We make the decision of what
to mirror based on whether we think there is already legitimate traffic to the machine
that has been reported to us. Therefore, s3k128nsdl39.state.home.com type machines will
not be mirrored. People simply do NOT type that into their browser. Just the same,
people do not type in 208.225.201.200 into their browser either. So if an IP does
not resolve, it isn't a valid defacement.
Defacing is not about getting your name up on this mirror as often as possible. If that
is your intent, we may refuse to post your mirrors on our page. We will keep track
of them for statistics, but we will not help you use us as a glory board. Running precanned
scripts against thousands of hosts an hour is NOT hacking. You are NOT cool. No one is
impressed with you. It is sad enough that most defacements are done with skills exhibited
in zoo trained monkeys.
How we work:
How do you mirror? How do you hear of defacements?
Many people ask how we learn of the defacements, especially so quickly. In most cases, the person(s) responsible for the defacement send mail to hacked@attrition.org with a domain name and sometimes a piece of the page. The staff members of Attrition receive this mail and take the mirror as soon as we can. Sometimes this comes seconds after the defacement occurred. To take the mirror, we use a custom utility called aget that utilizes NMAP, wget, and other tools to copy the information needed. aget will use three methods to determine the remote operating system and web server, take a copy of the hacked page, and immediately post to the defaced mail list.
Between once and several times a day, one of the staff members updates the actual mirror most people are familiar with.
Who gets notified of defacements?
Our aget utility automatically sends notification of the defacement to the Internic contacts of the defaced site. aget also sends email to the defaced mailing list. The email sent to the defaced mailing list includes publicly available information, such as the name that was tagged on the defaced page, the operating system and server software of the defaced site, and other such information that was available on the defaced page itself. That same mail is also sent to the National Infrastructure Protection Center (NIPC), a division of the FBI, as well as to the appropriate Computer Emergency Response Team (CERT), based on country.
The email sent to defaced-at-attrition.org (and also to NIPC and the relevant
CERT) does -not- contain personal information, the email address or email
headers of the person who notified us of the defacement, information on
how we were contacted or informed of the defacement, or any other data
that was not already public information at the time of the defacement. In
order for law enforcement to obtain that information, we must receive a
federal subpoena.
If you are a defacer and are concerned about this, simply take privacy matters into your own hands. Don't mail us from providers that report your IP address in the mail headers. Don't include anything in the mail that claims you were responsible -- we do not ever make the assumption that the person who notified us was responsible for the defacement. Use some common sense, take some basic protective measures. Alternatively, don't deface web pages if you don't want people knowing you've owned their server.
Why do you notify those people?
Various reasons. We notify the Internic contact of the defaced domain because we feel it's the ethical thing to do. We notify NIPC to help with their crime statistics, and because we are obligated by law to do so, lest we be implicated in the crime as well. We notify the relevant CERT for similar reasons.
The crux of this, however, comes back to the same reason we won't remove a site from the mirror. Attrition's mirror does not exist for the glorification of defacers or the ridicule of administrators. Attrition's mirror is a service for historical understanding of trends in defacements and a tool for statistical gathering. A defacement is a public incident. By defacing a web page, a system intruder makes it public knowledge that the server in question is owned. Attrition disseminates and records public information about a web site's defacement.
What happens from there comes down to the skills of the defacer, the administrator, and law enforcement...and does not pertain to us.
Statistics
One purpose of this archive is to help generate useful and interesting statistics on hacker activity. As time progresses, we will begin to track more and more statistics. These range from how many domains are defaced a day, how many each group has done, how many use obscenity, and more. If you have suggestions for statistics we can generate to help you, feel free to mail us.
Mass Hack
Many systems virtually host other domains. Some large companies host thousands of domains on a single machine. Oftentimes, when intruders compromise the machine, they will change not only the main corporate page, but all hosted pages as well. This is known as a 'mass hack' and involves two or more domains. Typically, these defacements occur such that the same altered page is found on each virtually hosted domain.
Hidden Comments
HTML allows you to embed comments into the code. This is done with a special tag that looks like <!-- comment -->. Hackers often use this to leave a 'hidden' message. To see these, use your browser to "view source".
Why don't you report the vulnerability?
People often ask why we don't list the vulnerability in the site. While it is true that we often have a good idea what was vulnerable and exploited based on the operating system and pattern of the hackers, we absolutely will NOT provide this information on the mirror. If we post this information after a defacement, it gives anyone viewing our mirror the site and vulnerability, with no guarantee the hole has been patched. In essence, we would effectively be pointing out STILL exploitable vulnerabilities in a system. The liability and legal implications of this are obvious. This, combined with the vulnerability still being speculation, is plenty of reason not to include it. However, administrators contacting us from the defaced domain (or from NIC contact addresses) are welcome to, and we will be glad to share our speculation and offer advice on fixing the problem.
Other Flags
K - Kevin: Many defaced pages include some sort of reference to the 'Free Kevin' movement. For more information on this, visit www.freekevin.com.
B - Banking Institution
S - Computer Security related
N - News Outlet
P - Police or law enforcement
R - Church or religious institution
X - Adult Oriented Site
Y - Youth Organizations (Scouts, etc)
* - Attrition Commentary
Articles Accompany Mirror
As we learn about news articles that cover defacements, we include them along with the mirror. This column indicates we link to more information on the defacement. If you find any articles that you feel we missed, please don't hesitate to mail us about them.
Redefacing
The act of redefacing domains is probably the most pathetic thing that can be done in the script kiddy world. Because of our concerns that people use our mirror to find vulnerable domains and redeface pages shortly after they are reported here, we are no longer reporting redefaced domains. We WILL continue to mirror them and factor them into our statistics, but they will not be listed on our main mirror.
Operating System Abbreviations
The OS column indicates what OS was being used during the time of defacement. If an abbreviation isn't listed here, then it has not been encountered to date. Monthly stats have been generated.
Abbr | Operating System
Ax | AIX
Bf | FreeBSD
Bo | OpenBSD
Bn | NetBSD
BI | BSDI
HP | HPUX
Ir | IRIX
So | Solaris
NT | Windows (NT/Win95/98)
OS | Digital OSF1
Sc | SCO
MO | MacOS
DG | Digital UNIX
MX | MacOSX
Bp | Power BSD
Li | Linux (unknown distribution)
Lr | Linux (RedHat)
Ls | Linux (Slackware)
Lu | Linux (SuSE)
Lc | Linux (Caldera)
Lm | Linux (Mandrake)
Lb | Linux (Cobalt)
La | Linux (ALZZA)
Ld | Linux (Debian)
NW | NetWare
C6 | Compaq Tru64 Unix
UN | Generic Unix
2k | Windows 2000
Su | SunOS
Lv | Vine Linux
Lt | Conectiva Linux
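The following is an added example, not Attrition's aget or any code from this page, covering the 'Mass Hack' and 'Hidden Comments' sections above: given a handful of constructed defacement reports (invented domains, addresses and page text), it pulls out the hidden HTML comments a defacer may have left and groups reports into mass hacks as the FAQ defines them, two or more domains on one machine carrying the same altered page.

```python
"""Added example (not Attrition's aget): hidden-comment extraction and
mass-hack grouping over constructed mirror records."""
from collections import defaultdict
from hashlib import sha256
from html.parser import HTMLParser

# Constructed sample reports: (domain, resolved IP, captured page source).
# All domains, addresses and page text here are invented for this example.
REPORTS = [
    ("www.example-corp.test", "192.0.2.10",
     "<html><!-- owned by sample-crew --><body>Hacked!</body></html>"),
    ("shop.example-corp.test", "192.0.2.10",
     "<html><!-- owned by sample-crew --><body>Hacked!</body></html>"),
    ("blog.example-corp.test", "192.0.2.10",
     "<html><!-- owned by sample-crew --><body>Hacked!</body></html>"),
    ("www.other-site.test", "198.51.100.7",
     "<html><body>Defaced <!--greetz--> by someone else</body></html>"),
    ("www.single.test", "203.0.113.5",
     "<html><body>Hacked!</body></html>"),
]


class CommentCollector(HTMLParser):
    """Collects <!-- ... --> comments, the 'hidden' messages the FAQ mentions."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data.strip())


def hidden_comments(page_source):
    """Return every HTML comment in the captured page, whitespace-trimmed."""
    parser = CommentCollector()
    parser.feed(page_source)
    return parser.comments


def page_fingerprint(page_source):
    """Hash of the page with whitespace collapsed, to compare altered pages."""
    return sha256(" ".join(page_source.split()).encode()).hexdigest()


def mass_hacks(reports):
    """Group reports by (machine IP, page fingerprint); a mass hack is any
    group with two or more domains. Returns [(ip, sorted domains), ...]."""
    groups = defaultdict(list)
    for domain, ip, source in reports:
        groups[(ip, page_fingerprint(source))].append(domain)
    return sorted((ip, sorted(doms)) for (ip, _), doms in groups.items()
                  if len(doms) >= 2)


if __name__ == "__main__":
    for domain, _, source in REPORTS:
        print(domain, hidden_comments(source))
    print(mass_hacks(REPORTS))
```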
Linking To Us
You may have seen sites like HNN, SecurityFocus, or NTSecurity Net linking directly to the mirrors here. We offer no front end to do this. The sites doing this have implemented their own front end solutions to offer their viewers the links. We fully encourage sites to do this, but we only offer third-party utilities to do this. Media outlets, feel free to link to us to support your story. Link directly to the mirror and/or to our main site. Direct credit is not required, but appreciated.
Other sites that utilize 'recent' links: MindSec, Cyber Army, AntiOnline Eye, Interrorem News
nph-attrition1.pl by webmaster-at-cyberarmy.com
nph-attrition2.pl by bansh33-at-r00tabega.com
nph-attrition.cgi by webmaster-at-cyberarmy.com
nph-attrition.php by Max-at-Wackowoh.com
nph-attrition.py by mystik-at-twoteeth.net
Will you remove a site from the mirror?
On several occasions, Attrition has been asked if we will remove a
mirrored defacement. In many cases, a site's administrator feels that
since the defacement has been removed from the original site and the
security hole has been patched, it's only appropriate that the mirror of
the site come down as well.
While this is certainly understandable, Attrition will not remove mirrors
of legitimately defaced web pages. There are several reasons for this --
primarily, Attrition's mirror is a service to the security community, just
as a news outlet is. We report on defaced sites. As part of our
reporting, we gather statistics, serve as a record, and even act as
evidence.
Attrition's statistics, for instance, are a very valuable part of the
service we provide. Our staff are widely quoted in news media on the
subject of web page defacement and current trends in intrusion, and we
have been invited to speak at security conferences on the subject. We are
the most comprehensive and widely-known source for reporting web page
defacements, and not surprisingly the statistics we generate are valuable.
To remove a legitimate defacement at the admin's request compromises the
integrity of our statistics, as we are no longer preserving the original
data on which our statistical conclusions are drawn...and through such
action, that part of our service becomes worthless.
Attrition's defacement mirror also acts as a historical record of
defacements over time. It can only serve its function if it remains an
unadulterated, unabashed, and unalterable historical record. By making an
exception for one site, we would open ourselves to doing the same for all
sites -- we would allow any mirror to be removed by simple request, and
the historic nature of this database and the information it preserves
would be irrevocably meaningless.
Moreover, our defacement mirror is often utilized by law enforcement
agencies during the course of an investigation. Not only could the
removal of a site's defacement in our mirror conceivably be construed as
destruction of evidence, it would also render our mirror an unreliable
source of information for law enforcement in general. This also ties into
the historical and statistical value of the mirror, since both facets of
this service are valuable to law enforcement.
Most importantly, though, is our ethical stance on the subject -- what our
mirror means to us. We feel that the security of the Internet itself is
the responsibility of those who use it, and each individual server that is
open to attack is a liability to the Internet as a whole. Too many
web sites, for fear of bad public relations, go to great lengths to keep
security incidents secret...often greater lengths than are taken to
actually secure their servers. This has far-reaching consequences if the
site is a commercial one with paying customers whose data may be at risk
to unauthorized access. If a site has been compromised and defaced, we
feel it is irresponsible to sweep the incident under the carpet as if it
had not happened. To remove a defacement would, we feel, violate our own
ethical stance regarding this tendency to hide or deny security incidents.
That said, we do understand and sympathize with the administrators of
defaced servers. If we can assist in any way with the recovery or
security of a defaced site, we're glad to help; simply notify
staff-at-attrition.org.
Who References This Mirror?
A number of news organizations utilize this mirror for statistics, reference, and articles: 20/20, Associated Press, CNet News.com, Singapore CNet, Boston Globe, CNN, Currents/Newsbytes, Dallas News, Deandreis (IT), E-Commerce Times, Geek News, Heise (DE), Irish Times, ISN, Maximum PC, MSNBC, Nettavisen (NO), Network Computing, Newsbytes, News Trolls, Nikkei Business Publication, ZDNet PCWeek, Planet (NL), Prosieben (DE), The Register, Sun Microsystems, Tec Channel (DE), USA Today, US News, WinMag, Wired, Yahoo News, ZDTV, ZDNet
Contacting Us about the Mirror