Server hacked by ertuqrul...

A few days ago I was searching for information when I came across a website that was defaced. The only evidence of the crime on the page was a title text where the hacker left his signature "hacked by ertuqrul" (picture below).



No, I will not reveal the site's name. ;-)

I Googled the name "ertuqrul" and found that the website I visited was not the only one attacked by this person.

I believe that this page was a victim of a SQL Injection attack. Input fields on this server lack any serious input validation. When performing a simple test, I received a standard error, which is usually a strong indicator that SQL Injection is possible.


I tried to contact the owners of the website through the regular e-mail addresses such as webmaster@...si and info@...si, which are defined in RFC 2142. Both times I received a Non Delivery Report (NDR) indicating that these mailboxes do not exist. I finally found an e-mail address on the website that worked. I also notified SI-CERT just in case...

A few thoughts:

  • If you own a web server or web site, make sure it is secure. If the site has any input fields, validate the data passed to the server on the server side, and hand it to the database through parameterized queries instead of building SQL strings from it. Note that client-side validation is not (!!!) enough: an attacker sends requests directly to the server and never runs your JavaScript
  • Make sure that general e-mail addresses such as webmaster, postmaster, hostmaster, abuse, etc. are valid and monitored

Hijacked servers are not only bad for the owner's reputation. They can also be very dangerous for any visitor who comes across them: the attacker could include malicious code in the pages and infect the visitor's computer. As demonstrated earlier this year at the RSA Conference in San Francisco, such attacks can be platform and browser independent.

Of course attackers prefer servers with a high volume of visitors, such as the Super Bowl web site that was hacked this year (2007).

My personal "favorite" attack on the client is one where a malicious website reconfigures your home router. Actually, the only thing it changes is the DNS server; the page just needs to make your browser send requests to the router's administration interface, which succeeds as long as the router still has its factory default password. Innocent? Not necessarily.

Imagine that you want to visit your online bank. You (well, your browser) query a DNS server for the IP address of your bank's server. The only problem is that you are now using the hacker's DNS server, and he can send you wherever he wants... What he cannot do is present a valid certificate for the bank's host name, so an HTTPS connection to the fake site will produce a certificate warning; do not click through it.

Recommendations:

  • In general I would recommend that any "hacked" server is first taken offline
  • If you want to pursue the attackers legally, contact law enforcement agencies and follow their advice from there; preserve the logs and a disk image before you change anything on the server
  • Analyze the server for security holes (e.g. missing input validation in the applications) and fix them
  • It can often be pretty difficult to determine the extent of the "damage" on the server. For this reason, in the end I usually opt for reinstalling the server.
