A website defacement is an attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own.
A message is often left on the web page stating the defacer's pseudonym and the output of the “uname -a” and “id” commands, along with “shout outs” to his or her friends. Sometimes the defacer makes fun of the system administrator for failing to maintain server security. Most of the time the defacement is harmless; however, it can also be used as a distraction to cover up more sinister actions such as uploading malware.
Although it sounds simplistic, obtaining usernames and passwords is a very popular and effective technique used by hackers to break into a site and deface it. To obtain this information, hackers use information-gathering techniques that exploit vulnerabilities in the system (e.g., reading Web pages such as ‘global.asa’ that are supposedly not viewable from the outside), make use of publicly available information (e.g., domain registration records), or use ‘social engineering’ tactics (e.g., calling an employee and posing as a system administrator). If the hacker has a username, he can try to guess the password by going through a list of popular or default choices, or by using intelligent guesses. Social engineering helps here, too: birth dates, names of family members, etc., are all prime candidates. In an amazingly large number of cases, these techniques lead to success: authenticated access to the system. After the hacker is logged on to the system, he tries to escalate his privileges, i.e., obtain system administrator privileges. Both Windows NT and UNIX provide a “superuser” account (Administrator in NT, root in UNIX); as this account has full access rights to all system resources, it is the ultimate goal of any hacker to own it. At this stage, the hacker does some additional information gathering to find out useful tidbits: the exact version and patch level of the operating system, the versions of software packages installed on the machine, and the services and processes enabled. Using this information, he accesses well-known Web sites and easily locates hacks that exploit vulnerabilities in the installed software. When these exploits are executed on the machine, the hacker ends up gaining privileged access rights and effectively controls the machine. At this stage, if he is interested in defacing the Web site, he simply modifies the content of the pages. To the system, it is business as usual, since the intruder works in the security context of a privileged entity.
A hacker can apply multiple and different techniques to deface a Web site. He can exploit vulnerabilities in the operating system, the Web server, or within other Internet servers to break into the Web server machine. The diversity of the attack techniques and their different targets requires a multi-layered protection system that provides the following functionality:
1. On-the-spot prevention:-
The attack should be identified at the service request level, probably at the system call or API call invocation. At this stage, the request hasn’t executed yet. This is the perfect time since changes to the page have not yet been made. An effective technique is to use system call and API call interception. The interception routine is transparently activated prior to the execution of the request. It checks if the initiator is allowed to perform the request and whether the request is legitimate, i.e., not part of an attack. If the request is found to be legitimate, execution resumes with no further delay. If, however, the request is malicious, the call is failed and the attack is thwarted.
2. Administrator (root) resistance:-
Most hackers first gain privileged rights and then try to deface the site. Therefore, it’s good practice to restrict the privileges of the Administrator account on a Web server machine. Instead of the ‘Administrator’ account, only a specific predefined user (the Web master) should be allowed to modify the Web site content and configuration. The system should enforce this rule and fail malicious use of the Administrator privileges.
3. Application access control:-
It makes no sense for an arbitrary application such as a text editor to modify a Web page (even if the user has adequate privileges). A single predefined program should be used to edit and/or create Web pages. An effective solution should enforce this rule by making sure that Web pages can be accessed only through this predefined program.
4. Web server resource protection:-
Hackers typically need access to Web server resources to succeed in their attempts. They may want to kill the Web server process, modify configuration settings, or manipulate the Web server user's properties. The resources that must be protected include:
• Configuration files (including the Registry in NT)
• Data files
• Web server process
The access to these resources should be restricted to a predefined set of users and to a predefined set of applications.
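As an added example that is not from the original article, the following Python models the decision an interception routine (rule 1) would consult to enforce rules 2 to 4: it denies content changes by the administrator account, allows changes only by the Web master through the single approved program, and restricts the server's configuration files, data files and process to predefined user/program pairs. The user names, program paths and resource paths are assumptions, and the request events are constructed; the platform-specific hook that intercepts the system call or API call itself is not shown.

```python
from dataclasses import dataclass

WEB_ROOT = "/var/www/html/"           # hosted pages (assumed location)
WEBMASTER = "webmaster"                # the one user allowed to change content (rule 2)
APPROVED_EDITOR = "/opt/cms/publish"   # the single predefined editing program (rule 3)
# Web server resources (rule 4), each with the (user, program) pairs allowed to touch it.
PROTECTED = {
    "/etc/httpd/httpd.conf": {(WEBMASTER, "/opt/cms/configure")},    # configuration file
    "/var/lib/httpd/data.db": {("httpd", "/usr/sbin/httpd")},         # data file
    "process:httpd": {(WEBMASTER, "/usr/sbin/httpdctl")},             # Web server process
}
MUTATING_OPS = {"write", "create", "delete", "rename", "kill", "setattr"}

@dataclass(frozen=True)
class Request:
    user: str      # initiator of the call
    program: str   # executable making the call
    target: str    # file path or "process:<name>"
    op: str        # read, write, create, delete, rename, kill, setattr

def evaluate(req: Request):
    """Decide one request before it executes (rule 1). Returns (allowed, reason)."""
    if req.op not in MUTATING_OPS:
        return True, None                        # reads cannot deface anything
    if req.target in PROTECTED:                  # rule 4: server resources
        if (req.user, req.program) in PROTECTED[req.target]:
            return True, None
        return False, "protected resource"
    if req.target.startswith(WEB_ROOT):          # hosted content
        if req.user in ("root", "Administrator"):
            return False, "administrator resistance"   # rule 2: root is not trusted
        if req.user != WEBMASTER:
            return False, "not the Web master"         # rule 2
        if req.program != APPROVED_EDITOR:
            return False, "unapproved program"         # rule 3
        return True, None
    return True, None                            # outside the protected set

def audit(requests):
    """Return the denied requests from a batch, each paired with its reason."""
    results = [(r, *evaluate(r)) for r in requests]
    return [(r, why) for r, ok, why in results if not ok]

SAMPLE = [  # constructed events, as an interception hook would see them
    Request("webmaster", "/opt/cms/publish", "/var/www/html/index.html", "write"),
    Request("root", "/bin/sh", "/var/www/html/index.html", "write"),
    Request("webmaster", "/usr/bin/vi", "/var/www/html/index.html", "write"),
    Request("httpd", "/usr/sbin/httpd", "/var/www/html/index.html", "read"),
    Request("root", "/bin/kill", "process:httpd", "kill"),
]
```

Running `audit(SAMPLE)` denies the root shell write, the Web master's edit through an unapproved editor, and the attempt to kill the server process, while the approved publish and the server's own read go through.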