Copyright 2000. attrition.org Staff
Presented by Brian Martin / Matt DickersonSlides by Dale Coddington
Feds, Felons and Flakes:
Reflections on the Attrition Mirror
Copyright 2000. attrition.org Staff
IntroductionThis Talk Will Cover:
The attrition mirror How we operate Defacement information and statistics Random other babble
Copyright 2000. attrition.org Staff
Who We Areattrition.org Staff
Brian Martin a.k.a. Jericho
Brian Martin has been involved in computers since the early 80's. Hisexperience spans from first generation home computers to large scaleservers powering the most current business applications today. Working inthe computer security industry for the past five years, he has providedsecurity audit and penetration assessment for foreign banks, Fortune 500companies, Department of Defense and more. He has provided training andconsultation for the Federal Bureau of Investigations, Defense CriminalInvestigative Services, and the National Security Agency. In recentmonths, Brian's articles focusing on security issues have been widelycirculated on the Internet, corporate newsletters, and print magazines.
Copyright 2000. attrition.org Staff
Who We Areattrition.org Staff
Matt Dickerson a.k.a. Munge
Matt Dickerson has worked as an economist and statistician providinglegal consulting for Fortune 500 companies and universities since 1996.While his experience with computers began in the late 1980's, hisinterest in the Unix Operating System coincided with his statisticalprogramming on the Unix platform in the mid-1990's. Since then, he hasprovided administrative, technical, and training support for diverse Unixplatforms for the professional, manufacturing, and banking industries.
Copyright 2000. attrition.org Staff
Who We Areattrition.org Staff
Dale Coddington a.k.a. Punkis
Dale Coddington is a Systems Security Engineer with eEye Digital Security, acomputer security products and consulting company located in sunny SouthernCalifornia. In the past Dale has conducted consulting and training courses at several NASA Centers, State of Washington, Naval Justice Center, the U.S. Department of Justice, and several Japanese Corporations. In 1999 Dale was appointed one of two technical consultants by the Defense Team of Kevin Mitnick.
Copyright 2000. attrition.org Staff
Modus OperandiQualification of Statistics
The statistics and information presented here are based on data collected since November 1998
Attrition began actively mirroring defaced sites in January 1999
Mirrors on the attrition site date back to 1995 Data before January ‘99 is believed to be accurate
but is not 100% confirmed
Copyright 2000. attrition.org Staff
The “Root” of the ProblemHow are These Sites Being Defaced?
Unix:– Remote buffer overflows– Sniffer / trusted path attacks– Poorly-coded CGI’s
Windows NT:– RDS / MSADC– IISHack– MS Front Page misconfigurations– Other misc. CGI/Web exploits
Copyright 2000. attrition.org Staff
DefacementsSpeculation: Why are More NT Boxes Defaced?
Compare the knowledge required to navigate the hacked system: NT : Must know basic DOS Commands.
– echo "i 0wn j00" >> c:\inetpub\index.html
Unix : Must know basic Unix commands – In many cases defacers lack the common skill to even
find the main web page on a system:– find / -type f -name index.html –print– vi /path/to/index.html (wait vi is too hard to use)
Copyright 2000. attrition.org Staff
Why Me?Why Are These Sites Being Defaced?
Tagging, electronic graffiti One-upmanship - who can hit the biggest site The ‘gov/mil’ phenomenon Delusions that what they are doing is impressive
or cool It's trendy - like baggy pants, it just won't go
away. “Hacktivism” (95% convenient excuse)
Copyright 2000. attrition.org Staff
The Fine Art of MirroringThe Steps
Mail comes in ([email protected]) Goes to six people on attrition (and
mirrored off site) Staff verifies the defacement (lynx,
Netscape, etc) Run a custom mirror utility 'aget'
Copyright 2000. attrition.org Staff
The Fine Art of MirroringWhat aget Does
aget Version 4.5 - 866 lines of shell script– check to see if it has been mirrored, avoid duplication– use Netcraft (www.netcraft.com/whats/), NMAP
(www.insecure.org), and lynx to verify the Operating System of the defaced site
– If NMAP OS fingerprint is unknown, mail it to Fyodor– Do a NIC lookup based on the country/TLD– Take traceroute to record upstream provider(s)– Check to see if previously defaced– Check for hidden comments in HTML, DOS signature, etc.
Copyright 2000. attrition.org Staff
The Fine Art of MirroringWhat aget Does (Continued)
– Mail CERT based on country, mail NIPC (heh)– Mail NIC contacts– Mail attrition defaced* mail lists
http://www.attrition.org/security/lists.html– Form letter clearly explaining this is a third party
notification of a security incident on the remote machine – this is just a warning that a site has been defaced, no other information is given
Copyright 2000. attrition.org Staff
Stop Hacking My %^&&* Box!"Defaced Site Administrative Response"
80 – 90%– Friendly, appreciative, asking us for help,
thanking for notification 10 – 20%
– Hostile responses, threats, insults, blame us
Copyright 2000. attrition.org Staff
Stop Hacking My %^&&* Box!Responses
CERT– Recent addition. CERT originally asked to be
removed from notification utility– When challenged on why they exist in the first
place, they agreed to receive notifications
Copyright 2000. attrition.org Staff
Stop Hacking My %^&&* Box!Responses
NIPC– Forwarded notifications on to “the appropriate
people” approximately 20% of the time – some replies state they do not fall under infrastructure threats
– No response for other 80% of notifications
Copyright 2000. attrition.org Staff
Feds UsFederal Agency / Law Enforcement Mirror Utilization
FBI Connecticut Office –– Issued a single 2703(d) subpoena requesting
information on ‘flipz’ and ‘fuqraq’– Attrition Responded and charged $16.00 for
administrative fees– $16.00 is the extent of income from federal
agencies in all of attrition’s history
Copyright 2000. attrition.org Staff
Feds UsFederal Agency / Law Enforcement Mirror Utilization
FBI Mirror Printouts – – Several raid victims have verified that printouts
from the attrition.org mirror were used during those raids
– “Did you hack this site?”
Copyright 2000. attrition.org Staff
Forensics and Mirrors(Not Profiling)
Most defacements are sloppy Leave a nice forensics trail Many patterns in defacement activity
– Easy to match one person operating under different names
– Indications groups/individuals talk before choosing targets (wave of .edu, wave of .br, wave of...)
Copyright 2000. attrition.org Staff
Linking(Public)
Obvious signs – signatures (graphics or text)
Broken Image – pathed to local drive where HTML was created - few
geniuses pathed to c:\microsoft\office\john\doe\ or similar paths that included their real name
Meta tags – Generators, meta names, and more
Greets, misspellings, language, more
Copyright 2000. attrition.org Staff
Linking(Private)
Mail to us is more candid, more verbose Defacers use Hotmail and other freemail sites w/
X-Originating-IP– (grep, quote how many times we see x-originating)– (uniq, how many unique x-originating IPs have we
seen) In some mail the defacer takes credit
– Other times a 'friend' is reporting the hack– Occasionally arbitrary third party reports it (usually on
high profile, high traffic sites).
Copyright 2000. attrition.org Staff
LinkingAnalysis
Looking at all of the above, it is trivial to link different names and group members to each other
Several defacers change name and style for a variety of reasons– A quick check at the forensics/footprints of
their work will reveal a substantial amount
Copyright 2000. attrition.org Staff
Mail Woes
Roughly 33% of mail to hacked@ are false reports Sites are not defaced, do not answer, or show no
signs of intrusions Infrequently, we receive mail of a defacement
before it happens– Typically a minute or less before defacement. Either
way, it obligates us and potentially makes us liable if we do not report the crime before it occurs
Copyright 2000. attrition.org Staff
Blame Us(Everyone Else Does)
We are often accused of encouraging defacements– This is far from the truth
Odds are we have berated and insulted most defacers for their activities - we've questioned them, encouraged them to STOP, etc.
We are not the only mirror. If we close up shop, the other mirrors will pick up our role. This isn't a good idea because we do it better
Copyright 2000. attrition.org Staff
Disclaimer(Of Course)
Conclusions based on the mirror or statistics must be looked at carefully:
Example: Saying "defacements are increasing“ – Yes. there are more defacements today than yesterday in
general – No. roughly the same percentage compared to servers
deployed (?) Example: Saying "XX OS is more secure“
– No. it is likely the OS has not been audited/tested as much as many other OS’s. You must factor if the OS is open source, how long it has been deployed, etc.
Copyright 2000. attrition.org Staff
Why Our Mirror is Better(The Fine Art of Shameless Self Promotion)
All of our information is public (and free) We notify sites of the intrusions as we learn about
them We provide mail lists to keep you informed of
defacements We collect more information about the site We provide breakouts by group, TLD,
organization We provide comprehensive statistics
Copyright 2000. attrition.org Staff
20 Most Active GroupsIncluding Ties
group hacks days active in years
20) kpz 40 185 0.51 20) mozy 40 211 0.58 19) p4riah 41 108 0.30 18) keeblerelves 43 138 0.3817) ehw 43 101 0.28 17) fuqrag 43 74 0.20 17) teaminfinity 43 112 0.31 16) hip 44 233 0.64 16) ytcracker 44 299 0.82
Copyright 2000. attrition.org Staff
20 Most Active GroupsIncluding Ties
group hacks days active in years
16) v00d00 44 183 0.50 15) kryptek 46 191 0.52 14) pentaguard 47 503 1.38 13) fuby 54 289 0.79 13) artech 54 166 0.45 12) teamecho 59 54 0.15 11) hv2k 60 226 0.6210) levelseven 64 233 0.64 9) ph33rtheb33r 67 214 0.59 8) crimeboys 83 156 0.43 7) mcm4nus 86 100 0.27 6) acidklown 93 273 0.75
Copyright 2000. attrition.org Staff
20 Most Active GroupsIncluding Ties
group hacks days active in years
5) dhc 98 271 0.74 4) pakistanhc 100 272 0.74 3) gh 115 268 0.73 2) antichrist 142 163 0.45 1) forpaxe 154 196 0.54
Copyright 2000. attrition.org Staff
20 Longest Running Groups
group days active in years hacks
20) x 312 0.85 4 19) rat 334 0.91 10 18) maverick 338 0.93 3 17) c0rvus 359 0.98 12 16) xessor 377 1.03 12 15) mod 379 1.04 2 14) ez|ne 389 1.07 3 13) ch0jin 390 1.07 2 12) kingstr0ke 403 1.10 4 11) lou 419 1.15 15
Copyright 2000. attrition.org Staff
20 Longest Running Groups
group days active in years hacks
10) druhy 432 1.18 6 9) viper 443 1.21 3 8) sploit 495 1.36 16 7) rewted 498 1.36 7 6) snow 498 1.36 3 5) pentaguard 503 1.38 47 4) xploit 531 1.45 3 3) rootworm 549 1.50 21 2) h4g1s 693 1.90 5 1) adm 811 2.22 3
Copyright 2000. attrition.org Staff
Defacement Counts and PercentagesGeneric Domains
Breakout Defacements Percent
International Organizations (int) 11 0.17
Non-Profit Organizations (org) 473 7.20
U.S. Commercial (com) 2749 41.83
U.S. Educational Institutions (edu) 324 4.93
U.S. Government (gov) 198 3.01
Further stats available at www.attrition.org/mirror/attrition/country.html
Copyright 2000. attrition.org Staff
Defacement Counts and PercentagesCountry Domains
Breakout Defacements Percent
Brazil (br) 359 5.46
United States (us) 236 3.59
United Kingdom (uk) 155 2.36
Mexico (mx) 109 1.66
Thailand (th) 5 0.08
Copyright 2000. attrition.org Staff
1999 vs. 2000 Daily Cumulative Total Comparison
Copyright 2000. attrition.org Staff
Defacements per Day January 1999 - July 2000 : Linear Regression
Copyright 2000. attrition.org Staff
Defacements per DayJanuary 1999 - July 2000
Copyright 2000. attrition.org Staff
Monthly TotalsJanuary 1999 - July 2000
Copyright 2000. attrition.org Staff
Histogram of Defacements per DayJanuary 1999 - June 2000
Copyright 2000. attrition.org Staff
OS Totals by Month
Yellow: NT, White: Linux, Orange: BSD, Green: Solaris, Purple: All Other
Copyright 2000. attrition.org Staff
29-Day Moving AverageAll
Yellow: NT, Green: Solaris, White: Linux, Orange: BSD, Purple: All Other
Copyright 2000. attrition.org Staff
Daily Cumulative TotalsAll
Copyright 2000. attrition.org Staff
Overall OS Shares
Copyright 2000. attrition.org Staff
Holiday Attacks
After selecting 11 holidays per year, we found that while the average was greater than for non-holidays, the holiday average was not significantly different from the non-holiday average, though there were two holidays that when examined individually were significantly greater than non-holidays: new years eve, 1999 and July 4th, 2000.
Defacement activity is not statistically different on holidays than non-holidays
Copyright 2000. attrition.org Staff
The Future
Faster updates of the main mirror page with defacements in real-time
The introduction of dynamically generated pages via user-defined queries against our defacement database(s)
Never before seen on attrition.org, user interaction with actual pages
With the introduction of the SQL database(s), more breakouts pertaining to each defacement mirrored
Copyright 2000. attrition.org Staff
References
Attrition Mirrorhttp://www.attrition.org/mirror
Statistics / Graphshttp://www.attrition.org/mirror/attrition/stats.html
Updated Slide Presentationhttp://www.attrition.org/mirror/presentation.ppt
Copyright 2000. attrition.org Staff
FinContact Information
• Brian [email protected]
• Matt [email protected]
• Dale [email protected]