Exploit the possiblities

i.only.replaced.index.html.txt

i.only.replaced.index.html.txt
Posted Aug 17, 1999

"I only replaced index.html" - How many web sites have you defaced? Did you even bother to _really_ consider the consequences of your actions? Do you have any idea what kind of problems you cause? Read this "slap in the face from reality" and find out. Submitted by a professional security consultant who wishes to remain anonymous. [ed. note: criminals like John Vranesevich who employ script kiddies to hack web sites so they can get exclusive media stories should read this twice.]

tags | paper, web
MD5 | 92dd95102a5c07221b75c71da9af8b71

i.only.replaced.index.html.txt

Change Mirror Download
"I only replaced index.html"
~~~~~~~~~~~~~~~~~~~~~~~~~~

It would appear that the k-r4d kiddies who deface web pages have no concept of WHY their
shenanigans illicit such a violent response from the companies they attack. This brief
article will list some of the behind the scenes events that occur after the "harmless"
replacement of index.html by our oh-so-favorite political activists.

1. The company is notified, usually by a customer, that their web page has been changed.
The server admin, Web Master, or whomever is responsible for the content is usually the
first person to be told of this event as the company probably doesn't have an incident
response plan.

2. The admin shits a brick and tells his manager. The administrator, now in fear for his
job, has to bite the bullet and tell his manager that the company has been "hacked". He's
probably afraid that the attacker got in through his weak password, or one of the boxes he
know he should have upgraded six months ago.

3. Upon hearing this, the manager shits a brick. The mid-level manager now fears for HIS
job knowing that the brunt of upper management's wrath will fall on his shoulders for not
securing the systems. The manager tries desperately to figure out whom to tell in upper
management that will not fire him on the spot. He calls his manager (usually a VP type) and
tells her the news.

4. Upon hearing this, she freaks out and shits a brick. The VP calls Human Resources,
Legal, Security (if it exists), and the Director of Engineering or some other high-level
geek type. The group collectively decides if the site should be taken down or remain up. A
call is also made to the CEO or other chieftain to inform him of the situation. After a
quick consultation with the in-house counsel, the decision to contact or not contact law
enforcement is made. Usually, the upper level types are in knee-jerk mode and want to
aggressively pursue the intruder "no matter what".

5. All this time, the overworked admin has been scouring his systems looking for traces of
how the attacker got in. Despite the attacker's claims that "he only replaced index.html"
the admin's manager wants EVERY system checked and any possible means of entry sealed off.
The admin will now try to perform a comprehensive security audit in an hour.

6. The upper level types contact the Marketing department to figure out how to handle the
impact to the company's image. Never faced with this sort of problem before, the Director
of Marketing frets and calls all her people in for "a brainstorm" on how to handle the
situation.

7. The system is probably backed-up, taken down, and replaced with a newer box or a
significant upgrade (introducing new bugs) is made to the system. This takes the busy admin
the better part of a day. Normally, this could be accomplished in a few hours, but with
visibility on the VP and above level, the admin makes sure he does is perfectly.

8. If law enforcement was called-in, they now spend time with the administrators and lawyers
to figure out if they have a case (probably not, most of the evidence was accidentally
destroyed by the admin in the first 4 hours after the incident).

9. Upper level types now decree that the systems will be secured and that nothing like this
will ever happen again. It's likely that big name consultants are brought in at $200+/hour
to assess the business and make recommendations to improve the site's security. Since the
admin is already busy doing day-to-day tasks, the consulting firm probably implements their
recommendations (at $200+/hour).

10. After a few weeks, things return to normal. The company has new ACLs, a new firewall,
and maybe some new policies.

Now, looking at this, one can see the number of personnel involved and the amount of time
invested in recovering from the "harmless" defacing of index.html. I haven't even addressed
the additional problems posed when the admins discover a trojanized binary or unauthorized
access to source code or other company trade secrets. This is just the simple stuff.

"But the attacker said in his 'message' that he backed-up index.html. All they had to do
was replace it with the original!" No you stupid fool, no. The attacker has publicly
humiliated a corporation, has shown the world that the site's security is inadequate, and
has caused significant personal turmoil for 5 or more people.

Furthermore, if I come home one day to find my front door open and a note attached that
says "Hi. Broke into your place. Only moved your stuff around. Didn't take anything. Love,
r0bb3r" am I supposed to believe that? Would you? If the company affected is publicly
traded, they are legally _required_ to investigate and take measures to ensure that a similar
incident doesn't occur. If they don't, their shareholders can sue for negligence.

Now, I can't possibly justify the tens of millions in losses claimed by companies in cases
like Mitnick or others - that's lunacy. However, reading the above, I hope it becomes clear
that there is significant time and money spent to clean up these "simple" attacks.


-- Anonymous, 5/14/99

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

February 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    15 Files
  • 2
    Feb 2nd
    15 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    13 Files
  • 5
    Feb 5th
    16 Files
  • 6
    Feb 6th
    15 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    15 Files
  • 9
    Feb 9th
    18 Files
  • 10
    Feb 10th
    8 Files
  • 11
    Feb 11th
    8 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    15 Files
  • 14
    Feb 14th
    15 Files
  • 15
    Feb 15th
    17 Files
  • 16
    Feb 16th
    18 Files
  • 17
    Feb 17th
    37 Files
  • 18
    Feb 18th
    2 Files
  • 19
    Feb 19th
    16 Files
  • 20
    Feb 20th
    6 Files
  • 21
    Feb 21st
    0 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close