The defacement on our scan site was performed thanks to this exploit in the PHP version: http://www.vulnerability-lab.com/get_content.php?id=1150 (link info credits go to Evolution Security crew 2013)
Another hacked site there: http://urlm.nl/www.babysnowboots.nl
And another with insecure CMS:
Web application version:
WordPress version: WordPress 3.6.1
Wordpress version from source: 3.6.1
Wordpress Version 3.6.1 based on: htxp://www.asjltrading.nl//wp-admin/js/common.js
WordPress directory: htxp://www.asjltrading.nl/wp-content
WordPress theme: htxp://www.asjltrading.nl/wp-content/themes/Nova/
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.0
Some particularities on this iFrame defacement. For an iFrame injection the attacker has to find vulnerable sites first via Google dorks.
Next the attacker has to test for a vulnerability by inserting some iFrame tag inside the webpage. Mostly the attackers are looking for two types of vulnerability: remote or local file include vulnerabilities. Then, as a rule, a backdoor is installed based on an r57, c99 or local7 shell. See: http://old.honeynet.org/scans/scan13/max.html
Escalation of privileges takes place via so-called auto-rooters, read: http://www.symantec.com/connect/articles/introduction-autorooters-crackers-working-smarter-not-harder
An online scanner to estimate some risks: http://xss-scanner.com/
Only to be used on a site you own or for which you have been given explicit written permission to scan. Know that all scans are being properly logged, so be aware not to share scan results in public or use them against a particular website. This also holds for Dazzlepod IP scan results and Qualys SSL scan results, even when the site offers weak vulnerable keys first over secure ones, which is another big problem with obsolete browsers today.
What makes a site vulnerable to a hack scheme like the above, for example? The main reason is a full patch policy not being followed up. The second reason is bad server security configuration (header security settings and server hardening policies).
Info credits for above particularities on iFrame defacement for educational purposes only go to Kaspersky’s David Jacoby.
polonus (volunteer website security analyzer)
P.S. Security researchers that want to help the security community with forensics and analysis skills can go here: http://old.honeynet.org/scans/
This site had a history of malware and defacement and malware had been detected by avast! http://www.scumware.org/report/4FB906E8C7775AD3F1D0E1EFD73FEEF7.html
Site had the HTML/Phishing.Agent.G trojan, as avast! detects HTML:Phishing-Q [Trj] - part of bank fraud!
Site is now clean but still vulnerable because of an outdated CMS in correlation with PHP vulnerabilities *:
System Details:
Running on: Apache
Powered by: PHP/5.3.10
Web application details:
Application: WordPress 3.5 - htxp://www.wordpress.org
Running cPanel 11.44.1.18: jpalvarezm dom com:2082
Web application version:
WordPress version: WordPress 3.5
Wordpress version from source: 3.5
Wordpress Version 3.5 based on: htxp://jpalvarezm.com//wp-admin/js/common.js
WordPress theme: htxp://jpalvarezm.com/wp-content/themes/jpalvarezm/
Wordpress internal path: /home/jpalvare/public_html/wp-content/themes/jpalvarezm/index.php
WordPress version outdated: Upgrade required.
Outdated WordPress Found: WordPress Under 4.0
Are there still vulnerabilities on the site? Powered by: PHP/5.4.32
This was with another domain on the same IP:
Up(nil): TR/Crypt.ZPACK.Gen RIPE NL abuse at leaseweb domcom 85.17.199.95 to 85.17.199.95 bontekoewielersport dom nl htxp://bontekoewielersport.nl/facebook/bot.exe
How is the security of the Facebook attacker?
Using user-agent for Chrome 30.0-MacOSX
Result | Category | Name | Actual Value | Our Recommendation
Correct | Framing | X-Frame-Options | DENY | Use ‘sameorigin’
Missing | Transport | Strict-Transport-Security | | Use ‘max-age=31536000; includeSubDomains’
Correct | Content | X-Content-Type-Options | nosniff | Use ‘nosniff’
Correct | Content | Content-Type | text/html; charset=utf-8 | Use ‘text/html;charset=utf-8’
Warning | XSS | X-XSS-Protection | 0 | Use ‘1; mode=block’
Warning | Cookies | Set-Cookie | datr=zxhJVDxLsTTIPr1…cebook.com; httponly | Add ‘secure;’
Warning | Cookies | Set-Cookie | reg_ext_ref=deleted;…domain=.facebook.com | Add ‘secure; httponly;’
Warning | Cookies | Set-Cookie | reg_fb_ref=https%3A%…domain=.facebook.com | Add ‘secure; httponly;’
Warning | Cookies | Set-Cookie | reg_fb_gate=https%3A…domain=.facebook.com | Add ‘secure; httponly;’
Correct | Caching | Cache-Control | private, no-cache, n…ore, must-revalidate | Use ‘no-cache, no-store, must-revalidate’
Correct | Caching | Pragma | no-cache | Use ‘no-cache’
Correct | Caching | Expires | Sat, 01 Jan 2000 00:00:00 GMT | Use ‘-1’. Currently, expiration is current time minus -467391823 seconds.
Missing | Access Control | X-Permitted-Cross-Domain-Policies | | Use ‘master-only’
Missing | Content Security Policy | Content-Security-Policy | | Try Content-Security-Policy-Report-Only to start. Include default-src ‘self’, avoid ‘unsafe-inline’ and ‘unsafe-eval’
Warning | Privacy | P3P | CP=“Facebook does no…e: http://fb.me/p3p” | Remove obsolete header
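As an added example (not code from the original post or from the scanner whose report is quoted above), here is a small Python audit that applies the same recommendations as that report to a set of response headers: framing, HSTS, nosniff, per-cookie secure/httponly flags, CSP and the obsolete P3P header. The header values are constructed and the check thresholds (one-year HSTS max-age, no unsafe-inline/unsafe-eval) are my reading of the report's advice.

```python
import re
# Constructed sample response headers, shaped like the scan result above
# (values shortened and invented; this is not a capture from any live site).
SAMPLE_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "datr=abc123; path=/; domain=.example.com; httponly"),
    ("Set-Cookie", "reg_fb_ref=https%3A%2F%2Fexample.com; path=/; domain=.example.com"),
    ("P3P", 'CP="not a real policy"'),
]
ONE_YEAR = 31536000  # seconds; the max-age the report recommends for HSTS

def audit_headers(headers):
    """Map each checked header to (status, advice); status is ok, warning or missing."""
    seen = {}
    for name, value in headers:            # fold names to lower case, keep repeats
        seen.setdefault(name.lower(), []).append(value)
    first = lambda n: (seen.get(n.lower()) or [None])[0]
    out = {}
    xfo = first("X-Frame-Options")
    if xfo is None:
        out["X-Frame-Options"] = ("missing", "use DENY or SAMEORIGIN")
    else:
        out["X-Frame-Options"] = ("ok" if xfo.strip().upper() in ("DENY", "SAMEORIGIN") else "warning", xfo)
    hsts = first("Strict-Transport-Security") or ""
    age = re.search(r"max-age=(\d+)", hsts, re.I)
    if not hsts:
        out["Strict-Transport-Security"] = ("missing", "use max-age=31536000; includeSubDomains")
    elif not age or int(age.group(1)) < ONE_YEAR or "includesubdomains" not in hsts.lower():
        out["Strict-Transport-Security"] = ("warning", "max-age under one year or no includeSubDomains")
    else:
        out["Strict-Transport-Security"] = ("ok", hsts)
    xcto = first("X-Content-Type-Options")
    out["X-Content-Type-Options"] = ("ok", xcto) if (xcto or "").lower() == "nosniff" else ("missing", "use nosniff")
    # Every Set-Cookie is checked on its own: the flags are per cookie, not per response
    for cookie in seen.get("set-cookie", []):
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        lacking = [f for f in ("secure", "httponly") if f not in attrs]
        out["Set-Cookie " + cname] = ("warning", "add " + "; ".join(lacking)) if lacking else ("ok", cname)
    csp = first("Content-Security-Policy")
    if csp is None:
        out["Content-Security-Policy"] = ("missing", "start with Content-Security-Policy-Report-Only")
    elif "unsafe-inline" in csp or "unsafe-eval" in csp:
        out["Content-Security-Policy"] = ("warning", "avoid unsafe-inline and unsafe-eval")
    else:
        out["Content-Security-Policy"] = ("ok", csp)
    if first("P3P") is not None:           # P3P is obsolete; modern browsers ignore it
        out["P3P"] = ("warning", "remove obsolete header")
    return out
```

Feed it the header list from any HTTP client (e.g. `list(resp.headers.items())` from `requests`) to audit a site you are allowed to test.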
Recently we experience a lot of defacements via an SSLv3 vulnerability (credits Vanessa, cPanel partner) in cPanel 11.44.1.19, starting 6 days ago, like this one: http://sitecheck.sucuri.net/results/planetkids.se and yes, cPanel seems the common denominator here.
The default is/seems fine for cPanel servers, but one might like to change that for LiteSpeed servers, and we have a LiteSpeed server in our example below. In recent SEA defacements some UK sites even got null routed after defacement. “ConnectBack Backdoor Shell” was a very simple Perl script delivering a reverse shell. The attacker may have found an exploit for a particular vulnerable server configuration and run a scanner tool to find this target. For our example: http://killmalware.com/planetkids.se/#
This shell has been used: rainbow.sh: https://github.com/Viiksipojat/asmrainbow/blob/master/rainbow.sh
Visiting the site may not bring additional malware. More sites on that one and the same IP: http://sameid.net/ip/5.9.29.178/
The attentive reader will get alerted to more and more defacement patterns as this thread unrolls.
Meta tags report for: htxp://sitesuck.com/
meta tag | length | value
Title | 18 | Hacked by xDrKeeFx
Description | 27 | .:: Hacked By xDrKeeFx ::.
Keywords | 26 | .:: Hacked By xDrKeeFx ::.
Author | 8 | xDrKeeFx
HACKED BY PANIMIN ARDIANSYAH VISIT MY GRUP TRENGGALEK DEFACER NEWBIE
IP info - Illegal 3rd party exploits, including proxies, worms and trojan exploits
https://www.robtex.com/ip/192.185. html
Subnet Masking was explored: http://ccna.exampointers.com/sub.php?ip=192.185.5.240&mask=28
Information from the registry on IP 192.185.5.240: see there.
What malcode originates from that IP - badness history: https://www.virustotal.com/nl/ip-address/192.185.5.240/information/
PAK_Generic.005, Backdoor.Win32.A.Hupigon.799113, Hiderun or Trojan.Win32.HideRun.A are not being detected by avast!
AVG also detects HackTool.SOZ on that IP.
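As an added example serving both the iFrame injection description earlier in the thread and the meta tag report above (not code from the original posts): a Python scanner a site owner can run over their own pages to flag the two footprints this thread keeps showing, a "Hacked by" marker in the title or meta tags and an injected iframe hidden by zero size or display:none. The sample page, defacer name and hosts are constructed.

```python
from html.parser import HTMLParser
import re
# Constructed sample page: a defaced front page with an injected hidden iframe.
# The defacer name and hosts are invented; nothing here is taken from a real site.
SAMPLE_HTML = """<html><head>
<title>Hacked by EXAMPLE_DEFACER</title>
<meta name="description" content=".:: Hacked By EXAMPLE_DEFACER ::.">
<meta name="author" content="EXAMPLE_DEFACER">
</head><body>
<iframe src="http://malware.example.invalid/in.php" width="0" height="0" style="display:none"></iframe>
<iframe src="https://player.example.invalid/embed/1" width="640" height="360"></iframe>
</body></html>"""
DEFACE_RE = re.compile(r"\b(hacked|owned|defaced)\s+by\b", re.I)

class DefaceScanner(HTMLParser):
    """Collects <title>, named <meta> tags and <iframe> attributes from one document."""
    def __init__(self):
        super().__init__()
        self.title, self.meta, self.iframes, self._in_title = "", {}, [], False
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}   # attributes without a value become ""
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and "name" in a:
            self.meta[a["name"].lower()] = a.get("content", "")
        elif tag == "iframe":
            self.iframes.append(a)
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def hidden(frame):
    """Zero-size or style-hidden iframes are the usual footprint of an injected frame."""
    style = frame.get("style", "").replace(" ", "").lower()
    zero = frame.get("width", "").strip("px ") == "0" or frame.get("height", "").strip("px ") == "0"
    return zero or "display:none" in style or "visibility:hidden" in style

def scan(html):
    """Return (kind, where, detail) findings for defacement markers and hidden iframes."""
    p = DefaceScanner()
    p.feed(html)
    findings = []
    for field, text in [("title", p.title)] + list(p.meta.items()):
        if DEFACE_RE.search(text):
            findings.append(("defacement-marker", field, text.strip()))
    for f in p.iframes:
        if hidden(f):
            findings.append(("hidden-iframe", f.get("src", ""), "zero-size or hidden"))
    return findings
```

Run `scan()` over a fetched copy of each page in a periodic job and alert on any non-empty result; the visible 640x360 embed in the sample is deliberately left unflagged so legitimate players do not trip the check.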