This article series is intended to help
you understand some of the terms and technologies employed by
hackers. With this knowledge, you will be better able to
ensure that your computer system (or network if you are a
system administrator) is adequately protected and safe from
prying eyes and unknown fingers.
Defacement
There are so many problems with web server software that it
is almost inevitable that at some point a hacker will gain
some kind of unauthorized access. One of the most common
issues has nothing to do with unpatched software, viruses or
misconfigured options. It has to do simply with improperly
protected assets.
You see, web servers are complex programs with a huge
diversity of options. Not only does the server have its own
set of things to be concerned about, but individual web sites,
user accounts, directories (folders) and even web pages can
have their own settings, privileges and protections. You can
imagine the nightmare of attempting to maintain a web site with
tens of thousands of pages, hundreds of authors, dozens of
webmasters, and all of them requiring special settings to work
properly.
Sometimes these settings are not done correctly. In fact,
it may be that incorrect protection of web pages, folders and
applications is more common than correct protection. Incorrect
web site configuration may be far more prevalent than most
people would like to imagine. This is true for all of the web
server platforms, including the major players of Apache and
Microsoft's IIS. Operating system and application bugs add
still more variables to the equation.
What does this all mean? It means there is fertile ground
for hackers, crackers and others to find holes in the security
of web sites. These flaws allow the web site to be modified in
some way to do something which its maintainers and designers
did not intend.
When someone breaks into a web server, it's quite common
for them to want to leave a message behind. They often want
someone to know they have done their deed. This might be a
message for their friends (as part of a game or contest
perhaps), their enemies or it might be a political statement.
It all depends upon the motivations and desires of the hacker
who breached the security.
Thus, the hacker might deface your web site in some manner.
This means he will change one or more pages to contain some
message of his or her choosing. It's very embarrassing when it
happens, as it immediately tells everyone who visits your site
not only the hacker's message, but that your security was weak
and ineffective as well.
This can be devastating if, for example, your site accepts
credit cards or requests personal data from visitors. The fact
that it was defaced can easily scare away hundreds, thousands
or even more customers, simply out of fear that their credit
and other personal information is now at risk.
Web site defacement is very common, much more common
than webmasters and system administrators would like to admit.
The number of defacements is on the rise, especially those
done for a political message.
So how does a defacement occur? The hacker uses some means
to gain entrance to a web server. He might overflow a buffer
and insert some code which runs at a raised privilege to give
him access. He may break a poorly secured application written
in Perl or some other language, depositing some privileged
program someplace on the server. Or he might guess or steal a
password to an administrator or highly privileged account.
Once he gains access, the hacker will do whatever he
intended to do - this might be as innocent as examining the
system or as malicious as stealing or destroying databases.
Once he has done his dirty deeds, the hacker may want to
leave a message. This is actually the easiest part of the
game. A simple way to do this is to quickly edit the page,
adding some graphics or text which communicates the
appropriate message.
So how do you prevent your website from being defaced? If
you own or operate a dedicated server, then follow the
security recommendations of CERT, the NSA and your vendor.
Also keep in touch with the various security newsgroups,
newsletters and other information so you know what
vulnerabilities exist.
Keep your system up-to-patch (although perhaps not
up-to-the-minute as sometimes patches can cause undesired side
effects) and audit application and file security regularly.
Also, be sure to protect your web server with a good
firewall, and follow good security practices on your network.
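The regular file-security audit recommended above can be scripted. The following is an added example, not part of the original article: it records a trusted hash of every page under a web root, then reports pages that were changed, added or removed, along with files and folders that any local account may write to. The function names and the one-page sample site are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(webroot):
    """Map each file path (relative to webroot) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = Path(dirpath, name)
            rel = os.path.relpath(full, webroot)
            digests[rel] = hashlib.sha256(full.read_bytes()).hexdigest()
    return digests


def world_writable(webroot):
    """List files and folders that any local account is allowed to modify."""
    found = []
    for dirpath, dirs, files in os.walk(webroot):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full) and os.lstat(full).st_mode & stat.S_IWOTH:
                found.append(os.path.relpath(full, webroot))
    return sorted(found)


def audit(webroot, baseline):
    """Compare the live tree with a trusted baseline taken at deploy time."""
    now = snapshot(webroot)
    return {
        "modified": sorted(p for p in baseline if p in now and now[p] != baseline[p]),
        "added": sorted(p for p in now if p not in baseline),
        "removed": sorted(p for p in baseline if p not in now),
        "world_writable": world_writable(webroot),
    }


def demo():
    """Constructed sample: baseline a one-page site, alter it, then audit."""
    with tempfile.TemporaryDirectory() as root:
        page = Path(root, "index.html")
        page.write_text("<h1>Welcome</h1>")
        page.chmod(0o644)
        baseline = snapshot(root)            # trusted state
        page.write_text("<h1>changed</h1>")  # content differs from baseline
        page.chmod(0o666)                    # over-permissive mode
        return audit(root, baseline)
```

Store the baseline somewhere the web server account cannot write, and run the audit on a schedule so that a changed page is noticed by you before it is noticed by your visitors.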