2014 Website Defacements

Defacements are the most visual and obvious hack that a website can suffer from. They also come parcelled with their own exquisite sense of dread. Nothing gives that gut-wrenching feeling of “I’ve been hacked” more than seeing this:

[Image: defaced website]

Most malware that we see on a daily basis is driven by some desire to profit off of victims – classic pharma spam or theft of credit card details and personal information. By contrast, most defacements have little to no financial incentive. They are almost always done to further some political, religious or ideological goal. Some attackers will try to deface as many sites as possible with their ‘calling card’ just to prove how “l33t” (elite) they are or to give attention to whatever cause they are trumpeting.

These hacks remind me of bygone days when computer hacking was done primarily for mischief and trouble-making and was less associated with the nefarious criminal underworld. A lot of the time, all that is tampered with is the site’s index.php file, which can easily be restored by downloading a fresh copy of whatever CMS you use.

A nastier defacement, though, will overwrite your wp-config.php file entirely, and if you don’t have a backup, well, make one right now for a rainy day :)

Now, having said all this, while all defacements are primarily about the shock value, much of the time they are coupled with malware, too. If this ever happens to your site, assume it is fully compromised and act accordingly. Whoever defaces a site will almost certainly place a few backdoors for easy access later on. The more harmful hacks will also attempt to infect end user computers visiting the site.

For this reason, if you ever suffer from this sort of calamity, make sure you perform a thorough check for any malicious files! Otherwise you’ll likely end up with the same problem soon after.
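An added example (not from the original post): one way to run that check is to hash every file on the site and compare it against a fresh download of the same CMS version. The directory contents below are constructed sample data, and `compare_to_clean` and `demo` are names chosen for this sketch.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_tree(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file() and not p.is_symlink()}

def compare_to_clean(site_root, clean_root, site_only=("wp-config.php",)):
    """Compare a live site against a fresh copy of the same CMS release.
    site_only lists files a fresh download never ships, so they cannot be
    verified by hash and need a manual review or a restore from backup."""
    site, clean = hash_tree(site_root), hash_tree(clean_root)
    return {
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        "added": sorted(f for f in site if f not in clean and f not in site_only),
        "missing": sorted(f for f in clean if f not in site),
        "unverifiable": sorted(f for f in site if f in site_only),
    }

def demo():
    # Constructed sample trees: a clean release and a tampered site.
    clean_files = {"index.php": "<?php require 'wp-blog-header.php';",
                   "wp-blog-header.php": "<?php // loader",
                   "license.txt": "GPL"}
    site_files = {"index.php": "<html>defaced placeholder</html>",
                  "wp-blog-header.php": "<?php // loader",
                  "wp-config.php": "<?php // site settings",
                  "wp-includes/cache.php": "<?php // unknown file"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", clean_files), ("site", site_files)):
            for rel, body in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return compare_to_clean(Path(tmp, "site"), Path(tmp, "clean"))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

On a real site, legitimate uploads, themes and plugins will also show up under `added`, so that list is a review queue rather than a verdict; executable files in upload directories deserve the closest look.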

There are a whole bunch of ways that this can happen – websites that employ poor password management and/or use out-of-date software are easy, low-hanging fruit for these vandals. Naturally, our clients using our CloudProxy firewall are protected against such attacks.

Friday the 13th – A Gallery of Webmaster Nightmares

This post is dedicated to all you geeky horror movie fans out there!

One morning you open your website and don’t recognize it. Something is devastatingly wrong. You wipe the sleep from your eyes, and instantly you know that you’re living your worst nightmare…

As you gain early morning focus from what you thought was a good night’s sleep, a scary face stares back at you, and declares that you’ve been hacked!

When you see it you know it’s, it’s…it’s…it’s Friday the 13th!!!

It’s always Friday the 13th for webmasters of defaced sites, regardless of what their calendar says. It becomes the most unlucky day in their webmaster life, the day when only bad things can happen.

We, at Sucuri, come across such hacked sites every day. Every day we help website owners like you survive your Friday the 13th. We restore your sites and make sure this doesn’t happen again.

When your site is finally restored, and you calm down after the stressful fight for your site, it may eventually occur to you that the defaced page was a piece of some weird modern cyber art.

OK, maybe you weren’t comparing your defacement to your favorite Van Gogh. We have seen defaced websites every day for the last few years, and after a while you start finding artistic value in some of the “hacked by..” pages you come across.

Sometimes they are disturbing and offensive, sometimes they are scary. Sometimes they are funny, and sometimes they even provide security advice.
In the end, they all reflect the sub-culture of h4x0r$.

In this post, we’d like to share our collection of screenshots of defaced websites. Lean back and submerge into the world of cyber-chaos.
Once you emerge from the craziness, ask yourself the simple question, “Am I prepared to deal with such unfortunate events?”

[Gallery: screenshots of defaced websites]

You can find 100 more screenshots and the whole collection on the Sucuri Facebook page.

——————

Have you encountered such defaced pages on the Internet? Share your own website nightmare on this eerie Friday the 13th!

Dissecting a WordPress Brute Force Attack

Update: Brute force protection now available: http://cloudproxy.sucuri.net/brute-force-protection


Over the past few months there has been a lot of discussion about WordPress Brute Force attacks. With that discussion has come a lot of speculation as well. What are they doing? Is it a giant WordPress botnet? Is it going to destroy the internet? Well, as you would expect of any good geeks, we set out to find a way to find out.

This is not meant to be an exhaustive case study or a representative sample of what all attacks look like, but it does have similar characteristics to the types of attacks and infections we deal with on a daily basis.

In this post, my goal is to highlight a hack that occurred this weekend, July 20th to be exact, against one of our several honeypots. In this specific instance, it was set up and configured approximately 2 months ago. It had been hacked about a month and a half ago and, silly me, I forgot to configure what I needed to do real forensics, oops. In any event, everything was cleared and pushed out again to see what happened; it was nothing more than a matter of sitting back and waiting.

Sure enough, about 30 days later it was hacked, and this time we were ready to see what happened.
