Feds, Felons and Flakes:

Reflections on the Attrition Mirror

Presented by Brian Martin / Matt Dickerson

Slides by Dale Coddington

Copyright 2000. attrition.org Staff

Introduction
This Talk Will Cover:

 The attrition mirror

 How we operate
 Defacement information and statistics
 Random other babble

Copyright 2000. attrition.org Staff

Who We Are
attrition.org Staff

 Brian Martin a.k.a. Jericho

Brian Martin has been involved in computers since the early 80's. His
experience spans from first generation home computers to large scale
servers powering the most current business applications today. Working in
the computer security industry for the past five years, he has provided
security audit and penetration assessment for foreign banks, Fortune 500
companies, Department of Defense and more. He has provided training and
consultation for the Federal Bureau of Investigations, Defense Criminal
Investigative Services, and the National Security Agency. In recent
months, Brian's articles focusing on security issues have been widely
circulated on the Internet, corporate newsletters, and print magazines.

Copyright 2000. attrition.org Staff

Who We Are
attrition.org Staff

 Matt Dickerson a.k.a. Munge

Matt Dickerson has worked as an economist and statistician providing
legal consulting for Fortune 500 companies and universities since 1996.
While his experience with computers began in the late 1980's, his
interest in the Unix Operating System coincided with his statistical
programming on the Unix platform in the mid-1990's. Since then, he has
provided administrative, technical, and training support for diverse Unix
platforms for the professional, manufacturing, and banking industries.

Copyright 2000. attrition.org Staff

 Who We Are
attrition.org Staff

 Dale Coddington a.k.a. Punkis

Dale Coddington is a Systems Security Engineer with eEye Digital Security, a

computer security products and consulting company located in sunny Southern
California. In the past Dale has conducted consulting and training courses
at several NASA Centers, State of Washington, Naval Justice Center, the U.S.
Department of Justice, and several Japanese Corporations. In 1999 Dale was
appointed one of two technical consultants by the Defense Team of Kevin Mitnick.

Copyright 2000. attrition.org Staff

Modus Operandi
Qualification of Statistics

 The statistics and information presented here are

based on data collected since November 1998
 Attrition began actively mirroring defaced sites in
January 1999
 Mirrors on the attrition site date back to 1995
 Data before January ‘99 is believed to be accurate
but is not 100% confirmed

Copyright 2000. attrition.org Staff

The “Root” of the Problem
How are These Sites Being Defaced?

 Unix:
– Remote buffer overflows
– Sniffer / trusted path attacks
– Poorly-coded CGI’s
 Windows NT:
– RDS / MSADC
– IISHack
– MS Front Page misconfigurations
– Other misc. CGI/Web exploits

Copyright 2000. attrition.org Staff

Defacements
Speculation: Why are More NT Boxes Defaced?

Compare the knowledge required to navigate the hacked system:

 NT : Must know basic DOS Commands.
– echo "i 0wn j00" >> c:\inetpub\index.html

 Unix : Must know basic Unix commands

– In many cases defacers lack the common skill to even
find the main web page on a system:
– find / -type f -name index.html –print
– vi /path/to/index.html (wait vi is too hard to use)

Copyright 2000. attrition.org Staff

Why Me?
Why Are These Sites Being Defaced?

 Tagging, electronic graffiti

 One-upmanship - who can hit the biggest site
 The ‘gov/mil’ phenomenon
 Delusions that what they are doing is impressive
or cool
 It's trendy - like baggy pants, it just won't go
away.
 “Hacktivism” (95% convenient excuse)

Copyright 2000. attrition.org Staff

The Fine Art of Mirroring
The Steps

 Mail comes in (hacked@attrition.org)

 Goes to six people on attrition (and
mirrored off site)
 Staff verifies the defacement (lynx,
Netscape, etc)
 Run a custom mirror utility 'aget'

Copyright 2000. attrition.org Staff

The Fine Art of Mirroring
What aget Does

 aget Version 4.5 - 866 lines of shell script

– check to see if it has been mirrored, avoid duplication
– use Netcraft (www.netcraft.com/whats/), NMAP
(www.insecure.org), and lynx to verify the Operating
System of the defaced site
– If NMAP OS fingerprint is unknown, mail it to Fyodor
– Do a NIC lookup based on the country/TLD
– Take traceroute to record upstream provider(s)
– Check to see if previously defaced
– Check for hidden comments in HTML, DOS signature, etc.

Copyright 2000. attrition.org Staff

The Fine Art of Mirroring
What aget Does (Continued)

– Mail CERT based on country, mail NIPC (heh)

– Mail NIC contacts
– Mail attrition defaced* mail lists
http://www.attrition.org/security/lists.html
– Form letter clearly explaining this is a third party
notification of a security incident on the remote
machine – this is just a warning that a site has been
defaced, no other information is given

Copyright 2000. attrition.org Staff

Stop Hacking My %^&&* Box!
"Defaced Site Administrative Response"

 80 – 90%
– Friendly, appreciative, asking us for help,
thanking for notification
 10 – 20%
– Hostile responses, threats, insults, blame us

Copyright 2000. attrition.org Staff

Stop Hacking My %^&&* Box!
Responses

 CERT
– Recent addition. CERT originally asked to be
removed from notification utility
– When challenged on why they exist in the first
place, they agreed to receive notifications

Copyright 2000. attrition.org Staff

Stop Hacking My %^&&* Box!
Responses

 NIPC
– Forwarded notifications on to “the appropriate
people” approximately 20% of the time – some
replies state they do not fall under infrastructure
threats
– No response for other 80% of notifications

Copyright 2000. attrition.org Staff

Feds Us
Federal Agency / Law Enforcement Mirror Utilization

 FBI Connecticut Office –

– Issued a single 2703(d) subpoena requesting
information on ‘flipz’ and ‘fuqraq’
– Attrition Responded and charged $16.00 for
administrative fees
– $16.00 is the extent of income from federal
agencies in all of attrition’s history

Copyright 2000. attrition.org Staff

Feds Us
Federal Agency / Law Enforcement Mirror Utilization

 FBI Mirror Printouts –

– Several raid victims have verified that printouts
from the attrition.org mirror were used during
those raids
– “Did you hack this site?”

Copyright 2000. attrition.org Staff

Forensics and Mirrors
(Not Profiling)

 Most defacements are sloppy

 Leave a nice forensics trail
 Many patterns in defacement activity
– Easy to match one person operating under
different names
– Indications groups/individuals talk before
choosing targets (wave of .edu, wave of .br,
wave of...)

Copyright 2000. attrition.org Staff

Linking
(Public)

 Obvious signs
– signatures (graphics or text)
 Broken Image
– pathed to local drive where HTML was created - few
geniuses pathed to c:\microsoft\office\john\doe\ or
similar paths that included their real name
 Meta tags
– Generators, meta names, and more
 Greets, misspellings, language, more

Copyright 2000. attrition.org Staff

Linking
(Private)

 Mail to us is more candid, more verbose

 Defacers use Hotmail and other freemail sites w/
X-Originating-IP
– (grep, quote how many times we see x-originating)
– (uniq, how many unique x-originating IPs have we
seen)
 In some mail the defacer takes credit
– Other times a 'friend' is reporting the hack
– Occasionally arbitrary third party reports it (usually on
high profile, high traffic sites).

Copyright 2000. attrition.org Staff

Linking
Analysis

 Looking at all of the above, it is trivial to

link different names and group members to
each other
 Several defacers change name and style for
a variety of reasons
– A quick check at the forensics/footprints of
their work will reveal a substantial amount

Copyright 2000. attrition.org Staff

Mail Woes

 Roughly 33% of mail to hacked@ are false reports

 Sites are not defaced, do not answer, or show no
signs of intrusions
 Infrequently, we receive mail of a defacement
before it happens
– Typically a minute or less before defacement. Either
way, it obligates us and potentially makes us liable if
we do not report the crime before it occurs

Copyright 2000. attrition.org Staff

Blame Us
(Everyone Else Does)

 We are often accused of encouraging defacements

– This is far from the truth
 Odds are we have berated and insulted most
defacers for their activities - we've questioned
them, encouraged them to STOP, etc.
 We are not the only mirror. If we close up shop,
the other mirrors will pick up our role. This isn't a
good idea because we do it better 

Copyright 2000. attrition.org Staff

Disclaimer
(Of Course)

 Conclusions based on the mirror or statistics must be

looked at carefully:
 Example: Saying "defacements are increasing“
– Yes. there are more defacements today than yesterday in
general
– No. roughly the same percentage compared to servers
deployed (?)
 Example: Saying "XX OS is more secure“
– No. it is likely the OS has not been audited/tested as much
as many other OS’s. You must factor if the OS is open
source, how long it has been deployed, etc.

Copyright 2000. attrition.org Staff

Why Our Mirror is Better
(The Fine Art of Shameless Self Promotion)

 All of our information is public (and free)

 We notify sites of the intrusions as we learn about
them
 We provide mail lists to keep you informed of
defacements
 We collect more information about the site
 We provide breakouts by group, TLD,
organization
 We provide comprehensive statistics

Copyright 2000. attrition.org Staff

20 Most Active Groups
Including Ties

group hacks days active in years

20) kpz 40 185 0.51

20) mozy 40 211 0.58
19) p4riah 41 108 0.30
18) keeblerelves 43 138 0.38
17) ehw 43 101 0.28
17) fuqrag 43 74 0.20
17) teaminfinity 43 112 0.31
16) hip 44 233 0.64
16) ytcracker 44 299 0.82

Copyright 2000. attrition.org Staff

20 Most Active Groups
Including Ties

group hacks days active in years

16) v00d00 44 183 0.50

15) kryptek 46 191 0.52
14) pentaguard 47 503 1.38
13) fuby 54 289 0.79
13) artech 54 166 0.45
12) teamecho 59 54 0.15
11) hv2k 60 226 0.62
10) levelseven 64 233 0.64
9) ph33rtheb33r 67 214 0.59
8) crimeboys 83 156 0.43
7) mcm4nus 86 100 0.27
6) acidklown 93 273 0.75

Copyright 2000. attrition.org Staff

20 Most Active Groups
Including Ties

group hacks days active in years

5) dhc 98 271 0.74

4) pakistanhc 100 272 0.74
3) gh 115 268 0.73
2) antichrist 142 163 0.45
1) forpaxe 154 196 0.54

Copyright 2000. attrition.org Staff

20 Longest Running Groups

group days active in years hacks

20) x 312 0.85 4

19) rat 334 0.91 10
18) maverick 338 0.93 3
17) c0rvus 359 0.98 12
16) xessor 377 1.03 12
15) mod 379 1.04 2
14) ez|ne 389 1.07 3
13) ch0jin 390 1.07 2
12) kingstr0ke 403 1.10 4
11) lou 419 1.15 15

Copyright 2000. attrition.org Staff

20 Longest Running Groups
group days active in years hacks

10) druhy 432 1.18 6

9) viper 443 1.21 3
8) sploit 495 1.36 16
7) rewted 498 1.36 7
6) snow 498 1.36 3
5) pentaguard 503 1.38 47
4) xploit 531 1.45 3
3) rootworm 549 1.50 21
2) h4g1s 693 1.90 5
1) adm 811 2.22 3

Copyright 2000. attrition.org Staff

 Defacement Counts and Percentages
Generic Domains

Breakout Defacements Percent

International Organizations (int) 11 0.17
Non-Profit Organizations (org) 473 7.20
U.S. Commercial (com) 2749 41.83
U.S. Educational Institutions (edu) 324 4.93
U.S. Government (gov) 198 3.01

Further stats available at www.attrition.org/mirror/attrition/country.html

Copyright 2000. attrition.org Staff

Defacement Counts and Percentages
Country Domains

Breakout Defacements Percent

Brazil (br) 359 5.46
United States (us) 236 3.59
United Kingdom (uk) 155 2.36
Mexico (mx) 109 1.66
Thailand (th) 5 0.08

Copyright 2000. attrition.org Staff

1999 vs. 2000 Daily Cumulative
Total Comparison

Copyright 2000. attrition.org Staff

Defacements per Day
January 1999 - July 2000 : Linear Regression

Copyright 2000. attrition.org Staff

Defacements per Day
January 1999 - July 2000

Copyright 2000. attrition.org Staff

Monthly Totals
January 1999 - July 2000

Copyright 2000. attrition.org Staff

Histogram of Defacements per Day
January 1999 - June 2000

Copyright 2000. attrition.org Staff

OS Totals by Month

Yellow: NT, White: Linux, Orange: BSD, Green: Solaris, Purple: All Other

Copyright 2000. attrition.org Staff

29-Day Moving Average
All

Yellow: NT, Green: Solaris, White: Linux, Orange: BSD, Purple: All Other

Copyright 2000. attrition.org Staff

Daily Cumulative Totals
All

Copyright 2000. attrition.org Staff

Overall OS Shares

Copyright 2000. attrition.org Staff

Holiday Attacks
 After selecting 11 holidays per year, we found that
while the average was greater than for non-
holidays, the holiday average was not significantly
different from the non-holiday average, though
there were two holidays that when examined
individually were significantly greater than non-
holidays: new years eve, 1999 and July 4th, 2000.
 Defacement activity is not statistically different on
holidays than non-holidays

Copyright 2000. attrition.org Staff

The Future
 Faster updates of the main mirror page with
defacements in real-time
 The introduction of dynamically generated pages
via user-defined queries against our defacement
database(s)
 Never before seen on attrition.org, user interaction
with actual pages
 With the introduction of the SQL database(s), more
breakouts pertaining to each defacement mirrored

Copyright 2000. attrition.org Staff

References
Attrition Mirror
http://www.attrition.org/mirror

Statistics / Graphs
http://www.attrition.org/mirror/attrition/stats.html

Updated Slide Presentation

http://www.attrition.org/mirror/presentation.ppt

Copyright 2000. attrition.org Staff

Fin
Contact Information

• Brian Martin
jericho@attrition.org

• Matt Dickerson
munge@attrition.org

• Dale Coddington
punkis@attrition.org

Copyright 2000. attrition.org Staff