Defacements Statistics 2008 - 2009 - 2010*

27/05/2010 Written by Marcelo Almeida (Vympel)

When Zone-H started back in 2002, we were receiving an average of 2500 defacements monthly, and this number keeps increasing year after year. For example, last month we registered over 95.000 defacements, while we only had 60.000 in 2009 for the same period.

What we can also say from these numbers is that the methods used are still the same: most of the vulnerabilities exploited are in web applications. We also know from what we monitored that registrar attacks have greatly increased in the past years, even if this number is quite low compared to the total number of attacks. But web applications are not the only ones to blame, as poor local system security on various web hostings usually allows crackers to get full access to the servers.

Worms and viruses like mpack/zeus variants also allow some crackers to gather FTP account credentials, but most of the people using those tools do not deface websites; they prefer to backdoor those sites with iframe exploits in order to hack more and more users and to steal data from them. Iskorpitx, for example (but many others do it as well), uses this method to break into hostings: he usually steals credentials with viruses and sometimes even backdoors the defacements so that visitors of the defaced sites are exploited.
 

Examples of some attacks on registrars (DNS hijacking):
http://www.zone-h.org/archive/ip=200.35.148.72
http://www.zone-h.org/archive/ip=82.197.131.109

Here are the statistics:

Attacks by month

Month  Year 2008  Year 2009  Year 2010
Jan    18.562     37.968     53.921
Feb    51.925     2.919      57.869
Mar    48.138     7          73.715
Apr    41.492     60.471     95.090
May    29.017     48.087
Jun    38.445     43.569
Jul    39.549     45.480
Aug    74.121     83.850
Sep    42.379     74.384
Oct    54.971     54.462
Nov    44.486     43.177
Dec    34.374     50.035

Special attacks by month

Month  Year 2008  Year 2009  Year 2010
Jan    413        669        881
Feb    553        104        1.847
Mar    745        2          1.227
Apr    584        1.976      1.357
May    782        1.746
Jun    712        942
Jul    895        1.179
Aug    1.386      1.127
Sep    587        893
Oct    963        1.237
Nov    1.207      1.103
Dec    774        953
Total  9.606      11.929     6.395

Single attacks by month

Month  Year 2008  Year 2009  Year 2010
Jan    5.150      14.464     10.335
Feb    9.395      1.887      10.938
Mar    13.691     7          11.910
Apr    12.713     13.107     14.344
May    8.020      16.565
Jun    9.830      14.221
Jul    13.060     14.241
Aug    32.668     12.495
Sep    14.233     9.432
Oct    17.263     8.777
Nov    17.616     8.002
Dec    13.692     8.670
Total  167.329    121.866    58.045

Mass attacks by month

Month  Year 2008  Year 2009  Year 2010
Jan    13.412     23.504     43.586
Feb    42.530     1.032      46.931
Mar    34.447     0          61.805
Apr    28.779     47.364     80.746
May    20.997     31.522
Jun    28.615     29.348
Jul    26.489     31.239
Aug    41.453     71.355
Sep    28.146     64.952
Oct    37.708     45.685
Nov    26.870     35.175
Dec    20.682     41.365
Total  350.128    422.539    294.776

Operational System  Year 2008  Year 2009  Year 2010
Linux               352.468    378.744    256.648
Windows 2003        117.978    127.128    81.785
Windows 2000        21.929     12.529     2.805
FreeBSD             13.418     10.050     5.503
Unknown             4.642      3.933      1.815
Solaris 910         3.002      7.699      364
SolarisSunOS        1.629      16         10
MacOSX              893        510        384
Win NT9x            440        225        132
Win 2008            364        2.977      3.165
Win XP              329        270        72
HP-UX               216        85         32
NetBSDOpenBSD       69         99         39
Solaris 8           35         41         5
BSDOS               10         14         2
AS/400              6          1          1
Compaq Tru64        6          16         2
NovellNetware       5          5          0
Unix                3          29         43
IRIX                3          12         5
OpenVMS             3          1          0
AIX                 3          1          0
MacOS               3          0          2
OpenBSD             1          0          0
Win Vista           1          1          0
OpenServer          1          0          0
Win .NET            1          1          0
OS2                 1          0          5
Digital Unix        0          3          0
SCO Unix            0          19         2

Webserver defaced               Year 2008  Year 2009  Year 2010
Apache                          390.141    486.294    319.439
IIS/6.0                         126.403    180.926    113.935
IIS/5.0                         12.551     66.304     23.664
Unknown                         4.974      8.805      16.741
Zeus                            1.059      506        1.972
NOYB                            0          1.308      1.920
IIS/4.0                         5.846      3.952      1.149
nginx                           3.465      870        729
IIS/5.1                         540        412        308
Rapidsite                       158        110        244
SonataServer                    4          557        178
A-NETEK RobustWeb               4          4          92
Zope                            106        67         80
LiteSpeed                       3          150        65
IdeaWebServer                   50         191        60
E-Neverland DataPalm            15         16         41
lighttpd                        25         33         37
DinaHTTPd Server                52         89         36
Boa                             6          59         26
SilverStream Server             36         40         20
SAMBAR                          0          18         17
thttpd                          8          29         15
SunONE WebServer                165        670        12
ConcentricHost-Ashurbanipal     18         12         11
Lasso                           18         26         11
Cougar                          1          21         10
NetWare-Enterprise-Web-Server   5          3          8
Sun Java System Web Server 6.1  0          6          8
GWS                             2          4          8
DataPalm                        0          7          7
Abyss                           0          0          5
OBEC-Web-Serv                   0          13         5
InfomexWebServer                2          14         4
tigershark                      54         9          4
4D_WebSTAR_S                    34         169        4
IBM HTTP SERVER                 7          17         4
Jetty                           0          0          4
Netscape-Enterprise             37         21         4
OmniHTTPd                       7          3          4
AOL server                      28         15         3
IIS/30                          3          4          3
exteNd Application Server       3          2          2
RaidenHTTPD                     5          5          2
Resin                           9          25         2
Replica                         1          0          2
RRRPHP/942                      1          0          2
CoffeeMaker                     0          0          1
Hix Webserver                   0          0          1
KFWebserver                     5          5          1
NetCache                        5          8          1
Oracle AS                       0          3          1
WebLogic Server                 27         27         1
Xitami                          7          16         1
Zort Zirt Server                20         7          1
Caudium                         2          3          0
VHFFS                           15         2          0
Oracle                          33         2          0
Roxen                           87         2          0
Lotus-Domino                    6          5          0
Mistral                         1          1          0
Web Crossing                    0          1          0
Netscape-FastTrack              0          2          0
WebSphere Application Server    0          5          0
PWS                             0          5          0
Netscape-Communications         0          1          0

Attack Method                                                       Total 2008  Total 2009  Total 2010
Attack against the administrator/user (password stealing/sniffing)  33.141      24.386      10.918
Shares misconfiguration                                             72.192      87.313      55.725
File Inclusion                                                      90.801      95.405      115.574
SQL Injection                                                       32.275      57.797      33.920
Access credentials through Man In the Middle attack                 37.526      7.385       1.005
Other Web Application bug                                           36.832      99.546      42.874
FTP Server intrusion                                                32.521      11.749      5.138
Web Server intrusion                                                8.334       9.820       7.400
DNS attack through cache poisoning                                  7.541       3.289       1.361
Other Server intrusion                                              5.655       10.799      5.123
DNS attack through social engineering                               6.310       2.847       1.358
URL Poisoning                                                       5.970       6.294       3.516
Web Server external module intrusion                                4.967       2.265       1.313
Remote administrative panel access through bruteforcing             9.991       6.862       7.046
Rerouting after attacking the Firewall                              8.143       3.107       1.267
SSH Server intrusion                                                6.231       4.624       4.550
RPC Server intrusion                                                12.359      5.821       2.512
Rerouting after attacking the Router                                9.170       2.671       1.327
Remote service password guessing                                    6.641       3.252       1.103
Telnet Server intrusion                                             4.050       3.476       2.562
Remote administrative panel access through password guessing        4.915       1.139       422
Remote administrative panel access through social engineering       4.431       1.502       472
Remote service password bruteforce                                  5.563       3.658       1.002
Mail Server intrusion                                               1.441       2.314       1.121
Not available                                                       70.457      87.684      24.493

Attack Reason                       Year 2008  Year 2009  Year 2010
I just want to be the best defacer  201.270    122.442    78.761
Heh just for fun!                   96.438     176.725    179.707
As a challenge                      61.112     26.921     13.422
Political reasons                   50.578     72.767     19.360
Patriotism                          46.619     40.374     17.877
Revenge against that website        4.802      23.513     15.147
Not available                       56.640     81.667     28.545

Linux vs. Windows

Year   Total defacements Linux (all distros)  Total defacements Windows (all versions)
2000   931                                    2.587
2001   4.080                                  13.549
2002   22.693                                 43.441
2003   191.720                                58.571
2004   247.113                                119.402
2005   276.294                                179.945
2006   446.039                                258.129
2007   305.968                                139.427
2008   352.449                                141.061
2009   378.728                                143.151
2010   256.648                                87.959
Total  2.482.663                              1.187.222

LEGEND: * In red — Partial data
Text in blue — Site down for maintenance

UPDATE: A new feature is available on the Stats page: you can now check out yearly, monthly and daily statistics at http://www.zone-h.org/stats

Complete report of 2010 stats: http://www.zone-h.org/news/id/4737

