[ISN] [defaced-commentary] 3 Microsoft Web sites Defaced, Corrections, IIS5 hole

From: InfoSec News (isnat_private)
Date: Thu May 03 2001 - 17:27:49 PDT


    ---------- Forwarded message ----------
    Date: Thu, 03 May 2001 19:41:53 -0400
    From: McIntyre <McIntyreat_private>
    To: defaced-commentaryat_private
    Subject: [defaced-commentary] 3 Microsoft Web sites Defaced, Corrections,
         IIS5 hole
    
    Earlier this evening (Eastern Time) the Web sites for Microsoft UK,
    Microsoft Saudi Arabia and Microsoft Mexico were defaced by the group Prime
    Suspectz. This makes 9 times a Microsoft Web site has been defaced
    including other Microsoft global sites in Brazil and Slovenia.
    
    The full list of past Microsoft targets has included:
    
    msrconf.microsoft.com (a supposedly retired MS server and the first recorded
    defacement of a Microsoft server) on October 24, 1999
    http://www.attrition.org/mirror/attrition/1999/10/24/msrconf.microsoft.com/CMT/
    
    Microsoft Brazil by IZ corp defaced June 3, 2000
    http://www.attrition.org/mirror/attrition/2000/06/03/www.microsoft.com.br/
    
    The Microsoft Events Server by someone unknown on November 11, 2000
    http://www.attrition.org/mirror/attrition/2000/11/07/events.microsoft.com
    
    Microsoft Slovenia (defaced twice) the first time by Furia.BR on December
    14, 2000 and the second time by BoLoDoRiO 3 days later
    http://www.attrition.org/mirror/attrition/2000/12/14/www.microsoft.si
    http://www.attrition.org/mirror/attrition/2000/12/17/www.microsoft.si
    
    Microsoft New Zealand was also defaced by Prime Suspectz on January 23rd
    of this year:
    http://www.attrition.org/mirror/attrition/2001/01/23/www.microsoft.co.nz/
    
    CORRECTION:
    
    Last month (April 2001) we had claimed that the Microsoft Greece Web site
    was defaced twice, first by Prime Suspectz and later by World of Hell
    (WoH). We were later informed that the domain www.microsoft.com.gr was
    owned by a man in Greece, not by Microsoft, and further research led to the
    true Microsoft Hellas (Greece) Web site at: http://www.microsoft.com/hellas/.
    
    
    http://www.attrition.org/mirror/attrition/2001/04/20/www.microsoft.com.gr/
    http://www.attrition.org/mirror/attrition/2001/04/27/www.microsoft.com.gr/
    
    
    COMMENTS ON THE RECENT IIS 5.0 HOLE
    
    While these 3 Microsoft Web sites and the previous NEC USA Web sites have
    all been running Windows 2000 and IIS 5.0, we will not say they are using
    the exploit (jill.c) for the recent IIS hole discovered by eEye until we
    have confirmation from the defacers themselves. Please do not ask - we will
    post something when we know.
    
    ABOUT PRIME SUSPECTZ and OTHER GROUPS
    
    Prime Suspectz is a group known for their regular campaign against Web
    sites of large multinational corporations including NEC USA (a short time
    ago), Nike Brazil, Panasonic Italy, BMW France, Chevrolet Argentina, Samsung
    South Africa, Nintendo Spain and many more. See our previous commentary on
    high profile foreign defacements for a full list -
    http://www.attrition.org/security/commentary/hp-foreign-01.html
    
    NEC USA
    http://www.attrition.org/mirror/attrition/2001/05/03/www.nec.com/
    
    Their targets aren't only limited to the foreign sites of multinational
    corporations. Yesterday Prime Suspectz defaced the Ford Motor Corporation's
    Media Web site.
    http://www.attrition.org/mirror/attrition/2001/01/22/media.ford.com/
    
    A full list of Prime Suspectz' previous defacements is available at
    http://www.attrition.org/mirror/attrition/psuspectz.html .
    
    Prime Suspectz isn't the only group defacing high profile foreign sites. So
    far this year, sites for Canon Greece, Canon Turkey, and Xerox India have
    also been defaced. We expect to see this trend continue until these
    companies work to secure their global Web sites as well as or better than
    their flagship portals.
    http://www.attrition.org/mirror/attrition/2001/01/22/www.canon.gr/
    http://www.attrition.org/mirror/attrition/2001/01/21/www.canon.com.tr/
    http://www.attrition.org/mirror/attrition/2001/01/21/www.xerox.co.in/
    
    -
    The information and commentary is Copyright 2001, by the individual author.
    Permission is granted to quote, reprint or redistribute provided the text is not
    altered, and the author and attrition.org is credited. The opinions expressed
    in this mail are not necessarily the opinion of all Attrition staff members.
    
    Commentary Archive: http://www.attrition.org/security/commentary/
    The Attrition Mirror: http://www.attrition.org/mirror/attrition/
    Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
    Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
    Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html
    
    Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
    Contacting Attrition Staff: staffat_private
    
    
    ISN is hosted by SecurityFocus.com
    


