[ISN] Hackers Deface Web Sites; FBI Issues DDoS Warning

From: InfoSec News (isnat_private)
Date: Mon May 07 2001 - 19:15:00 PDT

  • Next message: InfoSec News: "[ISN] Investigators seek clues to White House Web site attack"

    http://www.internetnews.com/wd-news/article/0,,10_760451,00.html
    
    By Ryan Naraine and Michael Singer
    May 7, 2001
    
    Web page defacement attacks by hackers have escalated dramatically in
    the last 24 hours, with technology news site CNET, Webex and game
    developer Blizzard.com among those hit this morning.
    
    At 2:00 p.m today, 153 defacements were reported by Alldas.de a site
    which archives posts mirrors of hacking attacks around the world.
    
    Executives at Web-based meeting center, WebEx say they can't explain
    the defacement of their home page Monday.
    
    "We have no idea why anyone would be interested in attacking us," says
    one WebEx executive who asked not to be identified.
    
    Visitors to the site were greeted to a black page with bold red
    letters slamming both the U.S. government and another group of
    cybervandals.
    
    "f*** USA Government - f*** PoizonBOx," read the message along with an
    email contact to a Chineese Yahoo! e-mail account.
    
    A copy of the defaced site was immediately posted at Attrition.org, a
    site where hackers also sometimes post their exploits.
    
    The San Jose-based company runs an online service that lets you run
    real-time meetings right through your Internet browser.
    
    As to why a separate hacking group would be named during a defacement,
    Attrition spokesperson Modify could only give these thoughts.
    
    "Because he/she/they have been defacing .tw sites (Taiwan)," says
    Modify.
    
    In March, the British government launched an investigation into
    PoizonBOx after a chain of UK government Web sites had their
    information replaced with graffiti showing a self-styled logo.
    
    Web Attacks On Upswing
    
    Today's defacement barrage comes just days after a hacking group
    calling itself "Prime Suspectz" hit three Microsoft sites. The latest
    round of attacks also include pro-Chinese slogans and seemed to be
    targeting U.S commercial and government Web sites.
    
    Last week, the Federal Bureau of Investigations (FBI) issued a warning
    that U.S sites faced hacking attacks from pro-Chinese groups. The FBI
    said Chinese hacker groups planned to retaliate against U.S attacks on
    Chinese government-owned sites.
    
    This week's attacks coincided with the recent political standoff
    between the two countries and the second anniversary of the NATO
    bombing of a Chinese embassy in Belgrade, according to the FBI.
    
    In the recent round of attacks, Web pages owned by the Inter-American
    Defense Board, The U.S Fish and Wildlife Service, the Department of
    Health and Human Services and several universities in Washington, D.C
    were hit with defacements.
    
    Explicit anti-American messages were posted and defacements included
    the flags of Russia and China.
    
    Separately, the FBI warned there would be ongoing attempts to disrupt
    Web access to several sites. The National Infrastructure Protection
    Center (NIPC), which acts as the FBI's cybercrime unit, said hackers
    planned to use distributed denial-of-service (DDoS) attacks to cripple
    targeted Web sites.
    
    Denial-of-service attacks typically flood Web sites with excess
    traffic, effectively slowing or blocking access to targeted sites.
    
    "The activity has been seen from several networks, and consists
    entirely of fragmented large UDP packets directed at port 80. Analysis
    indicates that this activity may be intended to bypass standard
    port/protocol blocking techniques, as certain major routing equipment
    manufacturer's products will block the first fragment of a large UDP
    packet, but may not block subsequent packets, thereby permitting the
    denial of service to continue," the NIPC said in a warning issued over
    the weekend.
    
    The unit advised systems and network administrators to inspect their
    facilities (firewall logs) for the presence of fragmented UDP packets
    directed at port 80.
    
    "Inbound packets of this type indicate that a denial of service to the
    network in question may be underway. Outbound packets of this type
    indicate that there is a high likelihood that system(s) on the network
    in question are compromised and that DDOS tools are installed.
    Attempting to block this traffic at the IP-only level (as opposed to
    protocol-specific level like UDP) may have improved effectiveness," it
    said.
    
    To determine if a computer system has been infected with a DDoS agent,
    the NIPC has posted a "Find DDoS" tool on its Web site. The tool may
    be downloaded from the NIPC site.
    
    The FBI has also called on targeted sites to report computer
    intrusions to their local FBI office.
    
    Incidents may also be reported online or by dialing
    202-323-3204/3205/3206.
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    



    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 23:30:05 PDT