The StoKia Network
Free Hosting. No Contracts! No Banners! No Ads!
Discount Premium Web Site Hosting.
iskorpitx Mass IIS Defacement Hack Info
We read an article on http://www.securityfocus.com/ regarding a mass hack of over 38,500 web sites running on Windows web servers with IIS. More detailed information is available at the defacement archive zone-h.org.
Quote from zone-h.org:
"Yesterday the Turkish cracker going by the handle "Iskorpitx", successfully hacked 21,549 websites in one shot (plus 17,000 as our last update) and defaced (on a secondary page) all of them with a message showing the Turkish flag (with AtaTurk face on it)"
We have done a limited amount of research on this, and the mass defacement appears to be related in some way to sites registered or hosted through GoDaddy or secureserver.net.
zone-h.org has a text file that contains a list of the defaced sites at http://www.zone-h.org/defaced/list.txt. We have done a whois search on about 30 sites in the list. All show GoDaddy as the registrar.
The hack seems to have been done through an ASP script that is automatically installed on all hosting customer accounts on these particular servers.
The mass defacement was placed in a subdirectory on each site: /ssfm/isko.htm
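For a hosting operator who wants to find affected accounts without waiting for the zone-h list, the following is an added example (not the page's own code and not anything GoDaddy ships) of a sweep over customer document roots for the artifact described above. It assumes each account has a document root directory, that the form-mail script's working directory is <docroot>/ssfm, and that the defacement page sits at <docroot>/ssfm/isko.htm as the page states; the list of "servable" extensions it flags is an assumption about what a mail-form drop directory should never contain. The sample accounts are constructed in a temporary directory so the script runs offline.

```python
"""Sweep hosting document roots for the /ssfm/isko.htm defacement artifact.

Added example, not code from the page or from GoDaddy. Assumptions: every
customer account has a document root; the form-mail script writes into
<docroot>/ssfm (the page shows Server.MapPath("ssfm")); the defacement page
was dropped at <docroot>/ssfm/isko.htm.
"""
import os
import tempfile

DEFACEMENT_FILE = "isko.htm"   # path reported on the page: /ssfm/isko.htm
WORK_DIR = "ssfm"              # directory the form-mail script maps
# A form-mail drop directory should only hold data files; anything the web
# server would execute or render as a page is worth a look (assumption).
SERVABLE_EXTENSIONS = {".htm", ".html", ".asp", ".aspx", ".php", ".js"}


def inspect_account(docroot):
    """Return findings for one document root as a list of (severity, relative path)."""
    findings = []
    ssfm = os.path.join(docroot, WORK_DIR)
    if not os.path.isdir(ssfm):
        return findings
    for name in sorted(os.listdir(ssfm)):
        path = os.path.join(ssfm, name)
        if not os.path.isfile(path):
            continue
        rel = os.path.join(WORK_DIR, name)
        if name.lower() == DEFACEMENT_FILE:
            findings.append(("defaced", rel))       # known artifact from the page
        elif os.path.splitext(name)[1].lower() in SERVABLE_EXTENSIONS:
            findings.append(("suspicious", rel))    # servable file where only data belongs
    return findings


def sweep(docroots):
    """Map each document root to its findings, omitting clean accounts."""
    report = {}
    for root in docroots:
        hits = inspect_account(root)
        if hits:
            report[root] = hits
    return report


def build_sample_accounts():
    """Construct three throwaway document roots: clean, defaced, and one with an odd file.

    Returns (base_dir, [docroot, ...]) in the order clean, defaced, odd.
    """
    base = tempfile.mkdtemp(prefix="stokia-sweep-")
    layout = {
        "clean.example": {"ssfm": ["form-2005-06-01.txt"]},
        "defaced.example": {"ssfm": ["form-2005-06-01.txt", "isko.htm"]},
        "odd.example": {"ssfm": ["notes.asp"]},
    }
    for account, dirs in layout.items():
        for sub, files in dirs.items():
            d = os.path.join(base, account, sub)
            os.makedirs(d)
            for f in files:
                with open(os.path.join(d, f), "w") as fh:
                    fh.write("constructed sample\n")
    return base, [os.path.join(base, a) for a in layout]


if __name__ == "__main__":
    base, roots = build_sample_accounts()
    for root, hits in sweep(roots).items():
        for severity, rel in hits:
            print(f"{severity:10s} {os.path.basename(root)}/{rel}")
```

On a real server the list of document roots would come from the hosting control panel rather than from build_sample_accounts; the rest of the script is unchanged. Treat a "suspicious" hit as something to inspect, since a legitimate customer could have put a page there by hand.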
A search on Google for: ' ssfm vulnerability ' (without quotes) returns a Google cache result with a GoDaddy user complaining about being hacked through the ssfm directory, and a response from "hosting support" claiming that the problem "is a vulnerability in the Microsoft IIS".
Quote:
This email is in regards to the issue that you escalated on xx xxxxx 2005. The ssfm hack is not something we can really defend against. It is a vulnerability in the Microsoft IIS webserving system. As Microsoft uses closed source software, we are dependent on them for a fix to this issue. They have not, as of yet, issued a patch for this vulnerability. Rest assured that your passwords have not been compromised. The attacker does not need these to insert his file into the account as it is done through a hole in the IIS system (and this is the only directory that they would have access to).
A search on Google for: ' ssfm directory asp ' (without quotes) returns multiple results for GoDaddy users seeking help with the file 'gdform.asp'. 'gdform.asp' appears to be a form-mail type script. The source code of 'gdform.asp' also contains a reference to the ssfm folder: filename = Server.MapPath("ssfm"). (See the second post at http://forums.aspfree.com/asp-development-5/asp-email-form-on-godaddy-114110.html for the source code to gdform.asp.)
A search on Google for: ' ssfm directory godaddy ' (without quotes) or ' ssfm directory secureserver.net ' (without quotes) returns multiple results for users seeking help with the 'gdform.asp' or 'gdform.php' form-mail type scripts.
We have not examined the source code of the ASP file in detail or done more than superficial research on this mass defacement, but this does not appear to be a vulnerability in IIS. It appears to be a problem with poor script coding and/or failure to properly validate user form input. I would guess that the hacker is able to inject their own code into the ASP or PHP script being used to send mail.
If anyone has more time to look over the source code and can determine where the code could have been injected, or knows of any other GoDaddy scripts that write to the ssfm directory that could be responsible for this mass defacement, we would like to hear your comments at ssfm@stokia.com.
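To make the suspected failure mode concrete, here is an added example (written for this page, not the source of gdform.asp or any GoDaddy script) of a form-mail handler that keeps a copy of each submission as a file, in the two shapes that matter: one that trusts the submitted file name and writes under the web root, beside one that does not. It assumes, as the page guesses, that the submitter can influence what gets written and where; the script actually does this in classic ASP, but the example is in Python so it runs as-is. The hostile and benign submissions are constructed inputs.

```python
"""Form-mail handlers that persist submissions to a per-site directory.

Added example illustrating the failure mode the page suspects; it is not the
source of gdform.asp. Assumptions: the script keeps a copy of every submission
as a file under a directory resolved relative to the web root (the page shows
Server.MapPath("ssfm")), and the submitter can influence the file name or body.
"""
import os
import re
import tempfile
import uuid

# Only a short label of safe characters is accepted from the submitter;
# no dots, so no extension and no ".." (assumed policy).
ALLOWED_LABEL = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
MAX_MESSAGE = 4096


def unsafe_save(webroot, form):
    """Vulnerable shape: trusts the submitted file name and writes under the web root.

    Whatever name and body the submitter sends becomes a file the web server
    will happily serve, which is exactly how a defacement page ends up at
    /ssfm/isko.htm.
    """
    target = os.path.join(webroot, "ssfm", form["filename"])
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "w") as fh:
        fh.write(form["message"])
    return target


def safe_save(storage_dir, form):
    """Hardened shape: storage outside the web root, server-chosen file name,
    fixed non-servable extension, confinement check, and a body size cap."""
    label = form.get("filename", "")
    if not ALLOWED_LABEL.match(label):
        raise ValueError("rejected file name label")
    message = form.get("message", "")
    if len(message) > MAX_MESSAGE:
        raise ValueError("message too long")
    name = f"{label}-{uuid.uuid4().hex}.txt"       # the server picks the real name
    base = os.path.realpath(storage_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:   # belt and braces: never leave base
        raise ValueError("path escapes storage directory")
    os.makedirs(base, exist_ok=True)
    with open(target, "w") as fh:
        fh.write(message)
    return target


def rejects(storage_dir, form):
    """True if safe_save refuses the submission."""
    try:
        safe_save(storage_dir, form)
    except ValueError:
        return True
    return False


def demo():
    """Run both handlers on a constructed hostile submission and a benign one.

    Returns (unsafe_wrote_servable_file, safe_rejected_hostile, safe_kept_benign_as_txt).
    """
    webroot = tempfile.mkdtemp(prefix="site-")
    storage = tempfile.mkdtemp(prefix="submissions-")
    hostile = {"filename": "isko.htm", "message": "<html>constructed sample</html>"}
    benign = {"filename": "contact", "message": "hello from the form"}

    written = unsafe_save(webroot, hostile)
    served = written.startswith(webroot) and written.endswith(".htm")

    kept = safe_save(storage, benign)
    kept_ok = kept.endswith(".txt") and kept.startswith(os.path.realpath(storage))
    return served, rejects(storage, hostile), kept_ok


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not the regular expression on its own: even a perfectly validated name should land in a directory the web server does not serve, under a name the server chose, with an extension it will never execute. Any one of those three would have kept isko.htm from being reachable over HTTP.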
StoKia Support Team
Premium Web Site Hosting - At A Great Price

The StoKia Network offers premium web site hosting for less than $3 per month. The standard premium web site hosting package includes free domain registration, spam and virus filtered email, and 500 MB of disk space. The standard premium web site hosting package supports ASP.Net 2.0, ASP, PHP, ColdFusion MX 7, SQL Server 2005 Express, SQLExpress user instances (AttachDBFilename), MySQL, MS Access, multiple FTP accounts, SSL, Stats and much, much more.

SQL Server 2005 Web Site Hosting

The StoKia Network offers Microsoft SQL Server 2005 web site hosting for $9 per month. The SQL Server 2005 web site hosting package includes free domain registration, spam and virus filtered email, and 2 GB (2000 MB) of disk space. The SQL Server 2005 web site hosting package supports all of the features of the standard premium package, plus a free dedicated IP address, a free dedicated SSL certificate, SQL Server 2005 databases, user instances and much, much more.

Free Web Site Hosting

The StoKia Network offers a totally free web site hosting package, with no contracts, no banners and no ads. The totally free web site hosting package includes 25 MB of disk space, FTP access, a web site builder, and more.

Reseller Hosting

The StoKia Network reseller program allows qualified resellers to purchase hosting packages and domain name registration at a significantly reduced rate.