Defaced
This is what some Year 10 High School script kiddie did to www.aaconsult.com.au sometime early this morning:

And..

If you want to know how to search on the internet for common vulnerabilities to exploit on widespread web platforms such as WordPress, then you can contact this joker “hotturk@hotturk.com” - hah! That’s all this guy did.
This is a good lesson to anyone running any kind of web-based software that is freely available and widely used to make sure you always update to the latest version as soon as it becomes available. I hadn’t upgraded this site’s WordPress installation for quite some time. I was running Version 2.0 which clearly must have had some security holes, hence a High School kid has searched on how to exploit WordPress v2.0 and got into this site by targeting it from a specially directed Google Search. I have now upgraded to the latest version and retrieved the post that was deleted. Ahh Google cache - it’s like a free weekly backup.
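One way to catch a forgotten install like this before someone else does, as an added example that is not part of the original post: a small audit that walks a web root, reads the `$wp_version` line WordPress keeps in `wp-includes/version.php`, and reports every install older than a baseline you choose. The function names, the two sample sites and the `9.9` baseline are constructed for illustration.

```python
import os
import re
import tempfile

# WordPress records its release in wp-includes/version.php as: $wp_version = '2.0';
_VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def parse_wp_version(php_source):
    """Return the version string from version.php contents, or None if absent."""
    m = _VERSION_RE.search(php_source)
    return m.group(1) if m else None

def version_key(version):
    """'2.0.1-beta' -> (2, 0, 1); numeric parts only, padded so 2.0 == 2.0.0."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple((nums + [0, 0, 0])[:3])

def find_outdated(web_root, baseline):
    """Walk web_root; return sorted (install_dir, version) pairs older than baseline.
    An install whose version cannot be read is reported as 'unknown'."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        if os.path.basename(dirpath) != "wp-includes" or "version.php" not in files:
            continue
        path = os.path.join(dirpath, "version.php")
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_wp_version(fh.read())
        if version is None or version_key(version) < version_key(baseline):
            findings.append((os.path.dirname(dirpath), version or "unknown"))
    return sorted(findings)

def demo():
    """Build two constructed installs in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for site, ver in (("old-blog", "2.0"), ("new-blog", "9.9.9")):  # constructed
            inc = os.path.join(root, site, "wp-includes")
            os.makedirs(inc)
            with open(os.path.join(inc, "version.php"), "w", encoding="utf-8") as fh:
                fh.write("<?php\n$wp_version = '%s';\n" % ver)
        baseline = "9.9"  # constructed placeholder: set this to the current release
        return [(os.path.relpath(p, root), v) for p, v in find_outdated(root, baseline)]

if __name__ == "__main__":
    for site, ver in demo():
        print("OUTDATED: %s runs WordPress %s" % (site, ver))
```

Run from cron against the real document root, `find_outdated` gives a list to act on each time a new release comes out.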
I was lucky that this particular student only decided to erase my most recent article and change my admin password. I was able to get straight back into the database directly to reset the admin password and upgrade WordPress - it could have been much more annoying if this guy had no fear. But when they have no fear like that, that’s when they get reported to the Federal Police and people start tracking their IP addresses down geographically. There is always a trail.
I have played around with a lot of ways to exploit web applications and it’s gobsmackingly scary just how many web sites have enormous gaping holes in them. There are so many extremely simple, common coding oversights which will make a site vulnerable. One time I was playing with a particular exploit which would sometimes let you gain access into other people’s login forms if they were coded in Classic ASP using SQL Server or MS Access as the database. I crafted up a couple of very basic searches in Google to return me a list of affected pages precisely named login.asp. Google brought me back pages of results and I actually went through about the first 8 pages of results trying each and every one of them. I managed to get into about 15 web sites out of 80 - certainly not a bad strike rate when a couple of the sites were fairly prominent Australian sites. A couple of them let me into full-featured admin areas where I could add and create other administrator accounts and control the site content - when you are hacking login forms, many of the exploits will give you access to the main admin account of a system simply because more often than not this is the first row in the Users table of someone’s database. Of course I just logged in and logged straight out without touching anything, but either way it illuminated just how many web developers were completely unaware that they were pushing out terribly dangerous web site code on very important, prominent web sites.
And this was merely one particular type of vulnerability!
So many of the web 2.0 sites being rushed out in BETA versions are quite vulnerable at launch time as most of them place a huge emphasis on gaining users quickly as opposed to releasing a perfectly polished product that took an additional 3-6 months to build. That said, I still hands-down agree with the launch-fast approach. No one wants to hack a site that has no users or “weight”. Users are everything; you need as many of them as soon as you can and you can tighten up the cracks later on quietly in the background. If you have developed the site yourself from scratch, then your chances of being targeted are much, much lower because no one can easily identify your platform or any commonly documented weaknesses unless they start going over it with a toothpick.
Tags: Web development
