Microsoft France Defaced

Here’s the link to the site:

http://experts.microsoft.fr

Link to the mirror in case it gets fixed anytime soon.

http://www.flickr.com/photos/affandesign/169734004/

Like I said, too amusing not to post ;-)

UPDATE:

So I guess Windows Server 2003 isn’t that secure after all, even if configured by Microsoft, really makes you think doesn’t it.

TiTHack has been pretty busy today by the looks of things, check out the Zone-H stats for him today:

http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,TiTHacK/

It’s also worth noting the amount of Windows Server 2003 instances, are we seeing a new 0 day here by any chance? If so, I mentioned it first ;-)

http://www.zone-h.org/component/option,com_attacks/Itemid,43/filter_defacer,TiTHacK/

UPDATE:

Zone-H had an interview with TiTHack about the methods used in the attack, more here:

http://www.zone-h.org/content/view/4770/31/

  • http://www.BeyondSecurity.com noam

    Looks like a Win2003/IIS 6.0 vulnerability… something default enough to be present on enough servers…

    Good catch.

  • http://networksecurity.typepad.com/ Juha-Matti

    And the message dropped by attacker TiTHack says:
    “next target: microsoft.com”

  • http://www.beskerming.com Carl

    Uh, you weren’t the first to claim holes in Win 2003 / IIS 6:

    http://www.skiifwrald.com/pipermail/alertmailinglist_skiifwrald.com/2006-May/000185.html

    Selected clients were notified of issues even earlier (the middle of last year), based on increasing spates of attacks. While a lot of breaches are due to poor configuration choices, and poor virtual hosting setup, there appears to be a rise in the number of global compromises.

  • http://networksecurity.typepad.com/ Juha-Matti

    Internet Storm Center has related Diary entry now:
    http://isc.sans.org/diary.php?storyid=1429

  • http://www.xyberpix.com xyberpix

    Hehe, didn’t take ISC long ;-)

  • achtung

    set a filter on zone-h for the 16th of June (defacer (lamer?): tithack), and you will notice:
    Total attacks: 272 of which 1 single ip and 271 mass defacements

    Sorry to stop your orgasm concerning a supposed IIS6 0day exploit.

  • http://www.xyberpix.com xyberpix

    @achtung

    You do have a valid point, but I still wouldn’t be too certain that there’s not one out there. Who knows, maybe TiThack would be willing to post a comment and pass on some more info? Or for that matter anyone that was involved in the 1065 Windows Server 2003 defacements that happened on the 16th. Were they all just bad configurations?

    Even though it’s still early days, today so far there have been 386 reported Windows Server 2003 defacements.

    I’m not saying that you’re wrong at all, and to be honest I really hope that you are right. I know it’d make me feel a lot better. But, just maybe…

  • achtung

    yes 386 for win2k3 today, and today for “linux”:
    Total attacks: 870 of which 478 single ip and 392 mass defacements

    870 (478 real different servers not only vhosts). OH MY GOD NEW 0day LINUX EXPLOIT! =) If you own a big server (example: owned through a tiny bug in a tiny webapp..) that hosts 1’000 vhosts, then you can fool people that don’t know anything concerning hack.. So from 1 bug, a bug in a little application where only 10 machines on earth are using it, you will have your 1’000 defacement in a couple of minutes (a script that checks VDirs and adds/modifies default page). You will end with a thousand of win2003 servers hacked in a couple of minutes! god it’s a 0day! alert cnet! sans! the whole planet! :) Don’t listen to people that don’t have skills. They are just “journalists”, or wannabes making some money in the computer’s security domain :) So a big title “0day win2k3 IIS6?” is a goldmine for them. 0wn a hosting network you will be able to deface thousands and thousands of vhosts, W0w l33t p30pl3 fr0m h3ll. ;

  • http://www.xyberpix.com xyberpix

    What you’re saying does make perfect sense and I do agree with you about the server and the 1000 vhosts. I am not entirely disagreeing with you on any of your points.

    All I am saying however is that I really don’t think that we should be ruling out the possibility that a 0 day may exist. I am also not stating that one does or doesn’t exist either.

    I also think that the thing that is most amusing about this whole thing, is never once did I say that this was a new zero day, I only asked it as a question. ;-)

    It now seems that SANS seems to think that there are rumours of a new IIS 6 zero day going around, which to me is just damn hilarious!!

  • achtung

    from http://www.zone-h.org/content/view/4770/31/ :
    “The attacker revealed that he exploited a .net script 0day vulnerability after discovering that expert.microsoft.fr had installed and was running a vulnerable .net nuke script.”

    That was so obvious, I only did 15min of research to notice that it couldn’t be a HTTP server bug. I don’t understand how SANS work, I thought they were professionals? How do they work? Do they only write what the others say or do they do some research by themselves?

  • http://robertmoir.com Rob Moir

    “So I guess Windows Server 2003 isn’t that secure after all, even if configured by Microsoft, really makes you think doesn’t it.”

    [...] “The attacker revealed that he exploited a .net script 0day vulnerability after discovering that expert.microsoft.fr had installed and was running a vulnerable .net nuke script.”

    Makes me think that jumping to conclusions is never a good idea.

  • http://www.tithack.com MaTRaX

    —>One Turk is worth the world
