When the defacement archive is the target of defacement
It appears that, because of the Christmas season, the latest Zone-H.org defacement was not covered in the news.
An incident analysis, "Ho Ho Ho! Merry Xmas! Santa brought to Zone-H a brand new defacement", has been released on the Zone-H.org site.
NOTE: The mirror link pointing to the defaced Zone-H Forum found in the archive (link here) is not the incident covered by the analysis. Zone-H reports that the incident is not in the Zone-H archive.
This was not the first time Zone-H had unwanted visitors.
Their own archive lists the following cases:
2002/07/15 by: USG Domain: zone-h.org/en/defacements/onhold OS: SolarisSunOS
2002/03/13 by: 0xff Domain: zone-h.org OS: SolarisSunOS
They are running "Apache/1.3.27 Unix PHP/4.2.3" nowadays.
What the analysis states is:
The funny part is that the incident happened [yesterday night], exactly when all Zone-H board members were around a table for the x-mas dinner discussing a hypothetical Zone-H incident and backup policies.
But how this all continued is worth reading. The attacker used an unpatched Hotmail/MSN cross-site scripting vulnerability (reported in Aug ’06!) to get the Hotmail session cookie of one Zone-H contributor. One of his/her means, in turn, was an unpatched vulnerability in the JCE Admin Component for Joomla! (see CVE-2006-6419 for details). The CVSS severity of this issue is 7.0, i.e. High.