
Archive: December 2001 ml@sikurezza.org
Subject: fluffi bunny
From: Igor Falcomata'
Date: 2 Dec 2001 02:22:36 -0000

I generally think it is wrong to give prominence to this kind of stunt, although it must be said that the defacement, even if "indirect" (the banner on the ad server was changed), of a site like securityfocus certainly makes news.

It must also be said that this elusive Mr. Bunny is certainly an unusual character among crackers/defacers/etc. First of all, he seems to be able to find holes in systems on his own, or else to be well connected in the world of the elusive 0days; moreover, he targets almost exclusively "high profile" and/or security-related sites, and he often manages to be rather sharp both in his choice of targets and in the comments he leaves on the sites (see the defacement of kill.net and yihat.whatever-it-was, with assessments of Mr. Kimble's conduct that are actually fairly easy to agree with).

That said, I would not want this to rekindle a "philosophical" flame war about good or bad defacements (personally I have already had my say, namely that they are never good, and others have had theirs).

bye
Koba (moderator)

ps: at this moment the Synnergy Networks site (www.synnergy.net) is defaced, again by Mr. Bunny, with a rather unsettling message:

"Mr. Theo Da Radt Not all the changes you make are really a good idea.. you never know what one might stumble across.."

----- Forwarded message from security curmudgeon <jericho<at>attrition.org> -----

Date: Thu, 29 Nov 2001 22:26:45 -0700 (MST)
From: security curmudgeon <jericho<at>attrition.org>
To: defaced-commentary<at>attrition.org
Subject: [defaced-commentary] SecurityFocus Defaced? Kind of.

SecurityFocus Defaced? Kind of.

Earlier today, various people/sites were reporting that SecurityFocus.com had been defaced. Initial inspection of the screenshots suggested this was the case, but further digging revealed what really happened.

First, one must define a 'defacement'.
In the years of running the Attrition mirror, it was important for us to have a clear definition of what constituted a defacement. As we posted long ago:

http://www.attrition.org/mirror/attrition/notes.html#read_me_script_kiddy

    What is a defacement?

    A web defacement is when the content of a public web page is altered by someone other than the legitimate person responsible for the machine or pages. This is regardless of reasons or motivation. In simple terms, if someone types a URL into their browser and sees anything but the legitimate page, this is a defacement.

One factor that is often forgotten by some (defacers) is that the page must be seen by legitimate users for it to be a defacement. Keep this in mind as you read on.

The SecurityFocus 'defacement' consisted of an alternate banner at the top of their site, replacing the normal rotating banner ad. Instead of seeing an advertisement for a legitimate company or product, visitors saw the following image:

http://adj18.thruport.com/banners/Client11/sf468.gif

No other text or image was altered on the SecurityFocus site. Looking at the above URL, it is clear the altered image lies on the thruport.com server, not SecurityFocus.com. So what apparently occurred was Fluffi Bunny replaced that banner ad. If you poke around thruport.com, you will see that many images were replaced with the Fluffi banner ad. As a result, various web sites that use the thruport.com service had the alternate banner appear throughout the day.

Was SecurityFocus.com compromised? No.

Was SecurityFocus.com defaced? Yes.

Yes, although no fault of their own. Like many other sites on the net, they rely on servers outside their control for various services or connectivity. Because alternate content displayed when browsing their page, a defacement occurred. This is akin to the RSA "defacement" that has been widely misquoted over the past year.

What is a bit ironic though, is that /Client86/ images were not tampered with.
These images are a banner ad promoting the Security Focus ARIS service. Also to note, since the file names and directories are left unchanged, each client is still getting their money for hits.

Either way, it was a clever hack.

Jay Dyson and Simple Nomad contributed to this post.

-
The information and commentary is Copyright 2001, by the individual author. Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and attrition.org is credited. The opinions expressed in this mail are not necessarily the opinion of all Attrition staff members.

Commentary Archive: http://www.attrition.org/security/commentary/
The Attrition Mirror: http://www.attrition.org/mirror/attrition/
Country/TLD Statistics: http://www.attrition.org/mirror/attrition/country.html
Attrition Defacement Statistics: http://www.attrition.org/mirror/attrition/stats.html
Operating System Graphs: http://www.attrition.org/mirror/attrition/os-graphs.html
Other Web Defacement Mailing Lists: http://www.attrition.org/security/lists.html
Contacting Attrition Staff: staff<at>attrition.org

To subscribe to Defaced Commentary, send mail to majordomo<at>attrition.org with "subscribe defaced-commentary" in the BODY of the mail (without quotes). To unsubscribe, include "unsubscribe defaced-commentary" in the BODY of the mail.

----- End forwarded message -----

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005