I am writing this article in 2 parts. In the 1st part I describe website defacement and show an example of website defacement on an unpatched and misconfigured server, and in the 2nd part I will show you how to prevent website defacement with Symantec Critical System Protection.
What is website defacement
A website defacement is an attack on a website that changes the visual appearance of the site or a webpage. Defacements are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. The defacer makes fun of the system administrator for failing to maintain server security. Most times, the defacement is harmless; however, it can sometimes be used as a distraction to cover up more sinister actions such as uploading malware or deleting essential files from the server.
Website defacement example
I am using Windows Server 2003 R2 Enterprise Edition with IIS 6.0 and FTP Server installed on it. No security patches are installed on this server and the FTP server allows anonymous user login with Read/Write permissions. My webserver IP address is 192.168.42.78.
1) I scanned the webserver IP address with nmap for banner grabbing and to learn about the open ports and services running on this webserver.
2) I got the result about the webserver and came to know about the open ports and services running on it. I also came to know that the FTP server allows anonymous login.
3) Now let's try to connect to the web server through FTP and try to deface the website. I am using Core FTP software to connect to the FTP server. I enter the host IP address and select the anonymous option.
4) I successfully logged in to the webserver. Now I am able to change the contents of the website.
5) I change the content of index.php (Your website is hacked by Invisible), placed in the wwwroot folder, and save it.
6) Now open the same website and it shows that the website is hacked by Invisible.
Another method of website defacement is to change the content of the index file through a shell. In this case, we first have to upload our shell to the webserver. Then we are able to deface the website through the shell.
1) Through FTP I upload the shell (ninja.php) to the upload folder.
2) Now I access my shell through the browser (http://192.168.42.78/upload/ninja.php)
3) I click on files, click on edit index.php and change the content of the index page.
4) Save it and now enter the IP address of the webserver in the browser and hit enter. It shows the defaced page.
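Both methods above leave the same traces on disk: a changed index.php and, in the second case, a new script in the upload folder. The following file-integrity check, added here as an example and not part of the original article, baselines a web root and reports those changes. The function names, the script-extension list and the temporary directory standing in for wwwroot are assumptions made for the demo.

```python
import hashlib
import os
import tempfile

# Assumption: extensions the web server would execute; adjust to the site.
SCRIPT_EXTS = {".php", ".asp", ".aspx"}

def snapshot(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                result[rel] = hashlib.sha256(fh.read()).hexdigest()
    return result

def compare(baseline, current, upload_dirs=("upload",)):
    """Return sorted (severity, kind, path) findings between two snapshots."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            ext = os.path.splitext(path)[1].lower()
            in_upload = path.split("/")[0] in upload_dirs
            if ext in SCRIPT_EXTS and in_upload:
                # Executable content in a writable folder: web shell pattern.
                findings.append(("critical", "script-in-upload-dir", path))
            else:
                findings.append(("warning", "new-file", path))
        elif baseline[path] != digest:
            findings.append(("critical", "modified", path))
    for path in baseline:
        if path not in current:
            findings.append(("warning", "deleted", path))
    return sorted(findings)

def demo():
    """Constructed web root: baseline, apply both changes, then compare."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "upload"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<h1>Welcome</h1>")
        baseline = snapshot(root)
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("Your website is hacked by Invisible")
        with open(os.path.join(root, "upload", "ninja.php"), "w") as fh:
            fh.write("placeholder content, constructed for the demo")
        return compare(baseline, snapshot(root))
```

In practice the baseline is taken after a known-good deployment and stored somewhere the web and FTP accounts cannot write to, so it cannot be overwritten together with the site.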
Now in the 2nd part I use Symantec Critical System Protection to prevent website defacement.