sgCERT Advisory No. 012005 : Mass Defacement of Malaysian Web Sites

Following the advisories issued by myCERT and MCMC on the mass defacement of Malaysian web sites, sgCERT adds several further points to help administrators better secure their web servers.

Preventive Measures:

  1. Apply the latest patches and upgrades released by software vendors.
    Apply patches to a test server first and, after confirming that they work correctly, apply them to the production servers.

  2. Harden your servers using hardening tools.
    A guide to hardening Windows 2000 Server is available at http://www.systemexperts.com/win2k/hardenW2K13.pdf. The tools include the Internet Information Services (IIS) Lockdown Tool, URLScan, Baseline Security Analyzer and HFNetChk. For Unix/Linux hardening tools, refer to http://bastille-linux.org.

  3. Close all unnecessary applications.
    For example, on production servers that do not need to run an FTP service, ensure that the FTP service is disabled or uninstalled.

  4. Close all unnecessary ports.
    Ports are used by the TCP/IP protocols to carry data for network services. Open only those ports on your firewall or web server that are needed for traffic to reach your servers. The list of standard port assignments is available at http://www.iana.org/assignments/port-numbers.

  5. Scan for vulnerabilities.
    Download one of the popular web vulnerability scanners and run a security check on your web servers, for example http://www.cirt.net/code/nikto.shtml or http://www.acunetix.com/.

  6. Scan for suspicious traffic.
    Download one of the popular network sniffers and run it at your gateway or firewall to detect any suspicious traffic on your LAN, for example http://www.ethereal.com/download.html.

  7. Install the latest version of Trend Micro antivirus software.

To make sure your web server has not been planted with backdoor or Trojan programs:

  1. System administrators are advised to monitor and check their systems regularly.

  2. Check for any newly added user accounts in the domain server's user list.

  3. Check your log files for any suspicious connections on the open ports, and be vigilant about suspicious traffic appearing in those log files.

  4. Check for rootkits planted by crackers/hackers.
    You may use chkrootkit (Linux platform) from http://www.chkroot.org or flister (Windows platform) from http://invisiblethings.org/tools/flister.zip. The main purpose of a rootkit is to allow crackers/hackers to return to the compromised system and access or alter it without being detected.

  5. Check and look for any suspicious shell programs

    For detailed explanation on Windows platform, go to http://www.windowsitpro.com/Windows/Article/ArticleID/43875/43875.html under the headline "Where to Look."
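Two of the checks in this advisory, listening ports compared against an allowlist of needed services (preventive measure 4) and user accounts compared against a saved baseline (check 2), as an added example that is not part of the sgCERT advisory. It assumes `netstat -an` style output for ports and /etc/passwd-style or one-name-per-line output for accounts; all sample data is constructed, and the extra UID 0 check goes slightly beyond the advisory's own wording.

```python
import re
# LISTEN lines from Windows `netstat -an` ("LISTENING") and from Unix
# `netstat -an` ("LISTEN", with the Recv-Q/Send-Q counters before the address).
LISTEN_RE = re.compile(
    r"^\s*(?:tcp|udp)\S*\s+(?:\d+\s+\d+\s+)?\S+:(?P<port>\d+)\s+\S+\s+LISTEN(?:ING)?\b",
    re.IGNORECASE,
)

def listening_ports(netstat_output: str) -> set[int]:
    """Ports in a LISTEN state, parsed from netstat output."""
    return {int(m.group("port"))
            for m in map(LISTEN_RE.match, netstat_output.splitlines()) if m}

def unexpected_ports(netstat_output: str, allowed: set[int]) -> list[int]:
    """Listening ports that are not on the allowlist of services this server needs."""
    return sorted(listening_ports(netstat_output) - allowed)

def account_names(user_list: str) -> set[str]:
    """Account names from /etc/passwd-style lines or one-name-per-line output."""
    return {line.split(":")[0].strip() for line in user_list.splitlines()
            if line.strip() and not line.startswith("#")}

def new_accounts(baseline: str, current: str) -> list[str]:
    """Accounts present now that were absent from the saved baseline."""
    return sorted(account_names(current) - account_names(baseline))

def extra_uid0_accounts(passwd_text: str) -> list[str]:
    """Accounts other than root that carry UID 0 (passwd format only)."""
    return sorted(f[0] for f in (l.split(":") for l in passwd_text.splitlines())
                  if len(f) >= 3 and f[2] == "0" and f[0] != "root")
# Constructed sample data: a web server that should expose only 80 and 443.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
TCP    10.0.0.5:80            10.0.0.9:51234         ESTABLISHED
"""
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
webadmin:x:1000:1000::/home/webadmin:/bin/bash
"""
CURRENT_PASSWD = BASELINE_PASSWD + "support:x:0:0::/tmp:/bin/bash\n"

if __name__ == "__main__":
    print("unexpected listening ports:", unexpected_ports(SAMPLE_NETSTAT, {80, 443}))
    print("accounts added since baseline:", new_accounts(BASELINE_PASSWD, CURRENT_PASSWD))
    print("non-root UID 0 accounts:", extra_uid0_accounts(CURRENT_PASSWD))
```

Save the output of the same commands right after hardening as the baseline, and rerun the comparison on a schedule so that drift is reported rather than discovered after a defacement.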

References

  1. MCMC ISF: Advisory on Web Defacement [15th March 2005]
    http://www.mcmc.gov.my/Admin/WhatisNew/31806583Information%20Sharing%20Forum.pdf

  2. MYCERT Special Alert: Mass Web Defacement [11th March 2005]
    http://www.mycert.org.my/advisory/MA-088.032005.html

  3. MYCERT Advisory [9th March 2005]
    http://www.mycert.org.my/advisory/MA-087.032005.html
