When it comes to Web site vandalism, attackers target Microsoft software

When it comes to Web site vandalism, attackers target Microsoft software

By William Jackson

GCN Staff

Server software from Microsoft Corp. is the favored target of vandals who deface Web pages, according to a spokesman for Attrition.org, a computer security site.

The U.S. commercial .com domain is the most popular with vandals, although the bragging rights that go with hitting a .gov civilian or .mil military site also make those domains attractive targets, Attrition.org's Brian Martin said.

The www.attrition.org site maintains a mirrored archive of pages that have been defaced, along with a number of other computer security resources. The site has accumulated information about nearly 7,000 incidents dating back to September 1996 and has been doing its own investigations of defacements since last year.

When Attrition.org is notified of a defacement'by the victim, a third party or sometimes by the hacker'the organization staff visits the site to confirm the attack, scan it for Web server software and operating system, and make a mirror image of the defaced page. The hacker's work is analyzed for identifiable traits, such as Hypertext Markup Language coding style, misspellings, repeated use of certain elements and inclusion of names. The organization keeps statistics on recognizable individuals or groups involved.


Lack of Unix knowledge may account for the hacker preference for Microsoft targets, according to Brian Martin of Attrition.org.


Accurate data about such incidents can be difficult to come by, and Attrition.org does not claim high accuracy for its figures. Information prior to last year is suspect because it was gathered from other sources instead of by first-hand examination. But some trends in the Attrition numbers stand out.

'Defacements are increasing in number,' Martin said.

Attrition.org's figures show about 2,800 defacements reported through July of this year, compared with about 1,600 for the same period last year and about 3,750 reported in all of last year. The number of attacks seems to be keeping pace with the number of Web servers deployed.

Martin described most of the vandals who attack sites as 'not bright. Most defacements are sloppy, and they leave a forensic trail,' he said.

Lack of Unix expertise, he said, might explain their preference for Microsoft Internet Information Server, which runs under Windows NT. Although Apache Hypertext Transfer Protocol software from Apache Group of Forest Hill, Md., is the most common Web server application, Microsoft's IIS accounted for 56 percent of the defacements documented by the organization from August 1999 through July 2000. Apache came in a distant second at 28 percent.

'It takes little knowledge to deface an NT page,' Martin said. The NT operating system dominated the defacements reported for the same time period, at 63 percent. Linux and SunSoft Solaris lagged far behind NT.

The .com domain had 2,881 documented incidents since September 1996, more than 40 percent of the total. The .gov domain accounted for 277 incidents, 48 of them on NASA sites alone. In the .mil domain, Navy sites suffered 55 of 146 defacements reported.

On the attack

Attrition.org notifies victims that they have been attacked and also has an e-mail subscription list.

'When almost any government agency is hacked, the next day the administrator subscribes to one of our mail lists,' Martin said.

The group has been accused of encouraging defacement by maintaining a public archive of hacked sites at www.attrition.org/mirror.

'This is far from the truth,' Martin said. Attrition's is only one of a number of mirror sites, he said, and it collects valuable forensic evidence for identifying and tracking hackers.

inside gcn

  • security in the cloud (ShutterStock image)

    Cloud security is the agency’s responsibility

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group