Defacements Statistics 2008 - 2009 - 2010*

27/05/2010 Written by Marcelo Almeida (Vympel)

When Zone-H started back in 2002, we were receiving an average of 2500 defacements monthly; this number keeps increasing year after year. For example, last month we registered over 95.000 defacements, while we had only 60.000 in 2009 for the same period.

What we can also say from these numbers is that the methods used are still the same: most of the vulnerabilities exploited are in web applications. We also know from our monitoring that registrar attacks have greatly increased in the past years, even if this number is quite low compared to the total number of attacks. But web applications are not the only culprit, as poor local system security at various web hosting providers usually allows crackers to get full access to the servers.

Worms and viruses like mpack/zeus variants also allow some crackers to gather FTP account credentials, but most of the people using those tools do not deface websites; they prefer to backdoor those sites with iframe exploits in order to hack more and more users and to steal data from them. Iskorpitx, for example (but many others do it as well), uses this method to break into hosting providers: he usually steals credentials with viruses and sometimes even backdoors the defacements so that visitors of the defaced sites are exploited.

Examples of some attacks on registrars (DNS hijacking):
http://www.zone-h.org/archive/ip=200.35.148.72
http://www.zone-h.org/archive/ip=82.197.131.109

Here are the statistics:

Attacks by month

Year 2008 Year 2009 Year 2010
Jan 18.562 37.968 53.921
Feb 51.925 2.919 57.869
Mar 48.138 7 73.715
Apr 41.492 60.471 95.090
May 29.017 48.087
Jun 38.445 43.569
Jul 39.549 45.480
Aug 74.121 83.850
Sep 42.379 74.384
Oct 54.971 54.462
Nov 44.486 43.177
Dec 34.374 50.035

Special attacks by month Year 2008 Year 2009 Year 2010
Jan 413 669 881
Feb 553 104 1.847
Mar 745 2 1.227
Apr 584 1.976 1.357
May 782 1.746
Jun 712 942
Jul 895 1.179
Aug 1.386 1.127
Sep 587 893
Oct 963 1.237
Nov 1.207 1.103
Dec 774 953
Total 9.606 11.929 6.395

Single attacks by month Year 2008 Year 2009 Year 2010
Jan 5.150 14.464 10.335
Feb 9.395 1.887 10.938
Mar 13.691 7 11.910
Apr 12.713 13.107 14.344
May 8.020 16.565
Jun 9.830 14.221
Jul 13.060 14.241
Aug 32.668 12.495
Sep 14.233 9.432
Oct 17.263 8.777
Nov 17.616 8.002
Dec 13.692 8.670
Total 167.329 121.866 58.045

Mass attacks by month Year 2008 Year 2009 Year 2010
Jan 13.412 23.504 43.586
Feb 42.530 1.032 46.931
Mar 34.447 0 61.805
Apr 28.779 47.364 80.746
May 20.997 31.522
Jun 28.615 29.348
Jul 26.489 31.239
Aug 41.453 71.355
Sep 28.146 64.952
Oct 37.708 45.685
Nov 26.870 35.175
Dec 20.682 41.365
Total 350.128 422.539 294.776

Operating System Year 2008 Year 2009 Year 2010
Linux 352.468 378.744 256.648
Windows 2003 117.978 127.128 81.785
Windows 2000 21.929 12.529 2.805
FreeBSD 13.418 10.050 5.503
Unknown 4.642 3.933 1.815
Solaris 9/10 3.002 7.699 364
SolarisSunOS 1.629 16 10
MacOSX 893 510 384
Win NT9x 440 225 132
Win 2008 364 2.977 3.165
Win XP 329 270 72
HP-UX 216 85 32
NetBSDOpenBSD 69 99 39
Solaris 8 35 41 5
BSDOS 10 14 2
AS/400 6 1 1
Compaq Tru64 6 16 2
NovellNetware 5 5 0
Unix 3 29 43
IRIX 3 12 5
OpenVMS 3 1 0
AIX 3 1 0
MacOS 3 0 2
OpenBSD 1 0 0
Win Vista 1 1 0
OpenServer 1 0 0
Win .NET 1 1 0
OS2 1 0 5
Digital Unix 0 3 0
SCO Unix 0 19 2

Webserver defaced Year 2008 Year 2009 Year 2010
Apache 390.141 486.294 319.439
IIS/6.0 126.403 180.926 113.935
IIS/5.0 12.551 66.304 23.664
Unknown 4.974 8.805 16.741
Zeus 1.059 506 1.972
NOYB 0 1.308 1.920
IIS/4.0 5.846 3.952 1.149
nginx 3.465 870 729
IIS/5.1 540 412 308
Rapidsite 158 110 244
SonataServer 4 557 178
A-NETEK RobustWeb 4 4 92
Zope 106 67 80
LiteSpeed 3 150 65
IdeaWebServer 50 191 60
E-Neverland DataPalm 15 16 41
lighttpd 25 33 37
DinaHTTPd Server 52 89 36
Boa 6 59 26
SilverStream Server 36 40 20
SAMBAR 0 18 17
thttpd 8 29 15
SunONE WebServer 165 670 12
ConcentricHost-Ashurbanipal 18 12 11
Lasso 18 26 11
Cougar 1 21 10
NetWare-Enterprise-Web-Server 5 3 8
Sun Java System Web Server 6.1 0 6 8
GWS 2 4 8
DataPalm 0 7 7
Abyss 0 0 5
OBEC-Web-Serv 0 13 5
InfomexWebServer 2 14 4
tigershark 54 9 4
4D_WebSTAR_S 34 169 4
IBM HTTP SERVER 7 17 4
Jetty 0 0 4
Netscape-Enterprise 37 21 4
OmniHTTPd 7 3 4
AOL server 28 15 3
IIS/30 3 4 3
exteNd Application Server 3 2 2
RaidenHTTPD 5 5 2
Resin 9 25 2
Replica 1 0 2
RRRPHP/942 1 0 2
CoffeeMaker 0 0 1
Hix Webserver 0 0 1
KFWebserver 5 5 1
NetCache 5 8 1
Oracle AS 0 3 1
WebLogic Server 27 27 1
Xitami 7 16 1
Zort Zirt Server 20 7 1
Caudium 2 3 0
VHFFS 15 2 0
Oracle 33 2 0
Roxen 87 2 0
Lotus-Domino 6 5 0
Mistral 1 1 0
Web Crossing 0 1 0
Netscape-FastTrack 0 2 0
WebSphere Application Server 0 5 0
PWS 0 5 0
Netscape-Communications 0 1 0

Attack Method Total 2008 Total 2009 Total 2010
Attack against the administrator/user (password stealing/sniffing) 33.141 24.386 10.918
Shares misconfiguration 72.192 87.313 55.725
File Inclusion 90.801 95.405 115.574
SQL Injection 32.275 57.797 33.920
Access credentials through Man In the Middle attack 37.526 7.385 1.005
Other Web Application bug 36.832 99.546 42.874
FTP Server intrusion 32.521 11.749 5.138
Web Server intrusion 8.334 9.820 7.400
DNS attack through cache poisoning 7.541 3.289 1.361
Other Server intrusion 5.655 10.799 5.123
DNS attack through social engineering 6.310 2.847 1.358
URL Poisoning 5.970 6.294 3.516
Web Server external module intrusion 4.967 2.265 1.313
Remote administrative panel access through bruteforcing 9.991 6.862 7.046
Rerouting after attacking the Firewall 8.143 3.107 1.267
SSH Server intrusion 6.231 4.624 4.550
RPC Server intrusion 12.359 5.821 2.512
Rerouting after attacking the Router 9.170 2.671 1.327
Remote service password guessing 6.641 3.252 1.103
Telnet Server intrusion 4.050 3.476 2.562
Remote administrative panel access through password guessing 4.915 1.139 422
Remote administrative panel access through social engineering 4.431 1.502 472
Remote service password bruteforce 5.563 3.658 1.002
Mail Server intrusion 1.441 2.314 1.121
Not available 70.457 87.684 24.493

Attack Reason Year 2008 Year 2009 Year 2010
I just want to be the best defacer 201.270 122.442 78.761
Heh just for fun! 96.438 176.725 179.707
As a challenge 61.112 26.921 13.422
Political reasons 50.578 72.767 19.360
Patriotism 46.619 40.374 17.877
Revenge against that website 4.802 23.513 15.147
Not available 56.640 81.667 28.545

Linux X Windows

Year Total defacements Linux (all distros) Total defacements Windows (all versions)
2000 931 2.587
2001 4.080 13.549
2002 22.693 43.441
2003 191.720 58.571
2004 247.113 119.402
2005 276.294 179.945
2006 446.039 258.129
2007 305.968 139.427
2008 352.449 141.061
2009 378.728 143.151
2010 256.648 87.959
Total 2.482.663 1.187.222

LEGEND: * In red — Partial data
Text in blue — Site down for maintenance

UPDATE: A new feature is available on the Stats page; you can now check out yearly, monthly and daily statistics: http://www.zone-h.org/stats

Complete report of 2010 stats: http://www.zone-h.org/news/id/4737

