Israeli m0sad hackers crack 480 sites

Fears that other hackers would follow last week's super-attack on 700 websites were confirmed on Saturday when a second hacker turned over a large number of sites.

A pro-Israeli defacing group, m0sad, hit 480 websites in a political hack that probably took less than a minute.

The attack follows another last week where more than 700 "virtually hosted" websites were hit in a single attack. Some security experts feared that this would be just the beginning of a spate of copycat attacks.

m0sad broke into a web server owened by Corpex Internet, which hosted 480 sites. The machine is running Apache on FreeBSD.

Once the defacers had administrator-level access, a script quickly replaced all index pages with a pro-Israeli rant. "Sorry, but the whole hosting defaced because one site that is hosted here: al-aqsa.org... our little country got raped, and we just can't look on this and do nothing, we just can't!"

Al-aqsa.org is a pro-Islamic website allegedly containing a number of speeches inciting violence towards Israel.

All the sites were virtually hosted. Virtual hosting is a cost-effective method of running a site where a number of websites are hosted on the same server, with each site usually held in its own individual folder.

But should a hacker manage to get system-level access to the server, it is child's play to set up a script to overwrite every index.html file found on the machine and replace it with the hacker's own page.

The attack bears certain similarities to Friday's mass defacement by World of Hell (WoH), in which 679 sites were hit.

In this case WoH exploited a vulnerability in Microsoft IIS/Windows 2000 Internet Printing Protocol, first discovered in May.

Microsoft has had a patch available for the flaw for almost two months now, so it would seem that lax security updates by hosting provider Ready Hosting were to blame for the hit.

Apparently WoH used a simple Perl script to also overwrite all the index pages on the server.

A few of the sites defaced were hosted elsewhere on a Unix box, showing the same trick works across different platforms and that by not regularly updating patches on virtual hosting servers, a provider could be putting all its eggs in one virtual basket.

A mirror of the defaced sites can be found here.