I wanted to revisit the results of a few posts last year on how to track website defacements and see how things have changed since then. In case you're wondering how this data is collected, I've created a video that shows in real-time the commands I used to generate the data:

Here's the Top 10 Website Defacers as of January 2016:

1. GHoST61: 51
2. Kadimoun: 39
3. AnonCoders: 35
4. r00t-x: 31
5. Shor7cut: 28
6. Owner Dzz: 27
7. Toxic Phantom FROM BANGLADESH BLACK HAT HACKERS: 27
8. TechnicaL: 21
9. virus3033: 21
10. Yuba: 17

GHoST61 also topped the ranking last year and remains at the top at the moment. Other familiar names are: r00t-x (moved down 1 rank), TechnicaL (moved down 2 ranks) and virus3033 (moved down 2 ranks). This means that 4 of out of the previous top 10 are still around, while the other 6 weren't listed before.

In terms of organizations containing defaced websites, the Ecommerce Corporation remains the most affected by far. At this point it seems a given that Ecommerce will have the worst ranking so lets look at the other organisations on the list. The full ranking is:

1. Ecommerce Corporation
2. Unified Layer (+1)
3. GoDaddy (-1)
4. CyrusOne
5. iServer Hosting
6. SoftLayer Technologies
7. Media Temple (-1)
8. Peer1 Dedicated Hosting (-4)
9. New Dream Network
10. Digital Ocean

The top 3 have remained the same, though GoDaddy and Unified Layer switched spots. New entries on the list are: CyrusOne, iServer Hosting, SoftLayer, New Dream Network and Digital Ocean. At this point it's clear that there are a few hosting providers with on-going problems and it doesn't look like they've made any impactful changes to reduce the number of compromised websites.

In terms of products, the vast majority of affected websites were running Apache:

I'm planning on periodically revisiting this subject to see how things change over time, especially with regards to the newly-listed organisations!

PS: Credit to @Viss for the dramatic hacker background image at the top.

I wanted to revisit the results of an earlier post this year on how to track website defacements and see how things have changed since then. In case you're wondering how this data is collected, I've created a video that shows in real-time the commands I used to generate the data:

Here's the Top 10 Website Defacers as of June 2015:

1. GHoST61: 49
2. El Moujahidin: 31
3. r00t-x: 29
4. Ashiyane Digital Security Team
5. Best Cracker: 22
6. TechnicaL: 20
7. virus3033: 17
8. A.N.T: 15
9. KkK1337: 14
10. MR Error ..: 14

GHoST61 also topped the ranking earlier this year and remains at the top at the moment. Other familiar names are: r00t-x (moved up 4 ranks), TechnicaL (moved up 3 ranks) and Best Cracker (moved up 1 rank). This means that 4 of out of the previous top 10 are still around, while the other 6 weren't listed before.

In terms of organizations containing defaced websites, the Ecommerce Corporation remains the most affected by far. After publishing the last blog post some people rightly questioned whether Ecommerce corporation had just been hit with an attack and I happened to do my report right afterwards. This follow-up data makes it clear that there are systemic problems at the company and how they setup/ respond to incidents.

A lot of website defacements leave the signature of the attacker. Whether it's the Syrian Electronic Army or a lone individual, they like leaving a message to get credit for their successful attack.

One thing they tend to have in common though is that they start their signature with "Hacked by". That makes it very easy to find hacked websites with Shodan:

https://www.shodan.io/search?query=title%3A%22hacked+by%22

Based on this information there are roughly 2,000 websites the have been compromised recently and advertise it using the string "Hacked by". Unsurprisingly, the majority of the compromised websites are running on port 80 (HTTP):

What did surprise me however was that a huge chunk of the compromised websites were located on a single hosting provider:

The Ecommerce Corporation accounts for 25% of the "hacked by" results in Shodan. Almost all servers are running Apache and PHP, though they're not all on the same version. Their website talks about helping businesses grow and doesn't immediately discuss hosting, but the About page does mention their affiliation with IX Web Hosting. Whatever they're doing, they are configuring their systems in a way that appears to make them a big target for defacements.

I was curious to see which attacker had compromised the most hosts, so I downloaded the data using the shodan command-line tool:

shodan download --limit -1 hacked 'title:"hacked by"'

This saves the results into a file called hacked.json.gz, which I then ran the following command on:

shodan parse --fields title hacked.json.gz | \
    grep -i "hacked by" | \
    sed -e 's/.*hacked by//i' | \
    sort | \
    uniq -c | \
    sort -k1nr -k2d | \
    head -10

The shodan parse command extracts the title information out of the banners, which are then filtered using grep to ensure only websites that contain "hacked by" in that order get further analyzed. Then I strip out everything that is shown before the "hacked by" string using sed thereby creating a list of attacker names. That list is then sorted, the uniques are counted, sorted by number of occurrence and finally the top 10 results get printed to the terminal. And with that I can present the Top 10 Website Defacers:

1. GHoST61: 57
2. OxFoRD & Omis Exe: 54
3. Kuroi'SH: 41
4. Oum99: 40
5. Oussama911: 37
6. Best Cracker: 35
7. r00t-x: 31
8. Prodigy TN: 25
9. TechnicaL: 25
10. koat_halk_palesten: 24

Note that I only counted unique names, i.e. if the attacker mis-spelled their name (ex. Elmaghiribi vs Elmaghribi) or has several variations (ex. muhmademad vs MuhmadEmad) then they would get counted separately. And much the same way Time magazine's person of the year 2006 was you, apparently you is also accountable for at least 4 of the defacements.

PS: The header image for this post was created by the amazing Viss and you can find the whole gallery at https://imgur.com/gallery/W7f8K