Tracking Hacked Websites

A lot of website defacements leave the signature of the attacker. Whether it's the Syrian Electronic Army or a lone individual, they like leaving a message to get credit for their successful attack.

One thing they tend to have in common though is that they start their signature with "Hacked by". That makes it very easy to find hacked websites with Shodan:

https://www.shodan.io/search?query=title%3A%22hacked+by%22

Based on this information there are roughly 2,000 websites that have been compromised recently and advertise it using the string "Hacked by". Unsurprisingly, the majority of the compromised websites are running on port 80 (HTTP):

What did surprise me however was that a huge chunk of the compromised websites were located on a single hosting provider:

The Ecommerce Corporation accounts for 25% of the "hacked by" results in Shodan. Almost all servers are running Apache and PHP, though they're not all on the same version. Their website talks about helping businesses grow and doesn't immediately discuss hosting, but the About page does mention their affiliation with IX Web Hosting. Whatever they're doing, they are configuring their systems in a way that appears to make them a big target for defacements.

I was curious to see which attacker had compromised the most hosts, so I downloaded the data using the shodan command-line tool:

shodan download --limit -1 hacked 'title:"hacked by"'

This saves the results into a file called hacked.json.gz, which I then ran the following command on:

shodan parse --fields title hacked.json.gz | \
    grep -i "hacked by" | \
    sed -e 's/.*hacked by//i' | \
    sort | \
    uniq -c | \
    sort -k1nr -k2d | \
    head -10

The shodan parse command extracts the title information out of the banners, which are then filtered using grep to ensure only websites that contain "hacked by" in that order get analyzed further. Then I strip out everything that appears before the "hacked by" string using sed, thereby creating a list of attacker names. That list is then sorted, the unique names are counted, the counts are sorted by number of occurrences and finally the top 10 results get printed to the terminal. And with that I can present the Top 10 Website Defacers:

  1. GHoST61: 57
  2. OxFoRD & Omis Exe: 54
  3. Kuroi'SH: 41
  4. Oum99: 40
  5. Oussama911: 37
  6. Best Cracker: 35
  7. r00t-x: 31
  8. Prodigy TN: 25
  9. TechnicaL: 25
  10. koat_halk_palesten: 24

Note that I only counted unique names, i.e. if the attacker misspelled their name (e.g. Elmaghiribi vs Elmaghribi) or uses several variations (e.g. muhmademad vs MuhmadEmad) then they would get counted separately. And much the same way Time magazine's person of the year 2006 was you, apparently you is also accountable for at least 4 of the defacements.
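The same filter/strip/count/sort pipeline and the name-variant caveat above, as an added Python example that is not part of the original post: it runs over a constructed set of page titles (or over a shodan download file, assuming each banner stores the title at http.title) and adds an optional case-folding step so variants such as GHoST61 and Ghost61 are merged rather than counted separately. Name ties are ordered by Python's codepoint order rather than sort's dictionary order, so tie ordering can differ slightly from the shell version.

```python
import gzip
import json
import re
from collections import Counter

# Case-insensitive "hacked by"; like the post's sed expression, everything up to
# and including the LAST occurrence is dropped and the remainder is the handle.
HACKED_BY = re.compile(r"^.*hacked by\s*", re.IGNORECASE | re.DOTALL)

def extract_defacer(title):
    """Return the defacer handle from a page title, or None if it has none."""
    if not title or not HACKED_BY.search(title):
        return None
    return HACKED_BY.sub("", title).strip() or None

def normalize(handle):
    """Fold case and collapse whitespace so 'GHoST61' and 'Ghost61' merge."""
    return " ".join(handle.lower().split())

def top_defacers(titles, n=10, merge_variants=False):
    """Count handles; order by count desc then name asc (cf. sort -k1nr -k2d)."""
    counts = Counter()
    for title in titles:
        handle = extract_defacer(title)
        if handle is not None:
            counts[normalize(handle) if merge_variants else handle] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def titles_from_download(path):
    """Yield titles from a 'shodan download' file (gzipped JSON, one banner per
    line). Assumption: the HTTP title lives at banner["http"]["title"]."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            if line.strip():
                banner = json.loads(line)
                title = (banner.get("http") or {}).get("title") or banner.get("title")
                if title:
                    yield title

# Constructed sample titles standing in for the contents of hacked.json.gz.
SAMPLE_TITLES = [
    "Hacked By GHoST61",
    "Example Store - hacked by Ghost61",
    "Hacked by Kuroi'SH",
    "Welcome to Example Shop",
    "Hacked by Oum99 | Hacked by Oum99",
    "HACKED BY  Kuroi'SH ",
]

print(top_defacers(SAMPLE_TITLES), top_defacers(SAMPLE_TITLES, merge_variants=True))
```

To process a real download, replace SAMPLE_TITLES with titles_from_download("hacked.json.gz").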

PS: The header image for this post was created by the amazing Viss and you can find the whole gallery at https://imgur.com/gallery/W7f8K