Web Defacement...


I am seeing right now defaced web pages supposedly by one kerem125 and another by_gsy. I accidentally found this while going to one of my favorite web sites and saw that "Hacked by kerem125 and gsy aciklarinizi kapatiniz...!" written all over it. I also maintain a couple of websites and I am much concerned about this.

After googling for "kerem125", I saw many web sites that are affected and it appears that all are using Microsoft-IIS/6.0 powered by ASP.NET. Though some sites are not (yet) affected, this emanates much concern regarding IIS 6.0 (Windows Server 2003) security.

Further investigation led me to the site of kerem125 and the exploit of devami.asp to launch their attacks.

The purpose of this post is for concerned web admins (especially MSFN members :yes: ) to back-up now their sites so they can easily recover after the "storm" has passed.


According to www.SecurityFocus.com this is a SQL injection attack specific to RunawaySoft Haber Portal 1.0 ... Not a Windows issue.

But thanks for letting folks know about it.

I watched the HTTP headers of the affected sites including these ones:

www.betterfutureconference.com-contactus.asp.jpg.xs.jpg www.salernohotels.sa.it-ita-eventi.asp.jpg.xs.jpg

(the addresses are in the filename.jpg (slashes are converted to dashes -)) and all of them are using ASP and:

Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET

Server: Microsoft-IIS/5.0
X-Powered-By: ASP.NET

Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET

Server: Apache (which in my opinion uses Windows as OS, Nmap can resolve this, but I just depended on HTTP headers only)

as I have yet to see affected websites that are using systems like Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-19

The exploit in securityfocus uses devami.asp as launching of the attack and I don't know if MySQL (regularly used in Linux servers) has this file or just Microsoft's SQL.

SecurityFocus reported this on May 16 2007, and I am still seeing this now; "[thelist] Hacked by kerem125" reported this as early as February 2 2007. Therefore, this has been ongoing for about 3 months now and I suspect that it will still go on for some time.
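
For admins who want to check their own IIS logs for requests against the devami.asp script named in this thread, here is a log-scanning sketch. It is an added example, not part of any forum post; the `id` parameter name, the marker patterns and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

TARGET_STEM = "/devami.asp"  # script named in the thread

# Heuristic SQL injection markers (assumed; tune for your own site).
SQLI = re.compile(
    r"('|--|;|/\*|\bunion\b.+\bselect\b|\bor\b\s+\S+\s*=|\bexec\b|\bxp_\w+)",
    re.IGNORECASE)

# Constructed sample in IIS W3C extended log format (not real traffic;
# the "id" parameter and the documentation-range IPs are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-05-20 10:01:02 192.0.2.10 GET /devami.asp id=42 200
2007-05-20 10:03:17 198.51.100.7 GET /devami.asp id=42%27+union+select+null-- 500
2007-05-20 10:03:40 198.51.100.7 GET /DEVAMI.ASP id=1+or+1%3D1 200
2007-05-20 10:04:05 192.0.2.11 GET /default.asp - 200
2007-05-20 10:05:00 203.0.113.9 GET /devami.asp id=7%2527 200
"""

def decode(query, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still seen."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def find_suspicious(log_text, stem=TARGET_STEM):
    """Return (date, time, client IP, decoded query) for flagged requests."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for following rows
            continue
        values = line.split()
        if line.startswith("#") or not fields or len(values) != len(fields):
            continue  # directive, blank or malformed line
        row = dict(zip(fields, values))
        # IIS paths are case-insensitive, so compare in lower case.
        if not row.get("cs-uri-stem", "").lower().endswith(stem):
            continue
        query = decode(row.get("cs-uri-query", ""))
        if SQLI.search(query):
            hits.append((row.get("date"), row.get("time"), row.get("c-ip"), query))
    return hits
```

A hit is only a lead for review: the patterns are deliberately broad and will also flag some benign queries.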
