Analysis of Defacement of Indian Web Sites by K. N. Srijith
This paper analyses publicly available reports of defacements of Indian Web sites. The primary aim of the paper is to present the raw information available as understandable statistical details. It also discusses the trends in the defacement activities and tries to find out the motive behind the defacement activities.Contents
Introduction
Methodology
Analysis
Conclusion
Introduction
The Internet, the worldwide network of interconnected machines, has evolved over the last couple of years from a research project, to a geek's medium, and into a common communication medium. Web sites have been sprouting everywhere, creating an online presence for companies, institutions, organisations and individuals. However, along with the rise of Internet, there has also been a corresponding rise in the number of Internet related thefts, fraud and system compromises. As more and more bugs in server implementation are discovered, they are promptly used to break into online systems and gain access to restricted information.
India is not an exception to this trend. As the number of Indian Web sites has increased, so have the attacks directed against them. The media and the security industry are slowly realising the extent of the problem. It was felt that research needed to be done to gather statistical and empirical information on the state and trends of defacement activities targeted against Indian Web sites, as there has not been any previously reported study or survey on this topic.
Most of the information used in this paper is taken from Project India Cracked [ 1], a Web project run by the author, that has been monitoring defacement of Indian Web sites since the year 2000.
Methodology
Source of data
The data regarding the defacement of Web sites are primarily obtained from defacement mirroring Web sites http://www.attrition.org [ 2], http://alldas.de [ 3] (later changed to http://www.alldas.org [ 4]), http://www.zone-h.org [ 5] and http://www.safemode.org [ 6]. Some of the defacement events were recorded by the author as a result of e-mail from those groups responsible for the defacements.
Which Web sites were considered?
Since the aim of the paper is to look into defacement activities targeted against Indian sites, the following kind of domains were included in the study:
- .co.in, .net.in, .gov.in, .org.in, .nic.in, .ac.in, .ernet.in and .res.in that is, servers representing .in top level domain (country code top level domain — ccTLD).
- .com, .net, .org and .edu servers of Indian institutions. Indian institutions can either be institutions physically located in India or an Indian branch of an international organisation.
All of these Web sites will be collectively referred to as "Indian Web sites" from now on. As mentioned earlier, this paper relies on data provided by different defacement mirroring Web sites. These sites have different criteria to determine that a defacement has occurred. For example, http://www.alldas.org does not consider multiple defacement of the same Web site within a certain time frame as valid defacement, nor does it consider defacement of IP addresses that do not resolve to a domain name as valid. However, other mirroring Web sites such as http://zone-h.org have a slightly different set of rules. As for this paper, any defacement reported by any of the Web sites mentioned earlier is considered valid.
Date range of data
All defacement reported between January 2000 and August 2002 were considered in this paper. A total of 715 defacement reports were analysed for this report.
Cracking vs. defacement
Technically there is a difference between the cracking of a Web site and the defacement of a site. Cracking means that the system that hosts the Web site has been compromised and that the attacker potentially has access to other files in the system. Defacement, on the other hand, means that the Web content hosted on a server has been modified illegally. It need not indicate a full system compromise. An example is the PHPNuke vulnerability bug that allows a person to illegally alter data.
For this study, however, these differences are ignored. Since the study tries to analyse attacks against Indian Web sites, there is no reason to distinguish between a system-wide compromise and a local code compromise, as both result from attacks on a site. The word defacement is used in this paper to collectively describe an attack that is either defacement or a more serious host compromise.
Analysis
Attacker Statistics
Detailed analysis of the data shows that a total of 135 different individuals or groups were responsible for defacing of Indian Web sites over the 17 months under consideration. The breakdown of the top five defacers' statistics is given in Table 1.
Table 1: Defacement statistics of top five defacers.
Defacer Number of defacements Percentage AIC 160 22.28 GForce Pakistan 116 16.16 Silver Lords 101 14.07 WFD 53 7.38 TheBuGz 12 1.67
The group "AIC" (Anti India Crew) has the highest number of defacements to its credit, followed by "GForce Pakistan" and then the group "Silver Lords." It is interesting to note that the defacers "AIC," "GForce Pakistan" and "Silver Lords" are responsible for around 52.7 percent of the total defacements. The rest of the 133 other defacers contribute the other 47.3 percent.
Table 2 shows the statistics of various domains that the top five defacers have attacked, while Table 3 show the detailed breakdown of statistics of the .in ccTLD.
Table 2: Domain statistics of top five defacers.
Defacer .in .com .net .org .edu AIC 77 75 1 6 1 GForce 36 72 3 5 0 Silver Lords 46 49 3 3 0 WFD 29 23 0 1 0 TheBuGz 2 8 0 2 0
Table 3: ".in" tld statistics of top five defacers.
Defacer .co.in .gov.in .net.in .org.in .nic.in .ac.in .ernet.in .res.in AIC 13 9 6 6 14 8 15 6 GForce 6 2 4 0 9 4 8 3 S Lords 25 1 2 0 4 3 10 1 WFD 16 2 0 2 3 3 3 0 TheBuGz 1 0 0 0 0 0 0 1
Statistics in Table 2 and Table 3 reveal some interesting observations. It can be seen that "AIC" is the only group that has defaced a .edu Web site, and that it has also defaced the maximum number of .co.in and .com Web sites — 88.
Of the top three defacers, Silver Lords has defaced the highest percentage of .co.in and .com Web sites — 73 percent of it total defacements, while "TheBuGz" has defaced only two .in Web sites out of its total of 12 TLD defacements. "WFD" (World Fantabulous Defacers) and "TheBuGz" have not defaced a .net domain.
Domain Statistics
Table 4 shows statistics on domains that have been defaced.
Table 4: Statistics of defaced domains.
Domain .co.in .gov.in .net.in .org.in .nic.in .ac.in .ernet.in .res.in .com .net .org .edu Number 112 29 23 14 44 31 56 20 347 18 20 1
Again some interesting observations can be made from the table. .com is the most defaced TLD, while on the other hand, other than the .edu, (that is defaced once only) .net is the least defaced TLD. .org.in is the least defaced .in domain.
Indian vs. World Trends
The comparison of Indian and worldwide defacement activity can be seen in figures 1 and 2.
Figure 1: Trend in defacement of Web sites around the world 2000-2002.
Figure 2: Trend in defacement of Indian Web sites 2000-2002.
These figures show some interesting trends. For both worldwide and Indian defacements, the month of December seems to show an increase in activity compared to previous months. Another interesting point is the general peak in the activity of Indian defacement around the months of January and August. This is probably due to the fact that the defacers try to coincide the defacements with Indian Republic Day (26 January) and Independence Day (15 August).
The value of the correlation coefficient calculated between the number of defacements per month for worldwide and Indian Web sites shows a very low correlation between the two events. Table 5 gives the details.
Table 5: Correlation between worldwide and Indian defacements.
Year Correlation Coefficient 2000 0.408794 2001 0.149603 2002 0.808435
Note again that 2002 results are suspect for a couple of reasons. One of the primary defacement recording websites was offline during the month of February 2002 and hence a large number of defacements were not recorded. Furthermore, the report only looks at defacements recorded until the end of August 2002, and not for the whole year. This low coefficient shows that the trends in the worldwide defacement scene do not affect the defacement activity geared against Indian sites. Rather, other factors are at play when it comes to motives behind the defacement of Indian sites.
Most Defaced Sites
Table 6: Most defaced hosts.
Site URL Number of Defacements http://www.rrlbhu.res.in 7 http://www.lbsnaa.ernet.in 6 http://www.aiims.ac.in 4 http://www.ushacomm.co.in 4
In Table 6, computers are differentiated according to sub domains. Hence http://www.srijith.net is considered different from http://pic.srijith.net. For many professional hosting services, sub domains are hosted on different machines to reduce the load on individual servers.
Table 6 shows that http://www.rrlbhu.res.in is the most defaced site, the site for the Regional Research Laboratory, Bhubaneswar (Orrisa). This site has been defaced by the groups "Cyber Yodha," "PCW," "r00t.br," "TheBuGz," "xst," and "war4" (twice) between October and December 2001. According to Netcraft [ 7], this computer is either a Microsoft Windows NT 4 or Microsoft Windows 98 machine running Microsoft IIS 4.0 Web server.
The second most defaced host is http://www.lbsnaa.ernet.in, the site of the Lal Bahadur Shastri National Academy of Administration. This host was defaced between October 2000 and August 2001 by groups "AIC," "WFD," "Pakistan Net Army," "edge & kartoon.ak.47," "pSYC0M0DEN," and "icefist." An interesting observation about this host is that the machine was running on Microsoft Windows NT4/98 and using Microsoft IIS 4.0 until September 2001, after which it changed to an IBM HTTP Server. The defacements occurred during the time it was using IIS 4.0 and seem to have stopped once it was changed to an IBM server.
The host http://www.aiims.ac.in hosts the site of All India Institute of Medical Sciences and has been defaced between August and October 2001 by groups "AIC" (twice), "Hax0rs Lab" and "Crime Lordz", while the machine http://www. ushacomm.co.in was defaced in October 2001 and January 2002 by groups "DeathSymb0L," "Killer Team," "woot-project" and "DrSnake."
Motives
As Table 5 indicated, the defacement scene of Indian Web sites does not follow the same trend of worldwide activity. This indicates that peaks of activity for Indian defacements do not coincide with announcements of exploitable security holes in systems, since the worldwide defacements seem to peak around those occasions [4].
Furthermore, of the top three defacers, AIC and GForce Pakistan use defacements to propagate anti-Indian sentiments and literature. Silver Lords, the other group in the top three, is not operating solely on anti-Indian sentiments. However, all of the defacements of Indian Web sites made by Silver Lords contain anti-Indian propaganda.
These characteristics, together with inferences from Figure 2 showing increases in defacement activity around the months of January and August, suggest that the primary motive is anti-Indian sentiments.
Conclusion
In this paper, defacement activities targeted against Indian Web sites were examined and studied. A statistical analysis and comparison of worldwide and Indian defacement trends showed that the basic motive behind the defacement of Indian Web sites is the expression of anti-Indian sentiments
About the Author
K.N. Srijith is a teaching assistant at School of Computing, National University of Singapore. He is currently finishing his M.Sc. in the area of TCP congestion control algorithms.
Web: http://www.srijith.net
E-mail: srijith@srijith.net
Notes
1. K.N. Srijith, "Project India Cracked.", at http://www.srijith.net/indiacracked.
2. "Attrition," at http://www.attrition.org.
3. "Alldas.de," at http://www.alldas.de.
4. "Alldas.org," at http://www.alldas.org.
5. "Zone-h.org - IT Security Information Network," at http://www.zone-h.org.
6. "Safemode.org," at http://www.safemode.org.
7. "Netcraft Website Finder," at http://www.netcraft.com.
Editorial history
Paper received 12 November 2002; accepted 29 November 2002.
Copyright ©2002, First Monday
Copyright ©2002, K.N. Srijith
Analysis of Defacement of Indian Web Sites by K. N. Srijith
First Monday, volume 7, number 12 (December 2002),
URL: http://firstmonday.org/issues/issue7_12/srijith/index.html
