Last week, I was on a Web forum where someone talked about his Web site being defaced. He’d been running an insecure install of phpNUKE without keeping on top of security patches, and his site was taken down and replaced with a page reading “Hacked by GHoST61” and a picture of the first president of Turkey.
I did some investigating, and discovered that GHoST61 is a prolific Turkish hacker who defaces Web pages in a very characteristic way; he or she replaces the home page with the message “Hacked by GHoST61” and sometimes a picture of the Turkish president, sometimes a missive against the Iraqi war, and sometimes a combination of both.
GHoST61 generally strikes me as being more of a script kiddie than a serious, knowledgeable hacker. A Google search for the phrase “Hacked by GHoST61” currently turns up about 30,000 results, the majority of which look like sites running old, outdated, insecure installs of phpNUKE, Drupal, ZenCart, osCommerce, or other server apps with known security holes. The attacks are probably automated, with point-n-drool tools that search for known vulnerabilities in popular Web application and content management packages.
In other words, GHoST61, whoever he or she is, mostly goes after low-hanging fruit.
Just because it’s what I do, I started wading through the Google results and checking to see where the hacked sites were hosted. And I found something of a surprise.
I checked several results, and found the majority of them were living on a single ISP, ecommerce.com (which does Web hosting under the names iX Web Hosting and WebHost.biz).
Curious, I kept digging, choosing random Google results to examine (in case the order of the Google results was determined by time, and the hacker just happened to be searching in IP space belonging to ecommerce.com recently). What I discovered was that the majority of hacked sites all across Google’s results, by a large margin, were hosted in the same place.
The next thing I thought was that it could be simply a question of the ISP’s size. After all, if the Web sites that had been defaced were spread out evenly across many ISPs, and one ISP hosted a million sites whereas another ISP hosted only ten thousand sites, I’d expect to see more hacked sites hosted on the larger ISP, right?
But this didn’t hold water, either. The ISP ecommerce.com advertises that it hosts about 500,000 sites. Much larger Web hosting companies such as Peer 1 hosted a far smaller number of hacked sites.
So I started counting. I grabbed a bunch of Google results at random, looked to see who was hosting them, and recorded the results. Here’s what I found (number of hacked sites on the vertical axis, Web hosting company on the horizontal axis):
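One way to mechanize the counting step described above, written here as an added example rather than the author's own procedure: take each defaced site's resolved IP address, attribute it to a hosting organization by longest-prefix match against a netblock table, tally per host, and then normalize by each host's advertised site count so that a bigger host isn't penalized just for being bigger (the size objection raised a few paragraphs up). Every domain, IP address, netblock, and site count in the block is constructed for illustration; a real run would fill the netblock table from WHOIS or routing data and the size column from each host's published figures. Where a host publishes no size, the rate is reported as unknown rather than guessed.

```python
"""Aggregate defaced sites by hosting provider and normalize by provider size.

Added example, not code from the original post. All domains, IP addresses,
netblocks, and hosting-size figures below are constructed for illustration.
"""
from collections import Counter
import ipaddress

# Constructed netblock -> hosting organization table (not real allocations).
NETBLOCKS = {
    "203.0.113.0/24": "ecommerce.com",
    "198.51.100.0/25": "ecommerce.com",
    "198.51.100.128/25": "Peer 1",
    "192.0.2.0/26": "Peer 1",
    "192.0.2.64/26": "Other Host",
}

# Constructed results: (domain, resolved IP) pairs standing in for search hits.
DEFACED = [
    ("example-shop.test", "203.0.113.17"),
    ("nuke-portal.test", "203.0.113.200"),
    ("old-drupal.test", "198.51.100.9"),
    ("zen-cart.test", "198.51.100.77"),
    ("osc-store.test", "198.51.100.130"),
    ("forum.test", "192.0.2.5"),
    ("blog.test", "192.0.2.100"),
    ("mystery.test", "10.9.8.7"),  # no matching netblock -> "unknown"
]

# Constructed advertised site counts; None means the host publishes no figure.
ADVERTISED_SITES = {
    "ecommerce.com": 500_000,
    "Peer 1": 2_000_000,
    "Other Host": None,
}


def lookup_org(ip_str, netblocks=NETBLOCKS):
    """Return the org owning the most specific netblock containing ip_str."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for cidr, org in netblocks.items():
        net = ipaddress.ip_network(cidr)
        # Keep the longest (most specific) prefix that contains the address.
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, org)
    return best[1] if best else "unknown"


def count_by_host(defaced=DEFACED, netblocks=NETBLOCKS):
    """Count defaced sites per hosting organization."""
    return Counter(lookup_org(ip, netblocks) for _, ip in defaced)


def rate_per_10k(counts, sizes=ADVERTISED_SITES):
    """Defacements per 10,000 hosted sites; None where the host size is unknown."""
    rates = {}
    for org, n in counts.items():
        size = sizes.get(org)
        rates[org] = round(n / size * 10_000, 4) if size else None
    return rates


if __name__ == "__main__":
    counts = count_by_host()
    for org, n in counts.most_common():
        print(f"{org:15s} {n:3d} hacked sites")
    for org, r in rate_per_10k(counts).items():
        print(f"{org:15s} {r} per 10k sites")
```

The raw count answers "where do the hacked sites live?"; the per-10k rate answers "is that more than the host's share?", which is the comparison the size argument actually needs. Addresses that fall outside every known netblock are bucketed as unknown rather than silently dropped, so the tally still adds up to the number of results examined.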
It seems to me that ecommerce.com has a problem here. While GHoST61 will hack vulnerable Web sites with security holes no matter where they’re hosted, there is a very, very large cluster of hacked sites living on ecommerce.com servers.
This may indicate that ecommerce.com doesn’t enforce good security practices, or that ecommerce.com is slow to respond to hack attacks. Or it may indicate a more systemic problem at ecommerce.com, such as some sort of server-level vulnerability that allows easy penetration of many of their Web sites.
Whatever the problem, it definitely appears that ecommerce.com has some sort of issue here.