
GOVERNMENT OF INDIA
MINISTRY OF RAILWAYS
(RAILWAY BOARD)

The General Managers,
All Indian Railways, Core & Production Units

Director General,
RSC, Vadodara
RDSO, Lucknow

CAO,
COFMOW, DMW/Patiala, RCF/RBL/DKZ

Directors,
All Centralised Training Institutes

Managing Director,
Centre for Railway Information Systems, Chanakyapuri, New Delhi.

In the wake of recent cyber attacks on Government websites, a letter has been received from the office of the Indian Computer Emergency Response Team (CERT-In) advising website administrators to follow best practices to secure their web applications and web servers. The relevant CERT-In security guidelines can be referred to through the links given in the letter (copy of the letter attached).

The attachment sent by CERT-In along with the above letter, summarising website defacements in February 2012 and March 2012, is available on the C&IS Dte page (section for IT security) of the Railway Board's website.

Director General

D.O. No. 2(7)/2012-CERT-In

20.04.2012

Dear Shri Das,

CERT-In is tracking defacement of Indian websites on a regular basis. A total of 2460 and 2486 Indian websites were defaced by various defacers during the months of February and March 2012 respectively. Similarly, 475 and 296 websites were compromised and links to malicious websites were planted on these sites during the corresponding months. Summaries of monthly website defacements, depicting the domain-wise and network-wise break-up of the websites defaced, the top defacers and the vulnerabilities which are largely exploited, are attached.

In view of growing attacks on websites, you are requested to advise website administrators to follow best practices to secure web applications and web servers.

The following CERT-In security guidelines may be referred to:

• Web Server Security Guidelines: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guideline CISG-2004-04

• Securing IIS 7.0 Web Server Guidelines: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guides CISGu-2010-01

• Guidelines for Auditing and Logging: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guideline CISG-2008-01

With regards,

Encl: As above

Government of India
Ministry of Communications and Information Technology
Department of Information Technology
Indian Computer Emergency Response Team (CERT-In)
Electronics Niketan, 6, C.G.O. Complex, New Delhi-110003
Tel.: 24368544, Fax: 24366806, E-mail: grai(a)mit.gov.in

Shri R.B. Das,
Executive Director (Computers & Information Technology),
Railway Board, Ministry of Railways,
Rafi Marg, New Delhi-110001

CONFIDENTIAL

CERT-In Defacements Summary February 2012

Department of Information Technology
Ministry of Communications and Information Technology

CONTENTS

1. Introduction
2. Distribution of defaced domains
2.1 Percentage Distribution of defaced domains
3. Hacker wise Defacements
3.1 Top Defacers (TLDs)
3.2 Top Defacers (ccTLDs)
3.3 Details of Mass Defacements
4.1 Most Targeted Networks
5. Attack Trends
5.1 Attack Methodologies
5.2 Vulnerabilities
6. Suggested Countermeasures

1. Introduction

This report summarizes Indian website defacements during February 2012. In all, 2460 Indian websites were defaced during the month of February 2012, against 1420 defacements in January 2012.

2. Distribution of defaced domains

The defaced domains include country code top level domains (such as .edu.in and .res.in).

Figure 2: Distribution of Defaced Domains (ccTLDs)

2.1 Percentage Distribution of defaced domains

In the month of February 2012 a total of 2460 Indian websites were defaced. Out of these, 52% of websites were on the .in domain and 11.5% on the .com domain. Figure 3 shows the percentage distribution of defaced sites in top level domains (TLDs).

Figure 3: % Distribution of Defaced Domains (TLDs)

Figure 4 shows the percentage distribution within the .in domain (ccTLDs). Of the 1233 defaced websites, 23% were on the .co.in domain.

Figure 4: % Distribution of Defaced Domains (ccTLDs)

3. Hacker wise Defacements

3.1 Top Defacers (TLDs)

1. H4x0rL1f3 (248)
2. ZCompany Hacking Crew (178)
3. LOLD
5. Bangladesh Cyber Army

Table 1: Top Defacers, TLD wise

3.2 Top Defacers (ccTLDs)

7. Hmei7
10. sksking

Table 2: Top Defacers, ccTLD wise

3.3 Details of Mass Defacements

No. / IP / ISP Name / Location / Defacer / OS and Web Server

1. ISP: LAYER3; location: US; defacer: ZCompany Hacking Crew; OS: Windows 2003
2. IP: 72.51.38.59; ISP: PEER1; location: US
3. IP: 50.97.145.130; ISP: SOFTLAYER; location: US; defacer: H4x0rL1f3; OS/web server: Linux / Apache

4.1 Most Targeted Networks

It has been observed that most (88%) of the Indian websites defaced were hosted

Figure 5: Defaced website hosting country-wise

5. Attack Trends

5.1 Attack Methodologies

Attack methodologies which are generally used to deface a website are:

• Attacks against the administrator/user (password stealing/sniffing)

• Shared mis-configurations

• File Inclusion

• SQL Injection

• Web shell uploading

• Access credentials through Man in the Middle attack

• FTP Server Intrusion

• Web Server Intrusion

• DNS attack through cache poisoning

• Remote administrative panel access through brute forcing

• SSH Server intrusion

• RPC Server intrusion

• Telnet Server intrusion

5.2 Vulnerabilities

The vulnerabilities which are largely exploited for the defacements are:

• Multiple cross-site scripting (XSS) vulnerabilities in Joomla! (CVE-2011-2710, CVE-2011-2509)

• Cross-site scripting (XSS) vulnerability in the Petition Node module for Drupal (CVE-2011-4560)

• SQL injection vulnerability in Drupal Translation Management module 6.x before 6.x-1.21 (CVE-2011-1663)

• Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin (CVE-2012-0914)

• Authentication bypass vulnerability in phpMyAdmin (CVE-2010-4481)

• Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (CIVN-2011-0152)

• Multiple Vulnerabilities in Microsoft products Windows Server 2008, 2003 & Windows Vista (CIAD-2010-0064)

• Apache Tomcat HTTP DIGEST Authentication Vulnerability (CIVN-2011-0169)

6. Suggested Countermeasures

• Apply appropriate updates/patches at the OS and application level regularly.

• Validate and sanitize all user input, and present error messages that reveal little or no useful information to the user, to prevent SQL injection attacks.

• Enable and maintain logs of different devices and servers and maintain the same for all the levels.

• Conduct auditing of the web application and the configuration settings of the web server periodically.

• Periodically check the web server directories for any malicious/unknown web shell files and remove them as and when noticed.

• Use an application firewall to control input, output, and/or access to the web application.

• Install a good antivirus and keep it updated and running.

• The following CERT-In security guidelines may be referred to:

Web Server Security Guidelines: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guideline CISG-2004-04

Securing IIS 7.0 Web Server Guidelines: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guides CISGu-2010-01

Guidelines for Auditing and Logging: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guideline CISG-2008-01

CONFIDENTIAL

CERT-In Defacements Summary March 2012

Department of Information Technology
Ministry of Communications and Information Technology

CONTENTS

1. Introduction
2. Distribution of defaced domains
2.1 Percentage Distribution of defaced domains
3. Hacker wise Defacements
3.1 Top Defacers (TLDs)
3.2 Top Defacers (ccTLDs)
3.3 Details of Mass Defacements
4.1 Most Targeted Networks
5. Attack Trends
5.1 Attack Methodologies
5.2 Vulnerabilities
6. Suggested Countermeasures

1. Introduction

This report summarizes Indian website defacements during March 2012. In all, 2486 Indian websites were defaced during the month of March 2012, against 2460 defacements in February 2012.

2. Distribution of defaced domains

The defaced domains include country code top level domains.

Figure 2: Distribution of Defaced Domains (ccTLDs)

2.1 Percentage Distribution of defaced domains

In the month of March 2012 a total of 2486 Indian websites were defaced. Out of these, 52.5% of websites were on the .in domain, followed by the .com domain. Figure 3 shows the percentage distribution of defaced sites in top level domains (TLDs).

Figure 3: % Distribution of Defaced Domains (TLDs)

Figure 4 shows the percentage distribution within the .in domain (ccTLDs). Of the 1309 defaced websites, 69% were on the .in domain and the remainder on .co.in and other domains.

Figure 4: % Distribution of Defaced Domains (ccTLDs)

3. Hacker wise Defacements

3.1 Top Defacers (TLDs)

1. Muslim Liberation Army

Table 1: Top Defacers, TLD wise

3.2 Top Defacers (ccTLDs)

Table 2: Top Defacers, ccTLD wise

3.3 Details of Mass Defacements, March 2012

No. / IP / ISP Name / Location / Defacer / OS and Web Server

1. IP: 174.37.211.193; ISP: SOFTLAYER; location: US; defacer: Muslim Liberation Army; OS/web server: Windows 2003 / IIS 6.0
2. IP: 118.67.248.123; ISP: NET4INDIA; location: IN; defacer: Hmei7; OS: Windows 2008
3. IP: 208.43.91.92; ISP: SOFTLAYER; location: US
5. IP: 98.131.154.2; location: US

4.1 Most Targeted Networks

It has been observed that most (78%) of the Indian websites defaced were hosted

Figure 5: Defaced website hosting country-wise

CONFIDENTIAL

CERT-In Defacements Summary March 2012

5. Attack Trends

5.1 Attack Methodologies

Attack methodologies which are generally used to deface a website are:

• Attacks against the administrator/user (password stealing/ sniffing)

• Shared mis-configurations

• File Inclusion

• SQL Injection

• Web shell uploading

• Access credentials through Man in the Middle attack

• FTP Server Intrusion

• Web Server Intrusion

• DNS attack through cache poisoning

• Remote administrative panel access through brute forcing

• SSH server Intrusion

• RPC Server intrusion

• Telnet Server intrusion

5.2 Vulnerabilities

The vulnerabilities which are largely exploited for the defacements are:

• XSS vulnerability in D-Mack Media Currency Converter module in Joomla! (CVE-2012-1018)

• SQL injection vulnerability in the JS Calendar component for Joomla! (CVE-2010-4795)

• SQL injection vulnerability in the Maian Media Silver component for Joomla! (CVE-2010-4739)

• Multiple cross-site scripting (XSS) vulnerabilities in Joomla! (CVE-2011-2710, CVE-2011-2509)

• Cross-site scripting (XSS) vulnerability in the Petition Node module for Drupal (CVE-2011-4560)

• SQL injection vulnerability in Drupal Translation Management module 6.x before 6.x-1.21 (CVE-2011-1663)

• Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin (CVE-2012-0914)

• Authentication bypass vulnerability in phpMyAdmin (CVE-2010-4481)

• Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (CIVN-2011-0152)


• Multiple Vulnerabilities in Microsoft products Windows Server 2008, 2003 & Windows Vista (CIAD-2010-0064)

• Apache Tomcat HTTP DIGEST Authentication Vulnerability (CIVN-2011-0169)

6. Suggested Countermeasures

• Apply appropriate updates/patches at the OS and application level regularly.

• Validate and sanitize all user input, and present error messages that reveal little or no useful information to the user, to prevent SQL injection attacks.

• Enable and maintain logs of different devices and servers and maintain the same for all the levels.

• Conduct auditing of the web application and the configuration settings of the web server periodically.

• Periodically check the web server directories for any malicious/unknown web shell files and remove them as and when noticed.

• Use an application firewall to control input, output, and/or access to the web application.

• Install a good antivirus and keep it updated and running.

• The following CERT-In security guidelines may be referred to:

Web Server Security Guidelines: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guideline CISG-2004-04

Securing IIS 7.0 Web Server Guidelines: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guides CISGu-2010-01

Guidelines for Auditing and Logging: http://www.cert-in.org.in/s2cMainServlet?pageid=GUIDLNVIEW02&refcode=Guideline CISG-2008-01
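The periodic check of web server directories for unknown web shell files recommended above can be done as a comparison against a hash baseline taken at deployment time. The following is an added example, not part of the CERT-In report or of any CERT-In tool; it assumes a PHP web root, and the sample files and indicator patterns are constructed for illustration.

```python
import hashlib
import os
import re

# Constructed indicator patterns (assumption: a PHP web root): a dangerous
# call fed straight from request input, or eval() of an obfuscated payload.
SHELL_PATTERNS = [
    re.compile(rb"\b(eval|assert|system|passthru|shell_exec|exec|popen)"
               rb"\s*\(.*?\$_(GET|POST|REQUEST|COOKIE)\b", re.S),
    re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
]
PHP_EXT = (".php", ".phtml", ".php5")

def build_baseline(files):
    """Hash a known-good deployment once, right after release."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def check_webroot(files, baseline):
    """Return (new, modified, suspicious): files absent from the baseline,
    files whose hash changed, and PHP files matching a shell indicator."""
    new, modified, suspicious = [], [], []
    for path, data in sorted(files.items()):
        if path not in baseline:
            new.append(path)
        elif baseline[path] != hashlib.sha256(data).hexdigest():
            modified.append(path)
        if path.endswith(PHP_EXT) and any(p.search(data) for p in SHELL_PATTERNS):
            suspicious.append(path)
    return new, modified, suspicious

def read_tree(webroot):
    """Load every file below webroot (relative path -> bytes) for check_webroot."""
    out = {}
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                out[os.path.relpath(full, webroot)] = fh.read()
    return out

# Constructed sample: the deployment as released, and a later snapshot in
# which one file was tampered with and a shell was dropped into images/.
RELEASED = {
    "index.php": b"<?php echo 'Welcome'; ?>",
    "lib/db.php": b"<?php $c = mysqli_connect('db', 'app', 'x'); ?>",
}
SNAPSHOT = dict(RELEASED)
SNAPSHOT["lib/db.php"] += b"\n<?php eval(base64_decode($_POST['c'])); ?>"
SNAPSHOT["images/c99.php"] = b"<?php system($_GET['cmd']); ?>"
```

Any file reported as new or modified under a web root that is not meant to change should be reviewed even when no indicator fires, since the patterns only catch common shell constructs.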
