Massive defacing of GoDaddy sites

Published 01 June 06 02:01 PM | Billy 

Last week saw the largest single attack in history against web applications. A Turkish defacer named Iskorpitx defaced over 21,000 websites in only a few hours. How did he accomplish this?

All of the sites that were defaced were hosted by a single provider, GoDaddy. In addition to cheap domain name registration, GoDaddy also offers hosting services. Customers receive space and bandwidth, as well as a few pages and scripts. It appears one of these supplied scripts didn’t properly validate its input. Experts speculate that the culprit was “gdform.asp”, which allows website visitors to email the website owner. This script would write the mail message to a temporary file. Iskorpitx exploited this vulnerability to inject input that changed where the mail message was written, pointing it at an HTML page. That HTML page contained the defaced content.
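As an added illustration of the pattern described above (this is not GoDaddy's script; the spool directory, form field names and function names are assumptions), here is a form-to-mail handler in Python showing the weak path construction beside a hardened one, plus a check that a computed path stays inside the directory the script is meant to write into:

```python
import re
import uuid
from pathlib import Path

# Hypothetical re-creation of the bug class in the post: a form-to-mail
# handler spools the visitor's message to a temporary file before sending it.
# Field names, the spool directory and function names are all assumptions.

SAFE_TAG = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # plain token, no path characters


def vulnerable_spool_path(spool_dir: Path, form: dict) -> Path:
    """Weak pattern: a form field names the spool file, so whatever the
    visitor submits decides where (and as what) the message text lands."""
    return spool_dir / form.get("spool_name", "message.txt")


def hardened_spool_path(spool_dir: Path, form: dict) -> Path:
    """The server picks the file name; the client value is validated and only
    used as a tag, the extension is fixed, and the result is checked to stay
    directly inside spool_dir."""
    tag = form.get("spool_name", "message")
    if not SAFE_TAG.fullmatch(tag):
        raise ValueError("spool_name must be a plain token")
    base = spool_dir.resolve()
    target = (base / f"{tag}-{uuid.uuid4().hex}.txt").resolve()
    if target.parent != base:
        raise ValueError("spool target escaped the spool directory")
    return target


def escapes_spool_dir(spool_dir: Path, target: Path) -> bool:
    """Review/triage check: does a computed path leave the spool directory?"""
    try:
        target.resolve().relative_to(spool_dir.resolve())
        return False
    except ValueError:
        return True


def spool_message(spool_dir: Path, form: dict) -> Path:
    """Write the message body using the hardened path (always a .txt file)."""
    target = hardened_spool_path(spool_dir, form)
    spool_dir.mkdir(parents=True, exist_ok=True)
    target.write_text(form.get("message", ""), encoding="utf-8")
    return target
```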

The moral of the story: Scripts that are supplied to you may contain vulnerabilities. You should turn off or remove those that you aren’t using. If you must use a shared script, look at the code yourself or do some Google searches to see if there are any known issues.


Comments

# The SPI laboratory said on October 29, 2007 11:15 AM:

When you pay someone to host your website, chances are your site isn’t running on a single box.


About Billy

Billy Hoffman is the lead researcher for SPI Labs.