?

Log in

No account? Create an account

Previous Entry | Next Entry

ecommerce.com: hacked by GHoST61

Last week, I was on a Web forum where someone taked about his Web site being defaced. He'd been running an insecure install of phpNUKE without keeping on top of security patches, and his site was taken down and replaced with a page reading "Hacked by GHoST61" and a picture of the first president of Turkey.

I did some investigating, and discovered that GHoST61 is a prolific Turkish hacker who defaces Web pages in a very characteristic way; he or she replaces the home page with the message "Hacked by GHoST61" and sometimes a picture of the Turkish president, sometimes a missive against the Iraqui war, and sometimes a combination of both.

GHoST61 generally strikes me as being more of a script kiddie than a serious, knowledgable hacker. A Google search for the phrase "Hacked by Goost61" currently turns up about 30,000 results, the majority of which look like sites running old, outdated, insecure installs of phpNUKE, Drupal, ZenCart, osCommerce, or other server apps with known security holes. The attacks are probably automated, with point-n-drool tools that search for known vulnerabilities in popular Web application and content management packages.

In other words, GHoST61, whoever he or she is, mostly goes after low-hanging fruit.

Mostly.

Just because it's what I do, I started wading through the Google results and checking to see where the hacked sites were hosted. And I found something of a surprise.

I checked several results, and found the majority of them were living on a single ISP, ecommerce.com (which does Web hosting under the names iX Web Hosting and WebHost.biz).

Curious, I kept digging, choosing random Google results to examine (in case the order of the Google results were determined by time, and the hacker just happened to be searching in IP space belonging to ecommerce.com recently). What I discovered was that the majority of hacked sites all across Google's results, by a large margin, were hosted in the same place.

The next thing I thought was that it could be simply a question of the ISP's size. After all, if the Web sites that had been defaced were spread out evenly across many ISPs, and one ISP hosted a million sites whereas another ISP hosted only ten thousand sites, I'd expect to see more hacked sites hosted on the larger ISP, right?

But this didn't hold water, either. The ISP ecommerce.com advertises that it hosts about 500,000 sites. Much larger Web hosting companies such as Peer 1 hosted a far smaller number of hacked sites.

So I started counting. I grabbed a bunch of Google results at random, looked to see who was hosting them, and recorded the results. Here's what I found (number of hacked sites on the vertical axis, Web hosting company on the horizontal axis):



It seems to me that ecommerce.com has a problem here. While GHoST61 will hack vulnerable Web sites with security holes no matter where they're hosted, there is a very, very large cluster of hacked sites living on ecommerce.com servers.

This may indicate that ecommerce.com doesn't enforce good security practices, or that ecommerce.com is slow to respond to hack attacks. Or it may indicate a more systemic problem at ecommerce.com, such as some sort of server-level vulnerability that allows easy penetration of many of their Web sites.

Whatever the problem, it definitely appears that ecommerce.com has some sort of issue here.


Comments

( 8 comments — Leave a comment )
gushi
May. 17th, 2010 09:04 am (UTC)
Ooh, and they're HIRING, asking for people who have experience with Redhat 7.3!!!!

mouser
May. 17th, 2010 11:28 am (UTC)
I's also possible that GHoST61 targeted ecommerce.com specifically, not just because it was easier.
fallingupthesky
May. 18th, 2010 12:17 am (UTC)
It's also possible that ecommerce's sites tend to appear high on google listings.
tacit
May. 18th, 2010 12:43 am (UTC)
Generally, they don't; the pagerank of a site and other factors weigh more than the ISP the site is hosted on (in fact, I don't think the ISP is factored in at all). Just to be sure, though, I took the sites I looked at from many pages of the results, not from the first page of results; these figures show 73 sites taken randomly from the first 22 pages of Google results.
jonnymoon
May. 18th, 2010 06:28 pm (UTC)
Just a snarky comment...seems that your graph would have looked better as a bar graph. This one reminds me so much of a process spread out over time instead of a list of many separate things.

But hey, FWIW, it's an intersting blog.
(Anonymous)
Nov. 13th, 2010 11:43 pm (UTC)
ghost61
Haha, at school the other day in my computer class we were logging onto our accounts, and our homepage on the school computers is the school website, and we opened up IE and our school homepage has been hacked by ghost61! :P
(Anonymous)
Dec. 18th, 2010 08:10 am (UTC)
The script kiddie has progressed
The "script kiddie" has moved it up a notch. A week ago s/he hacked my site and put in SEO poisoning files. For those who don't know what that is, do a little Google search; it is the most malicious, viscous, pointless kind of attack you can imagine.

I found another site that has listings of over 260 000 reports of attacks by GHoST61.

I wonder if hacking is addictive behaviour, like kleptomania? More of a disease than a profession...
illegalpress.wordpress.com
Jan. 12th, 2011 11:21 pm (UTC)
This post was pwned! ..ops, naked!
http://illegalpress.wordpress.com/2010/12/25/pwned_by_ghost61/
( 8 comments — Leave a comment )