Hackers get chance for their work to find place in history

PUBLISHED : Tuesday, 15 May, 2001, 12:00am
UPDATED : Tuesday, 15 May, 2001, 12:00am

For a street artist, the thrill of painting a wall and getting away with it is only part of the art. The other great source of inspiration is the knowledge that the paint is likely to be around for a long time and seen by many people.

Life is not so satisfying to the wired expressionist. The online equivalent to the spray-can graffiti artist, most Web defacers want nothing more than a bit of outlaw attention.

The trouble is, most defaced Web sites are repaired quickly, leaving nothing to show for the defacer's efforts.

The recent eruption of site defacements that followed the US spy plane incident was tagged as a cyberwar by the world's media. But this was a war with few visible casualties.

Reporters would hear of some hacking action, but by the time they found the site, the attackers have gone and the damage was repaired.

So the hacking community launched defacement mirrors to preserve their work. Now, when hackers wreck a Web site, the first thing they do is notify their favourite mirror, which diligently records the incident for the world to see.

Until recently, the only mirror worth visiting was the Attrition page (www.attrition.org).

Now in its seventh year online, the Attrition mirror is showing its age, but is still an excellent resource.

The basic mirror lists date, operating system, defacer, any special attributes, site's name, IP address and the actual mirror. To get the real value of Attrition, dig a little deeper. Under the statistics page, hacking incidents can be checked according to domain.

So, for example, a click on Hong Kong will show that Attrition has logged just 50 Hong Kong defacements in the past two years, the most recent being Teens Weekly, which was hacked last Thursday. This counts only hacks using the .hk domain.

Windows NT is identified as the most popular target for defacement artists, despite the fact that it runs less than 20 per cent of the world's Web servers. Of local defacements, 33 per cent involve NT boxes - 26 per cent below the global average.

While Attrition still leads the field, a group of European hackers based in Norway have launched a mirror that is far more intuitive. The Alldas.de defacement archive, at defaced.all

das.de, lists the basic elements - date, URL, archive, hacker, operating system and comment. To see the site's real functionality, you need to click on the listings.

Each entry has been hyperlinked to allow for pages to be called up according to the hacker's name, operating system or comment.

Each entry also offers a quick port scan of the victim's Web server, to show how the intruders got in.

Dutch mirror Safemode.org lacks frills but stays fairly well updated and offers a few functions such as a search form and port scans.

In honour of the recent hostilities, Safemode has published a page documenting sites defaced by the warring hackers. The page at http://www.safemode.org/

china-vs-us.html lists 360 hacked sites - far less than the two sides claimed - but still makes for an interesting visit.

During the cyberwar, Chinese hackers were unwilling to communicate with the overseas mirrors, so reports of assaults often went unnoticed.

Security site DanceFires.com has the biggest single archive of sites hacked by the Chinese side. At last count, the site detailed over a thousand incidents.

The archive reports the standard details - date, Web site address, hacker's handle, target system, description and the defaced page.

Unfortunately, it generally posts a screen shot of the hack rather than a replication. This means that any hack longer than one screen or deeper than one page will not be fully recorded.

A Brazilian group named Hiss (Hacker Internet Security Services) maintains another popular mirror site (defaced.hacker.com.br). The archive has been maintained for more than three years, and is the central point of a Portuguese site dedicated to security news and tools.

Hacks are recorded by date, URL, group and operating system. Drop-down menus allow browsing through defacements by operating system or hacker's nickname, or search by domain name.

All of the mentioned sites maintain e-mail alert lists, the best method of keeping a close watch on hacking incidents.

Graphic: hack15gwz