Tracking Hacked Websites

A lot of website defacements leave the signature of the attacker. Whether it's the Syrian Electronic Army or a lone individual, they like leaving a message to get credit for their successful attack.

One thing they tend to have in common though is that they start their signature with "Hacked by". That makes it very easy to find hacked websites with Shodan using the http.title search filter:

Based on this information there are roughly 2,000 websites that have been compromised recently and advertise it using the string "Hacked by". Unsurprisingly, the majority of the compromised websites are running on port 80 (HTTP):

Interestingly, a huge chunk of the compromised websites are located on a single hosting provider:

The Ecommerce Corporation accounts for ~10% of the "hacked by" results in Shodan. Almost all servers are running Apache and PHP, though they're not all on the same version. Their website talks about helping businesses grow and doesn't immediately discuss hosting, but the About page does mention their affiliation with IX Web Hosting. Whatever they're doing, they are configuring their systems in a way that appears to make them a big target for defacements.

To get a closer look at who is compromising these websites we can download the data using the Shodan command-line interface:

$ shodan download --limit -1 hacked 'http.title:"hacked by"'

This saves the results into a file called hacked.json.gz. At this point, we want to extract the http.title field from the banners, grab the name of the person or group that is taking credit and then count how many websites they've defaced.

$ shodan parse --fields http.title hacked.json.gz |  # Extract the HTTP title from the banners
    grep -i "hacked by" |                            # Keep only titles that contain the exact words "hacked by"
    sed -e 's/.*hacked by//I' |                      # Drop everything up to and including "hacked by", leaving the name
    sort |
    uniq -c |
    sort -nr |
    head -10                                         # Get the top 10 people that have defaced websites

The shodan parse command extracts the http.title information out of the banners, which are then filtered using grep to ensure only websites that contain "hacked by" in that order get further analyzed. Then we strip out everything up to and including the "hacked by" string using sed (the I flag makes the match case-insensitive; GNU sed also accepts a lowercase i, BSD sed on macOS does not), thereby creating a list of attacker names. That list is then sorted, the uniques are counted, sorted by number of occurrences and finally the top 10 results get printed to the terminal. Note that the comments have to follow the pipe symbol on each line: a comment placed after a trailing backslash would break the command, because the shell would treat the backslash-escaped space as an argument. And with that we can present the Top 10 Website Defacers:

  1. AnonymousFox: 122
  2. GX40: 54
  3. Dead Haxor >> <<: 45
  4. GHoST61: 31
  5. ReKaN Err0r: 24
  6. TheWayEnd: 22
  7. D.R.S Dz Team: 16
  8. Ayyıldız Tim ...: 16
  9. ZeDaN-Mrx: 13
  10. virus3033: 12

Note that we only counted exact strings, i.e. if the attacker mis-spelled their name (ex. Elmaghiribi vs Elmaghribi), used different capitalization or has several variations (ex. muhmademad vs MuhmadEmad), then they would get counted separately, because the final sort and uniq -c steps are case-sensitive even though the grep and sed steps are not.
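As an added example (not code from the original post or from the Shodan project), here is a Python version of the same analysis that reads hacked.json.gz directly instead of going through shodan parse. It assumes the file is what shodan download writes, one JSON banner per line, gzip-compressed, with the title under banner["http"]["title"] (the same field the dotted http.title name refers to). It goes one step beyond the shell pipeline by folding case and whitespace before counting, so that variants like "AnonymousFox" and "anonymousfox" are merged, while keeping the raw spellings so you can see what was merged. The sample banners embedded in the script are constructed for the example and are not real Shodan results.

```python
import collections
import gzip
import json
import os
import re
import tempfile

# Constructed sample banners in the shape "shodan download" writes: one JSON
# object per line, gzip-compressed. These records are made up for this example
# and are not real Shodan results.
SAMPLE_BANNERS = [
    {"ip_str": "192.0.2.10", "port": 80, "http": {"title": "Hacked By AnonymousFox"}},
    {"ip_str": "192.0.2.11", "port": 80, "http": {"title": "Site hacked by anonymousfox"}},
    {"ip_str": "192.0.2.12", "port": 443, "http": {"title": "HACKED BY   GX40 "}},
    {"ip_str": "192.0.2.13", "port": 80, "http": {"title": "hacked by GX40"}},
    {"ip_str": "192.0.2.14", "port": 8080, "http": {"title": "Welcome to my site"}},
    {"ip_str": "192.0.2.15", "port": 80, "http": {"title": "Hacked by"}},  # marker but no name
    {"ip_str": "192.0.2.16", "port": 80, "http": {}},                      # no title at all
    {"ip_str": "192.0.2.17", "port": 22},                                  # not an HTTP banner
]

# The greedy leading ".*" keeps only what follows the LAST "hacked by", which
# is exactly what the sed expression 's/.*hacked by//I' in the pipeline does.
HACKED_BY = re.compile(r".*hacked\s+by\s*(.*)", re.IGNORECASE | re.DOTALL)


def extract_defacer(title):
    """Return the name after 'hacked by' in an HTTP title, or None if absent/empty."""
    m = HACKED_BY.search(title)
    if not m:
        return None
    return m.group(1).strip() or None


def normalize_name(name):
    """Fold case and collapse internal whitespace so spelling-identical variants
    merge. Genuine misspellings (Elmaghiribi vs Elmaghribi) are deliberately
    left alone; merging those needs a human decision, not a regex."""
    return " ".join(name.split()).casefold()


def iter_banners(path):
    """Yield banner dicts from a gzip-compressed JSON-lines file."""
    with gzip.open(path, "rt", encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if line:
                yield json.loads(line)


def count_defacers(banners, normalize=True):
    """Return (Counter of defacer -> count, dict of defacer -> raw spellings seen)."""
    counts = collections.Counter()
    spellings = collections.defaultdict(set)
    for banner in banners:
        title = (banner.get("http") or {}).get("title")
        if not title:
            continue
        name = extract_defacer(title)
        if name is None:
            continue
        key = normalize_name(name) if normalize else name
        counts[key] += 1
        spellings[key].add(name)
    return counts, dict(spellings)


def top_defacers(path, n=10, normalize=True):
    """Top-n defacers from a shodan download file, plus the spellings merged per name."""
    counts, spellings = count_defacers(iter_banners(path), normalize)
    return counts.most_common(n), spellings


def run_on_sample(normalize=True):
    """Write SAMPLE_BANNERS to a temporary .json.gz and analyze it."""
    fd, path = tempfile.mkstemp(suffix=".json.gz")
    os.close(fd)
    try:
        with gzip.open(path, "wt", encoding="utf-8") as fh:
            for banner in SAMPLE_BANNERS:
                fh.write(json.dumps(banner) + "\n")
        return top_defacers(path, normalize=normalize)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # Usage: python defacers.py hacked.json.gz   (no argument runs the sample data)
    if len(sys.argv) > 1:
        top, spellings = top_defacers(sys.argv[1])
    else:
        top, spellings = run_on_sample()
    for rank, (name, count) in enumerate(top, 1):
        variants = sorted(spellings[name])
        note = "" if len(variants) == 1 else "  (merged: %s)" % ", ".join(variants)
        print("%2d. %s: %d%s" % (rank, name, count, note))
```

Run it against the real download with python defacers.py hacked.json.gz; the "merged" note on each line shows which raw spellings were folded together, so you can spot false merges. Passing normalize=False to top_defacers reproduces the shell pipeline's exact-string counting.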

Finally, here's a short video that wraps up everything we did above: