CSP-CERT® Resources:
Security Advisory Series – Defacement Pages in the PH Domain

by CSP-CERT® Red Team
posted July 2018

Website defacement is an attack in which the contents of a website are altered by exploiting a vulnerability in that website. It is a form of cyber vandalism used to convey messages to the visitors and owners of the website.

Defacements are usually done by replacing a vulnerable website’s homepage, so that the defacement is the first thing shown when the domain is visited. Some are done instead by creating a separate page, or simply by injecting content anywhere on the website. The content can be a message mocking the site’s security, or a politically motivated message, the latter usually the work of hacktivists. These threat agents are not usually shy about including their pseudonyms and disposable contact details on the defacement pages.

Some defacements are hidden in plain sight, placed there simply to test whether the administrators or owners can find them, that is, whether anyone is monitoring the website.

How do they do this? Everything usually starts from a motive. Then, with the help of search engines such as Google, threat agents look for targets they can exploit through SQL injection, brute force, zero-day exploits and many other means, with a particular end goal: uploading shell code to gain root access on the server, so that they can upload their defacement pages and maintain access to the website.

Using the same search method threat agents use to find their targets, we found and verified live defacement pages in the .PH domain; as of this writing, 71 defacement pages are still accessible to anyone who finds them.

As seen in the chart above, most of the defacement pages found were hosted on websites owned by private entities, with a mixture of local and international threat agents having left their marks on these sites. The numbers spike when political issues or events trigger hacktivists to express their stance on what has transpired.

One thing is for sure: a website defacement is proof of a vulnerable website. If your site has been defaced, or is defaced in the future, make sure you identify the entry point or vulnerability, remediate or mitigate it, and remove any backdoors or shell code left behind.
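The cheapest way to notice a defacement (including one hidden in plain sight, as described above) or a dropped web shell is to keep a hash baseline of the web root and diff it on a schedule. The script below is an added example written for this advisory, not CSP-CERT’s own tooling: it builds a SHA-256 manifest of a directory, compares a later snapshot against the baseline, and flags two constructed indicators, a replaced landing page and a new script file appearing in an upload-style folder. The extension list, folder names and the `demo()` fixture are assumptions chosen for illustration; tune them to your own stack.

```python
"""
File-integrity check for a web root (added example, not CSP-CERT code).

Baseline the SHA-256 of every file, then compare a later snapshot to catch
replaced pages (defacement) and newly dropped files (web shells/backdoors).
"""
import hashlib
import os
import tempfile

# Script types that normally should not appear in user-writable folders.
# Constructed list for illustration; adjust to the technologies you run.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx", ".cgi", ".pl"}
# Folder names treated as "upload-like" (assumption; match your own layout).
UPLOAD_DIR_HINTS = ("uploads", "tmp", "cache", "images")


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_suspicious(changes):
    """Return (reason, path) pairs for the two indicators this example checks."""
    flags = []
    # A new script file inside an upload-like folder is the classic dropped shell.
    for path in changes["added"]:
        ext = os.path.splitext(path)[1].lower()
        folders = path.lower().split("/")[:-1]
        if ext in SCRIPT_EXTENSIONS and any(f in UPLOAD_DIR_HINTS for f in folders):
            flags.append(("possible web shell", path))
    # A changed index.* outside a deployment window is the classic defacement.
    for path in changes["modified"]:
        if os.path.basename(path).lower().startswith("index."):
            flags.append(("landing page replaced", path))
    return flags


def demo():
    """Simulate a baseline, then a defacement and a dropped file, in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Welcome</h1>")
        with open(os.path.join(root, "uploads", "logo.png"), "wb") as f:
            f.write(b"\x89PNG constructed sample")
        baseline = build_manifest(root)

        # Constructed compromise: homepage replaced, script dropped in uploads.
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Defaced (constructed sample)</h1>")
        with open(os.path.join(root, "uploads", "x.php"), "w") as f:
            f.write("<?php /* placeholder file, not a real shell */ ?>")
        current = build_manifest(root)

        changes = diff_manifests(baseline, current)
        return changes, flag_suspicious(changes)


if __name__ == "__main__":
    changes, flags = demo()
    print(changes)
    for reason, path in flags:
        print(f"ALERT: {reason}: {path}")
```

In practice, store the baseline manifest off the web server (a compromised host can rewrite its own baseline), regenerate it only as part of a deployment, and treat any unexplained `added` or `modified` entry as the starting point for finding the entry point the advisory tells you to identify.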