1. Introduction
This paper is an extension to the earlier white paper “Analysis of Defaced Indian websites under .in ccTLD” [Ref 1]. While the earlier analysis considered all defaced .in ccTLD records from 1998 onwards, this analysis has been done using the .in ccTLD defacement records for the year 2004.
In this analysis, emphasis has been placed on the defacement trends of the year 2004, without the trend being influenced by the defacement statistics of earlier years.
The data used in this analysis has been collected primarily from two defacement mirrors: zone-h [Ref. 2] and delta5 [Ref. 3].

2. Distribution of defaced domains by second level ccTLD
Fig 1
| Domain | .co.in | .gov.in | .ac.in | .ernet.in | .nic.in | .net.in | .org.in | .res.in | .mil.in | .spectrum.in |
|---|---|---|---|---|---|---|---|---|---|---|
| Number | 89 | 45 | 29 | 2 | 3 | 2 | 7 | 1 | 3 | 1 |
| Percentage of the total defacements | 48.90 | 24.73 | 15.93 | 1.10 | 1.65 | 1.10 | 3.85 | 0.55 | 1.65 | 0.55 |

The trend observed in the previous analysis was repeated in 2004, with the .co.in domain having the highest number of defacements among the second-level domains. It accounted for more than 48% of the total defacements, almost twice the number of .gov.in sites defaced in 2004.

3. Defacements Time distribution
3.1. Defacements by year
On analyzing the defacement statistics over the years, it was observed that, though there was a steep decline in defacements after 2001, the number of sites defaced grew during the past three years. The total number of sites defaced in 2004 was 182, compared to 131 in 2003.
| | 1998 | 1999 | 2000 | 2001 | 2002 | 2003 | 2004 |
|---|---|---|---|---|---|---|---|
| Sites defaced | 1 | 4 | 75 | 219 | 121 | 131 | 182 |
| Percentage of total defaced sites | 0.14 | 0.55 | 10.23 | 29.88 | 16.51 | 17.87 | 24.83 |

Fig 3: .in defacements Year wise

| | 1998 | 1999 | 2000 | 2001 | 2002 | 2003 | 2004 |
|---|---|---|---|---|---|---|---|
| Sites defaced | 0 | 1 | 7 | 11 | 22 | 43 | 45 |
| Percentage of total defaced sites | 0 | 0.78 | 5.43 | 8.53 | 17.05 | 33.33 | 34.88 |

Fig 4: .gov.in defacements Year wise
A growth in defacements of .gov.in domains was also observed over the years, though the increase in 2004 from 2003 was marginal.
3.2. Defacements by month
Fig. 5 details the month-wise defacements. February had the highest number of defacements, while May had the lowest.
Fig 5: .in defacements Month wise
3.3. Highest Defacements in a single day
The highest number of defacements of .in ccTLD sites occurred on 5th February 2004. There were 27 defacements on that day.
| | Date | Defacements |
|---|---|---|
| 1 | 5/2/2004 | 27 |
| 2 | 1/2/2004 | 15 |
| 3 | 23/10/2004 | 15 |
| 4 | 19/12/2004 | 12 |
| 5 | 30/6/2004 | 10 |

Fig 6: .in defacements
This was the result of a mass defacement on the NET4 network. Some of the sites defaced on 5th February were rpcb.gov.in, atimysore.gov.in, sonatech.ac.in, psgim.ac.in, jnec.ac.in, stellar.co.in and vdc.co.in.
The second highest number of defacements on a single day occurred on 1st February, when there were 15 defacements.
| | Date | Defacements |
|---|---|---|
| 1 | 30/06/2004 | 10 |
| 2 | 6/2/2004 | 3 |
| 3 | 5/2/2004 | 2 |
| 4 | 9/6/2004 | 2 |
| 5 | 10/8/2004 | 2 |

Fig 7: .gov.in defacements
The highest number of defacements of .gov.in sites in a single day occurred on 30th June 2004, when 10 sites were defaced. Some of the sites defaced were newsletter.gujarat.gov.in, bisag.gujarat.gov.in and btm.gujarat.gov.in. In fact, all the sites defaced were under the .gujarat.gov.in domain and were hosted on the GNFC network.

4. Hacker wise defacements: .in ccTLD
Top Hackers, % of defacement
The group Command Tribulation (said to be Brazilian) defaced the largest number of .in ccTLD sites in the year 2004. They were responsible for around 11% of the total .in ccTLD sites defaced in 2004. The other top defacers were AIC, TimeOut, Fatal Error and HBT. Some of the top hackers in the previous analysis ('silver lords', 'GForce', 'FBH' etc.) do not appear in the top hackers list of 2004.
The break-up of the .in ccTLD sites defaced by the top ten hacker groups is shown in fig. 8.
| Defacer | Number of defacements | Percentage of total .in ccTLD defacements |
|---|---|---|
| Command Tribulation | 21 | 11.54 |
| AIC | 18 | 9.89 |
| TimeOut | 17 | 9.34 |
| Fatal Error | 13 | 7.14 |
| Kernel_Attack | 13 | 7.14 |
| H.B.T | 9 | 4.95 |
| Powhack | 8 | 4.40 |
| DaemonOptik | 7 | 3.85 |
| GhostIRC | 4 | 2.20 |
| Moroccan GanGsters | 4 | 2.20 |

Fig 8: .in defacements hacker wise
The group Fatal Error has the highest number of defacements for the .gov.in domain, as shown in fig. 9.
| Defacer | Number of defacements | Percentage of total .gov.in defacements |
|---|---|---|
| Fatal Error | 13 | 28.89 |
| GhostIRC | 4 | 8.89 |
| DarkBicho | 3 | 6.67 |
| powHacK | 3 | 6.67 |
| H.B.T | 2 | 4.44 |
| HMB | 2 | 4.44 |
| ION | 2 | 4.44 |
| Moroccan GanGsters | 2 | 4.44 |

Fig 9: .gov.in defacements hacker wise

5. Defacement by domain and Network
5.1. Most targeted network
The NET4 network had the highest number of defacements, as shown in fig. 10. It had 59 defacements, comprising more than 30% of the total .in ccTLD defacements of the year 2004.
| Network | Number of defacements | Percentage of total defacements |
|---|---|---|
| NET4 | 59 | 32.42 |
| VSNL IN | 18 | 9.89 |
| VASNET AP | 14 | 7.69 |
| GNFC | 10 | 5.49 |
| TXFER FAST USLEC BLK 3 | 10 | 5.49 |
| PEER1 IDIGITAL 05 | 5 | 2.75 |
| BSNLNET | 4 | 2.20 |
| NICNET | 4 | 2.20 |

Fig 10: .in defacements by network
5.2. Most Defaced IP
The top 10 defaced IPs are shown in fig 11. The list includes mass defacements. Here too, NET4 appears four times in the list of most defaced IPs.
| No. | IP | Defacements | Network | Some domains defaced |
|---|---|---|---|---|
| 1 | 202.71.129.55 | 23 | NET4 | ecrtenders.gov.in, stellar.co.in |
| 2 | 202.4.160.9 | 14 | VASNET-AP | mim.ac.in, staloysius.ac.in |
| 3 | 202.71.130.9 | 12 | NET4 | rmrc.res.in, aiht.ac.in |
| 4 | 203.163.160.35 | 10 | GNFC | gujarat.gov.in, gidc.gov.in |
| 5 | 202.71.129.116 | 9 | NET4 | rpcb.gov.in, atimysore.gov.in |
| 6 | 203.200.89.84 | 7 | VSNL | mirandahouse.ac.in, davim.ac.in |
| 7 | 202.71.144.146 | 6 | NET4 | caddcentre.co.in |
| 8 | 203.197.88.12 | 5 | VSNL | www.ikf.co.in |
| 9 | 202.146.192.145 | 4 | Spectrum | www.spectrum.net.in, www.cepihrd.ac.in |
| 10 | 207.106.22.27 | 4 | USLC | rajasthan.gov.in, dop.rajasthan.gov.in |

Fig. 11 : .in defacements by IP
5.3. Defacement by Hosting Country
Fig 12 details the countries in which the defaced .in websites were hosted. 144 of the .in sites were hosted in India, while 30 sites were hosted in the US, 5 in Canada and 1 each in Belgium, Australia and Great Britain.
Fig 12: .in defacements by hosting country
Fig 13 shows the country-wise hosting details of the .gov.in sites. Several .gov.in sites hosted abroad have been defaced.

Fig 13: .gov.in defacements by hosting country

6. Hosting Platform
Fig 14 details the hosting platforms on which .in sites were hosted. Though the worldwide defacement trends [Ref 5] indicate a higher level of defacements on the Linux family of servers in the period Jan 2003 – Jan 2004, the statistics indicate that Windows 2000 had the highest number of defacements for the .in ccTLD. However, the statistics may have been influenced by the deployment ratio of the two families of servers in the Indian ccTLD context. The statistics could also indicate the wide use of Windows 2000 as a hosting platform even a year after the release of Windows 2003.

Fig 14: .in defacements by platform
Fig 15 details the Web Server platforms on which .in sites were hosted.

Fig 15: .in defacements by Web Server
Fig 16 details the hosting platforms on which .gov.in sites were hosted.

Fig 16: .gov.in defacements by platform

7. Errata
The data has been collected from various defacement mirrors [Ref. 2] [Ref. 3] and the accuracy of this analysis is thus dependent on the data available on these defacement mirrors.
8. References
1. Analysis of Defaced Indian websites under .in ccTLD, www.cert-in.org.in/knowledgebase/whitepapers/CIWP-2004-01.pdf
2. www.zone-h.org
3. mirror.delta5.com.br
4. www.dnsstuff.com
