Let me start off by saying that I know this deface is a surprise to absolutely nobody. It doesn’t necessarily warrant the attention I gave it, but it’s a neat exercise that taught me a few things about the culture surrounding defacements and gave me some neat ideas for future research.

The deface is simple enough. The attackers uploaded two images and blacked out the rest of the page. They added the standard “lol u got owned” bit at the bottom of the page and went off to run automated attack tools against some other sites.

So, what do we have to look at?

What I really found interesting (and what dragged me down this rabbit hole) is that there was EXIF data in “we_resist.jpg” that indicates that it was created in 2015 in Adobe Photoshop CS6. The image below it featuring Donald Trump (1.jpg) didn’t have any such data. Seeing that almost every major image hosting site and social media site removes this data, this was an interesting anomaly.

Just interesting enough to warrant some digging.

After a short bit of googling, things started falling into place. Searching for the image name turned up a site izumino.jp. Luckily for me, Izumino.jp is focused on collecting relevant metadata about defacements, so it returned a hit on the image name in the source code of a previous defacement that I otherwise would never be able to find.

The image was originally uploaded to an Persian-language image hosting site Picofile, where it can still be found (http://s6.picofile.com/file/8223803084/we_resist.jpg) The image was first used in a breach indexed 2015–12–02 against the supersexshop[dot]com[dot]br and a number of times after in the month of December on different, equally opportunistic defaces.

These defaces were reported to the defacement leaderboard known as Zone-H by IRAN-CYBER who have some 2.447 defacement “notifications” in their name, reaching back to late 2015. There’s a whole lot of interesting stuff to unpack there too, but that’s for another blog post. It’s worth noting that nobody claimed the FDLP defacement on Zone-H as of this blog post, even though IRAN-CYBER has remained active on the site in recent months.

History of FDLP.gov

Dating back to the first Wayback Machine snapshot in 2008, FDLP.gov has always been a Joomla site. There’s been code modified throughout the years, a template change in 2014, and plugins have came and went. However, when looking at the source code from the most recent snapshot before the defacement, it appears that many plugins (like MooTools) and external dependencies (like Bootstrap) hadn’t been updated since some time in 2012, based on copyright strings and release dates of version numbers. This makes sense because this Joomla tire fire has been defaced before back in… May 2012!

Deface. Patch. Deface. Patch

… and again on August 6th, 2014. The in the Internet Archive article about the defacement it’s attributed to “SoWa BeZ OkA — which translates from Polish into ’Owl without an eye.’”

thanks to @tkpsf for the tip on this one

Attack Surface

Since we’ve established that much of the code on the site hadn’t been updated since 2012, let’s look at what we could glean from the source related to plugins and components. Browsing through two pages we find these paths that stand out.

media/com_rsform

media/com_hikashop

media/mod_rsseventspro_upcoming

modules/mod_djmegamenu

plugins/system/maximenuckmobile

Okay, these could all be interesting. However, one of them is literally built to publicly accept and process user inputs… So let’s start with RSForm.

I first noticed it on the page fdlp.gov/collection-tools/claims that first appeared in March of 2014. The note at the end there suggest it’s RSForm 1.4 r48 and that makes sense looking at the dates in the RSForm changelogs.

A quick search reveals this RSForm vulnerability less than half a year old reported by KingSkrupellos (who has Zone-H score of 4,172 notifications, for those keeping track at home.) A SQLi and RFI claiming to be for RSForm 1.5, but I’d be willing to bet it’s also applicable to our slightly older version as well.

Outro

I’m at the point where if I write any more I’ll have to take the word BRIEF out of the title of this article. This is my first actual security-related blog, so feedback is appreciated. You can find me at @sshell_ on Twitter, and look out for new season of @ThugCrowd coming soon!

Thanks for reading, friends.