Web Site Warning: Defacement Contest Sunday

The winner of the Web site defacement challenge will be the one who defaces the most sites within the six-hour time limit.

Crackers and low-level online vandals are planning some post-Independence Day fireworks this weekend with a so-called Web site defacement challenge. The goal is for participants to deface as many sites as possible within the six-hour time limit.

Some government organizations have issued warnings to their constituent agencies, cautioning them about the contest and urging them to ensure that their Web servers are secured. The New York State Office of Cyber Security and Critical Infrastructure Coordination implored state agencies to take simple steps such as changing default passwords, removing unused sample applications from production servers and backing up their Web servers.

Internet Security Systems Inc. on Wednesday sent out a bulletin about the contest that said the companys X-Force research team has seen increased levels of reconnaissance-type scans on Web servers, presumably from participants scouting vulnerable servers for the contest. The competition is set to begin Sunday, and the winner will be the first person or team to deface 6,000 sites, or whoever has defaced the most sites within the time limit if no one reaches 6,000.

A further list of rules is laid out on a rudimentary Web site that advertises the contest in miserable, sometimes indecipherable English. There is also a version of the site in Portuguese, which might indicate the organizers of the event are members of the extremely active Brazilian hacking scene.

Participants will be awarded points based on the operating system running on the Web servers they deface. Windows machines get just one point, while the less common HP-UX and Macintosh systems are awarded the maximum of five points.

These kinds of contests among crackers are not uncommon, but the potentially huge scope and public advertisement of the defacement challenge make it somewhat unusual.