Brief Analysis of the Deface


Let me start off by saying that I know this deface is a surprise to absolutely nobody. It doesn’t necessarily warrant the attention I gave it, but it’s a neat exercise that taught me a few things about the culture surrounding defacements and gave me some neat ideas for future research.

The deface is simple enough. The attackers uploaded two images and blacked out the rest of the page. They added the standard “lol u got owned” bit at the bottom of the page and went off to run automated attack tools against some other sites.

So, what do we have to look at?

What I really found interesting (and what dragged me down this rabbit hole) is that there was EXIF data in “we_resist.jpg” that indicates that it was created in 2015 in Adobe Photoshop CS6. The image below it featuring Donald Trump (1.jpg) didn’t have any such data. Seeing that almost every major image hosting site and social media site removes this data, this was an interesting anomaly.

Just interesting enough to warrant some digging.
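
To repeat the metadata check described above without an online viewer, here is an added example (not code from the original post) that reads the Software and DateTime tags from a JPEG's Exif APP1 segment using only the Python standard library. `build_sample` and the values passed to it are constructed for illustration; they are not the data recovered from we_resist.jpg.

```python
import struct

TAGS = {0x0131: "Software", 0x0132: "DateTime"}  # IFD0 tags of interest

def exif_tiff(jpeg):
    """Walk JPEG segments; return the TIFF block of the Exif APP1, else None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # end of image / start of scan data
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and body.startswith(b"Exif\x00\x00"):
            return body[6:]
        pos += 2 + length
    return None

def image_metadata(jpeg):
    """Return the Software/DateTime strings present in IFD0, if any."""
    tiff = exif_tiff(jpeg)
    if tiff is None:
        return {}  # no Exif segment, e.g. stripped by a hosting site
    end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if end is None or struct.unpack(end + "H", tiff[2:4])[0] != 42:
        raise ValueError("bad TIFF header")
    (ifd,) = struct.unpack(end + "I", tiff[4:8])
    (count,) = struct.unpack(end + "H", tiff[ifd:ifd + 2])
    found = {}
    for i in range(count):
        entry = tiff[ifd + 2 + 12 * i:ifd + 14 + 12 * i]
        tag, typ, n = struct.unpack(end + "HHI", entry[:8])
        if tag in TAGS and typ == 2:  # type 2 = NUL-terminated ASCII
            (off,) = struct.unpack(end + "I", entry[8:12])
            raw = entry[8:8 + n] if n <= 4 else tiff[off:off + n]
            found[TAGS[tag]] = raw.rstrip(b"\x00").decode("ascii", "replace")
    return found

def build_sample(software, when):
    """Constructed JPEG shell: SOI + Exif APP1 (big-endian TIFF) + EOI."""
    s, d = software.encode() + b"\x00", when.encode() + b"\x00"
    base = 8 + 2 + 2 * 12 + 4  # header + count + two entries + next-IFD ptr
    ifd = struct.pack(">HHHIIHHIII", 2, 0x0131, 2, len(s), base,
                      0x0132, 2, len(d), base + len(s), 0)
    app1 = b"Exif\x00\x00MM" + struct.pack(">HI", 42, 8) + ifd + s + d
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

SAMPLE = build_sample("Adobe Photoshop CS6", "2015:01:01 00:00:00")  # constructed
```

An empty result from `image_metadata` means the file carries no Exif segment, which is the expected state for an image that has passed through a site that strips metadata.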

After a short bit of googling, things started falling into place. Searching for the image name turned up a site Luckily for me, is focused on collecting relevant metadata about defacements, so it returned a hit on the image name in the source code of a previous defacement that I otherwise would never be able to find.


The image was originally uploaded to a Persian-language image hosting site, Picofile, where it can still be found ( The image was first used in a breach indexed 2015-12-02 against supersexshop[dot]com[dot]br and a number of times after in the month of December on different, equally opportunistic defaces.

These defaces were reported to the defacement leaderboard known as Zone-H by IRAN-CYBER, who have some 2.447 defacement “notifications” in their name, reaching back to late 2015. There’s a whole lot of interesting stuff to unpack there too, but that’s for another blog post. It’s worth noting that nobody claimed the FDLP defacement on Zone-H as of this blog post, even though IRAN-CYBER has remained active on the site in recent months.

History of

Dating back to the first Wayback Machine snapshot in 2008, has always been a Joomla site. There’s been code modified throughout the years, a template change in 2014, and plugins have come and gone. However, when looking at the source code from the most recent snapshot before the defacement, it appears that many plugins (like MooTools) and external dependencies (like Bootstrap) hadn’t been updated since some time in 2012, based on copyright strings and release dates of version numbers. This makes sense because this Joomla tire fire has been defaced before back in… May 2012!

Deface. Patch. Deface. Patch

… and again on August 6th, 2014. In the Internet Archive article about the defacement, it’s attributed to “SoWa BeZ OkA — which translates from Polish into ’Owl without an eye.’”

Thanks to @tkpsf for the tip on this one.

Attack Surface

Since we’ve established that much of the code on the site hadn’t been updated since 2012, let’s look at what we could glean from the source related to plugins and components. Browsing through two pages we find these paths that stand out.


Okay, these could all be interesting. However, one of them is literally built to publicly accept and process user inputs… So let’s start with RSForm.

I first noticed it on the page that first appeared in March of 2014. The note at the end there suggests it’s RSForm 1.4 r48, and that makes sense looking at the dates in the RSForm changelogs.


A quick search reveals this RSForm vulnerability less than half a year old reported by KingSkrupellos (who has a Zone-H score of 4,172 notifications, for those keeping track at home). It’s a SQLi and RFI claiming to be for RSForm 1.5, but I’d be willing to bet it’s also applicable to our slightly older version as well.


I’m at the point where if I write any more I’ll have to take the word BRIEF out of the title of this article. This is my first actual security-related blog, so feedback is appreciated. You can find me at @sshell_ on Twitter, and look out for the new season of @ThugCrowd coming soon!

Thanks for reading, friends.

Quidquid latine dictum sit, altum videtur.
