Hacker Releases Second Video of Enhanced XerXeS DoS Attack on Apache Vulnerability

Thursday, March 11, 2010

Anthony M. Freed


By Anthony M. Freed, Managing Editor for the Infosec Island Network, with Analysis of DoS Vulnerabilities by Michael Menefee, Principal at WireHead Security

There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly… The Jester

Infosec Island has once again gained exclusive access to a video demonstration of the XerXeS DoS attack recently developed by the infamous patriot-hacker known only as The Jester (th3j35t3r).

This new video shows a little more of the XerXeS dashboard, and reveals even more about the attack technique – watch the text box on the left as Jester mentions “Apache” for the first time outside of our private conversations.


As noted below in an analysis of DoS vulnerabilities by security consultant Michael Menefee, more than half of all the websites in the world use Apache, which means this exploit potentially poses a very serious problem should it ever be utilized by nefarious elements.

The weaknesses in Apache are fairly well known amongst the savvy tech elite, but only since The Jester came along with his non-distributed DoS attack have the unpatched vulnerabilities in Apache become the subject of much concern.

Should someone decide to use a tool like XerXeS in combination with a zombie army consisting of thousands of hijacked PCs, the implications for critical systems security could be extremely serious.

Q: Tell us what is different in this video from the first one you sent me?

Well, I produced this new video to keep people in the loop with the progress of Project XerXeS. As you can see XerXes can now affect multiple server flavors – some still more are under development. This time I dropped a Secured server which is supposed to have the Apache setup that is impervious to a XerXeS hit.

Q: Can you talk more about the Apache vulnerability exploit?

The Apache vulnerability you speak of is only the tip of the iceberg; Xerxes is also evolving to hit IIS - pretty easy by the way - a simple modification on the Apache vector is all, still in the experimental stages but works.

It's the backend databases that are really interesting; they hold much of the content that the HTTP server pushes out, so if you knock the database over it has the same effect as taking out the HTTP server.

The aim is to create a single cohesive attack platform that will knock out with precision and no side-effects anything it comes up against, for any specified period.

Another vector I am working to build into XerxeS is the ability to auto-inject code into a site's landing page that causes the viewer's browser to crash, no damage just hang up the browser, but disabling the site from the client-side instead of the server.

Q: One of our Members at the Infosec Island Network posed the question on a forum: Jester, whom do you serve?

I am quite clear on this. I 'serve' all the people who support my methods and want to make things difficult for the bad-guys.

At this time I am not officially funded, supported or otherwise sponsored in any way. I operate and develop this alone, and hope it is making a dent in the terrorists' efforts. The feedback I am receiving says that it is working: alemarah.info (the official Taliban Shadow Government Website) and ansarnet.info have been down for 2 weeks now, as a direct result of the pressure XerXeS exerted on the target.

Also on another Ansar site, its members have been forbidden from even mentioning the XerXeS attacks, so somebody is more than a little annoyed.

I know there are some that consider all this morally, socially and ethically wrong, not to mention unlawful - but there is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly.

Q: Many critics of your tactics still object based on the argument that you may be interfering with Western intelligence operations. Your retort?

The intelligence gathering argument is really starting to wear thin. I know the value of good intel, but it must be actionable. There is very limited actionable intel to be gleaned from most of these sites.

They serve only 2 purposes: 1) to recruit homegrown terrorists (by invitation no less), and 2) to waste our sec services teams' time trying to honey-trap them.

Why should we allow a site that actively recruits homegrown terrorists to operate, merely so it can be 'monitored' just in case we maybe get some intel? While we ‘monitor’ they are still going about the business of recruiting and coordinating.

And it's not like these servers are hosted on the moon! Most are hosted in the US and Europe. Why can't CT agencies just go after the hosting provider for this 'valuable intel'?

By knocking out the jihadi sites for random short periods, it causes them to be unable to rely on the site for recruitment, or co-ordination, this in turn will have the effect of drawing them out into the open and in person to do the recruiting, where the CT agencies really come into their own doing what they do best, which is intercepting and apprehending suspects.  It’s a joke…

Brief History of Modern Web Server Vulnerabilities by Michael Menefee, Principal at WireHead Security

Q:  Denial of Service (DDoS) attacks have been around for a long time, what is the difference between them and the attacks we are seeing today?

Michael Menefee:  In January, 2007, Adrian Ilarion Ciobanu posted a thread to securityfocus.com describing a potential DoS scenario against Apache web servers (http://www.securityfocus.com/archive/1/456339/30/0/threaded).

The basic premise to this attack is that by sending (but never fully completing) numerous requests to Apache, one could get the Apache process to consume all system resources and stop serving up the actual web content.

Unlike traditional TCP-based Denial of Service attacks, which require many machines sending many, many packets, this attack can be performed by a single machine with relatively few packets to bring down the application only.

Think of this as sort of a “temporary denial of service”, because once the attacker stops sending requests, the server resumes normal operations.

Q:  Several forums have postulated that Jester is using “Slowloris”, which he adamantly denies – what is Slowloris and where did it come from?

Michael Menefee:  In June of 2009, Robert “Rsnake” Hansen released the exploit tool called “Slowloris” (http://ha.ckers.org/slowloris/) which takes advantage of this vulnerability in Apache (and several other web servers, as it turns out).

Administrators rushed to implement various work-arounds to the problem on their own servers, while others ported the Slowloris tool into other programming languages.

Q:  If Jester is not using Slowloris, how is he performing these DoS attacks?

Michael Menefee:  XerXeS is a much more complex attack tool which possibly exploits the same vulnerability.

Essentially, XerXeS is a weaponizing of the Slowloris-like attack model, and appears to utilize a network of anonymous proxies to amplify the attack against the targeted web server.

Q:  What makes XerXeS so special?

Michael Menefee:  The attack is performed on a single low-spec computer, and while The Jester sends relatively few packets from his own machine, the attack results in brief outages of the target site.

Although mitigation strategies against this attack do exist, the web server software itself is still vulnerable to the Denial of Service condition.

Q:  How widespread are these vulnerabilities?

Michael Menefee:  With over 57% of the world’s websites (according to Netcraft) being run by various versions of Apache, the potential footprint for exploitation is huge. And – again – it’s not just Apache that is vulnerable.

Imagine if a coordinated, sustained global attack utilizing new or existing botnets (with millions of nodes) simultaneously targeted millions of websites globally—the result could be enormous financial costs for the global economy with disruption of commerce, travel, communications and vital infrastructure.

Q:  Is there anything else like XerXeS out there now?

Michael Menefee:  There is a new DoS attack vector effective against almost all web server software, including IIS and Lighttpd, both of which are supposedly immune to the Slowloris attack, which has been devised to utilize the same fundamental timeout exploitation model, whereby the web server’s resources are exhausted to the point of not being able to perform their primary function.

Although this emerging attack method has yet to see a publicly-released exploit tool, anyone with fundamental programming knowledge could write a basic attack tool similar to Slowloris, which could be used in an even larger global attack scenario.

There is speculation that th3j35t3r may be using something similar to this new attack vector with his latest release of XerXes, although who's to know for sure, except The Jester.
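A defender's view of the behaviour described in the interview above, as an added example that is not part of the original article or of any tool it mentions: requests that are opened but never completed eventually hit the server's timeout, and a burst of such timeouts is a usable detection signal. The code assumes Apache-style Common Log Format in which a timed-out, unfinished request is recorded with the request field `"-"` and status 408; the log lines, window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+')

def sample_log():
    """Constructed access-log lines (documentation IP ranges, not real traffic)."""
    lines = [f'203.0.113.7 - - [11/Mar/2010:10:00:{s:02d} +0000] "-" 408 -'
             for s in range(0, 40, 5)]            # 8 unfinished requests in 35 s
    lines += ['198.51.100.20 - - [11/Mar/2010:10:00:03 +0000] "GET / HTTP/1.1" 200 5120',
              '198.51.100.20 - - [11/Mar/2010:10:00:30 +0000] "-" 408 -']  # one stray timeout
    lines += [f'192.0.2.44 - - [11/Mar/2010:{11 + h}:00:00 +0000] "-" 408 -'
              for h in range(5)]                  # 5 timeouts, each an hour apart
    return "\n".join(lines)

def request_timeouts(log_text):
    """Yield (ip, time) for requests that timed out before a request line arrived."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # skip lines in another format
        ip, stamp, request, status = m.groups()
        if status == "408" and request in ("-", ""):
            yield ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")

def peak_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyse(log_text, window=timedelta(seconds=60), threshold=5):
    """Return ({ip: peak timeouts per window}, server-wide peak per window)."""
    per_ip = defaultdict(list)
    for ip, when in request_timeouts(log_text):
        per_ip[ip].append(when)
    flagged = {ip: n for ip, ts in per_ip.items()
               if (n := peak_in_window(ts, window)) >= threshold}
    # Traffic relayed through many proxies stays under the per-IP threshold,
    # so the server-wide peak across all clients is reported as well.
    overall = peak_in_window([t for ts in per_ip.values() for t in ts], window)
    return flagged, overall
```

On the constructed log, only the client with eight timeouts inside one minute is flagged; the server-wide figure is the one to alert on when the sources are spread across proxies, as the interview suggests XerXeS may do.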


The debate continues as to the ethicality of The Jester’s one-hacker crusade. Currently, the poll at Infosec Island has the majority of security professionals registering their support for The Jester’s exploits.

Watch the video demonstration, and then register your opinion in the comments field below.

© 2010 Infosec Island - All rights reserved

dan mc yin and yang forever...
can't just read and regurgitate, this
is an artform, the creative have
a platform to strive here and I hope to
be a 10th as gifted as Jester, he's a great talent and I'm glad he's on our side..
Luis Santana HackTalk Security's HTH recently interviewed Jester and a full writeup of the conversation can be found at
Genevieve Walters " It's the backend databases that are really interesting they hold much of the content that the HTTP server pushes out, so if you knock the database over it has the same effect as taking out the HTTP server." Jester seems to be trying to do good with exposing Apache's faults. It is scary to think that all of the data can be knocked out. Are there security patches available to prevent this? Could you use something like Datanumen AEXR to recover your data?
Genevieve Walters I wanted to follow up with my last post about protecting your database. I was doing some research on data recovery software and came across this site: www.coop-systems.com and wondered what your thoughts are on it? Thanks for your help.
Genevieve Walters It's me again. I just came across this website: http://www.neverfailgroup.com
Do you think that something like this would help me if a hacker got into my database? I am nervous that a hacker will make me lose all of my data on my server.
M Davis In response to Genevieve's comment about database protection: I've experienced a DoS attack in the past at http://www.myranchosantaferealestate.com & am wondering what the best course of action would be to prevent any further attacks/damage to my site.
M Davis Just want to add: I am semi-new to the whole server lingo, so please go easy on any recommendations that you may have, thanks.
Peter Noone This is retarded. Th3j35t3r says it's not slowloris, so you just believe him because he shows you a GUI and tells you he uses TOR? PyLoris is a python implementation of slowloris that has a scripting interface and is integrated with TOR, anyone can spend an afternoon throwing together a GUI with Qt or a hundred other rapid GUI builders for python. Th3j35t3r is the biggest poser anyone's ever seen and you guys have your noses way up his ass -- wtf? You guys excited by his "patriot" image and SEAL Team 6 cornball lingo? He publishes NONE of his work or supposed exploits, he just talks about secret 0days and all these people just gobble it up, it's embarrassing. I'm embarrassed FOR YOU.
Michael Menefee Peter,

Then I'm sure you wouldn't mind building us a little demo this afternoon of your pyloris GUI? I mean it's easy....either way, who cares? This article is over a year old and happened way before all the hype and hacks and script kiddies and everything else. Thanks for putting it back on the front page by commenting on it :)
Peter Noone The PyLoris project is older than the Jester, that might have been obvious if anyone interviewing this guy had bothered to use google for more than 2 minutes to research what he's been doing all along. The original author already has a GUI, but if you still think it's necessary to see me writing one that looks like the Jester's just to prove what should be obvious to you if you graduated from 8th grade and aren't blind, here you go: http://tinyurl.com/5rduv8f
Peter Noone Just in case you still fail: http://motomastyle.com/pyloris/
Michael Menefee The article clearly states that XerXes appears similar to Slowloris, what pyLoris was initially based on. Either way the point of this article was to document that (back in March 2010) we would see more advanced DoS and DDoS attacks creep up, which we certainly have this year, whatever codebase they are built on
Peter Noone Michael, I've read the article, I know it was also about DoS, DDoS, etc. The rest of the article is treating the Jester like a celebrity, emphasis "exclusive video of xerxes" etc, showcasing this guy like he's a rockstar. Other articles on this site trash Lulzsec and Anonymous, and the hypocrisy is obvious. You guys jumped on a bandwagon including Fox News, to worship a "patriot hacker" while you regularly trash every other denomination of hacker. Why was he offered reverential treatment, and not challenged in his claims?
Michael Menefee I realize in retrospect, this article appears to single him out as the only good hacker on earth, but we've pissed off jester a few times with our articles calling him out on some things...

We neither support nor defend the jester or anyone engaged in illegal hacking. I will say this though, of the 3 groups: jester, lulzsec and anonymous, jester's the only one that hasn't launched a DoS attack against us
Randy Mueller gee peter. sound mad. the special treatment might be because we all really don't like 9/11. if you could show us your work on jihad sites we will lift you up too.