Anatomy of a Web Server Hack and Pharma Spam Attack
1. Anatomy of a Web Server Hack (it wasn’t fun or profitable) (for me)
Patrick Laverty
Brown University
OWASP Rhode Island
BSides Rhode Island
Twitter: @ProvWebAppSec
2. Who Am I?
• Programmer/WebSec guy at Brown University
• PaulDotCom Intern
• http://www.securitybsides.com/BSidesRI
• OWASP Rhode Island
5-7. Step Back - Timeline
• Holiday weekend, 1 dept site down
• Reports pharmaspam in Google results
• 7 pm, database server maxed out
• Kill processes, they come back
• Renaming databases, sites down
• But most importantly…
12-13. OK, Really Why?
• Two words: File Permissions
• >1200 accounts
• 600 GB of files
• Hundreds of sites
• More history:
  – Solaris Web Server
  – 16 groups per user max
  – Web server user
  – Thousands of groups on server
  – World Readable
36. Why the DoS? What Happens?
• Google as Referrer -> hit page in .htaccess
• Page pulls in code from files-uploader.com
• Shows page selling Viagra
• Brown University = Online Pharmacy
• Plus, high Google ranking
38. How’d We Fix It? Immediate Steps
– Deleted the current offending uploader script & redirecting .htaccess files
– Traffic dropped off immediately
39. How’d We Fix It? Ongoing Steps
– Remove all shell files
– Remove all uploader files
– Find and fix the .htaccess files
– Remove the web server user as much as possible
– Weakened the shell files
– Set up shell file password search in logs
– Monthly meetings to review
40-41. How Else is it Being Fixed?
• One Word…
• FilePermissions!
• Three Options for Site Owners
42. Option 1
• One web editor?
• rwxr-x---
• Web server user in the group
43. Option 2
• Multiple web editors
• rwxrwxr-x
• Web server user NOT in the group
• Back to original security problem
44. Option 3
• Virtual Machine
• Do whatever you want!
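Added example (shell script, not from the talk): the two things an admin can scan a shared web root for are the referrer-keyed .htaccess rules described on slide 36 and the "other"-bit exposure that Option 2 (rwxrwxr-x, web server user not in the group) reintroduces; under Option 1 (rwxr-x---) the first check returns nothing. The directory layout, file names and rule text below are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the talk: two checks over a shared web root.
# (1) Files readable/writable by "other": under Option 2 the web server user
#     (and every other account on the box) reaches them only via those bits.
# (2) .htaccess files whose rewrite rules branch on the HTTP referrer, the
#     pattern behind the Google-referrer pharma pages. Paths are constructed.

# List regular files under $1 with any read or write bit set for "other".
world_accessible() {
  find "$1" -type f \( -perm -004 -o -perm -002 \) | sort
}

count_world_accessible() {
  world_accessible "$1" | wc -l | tr -d ' '
}

# List .htaccess files under $1 that test HTTP_REFERER in a RewriteCond.
referrer_htaccess() {
  find "$1" -type f -name .htaccess -exec grep -l -i 'RewriteCond.*HTTP_REFERER' {} + | sort
}

count_referrer_htaccess() {
  referrer_htaccess "$1" | wc -l | tr -d ' '
}

# Constructed sample tree: dept_a follows Option 1 (group only), dept_b does not.
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/dept_a" "$SAMPLE_ROOT/dept_b"
printf '<html>a</html>\n' > "$SAMPLE_ROOT/dept_a/index.html"
chmod 0640 "$SAMPLE_ROOT/dept_a/index.html"
printf 'RewriteEngine On\nRewriteRule ^old$ /new [R=301,L]\n' > "$SAMPLE_ROOT/dept_a/.htaccess"
chmod 0640 "$SAMPLE_ROOT/dept_a/.htaccess"
printf '<html>b</html>\n' > "$SAMPLE_ROOT/dept_b/index.html"
chmod 0664 "$SAMPLE_ROOT/dept_b/index.html"
printf '<?php // stand-in for a stray upload script\n' > "$SAMPLE_ROOT/dept_b/uploader.php"
chmod 0666 "$SAMPLE_ROOT/dept_b/uploader.php"
printf 'RewriteEngine On\nRewriteCond %%{HTTP_REFERER} google [NC]\nRewriteRule ^ /index.html [L]\n' > "$SAMPLE_ROOT/dept_b/.htaccess"
chmod 0644 "$SAMPLE_ROOT/dept_b/.htaccess"

echo "world-accessible files: $(count_world_accessible "$SAMPLE_ROOT")"
world_accessible "$SAMPLE_ROOT"
echo "referrer-keyed .htaccess files: $(count_referrer_htaccess "$SAMPLE_ROOT")"
referrer_htaccess "$SAMPLE_ROOT"
```

Only the dept_b files show up in either list; a real run would point the two functions at the server's document root instead of the temporary tree.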
45. Bottom Line
• Keep file permissions tight
• Keep software current
• Keep users off server
46. Questions?
Contact Info:
Patrick Laverty
Brown University
Patrick@brown.edu
@provwebappsec or @BSidesRI