uweb meeting presentation - website exploits
TRANSCRIPT
Web Server Compromises
Ellen Mitchell, CISSP
12/09/2014
Outline
• What is a web server compromise?
• Background - who participates in campus process (open web server, respond)?
– Typical steps to launch web server on campus
• How can we prevent compromise?
• How can we detect it?
• What do we do if compromised?
• Additional resources
What is a Web Server Compromise?
• Defacement
• Pharmacy Spam (viagra, cialis)
Defacement
• Defacement is a type of vandalism that involves damaging the appearance or surface of something.
Other defacement examples
Another defacement example
Another defacement example (this also has sound)
Pharmacy Spam
• Malicious code injected on legitimate but compromised sites
• There is also a twist – the injected code can serve the spam only to certain visitors based on the referer, user agent, etc., so admins browsing the site directly may not discover it easily
Spam Classified by Category
Source: MessageLabs Intelligence, February 2010
Legitimate site
Hosting Pharmacy Spam
Sample Google Search
Participants?
• Host “owners” as recorded in “NIM”
– “Liaisons” on behalf of a professor/customer
– Web server maintainers (the “mechanic”)
– Web content managers (the “driver”)
– Ranging from student workers to professional IT staff
• Security team
• Your web audience
Typical Process to Launch Web Server
• Contact Security Team
• Vulnerability Scan
– Self-service: scan.tamu.edu or
– We’ll scan for you
Sample Scan Output
Typical Process to Launch Web Server
• Contact Security Team
• Vulnerability Scan
– Self-service: scan.tamu.edu or
– We’ll scan for you
• Fix any problems
• Port(s) are opened on the campus firewall
Common Issues We See (1/3)
• Vulnerable software can permit execution of arbitrary commands, redirection to other sites, inclusion of files, and loss of data
• Out of date versions:
– PHP
– Apache
– Drupal
– WordPress
– Joomla
Common Issues We See (2/3)
• Configuration
– SSLv2, SSLv3 should be disabled, use TLS
• https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
• https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability
– Self-signed certificates
• Get one at no cost from cert.tamu.edu
Common Issues We See (3/3)
• Configuration
– Forums not locked down
– WordPress default configuration allows someone to create their own blog
• See the owasp.org “top 10” list of problems (Open Web Application Security Project)
• Doing research, we found many of the “top 10” problems from 2006 were the same as today
OWASP Top 10 problems from 2006
• Unvalidated input
• Broken access control
• Broken authentication and session management
• Cross-site scripting (XSS)
• Buffer overflows
• Injection flaws (shell commands and SQL)
• Improper error handling
• Insecure storage
• Denial of service
• Insecure configuration management
OWASP Top 10 problems from 2013
• Injection
• Broken authentication and session management
• Cross-site scripting (XSS)
• Insecure direct object references
• Security misconfiguration
• Sensitive data exposure
• Missing function level access control
• Cross-site request forgery
• Using components with known vulnerabilities
• Unvalidated redirects and forwards
Outline
• What is a web server compromise?
• Background - who participates in campus process?
– Typical steps to launch web server on campus
• How can we prevent compromise?
• How can we detect it?
• What do we do if compromised?
• Additional resources
![Page 27: Uweb Meeting Presentation - Website Exploits](https://reader033.vdocuments.site/reader033/viewer/2022051516/55a472c71a28ab97568b4778/html5/thumbnails/27.jpg)
How Can We Prevent Compromise? (1/2)
• Vulnerability scans
• Keep up-to-date with software, patches
• Secunia Corporate Software Inspector
• Back up your content
• Code review – sanitize input
Prevention (2/2)
• Microsoft Baseline Security Analyzer (Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP)
• Antivirus
• Be careful what you install
– Toolbars – a source of spyware
– Cnet.com – software downloaded from there often comes bundled with undesirable add-ons
How Can We Detect It?
• In-house tools (IDS)
Notices from IDS
IDS, Continued
IDS, Continued
Analyze trends on campus (1/2)
Analyze trends on campus (2/2)
A note about Mudrop
• Windows malware
• Talks to “Mother Ship” and downloads additional files
• Bypasses personal firewall settings
• Affects Master Boot Record and registry
A note about Zeus
• Windows malware
• Keylogger, can steal financial information
• Used to install CryptoLocker ransomware
• Hard to detect and prevent
• Often obtained via phishing, “drive-by” downloads
How Can We Detect It?
• In-house tools (IDS)
• Receive notices from off-campus
US-CERT
REN-ISAC
How Can We Detect It?
• In-house tools (IDS)
• Receive notices from off-campus
• Phone calls, email to [email protected]
How Can We Detect It?
• In-house tools (IDS)
• Receive notices from off-campus
• Phone calls, email to [email protected]
• Google Webmaster Tools
Google Webmaster Tools
• Fetch as googlebot
• The fetch and render mode tells Googlebot to crawl and display your page as browsers would display it to your audience. […] You can use the rendered image to detect differences between how Googlebot sees your page, and how your browser renders it.
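The "twist" from the Pharmacy Spam slide and the Fetch as Googlebot check above can be reproduced for your own server with a script like the following. This is an added example, not code from the presentation or from Google: it fetches the same page once as a browser and once as a crawler arriving from a search result, then reports words only the crawler sees. The sample HTML, the term list and the Googlebot request headers are constructed for the example.

```python
import re
import urllib.request

# Pharmacy-spam terms named in the talk; extend the tuple for your own site.
PHARMA_TERMS = ("viagra", "cialis", "pharmacy")

# Constructed views of one page: what a browser gets, and what a search-engine crawler
# arriving from a search result gets when the injected code cloaks its spam.
BROWSER_VIEW = "<html><body><h1>Department of Widgets</h1><p>Office hours 9-5.</p></body></html>"
CRAWLER_VIEW = ("<html><body><h1>Department of Widgets</h1><p>Office hours 9-5.</p>"
                "<div style='display:none'>Buy cheap viagra cialis online pharmacy</div>"
                "</body></html>")


def visible_words(html):
    """Lower-cased word set of the page text with scripts, styles and tags removed."""
    text = re.sub(r"<(script|style).*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return set(re.findall(r"[a-z0-9]+", text.lower()))


def compare_views(browser_html, crawler_html):
    """Words only the crawler sees, and which of them are pharmacy-spam terms."""
    only_crawler = visible_words(crawler_html) - visible_words(browser_html)
    spam = sorted(w for w in only_crawler if w in PHARMA_TERMS)
    return {"only_crawler": sorted(only_crawler), "spam_terms": spam, "cloaked": bool(spam)}


def fetch_as(url, user_agent, referer=None, timeout=15):
    """Fetch a URL with a chosen User-Agent and optional Referer header."""
    headers = {"User-Agent": user_agent}
    if referer:
        headers["Referer"] = referer
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def check_site(url):
    """Compare a browser-style fetch against a Googlebot-style fetch from a search result."""
    browser = fetch_as(url, "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36")
    crawler = fetch_as(url, "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                       referer="https://www.google.com/search?q=example")
    return compare_views(browser, crawler)
```

Run `check_site("https://your.server.example/")` against a server you maintain; a non-empty `spam_terms` list means visitors from search results are being shown content you never see when browsing directly.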
How Can We Detect It?
• In-house tools
• Receive notices from off-campus
• Phone calls, email to [email protected]
• Google Webmaster Tools
• Review log files (ours and yours)
Correlating Log Files
Strange Characters in Log Files
• http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
• "%20" Requests
• "%00" Requests
• "|" Requests
• http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
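The "strange characters" list and the Correlating Log Files slide can be turned into a small scanner for a server's own access log. This is an added example, not a tool from the presentation: it parses Apache combined-format lines, flags the patterns from the slide, and groups the hits by client IP so they can be matched against the IPs named in an IDS notice. The log lines and the notice IPs are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache "combined" log format (not from the presentation).
LONG_RUN = "A" * 120
SAMPLE_LOG = f"""\
10.0.0.5 - - [09/Dec/2014:10:01:02 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Dec/2014:10:02:15 -0600] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.1" 404 210 "-" "curl/7.38"
10.0.0.9 - - [09/Dec/2014:10:02:16 -0600] "GET /cgi-bin/helloworld?type={LONG_RUN} HTTP/1.1" 500 0 "-" "curl/7.38"
10.0.0.7 - - [09/Dec/2014:10:03:40 -0600] "GET /search?q=hello%20world HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Dec/2014:10:04:01 -0600] "GET /cgi-bin/view.cgi?page=%00 HTTP/1.1" 500 0 "-" "curl/7.38"
10.0.0.3 - - [09/Dec/2014:10:05:00 -0600] "GET /cgi-bin/ls.cgi?dir=|id HTTP/1.1" 200 77 "-" "python-requests/2.4"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def suspicious_reasons(raw_path):
    """Return why a request path matches the 'strange characters' list on the slide."""
    reasons = []
    if "%00" in raw_path:                      # embedded null byte
        reasons.append("null byte (%00)")
    decoded = unquote(raw_path)                # catch ..%2F-style encodings too
    if "../" in decoded or "..\\" in decoded:
        reasons.append("directory traversal (../)")
    if "|" in decoded:
        reasons.append("pipe character (|)")
    if re.search(r"(.)\1{99,}", decoded):      # 100+ repeats of one character
        reasons.append("long repeated-character run")
    # %20 is normal in search queries, so only flag it in CGI requests where it is unusual
    if "%20" in raw_path and raw_path.startswith("/cgi-bin/"):
        reasons.append("encoded space (%20) in CGI request")
    return reasons


def scan_log(text):
    """Parse each log line and keep the ones with at least one suspicious reason."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        reasons = suspicious_reasons(m["path"]) if m else []
        if reasons:
            hits.append((m["ip"], m["ts"], m["path"], reasons))
    return hits


def correlate(hits, notice_ips):
    """Group flagged requests by client IP and keep only the IPs named in an IDS notice."""
    by_ip = {}
    for ip, ts, path, reasons in hits:
        by_ip.setdefault(ip, []).append((ts, path, reasons))
    return {ip: entries for ip, entries in by_ip.items() if ip in notice_ips}
```

Feed `scan_log` the contents of your own access log and `correlate` the hits with the IPs and times from the security team's notice to see which of their observations line up with requests your server actually served.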
What Do We Do if Compromised?
• Please contact us if we haven’t contacted you
– We can cross-reference and notify others
– We contact the NIM-owner (or best guess)
• Determine what happened
– We may be able to help, with scans/logs, forensic service contract
• Close firewall ports?
• Restore content?
• Reinstall?
Additional Resources
• us-cert.gov
• isc.sans.org
• owasp.org
• Providers such as the php mailing list, etc.
• www.cgisecurity.com/papers/fingerprint-port80.txt
• aw-snap.info
• am-compadmin (listserv.tamu.edu)
• tamunet (listserv.tamu.edu)