Web Server Compromises Ellen Mitchell, CISSP 12/09/2014
Jul 14, 2015
Outline
• What is a web server compromise?
• Background - who participates in campus process (open web server, respond)?
– Typical steps to launch web server on campus
• How can we prevent compromise?
• How can we detect it?
• What do we do if compromised?
• Additional resources
What is a Web Server Compromise?
• Defacement
• Pharmacy Spam (viagra, cialis)
Defacement
• Defacement is a type of vandalism that involves damaging the appearance or surface of something.
Added to www.tamu.edu (in 2005)
Other defacement examples
Another defacement example
Another defacement example (this also has sound)
Pharmacy Spam
• Malicious code injected on legitimate but compromised sites
• There is also a twist: the injected code keys on Referer headers, User-Agent strings, etc., which can prevent admins from discovering it easily
Spam Classified by Category
MessageLabs Intelligence - February 2010
Legitimate Site Hosting Pharmacy Spam
Sample Google Search
Participants?
• Host “owners” as recorded in “NIM”
– “Liaisons” on behalf of a professor/customer
– Web server maintainers (the “mechanic”)
– Web content managers (the “driver”)
– From student workers -> professional IT staff
• Security team
• Your web audience
Typical Process to Launch Web Server
• Contact Security Team
• Vulnerability Scan
– Self-service: scan.tamu.edu or
– We’ll scan for you
Sample Scan Output
• Fix any problems
• Port(s) are opened on the campus firewall
Common Issues We See (1/3)
• Vulnerable software can permit execution of arbitrary commands, redirection to other sites, inclusion of files, loss of data
• Out of date versions:
– PHP
– Apache
– Drupal
– WordPress
– Joomla
Common Issues We See (2/3)
• Configuration
– SSLv2, SSLv3 should be disabled, use TLS
• https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
• https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability
– Self-signed certificates
• Get one at no cost from cert.tamu.edu
Common Issues We See (3/3)
• Configuration
– Forums not locked down
– WordPress default configuration allows someone to create their own blog
• See owasp.org “top 10” list of problems (Open Web Application Security Project)
• Doing research, we found many of the “top 10” problems from 2006 were the same as today
OWASP Top 10 problems from 2006
• Unvalidated input
• Broken access control
• Broken authentication and session management
• Cross-site scripting (XSS)
• Buffer overflows
• Injection flaws (shell commands and SQL)
• Improper error handling
• Insecure storage
• Denial of service
• Insecure configuration management
OWASP Top 10 problems from 2013
• Injection
• Broken authentication and session management
• Cross-site scripting (XSS)
• Insecure direct object references
• Security misconfiguration
• Sensitive data exposure
• Missing function level access control
• Cross-site request forgery
• Using components with known vulnerabilities
• Unvalidated redirects and forwards
How Can We Prevent Compromise? (1/2)
• Vulnerability scans
• Keep up-to-date with software, patches
• Secunia Corporate Software Inspector
• Back up your content
• Code review – sanitize input
Prevention (2/2)
• Microsoft Baseline Security Analyzer (Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP)
• Antivirus
• Be careful what you install
– Toolbars – source of spyware
– Cnet.com – often software comes pre-installed with undesirable add-ons
How Can We Detect It?
• In-house tools (IDS)
Notices from IDS
IDS, Continued
Analyze trends on campus (1/2)
Analyze trends on campus (2/2)
A note about Mudrop
• Windows malware
• Talks to “Mother Ship” and downloads additional files
• Bypasses personal firewall settings
• Affects Master Boot Record and registry
A note about Zeus
• Windows malware
• Keylogger, can steal financial information
• Used to install CryptoLocker ransomware
• Hard to detect and prevent
• Often obtained via phishing, “drive-by” downloads
How Can We Detect It?
• In-house tools (IDS)
• Receive notices from off-campus
– US-CERT
– REN-ISAC
Google Webmaster Tools
• Fetch as googlebot
• The fetch and render mode tells Googlebot to crawl and display your page as browsers would display it to your audience. […] You can use the rendered image to detect differences between how Googlebot sees your page, and how your browser renders it.
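The pharmacy-spam "twist" from earlier (injected code that keys on Referer and User-Agent) is exactly what "Fetch as Googlebot" helps surface: fetch the page as a crawler and as a browser and compare. The script below is an added example, not part of the original slides or of Google's tooling; it fetches twice with different headers and reports spam terms visible only to the crawler. The `fake_cloaked_site` and `fake_clean_site` functions are constructed stand-ins so the check runs offline; point `check_cloaking` at `http_fetch` for a site you administer.

```python
from urllib.request import Request, urlopen

# Two views of the same page: an ordinary browser, and a search-engine crawler
# arriving from a Google results page. Injected spam is often served only to the latter.
BROWSER = {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/34.0"}
CRAWLER = {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
           "Referer": "https://www.google.com/search?q=viagra"}
SPAM_WORDS = ("viagra", "cialis", "pharmacy")


def http_fetch(url, headers):
    """Real fetcher: GET the URL with the given headers and return the body as text."""
    with urlopen(Request(url, headers=headers), timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def check_cloaking(url, fetch=http_fetch):
    """Fetch the page as a browser and as a crawler; return spam terms only the crawler sees."""
    as_browser = fetch(url, BROWSER).lower()
    as_crawler = fetch(url, CRAWLER).lower()
    return sorted(w for w in SPAM_WORDS if w in as_crawler and w not in as_browser)


# Constructed stand-in for a compromised site (not a real host). It mirrors the behaviour
# the slides describe: the injected content appears only when the request looks like a
# search-engine crawler or a visitor coming from search results.
def fake_cloaked_site(url, headers):
    page = "<html><body><h1>Department of Chemistry</h1><p>Course list</p></body></html>"
    ua = headers.get("User-Agent", "").lower()
    ref = headers.get("Referer", "")
    if "googlebot" in ua or "google.com/search" in ref:
        page = page.replace("</body>", "<div>Buy cheap Viagra Cialis online pharmacy</div></body>")
    return page


# Constructed stand-in for an unmodified site, for comparison.
def fake_clean_site(url, headers):
    return "<html><body><h1>Department of Chemistry</h1><p>Course list</p></body></html>"


if __name__ == "__main__":
    print(check_cloaking("http://www.example.edu/", fake_cloaked_site))  # ['cialis', 'pharmacy', 'viagra']
    print(check_cloaking("http://www.example.edu/", fake_clean_site))    # []
```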
How Can We Detect It?
• In-house tools
• Receive notices from off-campus
• Phone calls, email to [email protected]
• Google Webmaster Tools
• Review log files (ours and yours)
Correlating Log Files
Strange Characters in Log Files
• http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
• "%20" Requests
• "%00" Requests
• "|" Requests
• http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
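The patterns on this slide (traversal sequences, encoded nulls, shell metacharacters, oversized parameters) can be flagged automatically when reviewing logs. The script below is an added example, not part of the original slides; it parses Apache combined-format lines, URL-decodes the request path so that encodings such as %00 and %2e%2e do not hide the characters they stand for, and reports which rule each request tripped. The log lines are constructed samples with documentation IP addresses, not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined format); not from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2014:10:01:02 -0600] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Dec/2014:10:01:09 -0600] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.1" 200 312 "-" "curl/7.38"
198.51.100.4 - - [09/Dec/2014:10:02:15 -0600] "GET /search?q=test%00.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Dec/2014:10:02:20 -0600] "GET /cgi-bin/ping.cgi?host=127.0.0.1|id HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.9 - - [09/Dec/2014:10:03:01 -0600] "GET /cgi-bin/helloworld?type=@@LONG@@ HTTP/1.1" 500 0 "-" "python-requests/2.4"
""".replace("@@LONG@@", "A" * 300)

# Client IP, timestamp, method, request path and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Each rule is (name, predicate over the URL-decoded request path).
RULES = [
    ("directory traversal", lambda p: "../" in p or "..\\" in p),
    ("null byte", lambda p: "\x00" in p),
    ("shell metacharacter", lambda p: any(c in p for c in "|;`")),
    ("oversized parameter", lambda p: any(len(v) > 200 for v in re.findall(r"=([^&]*)", p))),
]


def scan_line(line):
    """Return (ip, raw_path, [rule names tripped]) for one line, or None if it does not parse."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    raw = m.group("path")
    decoded = unquote(raw)  # %00 -> NUL, %2e%2e%2f -> ../ and so on
    hits = [name for name, pred in RULES if pred(decoded)]
    return m.group("ip"), raw, hits


def scan_log(text):
    """Return only the suspicious requests, each with the rules it tripped."""
    return [r for r in (scan_line(l) for l in text.splitlines()) if r and r[2]]


if __name__ == "__main__":
    for ip, path, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} {path[:60]} -> {', '.join(hits)}")
```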
What Do We Do if Compromised?
• Please contact us if we haven’t contacted you
– We can cross-reference and notify others
– We contact the NIM-owner (or best guess)
• Determine what happened
– We may be able to help, with scans/logs, forensic service contract
• Close firewall ports?
• Restore content?
• Reinstall?
Additional Resources
• us-cert.gov
• isc.sans.org
• owasp.org
• Providers such as php mailing list, etc.
• www.cgisecurity.com/papers/fingerprint-port80.txt
• aw-snap.info
• am-compadmin (listserv.tamu.edu)
• tamunet (listserv.tamu.edu)