What should I do when my website got hacked?
How to analyse web application logs to find web application attacks

  1. What should I do when my website got hacked? Sumedt Jitpukdebodin, Security Engineer, I-SECURE Co., Ltd.
  2. # whoami • Name: Sumedt Jitpukdebodin • Job: Security Engineer @ I-SECURE Co., Ltd. • Hobbies: Hacking, Forensics, Cartoons, Series (Recommended: Mr Robot), Etc. • Website: www.techsuii.com, www.r00tsec.com • Social Network: @materaj, fb.com/sumedt.jitpukdebodin
  3. # ls objective • Web Application Threat Growth Statistics • Web Server x Web Application • Sample of access.log • How to start web application attack analysis • Tools for analysis • How to defend a web application
  4. Web Application Threat Growth Statistics
  5. Web Application Threat Growth Statistics, from Imperva's Web Application Attack Report (October 2014) http://www.imperva.com/DefenseCenter/WAAR
  6. Web Application Threat Growth Statistics, from the McAfee Labs Threats Report (February 2015) http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2014.pdf
  7. # top target • WordPress is the most attacked Content Management System (CMS) • PHP applications suffer almost 3X more Cross Site Scripting (XSS) attacks than ASP applications • PHP applications suffer almost 2X more Directory Traversal (DT) attacks than ASP applications • ASP applications suffer almost 2X more SQL Injection attacks than PHP applications • Websites containing some form of consumer information suffer up to 59% of the attacks
  8. # top target
  9. # stats target
  10. # stats target
  11. Web Server x Web Application
  12. Web Server x Web Application
  13. Sample of access.log
  14. # cat access.log # cat access.log | grep -v bot | more
  15. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to-setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined
  16-24. # man access.log (the slides highlight the same line one field at a time) • 114.109.95.176: client IP (%h) • -: identity of the user determined by identd (%l), almost always "-" • -: user name determined by HTTP authentication (%u) • [26/Oct/2014:07:07:40 -0400]: the time the server received the request (%t) • "GET /2014/09/09/how-to-setup-dns-server-in-ubuntu/ HTTP/1.1": request line from the client (%r) • 200: status code of the final response (%>s) • 58536: size of the response body in bytes (%b) • "https://www.google.co.th/": Referer • "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36": User-agent
  25. # awk '{ print $n }' access.log • awk '{print $1}' access.log # client IP (%h) • awk '{print $2}' access.log # RFC 1413 identity (%l) • awk '{print $3}' access.log # userid (%u) • awk '{print $4,$5}' access.log # date/time (%t) • awk '{print $9}' access.log # status code (%>s) • awk '{print $10}' access.log # size (%b) • awk -F'"' '{print $2}' access.log # request line (%r) • awk -F'"' '{print $4}' access.log # referer • awk -F'"' '{print $6}' access.log # user-agent
  26. How to start web application attack analysis
  27. The Art Of War
  28. OWASP Top 10 2013 • A1-Injection • A2-Broken Authentication and Session Management • A3-Cross-Site Scripting (XSS) • A4-Insecure Direct Object References • A5-Security Misconfiguration • A6-Sensitive Data Exposure • A7-Missing Function Level Access Control • A8-Cross-Site Request Forgery (CSRF) • A9-Using Components with Known Vulnerabilities • A10-Unvalidated Redirects and Forwards
  29. Log path • /var/log/apache2/ • /var/log/nginx/ • C:\Windows\System32\LogFiles\W3SVC1 (IIS 6; IIS 7 and later default to C:\inetpub\logs\LogFiles\W3SVC1)
  30. SQL Injection • Filter: union, order by, select, concat, group_concat, version, %27, %27%20, %2527, --, exec, varchar, cast
  31. Example filter SQLi • cat access.log | grep -i union | more
  32. Local File Inclusion / Remote File Inclusion • Filter: ../, /etc/passwd, windows/system32/drivers/etc/hosts, ../boot.ini, =http://, =php://
  33. Example filter LFI & RFI • cat access.log | grep "/etc/passwd" | more
  34. XSS • Filter: javascript, document.cookie, img src, alert
  35. Example filter XSS • cat access.log | grep -i "alert" | more
  36. Brute Forcing • cat access.log | grep "POST" | grep "login.php" | more
  37. Shellshock • Filter: () {
  38. Example filter Shellshock • cat access.log | grep "() {" | more
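The grep filters on the slides above run over the raw log line, so they miss URL-encoded and double-encoded payloads (the SQLi slide lists %27 and %2527 for exactly that reason) and do not say which field the pattern sat in, which matters for Shellshock, whose payload normally arrives in the User-Agent or Referer header rather than the request path. The following is an added example, not code from the slides or from the author: a Python script that parses combined-format lines into the %h ... %{User-agent}i fields from the access.log slides, URL-decodes each field twice, applies the slides' indicator lists per category over every attacker-controlled field, and counts login POSTs per client IP for the brute-force check. The sample log lines are constructed for the example (only the first is the benign line from the slides), and the category names, the login path and the threshold of three attempts are assumptions of mine, not values from the deck.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache "combined" LogFormat:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Assumes no escaped quotes (\") inside the quoted fields; Apache emits those
# when a payload itself contains a double quote, so widen the classes if needed.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Indicator strings from the slides, lower-cased; matched after URL-decoding.
# Category names are my own labels.
INDICATORS = {
    "sqli": ("union", "order by", "select", "concat(", "group_concat", "version(",
             "'", "--", "exec", "varchar", "cast("),
    "lfi_rfi": ("../", "/etc/passwd", "windows/system32/drivers/etc/hosts",
                "boot.ini", "=http://", "=php://"),
    "xss": ("javascript", "document.cookie", "img src", "alert("),
    "shellshock": ("() {",),
}


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def decode(text):
    """URL-decode twice so a double-encoded %2527 becomes %27 and then a quote."""
    return unquote(unquote(text)).lower()


def classify(rec):
    """Return the set of categories whose indicators appear in any attacker-
    controlled field (request line, Referer, User-Agent)."""
    hits = set()
    for field in ("request", "referer", "agent"):
        text = decode(rec[field])
        for category, needles in INDICATORS.items():
            if any(n in text for n in needles):
                hits.add(category)
    return hits


def login_attempts(records, path="login.php", threshold=3):
    """Count POSTs to the login page per client IP (the brute-force filter from
    the slides) and return the IPs at or above the threshold (assumed value)."""
    counts = Counter()
    for rec in records:
        method, _, rest = rec["request"].partition(" ")
        target = rest.split(" ")[0]
        if method == "POST" and path in target:
            counts[rec["host"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def analyze(log_text, login_threshold=3):
    """Parse every line, flag the ones with indicators, and summarise login POSTs."""
    records = [r for r in (parse_line(ln) for ln in log_text.splitlines()) if r]
    findings = []
    for rec in records:
        hits = classify(rec)
        if hits:
            findings.append((rec["host"], sorted(hits), rec["request"]))
    return {"parsed": len(records), "findings": findings,
            "brute_force": login_attempts(records, threshold=login_threshold)}


# Constructed sample lines (not a real log): the benign line from the slides,
# one hit per category, and three login POSTs from a single address.
SAMPLE_LOG = """\
114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to-setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36"
203.0.113.5 - - [26/Oct/2014:07:10:01 -0400] "GET /index.php?id=1%2527%20UNION%20SELECT%201,version(),3-- HTTP/1.1" 200 1024 "-" "sqlmap/1.0"
203.0.113.5 - - [26/Oct/2014:07:10:02 -0400] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.35.0"
203.0.113.5 - - [26/Oct/2014:07:10:03 -0400] "GET /search.php?q=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 512 "-" "curl/7.35.0"
198.51.100.9 - - [26/Oct/2014:07:11:00 -0400] "GET /cgi-bin/status HTTP/1.1" 200 300 "-" "() { :;}; /bin/bash -c id"
192.0.2.77 - - [26/Oct/2014:07:12:01 -0400] "POST /wp-login.php HTTP/1.1" 200 1500 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.77 - - [26/Oct/2014:07:12:02 -0400] "POST /wp-login.php HTTP/1.1" 200 1500 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.77 - - [26/Oct/2014:07:12:03 -0400] "POST /wp-login.php HTTP/1.1" 200 1500 "http://example.com/wp-login.php" "Mozilla/5.0"
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"parsed {result['parsed']} lines")
    for host, cats, req in result["findings"]:
        print(f"{host:15} {','.join(cats):10} {req}")
    print("login brute force:", result["brute_force"])
```

Run it against a real file with `analyze(open("access.log").read())`. Short needles such as `select`, `exec` or `'` will also match legitimate URLs on many sites, so treat the output as a triage list to read, not an alert feed; the per-IP counting and the decoded request line are what make the noisy hits quick to dismiss.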
  39. Tools for analysis
  40. # ls /opt/ • Splunk (free license limited to 500 MB/day) • Elasticsearch + Logstash + Kibana (ELK) • Elasticsearch + Graylog2 • Apache-Scalp • OSSEC • Etc.
  41. Splunk
  42. ELK
  43. Graylog2
  44. How to defend against web application attacks
  45. What should I do when my website got hacked? • Shut it down? • Restore the website from a backup? • Before bringing the website back: find the root cause and fix the vulnerability. • If the vulnerability is not in the web application, look at the rest of the system the way an attacker would.
  46. # apt-get upgrade • Secure Coding • OWASP - https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide • Mozilla - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines • Web Application Firewall • Naxsi • ModSecurity • AQTRONIX WebKnight for IIS • Penetration Testing
  47. End %00