Uweb Meeting Presentation - Website Exploits

Presentation given by Ellen Mitchell of the CIS security team on website exploits - what do we see at Texas A&M, how can you prevent them, what should you do if your site is hacked.

Published in: Technology
  1. Web Server Compromises
     Ellen Mitchell, CISSP
     12/09/2014
  2. Outline
     • What is a web server compromise?
     • Background - who participates in campus process (open web server, respond)?
       – Typical steps to launch web server on campus
     • How can we prevent compromise?
     • How can we detect it?
     • What do we do if compromised?
     • Additional resources
  3. What is a Web Server Compromise?
     • Defacement
     • Pharmacy Spam (viagra, cialis)
  4. Defacement
     • Defacement is a type of vandalism that involves damaging the appearance or surface of something.
  5. Added to www.tamu.edu (in 2005)
  6. Other defacement examples
  7. Another defacement example
  8. Another defacement example – (this also has sound)
  9. Pharmacy Spam
     • Malicious code injected on legitimate but compromised sites
     • There is also a twist – referer links, user agents, etc. can prevent admins from discovering this easily
  10. Spam Classified by Category (MessageLabs Intelligence - February 2010)
  11. Legitimate site
  12. Hosting Pharmacy Spam
  13. Sample Google Search
  14. Outline
     • What is a web server compromise?
     • Background - who participates in campus process?
       – Typical steps to launch web server on campus
     • How can we prevent compromise?
     • How can we detect it?
     • What do we do if compromised?
     • Additional resources
  15. Participants?
     • Host “owners” as recorded in “NIM”
  16. Participants?
     • Host “owners” as recorded in “NIM”
       – “Liaisons” on behalf of a professor/customer
       – Web server maintainers (the “mechanic”)
       – Web content managers (the “driver”)
       – From student workers -> professional IT staff
     • Security team
     • Your web audience
  17. Participants?
     • Host “owners” as recorded in “NIM”
       – “Liaisons” on behalf of a professor/customer
       – Web server maintainers (the “mechanic”)
       – Web content managers (the “driver”)
       – From student workers -> professional IT staff
     • Security team
     • Your web audience
  18. Typical Process to Launch Web Server
     • Contact Security Team
       – security@tamu.edu
     • Vulnerability Scan
       – Self-service: scan.tamu.edu or
       – We’ll scan for you
  19. Sample Scan Output
  20. Typical Process to Launch Web Server
     • Contact Security Team
     • Vulnerability Scan
       – Self-service: scan.tamu.edu or
       – We’ll scan for you
     • Fix any problems
     • Port(s) are opened on the campus firewall
  21. Common Issues We See (1/3)
     • Software can permit execution of arbitrary commands, re-direct to other sites, inclusion of files, loss of data
     • Out of date versions:
       – PHP
       – Apache
       – Drupal
       – WordPress
       – Joomla
  22. Common Issues We See (2/3)
     • Configuration
       – SSLv2, SSLv3 should be disabled, use TLS
         • https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
         • https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-poodle-sslv3-vulnerability
       – Self-signed certificates
         • Get one at no cost from cert.tamu.edu
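The SSLv2/SSLv3 point on slide 22 is something a maintainer can check mechanically rather than by eye. The script below is an added example, not code from the presentation: it evaluates Apache mod_ssl `SSLProtocol` directives the way mod_ssl processes them (tokens left to right from an empty set; `+proto` or a bare `proto` adds, `-proto` removes, `all` expands to every supported protocol) and reports config lines that still leave SSLv2 or SSLv3 enabled. The protocol set behind `all` is an assumption for a 2014-era build; builds against newer OpenSSL have dropped SSLv2 (and often SSLv3) altogether.

```python
# Added example: audit Apache mod_ssl "SSLProtocol" directives for SSLv2/SSLv3.
# Not part of the presentation; the directive semantics follow mod_ssl's documented behaviour.
import re

# Assumption: the protocols a 2014-era mod_ssl/OpenSSL build means by the keyword "all".
# Builds against newer OpenSSL no longer include SSLv2 (and often SSLv3) at all.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
_CANON = {p.lower(): p for p in ALL_PROTOCOLS}   # mod_ssl matches names case-insensitively


def enabled_protocols(directive):
    """Return the set of protocols an SSLProtocol directive leaves enabled.

    Tokens are processed left to right starting from an empty set:
    "+proto" or a bare "proto" adds it, "-proto" removes it, and "all"
    stands for every protocol in ALL_PROTOCOLS.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive: %r" % directive)
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[:1] in ("+", "-") else ("+", tok)
        if name.lower() == "all":
            protos = set(ALL_PROTOCOLS)
        elif name.lower() in _CANON:
            protos = {_CANON[name.lower()]}
        else:
            raise ValueError("unknown protocol name %r in %r" % (name, directive))
        if sign == "+":
            enabled |= protos
        else:
            enabled -= protos
    return enabled


def weak_protocols_enabled(directive):
    """Sorted list of weak protocols the directive still permits (empty list = good)."""
    return sorted(enabled_protocols(directive) & WEAK_PROTOCOLS)


def audit_config(config_text):
    """Report every active SSLProtocol line in an httpd config snippet that still
    allows SSLv2 or SSLv3, as (line number, directive, weak protocols)."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue                      # blank or commented out
        if re.match(r"sslprotocol\b", stripped, re.IGNORECASE):
            weak = weak_protocols_enabled(stripped)
            if weak:
                findings.append((lineno, stripped, weak))
    return findings


# Constructed sample configs: the permissive setting beside the hardened one.
WEAK_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
</VirtualHost>
"""

HARDENED_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    # POODLE: disable SSLv3 as well as SSLv2; only TLS remains.
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg))
```

Running it prints one finding for the weak config (line 3 still allows SSLv2 and SSLv3) and none for the hardened one. Because mod_ssl evaluates tokens in order, `-all +SSLv3` re-enables SSLv3, which the checker reports as well.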
  23. Common Issues We See (3/3)
     • Configuration
       – Forums not locked down
       – WordPress default configuration allows someone to create their own blog
     • See owasp.org “top 10” list of problems (Open Web Application Security Project)
     • Doing research, we found many of the “top 10” problems from 2006 were same as today
  24. OWASP Top 10 problems from 2006
     • Unvalidated input
     • Broken access control
     • Broken authentication and session management
     • Cross-site scripting (XSS)
     • Buffer overflows
     • Injection flaws (shell commands and sql)
     • Improper error handling
     • Insecure storage
     • Denial of service
     • Insecure configuration management
  25. OWASP Top 10 problems from 2013
     • Injection
     • Broken authentication and session management
     • Cross-site scripting (XSS)
     • Insecure direct object references
     • Security misconfiguration
     • Sensitive data exposure
     • Missing function level access control
     • Cross-site request forgery
     • Using components with known vulnerabilities
     • Unvalidated redirects and forwards
  26. Outline
     • What is a web server compromise?
     • Background - who participates in campus process?
       – Typical steps to launch web server on campus
     • How can we prevent compromise?
     • How can we detect it?
     • What do we do if compromised?
     • Additional resources
  27. How Can We Prevent Compromise? (1/2)
     • Vulnerability scans
     • Keep up-to-date with software, patches
     • Secunia Corporate Software Inspector
     • Back up your content
     • Code review – sanitize input
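Slide 27’s “code review – sanitize input” bullet, applied to the kind of request slide 47 shows (`file=../../../../etc/motd`). This Python snippet is an added example, not code from the presentation: it places the vulnerable pattern (a request parameter joined onto a directory unchanged) beside a hardened version that allow-lists the file name and then confirms the normalized path still lies under the document root. The document root `/srv/www/files` is an assumed value.

```python
# Added example (not from the presentation): sanitizing a user-supplied file name.
import posixpath
import re

DOC_ROOT = "/srv/www/files"   # assumption: the only directory the script may serve

# Allow-list: a plain file name, optional extension; no slashes, no "..", no control characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")


def resolve_file_unsafe(param):
    """Vulnerable pattern: the request parameter is joined onto the root unchanged,
    so "../../../../etc/motd" walks out of DOC_ROOT."""
    return posixpath.normpath(posixpath.join(DOC_ROOT, param))


def resolve_file_safe(param):
    """Hardened version: reject anything outside the allow-list, then verify that
    the normalized path is still under DOC_ROOT (defense in depth)."""
    if not SAFE_NAME.fullmatch(param):
        raise ValueError("rejected file name: %r" % param)
    full = posixpath.normpath(posixpath.join(DOC_ROOT, param))
    if posixpath.commonpath([DOC_ROOT, full]) != DOC_ROOT:
        raise ValueError("path escapes document root: %r" % param)
    return full


def is_rejected(param):
    """Yes/no wrapper around resolve_file_safe for callers that only need the verdict."""
    try:
        resolve_file_safe(param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    probe = "../../../../etc/motd"                 # the request shown on slide 47
    print("unsafe:", resolve_file_unsafe(probe))    # /etc/motd
    print("safe  :", is_rejected(probe))            # True
    print("safe  :", resolve_file_safe("motd.txt")) # /srv/www/files/motd.txt
```

The allow-list does the real work; the `commonpath` check is a second line of defense so that a later change to the pattern (say, permitting a subdirectory) still cannot reach outside the root.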
  28. Prevention (2/2)
     • Microsoft Baseline Security Analyzer (Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP)
     • Antivirus
     • Be careful what you install
       – Toolbars – source of spyware
       – Cnet.com – often software comes pre-installed with undesirable add-ons
  29. Outline
     • What is a web server compromise?
     • Background - who participates in campus process?
       – Typical steps to launch web server on campus
     • How can we prevent compromise?
     • How can we detect it?
     • What do we do if compromised?
     • Additional resources
  30. How Can We Detect It?
     • In-house tools (IDS)
  31. Notices from IDS
  32. IDS, Continued
  33. IDS, Continued
  34. Analyze trends on campus (1/2)
  35. Analyze trends on campus (2/2)
  36. A note about Mudrop
     • Windows malware
     • Talks to “Mother Ship” and downloads additional files
     • Bypasses personal firewall settings
     • Affects Master Boot Record and registry
  37. A note about Zeus
     • Windows malware
     • Keylogger, can steal financial information
     • Used to install CryptoLocker ransomware
     • Hard to detect and prevent
     • Often obtained via phishing, “drive-by” downloads
  38. How Can We Detect It?
     • In-house tools (IDS)
     • Receive notices from off-campus
  39. US-CERT
  40. REN-ISAC
  41. How Can We Detect It?
     • In-house tools (IDS)
     • Receive notices from off-campus
     • Phone calls, email to president@tamu.edu
  42. How Can We Detect It?
     • In-house tools (IDS)
     • Receive notices from off-campus
     • Phone calls, email to president@tamu.edu
     • Google Webmaster Tools
  43. Google Webmaster Tools
  44. Google Webmaster Tools
     • Fetch as googlebot
     • The fetch and render mode tells Googlebot to crawl and display your page as browsers would display it to your audience. […] You can use the rendered image to detect differences between how Googlebot sees your page, and how your browser renders it.
  45. How Can We Detect It?
     • In-house tools
     • Receive notices from off-campus
     • Phone calls, email to president@tamu.edu
     • Google Webmaster Tools
     • Review log files (ours and yours)
  46. Correlating Log Files
  47. Strange Characters in Log Files
     • http://host/cgi-bin/lame.cgi?file=../../../../etc/motd
     • "%20" Requests
     • "%00" Requests
     • "|" Requests
     • http://host/cgi-bin/helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
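Slides 45 to 47 recommend reviewing log files and list the request patterns that stand out. The script below is an added example, not code from the presentation: it parses Apache common/combined access-log lines and tags each request with the indicators slide 47 names (`../` traversal, `%00`, `|`, `%20`, and an overlong parameter value). It percent-decodes the request first, so it also catches encoded variants such as `..%2f` that the slide’s plain-text example does not show. The log lines and the 256-character parameter threshold are constructed for this example.

```python
# Added example (not from the presentation): flag the "strange characters" from
# slide 47 in Apache common/combined-format access log lines.
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Apache log prefix: host ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

MAX_PARAM_LEN = 256   # assumption: longest query value a legitimate request on this site carries


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def indicators(target):
    """List the suspicious features of a request target, in a fixed order."""
    decoded = unquote(target)            # percent-decode so %2e%2e%2f and %00 become visible
    found = []
    if re.search(r"\.\./", decoded):
        found.append("traversal")        # ../ climbing out of the web root
    if "\x00" in decoded:
        found.append("nul-byte")         # %00 used to truncate file names
    if "|" in decoded:
        found.append("pipe")             # shell metacharacter inside a parameter
    if "%20" in target:
        found.append("encoded-space")    # the "%20 requests" called out on the slide
    query = urlsplit(target).query
    for _, value in parse_qsl(query, keep_blank_values=True):
        if len(value) > MAX_PARAM_LEN:
            found.append("overlong-param")   # buffer-overflow style "AAAA..." values
            break
    return found


def scan_log(lines):
    """Return (host, target, indicators) for every line with at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # not in the expected format; skip it
        flags = indicators(rec["target"])
        if flags:
            hits.append((rec["host"], rec["target"], flags))
    return hits


# Constructed sample log lines, modelled on the requests listed on slide 47.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Dec/2014:10:15:02 -0600] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.11 - - [09/Dec/2014:10:15:07 -0600] "GET /cgi-bin/lame.cgi?file=../../../../etc/motd HTTP/1.1" 200 318',
    '192.0.2.12 - - [09/Dec/2014:10:15:09 -0600] "GET /cgi-bin/lame.cgi?file=..%2f..%2f..%2fetc%2fmotd%00.html HTTP/1.1" 404 212',
    '192.0.2.13 - - [09/Dec/2014:10:15:11 -0600] "GET /cgi-bin/helloworld?type=' + "A" * 400 + ' HTTP/1.1" 500 0',
    '192.0.2.14 - - [09/Dec/2014:10:15:13 -0600] "GET /docs/Annual%20Report.pdf HTTP/1.1" 200 90210',
    '192.0.2.15 - - [09/Dec/2014:10:15:15 -0600] "GET /cgi-bin/finger?user=nobody|id HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for host, target, flags in scan_log(SAMPLE_LOG):
        print(host, ",".join(flags), target[:60])
```

On the sample, the first line is clean and the other five are each flagged with the indicator they were written to show. The `%20` rule is deliberately noisy (a file named `Annual Report.pdf` trips it, as the slide implies it would), so treat it as a prompt for a second look rather than a verdict; the traversal, NUL and pipe rules are far more specific.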
  48. Outline
     • What is a web server compromise?
     • Background - who participates in campus process?
       – Typical steps to launch web server on campus
     • How can we prevent compromise?
     • How can we detect it?
     • What do we do if compromised?
     • Additional resources
  49. What Do We Do if Compromised?
     • Please contact us if we haven’t contacted you
       – We can cross-reference and notify others
       – We contact the NIM-owner (or best guess)
     • Determine what happened
       – We may be able to help, with scans/logs, forensic service contract
     • Close firewall ports?
     • Restore content?
     • Reinstall?
  50. Outline
     • What is a web server compromise?
     • Background - who participates in campus process?
       – Typical steps to launch web server on campus
     • How can we prevent compromise?
     • How can we detect it?
     • What do we do if compromised?
     • Additional resources
  51. Additional Resources
     • us-cert.gov
     • isc.sans.org
     • owasp.org
     • Providers such as php mailing list, etc.
     • www.cgisecurity.com/papers/fingerprint-port80.txt
     • aw-snap.info
     • am-compadmin (listserv.tamu.edu)
     • tamunet (listserv.tamu.edu)