Download to read offline
![Spam Classified by Category
MessageLabs Intelligence - February 2010]](https://image.slidesharecdn.com/uweb-website-security-141210091500-conversion-gate02/75/Uweb-Meeting-Presentation-Website-Exploits-10-2048.jpg)
![Google Webmaster Tools
• Fetch as googlebot
• The fetch and render mode tells Googlebot to
crawl and display your page as browsers
would display it to your audience. […] You can
use the rendered image to detect differences
between how Googlebot sees your page, and
how your browser renders it.](https://image.slidesharecdn.com/uweb-website-security-141210091500-conversion-gate02/75/Uweb-Meeting-Presentation-Website-Exploits-44-2048.jpg)
More Related Content
Similar to Uweb Meeting Presentation - Website Exploits
Uweb Meeting Presentation - Website Exploits
- 1. Web Server Compromises Ellen Mitchell, CISSP 12/09/2014
- 2. Outline • Whatis a web server compromise? • Background - who participates in campus process (open web server, respond)? – Typical steps to launch web server on campus • How can we prevent compromise? • How can we detect it? • What do we do if compromised? • Additional resources
- 3. What is aWeb Server Compromise? • Defacement • Pharmacy Spam (viagra, cialis)
- 4. Defacement • Defacementis a type of vandalism that involves damaging the appearance or surface of something.
- 5. Added to www.tamu.edu(in 2005)
- 6.
- 7.
- 8. Another defacement example– (this also has sound)
- 9. Pharmacy Spam •Malicious code injected on legitimate but compromised sites • There is also a twist – referer links, user agents, etc. can prevent admins from discovering this easily
- 10. Spam Classified byCategory MessageLabs Intelligence - February 2010]
- 11.
- 12.
- 13.
- 14. Outline • Whatis a web server compromise? • Background - who participates in campus process? – Typical steps to launch web server on campus • How can we prevent compromise? • How can we detect it? • What do we do if compromised? • Additional resources
- 15. Participants? • Host“owners” as recorded in “NIM”
- 16. Participants? • Host“owners” as recorded in “NIM” – “Liaisons” on behalf of a professor/customer – Web server maintainers (the “mechanic”) – Web content managers (the “driver”) – From student workers -> professional IT staff • Security team • Your web audience
- 17. Participants? • Host“owners” as recorded in “NIM” – “Liaisons” on behalf of a professor/customer – Web server maintainers (the “mechanic”) – Web content managers (the “driver”) – From student workers -> professional IT staff • Security team • Your web audience
- 18. Typical Process toLaunch Web Server • Contact Security Team – [email protected] • Vulnerability Scan – Self-service: scan.tamu.edu or – We’ll scan for you
- 19.
- 20. Typical Process toLaunch Web Server • Contact Security Team • Vulnerability Scan – Self-service: scan.tamu.edu or – We’ll scan for you • Fix any problems • Port(s) are opened on the campus firewall
- 21. Common Issues WeSee (1/3) • Software can permit execution of arbitrary commands, re-direct to other sites, inclusion of files, loss of data • Out of date versions: – PHP – Apache – Drupal – WordPress – Joomla
- 22. Common Issues WeSee (2/3) • Configuration – SSLv2, SSLv3 should be disabled, use TLS • https://www.sslshopper.com/article-how-to-disable-ssl- 2.0-in-iis-7.html • https://www.digitalocean.com/community/tutorials/ho w-to-protect-your-server-against-the-poodle-sslv3- vulnerability – Self-signed certificates • Get one at no cost from cert.tamu.edu
- 23. Common Issues WeSee (3/3) • Configuration – Forums not locked down – WordPress default configuration allows someone to create their own blog • See owasp.org “top 10” list of problems (Open Web Application Security Project) • Doing research, we found many of the “top 10” problems from 2006 were same as today
- 24. OWASP Top 10problems from 2006 • Unvalidated input • Broken access control • Broken authentication and session management • Cross-site scripting (XSS) • Buffer overflows • Injection flaws (shell commands and sql) • Improper error handling • Insecure storage • Denial of service • Insecure configuration management
- 25. OWASP Top 10problems from 2013 • Injection • Broken authentication and session management • Cross-site scripting (XSS) • Insecure direct object references • Security misconfiguration • Sensitive data exposure • Missing function level access control • Cross-site request forgery • Using components with known vulnerabilities • Unvalidated redirects and forwards
- 26. Outline • Whatis a web server compromise? • Background - who participates in campus process? – Typical steps to launch web server on campus • How can we prevent compromise? • How can we detect it? • What do we do if compromised? • Additional resources
- 27. How Can WePrevent Compromise? (1/2) • Vulnerability scans • Keep up-to-date with software, patches • Secunia Corporate Software Inspector • Back up your content • Code review – sanitize input
- 28. Prevention (2/2) •Microsoft Baseline Security Analyzer (Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Vista, Windows XP) • Antivirus • Be careful what you install – Toolbars – source of spyware – Cnet.com – often software comes pre-installed with undesirable add-ons
- 29. Outline • Whatis a web server compromise? • Background - who participates in campus process? – Typical steps to launch web server on campus • How can we prevent compromise? • How can we detect it? • What do we do if compromised? • Additional resources
- 30. How Can WeDetect It? • In-house tools (IDS)
- 31.
- 32.
- 33.
- 34. Analyze trends oncampus (1/2)
- 35. Analyze trends oncampus (2/2)
- 36. A note aboutMudrop • Windows malware • Talks to “Mother Ship” and downloads additional files • Bypasses personal firewall settings • Affects Master Boot Record and registry
- 37. A note aboutZeus • Windows malware • Keylogger, can steal financial information • Used to install CryptoLocker ransomware • Hard to detect and prevent • Often obtained via phishing, “drive-by” downloads
- 38. How Can WeDetect It? • In-house tools (IDS) • Receive notices from off-campus
- 39.
- 40.
- 41. How Can WeDetect It? • In-house tools (IDS) • Receive notices from off-campus • Phone calls, email to [email protected]
- 42. How Can WeDetect It? • In-house tools (IDS) • Receive notices from off-campus • Phone calls, email to [email protected] • Google Webmaster Tools
- 43.
- 44. Google Webmaster Tools • Fetch as googlebot • The fetch and render mode tells Googlebot to crawl and display your page as browsers would display it to your audience. […] You can use the rendered image to detect differences between how Googlebot sees your page, and how your browser renders it.
- 45. How Can WeDetect It? • In-house tools • Receive notices from off-campus • Phone calls, email to [email protected] • Google Webmaster Tools • Review log files (ours and yours)
- 46.
- 47. Strange Characters inLog Files • http://host/cgi-bin/lame.cgi?file=../../../../etc/motd • "%20" Requests • "%00" Requests • "|" Requests • http://host/cgi-bin/ helloworld?type=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAA
- 48. Outline • Whatis a web server compromise? • Background - who participates in campus process? – Typical steps to launch web server on campus • How can we prevent compromise? • How can we detect it? • What do we do if compromised? • Additional resources
- 49. What Do WeDo if Compromised? • Please contact us if we haven’t contacted you – We can cross-reference and notify others – We contact the NIM-owner (or best guess) • Determine what happened – We may be able to help, with scans/logs, forensic service contract • Close firewall ports? • Restore content? • Reinstall?
- 50. Outline • Whatis a web server compromise? • Background - who participates in campus process? – Typical steps to launch web server on campus • How can we prevent compromise? • How can we detect it? • What do we do if compromised? • Additional resources
- 51. Additional Resources •us-cert.gov • isc.sans.org • owasp.org • Providers such as php mailing list, etc. • www.cgisecurity.com/papers/fingerprint-port80. txt • aw-snap.info • am-compadmin (listserv.tamu.edu) • tamunet (listserv.tamu.edu)