Presentazione Linux Day 2012erlug.linux.it/linuxday/2013/contrib/slides/Slide_Matteo...Matteo...

Matteo Sgalaberni, Mi hanno bucato il server, e adesso?Bologna, 2013-10-26 ERLUG: Emilia Romagna Linux Users Group – http://erlug.linux.it

LINUXDAY 2013

Mi hanno bucato il server, e adesso?Matteo Sgalaberni

Monday, October 28, 13

LINUXDAY 2013

Matteo Sgalaberni

LINUXDAY 2013

C'era una volta...

Ragazzo

Server

WebApp (PHP)

LINUXDAY 2013

Obiettivo

sicurezza reattiva

LINUXDAY 2013

Agenda

Usi e costumi

Target

Capire

Reagire

Correggere

LINUXDAY 2013

Usi e costumi

PrevenzioneSistemistiProgrammatoriProcesso

http://www.bazl.admin.ch/themen/sicherheit/00296/index.html?lang=it

ProcessoGestione sicurezza proattivaUfficio Federale Aviazione CivileSvizzera

LINUXDAY 2013

E’ STATO INSUFFICIENTESIETE STATI

SFONDATI!

LINUXDAY 2013

Metodo

CorrezioneNiente Panico

Analisi

LINUXDAY 2013

Se hai un problema, trova la causa e risolviloaltrimenti riaccadrà!

quindi se non trovi da dove sono entrati e risolvi

TI RIBUCHERANNO!

LINUXDAY 2013

Perchè proprio te?!

Rubare

Modificare

Farti un dannoforse ma...

LINUXDAY 2013

per soldi(li guadagnano loro!)

LINUXDAY 2013

Source:McAfee Threats Report: First Quarter 2012 27

Un brutto mondo!Monday, October 28, 13

LINUXDAY 2013

TI SFRUTTANO PER FARE

SpamPhishingAdvertisementVirus

MalwareData leakageDOSDDOS

LINUXDAY 2013

Target

Web Application

Account SMTP

Account FTP

Rete LAN

LINUXDAY 2013

Ma mi hanno bucato?! Come me ne accorgo?!

RetePostaSito Web

Alertes. Nagios/ZimbraAbuse notificationBlacklist

IPSIDSFirewall CONOSCENZA!

Server non rispondeSito lentoTimeout servizi

LINUXDAY 2013

BRUTTO?!

LINUXDAY 2013

server:~# ps afx|grep apache2|wc -l593

BRUTTO?!

LINUXDAY 2013

server:~# /var/qmail/bin/qmail-qstatmessages in queue: 5963messages in queue but not yet preprocessed: 623

BRUTTO?!

LINUXDAY 2013

DIPENDE

Conoscenza

Normalità

Confronto (Analisi del delta)

LINUXDAY 2013

ma come si manifesta ilvero

MALE!?

LINUXDAY 2013

Un bel giorno sul server di Daniele

SMTP: CRITICAL - Socket timeout after 10 secondsPOP3: CRITICAL - Socket timeout after 10 secondsHTTP: CRITICAL - Socket timeout after 10 seconds

DAAA DAAAA DAAA DAAA DAAA!

LINUXDAY 2013

Ma da dove sono “entrati”?!

FTPSMTPWeb App / PHP

LINUXDAY 2013

FTP?!?!?SMTP?!?

passwordMonday, October 28, 13

LINUXDAY 2013

Web AppWordpressJoomlaPlugins

File upload validation

Remote file execution

<?php if (isset( $_GET['COLOR'] ) ){ include( $_GET['COLOR'] . '.php' ); }?>

http://en.wikipedia.org/wiki/File_inclusion_vulnerabilityhttps://www.owasp.org/index.php/Unrestricted_File_Upload

Attacks on application platform

Upload .jsp file into web tree - jsp code executed as web user

Upload .gif to be resized - image library flaw exploited

Upload huge files - file space denial of service

Upload file using malicious path or name - overwrite critical file

Upload file containing personal data - other users access it

Upload file containing "tags" - tags get executed as part of being "included" in a web page

PHP shellPHP backdoorHTML/JS infected

LINUXDAY 2013

Informazioni: ma dove sono?!

Semplice!

LogFile Creati

Timestamp

LINUXDAY 2013

find -ctime 0stat files...less filesgrep

Nuovi fileFile con nomi “strani”File con contenuti “strani”eval(base64_decode($_REQUEST['comment'])));JS offuscato/incomprensibile

TRUCCO

LINUXDAY 2013

php shit

LINUXDAY 2013

28Monday, October 28, 13

LINUXDAY 2013

~/$ clamscan newsp15.php newsp15.php: PHP.Trojan.Spambot FOUND

----------- SCAN SUMMARY -----------Known viruses: 2424225Engine version: 0.97.7Scanned directories: 0Scanned files: 1Infected files: 1Data scanned: 0.00 MBData read: 0.00 MB (ratio 1.00:1)Time: 4.204 sec (0 m 4 s)

LINUXDAY 2013

JS shit

LINUXDAY 2013

FTPPHP shell

PHP backdoor

HTML with infected javascript

perl in CGI-BIN

LINUXDAY 2013

54.244.119.54 - - [07/Oct/2013:17:00:30 +0200] "POST /listN3A.php HTTP/1.1" 200 717 "-" "-"

stat /httpdocs_bucato/listN3A.phpFile: `listN3A.php'Size: 7325 Blocks: 16 IO Block: 4096 regular fileDevice: 808h/2056dInode: 10928437 Links: 1Access: (0644/-rw-r--r--) Uid: (10669/fsfsadfd) Gid: ( 2524/ psacln)Access: 2013-10-07 16:18:07.000000000 +0200Modify: 2013-10-04 11:19:06.000000000 +0200Change: 2013-10-04 11:19:06.000000000 +0200

LINUXDAY 2013

zgrep listN3A.php xferlog*xferlog.processed:Fri Oct 4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r o sito1 ftp 0 * c

sesedefdfs:/opt/psa/var/log# grep 37.139.47.33 xferlog*xferlog.processed:Tue Oct 1 12:39:35 2013 0 37.139.47.33 7325 /var/www/vhosts/sito2.it/httpdocs/newsp15.php b _ i r sito1 ftp 0 * cxferlog.processed:Thu Oct 3 12:00:08 2013 0 37.139.47.33 2005 /var/www/vhosts/sito2.it/httpdocs/.htaccess b _ d r sito1 ftp 0 * cxferlog.processed:Thu Oct 3 12:00:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1 ftp 0 * cxferlog.processed:Thu Oct 3 12:00:09 2013 0 37.139.47.33 400 /var/www/vhosts/sito2.it/httpdocs/aLlSMF.html b _ i r sito1 ftp 0 * cxferlog.processed:Fri Oct 4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r sito2 ftp 0 * cxferlog.processed:Sun Oct 6 12:19:54 2013 0 37.139.47.33 136 /var/www/vhosts/sito1.it/httpdocs/.htaccess b _ d r sito2 ftp 0 * cxferlog.processed:Sun Oct 6 12:19:55 2013 0 37.139.47.33 378 /var/www/vhosts/sito1.it/httpdocs/rTLsk.html b _ i r sito2 ftp 0 * cxferlog.processed:Sun Oct 6 12:19:56 2013 0 37.139.47.33 395 /var/www/vhosts/sito1.it/httpdocs/aTLsk.html b _ i r sito2 ftp 0 * cxferlog.processed:Sun Oct 6 12:34:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1

LINUXDAY 2013

<html><head> <meta http-equiv="refresh" content="2; url=http://thespeedshop.ca/robotsfR6w/bar/index.html"></head><body><h1>Loading...</h1></body>

Ma cosa c’era in quel file?!?

LINUXDAY 2013

35Monday, October 28, 13

LINUXDAY 2013

server:~# /var/qmail/bin/qmail-qstatmessages in queue: 5963messages in queue but not yet preprocessed: 623Received: (qmail 3931 invoked by uid 33); 22 Oct 2013 11:55:22 +0200Date: 22 Oct 2013 11:55:20 +0200Message-ID: <20131022095520.3906.qmail@server999>To: thompx4@comcast.netSubject: Voice Message NotificationFrom: "WhatsApp Messaging Service" <service@dominiodelcliente.it>X-PHP-Originating-Script: 10035:infoKSw.phpX-Mailer: Oudmlr(ver.3.4)Reply-To: "WhatsApp Messaging Service" <service@dominiodelcliente.it>Mime-Version: 1.0Content-Type: multipart/alternative;boundary="----------138243572052664B8811717"

http://php.net/manual/en/mail.configuration.php

LINUXDAY 2013

server:~# /var/qmail/bin/qmail-qstatmessages in queue: 5963messages in queue but not yet preprocessed: 623

Received: (qmail 11447 invoked from network); 21 Oct 2013 10:24:11 +0200Received: from hostbruttorusso.ru (HELO UserHP) (99.99.99.99) by mioserver.it with ESMTPA; 21 Oct 2013 10:24:09 +0200Return-Receipt-To: "Monica" <monica@dominiodelcliente.it>From: "Monica" <monica@dominiodelcliente.it>To: <aaaaaa@destinatario.it>Subject: I: RQST FATTURADate: Mon, 21 Oct 2013 10:24:10 +0200MIME-Version: 1.0Content-Type: multipart/related; boundary="----=_NextPart_000_004B_01CECE47"X-Mailer: Microsoft Office Outlook 11

Oct 25 12:37:08 server6 smtp_auth: SMTP user luisa@dominiocliente.it : logged in from hostbruttorusso.ru [99.99.99.99]

LINUXDAY 2013

Identifico le caselle compromesse

Cambio le password

Iptables ip logged in

Cancello le email dalla coda

Risposta ad un accesso SMTP

LINUXDAY 2013

Un bel giorno sul server di Daniele

5671 ? S 0:00 \_ /usr/sbin/apache2 -k start 5672 ? S 0:00 \_ /usr/sbin/apache2 -k start 5673 ? S 0:00 \_ /usr/sbin/apache2 -k start 5674 ? S 0:00 \_ /usr/sbin/apache2 -k start 20388 ? S 0:00 couriertls -localfd=4 -tcpd -server 6159 ? S 0:00 couriertls -localfd=4 -tcpd -server 6908 ? S 0:00 couriertls -localfd=4 -tcpd -server16593 ? S 0:00 couriertls -localfd=4 -tcpd -server17308 ? S 0:00 couriertls -localfd=4 -tcpd -server 9631 ? S 0:00 perl udpflood.pl 9632 ? S 0:00 perl udpflood.pl 9633 ? S 0:00 perl udpflood.pl 9634 ? S 0:00 perl udpflood.pl 9635 ? S 0:00 perl udpflood.pl 9636 ? S 0:00 perl udpflood.pl 4626 ? SN 0:00 /usr/sbin/zabbix_agentd 4671 ? SN 28:24 \_ /usr/sbin/zabbix_agentd 4672 ? SN 0:00 \_ /usr/sbin/zabbix_agentd 4673 ? SN 0:00 \_ /usr/sbin/zabbix_agentd

5638 ? S 0:00 \_ /usr/sbin/apache2 -k start 5655 ? S 0:00 \_ /usr/sbin/apache2 -k start 5662 ? S 0:00 \_ /usr/sbin/apache2 -k start 5671 ? S 0:00 \_ /usr/sbin/apache2 -k start 5672 ? S 0:00 \_ /usr/sbin/apache2 -k start 5673 ? S 0:00 \_ /usr/sbin/apache2 -k start 5674 ? S 0:00 \_ /usr/sbin/apache2 -k start 4292 ? S 0:21 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config 4587 ? Ss 0:02 drwebd.real 4588 ? S 1:10 \_ drwebd.real 4589 ? S 1:14 \_ drwebd.real 4590 ? S 1:10 \_ drwebd.real 4591 ? S 1:07 \_ drwebd.real 9631 ? S 0:00 /usr/sbin/apache2 -k start 4626 ? SN 0:00 /usr/sbin/zabbix_agentd 4671 ? SN 28:24 \_ /usr/sbin/zabbix_agentd 4672 ? SN 0:00 \_ /usr/sbin/zabbix_agentd 4673 ? SN 0:00 \_ /usr/sbin/zabbix_agentd

LINUXDAY 2013

Un bel giorno sul server di Marco

LINUXDAY 2013

Mani in alto!#!/bin/bashecho -n "starting collecting data..."dateTMPFILE=`tempfile`netstat -tanp >>$TMPFILElsof -n >>$TMPFILEps afx >>$TMPFILEstat /tmp/* >>$TMPFILEbzip2 $TMPFILEecho -n "ending collecting data..."dateecho "Trace salvato in :" ${TMPFILE}.bz2exit 0

perl 32373 www-data 509w REG 254,2 0 170 /tmp/sess_e96a2502073e0061e5f88a9ca9bc3dab

Data collecting

Trigger - iptables log

Trigger - swatch

LINUXDAY 2013

/etc/php5/apache2/php.iniallow_url_fopen = Offdisable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,parse_ini_file,show_source"

MA ALMENO QUESTO FATELO

LINUXDAY 2013

E se non lo becco?!

tcpdump -s0 -w -C <maxsize> -W <maxcountfile> tcpslicewiresharkngrep (live gathering)

LINUXDAY 2013

Strumentitopps afxlsof -p [PID]netstat -tanpstatfind -ctime 0

lastnetstat -tanpchkrootkitrkhunterclamavwireshark

Intelligenza!

Conoscenza!

LINUXDAY 2013

ALLORAanalisipuliziacorrezionecontrollo

LINUXDAY 2013

GRAZIE PER L'ATTENZIONE

Le slides e le riprese audio/videodell'intervento saranno disponibili su:

http://erlug.linux.it/linuxday/2013/

Presentazione Linux Day 2012erlug.linux.it/linuxday/2013/contrib/slides/Slide_Matteo...Matteo...

Documents

Transcript of Presentazione Linux Day 2012erlug.linux.it/linuxday/2013/contrib/slides/Slide_Matteo...Matteo...

LinuxDay 2013lightstorage.ecodibergamo.it/media/attach/2013/10/ProgrammaLD13… · -,(*. 1/-"(,(-#$* -+2,$#( $/& +- 00$00-/ 1- ** 01/26(-,$ .-/1 $+.-*(!$/-$ -*(1("'$ (-3 ,(*(LinuxDay

Sviluppo Android (LinuxDay TO 2010)

GNU/Linux Kernel Module Programmingerlug.linux.it/linuxday/2006/contrib/rubino.pdf · Moduli – Cosa sono Codice che può essere caricato e rimosso dinamicamente Si possono pensare

Mister Clean - Bucato

LinuxDay 2009 - Quali programmi?

Un CMS per la scuola - linuxday 2010

e-learning @ scuolaerlug.linux.it/linuxday/2006/contrib/ragno.pdfdidattica “open source” in molti casi docenti che studiano queste tecnologie e innovano le pratiche didattiche

Linuxday at OpenLabs - Milano

Linux e il mondo della scuola - LinuxDay 2010 (Pistoia)

Linuxday 2011 - Baslug - Zeno

Roma linuxday 2013 - nodejs

Virtualizzazione con KVM su sistemi operativi Ubuntuerlug.linux.it/linuxday/2008/contrib/7_stablum_virtualiz... · 2008-10-27 · 3 Vantaggi: scalabilità Possono essere in esecuzione

Ing. Davide Bolcionierlug.linux.it/linuxday/2005/contrib/bolcioni.pdf · Strumenti – Eclipse (1) Soluzione immediata per Accesso a CVS Rudimentale sviluppo Java (creazione .jar)

LinuxDay 2005: Computer Virus e rilevamento

Catalogo Raro - Il tuo bucato

MIGRAZIONE AL SOFTWARE LIBERO IN UNA …erlug.linux.it/linuxday/2007/contrib/4_volta_linux_day...MIGRAZIONE AL SOFTWARE LIBERO IN UNA SCUOLA UNA SCELTA VINCENTE Bologna 27/102007 L'ESPERIENZA

Linuxday 2009: Introduzione al Software Libero

Uno strumento non per tuttoerlug.linux.it/linuxday/2012/contrib/ronchi_boschetti... · 2013-01-08 · Groupware incluso in Zentyal, ofre funzioni molto simili a Google Apps ed è

Programmazione Android per esseri umanierlug.linux.it/linuxday/2013/contrib/slides/... · Qpython: python for Android. Roberto Bettazzoni, Programmazione Android per esseri umani.

LinuxDay 2012: introduzione al Raspberry Pi

LinuxDay 2013lightstorage.ecodibergamo.it/media/attach/2013/10/ProgrammaLD13… · -,(. 1/-"(,(-#$ -+2,$#( $/& +- 00$00-/ 1- ** 01/26(-,$ .-/1 $+.-(!$/-$ -(1("'$ (-3 ,(*(LinuxDay