Matteo Sgalaberni, "Mi hanno bucato il server, e adesso?" (They hacked my server, now what?), Bologna, 2013-10-26. ERLUG: Emilia Romagna Linux Users Group – http://erlug.linux.it
LINUXDAY 2013

Slide 1
They hacked my server, now what?
Matteo Sgalaberni
ERLUG
Monday, October 28, 13

Slide 2
Matteo Sgalaberni

Slide 3: Once upon a time...
A guy
A server
A web app (PHP)

Slide 4: Goal
Reactive security

Slide 5: Agenda
Habits and customs
Targets
Understand
React
Fix

Slide 6: Habits and customs
Prevention: sysadmins, programmers, process
Process: proactive security management (Swiss Federal Office of Civil Aviation)
http://www.bazl.admin.ch/themen/sicherheit/00296/index.html?lang=it

Slide 7
IT WASN'T ENOUGH: YOU HAVE BEEN BREACHED!

Slide 8: Method
Don't panic
Analysis
Fix

Slide 9
If you have a problem, find the cause and fix it, otherwise it will happen again!
So if you don't find where they got in and fix it,
THEY WILL HACK YOU AGAIN!

Slide 10: Why you, of all people?!
To steal
To modify
To hurt you... maybe, but...

Slide 11
For money (they are the ones making it!)

Slide 12: An ugly world!
[chart] Source: McAfee Threats Report: First Quarter 2012, p. 27

Slide 13: THEY USE YOU FOR
Spam, phishing, advertisement, viruses, malware, data leakage, DoS, DDoS

Slide 14: Targets
Web applications
SMTP accounts
FTP accounts
The LAN

Slide 15: But have they hacked me?! How do I notice?!
Network, mail, website
Alerts (e.g. Nagios/Zimbra), abuse notifications, blacklists
IPS, IDS, firewall, and above all KNOWLEDGE of your own systems!
Server not responding, slow site, service timeouts

Slide 16
BAD?!

Slide 17: BAD?!
server:~# ps afx | grep apache2 | wc -l
593

Slide 18: BAD?!
server:~# /var/qmail/bin/qmail-qstat
messages in queue: 5963
messages in queue but not yet preprocessed: 623

Slide 19: IT DEPENDS
Knowledge
Normality (what the box looks like when it is healthy)
Comparison (delta analysis against that baseline)

Slide 20
But how does the real EVIL show itself!?

Slide 21: One fine day on Daniele's server
SMTP: CRITICAL - Socket timeout after 10 seconds
POP3: CRITICAL - Socket timeout after 10 seconds
HTTP: CRITICAL - Socket timeout after 10 seconds
DAAA DAAAA DAAA DAAA DAAA!

Slide 22: But where did they "get in"?!
FTP
SMTP
Web app / PHP

Slide 23: FTP?!?!? SMTP?!?
The password.

Slide 24: Web app
WordPress, Joomla, plugins
File upload validation
File inclusion (local/remote)

    <?php
    // The classic file inclusion bug from the Wikipedia article linked
    // below: the COLOR parameter goes into include() unchecked, so the
    // caller picks which file (or, if remote includes are enabled, which
    // URL) gets executed. The fix is an allow-list that maps the parameter
    // to a fixed set of file names, not string sanitising.
    if (isset($_GET['COLOR'])) {
        include($_GET['COLOR'] . '.php');
    }
    ?>

http://en.wikipedia.org/wiki/File_inclusion_vulnerability
https://www.owasp.org/index.php/Unrestricted_File_Upload
Attacks on the application platform (from the OWASP page above):
Upload .jsp file into web tree - jsp code executed as web user
Upload .gif to be resized - image library flaw exploited
Upload huge files - file space denial of service
Upload file using malicious path or name - overwrite critical file
Upload file containing personal data - other users access it
Upload file containing "tags" - tags get executed as part of being "included" in a web page
What you end up with: a PHP shell, a PHP backdoor, infected HTML/JS

Slide 25: Information: where is it?!
Simple!
Logs
Files that were created
Timestamps

Slide 26: THE TRICK
find -ctime 0
stat the files...
less the files
grep
Look for: new files; files with "strange" names; files with "strange" content, e.g. eval(base64_decode($_REQUEST['comment'])); obfuscated/unreadable JS
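The two checks on this slide, "changed recently" and "strange content", combined into one triage script. This is an added example, not code from the talk: the pattern list is an assumption made here (a starting point, not a signature set, so expect false positives and read every hit), the sample web root is constructed inside the script so it runs offline, and `-cmin` replaces the slide's `find -ctime 0` so the window can be given in hours. ctime rather than mtime on purpose: an attacker can reset mtime with touch to blend in with the rest of the site, but ctime cannot be set from userland.

```shell
#!/bin/sh
# Added example (not from the talk): hunt a web root for files dropped by
# an attacker, using inode change time plus content patterns. The PATTERNS
# list is an assumption for this example, a triage list rather than a
# signature set.

# Tell-tales of PHP backdoors (eval of a decoded blob, code taken straight
# from the request) and of the meta-refresh redirect pages from the FTP case.
PATTERNS='eval\((base64_decode|gzinflate|gzuncompress|str_rot13)|\$_REQUEST\[|assert\(\$_|preg_replace\(.*/e|http-equiv="?refresh'

# hunt_webroot WEBROOT HOURS
# Files under WEBROOT whose inode changed less than HOURS hours ago
# (default 24) and that match PATTERNS. One path per line, sorted.
# -cmin (minutes) rather than -ctime (days) so the window is exact.
hunt_webroot() {
    find "$1" -type f -cmin -$(( ${2:-24} * 60 )) \
        -exec grep -l -E -- "$PATTERNS" {} + 2>/dev/null | sort
}

# long_line_files WEBROOT MAXLEN
# Obfuscated JS/PHP is usually one enormous line: list script files that
# contain any line longer than MAXLEN characters (default 2000).
long_line_files() {
    find "$1" -type f \( -name '*.js' -o -name '*.php' -o -name '*.html' \) \
        -exec awk -v max="${2:-2000}" 'length($0) > max { print FILENAME; exit }' {} \; | sort
}

# make_fixture: a constructed throwaway web root so the example runs offline:
# one clean file, one backdoor, one redirect page, one single-line JS blob.
# Prints the directory path.
make_fixture() {
    d=$(mktemp -d)
    printf '<?php echo "hello";\n' > "$d/index.php"
    printf '<?php eval(base64_decode($_REQUEST["comment"]));\n' > "$d/shell.php"
    printf '<html><head><meta http-equiv="refresh" content="2; url=http://example.invalid/"></head></html>\n' > "$d/rLlSMF.html"
    awk 'BEGIN { printf "var _0x="; for (i = 0; i < 600; i++) printf "\\x%02x", 65 + i % 26; print ";" }' > "$d/ugly.js"
    printf '%s\n' "$d"
}

# Stand-alone demo: sh hunt.sh --demo
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    echo "== changed in the last 24h and suspicious:"; hunt_webroot "$root" 24
    echo "== very long lines:";                        long_line_files "$root" 2000
    rm -rf "$root"
fi
```

On a real box run `hunt_webroot /var/www/vhosts 48` right after the alert, then `stat` every hit: the Change time is what you will look for in the FTP and web logs next.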

Slide 27: PHP junk

Slide 29: ClamAV recognises the uploaded file
~/$ clamscan newsp15.php
newsp15.php: PHP.Trojan.Spambot FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2424225
Engine version: 0.97.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 1.00:1)
Time: 4.204 sec (0 m 4 s)

Slide 30: JS junk

Slide 31: FTP
What gets uploaded through a stolen FTP account:
PHP shell
PHP backdoor
HTML with infected JavaScript
Perl in cgi-bin

Slide 32
The web server access log shows the backdoor being driven (POST, no referer, no user agent):
54.244.119.54 - - [07/Oct/2013:17:00:30 +0200] "POST /listN3A.php HTTP/1.1" 200 717 "-" "-"

stat /httpdocs_bucato/listN3A.php
  File: `listN3A.php'
  Size: 7325        Blocks: 16         IO Block: 4096   regular file
Device: 808h/2056d  Inode: 10928437   Links: 1
Access: (0644/-rw-r--r--)  Uid: (10669/fsfsadfd)   Gid: ( 2524/ psacln)
Access: 2013-10-07 16:18:07.000000000 +0200
Modify: 2013-10-04 11:19:06.000000000 +0200
Change: 2013-10-04 11:19:06.000000000 +0200

Modify and Change give the moment the file landed on disk, 2013-10-04 11:19:06: that is the timestamp to search for in the FTP log.

Slide 33
zgrep listN3A.php xferlog*
xferlog.processed:Fri Oct 4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r o sito1 ftp 0 * c

Same second as the file's Modify/Change time, and now an uploading IP. Pivot on the IP to see everything it did (xferlog direction flag: i = upload, d = delete):
sesedefdfs:/opt/psa/var/log# grep 37.139.47.33 xferlog*
xferlog.processed:Tue Oct 1 12:39:35 2013 0 37.139.47.33 7325 /var/www/vhosts/sito2.it/httpdocs/newsp15.php b _ i r sito1 ftp 0 * c
xferlog.processed:Thu Oct 3 12:00:08 2013 0 37.139.47.33 2005 /var/www/vhosts/sito2.it/httpdocs/.htaccess b _ d r sito1 ftp 0 * c
xferlog.processed:Thu Oct 3 12:00:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1 ftp 0 * c
xferlog.processed:Thu Oct 3 12:00:09 2013 0 37.139.47.33 400 /var/www/vhosts/sito2.it/httpdocs/aLlSMF.html b _ i r sito1 ftp 0 * c
xferlog.processed:Fri Oct 4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:19:54 2013 0 37.139.47.33 136 /var/www/vhosts/sito1.it/httpdocs/.htaccess b _ d r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:19:55 2013 0 37.139.47.33 378 /var/www/vhosts/sito1.it/httpdocs/rTLsk.html b _ i r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:19:56 2013 0 37.139.47.33 395 /var/www/vhosts/sito1.it/httpdocs/aTLsk.html b _ i r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:34:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1

Two sites (sito1, sito2), two FTP accounts, one source IP: both accounts were used from the same place, and the .htaccess files were deleted, not just overwritten.
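The pivot on this slide, file to uploader IP to everything that IP did, as an added example (not the talk's code) done with awk over xferlog instead of eyeballing grep output. The log embedded below is constructed for the example: it is modelled on the slide's entries and adds one legitimate client (192.0.2.10, a documentation-range address) for contrast. The field positions follow the standard xferlog layout; set `XFERLOG_FILES` to a glob such as `/var/log/xferlog*` to run it against real logs, rotated .gz ones included.

```shell
#!/bin/sh
# Added example (not from the talk): pivot through an xferlog.
# Standard xferlog fields: $1-$5 date, $6 transfer time, $7 remote host,
# $8 size, $9 path, $10 type, $11 special flag, $12 direction
# (i = upload, o = download, d = delete), $13 access mode, $14 FTP user,
# $15 service, $16 auth method, $17 auth user id, $18 completion status.

# Constructed sample log (the slide's IP and sites, plus one normal client).
SAMPLE='Tue Oct  1 12:39:35 2013 0 37.139.47.33 7325 /var/www/vhosts/sito2.it/httpdocs/newsp15.php b _ i r sito1 ftp 0 * c
Thu Oct  3 12:00:08 2013 0 37.139.47.33 2005 /var/www/vhosts/sito2.it/httpdocs/.htaccess b _ d r sito1 ftp 0 * c
Thu Oct  3 12:00:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1 ftp 0 * c
Fri Oct  4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r sito2 ftp 0 * c
Fri Oct  4 15:02:11 2013 1 192.0.2.10 48213 /var/www/vhosts/sito1.it/httpdocs/images/logo.png b _ i r sito2 ftp 0 * c
Sat Oct  5 09:40:00 2013 0 192.0.2.10 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ o r sito2 ftp 0 * c'

# records: the sample by default; real logs if XFERLOG_FILES is set
# (gzip -cdf passes plain files through and decompresses .gz ones).
records() {
    if [ -n "${XFERLOG_FILES:-}" ]; then gzip -cdf $XFERLOG_FILES; else printf '%s\n' "$SAMPLE"; fi
}

# uploaders_of PATH: distinct remote hosts that uploaded PATH (direction i).
# Downloads of the same path are ignored: they are victims, not the source.
uploaders_of() {
    records | awk -v f="$1" '$9 == f && $12 == "i" { print $7 }' | sort -u
}

# timeline_of IP: everything that host did, in log order:
# "month day time action ftp-user path".
timeline_of() {
    records | awk -v ip="$1" '
        BEGIN { act["i"] = "upload"; act["o"] = "download"; act["d"] = "delete" }
        $7 == ip { printf "%s %s %s %s %s %s\n", $2, $3, $4, act[$12], $14, $9 }'
}

# accounts_used_by IP: distinct FTP usernames seen from IP. These are the
# passwords to reset, not only the one owning the file you started from.
accounts_used_by() {
    records | awk -v ip="$1" '$7 == ip { print $14 }' | sort -u
}

if [ "${1:-}" = "--demo" ]; then
    f=/var/www/vhosts/sito1.it/httpdocs/listN3A.php
    echo "== who uploaded $f"; uploaders_of "$f"
    for ip in $(uploaders_of "$f"); do
        echo "== timeline of $ip";      timeline_of "$ip"
        echo "== accounts used by $ip"; accounts_used_by "$ip"
    done
fi
```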

Slide 34: But what was in that file?!?
<html><head> <meta http-equiv="refresh" content="2; url=http://thespeedshop.ca/robotsfR6w/bar/index.html"></head><body><h1>Loading...</h1></body>
A plain redirect page: whoever lands on it is bounced to the external URL after two seconds.

Slide 36
server:~# /var/qmail/bin/qmail-qstat
messages in queue: 5963
messages in queue but not yet preprocessed: 623

One of the queued messages:
Received: (qmail 3931 invoked by uid 33); 22 Oct 2013 11:55:22 +0200
Date: 22 Oct 2013 11:55:20 +0200
Message-ID: <20131022095520.3906.qmail@server999>
To: [email protected]
Subject: Voice Message Notification
From: "WhatsApp Messaging Service" <[email protected]>
X-PHP-Originating-Script: 10035:infoKSw.php
X-Mailer: Oudmlr(ver.3.4)
Reply-To: "WhatsApp Messaging Service" <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------138243572052664B8811717"

"Invoked by uid 33" is www-data, i.e. PHP's mail() called from the web server, and X-PHP-Originating-Script (added when mail.add_x_header is on in php.ini, see the link) names the uid and the script that sent it: infoKSw.php. Turn that header on before you need it.
http://php.net/manual/en/mail.configuration.php

Slide 37
server:~# /var/qmail/bin/qmail-qstat
messages in queue: 5963
messages in queue but not yet preprocessed: 623

This time the spam comes in over authenticated SMTP (ESMTPA) from an outside host:
Received: (qmail 11447 invoked from network); 21 Oct 2013 10:24:11 +0200
Received: from hostbruttorusso.ru (HELO UserHP) (99.99.99.99) by mioserver.it with ESMTPA; 21 Oct 2013 10:24:09 +0200
Return-Receipt-To: "Monica" <[email protected]>
From: "Monica" <[email protected]>
To: <[email protected]>
Subject: I: RQST FATTURA
Date: Mon, 21 Oct 2013 10:24:10 +0200
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_004B_01CECE47"
X-Mailer: Microsoft Office Outlook 11

and the SMTP auth log shows which mailbox's password has been stolen:
Oct 25 12:37:08 server6 smtp_auth: SMTP user [email protected] : logged in from hostbruttorusso.ru [99.99.99.99]

Slide 38: Responding to a compromised SMTP account
Identify the compromised mailboxes
Change their passwords
iptables: block the IPs that logged in
Delete the emails from the queue
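The first three steps of this slide driven from the smtp_auth log lines shown on the previous one, as an added example (not the talk's code). The log lines are constructed for the example, modelled on the slide's entry with documentation-range IPs, and the functions only print the commands so they can be reviewed before anything is run; set `SMTP_AUTH_LOG` to a real file to use it. Purging the spam from the queue is MTA-specific and not shown.

```shell
#!/bin/sh
# Added example (not from the talk): find the mailboxes behind an SMTP
# AUTH spam run and print the response actions. Nothing is executed.

# Constructed smtp_auth lines: one mailbox hit from three different hosts
# (the stolen password), one used normally from office and home, one more
# mailbox used from the same bad host.
SAMPLE='Oct 25 12:37:08 server6 smtp_auth: SMTP user monica@example.com : logged in from hostbruttorusso.ru [99.99.99.99]
Oct 25 12:37:20 server6 smtp_auth: SMTP user monica@example.com : logged in from 198-51-100-7.example.net [198.51.100.7]
Oct 25 12:38:02 server6 smtp_auth: SMTP user monica@example.com : logged in from host-203-0-113-5.example.org [203.0.113.5]
Oct 25 12:40:11 server6 smtp_auth: SMTP user luca@example.com : logged in from office.example.com [192.0.2.10]
Oct 25 13:01:55 server6 smtp_auth: SMTP user luca@example.com : logged in from home.example.com [192.0.2.77]
Oct 25 13:05:40 server6 smtp_auth: SMTP user info@example.com : logged in from hostbruttorusso.ru [99.99.99.99]'

# auth_events: "user ip" for every successful SMTP AUTH login; the IP is
# the last field with its brackets stripped.
auth_events() {
    if [ -n "${SMTP_AUTH_LOG:-}" ]; then cat "$SMTP_AUTH_LOG"; else printf '%s\n' "$SAMPLE"; fi |
    awk '/smtp_auth: SMTP user .* logged in from/ { ip = $NF; gsub(/[][]/, "", ip); print $8, ip }'
}

# accounts_from_ip IP: mailboxes that authenticated from IP.
accounts_from_ip() {
    auth_events | awk -v ip="$1" '$2 == ip { print $1 }' | sort -u
}

# flag_accounts MIN: mailboxes seen from at least MIN distinct IPs in the
# log window. A spam run on a stolen password usually comes from more
# places than the legitimate owner ever does.
flag_accounts() {
    auth_events | sort -u | awk -v min="$1" '{ n[$1]++ } END { for (u in n) if (n[u] >= min) print u }' | sort
}

# response_plan IP: the slide's actions for one attacking IP, printed for
# review. -I puts the DROP first so it wins over any existing ACCEPT rule.
response_plan() {
    echo "iptables -I INPUT -s $1 -j DROP"
    accounts_from_ip "$1" | while read -r u; do
        echo "# change the password of $u"
    done
}

if [ "${1:-}" = "--demo" ]; then
    echo "== mailboxes used from 3 or more IPs:"; flag_accounts 3
    echo "== plan for 99.99.99.99:";            response_plan 99.99.99.99
fi
```

Start from the IP you already have (the one in the Received header), then use `flag_accounts` to catch the mailboxes the same attacker drives from other hosts, since blocking one IP alone only moves the spam run elsewhere.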

Slide 39: One fine day on Daniele's server
ps afx during the incident:
 5671 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5672 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5673 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5674 ?        S      0:00  \_ /usr/sbin/apache2 -k start
20388 ?        S      0:00 couriertls -localfd=4 -tcpd -server
 6159 ?        S      0:00 couriertls -localfd=4 -tcpd -server
 6908 ?        S      0:00 couriertls -localfd=4 -tcpd -server
16593 ?        S      0:00 couriertls -localfd=4 -tcpd -server
17308 ?        S      0:00 couriertls -localfd=4 -tcpd -server
 9631 ?        S      0:00 perl udpflood.pl
 9632 ?        S      0:00 perl udpflood.pl
 9633 ?        S      0:00 perl udpflood.pl
 9634 ?        S      0:00 perl udpflood.pl
 9635 ?        S      0:00 perl udpflood.pl
 9636 ?        S      0:00 perl udpflood.pl
 4626 ?        SN     0:00 /usr/sbin/zabbix_agentd
 4671 ?        SN    28:24  \_ /usr/sbin/zabbix_agentd
 4672 ?        SN     0:00  \_ /usr/sbin/zabbix_agentd
 4673 ?        SN     0:00  \_ /usr/sbin/zabbix_agentd

Second listing, same PIDs:
 5638 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5655 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5662 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5671 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5672 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5673 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5674 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 4292 ?        S      0:21 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
 4587 ?        Ss     0:02 drwebd.real
 4588 ?        S      1:10  \_ drwebd.real
 4589 ?        S      1:14  \_ drwebd.real
 4590 ?        S      1:10  \_ drwebd.real
 4591 ?        S      1:07  \_ drwebd.real
 9631 ?        S      0:00 /usr/sbin/apache2 -k start
 4626 ?        SN     0:00 /usr/sbin/zabbix_agentd
 4671 ?        SN    28:24  \_ /usr/sbin/zabbix_agentd
 4672 ?        SN     0:00  \_ /usr/sbin/zabbix_agentd
 4673 ?        SN     0:00  \_ /usr/sbin/zabbix_agentd

Note PID 9631: perl udpflood.pl in the first listing, /usr/sbin/apache2 -k start in the second, but at top level rather than as a \_ child of the Apache parent like the real workers. A process that merely calls itself apache2 is the thing to point lsof -p at.
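The "knowledge, normality, delta" idea of slide 19 applied to the listings above, as an added example (not the talk's code): keep a `ps afx` snapshot from when the box was healthy, normalise both it and the current one, and print only what is new or more numerous. The two snapshots embedded below are constructed for the example and modelled on the slide's listings; the normalisation keeps the distinction the slide relies on between a real Apache worker (a `\_` child of the Apache parent) and a top-level process that merely calls itself `/usr/sbin/apache2`.

```shell
#!/bin/sh
# Added example (not from the talk): delta analysis of ps afx snapshots.

# Constructed baseline: the box while healthy (one Apache parent, three
# workers, the usual daemons).
BASELINE=' 4292 ?        S      0:21 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
 4587 ?        Ss     0:02 drwebd.real
 4588 ?        S      1:10  \_ drwebd.real
 4626 ?        SN     0:00 /usr/sbin/zabbix_agentd
 4671 ?        SN    28:24  \_ /usr/sbin/zabbix_agentd
 5600 ?        Ss     0:03 /usr/sbin/apache2 -k start
 5638 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5655 ?        S      0:00  \_ /usr/sbin/apache2 -k start
 5662 ?        S      0:00  \_ /usr/sbin/apache2 -k start'

# Constructed incident snapshot: same box plus the flooder and a second
# top-level "apache2" that is not a child of the Apache parent.
CURRENT="$BASELINE
 9631 ?        S      0:00 /usr/sbin/apache2 -k start
 9632 ?        S      0:00 perl udpflood.pl
 9633 ?        S      0:00 perl udpflood.pl
 9634 ?        S      0:00 perl udpflood.pl"

# normalize: ps afx on stdin -> "kind<TAB>command" with kind = top|child.
# PID, TTY, STAT, TIME and the header line are dropped; the tree glyphs
# are reduced to whether the process is a child or top level.
normalize() {
    sed -E '/^ *PID /d; s/^ *[0-9]+ +[^ ]+ +[^ ]+ +[0-9:.-]+ //' |
    awk '{ kind = "top"; if (sub(/^.*\\_ /, "")) kind = "child"; print kind "\t" $0 }'
}

# ps_delta BASEFILE CURFILE: "+N<TAB>kind<TAB>command" for every normalised
# command that occurs more often in CURFILE than in BASEFILE.
ps_delta() {
    b=$(mktemp); c=$(mktemp)
    normalize < "$1" > "$b"
    normalize < "$2" > "$c"
    awk -F'\t' 'NR == FNR { base[$0]++; next } { cur[$0]++ }
        END { for (k in cur) if (cur[k] > base[k]) print "+" (cur[k] - base[k]) "\t" k }' "$b" "$c" | sort
    rm -f "$b" "$c"
}

# write_samples DIR: the constructed snapshots as DIR/base and DIR/cur.
write_samples() {
    printf '%s\n' "$BASELINE" > "$1/base"
    printf '%s\n' "$CURRENT"  > "$1/cur"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); write_samples "$d"; ps_delta "$d/base" "$d/cur"; rm -rf "$d"
fi
```

On a real box the baseline is `ps afx > /root/baseline-ps.txt` taken on a quiet day and kept off the web root; during an incident `ps afx > /tmp/now.txt; ps_delta /root/baseline-ps.txt /tmp/now.txt` reports the flooder (+3 perl udpflood.pl) and, separately, the extra top-level apache2, which is the one to inspect with lsof -p.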

Slide 40: One fine day on Marco's server

Slide 41: Hands up!
Data collection, run automatically by a trigger (an iptables log line, watched by swatch):

    #!/bin/bash
    # Grab the volatile state (connections, open files, process tree,
    # /tmp metadata) into one compressed trace before touching anything.
    echo -n "starting collecting data..."
    date
    TMPFILE=$(mktemp /tmp/trace.XXXXXX)   # the slide used Debian's tempfile
    {
        echo "== netstat -tanp"; netstat -tanp
        echo "== lsof -n";       lsof -n
        echo "== ps afx";        ps afx
        echo "== stat /tmp/*";   stat /tmp/*
    } >>"$TMPFILE" 2>&1
    bzip2 "$TMPFILE"
    echo -n "ending collecting data..."
    date
    echo "Trace saved to: ${TMPFILE}.bz2"
    exit 0

What the trace caught (lsof): a perl process running as www-data with a PHP session file in /tmp open for writing (the w after the fd number):
perl 32373 www-data 509w REG 254,2 0 170 /tmp/sess_e96a2502073e0061e5f88a9ca9bc3dab

Slide 42: AT LEAST DO THIS
/etc/php5/apache2/php.ini:
allow_url_fopen = Off
disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,parse_ini_file,show_source"

Caveat: disable_functions only covers functions; eval() is a language construct and stays available, so an eval(base64_decode(...)) backdoor still runs, it just cannot spawn commands through the listed functions. Test the list against the applications you host before rolling it out (readfile, for one, is used by legitimate code).

Slide 43: And if I can't catch it?!
Capture the traffic into a ring buffer and look at it afterwards:
tcpdump -s0 -w <file> -C <max size per file, MB> -W <max number of files>
tcpslice
wireshark
ngrep (live gathering)

Slide 44: Tools
top
ps afx
lsof -p [PID]
netstat -tanp
stat
find -ctime 0
last
chkrootkit
rkhunter
clamav
wireshark
Intelligence!
Knowledge!

Slide 45: SO
Analysis
Cleanup
Fix
Verification

Slide 46: THANK YOU FOR YOUR ATTENTION
The slides and the audio/video recording of the talk will be available at:
http://erlug.linux.it/linuxday/2013/