Case study | Analysis of a website's hacked intrusion track

Case study | Analysis of a website's hacked intrusion track
0x00 Introduction

In this article, I will briefly introduce the website Upload Vulnerability and finally introduce the protection methods.

0x01 background

In September 15, 2015, a well-known website suddenly had to access only the homepage of the website, and none of the other pages were accessible. Find the dongle technology to help solve the problem. After Remotely accessing the server, all files on the website are copied to another drive letter. Only the home page file is left. After confirmation, the server administrator has only one person and has not performed this operation, so it is suspected that it is hacked.

0x02 Log Analysis

A large number of intrusion attempts, website scans,

From the analysis of dongle software logs, dongle has a certain protective effect, blocking a large number of attacks and intrusions. However, website programs have vulnerabilities and network horses and cannot be completely intercepted, attackers may log on to the server to obtain server permissions by scanning a large number or bypassing known network horses.

Server-to-server cloud alert analysis:

The iisuser account remotely logs on to the server from 03:49:25, IP113.xx. xxx. xx, source: China-xx province-xx city.

Network horse scan:

System log analysis:

1) system login log analysis: Thu Sep 17 IP113.xx. xxx.35 abnormal remote login server.

2) Message Log Analysis: received syn flooding Attacks and nginx crash records.

3) Secure Log Analysis:

4) root USER command execution path analysis:

Intruders get the root permission (rootkit user) through webshell or other methods, stop iptables, disable all server security dog detection, re-debug, deploy resin, and disable nginx, attackers can bypass website dongle protection.

5) website program scan results: a large number of webshells and webhorses exist.

6) web Log Path Analysis:

To sum up, IP113.xx. xxx. xx: access the server through the known network Horse to obtain the permission, IP183.xx. xxx. xx no image filtering by registering a new user. The upload vulnerability exists. Multiple intruders exist on the server. Attackers can exploit the upload vulnerability on the website to obtain the shell and disable and avoid dongle protection, and install webshell and webhorse in the website program.

0x03 concept of website Upload Vulnerability intrusion

Website Upload Vulnerability intrusion is currently the most widely used method for website intrusion.

According to the survey, most websites with the upload function have the Upload Vulnerability. File Upload is one of the most common functional requirements on the Internet. For example, QQ avatar, avatar, and Forum attachments all need to upload files. Generally, the file upload vulnerability means that the user uploads an executable script file and obtains the ability to execute commands on the server.

Causes of the file upload vulnerability:

One of the reasons:

When the website provides the file upload function, it does not detect the files uploaded by users.

For example, the upload file type is not restricted, resulting in this vulnerability.

Cause 2:

The file upload check is not rigorous.

For example, if the file type is limited, attackers can manually modify the POST package and add % 00 bytes to some functions to determine the file name. For example, xxx. php [\ 0]. JPG. For a server that only allows the upload of JPG format, this file can bypass the File Upload check.

Cause 3:

Improper WEB server configuration.

PUT is a method defined in WebDav. WebDav greatly extends HTTP functions such as GET, POST, and HEAD. It contains the PUT method that allows users to upload files to a specified path, which is easily exploited by attackers.

In many Web servers, this method is disabled by default, or the types of files that can be uploaded are strictly limited. However, in IIS, if the directory supports write permission and WebDav is enabled, the PUT method is supported, you can rewrite the file that is only allowed to upload text files to allow the upload of script files to execute webshell. Whether the MOVE operation is successful depends on whether the "script support access" check box is selected for the IIS container. If you select support, it is easily exploited by attackers.

In general, attackers should first use the OPTIONS method to detect the HTTP method types supported by the server. If PUT is supported, they should use PUT to upload a specified text file, finally, the script file is changed to the script file through MOVE to achieve the attack purpose.

Cause 4:

Use blank segments in the file header to write horses.

 

Hazards of the file upload vulnerability:

1. Attackers can directly access normally uploaded files and interpret and execute user-uploaded scripts using the WEB Container of the server, resulting in code execution;

2. Attackers exploit the WEB Container Parsing Vulnerability to access malformed files that are illegally uploaded, use the WEB container to explain and execute the code;

3. Attackers can upload file phishing images or images containing scripts. Some browsers execute these images as scripts to perform phishing or fraud;

4. when only the size of the uploaded file is limited, attackers can upload a Trojan horse by bypassing the file name, use the IIS parsing vulnerability, and use tools such as the Chinese kitchen knife, to establish a connection with a Trojan horse on the website server, you can not only manage the files on the current site (you can add or delete files), but also upload the Trojan horse in this way, then, you can directly access the trojan file and perform other operations to ultimately control the entire server.

0x04 website Upload Vulnerability Verification

Register a Common Account

Go to upload photo

Upload a web horse directly, upload more than 50 k, and change to another small jsp web horse (no more than 50 k)

Obtain the address of the uploaded file and access it directly. Upload the jsp Trojan through the small jsp web horse.

Access the uploaded jsp Trojan

Access the jsp network horse and you can see the server information, with the resin

High permission for running resin

You can directly add system accounts with high permissions.

Permission is granted, but the account cannot be added. It may be because/etc/passwd has a hidden permission.

Check the hidden permissions of/etc/passwd and/etc/shadow.

Remove/etc/passwd and/etc/shadow to hide permissions.

Add another system account

Add a script to set the account password

Add another account

Add execution permission for the script

Run this script

 

Modify the/etc/passwd file to the root account.

Test SSH remote connection

SSH remote connection successful

After successful SSH, all the remaining operations are understood...

0x05 what did we do after the intrusion?

1. Scan the Web horse file of the website program on the server. After backing up the file, clear the Web horse file.

2. Check server accounts and logs and back up relevant log files.

3. Clear the risk account and repair the website directory permissions.

4. Re-check the linux Server dog settings and add them to the dongle cloud.

5. Fix the resin and oracle databases on the server and modify the resin ports.

6. nginx website dog has been installed for nginx reinforcement, fixed and restored nginx, and forwarded nginx requests to resin.

7. strictly restrict the server port. Only port 80 is reserved for external use. All other ports are subject to IP restrictions.

8. Because the vendor is currently preparing to change the website program, the program is not repaired. Therefore, the upload function has been disabled.

0x06 Summary

The file upload vulnerability is characterized by the following three conditions:

1. The files uploaded by the attacker are executable or can affect server behavior. Therefore, the uploaded files must be in the path overwritten by the WEB container;

2. Attackers can access the uploaded file from the WEB, so that the WEB Container can interpret and execute the file;

3. files uploaded by attackers must undergo website security checks and will not be formatted or compressed, resulting in changes to the uploaded file content.

File Upload Vulnerability protection:

The exploitation of the file upload vulnerability must meet the preceding three conditions. Therefore, we can attack the Organization's file upload by blocking any one of the conditions:

1. most effectively, set the File Upload directory to unexecutable: For Linux, revoke the 'X' permission of the directory, in reality, upload applications of many large websites are stored in independent storage for static file processing. One is convenient to use cache acceleration to reduce energy consumption, and the other is to eliminate the possibility of script execution;

2. check the file Type: we strongly recommend that you use the whitelist method, MIME Type, suffix check, and other methods. In addition, you can use the compression function or the resize function for image processing, attackers can modify the format of the files uploaded by attackers and prevent them from being executed;

3. the random number is used to rewrite the file name and file path, so that attackers cannot easily access the files they upload and block the attacks.

0x07 server security O & M suggestions

1. In addition to necessary security reinforcement settings for servers, installing server security protection software is also necessary. We can see that in this process, the dongle has a protective effect. However, due to website program vulnerabilities, server permissions are extracted, and dongle software protection is disabled, resulting in loss of protection effect and eventually hacking.

2. Back up logs on the server so that logs can be queried when logs need to be analyzed later. As we can see, in this event, the complete log cannot be obtained because the system log part is cleared, causing a lot of inconvenience to the intrusion analysis. After the server is added to the server cloud, the dongle software synchronizes the protection logs to the server cloud, which helps us analyze the logs.

3. After the protection software is installed on the server, it does not take effect once and for all. manual inspection is also required. In this incident, we can see that some of the attacks by attackers are intercepted by dongle. If the Server Manager promptly inspects Server Protection logs and system operation logs, you can promptly adjust protection rules for protection. If relevant troubleshooting can be performed in a timely manner, this hacking event can be avoided.

4. In addition, we recommend that you regularly back up data on the server so that data can be restored when data is lost. It is lucky that the data is not deleted in this hacked event. However, if it is deleted, you have to consider restoring it. At this time, it will be much better if there is a backup. Therefore, it is very important to develop the habit of regular data backup.