This document summarizes trends in web application attacks from August 2011 to March 2012 based on data from DreamHost's web application firewall. It finds that most attacks originate from compromised hosting providers and datacenters and are automated. The motivations for attackers are financial gain through installing backdoors and monetizing traffic through techniques like phishing, spam, and traffic theft. It also provides examples of various types of backdoors found on websites and recommendations for auditing systems to detect backdoors through file monitoring and log analysis.
9. OWASP
Source of this trend...
Attacks are automated.
Lead time for attack code update.
Successful compromise adds a new node.
This creates an exponential growth.
15. OWASP
0-day to Pay-day
Install backdoors
Sell access to backdoors on the black market
Phishing
Spam
BlackHat SEO
Traffic Theft
Install more backdoors
23. OWASP
Collection
Pulled the remote site from any .htaccess
matching the previous example.
1000 unique domains found
Compared them against sitecheck.com
30. OWASP
Make your kung fu stronger.
Monitoring
Vulnerability released,
Incident
Assessment,
Incident Response
Evaluation,
Update
31. OWASP
Make your kung fu stronger.
Monitoring
Vulnerability released,
Incident
Assessment,
Incident Response
Evaluation,
Update
32. OWASP
Auditing nitty gritty
File monitoring (you did this right?)
Logs (correlate timestamps)
Logs (sort by request!)
No logs? Malware detection by hand
37. OWASP
No success?
Lets get into some backdoor auditing
These backdoors were found in the wild
Show you what to look for
Learn more about the attacker's methods
54. OWASP
Further Reading
Mikko Hypponen (TED talks)
http://blog.spiderlabs.com
http://blog.dreamhost.com/category/security
Want to follow up?
Email: robert.rowley@dreamhost.com
Notas do Editor
Collected using mod_security across out entire network Let's jump right in!
Nice average Trending down?
Broken down between SQLI, file upload, File inclusion, and arbitrary code execution attacks
Showing an example of “background noise” These attacks have been aroudn 1+ year
A wild zeroday appears Released beginning of august
Exponential growth until they're caught/cleaned up.
Many just forward the complaint to their customer (whomever owns the server assigned the IP address) An unsettling few are unable to address this and request help with it (to which we oblige the best we can) These responses let us know who the attackers are, and it's no surprise!
It should be no surprise that compromised sites are the leading attack source. Compromised sites are used to attack other sites.
Be ethical
I pretty much exclusively see money as the motivating factor. There are exceptions though, quoting Mikko Hypponen, the top three are money, ideology, and espionage So, how do they get money from compromising sites?
The people taking the first step may not be the same who take the final step.
Two examples how this was done via .htaccess
SiteCheck.com's report on the domain being redirected to.
Breakdown of the TLD used for the domreg.
Domain name registrar breakdown
IP addrss the domains resolved to.
Do not confuse the two, thinking about long term fixes when your site is down is wasting precious time. Thinking that you fixed that “one” hole is good enough is not really a good long term fix.
Example “flow cycle” Presumes you've addressed all other security concerns (backups, updates, policy, etc..)
Never stop improving
Time stamp correlation with file creations, logs, etc... Note the POST request … shady!
Awk/grep/sort madness!
Awk/grep/sort madness!
This eventually breaks down the the old standard “eval(base64_decode...”