What should I do when my website got hack?
•
7 likes•1,577 views
The document provides information on analyzing web application attacks from server logs. It begins with statistics on common targets and attacks. It then explains how to read information from server access logs, including the client IP, request details, and user agent. Tools for log analysis like Splunk and ELK are listed. The document concludes with recommendations for defending websites, such as securing coding practices, using a web application firewall, and conducting penetration testing.
Report
Share
What should I do when my website got hack?
- 1. What should I do when my website got hack? Sumedt Jitpukdebodin Security Engineer I-SECURE Co., Ltd.
- 2. # whoami • Name: Sumedt Jitpukdebodin • Jobs: Security Engineer@I-SECURE Co., Ltd. • Hobbies: Hacking, Forensic, Cartoon, Series (Recommended: Mr Robot), Etc. • Website: www.techsuii.com, www.r00tsec.com • Social Network: @materaj, fb.com/ sumedt.jitpukdebodin
- 3. # ls objective • Web Application Threat Growth Statistic • Web Server x Web Application • Sample of access.log • How to start web application attack analysis • Tools for analysis • How to defend web application
- 4. Web Application Threat Growth Statistic
- 5. Web Application Threat Growth Statistic By Imperva's Web Application Attack Report (October 2014) http://www.imperva.com/DefenseCenter/WAAR
- 6. Web Application Threat Growth Statistic By McAfee Labs Threats Report (Febuary 2015) http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2014.pdf
- 7. # top target • WordPress is the most attacked Content Management System (CMS) • PHP applications suffer three times as many Cross Site Scripting attacks as .NET applications PHP applications suffer almost 3X more Cross Site Scripting (XSS) attacks than ASP applications. PHP applications suffer almost 2X more Directory Traversal (DT) attacks than ASP applications. ASP applications suffer almost 2X more SQL Injection attacks than PHP applications. • Websites containing some form of consumer information suffer up to 59% of the attacks.
- 8. # top target
- 10. # stats target
- 12. Web Server X Web Application
- 14. # cat access.log # cat access.log | grep -v bot | more
- 15. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" LogFormat "%h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"" combined
- 16. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" Client IP
- 17. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" identity of the user determined by identd
- 18. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" user name determined by HTTP authentication
- 19. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" the time the server finished processing the request
- 20. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" request line from the client
- 21. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" status code
- 22. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" size of the response
- 23. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" Referer
- 24. # man access.log 114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to- setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1;WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36" User-agent
- 25. # awk { print %d } access.log • awk ‘{print $1}’ access.log # ip address (%h) • awk ‘{print $2}’ access.log # RFC 1413 identity (%l) • awk ‘{print $3}’ access.log # userid (%u) • awk ‘{print $4,5}’ access.log # date/time (%t) • awk ‘{print $9}’ access.log # status code (%>s) • awk ‘{print $10}’ access.log # size (%b) • awk -F” ‘{print $2}’ access.log # request line (%r) • awk -F” ‘{print $4}’ access.log # referer
- 26. How to start web application attack analysis
- 27. The Art Of War
- 28. OWASP Top 10 2013 • A1-Injection • A2-Broken Authentication and Session Management • A3-Cross-Site Scripting (XSS) • A4-Insecure Direct Object Reference • A5-Security Misconfiguration • A6-Sensitive Data Exposure • A7-Missing Function • A8-Cross-Site Request Forgery(CSRF) • A9-Using Components with known vulnerabilities • A10-Unvalidated Redirect and Forwards
- 29. Log path • /var/log/apache2/ • /var/log/nginx/ • C:WindowsSystem32LogFilesW3SVC1
- 30. SQL Injection • Filter: union, order by, select, concat, group_concat, version, %27, %27%20, %2527, --, exec, varchar,cast
- 31. Example filter SQLi • cat access.log | grep union | more
- 32. Local File Inclusion Remote File Inclusion • Filter: ../, /etc/passwd, windows/system32/ drivers/etc/hosts, ../boot.ini, =http://, =php://
- 33. Example filter LFI & RFI • cat access.log | grep “/etc/passwd” | more
- 34. XSS • Filter: javascript, document.cookie, img src, alert
- 35. Example filter XSS • cat access.log | grep “alert” | more
- 36. Brute Forcing • cat access.log| grep “POST” | grep “login.php | more
- 37. Shellshock • Filter: () {
- 38. Example filter Shellshock • cat access.log | grep "() {" | more
- 40. # ls /opt/ • Splunk (Limit 500 MB/day) • Elastic Search + LogStach + Kibana • Elastic Search + Graylog2 • Apache-Scalp • OSSEC • Etc.
- 41. Splunk
- 42. ELK
- 43. Graylog2
- 44. How to defend web application attack
- 45. What should I do when my website got hack? • Shut it down ? • Get website back with backup ? • Before website back • Find the root clause, Fix the vulnerability. • If not web application, try another view with hacker view.
- 46. # apt-get upgrade • Secure Coding • OWASP - https://www.owasp.org/index.php/ OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide • Mozilla - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines • Web Application Firewall • Naxsi • ModSecurity • AQTRONIX for IIS • Penetration Testing
- 47. End %00