what should i do when my website got hack?

What should I do when my website got hack?

Sumedt JitpukdebodinSecurity Engineer

I-SECURE Co., Ltd.

# whoami

• Name: Sumedt Jitpukdebodin

• Jobs: Security Engineer@I-SECURE Co., Ltd.

• Hobbies: Hacking, Forensic, Cartoon, Series (Recommended: Mr Robot), Etc.

• Website: www.techsuii.com, www.r00tsec.com

• Social Network: @materaj, fb.com/sumedt.jitpukdebodin

http://www.techsuii.com

http://www.r00tsec.com

http://fb.com/sumedt.jitpukdebodin

# ls objective

• Web Application Threat Growth Statistic

• Web Server x Web Application

• Sample of access.log

• How to start web application attack analysis

• Tools for analysis

• How to defend web application

Web Application Threat Growth Statistic

Web Application Threat Growth StatisticBy Imperva's Web Application Attack Report (October 2014)

http://www.imperva.com/DefenseCenter/WAAR

http://www.imperva.com/DefenseCenter/WAAR

Web Application Threat Growth StatisticBy McAfee Labs Threats Report (Febuary 2015)

http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2014.pdf

http://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q4-2014.pdf

# top target• WordPress is the most attacked Content Management System (CMS)

• PHP applications suffer three times as many Cross Site Scripting attacks as .NET applications

PHP applications suffer almost 3X more Cross Site Scripting (XSS) attacks than ASP applications.

PHP applications suffer almost 2X more Directory Traversal (DT) attacks than ASP applications.

ASP applications suffer almost 2X more SQL Injection attacks than PHP applications.

• Websites containing some form of consumer information suffer up to 59% of the attacks.

# top target

# stats target

Web ServerX

Web Application

Web Server X Web Application

Sample of access.log

# cat access.log

# cat access.log | grep -v bot | more

# man access.log

114.109.95.176 - - [26/Oct/2014:07:07:40 -0400] "GET /2014/09/09/how-to-setup-dns-server-in-ubuntu/ HTTP/1.1" 200 58536 "https://www.google.co.th/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/38.0.2125.104 Safari/537.36"

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" combined

# man access.log


Client IP

# man access.log


identity of the user determined by identd

# man access.log


user name determined by HTTP authentication

# man access.log


the time the server finished processing the request

# man access.log


request line from the client

# man access.log


status code

# man access.log


size of the response

# man access.log


Referer

# man access.log


User-agent

# awk { print %d } access.log

• awk ‘{print $1}’ access.log # ip address (%h)

• awk ‘{print $2}’ access.log # RFC 1413 identity (%l)

• awk ‘{print $3}’ access.log # userid (%u)

• awk ‘{print $4,5}’ access.log # date/time (%t)

• awk ‘{print $9}’ access.log # status code (%>s)

• awk ‘{print $10}’ access.log # size (%b)

• awk -F\” ‘{print $2}’ access.log # request line (%r)

• awk -F\” ‘{print $4}’ access.log # referer

How to start web application attack

analysis

The Art Of War

OWASP Top 10 2013• A1-Injection

• A2-Broken Authentication and Session Management

• A3-Cross-Site Scripting (XSS)

• A4-Insecure Direct Object Reference

• A5-Security Misconfiguration

• A6-Sensitive Data Exposure

• A7-Missing Function

• A8-Cross-Site Request Forgery(CSRF)

• A9-Using Components with known vulnerabilities

• A10-Unvalidated Redirect and Forwards

Log path

• /var/log/apache2/

• /var/log/nginx/

• C:\Windows\System32\LogFiles\W3SVC1

SQL Injection

• Filter: union, order by, select, concat, group_concat, version, %27, %27%20, %2527, --, exec, varchar,cast

Example filter SQLi

• cat access.log | grep union | more

Local File InclusionRemote File Inclusion

• Filter: ../, /etc/passwd, windows/system32/drivers/etc/hosts, ../boot.ini, =http://, =php://

Example filter LFI & RFI• cat access.log | grep “/etc/passwd” | more

XSS

• Filter: javascript, document.cookie, img src, alert

Example filter XSS

• cat access.log | grep “alert” | more

Brute Forcing

• cat access.log| grep “POST” | grep “login.php | more

Shellshock

• Filter: () {

Example filter Shellshock

• cat access.log | grep "() {" | more

Tools for analysis

# ls /opt/

• Splunk (Limit 500 MB/day)

• Elastic Search + LogStach + Kibana

• Elastic Search + Graylog2

• Apache-Scalp

• OSSEC

• Etc.

Splunk

Graylog2

How to defend web application attack

What should I do when my website got hack?

• Shut it down ?

• Get website back with backup ?

• Before website back

• Find the root clause, Fix the vulnerability.

• If not web application, try another view with hacker view.

# apt-get upgrade

• Secure Coding

• OWASP - https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

• Mozilla - https://wiki.mozilla.org/WebAppSec/Secure_Coding_Guidelines

• Web Application Firewall

• Naxsi

• ModSecurity

• AQTRONIX for IIS

• Penetration Testing

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

End%00

what should i do when my website got hack?

Internet