
BG - Max Level Web App Security - Robert Rowley

BSides Las Vegas · 42:27 · 13 views · Published 2017-03 · Watch on YouTube
About this talk
BG - Max Level Web App Security - Robert Rowley. Breaking Ground, BSidesLV 2012 - The Artisan Hotel - July 25, 2012
Transcript [en]

Ready? All right, everybody, I'm going to get started here, so if you can all quiet down. Thank you. No, I'm not that much of a jerk. My name is Robert Rowley. I'm going to be talking about the state of web application security. The title for this talk is actually supposed to be Max Level Web App Security; I unfortunately forgot to change my slides. Basically this is a synopsis of a lot of the web application security stuff that I've seen where I work, DreamHost. Who here has heard of DreamHost? Like a third of you. Probably more of you know, but yeah, we're a fairly large shared web hosting environment which hosts somewhere upwards of a million domains.

I'm not trying to pimp the service; it's just simply the fact that we have a lot of sites hosted, which gives us a key and unique insight on the web-based attacks and web-based malware things that are going on with web application security. There's my contact information; I'm going to have it again later, so if you want to harass me. So the breakdown of this talk is pretty easy. I'm going to go over some basic trends, tell you basically what we're seeing, as I mentioned, how and where and what we're tracking, cool stuff that's going on, as well as knowing a little bit more about what the attackers' motivating factors are, because that's key to know. If you want to be able to stop somebody from what they're doing, you have to know why they're doing it, and you can cut them off at the source. As well as then, when we have time, which we probably will, I'll go into a lot of auditing, back doors, as well as release some of the, basically not really source code, but the tools and the source of how to clean up your site if it's been hacked, a lot of the utilities that I use on a day-to-day basis that can do very complex and very powerful things. You'll probably be surprised that I'm going to do this; you'll probably be surprised about how easy it is.

So yeah, I'm going to just kiss the mic now; I have to do this every time. So without further ado, I'm going to go into some trends. The data that's collected with these graphs that I'm going to show you, and how we identify these trends, is all logs that are generated using our web application firewall, which we end up using as mod_security, which is the Apache plugin. It's running on about a million or more websites, which again gives you a large sample set. The logs for the system are actually all centrally logged across all 20 to 30,000 of our servers; they all get pulled to a central location, and that's where I basically do some analytics and review about what's going on, dig in further into what the attackers are doing, motivations, et cetera, so forth.

So the data set is actually 26 million records. It generates, right now it's generating about 3 to 5 million per month. This is about a year's worth of data. Let's just get into this graph. I have to explain graphs; they kind of suck, I'm sorry. This is a day-to-day graph of the total number of attacks based on some key common attacks that we see on our network. You can see that it averages around 50,000, 55,000; this line, so about 50,000, would be right about here, 40,000 would be right about here, so 40 to 50,000. This is between August 22nd and March, I believe. Unfortunately, like this graph, I didn't extend it along, but this is the average per-day attack. And I'll do a quick breakdown of some generic complexity, or basically generic types of attacks. The red here at the top, this is a percentage now, a stacked line graph, but the red here at the top is a file-upload-based type of attack. The green is SQL injection. The yellow, the vast majority, is local file inclusion as well as remote file inclusion attempts. These are fairly common; you've probably all seen these in your website access logs, if somebody just put a variable as ../../etc/passwd. I don't know who's doing that still, I don't think they're ever successful, but it's like constant. And then the bottom here is code execution attacks. These are if some PHP code or some other web-based script is so badly written that you can just do a direct call to PHP, or, you know, code execution in your attack.

So these next graphs I'm going to show are some very specific attacks against specific software vulnerabilities. This isn't an attempt to knock on e107, which is a content management system, nor Zen Cart; it's just simply that these are good examples that I have the data for, and they're very old exploits, so they've been well since patched. The first one is an example of a remote code execution. This was very unfortunate for e107 to have, because it was a very powerful attack from the attacker's point of view. The vulnerability was pretty much exactly this: you tell one of the variables in the GET request to be PHP in BBCode, which was just put square brackets around PHP, and then you can type in any PHP code after that, and the server, the e107 content management system, would happily execute that PHP code. So the entire attack existed only right here. This was released in May 2010; the CVE code is right there if you want to look into it some more. And the other one I'm going to go into is Zen Cart. Zen Cart is a very popular open source web shopping cart. The attack here was released in May 2009; there's the CVE code. It was actually SQL injection execution. I'm not going to go into the specifics of the details on it here, in comparison to e107, because it's complex. But so these two attacks, even in 2011, which is when this graph starts, August 2011, and it goes on to May or March 2012, the average attacks are still around 10,000 per day for each one of these known exploits. And now these exploits are two, three years old, and they're still attempted to be compromised every single day. You can also notice that they're very similar in number of attacks per day for two very different types of compromises, or two very different exploits. So this I can identify as pretty much a good steady trend of: this is the background noise, about what a baseline for new vulnerabilities or exploits will get you in attacks per day on our network on any given day, even years later.

Now I'm going to add something more interesting, which is TimThumb. Who here has heard about the TimThumb vulnerability? Who here was affected by it? Sorry. So the TimThumb vulnerability was, again, I'm not knocking on TimThumb, it's not anything intentional, it's just a good example and I have good data to show you. The vulnerability here was released in August 2011, basically when these graphs started. There's a CVE code. It basically allowed arbitrary file upload. The script is a thumbnail generator script which you can give a URL, and it will basically download a copy of that image and then resize it for your blog. The problem is, when it downloaded a copy of it, it didn't change the extension, so it always presumed a JPEG should end with .jpeg, and it uploaded it to your cache directory, kept the same file, and it was just called whatever.jpeg. Problem is, you could tell it to go download some PHP code, and it automatically downloads that PHP code and uploads it to your site's cache directory and keeps it .php. So then you just turn around and go into the cache directory and call that file name that you just told it to download for you, with PHP, and it will basically happily run as a PHP script. This is a popular WordPress theme component, which was pretty much the reason why it became so popular and was so impactful when it happened. And I should note that this was not part of WordPress core, nor was it a plugin; this was simply something that was added to a lot of very popular WordPress themes, not the core themes either. It was just very common to have people add it in, because it was easy for these developers to add this code in which did this thumbnail resizing for them. Unfortunately, there was a vulnerability, it was insecure, and it was also very difficult to explain to people: your WordPress is up to date, but your theme over here that you're not even using has this script in it that's being compromised to no end, so just get rid of it or do something.

So here's that same graph from before; I shrank it down so I can fit some more data, and this is actually between August and the end of June this year. So there's TimThumb's effect in the beginning of August; there's a little spike right here. A short while later, about two months later, there's that major spike, and that's really where the majority of the action happened. If you were compromised by the TimThumb vulnerability, you likely were compromised in November, or you noticed it in November. What's interesting is that there's that two-month gap where it kind of dropped down and disappeared, and then onward, even towards this end of the year, it's still getting, it almost evened out with the other types of attacks, but it's still getting a very good solid, actually double or triple, the normal attacks that we're seeing. This is how I show what I call the life cycle of an exploit in the wild. The initial phase, the infancy: there's going to be a spike, there's people searching, checking to see how many hosts are affected. And then there's the puberty. The puberty stage is when it goes insane. Like this is getting 70,000 hits; basically all through November it's getting spikes between 50 and 70,000 per day, that's just one day of attacks. And that's when it's going to get the worst, that's when it's going to infect the most number of hosts. And then from there on out it's kind of the maturity level, or it just kind of rolls on out like this, man getting another drink, it just rolls on out and lives its life.

So I have a theory about this. Attacks are automated; this is pretty much known. All these web-based attacks are all automated scripts that are just going through, scanning, trying new exploits, trying new exploits. But if attacks are automated, that means there's code involved, and there's definitely lead time for the attack code to be updated. Now, when the attack code gets updated, that's when puberty hits, and that's when it hits the fan. If you haven't secured by that time, you're going to get compromised. Also note that what happens during that puberty stage, why it gets so explosive, is that a compromised site adds a new node to their botnet. So your compromised site will then participate in compromising other websites. This creates an exponential growth; it'll vary a little bit, but it'll be certainly an exponential growth in the size of the botnet and in the number of attacks per day.

So I'm going to talk again now about a new exploit. Who here knows about the PHP CGI remote code execution exploit? This was a really cool one. It basically allowed arbitrary code execution; it also allowed source code disclosure as well as a denial of service. You could pretty much do anything you wanted if the host that you're running on was running PHP in CGI mode and didn't have this patch applied. This was released in May 2012, so it's much more recent. Our staff was actually notified before May, because this was actually identified on our network, and we applied our patch to PHP as well as a virtual patch in mod_security so I can do some logging. And this was all rolled out well before the zero-day release, which gives me really good graphs. So this is that same graph I just showed you, Zen Cart, e107 and TimThumb, and now this is the PHP CGI vulnerability. Here's where it was discovered; there were almost no attacks when it was discovered. There's a little trickle right beforehand, and I think actually those are just false positives. But right there, that day, this day is the day it was released, and I guess in the infamous words of MC, I think it was French, "on the very first day it's already too late" is certainly true in this case. The day it was released, because the complexity of this attack was so simple, everybody and their mom, and I don't even know, but everybody was doing this attack. Within a week there were two million, yeah, this spike here is two million attacks on one day, of just people scanning, trying to find out how many hosts are compromisable for this type of attack. It was averaging out exactly what the WordPress TimThumb one was, and then basically went on from there. What's interesting, though, is just like with WordPress, there was a spike, a lull and a spike again, and the same thing happened. It's also almost the exact same time, about two months' difference between this spike and this spike, as well as over there, those two spikes of red. And that's very interesting, because again, it kind of shows the same lead time to attack, the same lead time to update their code to do more initiating attacks.

And when I inspect the individual log lines of these, the first grouping of attacks here, especially for the PHP CGI one, that's a lot of discovery. That's just people interested and curious. There was actually 1 million hits from one host on one day; I found that very interesting, because I'm like, why would this one guy do this? And I presume it was simply a security researcher looking into things, trying to find out what percentage of the internet is affected. But then, two months later, it completely changes: it's a wide variety of hosts trying the same exploit, and they're all trying the same thing, and so those are basically probably the malicious people at that point in time. So, overlaying my simple ideology: there's an infancy spike, there's a puberty spike; the puberty spike is going to be worse, longer, more intense, and it hasn't hit maturity yet, unfortunately, but I'll probably have more information the next time I give this talk. So that's the basic idea about how bad things really are, how quickly an exploit gets to be effective and can be a problem.

So we take these logs, and I don't just make pretty graphs with them; I actually do things with them every day. I have an automated system that sends notifications to the ISP's abuse desk whenever we get too many attacks from a certain IP address. About 90 or so ISPs are notified on any given day, and the vast majority of them are non-responsive. I'm not knocking on them for not being responsive; I understand that job is very difficult and very trying and very busy. I do that job as well. But there's something to be said about the fact that I know that most of them are not being responsive, and most of them are likely not capable of taking care of the action, and they're not doing the right thing, because the same IPs are coming up again and again and again. And it's a very complex talk; that's a talk in itself, doing abuse desk stuff. But back to it. So what's interesting is 20% of those attack sources appear to be home ISPs or business ISPs, while 80% appear to be hosting or data center IP address ranges. This also makes sense in the idea that the compromised websites are then attacking other websites; that's pretty much the world that it is, and the botnet gets very large very quickly and becomes very bad.

So I'll talk a little bit about incident response. I kind of feel as if it's obligatory. The response breakdown, if you have a compromised site, is pretty easy: do immediate mitigation, you just want to put out the fire; you want to monitor for changes; and you want to review what's going on, what caused the issue in the first place; and then do a long-term fix. This might include correcting your business policy and/or securing your code, configurations, applying better virtual patches, et cetera, so forth. The standard approach is this circle. I feel everybody needs to have a circle or some sort of graph that shows you a representation about how you should be doing your job, and I say, oh, there's a better graph. So it's basically monitoring, and always evaluate and update. Don't ever presume that your site or your code or your systems are all functioning right; just always presume that they're going to get compromised. Look into them; it doesn't have to be every day, just look into it once a quarter, look to see what's going on, see if there's anything that is out of the ordinary.

So now, more interesting though, I'll do some auditing nitty-gritty. This is what I see with the majority of our customers who have compromised sites that have really bad issues, when it gets really nasty: this is what they weren't doing, and this is what they need to do to make sure that this problem never becomes a big issue again. This starts off with file monitoring, as well as reviewing some logs via various methods, and I'll even give you guys some information about what utilities and what scripts I use to do malware detection by hand. It's very easy, and hopefully I have more stuff to go on for that. File system monitoring is actually also very easy. It should be part of your backups, because you don't want to waste all your file I/O on your main server. Even if you run your own dedicated server for even one website or whatever, if you're peaked out on your file I/O or your CPU or your resources, you shouldn't be doing your file system monitoring on that system, because it's going to always cause an issue, and you don't want to have file system monitoring cause an outage on your main server. Instead use your backup server, like, you should have backups. I should preface this with the fact that you should already have backups, and you should have a dedicated backup server. That server is probably sitting idle 90% of the time, and you have all the resources on there, a CPU, a system, some memory. You can do file comparisons based on your newest backup to your last backup, and amazingly enough, rsync has this built in already. So if you're using rsync as your backup system, you already have your solution there; you just need to take that output and have somebody review it. There's more nuances to this, but it at least gets you 90% of the way there. If that doesn't fit for you, you can also use inotify, which is a current kernel-level file system monitoring hook, basically like a library and hook system, as well as Tripwire, which is mostly open or mostly free, but you can pay for their premium service. It works pretty well; it runs as a daemon or service. You can also do it yourself. I don't recommend doing it yourself; it sounds like the easiest thing in the world, doing md5s against all your files and doing the comparison on your own, but the reality is you're just going to be wasting resources, because things already exist to do backups or file system monitoring for you.

So when a site's compromised, this is pretty much the first thing I do, and I always find, typically, what's going on, what's broken, whatnot. So this is an example of a back door found on a website. The area in red is a timestamp; you then just grep for that timestamp in your website's access logs, and you most likely find something interesting, like a POST request to this plugin page called hello.php. That is most likely the first step; hello.php in this case will most likely be a back door. Most of the time you're not going to be this lucky and catch it soon enough that you can actually do this inspection, because your access logs may rotate out, but that's part of the detection process: being able to know your site's compromised sooner than later. If that doesn't work, let's say it was too late or you couldn't find it, you don't know where the initial back door is and you're just kind of digging around, just use awk and sort in a very interesting way. Here you just basically print out the line of the request, basically number seven here, awk print $7, which is the column in the access logs which is the file that's being requested. Pipe it through sort, uniq, sort, which seems redundant, but it works magic. It will give you a list of the files being requested on your website, and basically the number of times; the first number here is the number of times they've been requested. What's interesting about this, this is actually my site's access logs; you can see I get only about 200 hits a day, but a lot of them are to phpMyAdmin for some reason. I don't have phpMyAdmin installed, but this would show me that, well, there's people attempting to hit phpMyAdmin, most likely an exploit, most likely a bot trying to scan for a known vulnerability in phpMyAdmin.

So if you even have no success with that, just use find. It's amazing; find will find things on your system. This is part of my little special script that works magic and wonders, and it's so simple, because it literally is, it's not even a one-liner, it's one command, but it uses find in a very interesting way. So you can use find; you know how to use find, it's just find, the path, and then you give it some arguments. The difference is you're going to want to run man find so you can read the manual page, and you're going to find out that find has a lot of options, one of them being -exec. So -exec basically calls another command, runs that command against the file, takes a response from that, and gives it a yes or no whether or not it's a match. In this case I'm finding everything in this path, and then I'm executing grep for this fingerprint. Fingerprint would be a variable you set earlier, but if grep finds that fingerprint, it reports back to find positive, and then find outputs the name of that file. In this case it seems kind of redundant, because you can just run grep against all your files and then parse that out yourself, but I'll get into how this is really powerful very shortly. You can use generic fingerprints. These are what we see, and at the end I'm going to show you a lot of back doors, the malicious web-based back doors, web shells, what they're called, but these are just some generic ones: eval, preg_replace, exec, assert. Anybody else know any PHP commands, like functions, that actually execute code? There's like two dozen of them; it's fairly annoying, but there's a lot of them, so find them all. You can look for some generic ones and find out either a compromised web shell, or some piece of your code that is really stupid because it's running eval for some reason, because it can't do whatever functionality it needs to do in PHP itself. And you can also use fingerprints for known back doors. This is a much better way to do it, but you have to have a lot of back doors, a good sample set. I'll also show you how to gather your own back doors. I should stop saying back doors, this guy...

So let's get into how find gets really powerful. This is a very interesting way to run it. This is the same example I gave earlier: find, and then give it a path; you can do -exec grep fingerprint; you can also do name, file size, et cetera, so forth, but I'm not worried about that here. You can chain -exec commands together. So when you run find, and then -exec grep for that fingerprint, grep reports back to find: this file is confirmed, it has this fingerprint in it. You can then run another -exec immediately afterwards, and find will only run this -exec on the files that match the previous rule. So -exec grep, this file has this malicious code in it, also run this command: chmod zero, remove the permissions for the file, so it's no longer a threat to the website. That's pretty much the magic sauce there. It works, it's fast, because it's using find, a pre-existing tool, and it will disable any known back doors. The problem is it will also disable non-back doors if your fingerprint is not good enough. What I also see is a lot of back doors are injected on the first line, the last line or a random line in the middle of a file, so you have to do another option using the same tool: find -exec grep for that fingerprint, then use sed to remove just one line from that file, or just the matched fingerprint from that file. So -exec sed, and then do a search and replace for the fingerprint, replace it with nothing. I do apologize, these are kind of somewhat complex advanced Unix commands, but you should also all learn these if you don't know them already: find, -exec, grep, awk, sed. Yeah, they're very important. But so anyways, it'll basically search out for that fingerprint and remove just that one fingerprint from the file. If you have an infected site where every single page on your site has some HTML entity added to the bottom of it that's doing something nasty, and you didn't have backups, and you're pretty much screwed already, this will save your ass. This will run through, and you can give it the fingerprint of the malicious code, and it will remove all the malicious code from the site.

So who here knows what the attacker's motivating factor is? Nobody? Who here, what's your motivating factor? Let's know. Money, yes, you're right. There's other options, but the vast majority of what I see on our network of automated attacks that are just grinding away at two-year-old exploits in web software is money. They are trying to do things that earn them money, and that's kind of annoying, because that's not really what hackers do. Like, hackers are interested in finding and breaking in, the exploration; these are trying to use that to make money off of it. But so if you find an exploit, if you're that type of person that likes to find the exploits, and you're not the, yeah, there's bounty programs out there, Facebook, PayPal, they all have them. You actually can earn money for finding exploits if you do responsible disclosure. If you do it enough, you're actually going to get a name for yourself, and everybody will know that you're the type of person that's trustable, reputable, and you'll get a nice-paying job. Don't become a criminal, because frankly the criminal avenue is not well-paying; they're not good people to work with, and the majority of the stuff that I see, if anybody here, you are criminals, you're going to come up here and punch me afterwards: your code sucks. I'm sorry. A lot of the criminal code is not that good. It's very interesting, it's fun, it makes my job easy. But the majority of what I see with these automated attacks, it's not state-sponsored stuff, it's not the really high-end espionage; this is just the automated attacks, and just this grind, and I imagine that these programmers basically have this guy, like this crazy bully guy over them, yelling at them to program better PHP.

So I'm going to go from zero to explain how zero-day to payday works. This is what I see on our network: they basically install the back door, and then they sell access to the back door on the black market. The people they're selling access to are trying to run phishing scams, send spam, do some black hat SEO, steal traffic from the site and send it to their own site, or just install more back doors, because frankly that's what they do. What's interesting too, I didn't mention it earlier, is that a lot of these back doors, when they're installed, the attacker will take no action for a short period of time. This may be weeks and may be months. This is actually fairly smart of them, I should say; they know that if they take no action for a short period of time, the access logs or any logs that will identify the initial point of intrusion will be overwritten, basically rotated out, and that kind of hides their tracks. If you did use the find that I used before, that's how you basically find all those malicious back doors anyways and still get through. So, does anybody here not know what phishing is? All right, good; I'm going to send you all emails to test you later. Spam, everybody knows spam, everybody gets spam. Black hat SEO, this is a newish thing in the last 10 years, because of SEO services and because of the popularity of Google, Bing, everything.

People basically hide links on websites. You probably have all seen a site with hidden links at the bottom of it; they all kind of match the background, or they're in a hidden CSS div. Basically, their intention is they're trying to get more link backs to their site to increase their SEO ranking. What's funny is Google and Bing and every major reputable search engine has figured this out already, so it actually de-ranks them for doing this. What the inverse, like completely silly mode, of this all is now: people use black hat SEO against their competitors, to try to ruin their competitors' search engine ranking, and so it's like this weird back and forth where they might be helping their competitors accidentally, or they're trying to hurt them, and it actually ends up being a very weird case. And there's, yeah, I won't get into the specifics on how weird and obscure that ends up being. A little bit on traffic theft. This is a method to take the legitimate visitor to the website and send it to another malicious website. This is kind of like black hat SEO; it's kind of affiliate-marketing-esque. They're basically trying to send you to some site that will try to sell you something, or just send you to a site because you're one extra number on some traffic board where they're saying, like, they'll sell per view or something like that. This is very similar to the Flashback trojan, and I'll go more into that in a bit. And also, finally, those back doors; obviously you're selling things on the black market, and these people already know, they know they want access to back doors. The back door code is pretty well out there, like you can just go to phpshells.net, or, I don't know, I just made that up, but it probably exists. There's a lot of sites out there that just have huge indexes of example PHP back doors, and you just go download that, you go get access to some other person's back door network, and you tell that back door network to upload your own file. Turns out you're just uploading your own back door, so you have free access in the future. This makes sense, because why not steal from the people who are stealing?

A little bit on traffic theft: in quarter 1 this year, we actually saw a huge influx. It was very interesting to see what happened. Suddenly all of our customer sites, or not all, I shouldn't say that, an alarming number of sites were shown, basically we were shown that we were compromised with this known method of traffic theft, where they were trying to redirect the visitors to another site. And I was like, wow, this is very interesting, this is kind of newish, and it was kind of after the TimThumb thing, so I wouldn't blame it, I wouldn't correlate, because I have no hard data, but it seems like a coincidence that the timing is about the same. Actions were taken, data was recorded, and I'll show you here. So here's an example of the infections that we were seeing. It was an .htaccess infection, and it would add lines like this: ErrorDocument 404 to congrats.ru, and the URLs didn't matter; there were a lot of them. Or they would add this RewriteCond that basically said if the referer was Google, Yahoo, et cetera, if it was a search engine, send the RewriteRule to go back to that .ru site. This was the malicious site; it would attempt to redirect the visitors and do things like, example from earlier, it would try to install Flashback, a trojan horse on OS X systems. That was actually a fairly serious problem, which is now cleared up, but this was one of the methods they used for distributing their malware onto systems. I should also add that the code for this on that .ru site was very smart: it knew what type of browser you were hitting it with and would send you specialized payloads. So if you're hitting it with OS X, it would try Flashback; if it was a Windows system, it would try various known exploits for those Windows systems. I didn't note anything for Linux or iOS or mobile, but I'm certain that there plausibly could have been.

So I basically grabbed those rules over here. I did a quick grab across every one of our customers, like, I scanned our entire network for anything like this, using basically the find script that I showed you earlier. I grabbed every one of these, and I cleaned them up for the customers, I notified the customers, and basically I grabbed that URL and I saved it to a file, so I got a list of all the malicious URLs being used. There were about a thousand unique domains found using this method. So I'm going to break it down. I scanned all of them against SiteCheck: 2% were safe, about 40% were unknown, which I'm going to presume also means they're just not known to be malicious yet, and the majority were low-risk or known malicious sites. This shows that this was very good information that I had on this list of URLs. The top-level domains for these were, I would say, no surprise, but it's sequential: .ru, then .com, then [unclear]. This isn't a knock on .ru; it's simply that I can identify that the people using this were either trying to mimic, or they just had a good registrar, that .ru domains were really cheap. So I looked up the registrars; surprise, reg.ru was half of them, then it was Directi and various other ones and GoDaddy. These cases, again, it's no surprise, you know, reg.ru, chances are they got a deal, or they scammed their system there and they registered a crap ton of domains. The IP addresses, this shows the IP addresses that these domains resolve to; it didn't show a lot of information. They were various; a third of them were random, and then 208.87.35 was 22%, and then so on and so forth. There wasn't a lot of good information in that. Sorry. So, any questions yet?

Yeah, no, a lot of those stats, I mean I could pull it now, but it would be kind of too late. But the specific name servers, no, I can't recall offhand. It would probably be improper for me to try to call it offhand, how many different name servers were used for those.

Very plausibly, doing the name servers is going to have to be good, but there's so many free ones. It would be a good metric to know exactly how many they use for those types of attacks, but sorry, I can look it up now, it's just probably not going to be useful about six months later.

So I'm going to go into back doors. Basically I'm going to audit, I'm going to show you guys the evolution of back doors that the malicious people use. This is pretty fun stuff, it's pretty neat. I'm going to presume you know a little bit of PHP, or at least can read code. So this is the method I use for collection. What's really interesting is, I basically scan compromised sites for malicious files and grab those, and then I looked at attack logs, and the attack logs actually give you locations of back doors, and I basically scan those. In total I have 1,500 or 2,000 or so back doors that are unique. If anybody's interested in having this list, let me know; you just have to verify yourself as a researcher, not as a jackass. So getting the back doors from the attack logs was really interesting, because the TimThumb attack, basically like I mentioned earlier, the TimThumb attack, you gave it a URL and it would download that URL and dump it into the cache directory. It turns out that attack gave you a big huge exact identifier of where the back door was. So I would run through our attack logs every day, what was it, 50 or 70,000 attacks against TimThumb per day, and then go download all the back doors that they were using. So yeah, you basically get the URL, download it, and then you can review it, and it's like, oh yeah, that's an r57 PHP shell, I think that's exactly what that one was. What's funny is they actually even give you version numbers, and some of the attacks I was seeing were using versions from 2009. I don't know why.

The PHP CGI vulnerability had a similar method that I could pull attacks from, or basically pull back doors from. It would do this -d and then this long string of various PHP-specific commands, and then eventually you'd say auto_prepend_file, which is add this file to the file being executed, and it would tell the file location, which could be a URL, which is kind of annoying. But anyway, so that's how the back door gets injected. So download it; again, r57 shell, it's one of the most popular ones, again, but in this case it was using 1.666. They're only about 6 to 8 months apart, these vulnerabilities, yet they use completely different back door versions.

So I'll go into exactly how these back doors work. So this is dead simple, anybody here can't read that good: it evals a POST payload. And then they get a little bit more complicated. They'll use an md5 cookie, or basically the value of a cookie, and do some authentication before they allow somebody to execute code, so nobody can just run around executing code on their back door. There's also some back doors that are very well documented. These are funny, because they act like they're very much intent on being good code and having good documentation, explaining to people who may not understand how they work how to use them: like create password, use password true and false, default. Okay. I should also note that decompiling these passwords and reading them is very, very useful, because you can do things like, you can find the passwords used in the previous case, you can find the md5 value right here, and if you can crack this hash then you can do a specialized rule that will disable this back door against the entire network, as well as identify compromised websites on your network.

So then it gets a little bit more complicated: eval base64_decode and then this really long base64-encoded string. What will happen here is it basically decodes the string and then evaluates the thing when it's deobfuscated. This is my favorite way to handle these: use sed. Again, I highly recommend you guys all know how to use sed. There's many other ways; in fact I searched online, I think I saw on r/netsec somebody was linking to various other methods, tools and websites that you can just dump this code in and it will scan through it. I basically say switch out eval with print and then execute the code, and it basically eventually will output something that looks like this. And effectively, what's interesting though is that this is the same back door as we saw previously. It will be r57 every time we run these deobfuscators; it will always end up being the same initial back door, so I know it's the same people running the same basic botnets, because that's how they control it.

And then it gets a little more interesting. They find out base64-decoded strings are easy to detect, so they base64 encode a gzipped string, basically gunzip or gzip, and then they run an eval against it again. And this one was interesting because they actually set the code in a variable instead of setting it as the exact argument. I give this guy a gold star because he basically just added an extra little level, rot13. It's silly, but honestly it will correct things, it'll defeat the pre-existing signatures. Yeah, of course, I'll be very interested to find anybody who has a valid use for these four functions together. So at that point in time, like everything, any sort of signature they use is easily detected.

It's what I call Rex revent. It uses Perl regular expressions. It basically does a search and replace. In this example, for some reason PHP decided that doing a search and replace, you might want to just execute the code that you're replacing, basically the string that you're searching and replacing, as code, for some reason. So they gave preg_replace the /e flag, which says evaluate or execute whatever the code matched is. In this case .* means match anything in the next argument, or match everything in the next argument, and execute it, which is exactly an easy, very easy way to just execute code up there. The \x65, 67 or 76, that's hex, that's just hex for eval. And then when it's all decoded it looks exactly like this. So they're just reusing the same back doors over and over again, they're doing different methods, all in hopes that they'll get around detection methods.

And the variables as functions, this is very interesting. So who here knows what this is doing? Anybody? Yeah, same as the other one, yeah, that's great. This one's a little bit different, but what happens is, once again, PHP has a very interesting way of handling things, and they decided that they want the developer to be able to assign the name of a function to a variable. You can then call that function using the variable, using an at sign, and then it basically executes whatever the value of that variable is as the function. So in this case you can see this value here: there's an e and there's an r and a t, and there's a b and a 64, that basically eventually adds up to being assert base64_decode, which is pretty much the same thing, but they're using assert now instead of eval. But once again it's the exact same thing, because PHP allows you to assign the value of a function to a string and then execute the value of the string; it's hard to explain, but execute the string as the function that its value is. It's pretty messed up.

And then this is a really good one. I'll give a beer to anybody who knows what this is doing, except for Steven Ber. Anybody? Anybody want to take a guess? And don't say the same thing as before; it's not, this one's actually very different. The method of obfuscation here is probably the most advanced that I've seen. It uses bitwise operators. It compares these two strings using an OR and assigns it to that, then it compares these with ANDs and assigns it to this one. In the end it ends up actually looking very similar to this one, where they use an at sign and they execute the variable, the function value of the variable, and it ends up being the same thing, eval base64_decode. But they use bitwise operators, and bitwise operators pretty much give you an almost infinite number of comparable strings that will be very difficult to detect and remove.

Which adds to my conclusion; basically, I'm showing you right here: attackers are evolving their code every day. Most of the time it's very trivial changes that they make, but they're functional for fingerprint matching, to deter fingerprint matching against a compromised website. So fingerprints are completely untrustworthy. Seriously, monitor your file system. It should be part of your, you should be doing backups, put it on your backup server, to monitor your file system, and you're going to have a much better time.

So I would like to thank everybody here at BSides, as well as OWASP, who have given the conference, this talk, as well as Trustwave for pretty much their work with ModSecurity; without that I wouldn't have any of the data here. DreamHost and our customers, as well as every white hat security researcher out there. And here are some links for further reading. Mikko Hyppönen, I just mangled his name, that's great, he does a lot of great TED talks about the motivating factors behind these attacks. The SpiderLabs blog is fantastic to find out the motivating factors as well as techniques the attackers are using. And I go ramble every once in a while on the DreamHost blog about security. If you want to follow up, here's my email and my Twitter. Go harass me, tell me I'm an idiot, or come find me if you're going to punch me, just give me fair warning. But thank you. Any questions? Good. [Applause] Awesome, I got swag.
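The talk's .htaccess section describes two traffic-theft patterns (an ErrorDocument pointing off-site, and a RewriteCond on search-engine referers followed by a RewriteRule to an external URL) and the speaker's workflow of grepping every customer site, collecting the redirect URLs and breaking them down by TLD. The scanner below is an added example, not the speaker's find script or DreamHost code: the three sample .htaccess bodies, the hostnames in them and the `own_hosts` set are constructed, and the search-engine token list is an assumption extended from the Google/Yahoo examples in the talk.

```python
"""Scanner for the .htaccess traffic-theft rules the talk describes: an
ErrorDocument pointing off-site, or a RewriteCond on search-engine referers
followed by a RewriteRule to an external URL.  Added example; the sample
.htaccess files, hostnames and own_hosts set are constructed."""
import re
from collections import Counter
from urllib.parse import urlparse

# Referer tokens the rules keyed on (Google, Yahoo, etc. per the talk; the rest assumed).
SEARCH_ENGINES = ("google", "yahoo", "bing", "msn", "ask", "aol")

ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+(\d{3})\s+(https?://\S+)", re.I)
REFERER_COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
REWRITE_RULE_RE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://\S+)", re.I)


def _external(url, own_hosts):
    """True when the URL's host is not one of the site's own hostnames."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host not in own_hosts


def scan_htaccess(text, own_hosts):
    """Return a list of findings for one .htaccess body."""
    findings = []
    pending_cond = None  # last search-engine RewriteCond seen, not yet consumed
    for line in text.splitlines():
        m = ERRORDOC_RE.match(line)
        if m and _external(m.group(2), own_hosts):
            findings.append({"kind": "errordoc", "code": m.group(1), "url": m.group(2)})
        m = REFERER_COND_RE.match(line)
        if m:
            if any(se in m.group(1).lower() for se in SEARCH_ENGINES):
                pending_cond = m.group(1)
            continue  # stacked RewriteCond lines keep the pending state
        m = REWRITE_RULE_RE.match(line)
        if m and pending_cond and _external(m.group(1), own_hosts):
            findings.append({"kind": "referer_redirect", "cond": pending_cond, "url": m.group(1)})
        pending_cond = None  # a RewriteRule or any other directive closes the block
    return findings


def tally(findings):
    """Unique redirect hosts plus a TLD breakdown, as the talk did for its URL list."""
    hosts = sorted({urlparse(f["url"]).hostname.lower() for f in findings})
    tlds = Counter(h.rsplit(".", 1)[-1] for h in hosts)
    return hosts, tlds


# --- constructed samples ----------------------------------------------------
OWN_HOSTS = {"example.com", "www.example.com"}
SAMPLES = {
    "site1": """# constructed sample: both infection styles from the talk
ErrorDocument 404 http://constructed-one.ru/in.php
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*(google|yahoo|bing|msn).*$ [NC]
RewriteRule ^(.*)$ http://constructed-two.ru/go.php?q=$1 [R=301,L]
""",
    "site2": """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*
RewriteRule .* http://constructed-three.info/x [R,L]
ErrorDocument 404 /404.html
""",
    "clean": """RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
ErrorDocument 404 http://www.example.com/not-found
""",
}


def scan_all(samples=SAMPLES, own_hosts=OWN_HOSTS):
    """Scan every sample; returns {site_name: findings}."""
    return {name: scan_htaccess(text, own_hosts) for name, text in samples.items()}


if __name__ == "__main__":
    results = scan_all()
    for name, found in results.items():
        print(name, found)
    print(tally([f for fs in results.values() for f in fs]))
```

On a real host you would feed each customer's .htaccess to `scan_htaccess` with that site's own hostnames, and the `tally` output is the same kind of URL list and TLD breakdown the speaker walked through; a relative ErrorDocument or a RewriteRule to a local path never counts as a finding.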
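The back door section of the talk walks through eval(base64_decode(...)), then gzip plus base64, then str_rot13 on top, and makes the point that once you swap eval for print and run the deobfuscators, every variant decodes to the same r57 body. The unwrapper below is an added example that does that peeling statically in Python rather than with sed and the PHP interpreter; it is not the speaker's tooling. The decoder names are real PHP functions, but the shell body, the four samples and the `family_id` fingerprint helper are constructed for the example. It also covers the assert() variant and a second wrapper layer around a whole first-layer sample, which the talk mentions but does not show decoded.

```python
"""Static unwrapper for the eval(base64_decode(gzinflate(str_rot13('...'))))
style PHP wrappers discussed in the talk.  Added example: the wrapper names are
real PHP functions; the shell body and the samples are constructed stand-ins."""
import base64
import codecs
import hashlib
import re
import zlib

# Byte-level equivalents of the PHP decoding functions the wrappers chain.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw DEFLATE, as in PHP
    "gzuncompress": zlib.decompress,                  # zlib-framed
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# eval(...) or assert(...) around zero or more wrapper calls around one string literal.
WRAPPER_RE = re.compile(
    r"@?\b(eval|assert)\s*\(\s*((?:\w+\s*\(\s*)*)(['\"])([^'\"]*)\3\s*\)+\s*;?",
    re.DOTALL,
)


def unwrap(source, max_layers=20):
    """Peel wrapper layers (the 'swap eval for print' trick, done statically).

    Returns (inner_payload, layers); each layers entry names the call chain of
    one peeled level, outermost function first."""
    payload, layers = source, []
    for _ in range(max_layers):
        m = WRAPPER_RE.search(payload)
        if not m:
            break
        funcs = re.findall(r"\w+", m.group(2))
        unknown = [f for f in funcs if f not in DECODERS]
        if unknown:
            raise ValueError("unsupported wrapper(s): %s" % unknown)
        data = m.group(4).encode("latin-1")
        for f in reversed(funcs):  # PHP evaluates the innermost call first
            data = DECODERS[f](data)
        layers.append((m.group(1), *funcs))
        payload = data.decode("latin-1")
    return payload.strip(), layers


def family_id(source):
    """Fingerprint the decoded body, not the wrapper: stable across re-encodings."""
    inner, _ = unwrap(source)
    return hashlib.sha256(inner.encode("latin-1")).hexdigest()[:16]


# --- constructed samples (not real malware) ---------------------------------
SHELL_BODY = "/* constructed stand-in for a shell body */ echo 'shell';"


def _b64(b):
    return base64.b64encode(b).decode()


def _deflate(b):  # inverse of gzinflate
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(b) + c.flush()


_body = SHELL_BODY.encode()
SAMPLES = {
    "plain_b64": "<?php eval(base64_decode('%s')); ?>" % _b64(_body),
    "gz_b64": "<?php eval(gzinflate(base64_decode('%s'))); ?>" % _b64(_deflate(_body)),
    "rot13_gz_b64": "<?php eval(str_rot13(gzinflate(base64_decode('%s')))); ?>"
    % _b64(_deflate(DECODERS["str_rot13"](_body))),
}
# A second layer wrapped around a whole first-layer sample, assert() instead of eval().
SAMPLES["assert_nested"] = "<?php @assert(base64_decode('%s')); ?>" % _b64(
    SAMPLES["gz_b64"].encode()
)

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        inner, layers = unwrap(src)
        print(name, layers, family_id(src), inner == SHELL_BODY)
```

Because `family_id` hashes what comes out of the last layer, all four samples report one identifier even though no two of them share a byte on disk, which is the talk's point about signatures on the wrapper being easy to defeat. The preg_replace /e, variable-function and bitwise-string variants the speaker shows later build the same call dynamically, so this regex will not match them; that is exactly why the talk ends with file system monitoring rather than fingerprints.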