• No results found

How to detect hackers on your web server

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "How to detect hackers on your web server"

Copied!
12
0
0

Loading.... (view fulltext now)

Download now ( 12 Page )

Full text

(1)

How to detect hackers on your web

server

Catch hackers red handed through real-time security event

log monitoring

A discussion of the methods used by hackers to attack IIS web servers, and

how you can use event log monitoring on your web server to be alerted to

successful attacks immediately.

(2)

Introduction

This white paper focuses on how administrators can set up their web servers successfully and safely. Describing the tools used by hackers to gain backdoor access to your IIS web servers, this paper details the necessary steps to detect successful intrusions on your network, as well as explaining how to prevent such attacks to your web server.

Introduction...2

Hacking a web server is not difficult ...2

Tools of the hacker trade...3

Intrusion detection by monitoring key system files...5

How to detect attacks on your server ...6

About GFI LANguard Security Event Log Monitor (S.E.L.M.) ...11

About GFI ...12

Hacking a web server is not difficult

Internet Information Services (IIS) web servers are highly popular among business organizations, with more then 6 million installations worldwide. Unfortunately, this makes IIS web servers also a popular target amongst hackers. As a result, every so often, new exploits emerge which endanger your IIS web server’s integrity and stability.

Many administrators have a hard time keeping up with the various security patches released for IIS to cope with each new exploit, making it easy for malicious users to find a vulnerable web server on the Internet. Taking advantage of an exploit is not difficult with the appropriate hacker tools – these enable the average teenage hacker to easily attack and even control your web server, with the possibility of penetrating your internal network.

In other words, it is not too difficult for outsiders to access proprietary corporate information. Worse still, hackers need not be teenagers out for a thrill, as is commonly presumed: disgruntled employees and competitors, for instance, may have their own reasons for breaking into confidential areas of your network.

Few hacker attacks are actually instantly recognizable as such, and fewer still become high profile affairs reported in the media. Most attacks are not easy to discover because many intruders prefer to remain hidden so that they can use the IIS web server they have hacked as a launch base for attacks on far more important or popular web servers. Apart from endangering your own web site’s integrity, such use of your server can render you liable should it be used to launch an attack on another organization.

(3)

Tools of the hacker trade

Many tools exist to facilitate hackers who wish to deface a web site. Such tools are so easy to use that even someone with no prior hacking experience can make a mess out of a web server in no time at all.

The Internet Printing Protocol (IPP) exploit

IPP exploit made easy

A program that makes use of this exploit is Internet Printing Protocol Exploit v.0.15 (see figure above). This is based on the infamous original exploit code in a C program file named “jill.c”, made public by a hacker using the alias “dark spyrit”.

This application uses a vulnerability in the IPP buffer overflow on an IIS web server. All the hacker needs to do is type in the name of the targeted web server (or a computer with IIS installed on it) and click on “Connect”.

Upon connecting, the application will send the actual string that overflows the stack, leading to the execution of custom code (that is known as shell code) and connecting the file cmd.exe to the specified port on the attacker’s side (default being 31337).

This can bypass typical firewall configurations and other similar security measures.

Once that is done, the hacker is presented with a command line and SYSTEM access, from where he/she could carry out a number of activities that an administrator would definitely not have authorized, such as gaining access to databases that could contain credit card details and other such confidential data.

(4)

The UNICODE and CGI-Decode exploits

Unicode exploit using Internet Explorer

Two other exploits preferred by web site defacers include the UNICODE and CGI-Decode exploits. Here, the hacker can simply use the browser itself to do anything on a target machine that is running an un-patched version of IIS. All it takes is Internet Explorer and a “magic string” to execute anything under the anonymous account of the IIS. The above screenshot shows a directory dump of C:\ of the IIS server in the web browser itself! This is just a simple example to demonstrate that the hacker can gain access to your web server’s hard disk.

Initially, this access is limited to the user rights of the IIS anonymous user account (IUSR_computername). Once the hacker has IIS anonymous access, he can easily upload an ASP file, which can escalate his access to SYSTEM privileges. Such an action would give him full access to the hacked computer, meaning he can do anything.

Custom-made applications

Some web site cracker groups prefer to produce their own applications to automate the process of defacing a web site.

IIS Storm by m0sad

(5)

named IIS Storm v.2. An excerpt from the IIS Storm manual runs: “IIS Storm is a tool made for Remote Web Site Defacement that is running IIS (Internet Information Server [NT platform]) and that also vulnerable to the Unicode Exploit.”

Tools such as this give full hacking capabilities to both skilled and unskilled hackers. IIS Storm also allows users to hide their original IP address through anonymous proxies, and to easily replace files on the target website with their own custom HTML pages.

PoizonB0x, another notorious group of self-proclaimed “cyber-terrorists” and “net-warriors”, created iisautoexp.pl, an automated tool that handles all the legwork required to gain access and perform defacing operations.

To deface a web site, all the malicious user has to do is give the name of the web site to the script and run it. If the web site is vulnerable to attack (that is, if it does not have the appropriate patches applied), the front page (index.htm, default.htm, default.asp or variants) is changed to read “PoizonB0x Ownz YA”. This way, hackers can create a batch file with the names of their target web sites, producing a mass defacement of IIS web servers. This script can be adapted and run on both Windows and UNIX machines.

Knowing that your web server has been attacked is easy if your web page is defaced. However, many hackers prefer stealth and install a Trojan to siphon off data or perform other malicious activity. They will make sure not to leave any traces of their intrusion.

Intrusion detection by monitoring key system files

So how can one protect against this potential onslaught of attacks? Well, almost all exploit tools for IIS servers make use of one or more system files. By monitoring the activity on these files in real time, an administrator can catch a hacker red-handed. The following system files are frequently used by hacker tools:

1. cmd.exe: This is the command line emulation program in Windows; from here, users can administer the server

2. ftp.exe: The command line FTP client available with all Microsoft Windows platforms; hackers use this to obtain the files they need on the server machine from a remote FTP server

3. net.exe: This program enables machine administration; under the system account, hackers can use this tool to create backdoor users and groups, start and stop services, access other machines on the network, and more

4. ping.exe: This program simply sends an ICMP echo packet to remote hosts; hackers can use your server together with other vulnerable servers to run ping against a target host, thus creating a DDoS (Distributed Denial of Service attack) on the target

5. tftp.exe: This is a TFTP client that is also available with all Microsoft Windows machines; some hackers prefer this to ftp.exe and will use it to get the files they need to further

(6)

penetrate the IIS server.

When a cracker runs cmd.exe using the UNICODE exploit, it is actually run by the Internet Guest Account (IUSR_machinename). Since this user has no business running this file, a network-wide event log monitor such as GFI LANguard S.E.L.M. can log any events in which this account runs cmd.exe. This way, GFI LANguard S.E.L.M. can immediately inform the administrator of the intrusion.

Buffer overflow attacks obtain the SYSTEM account instead. This means that from here, the malicious user who has already intruded the machine can change to any other user and basically do anything that the operating system itself can. However if GFI LANguard S.E.L.M. is enabled to monitor cmd.exe and log whenever the SYSTEM account has accessed this file, the network administrator will now be able to detect such activity - because to change to another user, tools make use of the command line itself.

How to detect attacks on your server

After examining how intruders operate, administrators can now configure their server and GFI LANguard S.E.L.M. to catch hackers red-handed.

Step 1: Configuring your web server to audit objects

To monitor commonly used files, object auditing must be enabled in Windows web servers.

Audit Policy – object access

If the web server is a standalone server, to enable object auditing, you must: 1. Go to the Administrative Tools – Local Security Policy

(7)

3. Double-click on Audit Object Access and select Success and Failure.

If the web server is part of the domain, you must enable object auditing as a Domain Policy (rather than just Local Policy). This is done in the same manner via Administrative Tools – Domain Security Policy.

Once that is done, the files you want to audit must be specified. In this case we want to audit: cmd.exe, ftp.exe, net.exe, ping.exe and tftp.exe.

The auditing tab

To enable object access auditing to log each time the SYSTEM account and Internet guest account attempt to run cmd.exe:

1. Right-click on cmd.exe and select Properties 2. Next select the Security tab and click on Advanced 3. Select the Auditing tab and click on Add

4. Now you can enter which users should get logged when they try to access the Object (cmd.exe): Select the SYSTEM account

5. To enable full auditing on cmd.exe / SYSTEM account, select all Successful and Failed options

(8)

6. Press OK, select Add and do the same for the IUSR account.

7. This procedure must be followed for ftp.exe, net.exe, ping.exe, and tftp.exe.

Access to these files by the System or IUSR account will now be logged to the security event log.

Configuring auditing

Step 2: Configuring GFI LANguard S.E.L.M. to monitor for these events and alert administrator

Now you have configured file access auditing, you must configure GFI LANguard S.E.L.M. to detect these security events:

(9)

GFI LANguard S.E.L.M configuration console

1. In the GFI LANguard S.E.L.M. Configuration, ensure that the web server is listed in the Computers to monitor node

2. Now go to the Event Processing Rules > Security Event Log > Object Access node. Select the node, right-click and select New > Processing rule

3. Click on add, and add the events numbered 560 and 562. These events will identify an intrusion. Event 560: Object Open – Meaning the object (e.g. cmd.exe was run) was accessed, and Event 562: Handle Closed – Meaning that the object is no longer in use (e.g. Cmd.exe was closed)

4. By default the rule will be applied to all computers that GFI LANguard SELM monitors. To specify the web server only, go to the general tab and specify the web server computer name. Specify a clear description too

(10)

Creating a new object access rule

GFI LANguard S.E.L.M. will now monitor your web server for these events, and if CMD.exe is run, it will notify you immediately!

Step 3: Testing your new IDS

Once you have configured the above, you can test it. You can do this by creating a new ASP script. If you have properly set up your auditing policies and enabled object access on the indicated files, this script will create and trigger an object audit rule. GFI LANguard S.E.L.M will then collect the generated event from the security event log, and – because a matching rule exists – it will send an email alert to the administrator to advise that cmd.exe has been accessed.

The script below will simply run cmd.exe and make a directory listing of the C:\ in the background. You can place this file on your IIS server and try to access it via the web browser. <%@ Language=VBScript %>

<%' --- ' SELM_test.asp : used to test Languard S.E.L.M ' By : Sandro Gauci <Sandro@gfi.com>

(11)

' --- Dim oScript

On Error Resume Next

Set oScript = Server.CreateObject("WSCRIPT.SHELL") Call oScript.Run ("cmd.exe /c dir C:\", 0, True)

%> <HTML> <BODY>

You should now receive an alert from GFI LANguard S.E.L.M </BODY>

</HTML>

This ASP script can be downloaded from: ftp.gfi.com/testselm.zip

About GFI LANguard Security Event Log Monitor (S.E.L.M.)

GFI LANguard Security Event Log Monitor (S.E.L.M.) performs event log based intrusion detection and network-wide event log management. GFI LANguard S.E.L.M. archives and analyzes the event logs of all network machines and alerts you in real time to security issues, attacks and other critical events. GFI LANguard S.E.L.M.'s intelligent analysis means you do not need to be an 'Event Guru' to be able to: Monitor users attempting to access secured shares and confidential files; Monitor critical servers and create alerts for specific events and conditions occurring on your network; Back up and clear event logs automatically on remote machines; Detect attacks using local user accounts; and much more!

For more info on GFI LANguard S.E.L.M. and to download your free trial, please visit http://www.gfi.com/lanselm/.

(12)

© 2006 GFI Software Ltd. All rights reserved. The information contained in this document represents the current view of GFI on the issues discussed as of the date of publication. Because GFI must respond to changing market conditions, it should not be interpreted to be a commitment on the part of GFI, and GFI cannot guarantee the accuracy of any information presented after the date of publication. This White Paper is for informational purposes only. GFI MAKES

About GFI

GFI is a leading provider of network security, content security and messaging software. Key products include the GFI FAXmaker fax connector for Exchange and SMTP mail servers; GFI MailSecurity email content/exploit checking and anti-virus software; GFI MailEssentials server-based anti-spam software; GFI MailArchiver an email archiving solution; GFI LANguard Network Security Scanner (N.S.S.) security scanning and patch management software; GFI Network Server Monitor that automatically sends alerts, and corrects network and server issues; GFI LANguard Security Event Log Monitor (S.E.L.M.) that performs event log based intrusion detection and network-wide event log management; GFI EndPointSecurity that enables network-wide control of removable media[angelica@gfi.com] and GFI WebMonitor, HTTP/FTP monitoring and anti-virus software for ISA Server. Clients include Microsoft, Telstra, Time Warner Cable, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI has offices in the US, the UK, Germany, Cyprus, Romania, Australia and Malta, and operates through a worldwide network of distributors. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion (GEM) Packaged Application Partner of the Year award. For more information about GFI, visit http://www.gfi.com.

References

Download now ( PDF - 12 Page - 135.55 KB )

Related documents

Monthly Mortgage Amortization Schedule Excel

Nominal annual percentage of mortgage schedule determines the excel loan amortization schedule will have other loan using the majority of time.. Borrower to this, mortgage

Neuroinflammatory Alterations via CD-36 in Traumatic Brain Injury

Here, we additionally tested whether stem cell therapy alone or in combination with sRAGE targeting human cells (i.e., human neural progenitor cells or hNP1),

“Books Like This Cannot Be Useless”: The Political and Popular Reception of Victor Hugo’s Les Misérables in Civil War America

The Continental critic writes, “Vulgarity is the open doorway to vice, and philosophize as we may, sketches of thieves and vagabonds, gamins, prostitutes and liars are vulgar

Bayesian logistic regression for presence-only data

The new formalization using the stratified sample design with non-overlapping strata, allows to consider rigorously all the mathematical details of the model as for instance

Status of Filing in Domicile:

Author: Holly Parenti Disposition Date: 04/10/2009 Date Submitted: 04/08/2009 Disposition Status: Filed Implementation Date Requested: On Approval Implementation Date: State

Hopper Design Solids Notes

The forces acting on the powdered material stored in a hopper tend to (1) compact the powder (i.e., reduce its bulk density), and (2) the shear stresses in the material tend to

Association of response to TNF inhibitors in rheumatoid arthritis with quantitative trait loci for CD40 and CD39

Objectives We sought to investigate whether genetic effects on response to TnF inhibitors (TnFi) in rheumatoid arthritis (ra) could be localised by considering known