forensic analysis of a linux
play

Forensic analysis of a Linux web server 1 www.nbs-system.com - PowerPoint PPT Presentation

Mar 24, 2023 •308 likes •603 views

Mathieu Deous Julien Reveret Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What

  1. Mathieu Deous – Julien Reveret Forensic analysis of a Linux web server 1 www.nbs-system.com

  2. Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What about privilege escalation ? How has rootkit detection evolved ? 2 www.nbs-system.com

  3. Who are we ? • Security guys doing both offensive and defensive stuff • Our company is hosting 3000+ sites in a private cloud 3 www.nbs-system.com

  4. Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What about privilege escalation ? How has rootkit detection evolved ? 4 www.nbs-system.com

  5. Performing forensic analysis on a compromised web server Some people think finding out what attackers did on a server is an easy task since their activities are « obviously malicious » : - Sending spam - Scanning /DoSing other servers - Hosting phishing sites But sometimes there can be days, weeks, months between a compromise and illegal activities … 5 www.nbs-system.com

  6. Performing forensic analysis on a compromised web server You end up trying to find files which don’t exist anymore Sometimes access to webshells are sold on underground markets:  Tons of different IP addresses  Who first dropped the malicious files ?  How did the attacker(s) compromise the web server ?  What did the attacker(s) do ? 6 www.nbs-system.com

  7. Performing forensic analysis on a compromised web server 7 www.nbs-system.com

  8. Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What about privilege escalation ? How has rootkit detection evolved ? 8 www.nbs-system.com

  9. What to search, where, how ? Logs Detecting a compromise using logs: - You know what the backoffice URI is, you can check for: - Bruteforce attempts - Login success and sort the IP addresses - You found a malicious file: - Check the logs for it  Apply the iterative process  Find other IP addresses  Potentially find other malicious file or compromise source - On a wordpress blog: upon successful authentication, the user is redirected using a 302 HTTP code, you can easily find if an attacker successfully logged into the wordpress backoffice ! « Know your web applications ! » 9 www.nbs-system.com

  10. What to search, where, how ? php-malware-finder Do you know Yara? From https://github.com/plusvic/yara : “YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples .” Thanks to Julien Voisin, we now have a set of yara rules to detect most of the PHP malwares usually found on our customers ’ compromised servers. Get it at http://github.com/nbs-system/php- malware-finder 10 www.nbs-system.com

  11. What to search, where, how ? php-malware-finder Example usage: $ php-malware-finder – f /var/www/customer/prod/ ObfuscatedPhp /var/www/customer/prod/blog/wp-content/uploads/2015/06/maink.php ObfuscatedPhp /var/www/customer/prod/blog/wp-content/plugins/nrelate-related-content/nrelate- related.php ObfuscatedPhp /var/www/customer/prod/var/usimpleup/unpacked/Unirgy_StoreLocator.zip/app/code/community/Unirgy/S toreLocator/Helper/Protected.php ObfuscatedPhp /var/www/customer/prod/lib/PEAR/SOAP/WSDL.php DodgyStrings /var/www/customer/prod/lib/phpseclib/Net/SSH1.php ObfuscatedPhp /var/www/customer/prod/lib/Zend/Session.php DodgyPhp /var/www/customer/prod/lib/Zend/Ldap/Converter.php The maink.php file is a malware, others are false positives ;) 11 www.nbs-system.com

  12. What to search, where, how ? php-malware-finder Can’t you get rid of false positives ? Not sure, look at this « legitimate » Magento module: $ less ./Model/Mysql4/Enginecategory.php <?php ${"GLO\x42\x41LS"}["w\x73\x74h\x72si"]="\x75\x70\x64\x61\x74e\x51\x75\x65\x72\x79";${"\x47\x4c\x4 f\x42\x41\x4c\x53"}["\x6b\x6e\x77\x64\x62q\x6e"]="\x63\x61\x74a\x6c\x6fg\x43a\x74\x65go\x72y\x45\ x6e\x74\x69t\x79Te\x78tT\x61\x62\x6c\x65";${"\x47\x4cO\x42\x41\x4cS"}["\x75\x6feh\x70\x6f"]="\x72 \x65s\x75\x6ct";${"\x47LOB\x41\x4cS"}["sp\x63g\x72\x65\x76l\x63b\x65"]="\x77\x68\x65\x72e";${"\x4 7\x4c\x4fB\x41\x4cS"}["que\x6ae\x78\x74\x6b\x75"]="\x69\x74\x65m";${"\x47\x4c\x4fB\x41L\x53"}["\x 68h\x63il\x6biq\x74us\x70"]="i\x74e\x6d\x73";${"\x47\x4cO\x42A\x4cS"}["\x70\x65\x65\x6c\x69\x6cy\ x66\x6cdf"]="\x76\x61\x6c\x75es";${"\x47\x4c\x4fB\x41LS"}["hh\x6fz\x6a\x70\x64\x62b\x6b\x62\x75"] ="\x63\x6fl\x75\x6dn\x73";${"\x47\x4c\x4fB\x41\x4c\x53"}["k\x64\x79o\x61\x6cj"]="\x65\x6d\x70\x74 y\x52e\x63\x6f\x72d";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["t\x69\x72\x6at\x6c\x65\x7aon"]="\x72\x6f\ x77";${"\x47\x4c\x4f\x42\x41L\x53"}["\x65\x6f\x70i\x78\x78\x6c\x69"]="i";${"G\x4c\x4f\x42\x41\x4c \x53"}["\x76\x69\x67\x67\x68dq\x67u"]="\x73\x71l";${"\x47\x4c\x4f\x42ALS"}["e\x6e\x78b\x6cx\x71uo \x71\x72\ 12 www.nbs-system.com

  13. What to search, where, how ? Offensive tools « To survive the war, you gotta become the war » There are opensource tools to test the security of web applications. Let’s stick to our WordPress blog and find tools to exploit vulnerabilities: - WIG: Webapp Information Gatherer - Sucuri wordpress scanner or Vane (wordpress scanner fork) - CMSmap - Arachni 13 www.nbs-system.com

  14. Performing forensic analysis on a compromised web server First step is to determine as much as you can about the web application, wig aims at providing information. Tools such as wpscan maybe give you hint about which vulnerability the attacker(s) used: Title: WordPress Slider Revolution Vulnerability Reference: https://wpvulndb.com/vulnerabilities/7540 Reference: http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being- exploited.html Reference: http://marketblog.envato.com/general/affected-themes/ Reference: http://osvdb.org/109645 Reference: http://www.exploit-db.com/exploits/34511/ Reference: http://www.exploit-db.com/exploits/35385/ 14 www.nbs-system.com

  15. Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What about privilege escalation ? How has rootkit detection evolved ? 15 www.nbs-system.com

  16. What about privileges escalation ? Most illegal activities don’t require high privileges : - Hosting a phishing site can be done only with Apache right - Sending spam is possible even for a low privilege account - Simple (d)DoS tools But sometimes, the attacker gets root privileges, because: - There was an obvious unpatched local vulnerability on your server - He/She was determined (did someone say APT ?) 16 www.nbs-system.com

  17. What about privileges escalation ? How would you detect such escalation ? One answer is: snoopy snoopy is merely a shared library that is used as a wrapper to the execve() function provided by libc as to log every call to syslog (authpriv). system administrators may find snoopy useful in tasks such as light/heavy system monitoring, tracking other administrator's actions as well as getting a good 'feel' of what's going on in the system (for example Apache running cgi scripts). .. And don’t forget to centralize your logs ;-) 17 www.nbs-system.com

  18. What about privileges escalation ? How would you prevent it from happening ? By hardening your system: - Use a Grsec patched kernel ( that’s what we do) - Contain applications using AppArmor - Regularly assess your system - Unix-privesc-check - Lynis 18 www.nbs-system.com

  19. What about privileges escalation ? [+] Debian Tests ------------------------------------ - Checking for system binaries that are required by Debian Tests... - Checking /bin... [ FOUND ] … - Checking /usr/local/sbin... [ FOUND ] - Authentication: - PAM (Pluggable Authentication Modules): - libpam-tmpdir [ Not Installed ] … - File System Checks: - DM-Crypt, Cryptsetup & Cryptmount: - Checking / on /dev/sda1 [ NOT ENCRYPTED ] … - Software: - apt-listbugs [ Not Installed ] - apt-listchanges [ Installed and enabled for apt ] … 19 www.nbs-system.com

  20. What about privileges escalation ? You can look at your system activity too ! • Using what ? Strace on processes ? • Please, we’re in 2015 ;) Sysdig can be really helpful and it has many modules: $ sysdig – c topprocs_net $ sysdig – c topconns And last but not least: $ sysdig – c spy_users 20 www.nbs-system.com

  21. What about privileges escalation ? $ sysdig -c topprocs_net Bytes Process ------------------------------ 788.63M /usr/sbin/httpd 69.69M /usr/local/bin/selks 5.27M sshd 2.38M wget 20.81KB httpd 9.94KB httpd 6.40KB bash $ sysdig -c topconns Bytes Proto Connection ------------------------------ 3133.7M udp 10.0.0.3:14929->5.43.24.212:80 4.91M tcp 192.168.135.30:29421->10.0.0.3:22 21 www.nbs-system.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University Specialist, Swedish National Laboratory of Forensic Science Forensic science Every contact leaves a trace Edmond Locard (1877 1966) Forensic

1.32k views • 78 slides
Linux and Law Enforcement Challenges and Opportunities Dr. Joshua I. James Digital Forensic

Linux and Law Enforcement Challenges and Opportunities Dr. Joshua I. James Digital Forensic

Linux and Law Enforcement Challenges and Opportunities Dr. Joshua I. James Digital Forensic Investigation Research Laboratory SoonChunHyang University Joshua@cybercrimetech.com http://forensics.sch.ac.kr whoami Dr. Joshua I. James

399 views • 36 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung,

Forensic evaluation of nine miniSTR loci to aid analysis of degraded DNA in Koreans Ukhee Chung, Hwan Young Lee, Myung Jin Park, Sang-Ho Cho, Kyoung-Jin Shin and Woo Ick Yang Department of Forensic Medicine, Yonsei University College of

554 views • 13 slides
T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

T and Science of Forensic Monitoring Forensic Monitor may be employed by one Board or a

11/5/2015 The T and Science of Forensic Monitoring Robert N. Baker, PhD Jeannie Cool, PCC-S Lottie Gray, MSSA, LISW, CDCA Julia King, PsyD, MBA T and Science of Forensic Monitoring Has your boss just told you? You are our New Forensic

389 views • 24 slides
Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18,

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

1.29k views • 67 slides
Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

Outline of presentation MPS in forensic genetics Developed 3 in-house MPS panels

2017-09-05 Implementing Massively Parallel Sequencing for Forensic DNA Analysis Using In-house PCR Panels Kyoung-Jin Shin, Ph.D. Dept. of Forensic Medicine Yonsei University College of Medicine Seoul, Republic of Korea Outline of

710 views • 23 slides
THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations

THE NEW FORENSIC PATIENT Learning Objectives Review the epidemiology of forensic populations Explore various clinical presentations seen in forensic settings Implement evidence-based and novel treatment strategies to the new forensic

946 views • 80 slides
Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on

Forensic Feature Extraction and Cross-Drive Analysis Simson L. Garfinkel Center for Research on Computation and Society Harvard University 1:15pm, Tuesday, August 15, 2006 1 Todays forensic tools are designed for one drive at a time.

552 views • 34 slides
A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

379 views • 36 slides
Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric

Forensic Voice Comparison and Forensic Acoustics 1 Value and Interpretation of Biometric Evidence in Forensic Automatic Speaker Recognition Dr. Andrzej Drygajlo Speech Processing and Biometrics Group Swiss Federal Institute of Technology

546 views • 44 slides
Massive Sequence Analysis of Forensic STR Loci using Next Generation Sequencing and Its

Massive Sequence Analysis of Forensic STR Loci using Next Generation Sequencing and Its

2014-12-08 Massive Sequence Analysis of Forensic STR Loci using Next Generation Sequencing and Its Application to Mixture Analysis Eun Hye Kim, In Seok Yang, Sang-Eun Jung, Hwan Young Lee, Woo Ick Yang, and Kyoung-Jin Shin Department of

124 views • 9 slides
Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic

Regional Forensic Trainings 2013 Pathways to Conditional Release: An Overview of the Forensic Mental Health System Robert N. Baker, PhD Assistant Chief Office of Forensic Services, ODMH Objectives Provide an overview of the forensic

581 views • 40 slides
Hardening PHP - Some basic security measures. Antonio Bonifati

Hardening PHP - Some basic security measures. Antonio Bonifati

Hardening PHP - Some basic security measures. Antonio Bonifati &lt;http://ninuzzo.freehostia.com&gt; ABSTRACT A summary of the most important PHP settings aimed at improving security of PHP web servers. Whenever you have to harden a PHP

615 views • 5 slides
Catch Your Own Bugs: Including all Engineers in the Automation Cycle Laura Bright McAfee, Inc .

Catch Your Own Bugs: Including all Engineers in the Automation Cycle Laura Bright McAfee, Inc .

Catch Your Own Bugs: Including all Engineers in the Automation Cycle Laura Bright McAfee, Inc . Laura_Bright@mcafee.com October 9, 2012 Introduction End-to-end automation frameworks provide many benefits Continual monitoring of product

423 views • 23 slides
Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical

Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical

Your web server has been hacked now what? Archzilon Eshun-Davies (@laudarch)_ CISO/CEO Tactical Intelligence Security OWASP Ghana 2019 Who is this talk for? - Individuals, developers and sys admins. Are you sure youve been hacked? Q1:

247 views • 11 slides
A Big Data Architecture for the Detection of Anomalies within Database Connection Logs Swapneel

A Big Data Architecture for the Detection of Anomalies within Database Connection Logs Swapneel

A Big Data Architecture for the Detection of Anomalies within Database Connection Logs Swapneel Mehta, Prasanth Kothuri, Daniel Lanza Garcia European Organisation for Nuclear Research Meyrin, Geneva {swapneel.sundeep.mehta, prasanth.kothuri,

253 views • 6 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Introduction Introduction Welcome to the course! Instructor: Dr. Charles J. Antonelli

209 views • 10 slides
FLEET COMMANDER THE EFFICIENT WAY OF MANAGING THE DESKTOP PROFILES OF YOUR FLEET! FABIANO

FLEET COMMANDER THE EFFICIENT WAY OF MANAGING THE DESKTOP PROFILES OF YOUR FLEET! FABIANO

FLEET COMMANDER THE EFFICIENT WAY OF MANAGING THE DESKTOP PROFILES OF YOUR FLEET! FABIANO FIDNCIO OLIVER GUTIRREZ WHAT IS A DESKTOP PROFILE? A GROUP OF DESKTOP RELATED SETTINGS ASSOCIATED TO A USER, GROUP, HOST OR HOSTGROUP WHAT IS FLEET

816 views • 14 slides
A First Look at Traffic on Smartphones by Falaki et al. Andrew Zafft CS Department Agenda

A First Look at Traffic on Smartphones by Falaki et al. Andrew Zafft CS Department Agenda

A First Look at Traffic on Smartphones by Falaki et al. Andrew Zafft CS Department Agenda Objective Study Structure Outcomes &amp; Observations Future Work / Citations Conclusions 2 Worcester Polytechnic Institute

581 views • 21 slides
LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic

Outline Launching of t he LHC Logging proj ect Mandat e, scope and obj ect ives LHC LOGGING Timeline of t he proj ect , resources Cont ext : where does logging f it in? Basic f unct ionalit ies Filt ering of dat a I nt erf acing t o ot

667 views • 3 slides

More recommend