Hackers never sleep. According to just one defacement archive, zone-h.org (see its Onhold section), hundreds of sites are hacked every day.
Are you sure your site is not among them? You do not need to be a professional hacker to break into a site. This article deals with the so-called "kulkhackers" (script kiddies who live off the fruits of other people's "labour") and with the simplest cases of hacking. The article is in no way a how-to on hacking sites. Its goal is to show how easy hacking is, to recommend measures for protecting a site, and to describe what to do if the site has been hacked by "Kosovo Albanians".
An example of a successful search for a hacker by Russian law enforcement agencies is also given.
How does a site get hacked?
The most common ways of getting into a site are:
- brute-forcing trivial passwords for the admin panel or FTP ("domain name", 12345, admin, test, etc.); oddly enough, a large share of hacks happen exactly this way;
- exploiting vulnerabilities in scripts (the CMS and its modules).
I will explain using Joomla + CKForms as an example. So as not to lead anyone into temptation, I do not publish a link to the description: it is far too easy to use, but it is also easy to find. Vulnerabilities in the CKForms module allow SQL injection or PHP inclusion and, after a few simple manipulations, give access to the admin panel. The vulnerability is exploited with a single request typed into the browser's address bar.
The whole thing takes literally five minutes and requires no serious knowledge from the cracker. What happens next depends on the attacker's imagination: anything from an unpleasant defacement to destruction of the site and attempts to seize control of other sites and of the server.
I took all the measures, so how was the site still hacked?
How can a hacker on shared hosting get access to other sites when the site owner has taken every known measure? After all, almost everywhere access to sites is separated by user accounts, and it would seem that this should protect a site from its neighbours.

Let us confine ourselves to one case. Running scripts as an Apache module, for example mod_perl, is a serious danger: in that case the script runs as the Apache user, and that user has access to the data of every site on the server.
The hacker, as described above, gains access to one single site. He then uploads a console script, for example cgi-telnet. And if the configuration files of other users' sites have permissions 644 (let alone 777!), the files containing passwords are easy to read from that console. But only if the perl script runs as the Apache user, i.e. under mod_perl (the situation with mod_php is the same). When the script runs under FastCGI, for example, this method does not give access to the files. You can protect yourself by setting permissions 600 on critical files and by using FastCGI (with the handler running as the site's own user, otherwise it separates nothing).
How can an attacker get control of the server itself?
I will give one common example for Linux systems. As before, you first need access to one single site.
There are several kernel vulnerabilities involving a NULL pointer dereference that affect many Linux distributions, for example:
Linux Kernel 'sock_sendpage()' NULL Pointer Dereference Vulnerability (CVE-2009-2692). Exploits are also described there
(be careful, they work!).
Although this problem has been known for a long time, there are many unpatched servers, including in Russia. The simplest protection is described, for example,
here .
It does not guarantee 100% protection: it relies on the vm.mmap_min_addr sysctl, which stops unprivileged processes from mapping memory at the lowest addresses (including address 0, where these exploits place their payload), and installing Wine, for example, can reset that parameter back to 0. It is strongly recommended to apply the patches, which can be obtained from the page mentioned above or from official sources.
This issue was discussed on Habr.
Protecting against these exploits is the server administrator's responsibility.
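As an added example (not from the original article), here is a small audit script for the two server-side conditions from the previous two sections: configuration files that the Apache user can read under mod_php/mod_perl, and vm.mmap_min_addr having been reset to 0. The list of configuration file names, the docroot layout of the constructed sample tree, and the 4096-byte threshold are assumptions.

```python
#!/usr/bin/env python3
"""Added audit example (not part of the original article).

Checks the two server-side conditions discussed above on a shared host:
  1. config files readable by the Apache user (mode 644, let alone 777),
     which under mod_php/mod_perl expose other customers' DB passwords;
  2. vm.mmap_min_addr reset to 0, which lets a kernel NULL-pointer
     dereference be turned into code execution (Wine installs can do this).
The config-file names, the docroot layout and the sample values below are
assumptions for illustration.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path

# File names that usually hold database credentials (assumed list; extend it)
CONFIG_NAMES = {"configuration.php", "wp-config.php", "config.php",
                "settings.php", "LocalSettings.php"}
MMAP_MIN_ADDR = "/proc/sys/vm/mmap_min_addr"


def world_readable_configs(root):
    """Return sorted (path, mode) pairs for config files readable by group/other."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISLNK(st.st_mode):
                continue                      # the link target is judged on its own
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(findings)


def fix_config_perms(findings):
    """chmod 600 every reported file; returns the paths that were changed."""
    changed = []
    for path, _mode in findings:
        os.chmod(path, 0o600)
        changed.append(path)
    return changed


def mmap_min_addr_ok(path=MMAP_MIN_ADDR, minimum=4096):
    """True if the kernel forbids mapping the low `minimum` bytes, False if not,
    None if the value cannot be read (non-Linux, no permission, garbage).
    Most distributions default to 65536; 0 means the NULL page can be mapped."""
    try:
        with open(path) as f:
            value = int(f.read().strip())
    except (OSError, ValueError):
        return None
    return value >= minimum


# --- constructed sample tree, so the audit can be tried without a real host ---
def make_demo_tree():
    """Three customers' docroots: two exposed configs, one correct, one non-config."""
    root = tempfile.mkdtemp(prefix="hostaudit_")
    layout = {
        "alice/public_html/configuration.php": 0o644,  # Joomla config, apache can read
        "bob/public_html/wp-config.php": 0o777,        # even worse
        "carol/public_html/configuration.php": 0o600,  # as it should be
        "bob/public_html/index.php": 0o644,            # not a config file, ignored
    }
    for rel, mode in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<?php // credentials would live here\n")
        os.chmod(p, mode)
    return root


def write_sample_sysctl(root, value):
    """Fake /proc entry holding `value`, for demonstrating mmap_min_addr_ok."""
    p = Path(root, "mmap_min_addr")
    p.write_text(f"{value}\n")
    return str(p)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else make_demo_tree()
    for path, mode in world_readable_configs(root):
        print(f"{oct(mode)}  {path}")
    print("mmap_min_addr ok:", mmap_min_addr_ok())
```

Run it with the hosting root as the only argument (for example the parent of all customers' home directories); without arguments it audits the constructed sample tree. Note that a 600 config file helps only when the PHP or Perl handler runs as the file's owner (FastCGI with per-user processes), which is exactly the point made above.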
Sequence of actions to eliminate the consequences
"Healing" the site by restoring from a backup is not enough: once a site has been hacked, the attacker will come back to it. What should the site owner do?
- Immediately try to determine which files were replaced; it may be index.php as well as template files, images, etc.;
- Take screenshots of the consequences;
- Be sure to notify the hosting provider and agree on further actions with them;
- Save the site's files to a separate directory, copying them in a way that preserves timestamps; the files' modification times will later help identify the attacker;
- Restore the site from a backup or ask the hoster to do it;
- Download the site's error and access logs, or ask the hosting provider for them; copy them to a separate directory so that they are not lost when the logs are rotated;
- Analysing file modification times and comparing them with the log entries lets you determine the nature of the vulnerability used and the attacker's IP address;
- Update the scripts or, if that is not possible, stop using the vulnerable modules;
- Be sure to change all passwords.
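The log-versus-mtime comparison from the steps above, as an added example that is not part of the original article: the script lists files changed since a given moment, pulls the access-log requests made in the minutes before each change, flags request lines that look like the CKForms-style injection or remote inclusion, and flags IPs hammering the Joomla admin login (the brute-force vector from the first section). The log lines, IPs, paths, timestamps and attack patterns are constructed assumptions, not data from a real incident.

```python
#!/usr/bin/env python3
"""Added triage example (not part of the original article).

Ties together the steps above: list files modified since a given moment,
pull the access-log requests made just before each modification, flag
requests that look like the CKForms-style injection/inclusion, and flag
IPs hammering the Joomla admin login. The log lines, IPs, paths and
timestamps below are constructed, not from a real incident.
"""
import os
import re
import sys
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache combined log: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# What an attack on a vulnerable component leaves in the query string
# (assumed patterns, not exhaustive)
SUSPICIOUS = [re.compile(p, re.I) for p in (
    r"union[\s+]+select",          # SQL injection ('+' is an encoded space)
    r"(?:\.\./){2,}",              # directory traversal
    r"=(?:https?|ftp)(?:%3a|:)",   # remote inclusion: parameter set to a URL
    r"option=com_ckforms",         # the vulnerable Joomla component itself
)]
ADMIN_LOGIN = re.compile(r"^POST /administrator/index\.php")

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({"ip": m["ip"], "req": m["req"],
                            "status": int(m["status"]),
                            "ts": datetime.strptime(m["ts"], TS_FMT)})
    return entries

def modified_since(root, since):
    """{path: mtime} for files under root changed at or after `since` (tz-aware)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)
            except OSError:
                continue
            if mtime >= since:
                found[path] = mtime
    return found

def requests_before(entries, mtime, window=timedelta(minutes=5)):
    """Requests made in the `window` leading up to a file modification."""
    return [e for e in entries if mtime - window <= e["ts"] <= mtime]

def correlate(entries, modified, window=timedelta(minutes=5)):
    """For each modified file, count the client IPs active just before the change."""
    return {path: Counter(e["ip"] for e in requests_before(entries, mt, window))
            for path, mt in modified.items()}

def suspicious_requests(entries):
    """Entries whose request line matches one of the attack patterns."""
    return [e for e in entries if any(p.search(e["req"]) for p in SUSPICIOUS)]

def login_bruteforce(entries, threshold=10):
    """IPs that POSTed to the admin login at least `threshold` times."""
    hits = Counter(e["ip"] for e in entries if ADMIN_LOGIN.match(e["req"]))
    return {ip: n for ip, n in hits.items() if n >= threshold}

# --- constructed sample: one injection, one admin-panel edit, one brute force ---
SAMPLE_LOG = (
    '203.0.113.7 - - [10/Feb/2010:03:12:01 +0300] "GET /index.php?option=com_ckforms'
    '&view=ckforms&id=1%27+UNION+SELECT+1,username,password+FROM+jos_users-- HTTP/1.1" 200 5123\n'
    '203.0.113.7 - - [10/Feb/2010:03:12:40 +0300] "GET /administrator/ HTTP/1.1" 200 2211\n'
    '203.0.113.7 - - [10/Feb/2010:03:13:05 +0300] "POST /administrator/index.php HTTP/1.1" 303 0\n'
    '203.0.113.7 - - [10/Feb/2010:03:14:22 +0300] "POST /administrator/index.php'
    '?option=com_templates&task=edit_source HTTP/1.1" 303 0\n'
    '198.51.100.9 - - [10/Feb/2010:03:14:50 +0300] "GET / HTTP/1.1" 200 8800\n'
) + "".join(
    f'198.51.100.23 - - [10/Feb/2010:02:00:{i:02d} +0300] '
    '"POST /administrator/index.php HTTP/1.1" 200 2211\n' for i in range(12)
)
MSK = timezone(timedelta(hours=3))
SAMPLE_MTIMES = {"/var/www/site/index.php": datetime(2010, 2, 10, 3, 14, 30, tzinfo=MSK)}

if __name__ == "__main__":
    if len(sys.argv) == 4:   # real run: docroot, ISO since-time, access log path
        since = datetime.fromisoformat(sys.argv[2]).astimezone(timezone.utc)
        entries = parse_log(open(sys.argv[3], errors="replace").read())
        modified = modified_since(sys.argv[1], since)
    else:
        entries, modified = parse_log(SAMPLE_LOG), SAMPLE_MTIMES
    for path, ips in correlate(entries, modified).items():
        print(path, dict(ips))
    for e in suspicious_requests(entries):
        print("suspicious:", e["ip"], e["req"])
    print("brute force:", login_bruteforce(entries))
```

Run on the preserved copy of the site (the one saved with timestamps intact) together with the downloaded access log; the IP that both appears in the window before index.php changed and sent the injection request is the one to put in the application to law enforcement. Widen the window if the logs and the file system use different clocks.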
Crime and Punishment
Punishing a hacker, especially one who operates under another state's jurisdiction and takes every measure not to be traced, is difficult or almost impossible. But there are successful examples.
Law enforcement in the city of N opened a criminal case under Article 272 of the Criminal Code of the Russian Federation ("Illegal access to legally protected computer information...") against a citizen of the Russian Federation at the request of a legal entity (the site owner). In February 2010 the production site of a Russian design studio (a "self-written" script) was hacked through a vulnerability the attacker found in the site's code. The purpose of the hack was to place advertising banners. The attacker sent the site owner a written apology asking for a pre-trial settlement; besides the criminal charge, he was also facing expulsion from his university. In the interests of the investigation, no further details are disclosed.
If the damage is significant and the IP address is "local" (even a dynamic one belonging to an ISP) rather than a "Chinese proxy", you can apply to law enforcement with an application and the available materials, specifically to Department K. The investigators themselves will request an official letter from the hosting provider with the logs and an explanation of the situation, and from the ISP, to whom the IP address was allocated. Companies are obliged to provide this information at the request of law enforcement.
Dealing with law enforcement will give the attacker many unpleasant hours, especially if there are traces of illegal activity on his computer, not to mention a possible prosecution.
Brief conclusions
The security of your site is the task not only of the developer and the hoster, who is obliged to ensure maximum security of the servers, but also of the site administrator.
Trivial advice to the site owner:
- do not save access credentials (for example, in an FTP client or browser);
- use long, complex passwords and non-standard logins, and change them periodically;
- update scripts promptly when updates are released;
- when choosing a component, check whether it has known vulnerabilities;
- watch the permissions on script files and especially on critical configuration files;
- use the web server's access controls (for example .htaccess and .ftpaccess) to allow administrative access only from your IP address;
- yes, the script authors' copyright notices should be kept, but attackers use them, and fragments of the modules' URLs, to search for vulnerable sites, so at least change the standard addresses used to reach the scripts;
- periodically, including via external services, check the availability of specific sections of the site;
- keep local backups of the site.
Having assessed the chances of finding the attacker, you can and should contact law enforcement.
PS: the article does not claim to be exhaustive and is not aimed at IT gurus; of course, other means can be used for a targeted attack on a specific server or site. I will be glad to extend it based on the community's comments, including other examples.
And, briefly, the actions to take when the site is hacked.