Presentazione Linux Day 2012 (erlug.linux.it/linuxday/2013/contrib/slides/Slide_Matteo...)
Transcript of the slides

Page 1: Matteo Sgalaberni, "Mi hanno bucato il server, e adesso?" (My server got hacked, now what?), Bologna, 2013-10-26. ERLUG: Emilia Romagna Linux Users Group – http://erlug.linux.it
LINUXDAY 2013
My server got hacked, now what?
Matteo Sgalaberni, ERLUG
Monday, October 28, 13
Page 2: Matteo Sgalaberni (speaker introduction)

Page 3: Once upon a time...
A guy
A server
A web app (PHP)

Page 4: Goal
Reactive security

Page 5: Agenda
Habits and customs
Targets
Understand
React
Fix
Page 6: Habits and customs
Prevention: sysadmins, developers, process
Process: proactive security management (Swiss Federal Office of Civil Aviation, http://www.bazl.admin.ch/themen/sicherheit/00296/index.html?lang=it)

Page 7: IT WASN'T ENOUGH: YOU'VE BEEN BROKEN INTO!

Page 8: Method
Don't panic
Analysis
Fix

Page 9: If you have a problem, find the cause and fix it, otherwise it will happen again!
So if you don't find where they got in and fix it, THEY WILL HACK YOU AGAIN!
Page 10: Why you, of all people?!
To steal
To modify
To harm you... maybe, but...

Page 11: For money (they are the ones making it!)

Page 12: An ugly world!
Source: McAfee Threats Report: First Quarter 2012, 27

Page 13: THEY USE YOU TO DO
Spam, phishing, advertisement, viruses
Malware, data leakage, DoS, DDoS
Page 14: Targets
Web application
SMTP account
FTP account
LAN network

Page 15: But have I been hacked?! How do I notice?!
Network, mail, website
Alerts (e.g. Nagios/Zimbra), abuse notifications, blacklists
IPS, IDS, firewall, KNOWLEDGE!
Server not responding, slow site, service timeouts
Page 16: BAD?!

Page 17: BAD?!
```
server:~# ps afx|grep apache2|wc -l
593
```

Page 18: BAD?!
```
server:~# /var/qmail/bin/qmail-qstat
messages in queue: 5963
messages in queue but not yet preprocessed: 623
```

Page 19: IT DEPENDS
Knowledge
Normality (what is normal for this server)
Comparison (delta analysis)

Page 20: But how does real EVIL show itself!?
Page 21: One fine day on Daniele's server
```
SMTP: CRITICAL - Socket timeout after 10 seconds
POP3: CRITICAL - Socket timeout after 10 seconds
HTTP: CRITICAL - Socket timeout after 10 seconds
```
DAAA DAAAA DAAA DAAA DAAA!

Page 22: But where did they "get in"?!
FTP
SMTP
Web app / PHP

Page 23: FTP?!?!? SMTP?!?
Passwords
Page 24: Web app
WordPress, Joomla, plugins
File upload validation
Remote file execution
```php
<?php
// Classic file-inclusion example from the slide (deliberately vulnerable):
// the request parameter goes straight into include().
if (isset($_GET['COLOR'])) {
    include($_GET['COLOR'] . '.php');
}
?>
```
http://en.wikipedia.org/wiki/File_inclusion_vulnerability
https://www.owasp.org/index.php/Unrestricted_File_Upload
Attacks on application platform:
Upload .jsp file into web tree - jsp code executed as web user
Upload .gif to be resized - image library flaw exploited
Upload huge files - file space denial of service
Upload file using malicious path or name - overwrite critical file
Upload file containing personal data - other users access it
Upload file containing "tags" - tags get executed as part of being "included" in a web page
Result: PHP shell, PHP backdoor, infected HTML/JS
Page 25: Information: but where is it?!
Simple!
Logs
Created files
Timestamps

Page 26: THE TRICK
find -ctime 0, stat the files..., less the files, grep
New files; files with "strange" names; files with "strange" contents, e.g. eval(base64_decode($_REQUEST['comment'])); obfuscated/unreadable JS
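The triage on this slide (list recently changed files, then grep them for the eval(base64_decode(...)) idiom) as an added shell example; this is not code from the slides. It assumes GNU find and grep, builds a throwaway web root itself so it runs offline, and the patterns beyond the one quoted on the slide are my own additions.

```shell
#!/bin/sh
# Added example, not from the slides: triage a web root the way page 26
# suggests: list recently changed files, then grep for the obfuscation idiom
# eval(base64_decode(...)). Assumes GNU find/grep; the sample tree is constructed.

# The first alternative is the idiom quoted on the slide; the others are common
# variants added here (assumption, not from the page). Parentheses are escaped
# because this is an extended regex.
SUSPECT_RE='eval *\( *base64_decode|gzinflate *\( *base64_decode|eval *\( *\$_(REQUEST|POST|GET)'

# recent_files ROOT [DAYS]: files whose inode changed in the last DAYS days
# (default 1, i.e. what "find -ctime 0" shows), newest first, with ctime,
# mtime and path. A ctime much newer than the mtime hints that the file was
# dropped with a preserved modification time.
recent_files() {
    root=$1
    days=${2:-1}
    find "$root" -type f -ctime "-$days" \
        -printf '%C@ ctime=%CY-%Cm-%Cd_%CH:%CM mtime=%TY-%Tm-%Td_%TH:%TM %p\n' \
        | sort -rn | cut -d' ' -f2-
}

# suspect_files ROOT: web files under ROOT containing one of the patterns,
# one path per line, sorted so the output is stable.
suspect_files() {
    root=$1
    grep -rlE --include='*.php' --include='*.html' --include='*.js' \
        "$SUSPECT_RE" "$root" 2>/dev/null | sort
}

# make_sample_root: throwaway web root with one clean PHP file, one HTML file
# and one constructed dropper-style stub using the slide's idiom (no real
# payload). Prints the directory path.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    printf '<?php\necho "hello";\n' > "$d/index.php"
    printf '<html><body>ok</body></html>\n' > "$d/about.html"
    printf '<?php\neval(base64_decode($_REQUEST["comment"]));\n' \
        > "$d/wp-content/uploads/newsp15.php"
    printf '%s\n' "$d"
}

# Stand-alone run: build the tree, show both reports, clean up.
if [ "${1:-}" = "demo" ]; then
    ROOT=$(make_sample_root)
    echo "== changed in the last day =="; recent_files "$ROOT"
    echo "== suspect contents ==";        suspect_files "$ROOT"
    rm -rf "$ROOT"
fi
```

On a real web root, run recent_files first and read the stat output of anything it lists before grepping; the grep only catches the idioms you already know.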
Page 27: php shit (no further text on this slide)

Page 28: (no text on this slide)

Page 29:
```
~/$ clamscan newsp15.php
newsp15.php: PHP.Trojan.Spambot FOUND

----------- SCAN SUMMARY -----------
Known viruses: 2424225
Engine version: 0.97.7
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 1.00:1)
Time: 4.204 sec (0 m 4 s)
```

Page 30: JS shit (no further text on this slide)

Page 31: FTP
PHP shell
PHP backdoor
HTML with infected JavaScript
perl in CGI-BIN
Page 32:
```
54.244.119.54 - - [07/Oct/2013:17:00:30 +0200] "POST /listN3A.php HTTP/1.1" 200 717 "-" "-"
```
```
stat /httpdocs_bucato/listN3A.php
  File: `listN3A.php'
  Size: 7325       Blocks: 16         IO Block: 4096   regular file
Device: 808h/2056d   Inode: 10928437    Links: 1
Access: (0644/-rw-r--r--)  Uid: (10669/fsfsadfd)   Gid: ( 2524/  psacln)
Access: 2013-10-07 16:18:07.000000000 +0200
Modify: 2013-10-04 11:19:06.000000000 +0200
Change: 2013-10-04 11:19:06.000000000 +0200
```

Page 33:
```
zgrep listN3A.php xferlog*
xferlog.processed:Fri Oct 4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r o sito1 ftp 0 * c
```
```
sesedefdfs:/opt/psa/var/log# grep 37.139.47.33 xferlog*
xferlog.processed:Tue Oct 1 12:39:35 2013 0 37.139.47.33 7325 /var/www/vhosts/sito2.it/httpdocs/newsp15.php b _ i r sito1 ftp 0 * c
xferlog.processed:Thu Oct 3 12:00:08 2013 0 37.139.47.33 2005 /var/www/vhosts/sito2.it/httpdocs/.htaccess b _ d r sito1 ftp 0 * c
xferlog.processed:Thu Oct 3 12:00:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1 ftp 0 * c
xferlog.processed:Thu Oct 3 12:00:09 2013 0 37.139.47.33 400 /var/www/vhosts/sito2.it/httpdocs/aLlSMF.html b _ i r sito1 ftp 0 * c
xferlog.processed:Fri Oct 4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:19:54 2013 0 37.139.47.33 136 /var/www/vhosts/sito1.it/httpdocs/.htaccess b _ d r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:19:55 2013 0 37.139.47.33 378 /var/www/vhosts/sito1.it/httpdocs/rTLsk.html b _ i r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:19:56 2013 0 37.139.47.33 395 /var/www/vhosts/sito1.it/httpdocs/aTLsk.html b _ i r sito2 ftp 0 * c
xferlog.processed:Sun Oct 6 12:34:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1
```
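The pivot on pages 32 and 33 (from a POST in the access log to the file's FTP upload, then to everything the same client did over FTP) as an added shell example; it is not the author's code. It runs over constructed xferlog and access-log lines modelled on the slides, and assumes awk and the standard 18-field xferlog layout.

```shell
#!/bin/sh
# Added example, not from the slides: automate the page-32/33 pivot.
#   access log -> is the dropped file actually being hit with POSTs
#   xferlog    -> which client uploaded it, and everything else that client
#                 transferred (files, direction, FTP account used)
# Assumed xferlog layout: fields 1-5 date, 6 xfer time, 7 remote host, 8 size,
# 9 path, 10 type, 11 special, 12 direction (i/o/d), 13 mode, 14 username,
# 15 service, 16 auth, 17 auth-user, 18 completion status.

# Constructed sample logs modelled on the slides (not the real server's logs).
XFERLOG=$(mktemp)
cat > "$XFERLOG" <<'EOF'
Tue Oct 1 12:39:35 2013 0 37.139.47.33 7325 /var/www/vhosts/sito2.it/httpdocs/newsp15.php b _ i r sito1 ftp 0 * c
Wed Oct 2 09:10:00 2013 1 10.0.0.5 120 /var/www/vhosts/sito1.it/httpdocs/news.html b _ i r sito2 ftp 0 * c
Thu Oct 3 12:00:08 2013 0 37.139.47.33 2005 /var/www/vhosts/sito2.it/httpdocs/.htaccess b _ d r sito1 ftp 0 * c
Thu Oct 3 12:00:09 2013 0 37.139.47.33 378 /var/www/vhosts/sito2.it/httpdocs/rLlSMF.html b _ i r sito1 ftp 0 * c
Fri Oct 4 11:19:06 2013 0 37.139.47.33 7325 /var/www/vhosts/sito1.it/httpdocs/listN3A.php b _ i r sito2 ftp 0 * c
Sun Oct 6 12:19:54 2013 0 37.139.47.33 136 /var/www/vhosts/sito1.it/httpdocs/.htaccess b _ d r sito2 ftp 0 * c
EOF
ACCESSLOG=$(mktemp)
cat > "$ACCESSLOG" <<'EOF'
54.244.119.54 - - [07/Oct/2013:17:00:30 +0200] "POST /listN3A.php HTTP/1.1" 200 717 "-" "-"
192.0.2.10 - - [07/Oct/2013:17:01:02 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Oct/2013:17:05:44 +0200] "POST /listN3A.php HTTP/1.1" 200 717 "-" "-"
EOF

# uploader_of FILE: remote host of the first incoming transfer whose path ends
# in /FILE. Exit status 1 when the file never arrived over FTP.
uploader_of() {
    awk -v n="$1" '$12 == "i" && $9 ~ ("/" n "$") { print $7; found = 1; exit }
                   END { exit !found }' "$XFERLOG"
}

# transfers_from HOST: chronological list of what HOST did: date, direction,
# FTP account and path. Deletions ("d") matter as much as uploads here.
transfers_from() {
    awk -v h="$1" '$7 == h {
        printf "%s %s %s %s %s dir=%s user=%s %s\n", $1, $2, $3, $4, $5, $12, $14, $9
    }' "$XFERLOG"
}

# accounts_from HOST: distinct FTP accounts HOST logged in with, on one line.
# Every one of them needs a password change.
accounts_from() {
    awk -v h="$1" '$7 == h { print $14 }' "$XFERLOG" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# posts_to FILE: number of POST requests to /FILE in the access log.
posts_to() {
    grep -c "\"POST /$1 HTTP" "$ACCESSLOG"
}

# pivot FILE: the whole walk-through, starting from the file seen in the access log.
pivot() {
    file=$1
    host=$(uploader_of "$file") || { echo "$file: no FTP upload found" >&2; return 1; }
    echo "$file: uploaded from $host, $(posts_to "$file") POST(s) in the access log"
    echo "accounts used by $host: $(accounts_from "$host")"
    transfers_from "$host"
}

if [ "${1:-}" = "demo" ]; then
    pivot listN3A.php
    rm -f "$XFERLOG" "$ACCESSLOG"
fi
```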
Page 34: But what was in that file?!?
```html
<html><head> <meta http-equiv="refresh" content="2; url=http://thespeedshop.ca/robotsfR6w/bar/index.html"></head><body><h1>Loading...</h1></body>
```

Page 35: (no text on this slide)

Page 36:
```
server:~# /var/qmail/bin/qmail-qstat
messages in queue: 5963
messages in queue but not yet preprocessed: 623
```
```
Received: (qmail 3931 invoked by uid 33); 22 Oct 2013 11:55:22 +0200
Date: 22 Oct 2013 11:55:20 +0200
Message-ID: <20131022095520.3906.qmail@server999>
To: [email protected]
Subject: Voice Message Notification
From: "WhatsApp Messaging Service" <[email protected]>
X-PHP-Originating-Script: 10035:infoKSw.php
X-Mailer: Oudmlr(ver.3.4)
Reply-To: "WhatsApp Messaging Service" <[email protected]>
Mime-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----------138243572052664B8811717"
```
The X-PHP-Originating-Script header (added by PHP's mail.add_x_header setting, see the link) names the uid and script that sent the message.
http://php.net/manual/en/mail.configuration.php
Page 37:
```
server:~# /var/qmail/bin/qmail-qstat
messages in queue: 5963
messages in queue but not yet preprocessed: 623
```
```
Received: (qmail 11447 invoked from network); 21 Oct 2013 10:24:11 +0200
Received: from hostbruttorusso.ru (HELO UserHP) (99.99.99.99) by mioserver.it with ESMTPA; 21 Oct 2013 10:24:09 +0200
Return-Receipt-To: "Monica" <[email protected]>
From: "Monica" <[email protected]>
To: <[email protected]>
Subject: I: RQST FATTURA
Date: Mon, 21 Oct 2013 10:24:10 +0200
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_004B_01CECE47"
X-Mailer: Microsoft Office Outlook 11
```
```
Oct 25 12:37:08 server6 smtp_auth: SMTP user [email protected] : logged in from hostbruttorusso.ru [99.99.99.99]
```

Page 38: Responding to an SMTP account compromise
Identify the compromised mailboxes
Change the passwords
iptables: block the IP that logged in
Delete the emails from the queue
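The first steps on page 38 (find the compromised mailboxes, collect the source addresses for the firewall) over smtp_auth log lines in the format shown on page 37, as an added shell example that is not from the slides. The log excerpt is constructed (example.com addresses, documentation IP ranges) and the threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the slides: find mailboxes whose credentials are
# used from many different hosts (the spam-run pattern of page 37) and collect
# the source IPs for the "block the IP" step of page 38.
# Log line format assumed from page 37:
#   Oct 25 12:37:08 server6 smtp_auth: SMTP user USER : logged in from HOST [IP]

# Constructed log excerpt (not from the real server).
AUTHLOG=$(mktemp)
cat > "$AUTHLOG" <<'EOF'
Oct 25 12:37:08 server6 smtp_auth: SMTP user monica@example.com : logged in from hostbruttorusso.ru [203.0.113.9]
Oct 25 12:37:11 server6 smtp_auth: SMTP user monica@example.com : logged in from pool-1.example.net [198.51.100.20]
Oct 25 12:38:40 server6 smtp_auth: SMTP user luca@example.com : logged in from office.example.com [192.0.2.4]
Oct 25 12:39:02 server6 smtp_auth: SMTP user monica@example.com : logged in from pool-2.example.net [198.51.100.21]
Oct 25 12:40:15 server6 smtp_auth: SMTP user monica@example.com : logged in from hostbruttorusso.ru [203.0.113.9]
Oct 25 12:41:33 server6 smtp_auth: SMTP user luca@example.com : logged in from office.example.com [192.0.2.4]
EOF

# A mailbox used from one office and one home rarely shows more than a couple
# of source IPs per day (assumption; tune for your users).
MAX_SOURCES=${MAX_SOURCES:-2}

# logins_per_user: "USER DISTINCT_IPS" for every user, most sources first.
logins_per_user() {
    awk '/smtp_auth: SMTP user/ {
            user = $8; ip = substr($NF, 2, length($NF) - 2)
            if (!seen[user, ip]++) n[user]++
         }
         END { for (u in n) print u, n[u] }' "$AUTHLOG" | sort -k2,2nr -k1,1
}

# compromised_users: users seen from more than MAX_SOURCES distinct IPs.
compromised_users() {
    logins_per_user | awk -v max="$MAX_SOURCES" '$2 > max { print $1 }'
}

# sources_of USER: distinct IPs that authenticated as USER, one per line.
sources_of() {
    awk -v u="$1" '/smtp_auth: SMTP user/ && $8 == u {
        print substr($NF, 2, length($NF) - 2)
    }' "$AUTHLOG" | sort -u
}

# block_commands USER: the iptables lines for the page-38 firewall step,
# printed rather than executed so they can be reviewed first.
block_commands() {
    sources_of "$1" | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

if [ "${1:-}" = "demo" ]; then
    echo "== logins per mailbox ==";        logins_per_user
    echo "== likely compromised ==";        compromised_users
    for u in $(compromised_users); do
        echo "== sources for $u ==";        block_commands "$u"
    done
    rm -f "$AUTHLOG"
fi
```

Legitimate users travelling through several networks will show up too, so treat the list as the set of mailboxes to check first, not as proof by itself.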
Page 39: One fine day on Daniele's server
```
 5671 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5672 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5673 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5674 ?  S    0:00  \_ /usr/sbin/apache2 -k start
20388 ?  S    0:00 couriertls -localfd=4 -tcpd -server
 6159 ?  S    0:00 couriertls -localfd=4 -tcpd -server
 6908 ?  S    0:00 couriertls -localfd=4 -tcpd -server
16593 ?  S    0:00 couriertls -localfd=4 -tcpd -server
17308 ?  S    0:00 couriertls -localfd=4 -tcpd -server
 9631 ?  S    0:00 perl udpflood.pl
 9632 ?  S    0:00 perl udpflood.pl
 9633 ?  S    0:00 perl udpflood.pl
 9634 ?  S    0:00 perl udpflood.pl
 9635 ?  S    0:00 perl udpflood.pl
 9636 ?  S    0:00 perl udpflood.pl
 4626 ?  SN   0:00 /usr/sbin/zabbix_agentd
 4671 ?  SN  28:24  \_ /usr/sbin/zabbix_agentd
 4672 ?  SN   0:00  \_ /usr/sbin/zabbix_agentd
 4673 ?  SN   0:00  \_ /usr/sbin/zabbix_agentd
```

Page 40: One fine day on Marco's server
```
 5638 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5655 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5662 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5671 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5672 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5673 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 5674 ?  S    0:00  \_ /usr/sbin/apache2 -k start
 4292 ?  S    0:21 /usr/sbin/sw-cp-serverd -f /etc/sw-cp-server/config
 4587 ?  Ss   0:02 drwebd.real
 4588 ?  S    1:10  \_ drwebd.real
 4589 ?  S    1:14  \_ drwebd.real
 4590 ?  S    1:10  \_ drwebd.real
 4591 ?  S    1:07  \_ drwebd.real
 9631 ?  S    0:00 /usr/sbin/apache2 -k start
 4626 ?  SN   0:00 /usr/sbin/zabbix_agentd
 4671 ?  SN  28:24  \_ /usr/sbin/zabbix_agentd
 4672 ?  SN   0:00  \_ /usr/sbin/zabbix_agentd
 4673 ?  SN   0:00  \_ /usr/sbin/zabbix_agentd
```
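The process listings of pages 39 and 40 checked automatically, as an added shell example that is not from the slides: it flags processes running as the web user that are not the web server (the perl flood bot on page 39), and apache2 entries that are not children of the master (PID 9631 on page 40 sits outside the `\_` tree). The `ps -eo user,pid,ppid,args` sample is constructed and the Debian user and path are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: two checks over a process listing of the
# kind shown on pages 39 and 40. Input is `ps -eo user,pid,ppid,args
# --no-headers` (user pid ppid command...). Assumptions: web user www-data and
# server binary /usr/sbin/apache2 (Debian defaults).

WEB_USER=${WEB_USER:-www-data}
WEB_BIN=${WEB_BIN:-/usr/sbin/apache2}

# Constructed listing modelled on the slides: the apache master (root) with
# workers, a perl flood bot running as www-data, and PID 9631 claiming to be
# apache2 but with no parent inside the apache tree.
SAMPLE_PS='root 4620 1 /usr/sbin/apache2 -k start
www-data 5671 4620 /usr/sbin/apache2 -k start
www-data 5672 4620 /usr/sbin/apache2 -k start
www-data 9631 1 /usr/sbin/apache2 -k start
www-data 9632 1 perl udpflood.pl
root 4626 1 /usr/sbin/zabbix_agentd
zabbix 4671 4626 /usr/sbin/zabbix_agentd'

# web_user_oddities < listing: "PID COMMAND" for every process that runs as the
# web user but is not the web server binary. Anything started through a PHP
# shell inherits www-data, so this list is normally empty.
web_user_oddities() {
    awk -v u="$WEB_USER" -v b="$WEB_BIN" '
        $1 == u && $4 != b {
            out = $2
            for (i = 4; i <= NF; i++) out = out " " $i
            print out
        }'
}

# fake_httpd < listing: apache2 entries that are neither the master (the root
# owned instance) nor one of its children. argv[0] is trivial to rename; the
# parent PID is not.
fake_httpd() {
    awk -v b="$WEB_BIN" '
        $4 == b && $1 == "root" && master == "" { master = $2 }
        $4 == b { n++; pid[n] = $2; ppid[n] = $3; user[n] = $1 }
        END {
            for (i = 1; i <= n; i++)
                if (pid[i] != master && ppid[i] != master)
                    print pid[i] " (ppid " ppid[i] ", user " user[i] ")"
        }'
}

# Stand-alone run against the constructed listing; on a live box feed the
# functions with: ps -eo user,pid,ppid,args --no-headers
if [ "${1:-}" = "demo" ]; then
    echo "== non-httpd processes running as $WEB_USER =="
    printf '%s\n' "$SAMPLE_PS" | web_user_oddities
    echo "== apache2 entries outside the master's tree =="
    printf '%s\n' "$SAMPLE_PS" | fake_httpd
fi
```

For a flagged PID, `lsof -p PID` and `readlink /proc/PID/exe` (from the tools slide) show what the process really is, whatever its argv says.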
Page 41: Hands up!
Data collection (the script shown on the slide; `tempfile` is the Debian helper, `mktemp` is the portable equivalent):
```bash
#!/bin/bash
# Snapshot volatile state before touching anything: connections, open files,
# process tree and /tmp metadata, then compress the trace.
echo -n "starting collecting data..."
date
TMPFILE=`tempfile`
netstat -tanp >>$TMPFILE
lsof -n >>$TMPFILE
ps afx >>$TMPFILE
stat /tmp/* >>$TMPFILE
bzip2 $TMPFILE
echo -n "ending collecting data..."
date
echo "Trace salvato in :" ${TMPFILE}.bz2
exit 0
```
An lsof line from the slide:
```
perl 32373 www-data 509w REG 254,2 0 170 /tmp/sess_e96a2502073e0061e5f88a9ca9bc3dab
```
Trigger - iptables log
Trigger - swatch
Page 42: AT LEAST DO THIS
/etc/php5/apache2/php.ini:
```ini
allow_url_fopen = Off
disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,parse_ini_file,show_source"
```
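An audit of the php.ini settings this slide calls the bare minimum, as an added shell example that is not from the slides. It parses a php.ini, reports allow_url_fopen and allow_url_include, and lists which command-execution functions are still missing from disable_functions; the wanted list extends the slide's with popen and pcntl_exec, which is an assumption, as are the constructed sample files.

```shell
#!/bin/sh
# Added example, not from the slides: audit a php.ini against the page-42
# minimum. Checks allow_url_fopen / allow_url_include and the coverage of
# disable_functions. Assumes awk; php.ini syntax is "key = value", ";" comments.

# Functions that give a PHP script a shell or load native code. The slide's
# list has most of them; popen and pcntl_exec are added here (assumption).
WANT_DISABLED='exec system passthru shell_exec proc_open popen pcntl_exec dl'

# ini_value FILE KEY: value of KEY (last assignment wins, quotes and spaces
# stripped, commented-out lines ignored). Prints nothing if KEY is unset.
ini_value() {
    awk -F= -v k="$2" '
        $1 ~ ("^[ \t]*" k "[ \t]*$") {
            v = $2
            sub(/^[ \t"]+/, "", v); sub(/[ \t"]+$/, "", v)
            last = v
        }
        END { print last }' "$1"
}

# url_setting_ok FILE KEY DEFAULT: true when KEY resolves to Off. PHP defaults
# allow_url_fopen to On and allow_url_include to Off, so the caller passes the
# value that applies when the key is absent.
url_setting_ok() {
    v=$(ini_value "$1" "$2")
    [ -n "$v" ] || v=$3
    case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
        off|0|false|no) return 0 ;;
        *)              return 1 ;;
    esac
}

# missing_disabled FILE: entries of WANT_DISABLED absent from disable_functions.
missing_disabled() {
    have=" $(ini_value "$1" disable_functions | tr ',' ' ') "
    for f in $WANT_DISABLED; do
        case "$have" in *" $f "*) ;; *) printf '%s\n' "$f" ;; esac
    done
}

# audit FILE: one finding per line; exit status 1 when there is any.
audit() {
    bad=0
    url_setting_ok "$1" allow_url_fopen On    || { echo "allow_url_fopen is not Off"; bad=1; }
    url_setting_ok "$1" allow_url_include Off || { echo "allow_url_include is not Off"; bad=1; }
    m=$(missing_disabled "$1" | tr '\n' ' ')
    [ -z "$m" ] || { echo "disable_functions is missing: $m"; bad=1; }
    return $bad
}

# Constructed samples: a stock-looking weak file and the slide's settings.
WEAK=$(mktemp); HARD=$(mktemp)
cat > "$WEAK" <<'EOF'
; constructed sample: defaults left in place
allow_url_fopen = On
disable_functions =
EOF
cat > "$HARD" <<'EOF'
allow_url_fopen = Off
disable_functions = "exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,parse_ini_file,show_source"
EOF

if [ "${1:-}" = "demo" ]; then
    for f in "$WEAK" "$HARD"; do echo "== $f =="; audit "$f" || true; done
    rm -f "$WEAK" "$HARD"
fi
```

Point it at the php.ini PHP actually loads (`php --ini` on the command line, phpinfo() for the Apache module), since the CLI and the web server often read different files.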
Page 43: And if I don't catch it?!
```
tcpdump -s0 -w <file> -C <maxsize> -W <maxcountfile>
```
tcpslice, wireshark, ngrep (live gathering)

Page 44: Tools
top, ps afx, lsof -p [PID], netstat -tanp, stat, find -ctime 0
last, netstat -tanp, chkrootkit, rkhunter, clamav, wireshark
Intelligence!
Knowledge!

Page 45: SO
Analysis
Cleanup
Fix
Check

Page 46: THANKS FOR YOUR ATTENTION
The slides and the audio/video recording of the talk will be available at:
http://erlug.linux.it/linuxday/2013/