A website breach is unauthorized access by an attacker to the website's files or to the administrator panel of its content management system (CMS). There are two types of breach:
Targeted breach: the attacker wants to compromise one particular website, for example to obtain the private data of its visitors or of its owner. This type of breach is rare, so it is not considered here; the countermeasures, however, are the same as for a mass breach.
Mass breach: any website will do. The attacker wants access to the largest possible number of arbitrary websites in order to use them later for his own purposes. This is the type of breach considered in this paper.
Having breached a website, the attacker can upload arbitrary files to it, run scripts, modify its content, and eavesdrop on the data exchanged between the website and its visitors. A breach gives the attacker, first, free and anonymous hosting for running arbitrary scripts, posting any information on the breached site, or sending unsolicited messages; and second, access to the website's audience, whose computers can be infected with malware or redirected to fraudulent websites.
A compromised website may also be used to carry out DDoS attacks, breach other websites, and run any other malware, because the hosting account on which the site lives is a full user account in the hosting server's operating system and can run arbitrary programs.
To breach a website, the attacker may use any method that allows the website's files to be modified.
The most common ways of breaching a website are:
1. Malware on the computer from which the owner or developer connects to the server via FTP. The attacker steals the FTP account password and can then connect to the account and change or replace any file. Because the website usually resides in a folder named after the site, it is easy for the attacker to tell which website he has breached; the site name is also often present in the stolen FTP connection settings.
2. Stolen SSH access, in the same way as FTP. The only difference is that SSH can run arbitrary programs directly and does not need to go through the website hosted on the account.
3. A stolen password for the administrator panel of the CMS used to edit the web pages. The administrator panel usually allows arbitrary files to be uploaded to the site. Using this feature, the attacker uploads a malicious script through which all further work on the site is done, without logging in to the administrator panel again.
4. Recovering the FTP, SSH or administrator-panel password by a brute-force attack or, where the password is more complex, by a dictionary attack.
5. Intrusion without any password by exploiting a vulnerability in the CMS or one of its extensions. The attacker uses flaws in the program logic to make the system behave differently from what the website's developer intended, and as a result uploads a script through which further activity is carried out. Public vulnerability databases let anyone look up how a given vulnerability can be used against a CMS. This approach is very popular because information about new CMS vulnerabilities appears frequently, while website owners rarely update their CMS or its extensions to the latest, non-vulnerable releases.
6. Pivoting from a breached website to the other websites hosted on the same hosting account. In this way a website can be breached even when it has no vulnerabilities of its own and FTP or SSH access is impossible, simply because it shares a hosting account with a vulnerable site.
After a breach, the attacker usually places one or more scripts on the website that let him get back in even after the vulnerability has been fixed and all passwords have been changed. As a rule he tries to hide such scripts by placing them deep in the folder tree or by giving them names similar to those of CMS scripts. The backdoor code may also be embedded in an existing CMS file; because no new file is created, the malicious code is harder to detect.
Because the attacker wants to infect as many websites as possible rather than one particular site, he tries to gain access to every website he can find, and a search engine is enough to produce the list of candidates. When a website is breached, it is because the attacker happened to find it through search queries or by enumerating names, and the site had a vulnerability or its access passwords had been compromised.
A website therefore cannot be considered secure merely because "nobody knows about it". Protecting it requires concrete measures: update the CMS and its extensions promptly, work on the site only from computers protected by antivirus software, and keep the website's and the hosting account's passwords from being disclosed.
General ways of webserver protection
There are three levels of webserver protection:
Level 1. Minimal protection.
1. Updating existing software and installing patches.
2. Using a single configuration (policy) for all servers.
3. Removing unnecessary applications.
Level 2. Countering intrusion.
1. External firewall installation.
2. Remote administration of security systems.
3. Limitations on script usage.
4. Webserver defense using packet filtering.
5. Staff training and assignment of access privileges.
6. The measures listed in Level 1.
Level 3. Attack detection and reducing its impact.
1. Privilege separation.
2. Hardware defense systems.
3. Internal firewall.
4. Network intrusion detection systems.
5. Intrusion detection systems installed on servers (hosts).
6. The measures listed in Level 2.
Ways to provide webserver protection
The most common ways of protecting a webserver are:
· Removing unnecessary software (applications);
· Detecting attempts to violate the webserver's protection;
· Fixing defects in installed software;
· Mitigating the consequences of a network attack;
· Protecting the rest of the network if the webserver is compromised.
Software updates / patch installation
This is one of the simplest and at the same time most effective ways of reducing risk. Every webserver should be checked regularly to confirm that the latest software updates and patches are installed.
Software must be kept up to date because an attacker can use any software installed on the webserver to penetrate the system. This includes the operating system, software that handles network packets, and the tools used by network and security administrators.
Software should be reviewed as follows:
· List the installed software together with its release numbers;
· Verify that the latest releases are installed on the webserver;
· Find and install the patches for those releases following the vendor's instructions; to keep the system working, patches should be installed in ascending order of their numbers;
· Check that the patches work properly.
Using dedicated servers
Security requires a separate resource (machine) for every task, because a flaw in one service can otherwise bring down several services at once. In particular, it is undesirable to run the email server, the webserver and the database server on the same computer. Every new server, however, must be equipped with its own defenses; otherwise it becomes an easy target for an attacker.
Removing unnecessary applications
All privileged software that the webserver does not need should be removed. Here privileged software means software that handles network packets or runs with administrator permissions. Some operating systems start privileged software by default, and administrators often simply do not know it exists; yet an attacker can potentially use any of it to attack the webserver. To improve security further, administrators sometimes remove all software, not only privileged software, that is not needed for the webserver to operate.
External firewall installation
A firewall between the corporate (internal) network and the publicly accessible webservers stops "undesirable" packets from entering the corporate network: if an attacker penetrates an external webserver, getting through the firewall into the organization's corporate network will be hard. If, however, the webserver sits inside the corporate network, an attacker who has penetrated it can use the captured resource to disrupt the entire network and take full control of it.
Remote administration of security systems
Because administering a server from its physical console is often inconvenient, system administrators install remote-control software on webservers. From a security standpoint this practice can create serious problems.
Where remote administration is unavoidable, it should be accompanied by the following measures:
· Encrypt the remote-administration traffic so that an attacker cannot take over the session, capture passwords or inject malicious commands;
· Use packet filtering (described below) so that remote administration is accepted only from the hosts dedicated to this purpose;
· Maintain a higher level of security for those hosts;
· Do not use packet filtering as a substitute for encryption, since an attacker can spoof packets (send packets whose headers carry a forged source address in place of his own).
Limitations on script usage
Most websites contain scripts (small programs) that run when a user requests a particular page. An attacker can use these scripts, by exploiting bugs in their code, to intrude into the website, and he does not need the source code to find such holes. Scripts should therefore be examined thoroughly before being uploaded to the website. A script should not allow arbitrary commands or third-party (dangerous) programs to be executed; it should let users perform only specific, dedicated tasks; and it should limit the number and size of inbound parameters. The last measure is needed to prevent buffer overflow attacks, in which the attacker tries to make the system execute arbitrary code in order to obtain additional information. Finally, a script should not run with administrator rights.
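An added example (not code from the original article) of the input policy described above, written in Python: the script exposes a fixed table of dedicated tasks, enforces limits on the number, length and character set of inbound parameters before any task runs, and never hands user data to a shell. The task names, the limits and the CATALOGUE data are constructed for the demonstration.

```python
import re

# Constructed policy limits for this example
MAX_PARAMS = 3
MAX_PARAM_LEN = 64
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.-]*$")   # letters, digits, _ . - only

class RejectedRequest(ValueError):
    """A request that violates the script's input policy."""

def validate_params(params):
    """Enforce parameter count, length and character set before any task runs."""
    if len(params) > MAX_PARAMS:
        raise RejectedRequest("too many parameters")
    for key, value in params.items():
        if not isinstance(value, str):
            raise RejectedRequest(f"parameter {key!r} is not a string")
        if len(value) > MAX_PARAM_LEN:
            raise RejectedRequest(f"parameter {key!r} exceeds {MAX_PARAM_LEN} characters")
        if not SAFE_VALUE.match(value):
            raise RejectedRequest(f"parameter {key!r} contains disallowed characters")
    return params

# Constructed catalogue standing in for the site's own data store
CATALOGUE = {"apache": "2.4", "nginx": "1.24", "php": "8.2"}

def task_lookup(params):
    """Dedicated task: return the version of one catalogue entry, or 'not found'."""
    name = params.get("name", "")
    return {"name": name, "version": CATALOGUE.get(name, "not found")}

def task_count(params):
    """Dedicated task that uses no user data at all."""
    return {"entries": len(CATALOGUE)}

# The only actions the script will ever perform; nothing here reaches a shell.
TASKS = {"lookup": task_lookup, "count": task_count}

def handle_request(action, params):
    """Dispatch a request to a dedicated task after validating its inputs."""
    if action not in TASKS:
        raise RejectedRequest(f"unknown action {action!r}")
    return TASKS[action](validate_params(dict(params)))

if __name__ == "__main__":
    print(handle_request("lookup", {"name": "nginx"}))
```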
Routers with packet filtering
Routers are installed to isolate the webservers from the rest of the network. This prevents many attacks by blocking "foreign" (wrong) packets. Usually the router discards all packets that are not addressed to the webserver (e.g. to port 80) or to the ports used for remote administration. To improve security, the permitted packets should be listed explicitly, leaving the attacker fewer ways into the network. Packet filtering on the router is most effective when all unneeded software has been removed from the server, so that the attacker cannot request a non-standard service. Note, however, that packet filtering reduces the router's throughput and increases the risk of dropping "valid" packets.
Staff training
Attackers often penetrate a system because the network administrators lack security knowledge or neglect security issues. Staff in this position should therefore continuously improve their skills by studying network security systems and applying the lessons learned in practice. Good books and training seminars will also help your administrators.
Privilege sharing
Despite all efforts and however serious the measures taken to protect the webserver, the possibility of penetration cannot be excluded completely. If a penetration does occur, it is important to limit its consequences. Privilege separation is an effective way to achieve this: every user may run only particular software, so an attacker who has entered the network with one user's compromised credentials can do only limited damage. For example, each user has his own pages on the website and cannot access other users' pages, so an attacker holding the first user's credentials cannot affect other resources (pages). The same applies to software. To improve protection for users with "write" permission, separate personal subfolders should be created for them.
Hardware defense systems
In terms of privilege separation, hardware offers a higher level of security than software because it cannot be modified as easily. Through software vulnerabilities, however, an attacker can still reach hardware resources. One of the most accessible defenses against this threat is to deny "write" permission on external devices; usually, to prevent attacks, the webserver should be configured in "read only" mode.
Internal firewall
Modern webservers are parts of distributed systems: they communicate with other hosts, receiving and transmitting data. There is a temptation to place those other computers behind the firewall, inside the corporate network, to protect the data on them. But if an attacker succeeds in breaching the webserver, he can use it as a launching point for attacks on those systems. To rule this out, the systems that communicate with the webserver must be separated from the rest of the network by an internal firewall. Then a penetration of the webserver, and of what lies beyond it, does not compromise the entire corporate network.
Network intrusion detection systems
Despite all your efforts to patch the webserver and configure it securely, there is no guarantee that every vulnerability has been eliminated. Moreover, a webserver protected from external attacks can still be taken down by disrupting one of its services. It is therefore important to learn about such events quickly in order to minimize their consequences and restore service promptly, and intrusion detection systems are used for this purpose. A network intrusion detection system (IDS) scans all network traffic and detects unauthorized activity, violations of the protection system, and server blocking. Modern IDSs report every detected violation, notifying administrators by pager, email, or on-screen alert. Typical automated reports include failed network connections and the list of blocked IP addresses.
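As an added example (not part of the original article) of the detection logic behind such a report, the Python script below scans a constructed excerpt of sshd-style authentication log lines for the brute-force and dictionary attacks described earlier and produces the list of source addresses to block. The log lines, hostnames and addresses are invented, and the failure threshold and time window are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd-style log excerpt (not from any real host)
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Mar  3 10:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40002 ssh2
Mar  3 10:00:05 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40003 ssh2
Mar  3 10:00:07 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Mar  3 10:00:09 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 40005 ssh2
Mar  3 10:01:10 web1 sshd[2211]: Failed password for deploy from 198.51.100.7 port 50001 ssh2
Mar  3 10:01:40 web1 sshd[2213]: Accepted publickey for deploy from 198.51.100.7 port 50002 ssh2
Mar  3 12:30:00 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar  3 13:30:00 web1 sshd[2301]: Failed password for root from 192.0.2.9 port 60002 ssh2
"""

FAIL_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse_failures(text, year=2024):
    """Yield (timestamp, source IP) for every failed-password line; syslog lines carry no year."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"), m.group(2)

def detect_bruteforce(text, threshold=5, window_minutes=10):
    """Map each source IP to the time it first reached `threshold` failures within the window."""
    window = timedelta(minutes=window_minutes)
    times_by_ip = defaultdict(list)
    for ts, ip in parse_failures(text):
        times_by_ip[ip].append(ts)
    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = ts
                break
    return flagged

def block_list(text, **kwargs):
    """The 'blocked IP addresses' part of the report, ready for the packet filter."""
    return sorted(detect_bruteforce(text, **kwargs))

if __name__ == "__main__":
    print(block_list(SAMPLE_LOG))
```

A single failed login from a legitimate user (198.51.100.7 above) stays below the threshold, while two failures an hour apart (192.0.2.9) are only flagged if the window is widened, which is the trade-off between catching slow attacks and blocking real users.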
Intrusion detection systems installed on servers (hosts)
Host-based intrusion detection systems see the state of the server better than network IDSs. In many cases a host IDS, which has all the features of a network IDS, detects attempts to violate the security policy better because it has more direct access to the webserver's state.
This approach has its own disadvantages, however. If an attacker breaches the webserver, he may disable the host IDS and thereby block the alert that would have reached the administrator. Remote denial-of-service (DoS) attacks also block the IDS while the server is exhausted. Since DoS attacks let attackers block the server without penetrating it, a host-based IDS should be complemented by a network intrusion detection system.
Limitations of existing solutions and additional measures
Security experts recommend using secure software, but in some cases installing it is impossible because of its high price or lack of time. Moreover, secure software becomes outdated after a while and new releases have to be installed. That is why using outdated software and standard security procedures does not guarantee the server's defense. The webserver's resilience to such attacks can nevertheless be achieved by following the protection measures described above together with reliable software, meaning software that has a certain level of security.
The security level of software can be assessed, first, by studying earlier attacks on servers where the same (or similar) software was installed; the number of attacks shows how resilient the software is to them. Reliability depends directly on software quality: defective software does not meet all the requirements placed on security systems and is unreliable for that reason alone. Second, the software can be examined for vulnerabilities. A number of audit companies specialize in server security audits and have special software for detecting vulnerabilities in the security systems under review.
In preparation of this article, KZ-CERT used open source information.