Threat Level: green Handler on Duty: Richard Porter

SANS ISC: Internet Storm Center - SANS Internet Storm Center Internet Storm Center


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Back to Basics: Backups and Data Recovery "The Home Office Edition"

Published: 2018-04-19
Last Updated: 2018-04-19 22:59:10 UTC
by Richard Porter (Version: 1)
0 comment(s)

Back to Basics: Backups and Data Recovery “The Home Office Edition”

The Point of the Matter

On the subject of backups, here it is 2018…. The Information Technology professional has had the subject pushed hard and backups ‘should’ be axiomatic. It started with a simple question on our  team Slack channel “Hey, <blah blah> backup home lab, blah blah” and come to find out? We as knowledge professionals may not *cynical humor with serious undertones* be doing the best of jobs at backing up our ‘underground lair’ [1] so to speak.

This then lead down a path of asking other handlers more questions, finding out what colleagues were doing, asking some clients what they do at home. The deeper I examined, the more it became apparent that data may not be backed up effectively (if at all!).

 

Observations

One of the major anecdotal observations is we may not be doing the best job at backing up our personal data, me included. Using myself as a (bad) example, with over 30 terabytes (TB) of data in various arrays, I have been falsely comfortable with RAID. I can still hear Dr. Eric Cole’s (Mr. Back then) voice “RAID is not a backup solution” yet, here I am. Laptops are backed up via TimeMachine to one of the array’s and that has proven effective and saved me a couple of times. The Windows devices in the house are not really backed up, however, cloud storage (e.g., Box, DropBox, etc) is used heavily.

Another anecdotal piece of evidence comes from a client meeting today (thanks guys for answering me honestly, you know who you are :)). Some built in backups, RAID array of drives, and that’s about it. We shared a good chuckle, and agreed that we need to get better about it.

 

Reported Solutions

Disclaimer: The Internet Storm Center does not endorse products or solutions. The following are listed as what was in use at the time of investigation. 

  • A good combination of Crashplan [2] + Apple TimeMachine [3] 
  • Only TimeMachine [3]
  • Drobo Storage Arrays [4] + Apple TimeMachine [3] + A False Sense of Security [10] (this is me :))
  • QNAP Array (RAID) [5] + TimeMachine
  • QNAP Array (RAID) [6] + “Ignoring the problem”
  • Borg Backup [7] (reported to compress virtual machines excellently) + Apple TimeMachine [3] + Wasabi Cloud [8]
  • DropBox [9] + External USB Hard Drive

 

Conclusion

Protecting our ‘Secret Underground Lairs’ seems to be an area that needs some attention. PC Magazine has a pretty good article reviewing cloud backup solutions of 2018 [11] and worth a review. The heart of the matter is, how ‘backed up’ is your data at home, from family photo’s, to hours of work on virtual machines. Ask yourself what needs to be done to protect yourself @home. We all do risk management and attack surface reduction at $dayjob, and seems that we could do a better job with our personal stuff.

 

Please hit me up @packatalien and or here on the forums if you have any ideas, suggestions, things that work, still use tape drives, or any other Back to Basics topics that need review. Short of it, I'm not done with this topic! Please send ideas as I plan to expand on this. 

 

[1] https://www.youtube.com/watch?v=SW0Q0IQydAg

[2] https://www.crashplan.com/en-us/

[3] https://support.apple.com/en-us/HT201250

[4] http://www.drobo.com/storage-products/

[5] https://www.qnap.com/en-us/how-to/tutorial/article/time-machine-support

[6] https://www.qnap.com/en-us/

[7] https://github.com/borgbackup

[8] https://wasabi.com/

[9] https://www.dropbox.com/

[10] https://www.sciencedirect.com/science/article/pii/S0747563210000373

[11] https://www.pcmag.com/article2/0,2817,2288745,00.asp

[12] http://tvtropes.org/pmwiki/pmwiki.php/Main/TheCobblersChildrenHaveNoShoes

 

0 comment(s)

Webshell looking for interesting files

Published: 2018-04-18
Last Updated: 2018-04-18 07:05:02 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Yesterday, I found on Pastebin a bunch of samples of a webshell that integrates an interesting feature: It provides a console mode that you can use to execute commands on the victim host. The look and feel of the webshell is classic:

But the "Console" menu looked interesting. It gives access to a preset of commands used to search for juicy files. Here is the full list of “aliases” as defined in the source code. Note that the webshell supports both Linux and Windows:

"find all suid files" => "find / -type f -perm -04000 -ls",
"find suid files in current dir" => "find . -type f -perm -04000 -ls",
"find all sgid files" => "find / -type f -perm -02000 -ls",
"find sgid files in current dir" => "find . -type f -perm -02000 -ls",
"find config.inc.php files" => "find / -type f -name config.inc.php",
"find config* files" => "find / -type f -name \"config*\"",
"find config* files in current dir" => "find . -type f -name \"config*\"",
"find all writable folders and files" => "find / -perm -2 -ls",
"find all writable folders and files in current dir" => "find . -perm -2 -ls",
"find all service.pwd files" => "find / -type f -name service.pwd",
"find service.pwd files in current dir" => "find . -type f -name service.pwd",
"find all .htpasswd files" => "find / -type f -name .htpasswd",
"find .htpasswd files in current dir" => "find . -type f -name .htpasswd",
"find all .bash_history files" => "find / -type f -name .bash_history",
"find .bash_history files in current dir" => "find . -type f -name .bash_history",
"find all .fetchmailrc files" => "find / -type f -name .fetchmailrc",
"find .fetchmailrc files in current dir" => "find . -type f -name .fetchmailrc",
"locate httpd.conf files" => "locate httpd.conf",
"locate vhosts.conf files" => "locate vhosts.conf",
"locate proftpd.conf files" => "locate proftpd.conf",
"locate psybnc.conf files" => "locate psybnc.conf",
"locate my.conf files" => "locate my.conf",
"locate admin.php files" =>"locate admin.php",
"locate cfg.php files" => "locate cfg.php",
"locate conf.php files" => "locate conf.php",
"locate config.dat files" => "locate config.dat",
"locate config.php files" => "locate config.php",
"locate config.inc files" => "locate config.inc",
"locate config.inc.php" => "locate config.inc.php",
"locate config.default.php files" => "locate config.default.php",
"locate config* files " => "locate config",
"locate .conf files"=>"locate '.conf'",
"locate .pwd files" => "locate '.pwd'",
"locate .sql files" => "locate '.sql'",
"locate .htpasswd files" => "locate '.htpasswd'",
"locate .bash_history files" => "locate '.bash_history'",
"locate .mysql_history files" => "locate '.mysql_history'",
"locate .fetchmailrc files" => "locate '.fetchmailrc'",
"locate backup files" => "locate backup",
"locate dump files" => "locate dump",
"locate priv files" => "locate priv”

For windows, the list is much smaller:

"Find index.php in current dir" => "dir /s /w /b index.php",
"Find *config*.php in current dir" => "dir /s /w /b *config*.php",

Note that other commands are available like the classic ‘ps’ or ‘netstat’ but I listed only command related to searches for juicy files.

The sample that I found was not available on VT but it was scored at 21/60[1]. I also found similar samples:

Webshells viper aXE0jHW2.php > fuzzy
[*] 6 relevant matches found
+-------+--------------+------------------------------------------------------------------+
| Score | Name         | SHA256                                                           |
+-------+--------------+------------------------------------------------------------------+
| 94%   | aSSzGh3w.php | 3c6bee8ae3e18600131913a5fb4fd3efe36742efd3533575756550054102b2b7 |
| 96%   | GSzBAdEj.php | 1f405d7be1b43c68f6623fb9f2ec1b5682509399c587570b3a6a9fc312b58db5 |
| 99%   | qTmUtjrQ.php | 5cbdbf9164ea0398e1bac1a7a99c305272e1e91928b67c5a948e590b39a467fa |
| 99%   | YLNem9K9.php | 42d1ac86f9391d36a8d02955f1bf430b7220833472c37edbfb0b119331ca6145 |
| 71%   | nTA4uxMM.php | 6d00a27c8d988a85147c0a2e32aca4ce158a0620efcd8acc53cee95e220d2c61 |
| 99%   | uQfnLbS7.php | 3abc47b7d3ea3d6d4265d78f94451803c2f2e73ad5b8081e98e845bc789a1d74 |
+-------+--------------+------------------------------------------------------------------+

To prevent webshells to access such kind of files, always run your web server with a dedicated UID that has restricted access to the underlying filesystem and chroot the process. Better, run your web server in a container.

[1] https://www.virustotal.com/en/file/ae0e586678910315c02739029b0f17efaaa12bbdbf61639f70aa6b3744970cc0/analysis/

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

A Review of Recent Drupal Attacks (CVE-2018-7600)
Apr 17th 2018
2 days ago by Johannes (0 comments)

A malicious word document with a VBA form
Apr 16th 2018
3 days ago by DidierStevens (0 comments)

Metasploit's Payload UUID
Apr 15th 2018
4 days ago by DidierStevens (0 comments)

Getting Incident Response Help from Richard Feynman
Apr 15th 2018
4 days ago by Kevin Liston (0 comments)

Drupal CVE-2018-7600 PoC is Public
Apr 13th 2018
6 days ago by Kevin Liston (6 comments)

Glitch in malspam campaign temporarily reduces spread of GandCrab
Apr 12th 2018
1 week ago by Brad (0 comments)

View All Diaries →

Latest Discussions

MinerPool Threat Feed info
created Apr 4th 2018
2 weeks ago by Anonymous (0 replies)

DShield on RPi returns no mySQL when running /home/pi/install/dshield/bin/status.sh
created Mar 29th 2018
3 weeks ago by nekton89 (0 replies)

Splunk: Any way to fetch logs via ssh
created Mar 15th 2018
1 month ago by Anonymous (1 reply)

Possible new worm activity
created Mar 13th 2018
1 month ago by Anonymous (0 replies)

Detecting the memcached issue
created Mar 9th 2018
1 month ago by David (0 replies)

View All Forums →

Latest News

View All News →

Top Diaries

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
9 months ago by Brad (6 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
8 months ago by Johannes (16 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
4 months ago by Russ McRee (2 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
7 months ago by Renato (0 comments)

Maldoc with auto-updated link
Aug 17th 2017
8 months ago by Xme (2 comments)