A web server is a piece of software (or a set of programs) that, running on a server machine, handles requests from a client, usually a browser. Every time we visit a website we send requests to web servers, which respond with the requested pages. There are many different web server programs, but the most used are:
The first two are open source: their source code is public, and every parameter or internal routine can be modified, while IIS is closed source, so (as far as I know) its internal code is not publicly known. The architecture of a typical open source web server consists of the following:
- Linux operating system;
- Software components, such as Apache;
- The database, which can be MySQL, PSQL or others;
- The application layer, for example PHP.
The architecture of an IIS web server is decidedly different. We have:
- Components such as HTTP.sys;
- Services such as World Wide Web Publishing Service (WWW Service) and Windows Process Activation Service (WAS).
How Come They Are Compromised?
The reasons can be endless, ranging from a chance event, such as a malware-infected email opened by a company employee, to a targeted attack by hackers who want to compromise the site for their own reasons. The main causes of a compromise are:
- Installing the server and keeping the default configuration, thus leaving the default password, open ports (such as SSH) and users with every possible privilege;
- Incorrect user or file permissions: if the web server configuration file is left readable and writable by everyone instead of being restricted to the administrator, any user can change it at will;
- Outdated software: leaving aside the "remote" possibility of a zero-day, most sites get compromised exactly this way;
- Non-existent or misconfigured SSL certificate: if I connect to the site from a public network and the site has no SSL certificate, anyone on that network can read the credentials I use to log in.
A compromised server can cause a lot of damage, including:
- Account compromise, as a result of which the owner of the compromised account can no longer access it;
- Defacing the site, which consists in replacing the home page or some other pages with (usually) a message announcing the hacker's success;
- Data theft or deletion;
- Use of the server for illegal purposes, such as launching DDoS attacks against other servers (a sensational case a few months ago in which two hacked Amazon servers were used to attack the BBC site with 602 Gbps of bandwidth).
Directory Traversal
It consists of exploiting incorrect input validation and accessing files and folders that, in theory, should not be accessible to anyone, such as the password file. An example of this type of attack against a *NIX server would be: http://some_site.com.br/../../../../etc/shadow.
If the web server is misconfigured, it will accept the request and let me read the password file. One tool that looks for this vulnerability is dotDotPwn, while other examples can be found at this address.
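The misconfiguration above is a server that resolves the requested path without checking that the result stays under its document root. The following is an added example (not code from the original article) of the check a server should make, assuming a document root of `/var/www/html`:

```python
# Added example: reject the traversal request shown above by resolving the
# requested path inside a fixed document root. WEB_ROOT is an assumed value.
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

WEB_ROOT = Path("/var/www/html")  # assumed document root


def resolve_request_path(url: str, web_root: Path = WEB_ROOT) -> Optional[Path]:
    """Map a request URL to a file under web_root.

    Returns the resolved path, or None when the request would escape the
    document root (e.g. with ../ segments, including URL-encoded ones).
    """
    raw_path = unquote(urlsplit(url).path)  # decode %2e%2e%2f and friends
    # resolve() collapses ".." components; the file does not need to exist
    candidate = (web_root / raw_path.lstrip("/")).resolve(strict=False)
    try:
        candidate.relative_to(web_root.resolve(strict=False))
    except ValueError:
        return None  # escaped the document root: refuse the request
    return candidate


if __name__ == "__main__":
    for u in (
        "http://some_site.com.br/index.html",
        "http://some_site.com.br/../../../../etc/shadow",
        "http://some_site.com.br/%2e%2e/%2e%2e/etc/passwd",
    ):
        print(u, "->", resolve_request_path(u))
```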
HTTP Response Splitting
This type of attack can be used when data from a web request is included in an HTTP response without being validated. To put it in familiar terms, it belongs to the same family as the various injection attacks (SQL injection, XSS, CSRF).
Brute Force
It can be performed both against login credentials (for example, if you run WordPress and the login page is not protected against this type of attack) and against SSH, Telnet or FTP. Where the service has to stay enabled, always remember to add protections, which can be (for example) logins allowed only from certain IP addresses, bans on IP addresses that make too many requests, and so on. One piece of software that performs brute force attacks is Hydra.
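The two protections just named, a source-IP allowlist for the login endpoint and a temporary ban after repeated failures, written as a small in-memory policy object. This is an added example and not code from the original article; the network, thresholds and times are constructed values.

```python
# Added example: allowlist plus failed-login throttling for a login endpoint.
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable


class LoginGuard:
    def __init__(self, allowed_networks: Iterable[str] = (), max_failures: int = 5,
                 window: float = 300.0, ban_seconds: float = 900.0) -> None:
        # Empty allowlist means "any source address may try"
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.max_failures = max_failures
        self.window = window            # seconds over which failures are counted
        self.ban_seconds = ban_seconds  # how long a banned address is refused
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.banned_until: Dict[str, float] = {}

    def is_allowed(self, ip: str, now: float) -> bool:
        """True if `ip` may attempt a login at time `now` (seconds)."""
        addr = ipaddress.ip_address(ip)
        if self.allowed and not any(addr in net for net in self.allowed):
            return False  # outside the allowlist
        if self.banned_until.get(ip, 0.0) > now:
            return False  # still serving a ban
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register a failed login; returns True if this failure triggers a ban."""
        attempts = self.failures[ip]
        attempts.append(now)
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()  # forget attempts that fell out of the window
        if len(attempts) >= self.max_failures:
            self.banned_until[ip] = now + self.ban_seconds
            attempts.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login resets the failure counter for that address."""
        self.failures.pop(ip, None)
```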
Password Cracking
I have already explained the different methodologies for password cracking, so I won't dwell on it. It is always good to remember never to log in from a public network if the site has no certificate, never to use simple passwords, and always to put checks in place against those who try to enter our system without authorization.
DoS
Unfortunately, this type of attack does not depend on any configuration: it is simply vandalism committed by those who have little else to do (or by a competitor). The consequence of this attack is that the site stays unreachable for its entire duration. To reduce the chances of a DoS attack succeeding, you can subscribe to Cloudflare, which implements a series of controls and defenses in the event of an attack.
Another entity that can mitigate (but not eliminate) the problem is the hosting provider, such as Amazon, OVH or Aruba. The steps of an attack on a web server are the same steps taken in a session hacking, namely:
- Exploration and footprinting: gathering as much information as possible about the target, scanning the network and looking for the most suitable ways to exploit vulnerabilities (if any).
- Scanning and enumeration: the phase in which the information previously gathered is used to determine the main objective.
- Maintaining access: in this phase the hacker can try to gain root permissions to reach as much information as possible (or do as much damage as possible). He can plant a backdoor or a trojan to transfer the information to a place known only to him.
- Cleaning up traces: after entering a system, the intruder arranges things so that the system owner does not notice anything extraneous, for example by deleting log files.
To eliminate most of the risk of your web server being hacked, you must follow a few simple rules, which must be applied daily. If you cannot keep your site updated, do not just leave it running unattended; that is never a good idea.
- Scan and verify that all running software is up to date;
- Before installing a patch or update, verify that the source is trustworthy and has not itself been hacked;
- Install a good firewall;
- Always perform backups, in case a new installation goes wrong or some joker decides to wipe your web server and all its data;
- Block unnecessary and unused ports;
- If remote access is required, protect it from brute force attacks with strong passwords and firewall rules;
- Remove the default users that you do not use;
- Check the server logs to make sure no one is trying to break in.
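The last rule in practice: an added example (not code from the original article) that reviews Apache-style access log lines for the traversal pattern shown earlier and for addresses collecting many 401/403 responses. The log lines are constructed for the example and the threshold is an assumed value.

```python
# Added example: flag traversal attempts and repeated denied requests in an
# access log. SAMPLE_LOG is constructed; the threshold is an assumed value.
import re
from collections import Counter
from typing import Dict, List

# Apache combined format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')
# "../", its URL-encoded form, and the Windows-style "..\" variant
TRAVERSAL = re.compile(r"(\.\./|%2e%2e|\.\.\\)", re.IGNORECASE)

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /../../../../etc/shadow HTTP/1.1" 403 199
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 403 199
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 401 512
198.51.100.9 - - [10/Oct/2023:13:56:06 +0000] "POST /wp-login.php HTTP/1.1" 401 512
198.51.100.9 - - [10/Oct/2023:13:56:07 +0000] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /about.html HTTP/1.1" 200 2210
"""


def review_log(text: str, denied_threshold: int = 3) -> Dict[str, List[str]]:
    """Return {ip: [findings]} for traversal attempts and repeated 401/403s."""
    findings: Dict[str, List[str]] = {}
    denied: Counter = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, req, status = m["ip"], m["req"], int(m["status"])
        if TRAVERSAL.search(req):
            findings.setdefault(ip, []).append(f"traversal attempt: {req}")
        if status in (401, 403):
            denied[ip] += 1
    for ip, count in denied.items():
        if count >= denied_threshold:
            findings.setdefault(ip, []).append(f"{count} denied requests (401/403)")
    return findings


if __name__ == "__main__":
    for ip, notes in review_log(SAMPLE_LOG).items():
        print(ip, notes)
```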
I have tried to describe broadly (very broadly) the main types of attacks and how to defend against them. A browser plugin that I have always found very interesting is Wappalyzer: every time we visit a site, it tells us which web server it runs, the CMS in use, and a series of other more or less useful details.
A practical and real example of hacking a web server and an entire company can be found in the recent case of Hacking Team. The hacker published all steps, from entering the server, stealing information and exiting it as if nothing had happened.