Is Your Website at Risk from LulzSec?

Thursday, June 23, 2011

Kevin McAleavey

Ba829a6cb97f554ffb0272cd3d6c18a7

I'm sure we've all read more than enough about the LulzSec crew in the past couple of weeks.

What's particularly disconcerting about these continuing adventures is that their shenanigans have exposed a woeful deficiency in the security fabric of too many corporate and government sites which have fallen victim to their highly unsophisticated attacks.

I have been monitoring LulzSec, AnonOps and AntiSec along with many others whose curiosity and forensics backgrounds have made this an interesting hunt for the past two weeks. And while many have focused on the suspects themselves, I have been more interested in the tools they've been using and how they have managed to successfully penetrate the victims of their attacks.

Protecting your operation from this onslaught isn't as difficult as it may seem once their methods and their tools are known. In this short article, I would like to explain what you're up against and point you to the same tools they're using in order to allow you to beat them to your own servers to verify that your site's security is up to snuff before they find you. The numbers of bored children are on the increase daily.

Lulzsec has captured a number of existing botnets in a simple takeover once they had hijacked the C&C's behind those botnets. That is the source of their DDOS attacks, numerous bots running a client on each known as "LOIC" (Low Orbit Ion Cannon) which can be downloaded from:

http://sourceforge.net/projects/loic/

While the DDOS attacks from LOIC are academic to most victim sites, those who haven't yet dealt with this "kiddieware" modification of a useful admin load-sharing test tool might want to grab a copy and observe its signatures on your border firewall if you haven't already dealt with this tool on your inbounds and tighten up your rules for deflecting DDOS attacks if you haven't already done so since this is the tool of origin.

LulzSec 's primary attacks however originate with a GUI-based SQL injection tool is perhaps not so well known which originated in Iran. You can get the very same tool that they've hacked all the databases they've hit here:

http://itsecteam.com/en/projects/project1.htm

IT staff who are concerned about attacks from LulzSec should check out the above tools and use them against your own facilities to evaluate your attack surface as these are the very same tools that have caused so much damage to the long list of LulzSec victims so far. And for those who are not up to speed on your potential SQL vulnerabilities at the hands of Havij, ISC published a rather useful "how to" two weeks ago here:

http://isc.sans.org/diary.html?storyid=11011

ISC has also published a wealth of information in the past years detailing the mechanics of SQLi attacks, apparently unheeded:

http://isc.sans.org/tag.html?tag=SQL%20Injection

There is no excuse for your facility to provide the next round of "lulz." By examining your ability to withstand mass DDOS attacks from the LOIC software and by checking your SQL backend to ensure that exploits sent from Havij aren't successful, you stand a far better chance of withstanding the onslaught of the raging children should they turn their "cannons" your way. Once you've manned your battle stations, you can observe your adversaries here:

http://irc.lc/anonops/antisec/LulzLizard%5B@@@%5D

Their "official" channels can be monitored here:

http://lulzsecurity.com/
http://twitter.com/#!/lulzsec

Obviously, proper precautions are advised in running the tools or visiting the sites in question inside a protected client operating system for your protection.

About the author: Kevin McAleavey is the architect of the KNOS secure operating system ( http://www.knosproject.com ) and has been in antimalware research and security product development since 1996.

Possibly Related Articles:
23383
Network->General
Information Security
SQl Injection DDoS Network Security Anonymous Hacktivist LOIC Script-Kiddies Lulzsec
Post Rating I Like this!
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey Their success at "liberating" information comes from using DROP_TABLE against databases with the Havij tool that I linked to in the middle of the article. Once they've used that, the rest is easy once they access the database. Failure to use at least "prepared statement" access to the backend and allowing all tables to be accessed from outside is what has been their success. Once they have your database, they have everything else.
1308895078
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey And another hacktool turns up called "wp-pwn" ... trying to find a copy of it since it was used to attack wordpress at blackandberg.com. Transcript here:

http://pastebin.com/vxJkhJc3

So among all of the other things admins should be concerned about is ensuring that the latest patch of wordpress is rolled out ASAP since it's clear from the log that a shellcode attack was done against wordpress here.
1308897260
Default-avatar
Sjoerd Jump Make that 6 weeks and attacks on non mysql sites.
Thinking that lulzsec is operating soly with 'kiddy' tools seems like a grave mistake.
i wouldnt underestimate them mr mcaleavey
1308901276
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey I would concur. As more kiddies and tools pile onto the scow, they're acquiring a more significant amount of Linux shellcode in particular. Just captured two more from their distributions to my collection from pastebin. And a recent posting regarding Apple Inc is even more worrisome. I originally wrote the article two days ago and although this isn't my current day job any longer (though at times I really miss the hunt) I have spent a bit more of my off-time following up on what I used to do 24/7 not all that long ago since the angle of how they're getting in seems to have fallen by the wayside amidst all the "lulz."

Their earlier attacks though are strictly "amateur hour" and I thought it would be helpful to at least point out the low-hanging fruit since I imagine most admins are up to their ears in panic at the moment.
1308902169
Default-avatar
Sjoerd Jump I can imagine that last bit yes.
And for the rest. Time will tell :-)
1308904775
44a2e0804995faf8d2e3b084a1e2db1d
Don Eijndhoven @mr McAleavey: Handbanana just replied to my queries on Twitter. They claim that this wp-own tool was of their own making and utilizes a vuln that they detected during a study of the website. They also stated that it is a pure remote code execution 0day, not SQLi, RFI or LFI.

I'd also like to note that these guys are probably not LulzSec, as their motive seems to be entirely different.
1308908681
Ba829a6cb97f554ffb0272cd3d6c18a7
Kevin McAleavey I'll make this my last reply of the "evening" as I seriously need some sleep.

THANKS, Don! My biggest hope for this item here was to get some communication going that would be of assistance to admins fearful that they might be next in this wave of "kiddie rage." Is there any chance of someone following up on this for our readers so that they can mitigate the threat? That was my whole purpose in writing this piece in the first place - that there was plenty of "story" on the attackers, but little useful information for those who have to contain and clean up the mess. The more information we can share, I think the better off all of us will be ...

Thanks again for the effort!
1308909814
44a2e0804995faf8d2e3b084a1e2db1d
Don Eijndhoven You're welcome. Unfortunately I also wanted to know more but this was as much as they were willing to give me. I understand the power of an 0day and so I didn't press my luck by asking for more detail. Im afraid we're going to have to wait till someone catches the vuln in his logs somewhere.
1308913919
0b8d1c9dc5f4a80e6646d8d18b8683fe
Ben Keeley Keeping systems fully patched, IPS, penetration testing of applications, resolving discovered vulnerabilities (such as XSS/SQLi/RFI/LFI/etc etc) are all good mitigations.

However security professionals can only protect systems if the suitable resources are provided (exec support/finance/suitable skillsets). This for example makes very interesting reading:
http://uk.reuters.com/article/2011/06/24/oukin-uk-sony-breach-lawsuit-idUKTRE75N03520110624

1308914389
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.