Our friends over at Sucuri have discovered several instances of embedded backdoors in image files on web servers. The JPG image files allow an attacker to execute any content delivered to them via a standard HTTP POST request.
According to an interview between Sucuri CTO Daniel Cid and CSOonline’s Steve Ragan, an attacker can issue commands directly, or call shell scripts hosted remotely and execute them. Moreover, depending on how the server is configured, the commands issued to the backdoor could run with elevated privileges.
“The thing I recommend the most is file integrity monitoring,” Cid told Steve Ragan. “If you can detect files being modified, then you can discover this type of attack.”
We couldn’t agree more. In fact, any operating system or application server policy we create for CloudPassage Halo includes rules that monitor for the creation, deletion, and modification of sensitive files and directories. Applications on your servers should exhibit relatively predictable behavior. If your application allows file uploads, specific directories should be configured for that purpose. If new files are detected in directories not explicitly configured as “upload directories”, that could be an indicator of compromise (IOC) worth investigating further.
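To make the file integrity idea concrete, here is an added Python example (not CloudPassage’s or Sucuri’s code): it baselines a web root, reports created, modified and deleted files, flags changes that land outside the configured upload directories, and additionally flags .jpg files that lack a JPEG header or carry a PHP marker. The upload directory list, the marker list and the files built in `demo()` are assumptions constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

JPEG_MAGIC = b"\xff\xd8\xff"                   # every JPEG begins with these bytes
SCRIPT_MARKERS = (b"<?php", b"<?=", b"eval(")  # assumed markers; tune for your stack

def snapshot(root):  # map every file under root (posix relative path) to its SHA-256
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def diff_snapshots(baseline, current):  # sorted created / modified / deleted paths
    created = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return created, modified, deleted

def is_in_upload_dir(relpath, upload_dirs):  # under a directory configured for uploads?
    return any(relpath.startswith(d.strip("/") + "/") for d in upload_dirs)

def suspicious_image(path):
    """Reason string if a .jpg lacks the JPEG header or carries a script marker, else None."""
    data = Path(path).read_bytes()
    if not data.startswith(JPEG_MAGIC):
        return "lacks JPEG header"
    hits = [m.decode() for m in SCRIPT_MARKERS if m in data]
    return "contains " + ", ".join(hits) if hits else None

def review_changes(root, baseline, upload_dirs):  # (relpath, reason) IOCs since baseline
    created, modified, deleted = diff_snapshots(baseline, snapshot(root))
    iocs = [(rel, "deleted") for rel in deleted]
    for rel in created + modified:
        kind = "created" if rel in created else "modified"
        if not is_in_upload_dir(rel, upload_dirs):
            iocs.append((rel, kind + " outside upload directories"))
        if rel.lower().endswith((".jpg", ".jpeg")):
            reason = suspicious_image(Path(root) / rel)
            if reason:
                iocs.append((rel, "image file " + reason))
    return iocs

def demo():
    """Constructed scenario: clean baseline, then a PHP-tagged 'image' lands outside uploads."""
    root = Path(tempfile.mkdtemp())
    for d in ("uploads", "images"):
        (root / d).mkdir()
    (root / "uploads" / "cat.jpg").write_bytes(JPEG_MAGIC + b"\xe0" + b"\x00" * 16)
    baseline = snapshot(root)
    (root / "images" / "logo.jpg").write_bytes(JPEG_MAGIC + b"\xe0<?php /* constructed placeholder */ ?>")
    return review_changes(root, baseline, ["uploads"])  # -> two findings for images/logo.jpg
```

Marker matching is a heuristic: backdoors can be obfuscated and benign image metadata can occasionally trip it, so treat hits as leads to investigate rather than verdicts.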
Services and application-specific executables also behave in a predictable manner. Potential IOCs include a change in network listening ports, a change in file or group ownership, or an increased number of similar processes where only a single process should be running. Halo policies also include checks that validate that system-level services have the correct ownership, listening ports, and number of running instances.
An attacker may also try to establish a reverse access tunnel to solidify their beachhead and ensure continued access to the compromised server. The rule of predictable behavior described above applies to new connections originating from your server as well. We recommend using the host-based firewall capabilities of your operating system to limit an attacker’s ability to open a new connection out to the Internet. In fact, you may want to restrict all new outbound connections from your server and only open them to apply patches and updates.
Securing your servers and applications, especially those that are Internet-accessible, is no easy task. Here at CloudPassage, however, we are continuously evolving Halo to take the pain and complexity out of securely deploying and monitoring servers and applications.