Exploits
Stack overflow
What is a Stack Overflow attack?
Similar to a buffer overflow attack, the stack overflow attack is a common attack on older systems, software and processes. It takes advantage of the way memory blocks and stacks are allocated to system processes. A stack overflow attack occurs when a process tries to write data to a memory block or stack that is already full, so the data is written to a memory address adjacent to the intended destination stack. This happens when a program does not manage its memory allocation properly and does not implement sufficient bounds checking to discard data when too much is sent to a memory stack.
Memory blocks are used to allocate a specific place in memory (RAM) for an application to store information. During this process, the application asks the operating system for memory resources, and the operating system then reserves a selection of memory (a block) for that information to be stored in. This lets the application and operating system easily refer to that information when needed, and keeps it separate from the information of other applications.
To understand this further, we can use the following simplified example. Let’s say you have a container that can hold a maximum of 8 cubes. If you then try to put 9 cubes in that container, the last cube is not going to fit, but you still need to put that remaining cube somewhere, so it overflows into the next container along. That container was not meant to hold this cube, but due to the overflow we have now unexpectedly added data to it.
Attackers can use this to their advantage to get the computer to run malicious code. An attacker can send oversized payloads to a vulnerable application in an attempt to get it to write data into other memory blocks (containers). The payload can be specially crafted so that the overflowed data is read by other parts of the program and then executed, allowing the attacker access to the system.
How can I remediate a stack overflow vulnerability?
As a stack overflow is a low-level attack, happening at the memory level, it’s difficult to remediate or prevent after the fact. Software developers must implement proper bounds checking on memory blocks, verifying that the variable about to be written to has enough space to hold the data before writing it.
As a system administrator, the best course of action is to ensure that the latest software versions are used where possible, and that any custom-made software is written properly and tested rigorously.
Heap overflow
What is a Heap Overflow attack?
Similar to a buffer overflow attack, the heap overflow attack is a common attack on older systems, software and processes. It takes advantage of the way memory blocks and heaps are allocated to system processes. A heap overflow attack occurs when a process tries to write data to a memory block or heap that is already full, so the data is written to a memory address adjacent to the intended destination heap. This happens when a program does not manage its memory allocation properly and does not implement sufficient bounds checking to discard data when too much is sent to a memory heap.
Memory blocks are used to allocate a specific place in memory (RAM) for an application to store information. During this process, the application asks the operating system for memory resources, and the operating system then reserves a selection of memory (a block) for that information to be stored in. This lets the application and operating system easily refer to that information when needed, and keeps it separate from the information of other applications.
To understand this further, we can use the following simplified example. Let’s say you have a container that can hold a maximum of 8 cubes. If you then try to put 9 cubes in that container, the last cube is not going to fit, but you still need to put that remaining cube somewhere, so it overflows into the next container along. That container was not meant to hold this cube, but due to the overflow we have now unexpectedly added data to it.
Attackers can use this to their advantage to get the computer to run malicious code. An attacker can send oversized payloads to a vulnerable application in an attempt to get it to write data into other memory blocks (containers). The payload can be specially crafted so that the overflowed data is read by other parts of the program and then executed, allowing the attacker access to the system.
How can I remediate a heap overflow vulnerability?
As a heap overflow is a low-level attack, happening at the memory level, it’s difficult to remediate or prevent after the fact. Software developers must implement proper bounds checking on memory blocks, verifying that the variable about to be written to has enough space to hold the data before writing it.
As a system administrator, the best course of action is to ensure that the latest software versions are used where possible, and that any custom-made software is written properly and tested rigorously.
Buffer Overflow Attack
What is a Buffer Overflow attack?
The buffer overflow attack is a common attack on older systems, software and processes. It takes advantage of the way memory blocks and buffers are allocated to system processes. A buffer overflow attack occurs when a process tries to write data to a memory block or buffer that is already full, so the data is written to a memory address adjacent to the intended destination buffer. This happens when a program does not manage its memory allocation properly and does not implement sufficient bounds checking to discard data when too much is sent to a memory buffer.
Memory blocks are used to allocate a specific place in memory (RAM) for an application to store information. During this process, the application asks the operating system for memory resources, and the operating system then reserves a selection of memory (a block) for that information to be stored in. This lets the application and operating system easily refer to that information when needed, and keeps it separate from the information of other applications.
To understand this further, we can use the following simplified example. Let’s say you have a container that can hold a maximum of 8 cubes. If you then try to put 9 cubes in that container, the last cube is not going to fit, but you still need to put that remaining cube somewhere, so it overflows into the next container along. That container was not meant to hold this cube, but due to the overflow we have now unexpectedly added data to it.
Attackers can use this to their advantage to get the computer to run malicious code. An attacker can send oversized payloads to a vulnerable application in an attempt to get it to write data into other memory blocks (containers). The payload can be specially crafted so that the overflowed data is read by other parts of the program and then executed, allowing the attacker access to the system.
How can I remediate a buffer overflow vulnerability?
As a buffer overflow is a low-level attack, happening at the memory level, it’s difficult to remediate or prevent after the fact. Software developers must implement proper bounds checking on memory blocks, verifying that the variable about to be written to has enough space to hold the data before writing it.
As a system administrator, the best course of action is to ensure that the latest software versions are used where possible, and that any custom-made software is written properly and tested rigorously.
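The bounds check that the three remediation sections above call for, shown in C as an added example (this is not code from this page or from UKFast). A fixed 8-byte slot, like the 8-cube container, sits directly next to another field in memory. store_unchecked shows the unsafe pattern, where strcpy writes however many bytes the input has; store_checked verifies that the payload plus its terminator fits before writing anything; store_bytes_checked does the same for raw bytes whose length comes from the caller; and store_heap sizes a heap block to the data instead of the data to the block. The record layout, function names and sample strings are all constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOT_LEN 8   /* the container that holds at most 8 "cubes" (bytes) */

/* Constructed layout: a fixed-size slot followed by a field the program
   trusts. Anything written past slot lands in is_admin, the "next container". */
struct record {
    char slot[SLOT_LEN];
    int  is_admin;
};

/* Unsafe pattern: strcpy does not know how big dst is, so any src longer
   than SLOT_LEN - 1 bytes spills past slot. Shown only for contrast; it is
   never called with oversized input here. */
void store_unchecked(struct record *r, const char *src) {
    strcpy(r->slot, src);
}

/* Hardened form: check that the payload plus its NUL terminator fits, and
   write nothing if it does not. The 9th cube is rejected, not overflowed. */
bool store_checked(struct record *r, const char *src) {
    size_t n = strlen(src);
    if (n + 1 > sizeof r->slot) {
        return false;
    }
    memcpy(r->slot, src, n + 1);
    return true;
}

/* Same check for raw bytes that carry no terminator (e.g. data read from a
   socket), where the length comes from the caller rather than from strlen. */
bool store_bytes_checked(struct record *r, const unsigned char *data, size_t len) {
    if (len >= sizeof r->slot) {
        return false;
    }
    memcpy(r->slot, data, len);
    r->slot[len] = '\0';
    return true;
}

/* Heap variant: size the block to the data instead of the data to the block.
   The caller frees the result. */
char *store_heap(const char *src) {
    size_t n = strlen(src);
    char *p = malloc(n + 1);
    if (p == NULL) {
        return NULL;
    }
    memcpy(p, src, n + 1);
    return p;
}

int main(void) {
    struct record r = { "", 0 };
    printf("7 bytes: %s\n", store_checked(&r, "7bytes!") ? "stored" : "rejected");
    printf("8 bytes: %s\n", store_checked(&r, "8bytes!!") ? "stored" : "rejected");
    printf("is_admin is still %d, slot holds \"%s\"\n", r.is_admin, r.slot);
    char *h = store_heap("a longer string that would never fit in the 8-byte slot");
    if (h != NULL) {
        printf("heap copy: %s\n", h);
        free(h);
    }
    return 0;
}
```

The check in store_checked is the whole remediation: the length is compared against the destination's real size before a single byte is written, so an oversized payload is discarded rather than spilling into is_admin. Note that an 8-character string is rejected even though the slot is 8 bytes, because the terminator needs the eighth byte.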
Null user changed some information
What does this mean?
To understand this rule, it’s best if we first break down what is meant by null. As you probably know, null is the name given to a value that is empty or not present. For example, if we have a variable called My_name but have not saved any data into it, that variable will have a value of null, or nothing.
Building on this, when information is changed on your server, the operating system will usually track which user or process changed that information, for tracking and management purposes. In this case, the operating system was unable to determine who or what changed the information, which could potentially be malicious.
A common objective for an attacker is to remain as anonymous as possible, for as long as possible, so they can do as much damage as they can. Preventing the operating system from tracking which user or process is making changes to specific information helps the attacker remain anonymous.
This anomalous activity can help us identify that some unexpected activity may be in progress.
Let’s not forget, however, that it is entirely possible that a program or service entered an error state or did not change the information correctly, without telling the operating system that it had changed the information, and triggered this alert as a false positive.
What do I need to do if I receive this alert?
If you receive this alert, we recommend being extra vigilant and looking out for any other alerts that may be triggered as a result of a potential attacker’s activity. Your MyUKFast dashboard is a great place to keep track of events on your server. Additionally, UKFast support is always on hand to provide assistance where needed.
Multiple authentication failures from the same IP address followed by success.
What does this rule mean?
This is an all-round rule for alerting on multiple failed authentication attempts followed by a successful login. It is triggered when a user tries to log in multiple times before succeeding. This can indicate that an attacker accessed your server through a brute force attack. Alternatively, it could indicate that a service or process on your solution was unable to authenticate to this server for a short period. It is also possible that a genuine user forgot their password, tried many times to authenticate, then remembered their password and logged in.
It’s always best to double-check the user account in question and take the appropriate measures to confirm that this was a genuine login. If you are unsure about this login, one of the quickest ways to take preventative action is to disable the user account in question. For more information on this, please see the documentation here.
Additionally, to minimise these alerts and secure your server from this type of brute force attack, it’s recommended to lock down access to these services. The SSH server, for example, can be locked down to certain IP addresses at the firewall level. This means that only predefined IP addresses will be able to reach the SSH port, securing access to this service. A VPN could also be used. More information on this can be found here.
It’s best practice to ensure you have a strong password set for all of these services. Passwords longer than 8 characters that contain numbers, special characters and MixEd CaSe letters are very difficult to brute force. You can use a service like auditd to enforce password strength policies on your server. You can contact UKFast Support for assistance with this.
How can network scans be prevented?
Unwanted network scans can be an annoyance and potentially dangerous, but due to the way networks are designed, some infrastructure needs to be visible to the Internet and is therefore susceptible to scans. One of the best ways to deal with these scans is to recognise when a scan is in progress and then block the scanning IP address. Threat Monitoring Dynamic Protection takes care of this automatically and will block scanning IPs.
Additionally, it’s important to ensure that your network is set up properly, with the right security precautions in place, to minimise the number of attack vectors that a network scan may find. Regular patching and updating ensures that publicly known vulnerabilities are removed from exposed services and therefore cannot be exploited.
System user successfully logged to the system.
What does this rule mean?
A user account that is reserved for a system process has successfully logged onto the server. This could indicate that a system account with a common username (like apache or mysql) has been hacked. Attackers use automated scripts to find vulnerable servers on the Internet. These scripts try common usernames and passwords to gain unauthorised access to a server and take control of it. Programs and services that run on your server all need a username to run as, since this helps the operating system keep track of what is doing what.
The username in question will depend on the program or service that has been attacked. This will most likely be a service such as Apache, MySQL, MongoDB or NGINX. You can look at your raw logs for more detail on this event, including the username that was accessed in the attack. Alternatively, you can ask us to take a look for you by raising a support ticket or calling UKFast support.
How can I fix this?
All system user accounts should have remote login disabled, meaning that attackers will not be able to access these accounts from the Internet, which removes this route of attack. For more information, visit this page for instructions on how to disable login for certain accounts.
Attacks followed by the addition of a user.
What does this mean?
This is one of the most serious alerts; it is triggered whenever an attack is followed by the addition of a user account on your server. It’s common that, once an attack has succeeded, the attacker adds an account for themselves on the system in an attempt to leave a way back in should the original compromised account be disabled. If this goes unnoticed, your server could be compromised again, even after the original vulnerability has been removed and the compromised account disabled.
Remediation needs to be immediate to tackle this attack. Firstly, the original attack should be dealt with as appropriate. Following that, any user accounts created during the attack or the patching phase should be removed or disabled, to minimise the risk of the attacker regaining access to the system.
To prevent this from happening again, you can implement rules that only allow an administrative user to add user accounts. This prevents accounts from being added even if one of your current accounts is compromised. This is enabled by default. If your administrative user is compromised, then you would need to look at another defensive technique, such as restoring from a backup taken before the initial attack.
For more information on how to disable user accounts, please take a look at our documentation on this topic here.
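The logic behind three of the rules above (multiple authentication failures from one IP address followed by success, a system user successfully logging in, and an attack followed by the addition of a user), as a small correlator over a constructed sshd and useradd log. This is an added example written in C; it is not the Threat Monitoring rule set or UKFast code. The log lines, hostname, addresses and usernames are made up; the list of system users and the threshold of 3 failures are assumptions; and "an attack was seen" is simplified to one of the first two rules having fired earlier in the same log, whereas a production rule set correlates many attack signatures within a time window.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FAIL_THRESHOLD 3   /* assumed: failures from one IP before a success is suspicious */
#define MAX_IPS 32

/* Constructed sample log in OpenSSH / useradd syslog format; nothing here is real. */
static const char *const SAMPLE_LOG[] = {
    "Mar  3 10:00:01 web1 sshd[2001]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar  3 10:00:03 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 51235 ssh2",
    "Mar  3 10:00:05 web1 sshd[2003]: Failed password for deploy from 203.0.113.7 port 51236 ssh2",
    "Mar  3 10:00:09 web1 sshd[2004]: Accepted password for deploy from 203.0.113.7 port 51240 ssh2",
    "Mar  3 10:01:00 web1 sshd[2010]: Accepted publickey for www-data from 198.51.100.5 port 40000 ssh2",
    "Mar  3 10:02:30 web1 useradd[2100]: new user: name=support2, UID=1002, GID=1002, home=/home/support2, shell=/bin/bash",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Assumed list of accounts that exist only to run services and must never log in. */
static const char *const SYSTEM_USERS[] = { "www-data", "apache", "mysql", "mongodb", "nginx", "postgres" };

struct ip_failures { char ip[64]; int count; };

struct findings {
    int brute_then_success;        /* failures from the same IP followed by success */
    int system_user_login;         /* system user successfully logged in */
    int user_added_after_attack;   /* attack followed by the addition of a user */
    char last_ip[64];
    char last_user[64];
    char added_user[64];
};

static bool is_system_user(const char *user) {
    for (size_t i = 0; i < sizeof SYSTEM_USERS / sizeof SYSTEM_USERS[0]; i++) {
        if (strcmp(user, SYSTEM_USERS[i]) == 0) return true;
    }
    return false;
}

/* Find or claim the per-IP failure counter; NULL when the small table is full. */
static struct ip_failures *slot_for(struct ip_failures *tab, const char *ip) {
    for (int i = 0; i < MAX_IPS; i++) {
        if (tab[i].ip[0] == '\0') {
            snprintf(tab[i].ip, sizeof tab[i].ip, "%s", ip);
            return &tab[i];
        }
        if (strcmp(tab[i].ip, ip) == 0) return &tab[i];
    }
    return NULL;
}

/* Walk the lines in order, fill *f, and return how many distinct rules fired. */
int analyze_log(const char *const *lines, size_t n, struct findings *f) {
    struct ip_failures tab[MAX_IPS];
    memset(tab, 0, sizeof tab);
    memset(f, 0, sizeof *f);
    bool attack_seen = false;
    char user[64], ip[64];

    for (size_t i = 0; i < n; i++) {
        const char *line = lines[i];
        const char *p;
        if (strstr(line, "sshd[") && (p = strstr(line, "Failed password for ")) != NULL) {
            const char *from = strstr(p, " from ");             /* " from <ip> port ..." */
            if (from && sscanf(from + 6, "%63s", ip) == 1) {
                struct ip_failures *s = slot_for(tab, ip);
                if (s) s->count++;
            }
        } else if (strstr(line, "sshd[") && (p = strstr(line, "Accepted ")) != NULL) {
            const char *forp = strstr(p, " for ");               /* " for <user> from <ip> ..." */
            if (forp && sscanf(forp + 5, "%63s from %63s", user, ip) == 2) {
                struct ip_failures *s = slot_for(tab, ip);
                if (s && s->count >= FAIL_THRESHOLD) {
                    f->brute_then_success = 1;
                    attack_seen = true;
                    snprintf(f->last_ip, sizeof f->last_ip, "%s", ip);
                }
                if (is_system_user(user)) {
                    f->system_user_login = 1;
                    attack_seen = true;
                    snprintf(f->last_user, sizeof f->last_user, "%s", user);
                }
            }
        } else if (strstr(line, "useradd[") && (p = strstr(line, "new user: name=")) != NULL) {
            /* only an addition that comes after an attack fires the third rule */
            if (attack_seen && sscanf(p + 15, "%63[^,]", f->added_user) == 1) {
                f->user_added_after_attack = 1;
            }
        }
    }
    return f->brute_then_success + f->system_user_login + f->user_added_after_attack;
}

int main(void) {
    struct findings f;
    int fired = analyze_log(SAMPLE_LOG, SAMPLE_LOG_LEN, &f);
    printf("%d rule(s) fired\n", fired);
    if (f.brute_then_success) printf("failures then success from %s\n", f.last_ip);
    if (f.system_user_login) printf("system user %s logged in\n", f.last_user);
    if (f.user_added_after_attack) printf("user %s added after an attack\n", f.added_user);
    return 0;
}
```

Two details matter for false positives. A single failure followed by a success (the forgotten-password case the rule description mentions) stays below the threshold and is not reported, and a user added with no preceding attack in the log is treated as routine administration rather than as persistence.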