<h1>How we protect our customers' websites from backdoors and other dangerous files</h1>
<p>Published 10 March 2020 (updated 11 March 2020) on the WEDOS blog, category: security. Original (Czech): <a href="https://blog.wedos.com/cs/jak-chranime-weby-nasich-zakazniku-pred-backdoor-a-dalsimi-nebezpecnymi-soubory" target="_blank" rel="noopener">blog.wedos.com</a>. Tags: backdoor, security, CML, IPS/IDS, attacks, WordPress.</p>

<p>Two weeks ago, mostly as a curiosity, we published the detective story <a href="https://blog.wedos.cz/jak-jsme-chranili-weby-nasich-zakazniku-pred-kritickou-chybou-ve-wordpress-pluginu-themegrill-demo-importer" target="_blank" rel="noopener">How we protected our customers' websites from a critical bug in the WordPress plugin ThemeGrill Demo Importer</a>. We did not expect it to get such a response and so many questions. So we decided to write up another example of our security team's work.</p>

<p>On 27 January and 27 February 2020 the Sucuri Labs security team published warnings about backdoors disguised as security plugins: <a href="https://labs.sucuri.net/webshell-in-fake-plugin-blnmrpb-directory/" target="_blank" rel="noopener">blnmrpb</a> and <a href="https://labs.sucuri.net/skimmer-plugin-hides-itself-from-wp-admin/" target="_blank" rel="noopener">wpdefault</a>.</p>

<h3>What a backdoor is</h3>
<p>If an attacker gains access to your WordPress installation through a security hole or stolen passwords, they do not have to do any damage right away. In some cases they only plant a backdoor through which they can take control of your entire WordPress installation in the future: sending spam, harvesting data about your users, launching attacks, mining cryptocurrencies and so on.</p>

<p>Planting an inconspicuous backdoor instead of attacking immediately has several advantages for the attacker. The backdoor ends up in the site's backups too, so restoring from a backup does not help, and the site can be abused whenever it suits the attacker. A backdoor keeps working even after the security hole has been patched or the password that let the attacker in has been changed.</p>

<h3>How we look for backdoors</h3>
<p>When we know a backdoor exists, as in this case, we can immediately start actively looking in traffic for requests to these specific files. This is the fastest solution, but not a completely effective one. Our protection only sees HTTP traffic, so for now users with encrypted traffic (HTTPS) are out of luck. We are working on an improvement to our protection that will be able to filter encrypted traffic as well.</p>

<p>Another way we look for backdoors is through CML. Centrální Monitor Logů (Central Log Monitor) is our system that collects every conceivable piece of data from all servers and sorts it in one place, in real time. That amounts to almost 700 GB of collected text data per day. Among other things, CML gives us access to the access logs of all web hostings, where we can also find requests to a backdoor.</p>

<p>But what if nobody calls the backdoor? The attacker simply places it on the server and then leaves it alone. In that case we fall back on good old file searching. The problem is that we have to go through an enormous number of files on all servers, and do it in a way that does not degrade customers' services.</p>

<p>That is not easy. We look after almost 105 thousand web hostings, which host roughly 137 thousand websites on second-level domains. Tens of thousands of these are content management systems, most of which use caching plugins. Large, active sites with caching create thousands of files that are continuously added, overwritten and deleted.</p>

<p>Over the years we have developed our own methods and fine-tuned scripts, but going through everything can still take days. It depends on what we are looking for and how well it is hidden.</p>

<h3>What we do when we find suspicious files</h3>
<p>If the files are merely suspicious, our technicians notify the owner by e-mail and ask them to check the situation. The fact that a file looks compromised does not necessarily mean that it is. The owner may also already be working on removal and have the situation under control.</p>

<p>In the case of a backdoor, as in this situation, it is considerably simpler. The event is handled by a technician from the security team who is familiar with the specific threat. We know what the threat does and what we can afford to do so that, ideally, the customer's service is not affected.</p>

<p>The security technician blocks access to the file by changing its permissions so that it cannot do any harm. The customer is then informed by e-mail, which also includes tips on how to deal with the situation.</p>

<p>In the long run this procedure has proven to work best for us. If, for example, we deleted the files outright, the attacker would upload them again the next day through the unpatched security hole.</p>

<p>Most attacks on today's content management systems are carried out by automated scripts at enormous scale. They all do the same thing. When they fail to upload a backdoor through a security hole because the permissions do not allow it, or when they find that a backdoor is already there, they move on.</p>

<p>This applies only to compromised sites that are not yet causing any harm. Of course, when a web hosting is already being actively abused, our technicians act more forcefully.</p>

<h3>How did it turn out?</h3>
<p>When you have been the most popular WordPress hosting for many years, with the most active installations as well, you can probably guess that we found a few compromised installations. We sent the owners a notice and a few tips on how to fix the problem. They can also seek help on our community site <a href="https://help.wedos.cz/" target="_blank" rel="noopener">help.wedos.cz</a>.</p>

<p>One more interesting detail. We found installations where the backdoor was hidden in the directories of well-known caching plugins. That is fairly clever, because these directories are sometimes skipped during scans due to the sheer number of files they contain.</p>

<h3>Conclusion</h3>
<p>We have DDoS protection and IPS/IDS protection, we monitor traffic in detail, we follow current security threats and we even actively search for dangers on customers' websites. We used to do this mainly for our customers' comfort and to learn something new with the technologies we have available. We have now reached a point where all these expensive technologies have actually started to pay off.</p>

<p>Customers are happier, the load on customer support has fallen, technicians can devote themselves to development, there is less administration related to compromised sites (especially legal) and operating costs have dropped. After all, we filter more than half of the traffic, most of which was aimed at uncached pages and put a significant load on the servers.</p>

<p>Further investment in security (hardware, software, development, training) is therefore not a problem for us. Quite the opposite. The only thing we lack is people 🙂</p>

<p>We have enough data to be able to detect new attacks as well. Hidden in it are zero-day attacks that are often only discovered months later. If we could find them and report them to the developers, it could save a great many websites. We just lack colleagues on the security team who would dig through hundreds of gigabytes of logs day and night.</p>