17
Know Thy System:
Application File System Integrity
•Detect changes in important files, such as configuration files (httpd.conf) and log files
•Watch for changes in web documents: record the date/time and MD5 checksum of special files and compare them on each check
–Requires keeping reference information (dates and checksums) for every monitored file
•Keep important data out of the web root
–Database files, customer files, session files
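An added example (not from the original slides) of the reference-information approach the bullets describe: take a baseline of digests, sizes and mtimes for every file under a web root, re-scan later and report what was added, removed or modified. The web root, its files and the changes are all constructed inline; SHA-256 is used in place of the MD5 the slide mentions, since MD5 collisions make it unsuitable for integrity checking.

```python
import hashlib
import tempfile
from pathlib import Path


def file_record(path: Path) -> dict:
    # Reference information per file: SHA-256 digest plus size and mtime.
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}


def build_baseline(root: Path) -> dict:
    # Snapshot every regular file under root, keyed by POSIX-style relative path.
    return {p.relative_to(root).as_posix(): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    # The digest, not the mtime, decides "modified": a timestamp can be set back
    # by whoever edited the file, a content digest cannot.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k]["sha256"] != current[k]["sha256"])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    # Constructed web root: take a baseline, change files, re-scan and diff.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "htdocs").mkdir()
        (root / "conf" / "httpd.conf").write_text("ServerName www.example.test\n")
        (root / "htdocs" / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "htdocs" / "about.html").write_text("<p>About us</p>\n")
        baseline = build_baseline(root)  # in practice, store this off-host, read-only

        # Unexpected changes between scans: config edited, page replaced,
        # a new script in the document root, one page deleted.
        (root / "conf" / "httpd.conf").write_text("ServerName www.example.test\nAllowOverride All\n")
        (root / "htdocs" / "index.html").write_text("<h1>Defaced</h1>\n")
        (root / "htdocs" / "upload.php").write_text("<?php ?>\n")
        (root / "htdocs" / "about.html").unlink()
        return compare(baseline, build_baseline(root))
```

The baseline itself must live where the Web server process cannot write it (a separate host or read-only media), otherwise an intruder who controls the server can simply re-baseline after tampering.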
Web servers have their own root directory and own all the files and data in this directory. Putting sensitive data in the root directory puts it at risk: if a hacker gains control of the Web server process/daemon, they gain control of all data in that directory.

The best way to prevent detection is to remove the evidence.  Hackers know this and will do what they can to cover their tracks.

Keeping the log files in remote locations minimizes a hacker's ability to access them.

Make sure that special control characters are sanitized before they are passed to the log files.  The best way to do this is to scrub them before they are accepted as input.

The Web server owns and updates the log files.  Clever hackers will try to trick the Web server into altering the recorded data by throwing encoded backspace and delete characters into the URL.

Other special characters can be used to attack log files at the OS level by tricking the Web server into issuing commands that alter, remove, or otherwise damage system log files.