Case Studies

Non-stop hacking of the JU website stopped by ISOAH
Anti-hacking real-life case study

Case study: Network, Server & Data Center Security audit (VAPT)

What happened:

In 2014, amidst a massive student agitation and rally, the website of the renowned university was hacked and the incident became a media sensation. The hackers had put up an 'I am sorry' message at the VC's desk button. The officials denied having posted it and stated that the website had been hacked. The incident was covered by all leading media houses, in print and digital format.

In the face of mass protest and reputation loss, the University asked ISOAH to help thwart the continuous attacks on the website, which were making a mockery of the premier institution.

ISOAH Challenge:

Working under full media attention and a relentless attack on the website, with hackers posting fresh derogatory messages every day and the site unable to be taken down even for a moment, was a challenge for the ISOEH team. After taking stock of the situation and promising the Vice Chancellor of the University that the site would not be hacked from the following day, the team implemented the following:

  1. The web-application server was migrated from RedHat 6.0 to Ubuntu 14.10 in order to receive more regular updates and maintain an up-to-date kernel.
  2. PHP hardening was performed on the LAMP stack, with Apache and PHP configured as follows to prevent unauthorized changes:
    1. PHP errors were suppressed and no details of them were shown to clients.
    2. All extraneous PHP functions were blocked and disabled, preventing the activity of web shells.
    3. All web-server files located in /var/www/html were owned by 'www-admin', so that they cannot be read or modified by shells.
    4. The web-server file permissions were changed to 500, to prevent modification by unauthorized users.
  3. A web-application firewall was also installed and configured by ISOEH: a customized version of ModSecurity with the OWASP ruleset.
  4. Certain functionalities of the web application were disabled by commenting out the code, or blocked by the strict rules of the firewall, in order to prevent hacking. This had to be maintained until the source code was completely patched, to avoid any chance of a hack.
  5. The SSH server port was changed to a non-standard one, so that the service could not be discovered and brute-forced externally.
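The following script is an added example, not ISOAH's own tooling, showing how steps 2 and 5 above can be applied and then audited: it rewrites the php.ini settings that hide error details and disable the functions a web shell needs to run commands, checks that no file under the web root is group- or world-writable (mode 500 satisfies this), and checks that sshd listens on a port other than 22. The file paths, the list of disabled functions and the sample config contents are assumptions; the list should be tuned to what the application legitimately needs. One caveat on step 2.3 and 2.4: with mode 500 the files are readable only by their owner, so the web server process must run as that owner (or the mode must grant group read), and a non-standard SSH port hides the service from casual scans but is not a substitute for key-based authentication.

```shell
#!/bin/sh
# Added example, not ISOAH's own script: applies the php.ini hardening the
# case study lists (errors suppressed, shell-spawning functions disabled) to
# a copy of php.ini, then audits php.ini, web-root permissions and the SSH
# port. Paths, the function list and the sample config contents are assumptions.

# Functions commonly abused by PHP web shells to run OS commands (assumed list;
# tune it to what the application legitimately needs).
DISABLED_FUNCS="exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec"

# set_ini_key FILE KEY VALUE: rewrite an active "KEY = ..." line, or append one.
# Commented-out defaults (";KEY = ...") are left alone.
set_ini_key() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_ini_key FILE KEY: print the last active value of KEY (empty if unset).
get_ini_key() {
    grep "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# harden_php_ini FILE: hide error details from clients and disable the
# functions a web shell needs to execute commands.
harden_php_ini() {
    set_ini_key "$1" display_errors Off
    set_ini_key "$1" display_startup_errors Off
    set_ini_key "$1" log_errors On            # keep errors in the log for defenders
    set_ini_key "$1" expose_php Off
    set_ini_key "$1" allow_url_include Off
    set_ini_key "$1" disable_functions "$DISABLED_FUNCS"
}

# audit_php_ini FILE: exit 0 only if every hardening setting is in place.
audit_php_ini() {
    f=$1; rc=0
    [ "$(get_ini_key "$f" display_errors)" = "Off" ] || { echo "display_errors is not Off"; rc=1; }
    [ "$(get_ini_key "$f" expose_php)" = "Off" ] || { echo "expose_php is not Off"; rc=1; }
    for fn in exec system shell_exec passthru; do
        case ",$(get_ini_key "$f" disable_functions)," in
            *",$fn,"*) ;;
            *) echo "disable_functions does not list $fn"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_webroot_perms DIR: exit 0 if no regular file under DIR is writable by
# group or others (mode 500 satisfies this). With mode 500 the files are
# readable only by their owner, so the web server must run as that user.
audit_webroot_perms() {
    [ -z "$(find "$1" -type f \( -perm -g=w -o -perm -o=w \) -print | head -n 1)" ]
}

# audit_sshd_port FILE: exit 0 if sshd_config sets a Port other than 22.
audit_sshd_port() {
    port=$(grep -i "^[[:space:]]*Port[[:space:]]" "$1" | tail -n 1 | awk '{print $2}')
    [ -n "$port" ] && [ "$port" != "22" ]
}

# make_sample_ini FILE: constructed php.ini with typical insecure defaults.
make_sample_ini() {
    cat > "$1" <<'EOF'
[PHP]
;display_errors = Off
display_errors = On
expose_php = On
disable_functions =
EOF
}

# demo: run the audits before and after hardening on constructed inputs.
demo() {
    work=$(mktemp -d)
    make_sample_ini "$work/php.ini"
    audit_php_ini "$work/php.ini" >/dev/null && return 1   # stock config must fail
    harden_php_ini "$work/php.ini"
    audit_php_ini "$work/php.ini" || return 1              # hardened config must pass
    mkdir -p "$work/html" && printf '<?php\n' > "$work/html/index.php"
    chmod 666 "$work/html/index.php"
    audit_webroot_perms "$work/html" && return 1           # world-writable must fail
    chmod 500 "$work/html/index.php"
    audit_webroot_perms "$work/html" || return 1
    printf 'Port 22\n' > "$work/sshd_config"
    audit_sshd_port "$work/sshd_config" && return 1        # default port must fail
    printf 'Port 2222\nPermitRootLogin no\n' > "$work/sshd_config"
    audit_sshd_port "$work/sshd_config" || return 1
    rm -rf "$work"
}

demo && echo "hardening audit passed"
```

The audit functions are deliberately separate from the hardening function so that they can be run on their own from a cron job or a configuration-management check, which is the "periodic audit" the closing section of the case study argues for.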

Impact:

The relentless attacks stopped within a day of our taking over, while our team analyzed the code (approx. 2000 pages) and helped the JU technical team understand the security gaps in the code and its plugins. The media attention stopped, with no further hacking of the website.

What could have been done: JU had been using a vulnerable website hosted on vulnerable infrastructure for many years. Hackers had infiltrated the system and were waiting for the right time to use the back door. The website was used for student recruitment, circulars, faculty login, student login, the project portal and exam-related activities. All of this information was compromised and downloaded to the hackers' server, the database was modified, and so on.

If JU had opted for periodic audits (WAPT, NPT) of the website and hosting infrastructure, the active persistent threat could have been detected much earlier. Not only could confidential data have been protected, but the institution's reputation could have been saved.

We recommend that every company opt for ISO/IEC 27001:2022 certification, which gives end-to-end assurance of their information security.

Have any query?

Feel free to contact us at