Tuesday, September 12, 2006
Tuesday, August 22, 2006
Detecting PHP Backdoors
http://img388.imageshack.us/img388/5003/c9928xp.jpg <-- c99shell.php
These are the common PHP backdoors that are being use today by script kiddies. And to detect them is simple. First go to your web directory (ex. /var/www/web/) because PHP backdoors are located in web directory to be use by script kiddies later to access your system remotely. In console just type this:
[root@me web]# grep –n –r 'system(' *
Most backdoors uses a system() function to execute a command.
But sometimes if your whole system is already rooted then ‘grep’ command is useless because it is already change by another ‘grep’ binary that comes from the rootkit.
Saturday, July 01, 2006
Figure 1.1 First right click on the desktop then New->Text Document
Figure 1.2 Then right click the New Text Document then Add to archive
Figure 1.3 Then name it whatever you like. I name it winrarbug.rar.
Figure 1.4 Then click Advanced and click Set password... and put the password you like. I put "123" as my password. Then OK.
Figure 1.5 Right click the winrarbug.rar then click Extract Here.
Figure 1.6 This is my favorite part. Don't input the password you use to rar the file, instead use any password. I use "asdf" as a password here.
Figure 1.7 And that's it. The file is extracted. I tried this bug in version 3.XX. I don't know if this works in version 2.XX.
Tuesday, June 27, 2006
What is a botnet?
Figure 1.1 This is the bot configuration.
Figure 1.2 This is the exploits the bot using. Actually it's an old exploits.
Figure 1.3 This is the config for anti-virus. So that you can't update your anti-virus.
Figure 1.4 This a more advanced bot. And it's private.
From Wikipedia, the free encyclopedia
While the term "botnet" can be used to refer to any group of bots, such as IRC bots, the word is generally used to refer to a collection of compromised machines running programs, usually referred to as worms, Trojan horses, or backdoors, under a common command and control infrastructure. A botnet's originator can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 (IRC) standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet controller community.
Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, controllers must now find their own servers. Often, a botnet will include a variety of connections, ranging from dial-up, ADSL and cable, and a variety of network types, including educational, corporate, government and even military networks. Sometimes, a controller will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently, as most script kiddies do not have the knowledge to take advantage of it.
Several botnets have been found and removed from the Internet. The Dutch police found a 1.5 million node botnet and the Norwegian ISP Telenor disbanded a 10,000 node botnet. Large coordinated international efforts to shutdown botnets have also been initiated.
Botnets serve various purposes, including denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. The botnet controller community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines, like university, corporate, and even government machines.
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several controllers who consider themselves as having legitimate access, note the irony, to a group of bots. Such controllers rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships. Often conflicts will occur between the controllers as to who gets the individual rights to which machines, and what sorts of actions they may or may not permit.
Types of attacks
- Main article: Denial-of-service attack
If a machine receives a Distributed Denial of Service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS Fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from Passive OS Fingerprinting. The best solution is to use hardware (ASIC or FPGA) based Rate Based intrusion prevention system. A solution that can act within seconds like a split second circuit breaker is your best bet as an automated solution.
Botnets typically use free DNS hosting services such as DynDns.org, No-IP.com, & Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points, often hard-coded into the botnet executable. Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community refer to such efforts as "nullrouting", because the DNS hosting services usually direct the offending subdomains to an inaccessible IP address.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse, at least until the controller(s) decides on a new hosting space. However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to much harm.
Thursday, June 22, 2006
What is phishing?
- Don't reply to e-mails, or click on links in the body of the e-mail, which asks for your personal or financial information.
- Never send an e-mail which contains your personal or financial information.
- Review credit card and bank statements as soon as they arrive.
- Use anti-virus software and keep it up to date.
- Don't open or download e-mail attachements unless you are sure they are free of viruses and trojans, and they are from a trusted source.
- Report suspected phsishing attacks to both the apparent source (i.e the bank or merchant who the e-mail claimed to be from) and the FTC.
Figure 1.1 This is the real ebay page but the source code is modified for phising.
Figure 1.2 Issuing the command "finger jane" in Unix you can see where the attacker's ip last login.
Figure 1.3 The command "more .bash_history" shows what the attacker's is doing in your box.
Figure 1.4 The directory of the files the attacker is using for phising.
Figure 1.5 The actual files for phising.
Figure 1.6 The source code inside flee.php
Those pictures was sent to me last year by my friend. So be careful to visit untrusted sites!
Tuesday, June 20, 2006
Man on the middle attack (mitm)
What is man in the middle attack?
A man-in-the-middle (MiM) attack is a clever way to circumvent
encryption. The attacker sits between the two communicating
parties, with each party believing they are communicating with
the other party, but both are communicating with the attacker.
When an encrypted connection between the two parties is established,
a secret key is generated and transmitted using an asymmetric cipher.
Usually, this key is used to encrypt further communication between
the two parties. Because the key is securely transmitted and the
subsequent traffic is secured by the key, all of this traffic is
unreadable by any would-be attacker sniffing these packets.
However, in a man-in-the-middle attack, party A believes that she
is communicating with B, and party B believes he is communicating
with A, but in reality, both are communicating with the attacker.
So when A negotiates an encrypted connection with B, A is actually
opening an encrypted connection with the attacker, which means the
attacker securely communicates with an asymmetric cipher and learns
the secret key. Then the attacker just needs to open another encrypted
connection with B, and B will believe that it is communicating with A.
Yesterday, my friend who has a simple knowledge in computers
sends me a picture. First look at it and I’m amazed. Because,
the picture is all about the MITM (man in the middle) attack
example. As you can see in the picture the username and password
is blackend for security purposes. My friend said that it’s a
SMART wi-fi connection because he is in his house. And not only
https usernames and passwords will be sniffed but also including
the FTP, IMAP, POP3, SMB, TELNET, VNC, TDS, SMTP, NNTP, MSKerb5-PreAuth,
Radius-Keys, Radius-Users, ICQ, IKE-PSK, MySQL, SNMP, and SIP. If
that is true then all SMART wi-fi subscribers are in great danger
here. Just imagine if everyone knows how to use a man in the middle
attack in SMART wi-fi connections. It would be a disaster!
Anyone knows how to combat this attack?