cPanel WHM’s cpHulk system manages iptables blocks against IP addresses that fail to authenticate repeatedly. While the settings are fairly lenient and shouldn’t result in legitimate users being blacklisted, occasionally it can happen. The following command will reset the blocklist completely. While this is akin to using a shotgun when a scalpel is required, the blocks are time based and any malicious addresses would get quickly re-blocked.
iptables -F cphulk && mysql -e "Delete from cphulkd.login_track;"
There is a method to remove specific addresses, but I do not have the commands handy at present, and if I remember correctly it entails connecting to the mysql console, running a query to find the IP in the block table and issuing a drop query.
A few handy commands to cut to the chase and find the crap spammers/skiddies have added to a WP install:
Find files containing text recursively:
grep -ri "string to search" .
A good use of this is to search for the string below. It can return false positives, but it finds a function commonly used to obfuscate code:
grep -ri "base64_decode" .
Diff two installations. If you have a clean copy of WP, you can compare it to a compromised version to find the differences. Here I am excluding the error_log file, and sending the output to diff.txt for review:
diff --exclude "*error_log*" -r /path/to/wp /path/to/other/wp > diff.txt
Find PHP files (and other file types that should not be present) in the uploads directory. This is typically one of the first places things are placed:
find /wp-content/uploads -name "*.php" -type f
Grep the DB. Sometimes malware is hidden in the database. Considering that a WordPress database is tiny in the grand scheme of things, a simple way to quickly review it is to use mysqldump, phpMyAdmin or whatever tool you like to export the entire database to SQL. Then you can review the contents easily. Be on the lookout for base64 encoded strings; they are a good giveaway.
Find recently modified PHP files:
find . -name \*.php -mtime -2
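The checks above combined into one helper, as an added example that is not from the original post: it builds a constructed sample install (the file names, contents and the dump.sql path are assumptions) and then runs the uploads, base64_decode, mtime and database-dump searches against it.

```shell
# Builds a constructed sample install under "$1" (illustrative files only).
make_sample_site() {
    site="$1"
    mkdir -p "$site/wp-content/uploads/2014/12" "$site/wp-includes"
    # Legitimate core file, backdated so the mtime check skips it.
    printf '<?php echo "core";\n' > "$site/wp-includes/clean.php"
    touch -t 201412010000 "$site/wp-includes/clean.php"
    # PHP file where only media belongs, calling the obfuscation function above.
    printf '<?php $s = base64_decode("aGVsbG8="); echo $s;\n' \
        > "$site/wp-content/uploads/2014/12/img.php"
    # Constructed SQL dump with a long base64 run (filler) hidden in wp_options.
    printf "INSERT INTO wp_options VALUES (99,'widget_text','%s','yes');\n" \
        "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVpBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWg==" \
        > "$site/dump.sql"
}

# Runs the four checks against an install root and prints tagged findings.
wp_triage() {
    root="$1"
    # 1. Executable code in the uploads tree.
    find "$root/wp-content/uploads" -type f -name '*.php' | sed 's/^/uploads-php: /'
    # 2. PHP files calling base64_decode (expect some false positives in core).
    find "$root" -type f -name '*.php' -exec grep -l 'base64_decode' {} + | sed 's/^/b64-call: /'
    # 3. PHP files modified in the last two days.
    find "$root" -type f -name '*.php' -mtime -2 | sed 's/^/recent: /'
    # 4. Long base64-looking runs in the exported database.
    grep -Eo '[A-Za-z0-9+/]{40,}={0,2}' "$root/dump.sql" | sed 's/^/b64-blob: /'
}

# Stand-alone demo: build the sample, scan it, clean up.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir"
wp_triage "$demo_dir"
rm -rf "$demo_dir"
```

Point wp_triage at a real install root and drop the dump.sql line, or export the database first with mysqldump so the fourth check has something to read.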
In the wake of the recent SoakSoak WordPress vulnerability, among others, I have begun searching for a better way to keep tabs on malicious code that may get uploaded to clients' hosting accounts.
Maldet uses a constantly updated database of malware hashes to identify and quarantine (if required) malicious files. Maldet can be set to run automatically via cron, watch newly updated files, and more.
This document aims to describe common OAuth/Single Sign-On/OpenID-related vulnerabilities. Many cross-site interactions are vulnerable to different kinds of leaks and hijacking.
Both hackers and developers can benefit from reading it.
As every target of a serious security breach will quickly note in their press releases and websites: security is very important to them and they take it very seriously. Taking this sentiment to heart before you learn it the hard way is recommended. Survive the Deep End: PHP Security covers most of the major concepts that should be considered when writing secure PHP web applications.
Despite this, security is also very much an afterthought. Concerns such as having a working application which meets the needs of users within an acceptable budget and timeframe often take precedence over security concerns. It’s an understandable set of priorities, however we can’t ignore security forever and it’s often far better to keep it upfront in your mind when building applications so that we can include security defenses during development while change is cheap.
The afterthought nature of security is largely a product of programmer culture. Some programmers will start to sweat at the very idea of a security vulnerability, while others can quite literally argue the definition of a security vulnerability to the point where they can confidently state it is not a security vulnerability. In between may be programmers who do a lot of shoulder shrugging since nothing has gone completely sideways on them before. It's a weird world out there.
I was doing some webapp security audits and needed to use hashcat to attack a few hashes. Definitely a must have when dealing with hashes of any kind.
- World's fastest password cracker
- World's first and only GPGPU based rule engine
- Multi-GPU (up to 128 gpus)
- Multi-Hash (up to 15 million hashes)
- Multi-OS (Linux & Windows native binaries)
- Multi-Platform (OpenCL & CUDA support)
- Multi-Algo (see below)
- Low resource utilization, you can still watch movies or play games while cracking
- Focuses on highly iterated modern hashes
- Focuses on dictionary based attacks
- Supports distributed cracking
- Supports pause / resume while cracking
- Supports sessions
- Supports restore
- Supports reading words from file
- Supports reading words from stdin
- Supports hex-salt
- Supports hex-charset
- Built-in benchmarking system
- Integrated thermal watchdog
- 80+ Algorithms implemented with performance in mind
The other day, I decided to bring my old "Skynet" device back online. The master came right online, but the drone was having some problems. I worked it out, and it's all working correctly now. w00t. Just waiting on my N-Female to RP-TNC connector and I will be ready to rock with the Yagi.
Also, I noticed that Kismet-Newcore is out, which has a lot of nice features. There is also a plugin available called "Lorcon" that allows Kismet to inject and sniff 802.11 frames. Sweet! I will compile both on the router when I get time…
DBAN is a means of ensuring due diligence in computer recycling, a way of preventing identity theft if you want to sell a computer, and a good way to totally clean a Microsoft Windows installation of viruses and spyware. DBAN prevents or thoroughly hinders all known techniques of hard disk forensic analysis.
Well I finally got the VPN tunnel up for my iPhone.
First I tried IPSec, but it would not connect, and judging from the Firewall’s log output, I’m guessing the IPSec client only works with Cisco units.
Next, I tried L2TP, which I thought would work like a snap since the Sonicwall I’m using has a L2TP server built in. Unlucky for me, it turns out that Sonicwall’s built in L2TP server sucks and is only there for Windows clients.
Finally, I turned to PPTP. This was pretty easy to get working since my WLAN router has a PPTP server built in and just needed some quick configuration to get working. After that, I forwarded port 1723 (TCP-PPTP) to the LAN IP of the WLAN Router/PPTP Server. Now, I am able to connect my VPN tunnel and transmit all data encrypted to my network, where it is then routed out to its final destination. Excellent!
I will do some packet captures later on to verify the traffic is truly passing thru my network.
Well, the time has come and I have been looking for a new project. I think implementing WPA2 Enterprise complete with a RADIUS backend would be fun, not to mention help secure the home network further (currently using WPA2/TKIP).
I’m not sure if I am going to ditch my Tomato firmware on the WRT54G v3 for openWRT or what. I need to see what kind of requirements the freeradius server has.
Some links I've found so far:
Using RADIUS for WLAN Authentication
Dumping out an image of the current memory set for further analysis seems to be a much better approach to finding hidden processes, open ports, etc.
http://sansforensics.wordpress.com/2008/11/19/memory-forensic-analysis-finding-hidden-processes/ is a good article on it.
In a nutshell, www.mandiant.com/software/memoryze.htm provides a suite of tools. Once the image gets dumped, you can analyze it with analyze.bat, which will generate an XML file that you can import into Excel for analysis.
After working pretty late last night I finally got all the pieces working for my wardriving setup. I posted about my original idea here, and these are the results of my labor. The premise of this is to avoid having to use a laptop to scan for APs.
Now on to the hardware setup…
- Linksys NSLU2 – Reflashed to OpenWrt/jffs. This unit has two USB ports; one is used for storage on a memory stick and the other is used for my BU-353 GPS receiver.
- Linksys WRT54GS – Reflashed to OpenWrt/jffs.
The WRT54GS runs the kismet drone and a little script to enable the AP to continuously hop channels searching for AP traffic. All the data is passed to the kismet server on the NSLU2 for processing and/or display.
The NSLU2 is the central piece of the system. It runs the kismet server, which receives data from the WRT drone, generates GPS positioning data for the APs, and logs it all to the memory stick. This allows me to easily retrieve the memory stick, read the logs in on a PC, analyze the TCP dumps, and feed the data into GPSDrive for AP waypoint mapping.
Now I just need to find my power inverter and my rig will be complete!
I just got a Globalsat BU-353 GPS Receiver in the mail. Pretty sweet so far, and the plan is to use kismet to create waypoints for gpsdrive to read in later to map out APs. My brainstorm:
- WRT54GS Running OpenWRT
This will handle the scanning, sending its results via ethernet
- Linksys USB NAS (has an ethernet port and 2 USB ports). Running OpenWRT
This will handle writing the kismet data to an external HD as well as providing GPS data
I believe I should be able to attach an ext3 USB drive to the NAS so it can write directly to the disk. Then the WRT router, running as a kismet drone, sends the scan data back to the NAS, where it is written to the external drive. The NAS would also be running GPSd with my Globalsat GPS attached. Both devices connect directly together via ethernet. The kismet drone will be configured to read the GPS data coming from the NAS on the GPSd port. As long as I can natively write to the attached USB drive on the NAS, I don't see anything that should be an issue in pulling this off.
I was researching installing a USB port or an SD slot and came up with these interesting links, which I will include just for the heck of it.
Whew I almost forgot how much cool stuff is in Sparkfun’s website.
“Hackers and malicious insiders are an undeniable threat to your organization’s network. They have sophisticated tools and backdoor programs at their disposal with which to steal information, perform unlawful or unauthorized activities, and cover their tracks. Security professionals charged with protecting their organizations can become overwhelmed in developing specialty applications to combat these threats.
To help bridge this gap, Foundstone offers several unique utilities that you can add to your network security arsenal.”
Foundstone SASS tools like Hacme Casino and Hacme Bank are great learning tools.
John Strand (vimeo.com/user595761) also has some great videos on the topic.