Name and Shame Volume 1 82.98.131.66

So I’ve decided to start some name and shame posts for “naughty” IPs that trip an IDS, turn up in my log audits etc … and who are woefully ill prepared …

Dear 82.98.131.66,

This post is for you. I’m not sure what you hope to gain by failing repeatedly to gain access to this blog (god knows I hardly have time to update it …) but doing it from a host with all your ports open is probably not the best idea in the world, so here’s some information on you.

And for anyone else reading this, I usually end up ignoring the standard user enumeration and brute force attacks (as the offender gets blacklisted very quickly); in this case however it was a targeted attempt …

Your ISP’s whois

inetnum:        82.98.128.0 - 82.98.143.255
netname:        DINA-HOSTING1
descr:          PROVIDER Local Registry
descr:          Dinahosting S.L.
country:        ES
admin-c:        RB1624-RIPE
tech-c:         EP2912-RIPE
status:         ASSIGNED PA
mnt-by:         DINAHOSTING-MNT
mnt-lower:      DINAHOSTING-MNT
mnt-routes:     DINAHOSTING-MNT
source:         RIPE # Filtered

person:         Ruben Bouso
address:        Rua das Salvadas, 41
                15705 - Santiago de Compostela
                Spain
phone:          +34900854000
fax-no:         +34981577449
e-mail:         [email protected]
nic-hdl:        RB1624-RIPE
mnt-by:         DINAHOSTING-MNT
source:         RIPE # Filtered

person:         Eladio Perez
address:        Rua das Salvadas, 41
                15705 - Santiago de Compostela
                Spain
phone:          +34 900854000
e-mail:         [email protected]
nic-hdl:        EP2912-RIPE
mnt-by:         DINAHOSTING-MNT
source:         RIPE # Filtered

% Information related to '82.98.128.0/18AS42612'

route:           82.98.128.0/18
descr:           First Dinahosting S.L. prefix
origin:          AS42612
mnt-by:          DINAHOSTING-MNT
mnt-lower:       DINAHOSTING-MNT
mnt-routes:      DINAHOSTING-MNT
source:          RIPE # Filtered

Log of you attempting to get access to FTP

Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=15007 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15008 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15009 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15010 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:45 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=15011 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=15012 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15013 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=48056 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=15014 DF PROTO=TCP SPT=58291 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48057 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48058 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=48059 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:48 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=48060 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=58 TOS=0x00 PREC=0x00 TTL=56 ID=48061 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48062 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK FIN URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=18719 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=48063 DF PROTO=TCP SPT=58293 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18720 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=52 TOS=0x00 PREC=0x00 TTL=56 ID=18721 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=69 TOS=0x00 PREC=0x00 TTL=56 ID=18722 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:51 132 kernel: IN=eth0 OUT= MAC=**:**:**:**:**:**:00:13:5f:94:18:00:08:00 SRC=82.98.131.66 DST=81.201.132.43 LEN=65 TOS=0x00 PREC=0x00 TTL=56 ID=18723 DF PROTO=TCP SPT=58295 DPT=21 WINDOW=92 RES=0x00 ACK PSH URGP=0 
Jun 12 20:02:52 132 fail2ban.actions: WARNING [vsftpd-iptables] Ban 82.98.131.66
Jun 12 20:32:53 132 fail2ban.actions: WARNING [vsftpd-iptables] Unban 82.98.131.66
...
Jun 12 20:02:46 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com  user=saiweb
Jun 12 20:02:48 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiweb rhost=hl45.dinaserver.com  user=saiweb
Jun 12 20:02:51 132 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=saiwebcouk rhost=hl45.dinaserver.com 
...

Can anyone say firewall?

21/tcp   open  ftp
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
110/tcp  open  pop3
143/tcp  open  imap
443/tcp  open  https
587/tcp  open  submission
3306/tcp open  mysql

You need to read this NOW!

Server: Apache/2.2.0 (Fedora) PHP/5.2.9 with Suhosin-Patch
Content-Length: 226
Connection: close
Content-Type: text/html; charset=iso-8859-1

Debian? seriously?

SSH-2.0-OpenSSH_5.1p1 Debian-5

MySQL seems recent at least

5.1.32-log?yV!>VvoI?^~"(D\$::QjC^C

For the moment I am assuming a compromised box; quite why you wanted to come after this blog is beyond me.

  1. 12/06/2011 - This post written and evidence sent to the ISP
  2. 12/07/2011 - The scheduled publication date for this post

Wptouch Redirection Vulnerability

In theory this: https://www.exploit-db.com/exploits/17423/ could be used to facilitate phishing.

To patch this, update to 1.9.28 and apply this patch: https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch

cd /path/to/blog/wp-content/plugins/wptouch/
wget https://raw.github.com/Oneiroi/PenTesting/master/patches/wptouch-edb17423.patch
patch < wptouch-edb17423.patch

Update: this: https://wordpress.org/news/2011/06/passwords-reset/ caused a 1.9.29 version to be rolled out.

1.9.29 is still vulnerable to this; the patch instructions above still work for 1.9.29.

Make Your Webapp Shine With Varnish Part 2 Backends

Pre-req reading: Part 1

In this part we will cover setting up a backend. A backend is your application server, whether that be Apache / nginx / IIS (IIS - Is Inherently Stupid); you are telling Varnish where it should send its requests. A very basic configuration:

backend app1 {
    .host = "127.0.0.1";
    .port = "8080";
}

For a quick start that’s really it: you tell Varnish a backend and the port to connect to it on … just make sure you use it in vcl_recv. But you’re not here for the simple quick start, are you? Let’s add the following.

  • timeout settings
  • probe settings

Timeout settings

Your timeout settings define how long Varnish should wait for a response from your backend.

backend app1 {
    .host = "127.0.0.1";
    .port = "8080";
    .connect_timeout = 0.05s;
    .first_byte_timeout = 2s;
    .between_bytes_timeout = 2s;
}
  • connect_timeout: wait 50ms for the TCP connection to be established
  • first_byte_timeout: wait 2s for the first byte of data to be sent from the backend
  • between_bytes_timeout: wait 2s if there is a pause mid data stream

Timeouts are a basic way of determining if a backend is down / misbehaving. If you have multiple backends and timeouts occur, the backend is marked as sick and the other backends will be used.

probe settings - Trust me I’m a doctor

backend app1 {
    .host = "127.0.0.1";
    .port = "8080";
    .connect_timeout = 0.05s;
    .first_byte_timeout = 2s;
    .between_bytes_timeout = 2s;
    .probe = {
        .url = "/status.html";
        .timeout = 0.05s;
        .window = 5;
        .threshold = 3;    # 60% of the last checks must have been OK for this backend to be healthy
        .interval = 2s;    # how often to run the checks
    }
}
  • url: the URL to query; this must return a 200 OK response. You could use a PHP script to return a 500 on, say, a MySQL outage
  • timeout: how long to wait for a 200 OK response from the URL
  • window: keep the result of the last 5 probes in memory
  • threshold: how many of the window total must be OK for the backend to be “healthy”
  • interval: how often to run the probe
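As an added example (not from the original post), here is how the timeout and probe settings above combine once there is more than one backend: a named probe shared by two backends, a round-robin director, and the backend selection in vcl_recv. It assumes Varnish 2.1/3.0 syntax and a second app instance listening on 127.0.0.1:8081.

```vcl
# Added example, not from the original post. Varnish 2.1/3.0 VCL assumed.
# One named probe, shared by every backend that points at it.
probe app_health {
    .url = "/status.html";      # must answer 200 OK while the app is healthy
    .expected_response = 200;   # a 500 from the status script counts as a failed probe
    .timeout = 0.05s;
    .interval = 2s;
    .window = 5;
    .threshold = 3;             # 3 of the last 5 probes must pass
}

backend app1 {
    .host = "127.0.0.1";
    .port = "8080";
    .connect_timeout = 0.05s;
    .first_byte_timeout = 2s;
    .between_bytes_timeout = 2s;
    .probe = app_health;
}

backend app2 {
    .host = "127.0.0.1";
    .port = "8081";             # assumed second app instance
    .connect_timeout = 0.05s;
    .first_byte_timeout = 2s;
    .between_bytes_timeout = 2s;
    .probe = app_health;
}

# Requests rotate across the healthy members; a member whose probe drops
# below the threshold is marked sick and skipped until it recovers.
director app round-robin {
    { .backend = app1; }
    { .backend = app2; }
}

sub vcl_recv {
    set req.backend = app;
    # If every member is sick, prefer serving stale cached objects over an
    # error page (objects need a grace period set in vcl_fetch for this).
    if (req.backend.healthy) {
        set req.grace = 30s;
    } else {
        set req.grace = 1h;
    }
}
```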

And that about wraps up this post.


Cloaking Your Web Apps - Ninja Vanish

Bad TMNT reference I know, but with a reboot coming what do you expect really?

Right so you have hidden your versions via The Hooded Apache so what now?

Well, no matter what you do, if your URLs contain .php / .asp / .cfm (frankly if you are using ColdFusion you deserve what you get … just saying …) you are disclosing what your webapp is using as its server-side language. Now to be clear, this hiding is only going to be effective if you are using a bespoke webapp, and not say Joomla / WordPress, as they are easily identifiable via other means (for another post) …

mod_rewrite

Learn this. I mean seriously: not only can it help cloak your server-side language, but you can do so using SEO URLs.

BUT be careful if you think you’re being clever by having mod_rewrite change the extension alone …

RewriteEngine On
RewriteRule (.*)\.inc$ $1.php [L]

It will be easy to enumerate the back end language this way … the first 404 that an attacker gets when enumerating your file names will reveal this rule, i.e.

“The file /asfasdgasdg.php was not found on this server” … yeh …

Change the extension entirely

Security through obscurity? You bet your ass. Just add your new extension onto your AddType declaration, because you are already avoiding the dual extension vulnerability, right?

How about .wtf

AddType application/x-httpd-php .php .phtml .wtf

Now just name your files .wtf instead of .php.

So you’re using Subversion? Good for you! You can use Subversion as part of PCI 11.5 (iirc) to enforce file integrity, assuming of course you have your Subversion deploy set up securely. Just one tiny problem …

curl -s https://domain.com/.svn/entries

10
dir
1234
http://domain.com/PROJECT/tags/1.0
http://domain.com

2011-06-15T11:47:29.153442Z
1234
joe.blogs
has-props

9733698e-0000-0000-abab-ab0000000aba
^L
config.php
file

ddde986004c962d5827ca851403f96d5
2011-05-25T08:13:14.961921Z
1234
joe.blogs

Seemingly innocent, right? Oh how wrong you are …

  1. http://domain.com: we know the version control server location, we can attack that later
  2. http:// is not an encrypted protocol, easy to sniff for if you get access to the server / company LAN
  3. joe.blogs: we have a known username we can attempt to access using dictionary / brute force / social engineering
  4. http://: the server could be vulnerable to CVE-2011-1921
  5. we know that config.php exists, we can target that later for other credentials

So assuming a worst case scenario:

  1. Webapp is compromised and we manage to deploy a remote shell
  2. Sniffing for http://, hiding silently in the background, we find a site update / commit and snag joe.blogs’ user credentials
  3. Exploiting CVE-2011-1921 we enumerate all projects on the svn server (if we even have to … joe.blogs could have access to everything anyway …)
  4. Inject backdoors into all projects, committing changes as joe.blogs
  5. Wait for code to be deployed to production …
  6. And now you have backdoors into multiple projects

You can prevent this by …

<Directory ~ "\.svn">
Order allow,deny
Deny from all
</Directory>

Or using mod_security

SecRule REQUEST_URI "\.svn" phase:1,deny

Ensure you use an ENCRYPTED protocol for your version control: https:// or svn+ssh://, for example, with Subversion.