Why?

December 2nd, 2009 by Lars-Georg Paulsen

Whenever I talk about websites, I usually start and end with “The most important thing, when it comes to websites, is that you need to keep it updated”. Well, I guess that has a double meaning today...

Yesterday I spent quite some time updating a WordPress site. Just the normal updates, and fixing some design issues. But when I tried out the RSS2 feed, I was rather surprised. In almost every post there were huge numbers of links to movies, porn and other nonsense websites. But I couldn't see them when I browsed the site... After a bit of research I found that there were huge amounts of style="display:none", posted in all kinds of formats, using form, div, p tags...

After doing some more research, I found out that they had actually managed to put their malicious code in every post and on every page of the website. How the !”#!$%! was I going to fix this... I actually started removing it by hand... but found out quickly that this was going to take forever. Then I downloaded the SQL file to look for patterns. Maybe I could simply do a 'search & delete'. But I have to give it to them, they had been clever. There were too many combinations. As I already said, they used different types of tags, and they inserted the malicious code in random places (not exactly random, but nothing that would make a search & delete work easily).

Cruising through the website via SSH, I came across an old script I had made, and a directory with backups of the database! Doing a quick check of all modified posts/pages, I found out that most modifications had been done in the last couple of days. A week-old backup of the SQL cleared out 99% of my problem, and I got away with manually editing three pages... So I'll say it again: “Update your web page to get your visitors, and update your site code so that you don't get visited by the wrong people...” And better safe than sorry: do backups!!!!!!
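The reason a plain search & delete failed above is that the spam sat in elements of varying tag types, so no single fixed string matched it all. The following Python script is an added example, not code from the original post: instead of grepping for one string, it walks each post body as HTML and tracks whether the parser is currently inside an element whose inline style hides it, collecting every link found there regardless of the tag used. The hidden-style patterns go beyond the display:none the post mentions (visibility:hidden, zero sizes, off-screen positioning are the same trick). The three sample post bodies are constructed for the demonstration; in practice the content would come from the wp_posts table.

```python
"""Find spam links hidden with CSS in WordPress post bodies (added example).

Sample post bodies below are constructed for the demo. For a real site feed
the scanner from the database, e.g.
    SELECT ID, post_content FROM wp_posts WHERE post_status = 'publish';
"""
import re
from html.parser import HTMLParser

# Inline styles that make content invisible to a human visitor while it is
# still served to feed readers and search engines.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:font-size|height|width)\s*:\s*0(?:px|em|%)?\s*(?:;|$)"
    r"|(?:left|top|text-indent)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)

# Tags without a closing tag; they must not change the nesting depth.
VOID_TAGS = {"br", "hr", "img", "input", "meta", "link"}


class HiddenLinkFinder(HTMLParser):
    """Collect <a href> targets that sit inside an element hidden by CSS."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.depth = 0           # current element nesting depth
        self.hidden_from = None  # depth of the outermost hidden ancestor, if any
        self.hidden_links = []   # hrefs found inside hidden elements
        self.hidden_tags = []    # which tags were used to hide them

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        self.depth += 1
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        if self.hidden_from is None and HIDDEN_STYLE.search(style):
            self.hidden_from = self.depth
            self.hidden_tags.append(tag)
        if tag == "a" and self.hidden_from is not None and attrs.get("href"):
            self.hidden_links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag in VOID_TAGS:
            return
        if self.hidden_from == self.depth:   # leaving the hidden ancestor
            self.hidden_from = None
        self.depth = max(0, self.depth - 1)


def scan_posts(posts):
    """Return {post_id: {"tags": [...], "links": [...]}} for posts with hidden links."""
    findings = {}
    for post_id, content in posts.items():
        finder = HiddenLinkFinder()
        finder.feed(content)
        finder.close()
        if finder.hidden_links:
            findings[post_id] = {"tags": finder.hidden_tags, "links": finder.hidden_links}
    return findings


# Constructed sample post bodies: one clean post and two injected ones using
# different tags, casing and hiding techniques at different positions.
SAMPLE_POSTS = {
    12: 'Today I fixed the menu.<div style="display:none"><a href="http://spam.example/movies">'
        'movies</a></div> More text about the menu.',
    15: '<p>Release notes.</p><p>Nothing to see here.</p>',
    17: '<p style="DISPLAY: NONE">buy <a href="http://spam.example/pills">pills</a> and '
        '<a href="http://spam.example/adult">more</a></p>'
        '<form style="position:absolute;left:-9999px"><a href="http://spam.example/casino">casino</a></form>'
        '<p>Real content with a <a href="http://example.com/about">legit link</a>.</p>',
}

if __name__ == "__main__":
    for post_id, hit in scan_posts(SAMPLE_POSTS).items():
        print(f"post {post_id}: hidden via {hit['tags']} -> {len(hit['links'])} link(s)")
        for link in hit["links"]:
            print("   ", link)
```

The report gives you the post IDs to compare against a backup, which is what actually fixed it in the end; links inside hidden elements are the signal, while a visible link is left alone, so legitimate content is not flagged.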

OpenPGP – Generate keys, encrypt and sign it!

January 30th, 2009 by Lars-Georg Paulsen


OpenPGP is the most widely used email encryption standard in the world. It is defined by the OpenPGP Working Group of the Internet Engineering Task Force (IETF) in RFC 4880, a Proposed Standard. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991.

I've been playing around with OpenPGP lately, so before I forget I need to post a quick intro. I'm only using OpenPGP to encrypt files. It's super simple, and it can also be used to encrypt files before you send them to your friends (as long as you have their public key...).

Create keys:

$ gpg --gen-key
Please select what kind of key you want: default
What keysize do you want? (2048) 4096
Key is valid for? (0) default
Is this correct? (y/N) y

Real name: First_Name Last_name
Email address: yourname@domain.com
Comment: Some comment if you want

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Enter passphrase: password
Repeat passphrase: password

Encrypt files

$ gpg --armor --recipient Your_Name --encrypt --sign $file

This encrypts $file to the recipient's public key and signs it with your private key, producing an ASCII-armoured $file.asc that can be opened with, and only with, the recipient's private key. With yourself as recipient, that is your own key pair. The same command works with a public key you have imported from another user: the file is encrypted to their public key, so only the holder of the matching private key can open it, and your signature lets them verify that it came from you.

Decrypt files

$ gpg --decrypt $file.asc
$ gpg --output $outputfile --decrypt $file.asc

The first command decrypts and prints the content to stdout. The second decrypts and writes the content to $outputfile. If the file was also signed, gpg verifies the signature while decrypting and reports which key made it.
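The following Python script is an added example, not code from the original post. It drives the same gpg commands unattended: it generates a demo key pair in batch mode inside a throwaway GNUPGHOME so the real keyring is untouched, encrypts and signs a file the way the command above does, then decrypts it and checks gpg's machine-readable status output for GOODSIG and DECRYPTION_OKAY instead of eyeballing the terminal. It assumes GnuPG 2.1 or later on PATH (the %no-protection batch directive needs it); the user id demo@example.com, the plaintext and the 2048-bit demo key size are made up for the demonstration.

```python
"""Key generation, encrypt+sign and decrypt+verify with gpg, driven from Python.

Added example, not from the original post. Runs in a temporary GNUPGHOME so
the real keyring is never touched. Assumes GnuPG >= 2.1 on PATH; the user id,
key size and plaintext below are made up for the demonstration.
"""
import os
import shutil
import subprocess
import tempfile

PLAINTEXT = b"meet at the usual place, bring the backup drive\n"  # constructed
DEMO_EMAIL = "demo@example.com"                                    # constructed


def gpg_available():
    """True when a gpg binary is on PATH."""
    return shutil.which("gpg") is not None


def batch_params(name, email, bits=3072):
    """Parameter file for unattended `gpg --batch --gen-key`.

    %no-protection creates a key with no passphrase, acceptable only for a
    throwaway demo key; a real key gets a passphrase.
    """
    return (
        "%no-protection\n"
        "Key-Type: RSA\n"
        f"Key-Length: {bits}\n"
        "Subkey-Type: RSA\n"
        f"Subkey-Length: {bits}\n"
        f"Name-Real: {name}\n"
        f"Name-Email: {email}\n"
        "Expire-Date: 0\n"
        "%commit\n"
    )


def run_gpg(home, *args, stdin=None):
    """Run gpg non-interactively against the given GNUPGHOME; raises on failure."""
    env = dict(os.environ, GNUPGHOME=home)
    return subprocess.run(["gpg", "--batch", "--yes", "--quiet", *args],
                          input=stdin, env=env, capture_output=True, check=True)


def roundtrip(email=DEMO_EMAIL, plaintext=PLAINTEXT, bits=2048):
    """Generate a key, encrypt+sign plaintext to it, then decrypt and verify.

    Returns {"plaintext": bytes, "good_signature": bool}. bits=2048 keeps the
    demo fast; the post above picks 4096 for a real key.
    """
    home = tempfile.mkdtemp(prefix="gpgdemo-")
    os.chmod(home, 0o700)  # gpg warns about unsafe homedir permissions otherwise
    try:
        run_gpg(home, "--gen-key", stdin=batch_params("Demo User", email, bits).encode())

        infile = os.path.join(home, "secret.txt")
        cipher = infile + ".asc"
        with open(infile, "wb") as f:
            f.write(plaintext)

        # The post's command: encrypt to the recipient's public key and sign
        # with our private key, ASCII-armoured. --trust-model always skips the
        # key-validity question that --batch would otherwise turn into an error.
        run_gpg(home, "--armor", "--recipient", email, "--trust-model", "always",
                "--output", cipher, "--encrypt", "--sign", infile)

        # Decrypt to stdout; machine-readable status lines go to fd 2 so the
        # verification result can be checked rather than read off the screen.
        res = run_gpg(home, "--status-fd", "2", "--decrypt", cipher)
        status = {line.split()[1]
                  for line in res.stderr.decode(errors="replace").splitlines()
                  if line.startswith("[GNUPG:] ") and len(line.split()) > 1}
        verified = "GOODSIG" in status and "DECRYPTION_OKAY" in status
        return {"plaintext": res.stdout, "good_signature": verified}
    finally:
        try:  # gpg >= 2.1 starts an agent for this homedir; stop it before deleting
            subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                           env=dict(os.environ, GNUPGHOME=home), capture_output=True)
        except FileNotFoundError:
            pass
        shutil.rmtree(home, ignore_errors=True)


if __name__ == "__main__":
    if not gpg_available():
        raise SystemExit("gpg not found on PATH")
    result = roundtrip()
    print("decrypted:", result["plaintext"].decode().rstrip())
    print("signature verified:", result["good_signature"])
```

When scripting gpg, the status lines are what to act on: a decryption that succeeds but shows no GOODSIG (or a BADSIG) means the content is readable but its origin is unverified, and should be treated as a failure even though the plaintext came out.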

Distributed bruteforce attack towards SSH

December 18th, 2008 by Lars-Georg Paulsen


I guess everyone has heard about brute force attacks against different services. This can be anything from SSH, Telnet and FTP to web admin interfaces. Basically it is a systematic approach to trying a large number of usernames and passwords. There are two ways to do it. The first is to try every combination: you start with 0 as username and 0 as password, and then you just keep going. This will take a LONG time, but, in theory, this way you will eventually find a way in. The process is a lot easier if you already know the username; then you only need to try different passwords. But even this will take a long, long time if the password follows some security policy, e.g. a certain minimum length and a mix of letters, numbers and symbols.

The other method is a dictionary attack. There are plenty of dictionaries out there that you can use, and these attacks are very common. The attacker uses some predefined usernames, e.g. root, admin, operator etc., together with a dictionary of common passwords, and tries every combination. A lot of the time they get lucky.

The disadvantage, from the attacker's perspective, is that both methods above use only one source IP. This is easily detected and can be prevented with e.g. SSHGuard or any other program/script that watches for invalid/failed logins and bans that IP, using iptables/pf firewall rules or simply the hosts.allow file. This is where distributed brute force comes into the picture.

A distributed brute force attack spreads the attempts over many source IPs, each of which fills your log with a few invalid/failed logins. Because no single IP stands out, it is much harder to discover, especially with a slow distributed brute force attack, where each IP only makes about 1-2 attempts a day, or even fewer. Per-IP banning thresholds are never reached, so the tools from the previous paragraph do nothing against it.

I'm currently under such an attack. And for a secure server with only trusted users and strong passwords, it is only considered background noise. To identify these attacks I've restricted SSH access to only some IP ranges. This way, all other attempts are logged as refused entries.

Yesterday I finally got around to parsing only the last 24 hours from my log files, and I can now create a nice graph of the current SSH traffic towards my host.

[Graph: refused SSH connection attempts to the host over the last 24 hours]

As you can see, I've refused 195 attempts in the last 24 hours. It also looks like the attempts are dropping a bit. I have no idea why, but I'll keep tracking it and check how it progresses. Maybe they are giving up... After all, they have been going at it for over a month now...
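The following Python script is an added example, not the author's own script. It does the 24-hour log parsing described above: it picks the sshd lines out of syslog, handles the year-less syslog timestamp (including the December-to-January rollover), counts refused connects (the tcp_wrappers "refused connect from" message that hosts.allow restrictions produce) and failed passwords per source IP, and then applies the simple test that separates the campaign described in the post from a single noisy client: many source addresses with only one or two attempts each. The log lines are constructed for the demonstration, with addresses from the documentation ranges, and the reference time is fixed so the result is reproducible.

```python
"""Summarise refused/failed SSH attempts from syslog lines (added example).

The sample log below is constructed: it imitates what sshd built with
tcp_wrappers logs when hosts.allow rejects a client, plus a failed password
and one accepted key login. Addresses come from the documentation ranges.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# "Dec 18 01:20:19 web sshd[2231]: refused connect from 192.0.2.44 (192.0.2.44)"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
REFUSED_RE = re.compile(r"refused connect from (?P<ip>[\d.]+)")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")

SAMPLE_LOG = """\
Dec 16 03:10:01 web sshd[1201]: refused connect from 198.51.100.77 (198.51.100.77)
Dec 17 08:41:12 web sshd[1850]: refused connect from 203.0.113.5 (203.0.113.5)
Dec 17 11:02:55 web sshd[1903]: refused connect from 203.0.113.9 (203.0.113.9)
Dec 17 17:45:03 web sshd[2008]: refused connect from 198.51.100.23 (198.51.100.23)
Dec 17 22:13:37 web sshd[2117]: refused connect from 203.0.113.5 (203.0.113.5)
Dec 18 01:20:19 web sshd[2231]: refused connect from 192.0.2.44 (192.0.2.44)
Dec 18 04:05:50 web sshd[2290]: refused connect from 198.51.100.102 (198.51.100.102)
Dec 18 06:30:00 web sshd[2345]: Failed password for invalid user admin from 192.0.2.200 port 50122 ssh2
Dec 18 07:58:41 web sshd[2399]: Accepted publickey for lars from 192.0.2.10 port 41002 ssh2
"""

# Fixed reference time so the 24-hour window is reproducible (constructed).
NOW = datetime(2008, 12, 18, 9, 0, 0)


def parse_syslog_time(stamp, now):
    """Turn an RFC 3164 timestamp (which has no year) into a datetime.

    Assumes the current year, and rolls back one year when that would put the
    entry in the future (December lines read in early January).
    """
    ts = datetime.strptime(f"{now.year} {stamp}", "%Y %b %d %H:%M:%S")
    if ts > now + timedelta(days=1):
        ts = ts.replace(year=now.year - 1)
    return ts


def summarize(log_text, now=NOW, window=timedelta(hours=24)):
    """Count refused connects and failed passwords per source IP inside the window."""
    refused, failed = Counter(), Counter()
    cutoff = now - window
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_syslog_time(m.group("ts"), now)
        if when < cutoff or when > now:
            continue
        msg = m.group("msg")
        r = REFUSED_RE.search(msg)
        if r:
            refused[r.group("ip")] += 1
            continue
        f = FAILED_RE.search(msg)
        if f:
            failed[f.group("ip")] += 1
    return {"refused": refused, "failed": failed}


def looks_distributed(counts, min_sources=3, max_per_source=2):
    """Many sources with only a few attempts each is the shape of a slow
    distributed campaign: exactly what per-IP banning never reacts to."""
    return len(counts) >= min_sources and max(counts.values(), default=0) <= max_per_source


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"refused in last 24h: {sum(s['refused'].values())} from {len(s['refused'])} source IPs")
    for ip, n in s["refused"].most_common():
        print(f"  {ip:16} {n}")
    print(f"failed passwords: {dict(s['failed'])}")
    print("distributed pattern:", looks_distributed(s["refused"]))
```

The counts are what the graph above plots; the per-source breakdown is the extra check worth keeping, because a total of 195 from five addresses and 195 from 150 addresses call for different responses (ban the five, versus accept that banning will not help and rely on allowlisting and key-only authentication).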

For live stats -> SSH stats