About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Inside an Average PHP Scan

I have been talking about PHP scans for a while now. They are so common that we get them on our HoneyPoint deployments all the time, often several times per day, depending on our location.

These scans follow traditional scanner patterns in that they grind through a list of specific URLs that are known to have issues, looking for a 200 response from the server.

Here is a quick list of a recent scan against one of our HoneyPoints:

/+webvpn+/index.html: 1 Time(s)
/PMA/main.php: 1 Time(s)
/admin/database/main.php: 1 Time(s)
/admin/datenbank/main.php: 1 Time(s)
/admin/db/main.php: 1 Time(s)
/admin/main.php: 2 Time(s)
/admin/myadmin/main.php: 1 Time(s)
/admin/mysql-admin/main.php: 1 Time(s)
/admin/mysql/main.php: 1 Time(s)
/admin/mysqladmin/main.php: 1 Time(s)
/admin/pMA/main.php: 1 Time(s)
/admin/padmin/main.php: 1 Time(s)
/admin/php-my-admin/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/admin/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/admin/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/admin/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/admin/phpMyAdmin/main.php: 1 Time(s)
/admin/phpmyadmin/main.php: 1 Time(s)
/admin/phpmyadmin2/main.php: 1 Time(s)
/admin/sqladmin/main.php: 1 Time(s)
/admin/sqlweb/main.php: 1 Time(s)
/admin/sysadmin/main.php: 1 Time(s)
/admin/web/main.php: 1 Time(s)
/admin/webadmin/main.php: 1 Time(s)
/admin/webdb/main.php: 1 Time(s)
/admin/websql/main.php: 1 Time(s)
/board/index.php: 4 Time(s)
/database/main.php: 1 Time(s)
/datenbank/main.php: 1 Time(s)
/db/main.php: 1 Time(s)
/favicon.ico: 1 Time(s)
/forum/index.php: 4 Time(s)
/forums/index.php: 4 Time(s)
/myadmin/main.php: 1 Time(s)
/mysql-admin/main.php: 1 Time(s)
/mysql/main.php: 1 Time(s)
/mysqladmin/main.php: 1 Time(s)
/padmin/main.php: 1 Time(s)
/php-my-admin/main.php: 1 Time(s)
/phpMyAdmin-2.2.3/main.php: 1 Time(s)
/phpMyAdmin-2.2.6/main.php: 1 Time(s)
/phpMyAdmin-2.5.1/main.php: 1 Time(s)
/phpMyAdmin-2.5.4/main.php: 1 Time(s)
/phpMyAdmin-2.5.6/main.php: 1 Time(s)
/phpMyAdmin-2.6.0-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.0/main.php: 1 Time(s)
/phpMyAdmin-2.6.2-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-pl1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3-rc1/main.php: 1 Time(s)
/phpMyAdmin-2.6.3/main.php: 1 Time(s)
/phpMyAdmin/main.php: 1 Time(s)
/phpbb/index.php: 4 Time(s)
/phpbb2/index.php: 4 Time(s)
/phpmyadmin/main.php: 1 Time(s)
/phpmyadmin2/main.php: 1 Time(s)
/robots.txt: 15 Time(s)
/sqlweb/main.php: 1 Time(s)
/web/main.php: 1 Time(s)
/webadmin/main.php: 1 Time(s)
/webdb/main.php: 1 Time(s)
/websql/main.php: 1 Time(s)

As you can see, the scanner requests some of the pages many times, usually with subtle differences in the method or URL termination scheme. When we have faked the 200 responses for these pages, it simply catalogs the success and continues. Thus far, we have been unable to identify when/if the real human attacker returns to test and play with the finds, since there are just so many scans for these issues going on all the time. But, we continue to monitor and analyze, so hopefully soon we can identify a pattern of scans followed by verification and exploit.

Note that some/many of these scans will immediately exploit the vulnerability in PHP and use it to drop a bot-net client onto the machine. Of course, this immediately compromises the system and adds it to the scanning army. In those cases, the waiting for the return of the human attacker would not apply.

So, what does all of this mean? We wanted to give you some more insight into the wide scale PHP scans and what they look like. If you have not checked your own web site for these known vulnerabilities, it would likely be very wise to do so. It can be done quite easily by hand, using a simple Perl script or any of the publicly available web scanner tools.
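One way to look for this scan pattern in your own web server logs, and to see which probed paths your server answered with a 200 (an added example, not code from the original post; the Common Log Format layout, the five-directory threshold, and the sample lines are assumptions constructed for illustration):

```python
import re
from collections import defaultdict

# Common/Combined Log Format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Signature seen in the list above: one script name (main.php / index.php)
# requested under many different directory guesses.
PROBE_RE = re.compile(r"/(?:main|index)\.php$", re.IGNORECASE)

def find_path_scanners(lines, min_dirs=5):
    """Map each scanning client to the number of directories it guessed and
    the probe paths that answered 200 (what the scanner records as finds)."""
    dirs, hits = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-matching line
        path = m["path"].split("?", 1)[0]
        if not PROBE_RE.search(path):
            continue
        dirs[m["ip"]].add(path.rsplit("/", 1)[0])
        if m["status"] == "200":
            hits[m["ip"]].add(path)
    return {ip: {"dirs": len(d), "hits": sorted(hits[ip])}
            for ip, d in dirs.items() if len(d) >= min_dirs}

def _line(ip, path, status):
    # Constructed sample line; addresses are documentation ranges.
    return (f'{ip} - - [01/Nov/2007:10:00:00 -0400] '
            f'"GET {path} HTTP/1.0" {status} 0 "-" "-"')

SAMPLE_LOG = (
    [_line("192.0.2.10", p, "404") for p in (
        "/PMA/main.php", "/admin/db/main.php", "/admin/mysql/main.php",
        "/db/main.php", "/mysqladmin/main.php", "/webdb/main.php")]
    + [_line("192.0.2.10", "/phpmyadmin/main.php", "200"),   # a "find"
       _line("198.51.100.7", "/index.php", "200"),           # ordinary visitor
       _line("198.51.100.7", "/forum/index.php", "200")]
)

if __name__ == "__main__":
    for ip, info in find_path_scanners(SAMPLE_LOG).items():
        print(ip, info["dirs"], "directories probed; answered 200:", info["hits"])
```

Any path reported under "answered 200" is worth checking by hand, since that is the response the scanner is looking for.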

Cisco Movie!!!

I also got to work with the folks at Cisco, Trend and RSA on a movie this week! I got to shoot a quick info session about Man in the Browser (MitB) attacks and then got to do a little play acting. The trailer should be available soon here.

If you want to see the whole thing, come out to this event. I think you will dig it!

Hats off to Radigan, Flanagan and the others who hooked me up with this. It was very cool to be involved and I look forward to our big premiere! 😉

Data Visualization Tools in Security

I have been playing with a few data visualization tools and doing some on the fly firewall log analysis. Mostly just basic plots and stuff so far.

These tools make analysis a pretty cool process. I can see where it would be useful with a very large data set.

I have been reading a new book about it; stay tuned for a review. In the meantime, there are a lot of data visualization tools out there, but I have been playing with InspireData from Inspiration Software. Check them out if you want to see what I am talking about.

Have you tried using visualization tools for log analysis? If so, leave me a comment about your experiences and the tools you use.

OpenBSD Ouchie, Apple QuickTime and Solaris 10 Vulns

In a pretty rare occurrence, a remote buffer overflow in OpenBSD has been identified. The vulnerability exists in “dhcpd”, the DHCP daemon, and allows denial of service and arbitrary code execution on 4.0 – 4.2. This issue was originally published in May, but new developments have been made in refining the exploits and in details about the issue. Patches are available, and should be installed as soon as possible.

Apple updated QuickTime to fix several identified issues, including some security problems. The updates are now available, and if you use the Apple update service, you should get them applied automatically. The big problem repaired in this release is a heap overflow that can be used to seize control of machines. We mention this update because QuickTime is one of those pesky applications that seem to turn up everywhere, in many organizations. It would likely be wise to check not only workstations, but also any servers that are used in training, multi-media or presentations. QuickTime seems to be a common tool for these mechanisms.

Lastly, Solaris 10 systems have proven to be vulnerable to a new buffer overflow in the monitoring package “srsexec”. This is installed in many Solaris systems, especially those leveraging the centralized console management and administrative console applications. Attackers with local access to the Solaris system can exploit this issue to execute arbitrary code as “root”, since the binary is suid by default. Patches are already available and should be applied as soon as practical.

Book Review: Security Power Tools

Authors: Burns, Granick, Manzuik, Guersch, Killion, Beauchesne, Moret, Sobrier, Lynn, Markham, Iezzoni, Biondi

Publisher: O’Reilly

$59.99

Rating: 4 out of 5 stars (****)

If you are tired of reading some Harry Potter or some such thing, and decide to devour 780+ pages of information security how-to, this is a pretty good candidate.

The book covers everything from legal and ethical issues to pretty deep knowledge of the tools and techniques used to do infosec work. It won’t make you an expert, but it is a much friendlier manual than the included docs for a whole lot of tools.

My favorite section is chapter 10, which covers the art and science of shell code, custom exploits and some great tools for making this often tough job a whole lot easier. The diagrams and code examples in this chapter alone make the book worth the money for the reference shelf, and you would get all of the rest too!

All in all, the book is easy to read, and the examples are clear and easily understood. The graphics are clean and crisp, which makes it much simpler to follow along on your own systems. Basically, as with most O’Reilly books, the layout and design are excellent.

Check it out if you are getting tired of wizards and such. The ROI is likely higher and you might even learn a new skill or two to help you in the day. In the end, that should be the measure of a good security book – right?

A Couple of Interesting Developments

First, a couple of new tools are available specifically geared at cracking Oracle 11g password hashes. These are specifically aimed at attacking the newest features that 11g introduces to better protect the passwords. They also have some shortcuts for those folks still making the old style DES passwords available (likely for backwards compatibility with older apps or uses). Essentially, these new mechanisms are slower than old hash attacks, but are still effective. In today’s world of computational power and bot-net distributed password cracking capability, it is pretty darn safe to assume that if the attacker can get the hash – they can get the password.

Another issue that is likely to be an annoyance for some folks is that a new remote Denial of Service attack has been identified in the Ubuntu 6.06 DHCP server. While the attacker can’t really gain access to the system using it, they can replace the dead DHCP server with their own, which could include malicious entries and other annoyances. This DHCP server is popular in many cyber cafes I have visited – particularly outside of the US. Just another reminder that you have to pay attention to network connectivity. It might seem like ubiquitous wireless access is a boon, but without the capability to trust the network you use, you have little reason to trust the content you receive! Just a reminder!

Noel Brings Reminder to Review DR/BC Plans

For those folks on the east coast, Hurricane Noel should probably figure into your weekend plans. The storm is looking like a near miss for much of the eastern seaboard, but should be a strong reminder for folks to review their Disaster Recovery and Business Continuity plans for currency.

If you look in your policies folders and don’t see a DR/BC plan, now might be a good time to form a task group for making them. Given the wacky weather patterns lately, they might prove to be handy in the future. At the very least, you can rest a little easier just knowing they are there.

For those folks wondering what I am talking about, click here for more info on the storm.

If you want to do more reading on DR/BC policies, check out this Wikipedia article.

Slight Increases in SSH Probes

Our HoneyPoints have been picking up slight increases in the probes and brute force attacks against port 22 – SSH. We are seeing increases in wide scale SSH scans and attacks against common login/password combinations.

Now might be a good time for folks to take a look at their perimeter and make sure no one has poked an SSH exposure through. If you have some, they should be immediately audited for common account use. Treat any system with these issues as likely compromised and initiate an investigation.

Most of these compromised systems are used for further scanning and many have bot-net clients installed. Keep an extra eye on your logs for obvious forms of bot-net traffic, such as IRC connections, odd ports and outbound half-open TCP connections.
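One way to audit an exposed SSH host's logs for this activity, and for logins that succeeded after a run of guesses (an added example, not code from the original post; it assumes OpenSSH's standard "Failed password" / "Accepted password" syslog messages, a three-account threshold, and sample lines constructed for illustration):

```python
import re
from collections import defaultdict

# OpenSSH sshd messages as they appear in syslog / auth.log.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPT_RE = re.compile(
    r"Accepted password for (?P<user>\S+) from (?P<ip>\S+) port \d+")

def audit_ssh_log(lines, min_users=3):
    """Return (guessers, suspect_logins).
    guessers: sources that failed against at least min_users account names.
    suspect_logins: (ip, user) logins accepted from a source already guessing."""
    tried = defaultdict(set)
    failures = defaultdict(int)
    suspect_logins = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            tried[m["ip"]].add(m["user"])
            failures[m["ip"]] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m and len(tried.get(m["ip"], ())) >= min_users:
            suspect_logins.append((m["ip"], m["user"]))
    guessers = {ip: {"failures": failures[ip], "users": sorted(users)}
                for ip, users in tried.items() if len(users) >= min_users}
    return guessers, suspect_logins

# Constructed sample log; addresses are documentation ranges.
P = "Nov  1 03:10:00 gw sshd[4101]: "
SAMPLE_AUTH_LOG = [
    P + "Failed password for invalid user admin from 192.0.2.44 port 40001 ssh2",
    P + "Failed password for invalid user test from 192.0.2.44 port 40002 ssh2",
    P + "Failed password for root from 192.0.2.44 port 40003 ssh2",
    P + "Failed password for guest from 192.0.2.44 port 40004 ssh2",
    P + "Accepted password for guest from 192.0.2.44 port 40005 ssh2",
    P + "Failed password for alice from 198.51.100.20 port 51000 ssh2",  # typo
    P + "Accepted password for alice from 198.51.100.20 port 51001 ssh2",
]

if __name__ == "__main__":
    guessers, suspect = audit_ssh_log(SAMPLE_AUTH_LOG)
    print("guessing sources:", guessers)
    print("investigate these logins:", suspect)
```

An entry in the second list is the case the post says to treat as a likely compromise.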

Things You Need to Know about Bot Net Attacks

Bot nets are one of the most common forms of compromise on the Internet today. Bot networks grew out of the explosion of home and user systems and the common availability of high speed Internet connections. Basically, they are little more than systems that attackers have compromised and put under their control that use some type of mechanism to get new tasks or commands and report their results.

Mostly, bot infected computers are home systems that attackers often use for scanning other systems, sending spam or performing other illicit activities. Often, the controller of the bot systems will rent or sell the bot services to others. No matter if they use the systems themselves, or sell their services – usually the master is after one thing, MONEY.

That’s right. They make money from the illicit use of YOUR system, if it belongs to a bot network. They use your hardware and your bandwidth, and they receive the returns. Even worse, if your system were used in a serious crime, there may be criminal and civil penalties for YOU. While case law continues to grow on this, it appears there may be some capability for some victims of the bot net to come back at you for failing to adequately protect your system – which ultimately caused them damage.

So, the big question is – how do home users protect themselves from bot infections and the other issues associated with them? Primarily, they do so by following this advice:

  1. Ensure that your computer has a firewall and anti-virus at all times. Make sure the firewall is engaged and that the anti-virus software is up to date.
  2. Keep your computer current on patches. Turn on the auto-update capabilities of the operating system and make sure you patch your applications if they have available update mechanisms as well. This is a lot like safe sex in that failure to be safe even once can have long term implications on your security.
  3. Consider using a browser that is somewhat hardened or hardening your browser. There are a ton of browsers out there, and a ton of tools for hardening the common ones. Check them out and make sure your browsing tools are protecting you against attack. Don’t use default installs of IE or Firefox – configure them for higher protections, if at all possible.
  4. Consider other security tools and mechanisms. You need spyware tools and other security mechanisms if you travel. Spend some time reading about mobile security and apply what you can to your life.
  5. If in doubt, rebuild your system. THIS IS CRITICAL – there are simply some things that can be done to a computer that impact the long term security of it. If you have doubts about your system’s security – rebuild it and protect it from the start. If you know you have an infection or problem – back up your critical data and rebuild. It is much easier than most other solutions.

Take these steps and some basic vigilance and apply them to your computing experience. Bot nets will continue to be a primary threat to Internet users, but being smart about them and aware of the defenses makes you less likely to be a victim.

WatchDog Content Moving to StateOfSecurity.com

If you are a regular WatchDog product user, then you may already know this, but on November 1, 2007 MSI will move all WatchDog content to this blog and begin to phase out the WatchDog client program.

This is being done to simplify the use and access to the information and to enable users to easily leverage our threat intelligence offerings via RSS and other popular mechanisms without using our locked-in client.

The same information that WatchDog has brought to you for years will continue, but hosted here instead of through the WatchDog client. It will also be stored in the emerging threats category – thus making it easy to subscribe or filter on.

We hope you continue to benefit from our work and insights, and please, let us know how you like the WatchDog content and if we can do something better or more helpful with the data.