jimbob

Forum Replies Created

Viewing 11 posts - 1 through 11 (of 11 total)
  • #51773
     jimbob 
    Participant

    Off the top of my head here’s a couple of things you need to look at for forensic exam post-compromise on a web server. No doubt there’s some repetition of what’s been said but here goes.

    • Logs – check the access logs for the web server for attack strings, access to admin pages and anything else that looks anomalous e.g. access to backdoor files.
    • Web root – what files have changed? Check the MAC times for new files and those that have been modified. Are there any new files that look suspicious, e.g. .htaccess files, new PHP or JavaScript files? Use the content for malicious code inserts to try and find the bad files, but beware of obfuscation.
    • Server config – is there any new configuration added? Check for things like malicious Apache modules.
    • Database – most web applications have some kind of backing store or database. Are there new accounts added? Is there anything else in there that could provide persistent access?

    Your aim ought to be to determine how the compromise occurred, what was carried out after the attack and remedy the situation. Remember to use Google since the attack is probably not unique to you. What web software are you using? Popular packages such as WordPress and Joomla are often the target for automated and effective attacks.

    Regards,
    Jim
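    The access-log step of the checklist above, as an added example that is not part of the original post: a small triage script that parses Apache combined-format lines and flags the indicators the post names (attack strings, admin page access, script files in upload directories). The log lines and the indicator lists are constructed for illustration; a real examination would extend them for the application in question.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines (not from any real server) covering the
# cases the post lists: admin page access, attack strings, a script in an upload dir.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2012:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2012:13:56:01 +0000] "GET /index.php?id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 0 "-" "sqlmap/1.0"
198.51.100.7 - - [10/Oct/2012:13:57:12 +0000] "GET /images/../../../../etc/passwd HTTP/1.1" 404 210 "-" "curl/7.20"
198.51.100.7 - - [10/Oct/2012:14:02:33 +0000] "POST /uploads/cache.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2012:14:03:00 +0000] "GET /about.html HTTP/1.1" 200 890 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Hypothetical indicator lists; a real triage would extend these per application.
ATTACK_RE = re.compile(r"(union\s+select|\.\./|<script|\x00|/etc/passwd)", re.I)
ADMIN_RE = re.compile(r"(wp-login\.php|/wp-admin|/administrator/|/admin/)", re.I)
SCRIPT_IN_UPLOAD_RE = re.compile(r"^/(uploads|images|cache|tmp)/.*\.(php|phtml|jsp|asp)$", re.I)

def triage(log_text):
    """Return (findings, hits_per_ip); each finding is (ip, category, decoded path)."""
    findings, hits_per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format; worth a separate look on a real box
        path = unquote(m["path"])  # decode %27 etc. before pattern matching
        categories = []
        if ATTACK_RE.search(path):
            categories.append("attack-string")
        if ADMIN_RE.search(path):
            categories.append("admin-page")
        if SCRIPT_IN_UPLOAD_RE.search(path.split("?", 1)[0]):
            categories.append("script-in-upload-dir")
        if "sqlmap" in m["ua"].lower():
            categories.append("scanner-user-agent")
        for category in categories:
            findings.append((m["ip"], category, path))
            hits_per_ip[m["ip"]] += 1
    return findings, hits_per_ip

if __name__ == "__main__":
    found, per_ip = triage(SAMPLE_LOG)
    for ip, category, path in found:
        print(f"{ip:<14} {category:<22} {path}")
    print("hits per source IP:", dict(per_ip))
```

    Sorting the hit counts per source IP gives a starting point for the timeline: the noisiest source and its first request are usually where the "how did this happen" question gets answered.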

  • #51051
     jimbob 
    Participant

    Welcome to ethicalhacker.net. You’ll find a lot of like-minded people here and a lot of answers to the same question you are asking. Start by searching the forums; you’ll find that most people suggest one or more of the following:

    • Learn all you can about computers
    • Learn to program
    • Read, read, read.

    There are a lot of good resources out there. There are blogs to read, videos to watch (try http://www.securitytube.net) and podcasts to listen to. Ask questions, learn and listen. Above all keep it safe and legal.

    Regards,
    Jimbob

  • #51069
     jimbob 
    Participant

    That’s an interesting take on things. Yes, people do have a habit of storing interesting info like passwords in plaintext files. While they are not exactly keyloggers it’s basically a different means to the same end. Trawling home directories is a great way to start privilege escalation and jumping to other systems and services.

    Regards,
    Jim

  • #50963
     jimbob 
    Participant

    @tturner wrote:

    There’s a big difference between collecting and alerting

    Agreed. The big issue is what to expose via alerts, dashboards etc. and what to keep. If capacity is not an issue keep everything. By all means trim down on noisy alerts that add no value but let the value of this filter down. Frequently you don’t know what you need until after the fact and finding out you have deleted something useful could be embarrassing.

    Again, look at the junk as useful as a metric. What is the number of alerts following a tuning exercise versus untuned? This is a quantifiable metric to show improvement.

    Regards,
    Jimbob

  • #50960
     jimbob 
    Participant

    Hi,
    I would approach this from a different angle. Storage is comparatively inexpensive so trying to justify reducing a retention period on this basis may be hard. It may be easy to counter your argument with "space is cheap, we will keep everything forever".

    What is your reason for wanting to reduce the retention period? I assume you mean to get rid of some useless (not usefull [sic]) IDS alerts. Tuning is an important part of managing any IDS solution so time would be well spent reducing noise and false positives. That does not mean you have to reduce the time you keep the alerts for. You could certainly sell the need for a clean up based on the effectiveness of the system and reduced overhead on those reading the logs.

    Regards,
    Jim

  • #50480
     jimbob 
    Participant

    There are good people in law enforcement who are capable of conducting an investigation of this sort. What’s more they have powers to gather ISP logs and other information with a warrant to discover the identity of the culprit.

    This is a sad tale but taking upon yourself (or expecting it from another) to investigate this type of incident may be counter-productive and potentially harmful. If evidence is tampered with e.g. unauthorised access to a mail account then the proper judicial process can be put at risk. Legal questions such as what laws have been broken arise and there’s often not a good, tested answer at this time.

    I share your feelings but this is not a road I suggest we go down. The only exception to this would be in the case of investigative journalism or a privately contracted investigator. Both should be aware of the law and how to conduct an investigation with a view to handing it over to law enforcement if need be.

  • #50864
     jimbob 
    Participant

    @matthias2012 wrote:

    Do you know/remember what happens if you place .LOG(CR/LF) in the first line of a txt-file and open it with notepad.exe?

    I’ve never come across that one before, nice.

    Books date at different speeds depending on the technology and the quality of the writing. Some older books like The Art of UNIX Programming are well worth reading despite their age. Java in a Nutshell for JDK 1.3 should probably remain on the shelf. You might want to check the reviews on Amazon or ask around on the forum if you want to know about a specific title.

    Regards
    Jimbob

  • #50970
     jimbob 
    Participant

    It never fails to amaze me how people still put passwords on sticky notes. I would expect the armed forces to know better.

    Jim

  • #50820
     jimbob 
    Participant

    @artistic wrote:

    The privileges of law enforcement authorities – are they over privileged or not and why? Can you please share your opinion and explain.

    I think the powers given to law enforcement are massively disproportionate. Large motorcycles, advanced pistol weapons and the role of judge, jury and execution in one does not allow for proper judicial oversight. I’ll give a fuller explanation once I get back from seeing Dredd in the cinema later.

  • #50872
     jimbob 
    Participant

    @digitalvampire wrote:

    This is what they suggested as the correct statement:

    SELECT * FROM admins WHERE user = '' OR 1=1 OR '1'='1' AND pass = ''

    Why are the two true conditions in there.. not sure why that fixes it?

    What they may have meant was something like this:

    SELECT * FROM admins WHERE user = '' OR 1=1 AND pass = '' OR 1=1

    The two true statements together in their example would not change the outcome of the query. What would do it would be manipulating both the user and pass parts of the query to always be true.

    What you might also try if you know a valid username is to manipulate only the password field.

    SELECT * FROM admins WHERE user = 'admin' AND pass = '' OR 1=1

    You would typically do this by terminating the SQL query in your injected string with a semicolon, e.g. by entering "' or 1 = 1' ;--" in the password box.

    Good luck!
    Jimbob
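    To make the query discussed above concrete, here is an added example that is not part of the original thread: the same admins lookup built by string concatenation (which is what lets the password field rewrite the WHERE clause) beside the parameterised form that a web application should use instead. It uses an in-memory SQLite table with a constructed account and a simplified `' OR 1=1 --` payload rather than the exact string from the post.

```python
import sqlite3

def make_db():
    """In-memory admins table with one constructed account (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (user TEXT, pass TEXT)")
    conn.execute("INSERT INTO admins VALUES ('admin', 'correct-horse')")
    return conn

def login_vulnerable(conn, user, password):
    """Builds the WHERE clause by concatenation, as in the query the thread discusses.
    Input becomes SQL syntax, so pass = '' OR 1=1 --' makes the WHERE always true."""
    sql = f"SELECT * FROM admins WHERE user = '{user}' AND pass = '{password}'"
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, user, password):
    """Same query with bound parameters: the driver treats input only as a value."""
    sql = "SELECT * FROM admins WHERE user = ? AND pass = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None

def demo():
    """Compare both forms on a valid password, a wrong one and the injected string."""
    conn = make_db()
    injected = "' OR 1=1 --"  # constructed payload; '--' comments out the trailing quote
    return {
        "vuln_good": login_vulnerable(conn, "admin", "correct-horse"),
        "vuln_bad": login_vulnerable(conn, "admin", "wrong"),
        "vuln_injected": login_vulnerable(conn, "admin", injected),
        "param_injected": login_parameterized(conn, "admin", injected),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<15} login succeeded: {result}")
```

    The parameterised version is the fix to sell: the database never sees the payload as part of the statement, so no precedence trick between OR and AND can make the clause true.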

  • #47591
     jimbob 
    Participant

    Don’t forget to think out a deeper solution. If you can get file upload on the server you can upload arbitrary binaries and ASP content to achieve this. Don’t think of pen testing as, “I have one exposed service, is there a remote exploit?” Can you find SQLi and execute code that way?

    Regards,
    Jimbob


Copyright ©2019 Caendra, Inc.
