2013 && history -c

2013, and the first post;

It's been a long time since I properly updated posts, blogged, etc. It seems this blog hasn't really been in "sleep" mode, since a lot of automated scripts/attacks are aimed here. I don't know why people are targeting it, but it is also good practice for me to learn a few of the tricks and exploits available out there. The picture below shows the uploadify.php file being targeted in scanning/exploit activity:

Some G00gling gives more info:

http://itpixie.com/2012/06/wordpress-exploit-alert-uploadify-php/#.UP9-G_Id7xQ

Uploadify™ is a jQuery plugin that allows you to easily add multiple file upload functionality to your website. It is used in a lot of WordPress themes and plugins to allow users to upload files onto the website server.

Yes, it's an old exploit, and lots of plugins and themes are using it. But I believe there are lots of other WordPress sites still vulnerable to this kind of threat.
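As an added example (not from the original post), here are the two checks I would run on a WordPress host after seeing this kind of traffic: find every copy of uploadify.php that a theme or plugin shipped, and pull the requests to it out of the access log to see who is probing it and whether any POST got a 200 back. The log lines are constructed for the example, the theme/plugin directory names are placeholders, and /var/www as the web root is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
#  1. find every uploadify.php a theme or plugin shipped under the web root
#  2. extract the requests to it from a combined-format access log and
#     summarise them per client / method / path / status

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
# Theme and plugin names are placeholders.
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2013:03:12:41 +0800] "GET /wp-content/themes/sometheme/includes/uploadify/uploadify.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2013:03:12:42 +0800] "POST /wp-content/plugins/someplugin/uploadify/uploadify.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2013:03:15:09 +0800] "POST /wp-content/themes/another/uploadify.php HTTP/1.1" 404 512 "-" "python-requests/1.0"
192.0.2.11 - - [10/Jan/2013:03:20:00 +0800] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jan/2013:03:15:10 +0800] "POST /wp-content/themes/another/uploadify.php HTTP/1.1" 404 512 "-" "python-requests/1.0"'

# uploadify_hits: read an access log on stdin and print
#   "<count> <client ip> <method> <path> <status>"
# for every distinct combination that involves uploadify.php.
# A POST answered with 200 is the line to worry about: the upload went through.
uploadify_hits() {
    awk '$7 ~ /uploadify\.php/ {
            # combined log: $1 = client, $6 = "METHOD (leading quote), $7 = path, $9 = status
            method = substr($6, 2)
            key = $1 " " method " " $7 " " $9
            count[key]++
         }
         END { for (k in count) print count[k], k }' | sort -k2,2 -k3,3
}

# successful_posts: number of POSTs to uploadify.php that the server answered 200
successful_posts() {
    uploadify_hits | awk '$3 == "POST" && $5 == 200 { n += $1 } END { print n + 0 }'
}

# find_uploadify: list copies of uploadify.php under a web root (/var/www is an assumption)
find_uploadify() {
    find "${1:-/var/www}" -type f -name 'uploadify.php' 2>/dev/null
}

printf '%s\n' "$SAMPLE_LOG" | uploadify_hits
echo "successful uploads: $(printf '%s\n' "$SAMPLE_LOG" | successful_posts)"
# On a live host:
#   uploadify_hits < /var/log/apache2/access.log
#   find_uploadify /var/www
```

Every path that `find_uploadify` prints is a copy that the theme or plugin vendor has to patch or remove; the log summary tells you which of those copies were actually reached and whether the request came back as anything other than a 404.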

This is why I need to update and keep blogging regularly :D


heh

Good names are made by good people. A good reputation is built on a good name.

Heck, I've had lots of good experiences before. Those were the good days.


*This is not a rant, Lol


‘last’ command to check for previous shutdown status?

It's been a while.. again. Hopefully it's not going to become a trend that with each new post I've shifted to a new company again :) Previously I became a sysadmin, and learned a lot about revision control, code audit, peer programming and coding/scripting style. Yes, it's a sysadmin cum sys developer.

So this post is about determining the status of the previous shutdown of a Linux/BSD server: whether it was clean, forced, etc. I've googled a lot looking for a solution, but there seems to be no concrete answer. The 'last' command on Linux/Unix flavours shows the login history recorded in /var/log/wtmp (on Linux, 'last -x' also lists the shutdown and runlevel entries). In theory and in practice, a physical server shouldn't be rebooted a lot, unless it is a testing server. A power outage, forced power-off, etc. never gets the chance to write anything to the logs; the only trace is the boot that follows it. 'last' gives the specific time, and the important indicators are the 'reboot' and 'shutdown' pseudo-entries. A proper shutdown always produces a 'shutdown' record followed by a 'reboot' record. This means that if the system was always shut down properly, the number of 'reboot' and 'shutdown' entries should be equal, and a 'reboot' with no 'shutdown' before it points to an unclean restart (which is also why 'last' marks user sessions that were still open at that moment as 'crash'). Two things skew a plain count: the first boot recorded in a wtmp file has no shutdown before it in that file, and a shutdown written at the end of one rotated file pairs with a reboot at the start of the next, so look across the rotated files rather than trusting one in isolation. Well, this is actually just my theory.

To test this, here is a bash script that demonstrates the behaviour:

#!/usr/bin/env bash
# Count the 'reboot' and 'shutdown' records in each wtmp file and compare them.
# A reboot that is not paired with a shutdown record suggests the previous
# session ended without a clean shutdown (power loss, forced power-off, panic).

log_dir="/var/log"
# current wtmp plus the rotated copies; adjust the names if your rotation differs
logs_ver=( "wtmp" "wtmp.1" "wtmp.2" "wtmp.3" )
sh="shutdown"
re="reboot"

# Pick the 'last' invocation for this OS: Linux needs -x to list the
# shutdown/runlevel pseudo-entries, BSD 'last' prints them by default.
case "$(uname -s)" in
    *BSD*|DragonFly) os="BSD";   last_cmd=(last -f) ;;
    Linux)           os="Linux"; last_cmd=(last -a -x -f) ;;
    *)               echo "unsupported system: $(uname -s)"; exit 1 ;;
esac
echo "System is a $os variant"

for i in "${logs_ver[@]}"; do
    wtmp_logs="$log_dir/$i"
    if [ ! -f "$wtmp_logs" ]; then
        echo "wtmp log does not exist: $wtmp_logs"
        continue
    fi
    echo "Log for $wtmp_logs"
    # Match only the pseudo-user column so a user or host name containing
    # the word does not get counted.
    a=$("${last_cmd[@]}" "$wtmp_logs" | grep -c -i -E "^$re ")
    b=$("${last_cmd[@]}" "$wtmp_logs" | grep -c -i -E "^$sh ")
    if [ "$a" -gt "$b" ]; then
        echo "reboot $a times > shutdown $b times"
        echo "something not right: $((a - b)) boot(s) without a clean shutdown"
    elif [ "$a" -lt "$b" ]; then
        echo "reboot $a times < shutdown $b times (log rotated between shutdown and reboot?)"
    else
        echo "reboot $a times = shutdown $b times OK"
    fi
done
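The script above only compares totals. As an added example (not from the original post), the following walks a 'last -x' listing in time order and pairs each reboot with the record before it, so it names the boot that had no clean shutdown and does not count the first boot in the file against you. The listing is a constructed sample in util-linux 'last' layout, not captured from a real host; on a live machine feed it 'last -x -f /var/log/wtmp' instead.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post.
# Pair every 'reboot' record with the record that precedes it in time.
# 'last' prints newest first, so the records are collected and walked backwards.

# Constructed sample of 'last -x' output (util-linux layout); not from a real host.
SAMPLE_LAST='reboot   system boot  3.2.0-4-amd64    Tue Jan 15 09:02 - 17:40  (08:37)
shutdown system down  3.2.0-4-amd64    Mon Jan 14 23:10 - 09:02  (09:52)
reboot   system boot  3.2.0-4-amd64    Mon Jan 14 08:00 - 23:10  (15:10)
reboot   system boot  3.2.0-4-amd64    Sun Jan 13 10:30 - 08:00  (21:29)
shutdown system down  3.2.0-4-amd64    Sat Jan 12 18:00 - 10:30  (16:30)
reboot   system boot  3.2.0-4-amd64    Sat Jan 12 07:45 - 18:00  (10:15)

wtmp begins Sat Jan 12 07:45:01 2013'

# unclean_boots: read 'last -x' text on stdin, print one line per reboot record
# saying whether a shutdown record came right before it.
unclean_boots() {
    awk '
        $1 == "reboot" || $1 == "shutdown" { rec[++n] = $0 }
        END {
            prev = ""
            for (i = n; i >= 1; i--) {          # oldest record first
                split(rec[i], f, " ")
                # f[5] f[6] f[7] f[8] = weekday month day HH:MM of the record
                when = f[5] " " f[6] " " f[7] " " f[8]
                if (f[1] == "reboot") {
                    if (prev == "")
                        printf "%s  first boot in this file (nothing earlier to pair with)\n", when
                    else if (prev != "shutdown")
                        printf "%s  UNCLEAN: boot not preceded by a shutdown record\n", when
                    else
                        printf "%s  ok: clean shutdown before this boot\n", when
                }
                prev = f[1]
            }
        }'
}

# count_unclean: number of UNCLEAN boots in the listing on stdin
count_unclean() {
    unclean_boots | grep -c 'UNCLEAN'
}

printf '%s\n' "$SAMPLE_LAST" | unclean_boots
# On a live host:  last -x -f /var/log/wtmp | unclean_boots
```

On the sample there are four reboots and two shutdowns, so the counting script would report two boots without a shutdown; walking the sequence shows that one of them is simply the first boot in the file and only the Mon Jan 14 08:00 boot is really unclean.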

Automated Audit Policy batch script – part II

It's been a while since the last post. In this post I just want to wrap up the method/approach I implemented before.

Running psexec and pushing the batch script to hundreds of servers is best done during off-peak hours. Well, it worked in theory as well as in practice. The picture below is an example of the implementation. Notice that the batch script executed accordingly on both the Web Server (Win2k3) and WinServer (Win2k8). Doing this to tens/hundreds of servers really saves time.

The small change from the previous script is to copy auditpol.exe from the share server (192.168.44.1) onto the Windows 2003 servers, because Win2k3 does not ship auditpol.exe (it comes from the Resource Kit tools):

:Win_XP_2003
Echo copying Auditpol.exe to system32...
REM change the IP address to the share server's IP; /Y avoids an overwrite prompt on an unattended run
xcopy "\\192.168.44.1\auditpol\Auditpol.exe" %SystemRoot%\system32 /Y
Echo Enabling Auditing...

Another interesting event-log agent I've stumbled upon is called Snare. I've been using it to send syslog-like messages from the Event Logs (Security, Application and System), and it includes a web page for configuration (straightforward and easy to use).

For the complete how-to and the source/script for this approach, you can get it here – auditpol

Psexec and Batch script


*Note: the script may trigger an IDS signature such as PsExec_Service_Accessed when run against multiple destination IPs. Use with caution.

Automated Audit Policy batch script

Yes, I’m still blogging.. :)

I've shifted to a new company with a rather different job scope, but still in the same field. Currently doing some projects on SIEM, which is actually very tedious. To cut it short: turning on the local security policy (Local Policies -> Audit Policy) on one Windows server is easy. Just navigate to the audit policy and choose 'Success' and/or 'Failure' for each audit category.

Automating things:
Doing this on a few hundred Windows servers (in AD and not) can drive you crazy. I know there is a method to push settings/configuration using SCCM, but as far as I know it requires the machines to be joined to AD.

One method that makes it possible to execute the batch script on hundreds of machines is PsExec from Sysinternals. An example invocation looks like this:

psexec @Host-List.txt -u domain\administrator -p <password> -d -i "\\server\share\batch.cmd"

We add the hostnames/IPs to the Host-List.txt file, supply the username and password, and execute the batch script from the share server. The password goes right after -p; it is then visible in the process list and the command history of the machine you run this from, so do it from a trusted admin workstation. For me at least, this method is much easier. Any other method/suggestion/comments are welcome! BTW, below is the simple batch script:

====================================================

@ECHO OFF
:: poorman Local Security Policy (Audit Policy) batch script
:: will enable success/failure for all audits except DS access
:: requires auditpol.exe (Resource Kit tool on Win 2000/XP/2003) if not present
:: win ver part shamelessly from Denis St-Pierre
:: tdr[dot]local[at]gmail.com

VER | FINDSTR /L "5.0." > NUL:
IF %ErrorLevel% EQU 0 (
ECHO System is running Win 2000
GOTO Win_XP_2003
)

VER | FINDSTR /L "5.1." > NUL:
IF %ErrorLevel% EQU 0 (
ECHO System is running Win XP
GOTO Win_XP_2003
)

VER | FINDSTR /L "5.2." > NUL:
IF %ErrorLevel% EQU 0 (
ECHO System is running Win 2003
GOTO Win_XP_2003
)

VER | FINDSTR /L "6.0." > NUL:
IF %ErrorLevel% EQU 0 (
If EXIST %SystemRoot%\System32\ServerManagerLauncher.exe (
ECHO Running Windows 2008R1
) ELSE (
ECHO System is running Win Vista
)
GOTO Win_Vista_7_2008
)

VER | FINDSTR /L "6.1." > NUL:
IF %ErrorLevel% EQU 0 (
If EXIST %SystemRoot%\System32\ServerManagerLauncher.exe (
ECHO Running Windows 2008R2
) ELSE (
ECHO System is running Windows 7
)
GOTO Win_Vista_7_2008
)

:: no version matched: stop here instead of falling through into the next label
ECHO Unknown Windows version, audit policy left unchanged
GOTO :EOF

:Win_XP_2003
:: Resource Kit auditpol syntax; %SystemRoot% is C:\WINNT on Win 2000, so no hard-coded path
%SystemRoot%\System32\Auditpol.exe /enable /system:all /logon:all /object:all /privilege:all /process:all /policy:all /sam:all
GOTO EXEC_CMD

:Win_Vista_7_2008
%SystemRoot%\System32\auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Object Access" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"DS Access" /success:disable /failure:disable
%SystemRoot%\System32\auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Policy Change" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Privilege Use" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"System" /success:enable /failure:enable
GOTO EXEC_CMD

:EXEC_CMD
ECHO Continue with Audit Policy..
PAUSE
START %SystemRoot%\System32\secpol.msc

*Note: the script may trigger an IDS signature such as PsExec_Service_Accessed when run against multiple destination IPs, because PsExec copies its PSEXESVC service binary to the ADMIN$ share of every target and starts it there. Use with caution.

VirusTotal scanner - terminal based

This is actually an extended version of the Ruby script originally from d3t0n4t0r@lobak's blog. It talks to the original (v1) VirusTotal get_file_report endpoint, which has since been retired; the current API uses a different URL and response format, but the structure of the script still applies:

Added search hash capability:
===================

#!/usr/bin/env ruby
# original from lab69.com
# Looks up a sample on the (v1) VirusTotal get_file_report endpoint, either by
# hashing a local file with MD5 or by a hash typed in by hand.
require 'net/https'
require 'uri'
require 'digest/md5'
require 'rubygems'
require 'json'

API_URL = 'https://www.virustotal.com/api/get_file_report.json'
API_KEY = 'YOUR_API_KEY_HERE'

# POST the resource (an MD5 here) and return the parsed 'report' array:
# [date_submitted, { 'AVname' => 'detection name or empty string', ... }]
def file_report(resource)
  uri = URI.parse(API_URL)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  # Verify the server certificate. Without this Net::HTTP only prints
  # "peer certificate won't be verified" and carries on over an unauthenticated TLS session.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  request = Net::HTTP::Post.new(uri.request_uri)
  request.set_form_data('resource' => resource, 'key' => API_KEY)
  response = http.request(request)
  JSON.parse(response.body)['report']
end

# Print the submission date and only the engines that flagged the sample;
# an empty string from an engine means it reported the sample clean.
def print_report(result)
  if result.nil?
    puts "No report found for this resource"
    return
  end
  puts "Date submitted:  " + result[0]
  result[1].each do |av, res|
    print "#{av.rjust(14)}:  #{res}\n" unless res.nil? || res.empty?
  end
end

print "Insert choice 1=file,2=hash\n"
choice = gets.chomp

case choice
when "1"
  puts "Insert file name"
  file = gets.chomp
  md5 = Digest::MD5.hexdigest(File.read(file))
  print_report(file_report(md5))
when "2"
  puts "Please insert hash"
  hash = gets.chomp
  print_report(file_report(hash))
else
  puts "Usage: #{__FILE__} 1 | 2"
end

=====================
A much more hardcore version is on the m4ysix blog, which adds the capability of saving results into a MySQL database for reference and repository purposes.

Some of the output (the "peer certificate won't be verified" line is Ruby's Net::HTTP warning that verify_mode was not set, i.e. the TLS connection was not authenticated):

$ virustotal.rb
Insert choice 1=file,2=hash
1
Insert file name
SpyEye_suspected.exe
warning: peer certificate won’t be verified in this SSL session
Date submitted:  2011-01-06 17:55:01
Fortinet:  W32/Spyeye.A!tr.dldr
TrendMicro:  TROJ_GEN.R42E1JV
AntiVir:  TR/Hijacker.Gen
Avast5:  Win32:Spyware-gen
Antiy-AVL:  Trojan/Win32.SpyEyes.gen
VirusBuster:  TrojanSpy.SpyEyes!Z4tScdOCRJ0
VBA32:  TrojanSpy.SpyEyes.cns
Command:  W32/Heuristic-KPP!Eldorado
Sophos:  Mal/Behav-010
TrendMicro-HouseCall:  TROJ_GEN.R42E1JV

———–8<—————————-8<————————8<—————– snippet

Sometimes we don't have the binary with us; we can easily search by hash instead:

$ virustotal.rb
Insert choice 1=file,2=hash
2
Please insert hash
44cdc9159db09f327370d45914459944
Date submitted:  2011-01-06 17:55:01
Fortinet:  W32/Spyeye.A!tr.dldr
TrendMicro:  TROJ_GEN.R42E1JV
AntiVir:  TR/Hijacker.Gen
Avast5:  Win32:Spyware-gen
Antiy-AVL:  Trojan/Win32.SpyEyes.gen
VirusBuster:  TrojanSpy.SpyEyes!Z4tScdOCRJ0
VBA32:  TrojanSpy.SpyEyes.cns
Command:  W32/Heuristic-KPP!Eldorado
Sophos:  Mal/Behav-010
TrendMicro-HouseCall:  TROJ_GEN.R42E1JV

————–8<——————-8<——————8< snippet

 

Installing libcpu on Ubuntu and Mac OSX

From http://www.libcpu.org/wiki/Main_Page :
"libcpu is an open source library that emulates several CPU architectures, allowing itself to be used as the CPU core for different kinds of emulator projects. It uses its own frontends for the different CPU types, and uses LLVM for the backend. libcpu is supposed to be able to do user mode and system emulation, and dynamic as well as static recompilation."

**********Ubuntu************

I'm installing on top of Ubuntu 9.10 32-bit.

To install libcpu on Ubuntu, CMake version 2.8 or higher is required. Unfortunately (as of January 3, 2010)
Ubuntu's default CMake is still at 2.6.x, so I have to build it:

Download CMake version 2.8 or higher. I'm using cmake-2.8.4.tar.gz

For other operating systems we can download it here: http://www.cmake.org/cmake/resources/software.html

After that, extract and build it:

# tar -zxvf cmake-2.8.4.tar.gz

# cd cmake-2.8.4

# ./configure

# make

# make install

We should now have a working cmake version 2.8.4:

# cmake
cmake version 2.8.4
Usage

cmake [options] <path-to-source>
cmake [options] <path-to-existing-build>

——-8<————–8<———–

Install dependencies :

# sudo apt-get install flex bison libreadline-dev

I issued apt-get install llvm, but that installs the 2.5 version. I'm going to have to install the 2.6 version.

To achieve this, download llvm 2.6 from http://archive.ubuntu.com/ubuntu/pool/main/l/llvm/llvm_2.6.orig.tar.gz

Proceed with unpacking and installing it:

# tar -zxvf llvm_2.6.orig.tar.gz

# cd llvm-2.6/

# ./configure

# make

# make install

You have the right version if it shows 2.6:

root@test:~/libcpu/trunk# llvmc --version
Low Level Virtual Machine (http://llvm.org/):
llvm version 2.6 (Ubuntu 2.6-0ubuntu1)
Optimized build with assertions.
Built Oct 26 2009(19:40:39).

Check out the source from SVN (svn co svn://www.libcpu.org/libcpu) and compile it.

After checking it out, build libcpu by issuing:

# make

Running a test (inside the libcpu directory):

# test/scripts/cbmbasic.sh

**** COMMODORE 64 BASIC V2 ****

64K RAM SYSTEM  38911 BASIC BYTES FREE

READY.

**********Mac OSX************

For Mac OSX, we can download cmake 2.8.4 from http://www.cmake.org/files/v2.8/cmake-2.8.4-Darwin-universal.dmg

Next, download llvm 2.6 from http://www.break.net/orlando/llvm/llvm-2.6-macosx-release-universal-1.tar.bz2

The installation procedure should be straightforward from here.

p/s: detailed information on libcpu can be found at http://www.libcpu.org/wiki/Getting_Started

"ENCOM OS/12" leaked and a terminal - Tron Legacy

This may be too late (but I don't care :p)

I've never watched Tron Legacy before.. some say it's good, some say it's crap. Nevertheless, I've just got a copy of the movie (he he) and previewed it (not finished yet). The scene that attracted me is when the ENCOM OS/12 gets leaked and published on the net.

Seeing a terminal/console in a movie is a rare thing; the last time I saw one was in Matrix Reloaded when Trinity used nmap (http://nmap.org/movies.html). Now I've seen it in Tron Legacy. Captured from the Blu-ray:

How cool is that? :D
