I am going to go ahead and admit to the internet that I was looking for something quickly last night and did not practice safe searching. I had multiple tabs open, including my Gmail, and I was the victim of a cross-site scripting attack.
Last night I was looking for a file converter for a document my wife had received from one of her students so that she could open and grade his paper. I had a bunch of tabs open and a Google Hangout ongoing and did not think to start a new Chrome window for my searching, which I typically do. I run Chrome extensions like uBlock Origin, Privacy Badger, and some others. This attack went totally unnoticed by all of the tools I have to monitor my privacy.
When someone notified me that I had sent them spam, I asked for the view source of the message. It can be found here if anyone is interested. I redacted the email addresses and names, but left the servers and client data present; since it is the client data and servers of a spammer, I don't think they will mind.
In the meantime, until I got the above email source data, I thought my server where I host linward.net might have been compromised and began scanning it frantically. There were no authentication attempts against it and nothing out of the ordinary in the logs. I changed all passwords on the system and then checked all of the activity on my Gmail account. No logins from strange IP addresses and nothing in my sent folder related to the spam activity.
After receiving the header information I was somewhat relieved to see the message was sent from Seoul, Korea, using a client claiming to be Outlook 2013. Relieved because I do not live in Korea, nor do I even have a copy of MS Outlook installed on any of my machines, especially not 2013.
I wanted to put this out there to see if anyone else had encountered anything like this in their day-to-day work. It was strange and totally creeped me out. I had not seen an attack like this before in person, and I wish I could have isolated the site doing it so I could have notified the host.
It is completely against standard practice for any of us that are even remotely involved in security to admit our mistakes and/or seek assistance from the community. If everyone keeps quiet about every problem that we face, how will we ever make headway against attackers? It is obvious that the attackers are sharing information on tools and attacks. Otherwise we would not see so many copycat scripts and professionally produced malware toolkits out there for download and use to create mayhem. This is me "putting it out there" to everyone else. I was played by a cross-site scripting attack and I want to inform others so that we can work together on the side of good to combat it and make headway against the attackers. Any suggestions for Chrome or other browser extensions to block this kind of attack are welcomed. I can be reached from the contact form on this blog that nobody reads or @lin_ward on Twitter.
Something to talk about…
I finally figured out something involving technology that I can write about and remain employed. It isn't that I haven't had anything cool to talk about in the last year. The problem is, I am not allowed to talk about my job on the social medias… so there's that. I have had all kinds of cool things to talk about over the last year; it just wasn't something that I could share with the world. My newest hobby is actually an old hobby. I have been working on video editing for my church. It is something that I have not worked on intently since I was in high school. Way back in the olden days (the late 90's) I worked after school doing video editing. I have used iMovie and some of those tools over the years here and there, but in the last 2 months I have been in it every week editing the weekly sermon and making video bumpers for different events here at the church. Creating digital media has never been my strongest skill, so it is making me stretch to come up with ideas. Here is a link to the YouTube channel we have started. Really the editing portion of it has been pretty easy: chop off the front and the back, then upload it to YouTube and embed it into the website. It has still been fun. I am also working on creating some new motion graphics for the bumpers on the sermons. Here is the first one I have done. I downloaded Motion from Apple to get me started. This is my first project; I am working now on some more loops to welcome people and announce events. I will post them here as I get them worked out.
It has actually been really fun to get away from the engineering side of things and be creative. At first I was dreading it, but now it has become an outlet. To learn how Motion works (I am by no stretch an expert) I found some cool videos to get me started and I went from there. Here are some of the videos I watched to get reintroduced to video editing on Macs.
33 today – another year in the books
I haven’t been posting as regularly as I would like lately. The last few months have been a blur. It seems that everything has been changing in the last year and then the last few months it ramped up even more. In the last year we (my little family) have experienced some major challenges and been through some changes and battles that we never saw coming.
Both my wife and I have switched jobs in the last year, for me just in the last 3 months. Today marks 3 months at my new job and I am really enjoying it. I have been learning a completely new area of IT and I have enjoyed the challenges of being stretched in new ways. I miss many of my friends and co-workers that I have spent years getting to know, but this was a change that was in the best interest of my family. I am home every night and have an amazingly regular schedule that allows me to attend soccer practice and swim practice and many of the things I just couldn’t get home for early enough previously. My wife is teaching at a new school that she loves, her second year starts tomorrow, as well as Ayden’s. They are loving it there and are both growing in new and different ways. Jamie is teaching subjects that she hasn’t taught before and Ayden is amazing me more each day with how he soaks up and retains everything.
However, it hasn't all been unicorns and rainbows. I lost two grandparents in the last few months and that has weighed heavily upon us. A big part of why we have never left the town that we are from is our families. Jamie and I are both extremely close with our families, and losing two grandparents so close together was really hard on all of us, especially Ayden.
The other dramatic change has been that in the last year Jamie and I have taken up a serious focus on our health. I have lost 50 pounds since this time last year and I have never felt better. All 3 of us are participating in three 5K events in just as many months. It is going to be a fun time, which is never something I would have said about exercise previously, but it is fun because we are all doing it together.
Finally, we have spent a lot of time this year with our friends. We have made new friends and had some friendship attrition as people have grown and changed. If anyone knows me well, you know how important my friendships are to me and I take them seriously. If I call someone my friend it doesn't mean I would call them for dinner, it means I would call them to help bury a body. We have rekindled some old friendships and made some new ones that I hope last a lifetime. My granddad used to say that if you can make it your whole life and be able to count yourself as having 5 great friends, you were really blessed. We are beyond blessed and it means a lot to have these people in our lives. To Jamie and me, friends are synonymous with family, and we are blessed to have such a large family.
Anyway, that is all for now. I hope to be able to get more time to post as I get more into the groove with this new job.
Helpful WordPress Plugin
I have been using a free WordPress plugin to track unauthorized attempts to log in to my WordPress instance. It is called "Limit Login Attempts" and can be found here: http://devel.kostdoktorn.se/limit-login-attempts. It comes configured to allow 4 bad logins before blocking an IP address for 24 hours. I set mine up this way and watched over the next few days as the same IP tried every day and got blocked every day. At least this user is persistent; not smart, but persistent... and noisy. Anyway, I have now moved the lockout time to 9999 hours (the max the box would allow) just so I get fewer emails about this attacker.
Once you configure the "Limit Login Attempts" plugin it will send you a nice email notification when it blocks someone, like the one below:
Each time I see this email it just warms my heart, maybe I’m a little bit broken…
I could also edit my .htaccess file to block him/her, or the entire country the IP is originating from. However, that would cut into my fun of watching what is going on. That is what this is about anyway, my entertainment. There is a great site to help you write and edit .htaccess files that can be found here: http://incredibill.me/htaccess-block-country-ips. There are some more specific tuning resources for .htaccess here: http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
Another option is to limit your logins based on the originating IP address (this is a smart idea). If you are on the go as I am, often connecting from your phone, home, and/or work, this is not your best option, as the rules will get long and messy. It would also be "recommended" to disable or hobble your admin account. I set my admin account to a basic read-only role and used a complex password generator, so if you can get into that account, it's yours: read all you want, but no posting.
Screenshot of the plugin and its logs; click on the images for a larger view.
MySQL Backup and Restore
I was having a hard time moving my blog from one database server to a newer one at my hosting company that had more space and was reportedly faster. After banging around for a bit I found it was most easily accomplished from the command line using only two commands. This technique requires access to your web host via SSH, and some knowledge of the *nix command line.
mysqldump --host=server.name --user=user.name -p databasename > filetocreate.sql
You will be prompted for the password (that is what the bare -p does; giving the password on the command line instead would show it to every other user on a shared host in the process list). The file will be written into the folder you are currently in. Before going further, check that the last lines of the file contain "-- Dump completed"; mysqldump writes that trailer only when it finished, so a file without it was cut off and should not be loaded. After this completes you can load the file into your new database host with the following command:
mysql --host=new.server.name --user=user.name -p databasename < fileyoucreated.sql
Again you will be prompted for the password, and the database will be streamed to its new location. Once that is done, back up wp-config.php and then pop into wp-config.php and update the database name, username, database host name and password. Cross your fingers and open the site back up to see the results; your mileage may vary. Drop me a message if this doesn't work for you.
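Here is an added example, not part of the original post, that wraps the two commands above in a small shell script: it reads DB_NAME, DB_USER and DB_HOST out of wp-config.php so nothing is retyped, keeps the password off the command line, and checks the dump file for the "-- Dump completed" trailer that mysqldump writes only when it finished. The hostnames and the wp-config.php contents in the demo at the bottom are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: build the dump and restore commands
# from the wp-config.php the site actually uses, and verify the dump before the
# new server is touched. The password is deliberately never put on the command
# line (-p prompts for it); a password passed as an argument shows up in `ps`
# for every user on a shared host. Hostnames and paths below are assumptions.

# wp_config_value FILE KEY: print the value of define('KEY', '...') in FILE.
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# dump_command WPCONFIG OUTFILE: the mysqldump line for the site described by WPCONFIG.
# --single-transaction gives a consistent snapshot of InnoDB tables without locking them.
dump_command() {
    printf 'mysqldump --host=%s --user=%s -p --single-transaction %s > %s\n' \
        "$(wp_config_value "$1" DB_HOST)" "$(wp_config_value "$1" DB_USER)" \
        "$(wp_config_value "$1" DB_NAME)" "$2"
}

# restore_command WPCONFIG NEWHOST DUMPFILE: the matching mysql line, pointed at the
# new database host while user and database name are taken from the same config.
restore_command() {
    printf 'mysql --host=%s --user=%s -p %s < %s\n' \
        "$2" "$(wp_config_value "$1" DB_USER)" "$(wp_config_value "$1" DB_NAME)" "$3"
}

# dump_looks_complete DUMPFILE: mysqldump ends every successful dump with a
# "-- Dump completed on ..." trailer. A file without it was cut off (disk full,
# SSH session dropped, wrong password) and must not be loaded into the new server.
dump_looks_complete() {
    [ -s "$1" ] && tail -n 3 "$1" | grep -q '^-- Dump completed'
}

# Demo on a constructed wp-config.php (not a real site; values are made up).
demo_dir=$(mktemp -d)
cat > "$demo_dir/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wp_blog');
define( 'DB_USER', 'bloguser' );
define('DB_PASSWORD', 'not-a-real-password');
define('DB_HOST', 'db1.example.invalid');
EOF
dump_command "$demo_dir/wp-config.php" wp_blog.sql
restore_command "$demo_dir/wp-config.php" db2.example.invalid wp_blog.sql
rm -r "$demo_dir"
```

Run the printed dump command on the old host, confirm dump_looks_complete passes on the resulting file, and only then run the restore command against the new server and update wp-config.php to match.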
As anyone that knows me already knows, I am ADHD personified at times. However, that is not what this post is about. It is about another form of ADHD (Active Defense Harbinger Distribution), which is a Linux distribution that provides honeypot services and a whole lot more. There is some questionable legality in parts of the whole lot more, so I am just experimenting with the honeypot features. I forwarded a few ports to it on my home firewall so I can watch and see who is scanning me. This distribution is capable of tracking back to a hacker's source, but until more legal precedents are set I will be content just to know who is scanning me.
If you want to download it for yourself you can get it here, but be warned: some of the things in the package could get you into trouble, so take care what you make public to the internet: http://sourceforge.net/p/adhd/wiki/Home/
It was created by some of the security-minded folks that are creating inroads into offensive countermeasures: http://www.sans.org/course/offensive-countermeasures-defensive-tactics-work
Raspberry Pi – VPN & Proxy
Like a lot of people I purchased a Raspberry Pi when they were all the rage about a year ago. Initially, I was super excited like everyone else about this piece of hardware that was going to change the world and bring affordable computers to everyone. Fast forward a year: my Pi was sitting on my desk staring at me and I felt guilty for not putting it to better use. Several of my friends had used theirs to start programming projects or XBMC servers. I am not much of a programmer and I already have Roku boxes on all of my TVs, so it basically got booted up from time to time to show others that it was a tiny device that could hook to a TV with an HDMI port and surf the web... not earth-shattering stuff.
I decided that my Pi needed to find new life as a part of my network. I went to http://www.raspberrypi.org and downloaded the newest version of their operating system, referred to as Raspbian "wheezy". It is based on Debian Linux, which I regularly use in my job as a security administrator. However, I use it mostly to launch Nessus scans from or Nmap hosts with. Nmap the Pi can do; Nessus, not so much. I recalled some articles I had read on LifeHacker.com about using the Pi as a VPN/proxy to put your traffic behind. OK, I travel quite a bit, so this could be my use case. I am not knocking LifeHacker; I am a regular reader of their articles and have found it to be a tremendously useful resource. However, their material on making the Pi into your web proxy was referencing specific versions of software, which made the article useful, but not especially helpful to someone new to using the Pi or Linux.
Well, now that I am into this post, we should probably flash back to the beginning and start with a Pi that is dead, lifeless, and sitting on a shelf. First we will need an operating system. The one I mentioned above is the way to go for this project. Once it is downloaded it needs to be written to SD media. There is a great guide to be found here – http://elinux.org/RPi_Easy_SD_Card_Setup – what this guide doesn't readily mention, and what took me about 20 minutes to figure out, is that if you have fat fingers (guilty of ham hands here) it is easy to accidentally "lock" the SD card and make it read-only. The GUI tools that load the OS do not warn you of this fact. I only discovered this after I got fed up with the GUI and went the command-line route. The first command I typed told me that the destination was read-only. After I removed my palm from my forehead and flipped the switch I returned to the path of the GUI. This only takes a few minutes, and once it is done, boot up the Pi for the first time.
What none of the guides told me, but I quickly figured out on my own, is that the Pi doesn't always start up correctly the first time. If you don't see any video on the screen, unplug the power, reconnect all of the cables, and plug it back in. When the Pi boots for the first time it will give you a menu to reset the password for the pi user (it defaults to raspberry). It also allows you to enable the SSH server – do this – and it lets you choose whether the GUI starts at boot. I went ahead with it starting, but I may turn this off later as I am mostly using this guy for VPN and proxy duty; I want to conserve as many CPU cycles as I can to devote to passing my VPN packets. Once the Pi is up and running, the rest of this can be done from your workstation; it needs no monitor on the Pi, just an SSH session. To get the IP address, use the Terminal shortcut on the desktop of the GUI, or the terminal it boots into if you did not enable the GUI, and type ifconfig to get the IP address of the Pi. Make a note of this address; we will need it for the following steps.
Using SSH – if you are already an avid SSH user skip to the next paragraph; if not, stay with me, I am going to give you two simple ways. On a Mac open your Terminal – the shortcut is to press Command and Space, start typing the word terminal and hit enter. This will bring up a strange white box that will feel foreign to many Mac users. In the terminal type ssh pi@<ip address of your raspberry pi> – it will prompt you to accept the host key; type yes, then enter the password you changed in the boot menu, or raspberry if you forgot to change that default password. If you did forget, go back and change it now: with the SSH server enabled, a Pi still using pi/raspberry can be logged into by anyone who can reach it on the network. On a Windows machine there is no default SSH client so you need to download one. The client that I recommend is PuTTY and can always be found here – http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html – PuTTY has a GUI; enter your Pi's IP address, username, and password and get connected.
Now we have a fully functional Pi that is running Linux and providing us with a shell via SSH. The next two commands you are going to be typing in your sleep and wishing that every operating system you use contained: sudo apt-get update, and once that completes, sudo apt-get upgrade. The first refreshes the package lists from the internet repositories and the second applies the available updates, thus keeping your Pi running with the newest software available.
I know this seems like a lot, or maybe I am just wordy. Now we are ready to continue on. There are two files we need to download that we are going to need later.
1. The installer for Hamachi http://secure.logmein.com/labs
If you haven't used LogMeIn before – be ashamed, be very ashamed. Instead of going to the download page you will be presented with a login page. Log in, open the link again, and then you will see the LogMeIn Labs page. Click on Hamachi for Linux, which at the time of this writing is in beta. Hit "learn more" to see the list of software versions. The one I had the best success with was the file under ARM (the processor type in the Pi) that ends with .tgz. This is a tar file that is to be downloaded to your workstation, then copied to the Pi and installed from there.
2. The installer for Webmin (an admin tool that comes in handy)
Go here http://webmin.com and click on Debian Package. There is only one Webmin package for all processor types; it is not picky. Once it downloads it is time to get installing.
Open your favorite SFTP client; I prefer Cyberduck on the Mac and WinSCP on the Windows platform. Configure the client to connect to the Pi the same way you connected using SSH – we are using the same service on the Pi and the same basic protocol, just a different feature it offers (file transfer over SSH). The folder you connect to by default is the home folder of the user you authenticate as, the same folder you land in over SSH. It is a good practice to create a folder here for storing your files. I usually go with source, but call it whatever you like. Just right-click and create the new folder, then drag your files over and drop them into the newly created folder.
After the file copy completes, we can install the Hamachi VPN service. Back in the LogMeIn web app you can access Networks, and My Networks. This is where you create and name your Hamachi free VPN networks – up to 5 computers. For our purposes it is best to create a mesh network topology and add your laptop or other computers that you want to proxy/VPN traffic from. Knowing your login name and the network's name and ID will be very important shortly.
To get the Hamachi client extracted and installed, first return to your SSH session and navigate to your software install directory: cd source, or whatever you named it. cd stands for change directory in Linux, Mac, and Windows; the command is similar in all of them. You can use cd .. to back up one level or pwd (Mac and Linux) to see exactly where you are in the file system. Inside of the source folder you will see logmein-<version>-armel.tgz. This is the file we need; type tar -xvf and the .tgz filename. tar is used to expand the tarball we are working with. You do not need sudo for this step: the archive is in your own home directory, and extracting it as root just leaves root-owned files there. We use sudo, which runs a command as the root user – similar to administrator on a Windows machine – only where a step actually needs it. Once the process returns you to the prompt, use ls to see what you have created and cd to move yourself into the new folder. When you do ls now there are several files; the one we are interested in is install.sh. To execute this file use the command sudo ./install.sh to start the install (this one does need root, since it installs the service). If you didn't already know, using the tab key on the keyboard will autocomplete filenames and commonly used commands in most operating systems.
The install will complete and we are ready to join our Hamachi network. First run sudo hamachi; this will show you that the Hamachi daemon is running and its status. Next run sudo hamachi attach <email address you use for LogMeIn> and hit enter; this ties your Pi to your LogMeIn account. Then use sudo hamachi join <network ID>, using the ID of the network you created (it is shown next to the network in My Networks). This will prompt you for your Hamachi network password if you set one; if not, no problem. Return to the LogMeIn portal and the My Networks section and you will see the new machine at the top of the list. If you haven't altered the default hostname of the Pi it will appear as raspberrypi. Edit it and move it into your Hamachi network. It should rapidly appear in the Hamachi window on your laptop or desktop.
Now we are ready to install the proxy server. This part is a breeze due to the amazing apt command. Simply type sudo apt-get install privoxy and hit enter. This will install the software and configure it. Answer Yes to any questions that pop up during the process. We only need to make one minor change once the install completes. Once you are returned to the command shell type sudo hamachi to view your Hamachi IP address; write it down, we are going to need it in the next step.
The Privoxy service needs to be told to listen on its Hamachi IP address. Out of the box it listens only on localhost, which is right for a proxy used from the same machine but unreachable from anything else. Do not fix that by binding it to 0.0.0.0: a proxy listening on every interface is an open proxy for anyone who can reach the Pi, on your home LAN or, if a port is ever forwarded, the internet. Binding it to the Hamachi address alone is what keeps it reachable only over the VPN. We define this in the config file for Privoxy using nano, a simple text editor for Linux. There is the more powerful vi, but this is for beginners, not seasoned Linux veterans. First use cd /etc/privoxy/ to take us to the Privoxy files, then sudo nano config to open the config file as the root user (so that we have rights to change it). We have to find the line that needs editing; the simplest way is to hold down Control and press W for the search command and search for localhost:8118. Go to the line below this one and mirror the syntax of the line above, with your Hamachi address in place of localhost, like this:
listen-address  <hamachi ip address>:8118
The directive is listen-address (there is no "listener-address"), separated from the address by whitespace; a tab or spaces both work. 8118 is the TCP port we will be using to connect with. Once you have the edit in there properly, Control-X to exit and answer Y to save.
Now we need to restart the Privoxy service: sudo service privoxy restart will take care of it from the command line. Most Linux services can be restarted so that they pick up changes to config files without the need for a reboot, unlike some operating systems... Windows. With the service restarted, configure one of your browsers to use the Hamachi IP address as the proxy IP and enter the port as 8118. If you can connect to the internet you are now browsing across your VPN, but for a real test you are going to have to leave the comfort of your computer room. From another network, browsing should work while Hamachi is connected and the proxy should be unreachable once you disconnect Hamachi; that second half is what confirms the proxy is only exposed over the VPN.
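As an added example (not from the original post), here is the same edit done from a script, with two checks worth running before the restart: which addresses Privoxy is actually listening on, and whether any of them is an all-interfaces bind such as 0.0.0.0:8118, which would make the Pi an open proxy on whatever network it is plugged into. The config path used in the demo and the Hamachi address 25.0.0.1 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: add a listen-address line to a
# Privoxy config and verify the result. A demo copy of the config is used below
# instead of /etc/privoxy/config; the address 25.0.0.1 stands in for the Pi's
# real Hamachi address. Both are assumptions for illustration.

# active_listeners CONFIG: print the value of every uncommented listen-address line.
active_listeners() {
    sed -n 's/^listen-address[[:space:]]\{1,\}//p' "$1"
}

# bind_privoxy CONFIG ADDR PORT: append "listen-address ADDR:PORT" unless that
# exact listener is already configured. Whitespace between the directive and the
# value is all Privoxy requires; a tab is not special. Returns 0 either way.
bind_privoxy() {
    active_listeners "$1" | grep -qxF "$2:$3" && return 0
    printf 'listen-address  %s:%s\n' "$2" "$3" >> "$1"
}

# exposed_listeners CONFIG: print listeners bound to every interface (0.0.0.0:port,
# [::]:port, or a bare :port). Empty output is the result you want before restarting.
exposed_listeners() {
    active_listeners "$1" | grep -E '^(0\.0\.0\.0|\[::\])?:[0-9]+$' || true
}

# Demo on a constructed copy of the Debian default config (not the real file).
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
#  listen-address  [::1]:8118
listen-address  localhost:8118
toggle  1
EOF
bind_privoxy "$demo_cfg" 25.0.0.1 8118
bind_privoxy "$demo_cfg" 25.0.0.1 8118      # second call is a no-op, not a duplicate line
echo "listening on:"; active_listeners "$demo_cfg"
if [ -z "$(exposed_listeners "$demo_cfg")" ]; then
    echo "no all-interface listeners; safe to restart privoxy"
fi
rm -f "$demo_cfg"
```

On the Pi itself you would call bind_privoxy /etc/privoxy/config with your Hamachi address under sudo, then run exposed_listeners on the same file and only restart the service if it prints nothing.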
The final step for this article is to get Webmin installed. This is a great little utility for administering Linux machines, and it will need a root password to log in with. By default Debian machines do not use the root account much, so none is set; to set one use sudo passwd root and follow the prompts. Make note of it and keep it safe. Move back to the folder where we put the install files, cd /home/pi/source/ as in my previous example. To start the Webmin install: sudo dpkg -i webmin-<version>.deb. This starts dpkg (the Debian package utility) installing the .deb (Debian package), but it will not complete: there are several other packages that Webmin needs to run. We are going to cheat and have the package manager find them for us. Once the Webmin installer errors out it will list the missing packages. I picked one called apt-show-versions (it doesn't really matter which) and entered sudo apt-get install apt-show-versions; after this completes I ran sudo apt-get -f install, which finds the missing dependencies of the half-installed package and installs them. When it completes it will tell you the login URL for your Webmin instance. You can use the Hamachi IP; just don't forget the https:// in front and the port :10000 at the end of the URL. Webmin listens on every interface by default, so the same caution as with Privoxy applies: anything that can reach port 10000 on the Pi gets a login prompt for root, which is one more reason to keep the Pi behind the home firewall and reach it over Hamachi only. When presented with the Webmin login page, give root for the username and the password that you configured earlier in this paragraph.
Now you have a handy utility machine that can be accessed safely from virtually anywhere that you have internet connectivity. As I use the Pi more I hope to create more posts showing how I am making use of my ultra-cheap computer to make my computing more fun.
Social Engineering Call
So this afternoon I got a call from a strange number – 248.562.1268. When I answered it was an Indian fellow who told me he was calling from tech support to help with my computer. He said the last time my computer went online it downloaded a virus and he wanted to help me fix it. At this point my day was made. I have been hoping that they would call me because I wanted to see what website they were directing unsuspecting users to. He told me I needed to be in front of my computer, which I wasn't, so that he could help me. I got a scrap of paper, took notes and pretended to play along. He wanted to know what version of Windows I was running before we got started. I said Windows 7 so he would keep going. First he wanted me to hold down the Windows key and press "r" on the keyboard; this is the shortcut for the "Run" box on Windows. He phonetically spelled out "prefetch", so I played along, and he said all of the files in there were virus files and to delete them all. Next he said to type "eventvwr", which launches the Windows Event Viewer. I said OK, I have it open. He wanted me to scroll through the Event Viewer for the first red icon I could find; I said I found one. He asked me to read the number out beside it. I just said a random number: 5000. He says this is a very grave situation, you have 5000 virus files on your computer, I will have to connect remotely to take care of the situation. In my opinion they would be doing a great job of building confidence with a user that was unaware of what they were doing. This call lasted almost 10 minutes before I was even at the exploit part of the call. Of course a lot of that was me saying "huh", "what" and "could you say that again". We spoke two very different dialects of English. He wanted me to visit www.360pcsupport.com; at this point I could not go any further as I did not have a computer handy, nor was I about to visit it... so I said I am very sorry, I have another call on the line, please call back later.
So far he has not called me back but I really hope they do. I want to see where else he wanted to take me from one of my sandboxed workstations. If anyone else gets a call from them please let me know I want to see if there are any other links I need to add into our web filtering system to block. This was way too much fun.
Amazing Slow Motion Photography
I saw this linked from an article I was reading and had to share it. It is some pretty amazing slow motion if you like that kind of thing. Turn the resolution up all the way and watch full screen.
Removing WordPress Malware
This week I had a friend contact me about a WordPress site he had built that was distributing malware. He had tried to clean it up, and the malware was really persistent, so he asked me if I would like to take a look at it. I opened the site and NoScript instantly warned me about scripts trying to run. I opened up FTP to the site and saw that the index.php file was huge. Surfed around inside of the directory structure and index.php inside of the wp-admin directory was also quite large. In Googling around there was no definitive guide about how to remove infections like this, so I thought I should write up my findings if I was able to get it cleaned up.
Next I had to find what was causing the reinfection of the site. I was now able to open the wp-admin panel and log in. I went straight to the plugins section of the control panel and disabled all of the plugins. From some of the posts I had read there were lots of comments about rogue plugins causing this problem. I wrote down a list of the plugins and went back to my FTP client. There were several plugins in the FTP folder that were not listed in the admin interface. I renamed these folders immediately and started Googling the plugins that were in the folder. One of them was "ToolsPack"; I had already observed several other users lamenting the problems with this plugin. It is basically a plugin that downloads and installs malware for you. While that is very helpful, it is not really what most users were looking for. Another plugin was just a random string of characters; it was also renamed. Typically I just add a .bad extension to the end of all suspect files/folders until I am sure they are ready to be deleted. Another good place to look is in your phpMyAdmin control panel. Navigate into your database as shown in the picture below and find the active_plugins row in the wp_options table. If you see any in there that are suspect, remove them. Just remember that the value is a serialized PHP array: each entry is prefixed with its string length and the whole thing with its element count, and entries are separated by semicolons, so it is important to get the formatting exactly right or the plugin list will not load correctly. Check out the image of phpMyAdmin from one of my sites. Click on the image to see it in its original size so you can read the annotations.
Once the rogue plugins are disabled, the index.php files are set to a permissions level of 444, and you are feeling better about the site, you should use one of the free scanners out there to double-check your work. Keep in mind that 444 is a speed bump, not a lock: if PHP runs as the user that owns the files, as it does on most shared hosts, a script can chmod them writable again, so the scanner and a later re-check matter more than the permission bits. This site – http://sitecheck.sucuri.net/scanner/ – will do a free scan of your site. I see no reason at this point to pay $89.99 for them to clean up a malware infection. After cleaning up one like this I think I would be happy to take someone's $89.99 to do another one. It is not that bad if you are comfortable with the tools involved: FTP, a text editor, and a web browser with NoScript (to prevent infecting yourself). After Sucuri pronounces your site clean, use the FTP client to delete all of the files you marked as suspect with a .bad extension (or however you delineated them from the production files).
grep -r -l "Math.Pi" .
grep invokes the program, -r searches recursively, and -l lists the names of the files where the text is found. The string of text you are searching for belongs in the quotes, and the period at the end means "start from the current directory"; hit enter and the matching file names appear below. grep treats the pattern as a regular expression, so the dot in Math.Pi matches any character; add -F if you want the string matched literally. You have to be specific and careful: PHP is a programming language and the text you select to search for could be needed by legitimate code. Download a fresh copy of any files you think are suspect to compare against. I downloaded the .zip of the WordPress version that was installed in this case, and I downloaded and extracted all of the .zip files for the plugins and themes that were installed. This allowed me to compare the original intended code with what was running live on the site. I am not a programmer, but it was very clear when I found the bogus code. Here is a screenshot of the code that I found and knew was instantly bad with little programming background. Keep in mind that the text extends well out of the image shown; several of the lines that are cut off were over a thousand characters long.
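To pull the search and the comparison together, here is an added example that is not from the original post: three small shell functions run over a constructed miniature site so the whole thing works offline. suspect_files does the grep for strings that almost never appear in legitimate WordPress code (eval of a decoded blob, plus the Math.Pi marker from this infection), long_line_files flags files containing a line longer than a given length, which is how packed injections usually look, and changed_files runs diff against a fresh copy of the same WordPress version, which is how the altered index.php and the extra plugin folder show up in one listing. The fixture files and the ToolsPack folder in the demo are constructed, not taken from a real site.

```shell
#!/bin/sh
# Added example, not from the original post: the three searches the clean-up
# relies on, as functions. The patterns are common injection signatures and the
# marker from this particular infection, not a complete list; legitimate
# JavaScript uses Math.PI, so treat every hit as a lead to inspect, not a verdict.

# suspect_files DIR: PHP/JS files under DIR containing strings that almost never
# belong in WordPress core, themes or plugins.
suspect_files() {
    grep -r -l -E \
        -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
        -e 'Math\.Pi' \
        --include='*.php' --include='*.js' "$1" | sort
}

# long_line_files DIR MAXLEN: files under DIR with any line longer than MAXLEN
# characters. Injected code is routinely packed onto one very long line; real
# WordPress source rarely exceeds a few hundred characters per line.
long_line_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.js' \) \
        -exec awk -v max="$2" 'length($0) > max { print FILENAME; exit }' {} \; | sort
}

# changed_files LIVE CLEAN: compare the live site against a freshly downloaded copy
# of the same WordPress version (plus the same plugin and theme zips). Lists files
# that differ and files present on only one side, such as a plugin folder the admin
# screen never showed. Exit status 0 whether or not differences were found.
changed_files() {
    diff -rq "$2" "$1" || [ $? -eq 1 ]
}

# Demo on a constructed two-copy site (nothing here is from a real installation).
site=$(mktemp -d)
mkdir -p "$site/live/wp-includes" "$site/live/wp-content/plugins/ToolsPack" \
         "$site/clean/wp-includes" "$site/clean/wp-content/plugins"
printf '<?php\nrequire "wp-blog-header.php";\n' > "$site/clean/index.php"
printf '<?php function wp_ok() { return 1; }\n' > "$site/clean/wp-includes/functions.php"
cp "$site/clean/wp-includes/functions.php" "$site/live/wp-includes/functions.php"
# Injected copy: an eval of a base64 blob padded onto one 1200-character line, then the real file.
{ printf '<?php eval(base64_decode("ZWNobyAnaGknOw=="));'; printf '%1200s\n' ''
  cat "$site/clean/index.php"; } > "$site/live/index.php"
printf '<?php /* constructed rogue plugin */ ?>\n' > "$site/live/wp-content/plugins/ToolsPack/ToolsPack.php"

echo "suspicious strings:";          suspect_files "$site/live"
echo "lines over 1000 characters:";  long_line_files "$site/live" 1000
echo "differences from clean copy:"; changed_files "$site/live" "$site/clean"
rm -r "$site"
```

Against a real site, run the three functions over the FTP download of the live tree and an unpacked copy of the same WordPress, plugin and theme zips; anything that appears in all three listings is where to start reading.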
I hope someone else finds this helpful. It was frustrating as I looked for resources and there were lots of fragmented guides and forums where one or two of these ideas were mentioned but not one that covered all of these different ways to look for and repair a malware problem like this. If nothing else it can serve as a reminder to me the next time I encounter one of these infections.