JW Network Consulting » Security

Looking for Malicious PHP Files

Jason — Sun, 30 Oct 2011 22:03:15 +0000

I’ve been digging through some PHP files that are trying very hard to hide what they are doing. Basically, the PHP code is base64 encoded and then compressed. The blob of random text is then stuffed into a PHP file which calls

"eval(gzinflate(base64_decode("BLOB OF TEXT")));

to decode it and execute it on the web server. While it obscures what the code is doing (briefly), it fairly screams that something is not right with this file.

First to find any PHP files which use this on your server use:

egrep -r "eval\(gzinflate\(base64_de" . --include=*.php

That will find the offending files. To see what they did, I copied everything inside the “eval()” statement. Then I dumped into a text file on my laptop in something that looked like this.

Instead of displaying it in a browser, I called it from the command line.

> php foobar.txt

The code gets base64 decoded, decompressed and displayed in my console window. Because I removed “eval()” from the code I could see what the attacker was doing without worrying about executing bad code on my system. Or viewing it in my browser.

Technorati Tags: incident response, malicious php, obscured malicious code

Metasploit Breaks into SkyNet!

Jason — Fri, 01 Apr 2011 14:54:14 +0000

Metasploit has successfully broken into Skynet thanks to Comodo, RSA, MySQL and Stuxnet! Here is the output from msfconsole after updating today. Rock on guys.

(0 08:43:03 515) -> ./msfconsole 

#    # ###### #####   ##    ####  #####  #       ####  # #####
##  ## #        #    #  #  #      #    # #      #    # #   #
# ## # #####    #   #    #  ####  #    # #      #    # #   #
#    # #        #   ######      # #####  #      #    # #   #
#    # #        #   #    # #    # #      #      #    # #   #
#    # ######   #   #    #  ####  #      ######  ####  #   #

       =[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 673 exploits - 353 auxiliary
+ -- --=[ 217 payloads - 27 encoders - 8 nops
       =[ svn r12202 updated today (2011.04.01)

[*] Calculating new Comodo SSL CA key...
Factoring..........

-----BEGIN RSA PRIVATE KEY-----
zFBBetA9KgxVcBQB6VhJEHoLk4KL4R7tOoAQgs6WijTwzNfTubRQh1VUCbidQihV
AOWMNVS/3SWRRrcN5V2DqOWL+4TkPK522sRDK1t0C/i+XWjxeFu1zn3xXZlA2sru
OIFQvpihbLgkrfOvjA/XESgshBhMfbXZjzC1GwIDAQABAoIBAQCJoijaEXWLmvFA
thiZL7jEATCNd4PK4AyFacG8E9w8+uzR15qLcFgBTqF95R49cNSiQtP/VkGikkkc
ao25aprcu2PnNA+lpnHKajnM9G3WOHuOXHXIps08es3MmBKTxvjNph6cUlqQULrz
Zry+29DpmIN/snpY/EzLNIMptn4o6xnsjAIgJDpQfFKQztxdmZU6S6eVVn0mJ5cx
q+8TTjStaMbh+Yy73s+rcaCXzL7yqWDb1l5oQJ/DMYNfufY6lcLgZUMwFxYKjCFN
ScAPCiXFUKTzY3Hy1Z4tLndFxipyEPywDep1TB2nMb+F3OOXUs3z+kKVjGFaGnLZ
591n3x3hAoGBAOOgsb4QybjHh9+CxhUkfsqcztGGdaiI3U5R1qefXL7R47qCWfGc
FKdoJh3JwJzLOLX68ZmHz9dPhSXw6YrlLblCi6U/3g7BOMme5KRZKBTjHFo7O9II
B0laE5ISRH4OccsOC3XUf9XBkm8szzEBj95DgzB0QydPL4jp7NY0h0QrAoGBAMEv
jEFkr/JCRe2RWUAPR1LWT/DHnVLMnDb/FryN2M1fAerpMYNUc2rnndjp2cYbsGLs
cSF6Xecm3mUGqn8Y5r8QqFo0lzp5OunCFCXEJvkiU3NSs8oskCsB8QJ6vk3qmauU
-----END RSA PRIVATE KEY-----

[*] Scanning RSA tokens for usable seed.....4d416f70-5f16-0410-b530-b9f4589650da!

[*] Logging into vault.rsa.com as 'rivest'......Successful

[+] Compromised 'vault.rsa.com' via ACE backdoor...

[*] Launching SQL injection attack against MySQL.com....Done

[*] Extracting passwords hashes....Done
[+] 54,024 passwords obtained

[*] Replaying SHA1 hashes against Sun.com.......Done

[*] Attaching to Stuxnet through Oracle Command Center....!#$

#

$@#$$puTTY

!@$@vaul
t.rsa.com
# #@puTTY#$

@#

..@#$@34 m

sf>.. uid=0(root) gid=0(ro
ot) groups=
0(root) @#$@#4

2 3ms

f>bash-4.1# 

ERROR
NOCARRIER
[*] Welcome to SkyNet v5.23.0-BETA
[*] Launching autonomous agent...
[*] Scanning 158.95.29.10.0/22...
[*] Injecting agent code into memory...
[*]         15 Nodes Online
[*]      3,156 Nodes Online
[*]     17,024 Nodes Online
[*]  1,423,813 Nodes Online
[*]  SkyNet has been loaded
[*]  Entering command shell
msf sky-net>

Technorati Tags: april 1st, Metasploit, skynet

Data Ownership, Governance and Controls

Jason — Thu, 20 Jan 2011 05:32:11 +0000

A friend of mine asked a question on Facebook that went something like this.

Who owns your company’s data?

The politically correct answer is that the business owns the data and IT manages it for them. That’s nice in theory, but is it really true? Does your company have a data governance group (run by the business) that actually sets data policy? Do you have data stewards that actively work to define usage and improve quality? I hear this exists in large comnpanies, but have you ever seen this in small-to-mid sized companies that you have worked in? How effective was it? Please chime in on this. I’m writing an article on data ownership and I would love to include your feedback.

I read through this a few times and decided to reply back with something that was a lot longer than I expected. I believe he was mostly interested in the idea of managing data and how governance programs could help the business improve how data is used. I get what he was asking, but I started thinking that even if you have a governance program, what about the data that gets outside of central control. So here was my initial thoughts on his question and the problems we face in managing data.

Legally, the company owns the data.

However, maintaining control over where it goes is a completely different issue. Maintaining access controls on file shares and databases is a chore, particularly if you are keeping track of things manually.

Governance programs help make sure everyone who needs access has it and those who don’t need access don’t. IT rarely knows who has a real need to view \\fileserver\sharename, but the business group generally does. They can tell IT who has transferred out and needs their access removed. (If they remember to mention it) Or tell you who is missing access rights. A good governance program makes sure that a periodic (monthly, quarterly, yearly?) review is done to make sure that these controls are correct.

Trying to do these reviews by manually checking shares, dumping the data into an spreadsheet and getting feedback is a painful process. This is where tools can be real valuable. The price can range from REALLY expensive to fairly cheap. It depends on how far you want to go and how much additional work you are willing to do. Once you get the data into a document for business to review, getting their feedback hasn’t been too difficult in my experience. Cleaning up permissions isn’t too bad either.

Then we open Pandora’s Box. While the company may have an excellent governance program, there’s all that data that gets saved on desktops, laptops, USB drives, iPods and emails. All of which steps outside of central control and can wander very far in a short period of time. That’s a scary mess and its far too easy for someone to walk out the door with your most important intellectual property. Technology tools are starting to get better at controlling access to removable media devices and such, but trying to control what goes out the network is sketchy. Data leakage prevention software (DLP) hasn’t impressed me too much yet. But I haven’t seen all the apps out there, so maybe something actually works as well as advertised.

Either way, as we keep coming up with new and interesting ways to share information, the controls to keep proprietary data confidential fall behind. Governance programs continually get re-adjusted and vendors promise to solve our woes. The hamster wheel of pain continues to spin and we race along trying to keep control of our data.

Do small to medium sized businesses really do governance programs? My experience so far is that it only occurs if there is some kind of compliance reason to cause it. Those that are in highly regulated industries, such as small banks, would probably have no choice but to do so. Is it a good idea to do in and of itself? I think so. It doesn’t necessarily have to be a huge process to be effective. In fact, in a smaller company, a large process would be completely ineffective. I do think it would need to be regularly done and have good communication between IT and business. And I think it needs to be documented some how. Otherwise, people end up wondering exactly how it is supposed to work.

Pandora’s Box really worries me though. Having the “secret sauce” for your business leave via email, Dropbox, USB drive or DVD is pretty freaky stuff. An iPod set to be a storage device can leave with a whole lot of information and give a competitor a good leg up on you. Or it can get us front page news coverage that we’d rather not have. Neither one is some where we want to be. There are controls to help, but there are still holes that are easy to use.

Technorati Tags: data governance, data security, information securit

Reconnoiter Updated

Jason — Tue, 18 Jan 2011 05:18:59 +0000

I spent some time today and fixed some seriously messed up regular expressions in Reconnoiter. Basically, Google made a bunch of changes to their search results and added AJAX all over the place. To deal with this, I changed the submitted user agent to Lynx and then updated the regex accordingly. Changes with regex were made to usernameGen.py and username_gen.rb (a metasploit module).

I also fixed an issue in username_gen.rb with the regex returning a null value to the list of names. The change was a quick check for null values and deletes any that it finds. No fuss and no crashes so far. It probably needs more testing to be sure, but all told it wasn’t a bad evening’s work.

Download is available at http://sourceforge.net/projects/reconnoiter/.

Technorati Tags: recon, Reconnoiter, username generation, web penetration testing, web security

Latest Happenings and Upcoming Events

Jason — Fri, 22 Oct 2010 04:47:00 +0000

Things have been really busy lately. First off, my Mentor session for SANS Security 504 started on September 21st. We are at the halfway point right now and leading this has been incredible. It seems whenever I need to present or teach something I learn more than anyone else. Plus teaching is just fun! Particularly when it is about stuff that I really enjoy. The student reviews have been great so far, so I must be doing something right.

Next, the Utah Open Source Conference (UTOSC) was two weeks ago, from October 7th to the 9th. There were a lot of great presentations and I had an absolute blast hanging out with all the technology loving folks who came. I was somewhat surprised on how far some people came to get there. I met people from Idaho, Wyoming, and California. It was really fun to sit in presentations and workshops on things that aren’t necessarily security related. It gave me some time to listen to what’s going on in other areas of technology and that’s can be really refreshing.

If that wasn’t enough, I also was able to speak at UTOSC again this year. Last year I spoke on building a toolkit of open source security tools. This year I did a presentation on Metasploit. I picked Metasploit because I started learning how to write modules for the framework this year. So doing a presentation on it seemed like a great way to learn even more about it. If nothing else, it would get me to spend more time using it and that’s where things really take off. My recording of the presentation didn’t go so well, so I’m waiting for the folks at UTOSC to release their recording. My slides are online though and you can download them on this site or view them at SlideShare.net/Tadaka. I put the presentation slides up on SlideShare after some folks expressed their reservations about downloading a PDF file from me after I mentioned backdooring PDF files. Go figure!

One offshoot of the UTOSC presentation was that one of the audience members, Joshua Williams, participates in the Linux Basix Podcast. It turns out that Joshua does this podcast with Infolookup, who is someone I know from IRC. They were chatting about my presentation and Infolookup realized that I was the guy he knew in IRC. One thing lead to another and I was invited to participate on last week’s Linux Basix Podcast! We spent about an hour chatting it up about Metasploit and just covering some of the basics about it. I really want to thank they guys for inviting me on. I had a ton of fun and they were all extremely friendly. You can download the podcast at http://www.linuxbasix.com/026-LB.

So that’s what I’ve been doing for the last month and a half or so. Now to something still to come. Paraben’s forensics conference (PFIC) will be on November 7th to 10th. I went last year and had a great time. Being very new to the forensics world, it was quite an interesting event. It is in Park City, UT at The Canyons Resort. I’m really looking forward to this year. If you are in the Utah area and want to attend a great, inexpensive conference then check it out. The cost is $299 and has some excellent speakers scheduled up. If you are there, let me know and we can meet somewhere. Meeting new people is one of the really cool things about conferences like this.

That’s all the events at this point. I’m hoping to get something else scheduled up in the next few months, but we will have to see how that goes. I’m also planning on doing another SANS Mentor session next year. I take what I learned this year and apply it to the next class.

Technorati Tags: JW Network Consulting, Linux Basix Podcast, Metasploit, PFIC 2010, Utah Technology Events, UTOSC