I need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS i have installed on. methods to simulate attacks so that i can check if the HIPS will detect them?
View 4 Replies
I want to simulate a serial protocol in user space program to test reception algorithm. The protocol is similar to UART protocol but frame format is different. The duration of 1 bit is 114,46 us. In my main function I'm creating two threads. Tx for simulating transmitting data and Rx for reception data. For measure time I use create_timer() function and signals. Each thread has its own timer and signal handler. Tx timer uses SIGUSR1 and Rx timer uses SIGUSR2. Tx thread sets the global variable and Rx reads it.
The timers are set to sample with 114,46 us period. When they reach this value signal handler should set the flag. Flag is check in thread and some operation are made. When I set the timers period for longer time (100 ms) everything works fine but when I change it to default value (114,46 us) the Rx thread doesn't receive the proper data. I am wondering if the 114,46 timer period is possible to simulate in user space? Whether the time will give me the proper resolution ? Theoretically it should provide 1 ns resolution.
I would like to know how to protect networks against VPN attacks? How does big industries do it? What does the government tend to use? Are any tools open source that I may get?
View 1 Replies View RelatedI fear that an attack or an entry in my PC has occured, how to find the trace of the attacks.
View 3 Replies View RelatedI'm trying to implement this method to block php injection attack using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:
HTML Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen
[Code]....
Given that my public key is a pre-shared secret is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?
View 5 Replies View Relatedrecently my Apache server crashes very often; by watching the error log,I've notice several signs of intrusion.So, I think the problem can be a denial of service attack against my machine.My distribution is Debian Lenny.
View 2 Replies View RelatedWith the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS or application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of Frances Ecole Superiore d'Informatique, Electronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.
View 2 Replies View RelatedI work with python and I use emacs as my IDE tool. I have been running Debian Squeeze (6.0.9) for some time now with emacs 23.2.1 and ecb 2.32. I am able to access my python methods in the ecb-methods window with no problems. However I recently upgraded my desktop to Debian Wheezy (7.5) running emacs 23.4.1 and ecb 2.40 but I have lost access to the methods in the ecb-methods window. The window is just empty while the others (directories, sources and history) are all populated. I have a second laptop which I decided to upgrade to Debian Jessie, however Jessie recommends emacs 23.4.1 which is running with ecb 2.40 also. The result is the same as on Wheezy.
I have used the ecb menus and googled for a solution or even just a mention that such a problem exists but have come up with nothing. Either I have a unique situation here or am doing something really dumb.
I would like to upgrade to Wheezy or Jessie but I need access to methods in the ecb methods window. How to keep my upgrade and see the methods in the methods window of the ecb system ....
My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.
[URL]
The securtiy breach is fixed with 4.69-9+lenny1 I want to share my actions with you on what I did to (hopefully) get rid of it. However at the time of writing this, the above website is down due to too much load (DDOS Attack?). How you can check if you've been attacked:
The attack creates a buffer overflow in exim4, which results in paniclog entries.
$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()
this would be an example of two attacks. One on 2010-12-17 and the other two days later 2010-12-19.with this information you can start find potentially infected files. There may be a better way, but I searched for them with this command:
$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)
My infected files:
/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop
[code]....
I launched my website. At the moment the site has an firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfect, but I want also to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't now if they contain all kinds of attacks which are relevant to my situation. To be clear, I only server web content through port 80 and use ssh to remote login.
View 3 Replies View RelatedI've created encryption systems on servers, but nearly always I have stored the password somewhere on the machine itself. The file is always 0600 to the relevant user, but a systematic analysis of my system could easily find the scripts that invoke decryption and discover the password. (The most blatant example of this is mounting SMB shares with the "-o credential_file" option where both the username and password are plain-text. In the cases where I've used this, the security of the share hasn't particularly mattered.)
Soon I might be faced with storing "patient health information" (PHI in the healthcare world) whose privacy is heavily regulated by the provisions of the US law called HIPAA. I've been thinking about creating an encrypted partition to hold the PHI, but I need a highly fault-tolerant method for obtaining the key from a different machine than tha server itself. At first, I thought about running a script using scp and shared keys to copy the key from the remote, use it to decrypt the partition, then erase it. I'd like to be able to do this with a pipe; otherwise I'll write the key in a non-persistent location like /dev/shm.
I need more than one machine to make this work to ensure I can obtain the key when needed (like at boot). One solution is to place copies of the key on multiple servers and try each of them until I find it. A more elegant solution would place the key in a DNS TXT record. I suspect I could use LDAP for this as well, but OpenLDAP and I have never really been on speaking terms. So does this make sense? I presume I can write a bash script to do all this at boot. Most of what will be stored in this partition is the PostgreSQL database in /var/lib/pgsql and perhaps some other files.
My understanding of encrypted file systems is that they are only encrypted when unmounted. When mounted they must be as visible to the operating system as an unencrypted partition. I suppose you could apply encryption to every single disk transaction, but that would require knowing the key all the time, and would seem to add a lot of overhead.
I am ashamed that I am causing other people troubles, but apparantly my server is involved in attacking the servers of other people.
I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.
Now I have received messages from the datacenterm which state that my server is involved in brute force attacks.
The messages show a lot of lines like this:
Code:
The only I get from my hoster is to back up all domains and re-install the machine.
I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.
But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?
I realize that this probably will be a steep learning-curve, but please bare with me and help me to resolve this.
What have I done so far?
1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.
2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.
3) I have used online scanners to check all sites for malware, all have been reported back to be clean.
4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:
Code:
Code:
Code:
I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.
I downloaded Ubuntu 10.4 netbook edition for my toshiba satellite a105 laptop (windows XP) burned it to a CD, restarted my computer with the disc in drive, pressed f12 at the appropriate time, chose to boot from CD. after sitting for a second i get error PXE-e61 media test failure, check cable. and then it boots XP normally. how do i get around this to install linux!
View 4 Replies View RelatedI want to know how can I test my server security with hping3 tool I want to make a virtual DoS or DDoS or SYNK attack in my LAN to test my server security and ability against these attack .Is hping3 a good solution for this or not if yes how can I do this which option of this can make such these attacks?
View 4 Replies View RelatedIs there a way to to check if the system has the available security updates installed? Specifically, I am looking to do this programmatically.
View 1 Replies View RelatedSo I activated the Firefox profile:
Code:
And restarted Firefox (even rebooted), but it doesn't seem to be working. When I open Firefox I am able to perform a "Save Page As" in locations I shouldn't be able to, like my Desktop or Pictures folder.
The following command says the Firefox process is in enforce mode:
Code:
Of the following lines, the only directory which is "rw" is /Downloads, why am I still able to write to other places?
Code:
OS: Ubuntu 10.10
Can someone with an active Firefox profile do this simple test for me? Click File -> Save As and try to save somewhere the Apparmor profile shouldn't let you, and let me know the results.
I recently came upon an ubuntu variant called blackbuntu. Its in early release stages at this point, but its being marketed as a pen test distro. Exactly like Back Track, but in Ubuntu form. Was just wondering if anyone has had a chance to use this yet? All software that the distro uses is readily avilable in the ubuntu repositories already.
View 4 Replies View Relatedi have fedora distribution running in my virtual machine. I installed sectool- .9.5-1.fc13.i686.rpm & sectool-gui-0.9.5-1.fc13.i686.rpm (the gui of the tool)
Then i modified the file /etc/selinux/conf to change the selinux from enforce to disabled (so the test can be run) the prob now, each time i try to lunch the package to get a test result... it takes so long time without result even if i choose 1 test only as u can see in the attached file. I've been waiting for more than 1 hour with no result
I ran a test where I login a test user several times using the wrong password to see that he gets locked out after several attempts. Now that I got the test user locked out, how do I unlock the test user? I tried passwd -u <test user>, but it says passwd: Error (password not set?).
View 4 Replies View RelatedWell someone has been putting up this attack on my game-server ports. For those of you who don't know what type of attack this is, so its an attack which is actually masked to us because the attacker uses his machine to send packets to a machine called source which reflects the packets to destination. Based on this, the UDP port under Flood at the destination starts making outgoing connections to that IP and gets rejected which uses up more than 5mb/second bandwidth instantly.
I've worked out on some security for this and now need a tool to test this against my machine. I've used PentBox but that's not really powerful to do anything. As I search Google, I find something called Trinoo but can't download or test it.
I know very little about MySQL, but I've got some users that need it for testing on a Linux server.So I had set it up a while back, but now I'm running into some small problems.Right now, each user has his own database that I created and can do whatever with it. Each user only sees their own database.I didn't want them to be able to create new databases at all, but they can and when they do anyone can see them.
EDIT(Apparently they can only create databases beginning with the word "test" in the name)
I need to either:
1) Stop them from creating new databases (without affecting their ability to interact with the existing database)
OR
2) Make it so that when they create a database, only they have privileges on it and only they can see it (except mysql root of course).
Anybody know the statement to set these kinds privileges up?
EDIT: pfft... I've a read a bit more and realize that this is an intended part of the installation.
EDIT2
I'd still like to remove the ability to make test databases.
EDIT3:Ok, for reference this is how you prevent users from making and using test databases:
shell> mysql -u root -p
Enter password: (enter root password here)
mysql> DELETE FROM mysql.db WHERE Db LIKE 'test%';
mysql> FLUSH PRIVILEGES;
I can see what Firestarter is blocking in the Firestarter/Events tab, but after reading all the man pages of UFW, I still don't know how to check what the UFW is blocking.
View 9 Replies View RelatedI have Ubuntu 10.04 and I used my ssh to connect to a webserver. This is the version that I have installed.
Quote:
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
Apparently the server was hacked using my user and the server admin suggested the my ssh can be tainted.
do a checksum of the ssh, but I cannot find this file on my system.
Code:
md5sum /usr/sbin/sshd
And I will need a md5 hash from a good untainted version and I cannot find that as well on the openssh website.
having a slow internet connection, I bought the all maverick repository on DVDs, copied the files on a usb drive and modified the apt sources file to consider the local repository only:
Code:
# deb file:/var/www/ubuntu_local/ ./
deb file:/var/www/maverick/dvd1/ maverick main universe restricted multiverse
deb file:/var/www/maverick/dvd2/ maverick main universe restricted multiverse
deb file:/var/www/maverick/dvd3/ maverick main universe restricted multiverse
[code]....
Even though I am reasonably sure it is safe, this local repository is not authenticated and I can only install package through the command line or synaptic, the Ubuntu Software Centre giving an error message "Requires installation of untrusted packages"...I thus would like to disable the apt authentication check for this local repository.
I am trying to install mysql 5.1.44..so i downloaded the binary package, i extracted it and then followed the instructions that were in the manual but i keep getting this error when running this command
Code:
scripts/mysql_install_db --basedir=/home/mosty/mysql
the error is
Code:
Installing MySQL system tables...
100315 20:07:27 [Warning] Can't create test file /var/lib/mysql/mosty.lower-test
100315 20:07:27 [Warning] Can't create test file /var/lib/mysql/mosty.lower-test
[code]....
You can try to start the mysqld daemon with:
shell> /home/mosty/mysql/bin/mysqld --skip-grant &
and use the command line tool /home/mosty/mysql/bin/mysql to connect to the mysql database and look at the grant tables:
shell> /home/mosty/mysql/bin/mysql -u root mysql
mysql> show tables
i was thinking that is there a way to check data flow for viruses? i mean if i set up calm av in my internet sharing server could it detect anything in incoming and outgoing data ?!!
View 2 Replies View RelatedI recently ran a rkhunter check and in my log i have found some very odd (to me at least) reports.
/usr/bin/last [ Warning ]
Warning: The file properties have changed:
File: /usr/bin/last
[code]....
I'm trying to do an online security check on my Linux system.I would like to do a Firewall/Antivirus test. What free online sites do you know?For instance, I use ShieldsUp to test some firewall's components.Does someone recommend anything else?I still can't find a site that tests for the presence of virus/malware installed.Are there any?
View 8 Replies View RelatedIs there a plugin or some other way to check to see if a website has https available, and use that instead? I know some sites, like Wikipedia have a different hostname for SSL support while others have the same hostname, just What I would really like to seesome kind of header in the http reply or the html that saysSecureAvailable= is there any system like this in place? There's too many issues with with unencrypted http to continue having that as the default.
View 3 Replies View Related
