SNET Phishing Ring

Root-level compromises that are only used for phishing make my life so much easier.
5.6.7.8 - root [11/29/2011:16:58:29 -0000] "GET /scripts5/wwwacct?sign=&plan=0&domain=snet.com&username=snet&password=__HIDDEN__&contactemail=&dbuser=snet&msel=n%2Cy%2Cunlimited%2Cy%2Cunlimited%2Cunlimited%2Cunlimited%2Cunlimited%2Cunlimited%2Cunlimited%2Cunlimited%2Cy%2C0%2C0&pkgname=&featurelist=default&quota=unlimited&bwlimit=unlimited&maxftp=unlimited&maxpop=unlimited&maxlst=unlimited&maxsql=unlimited&maxsub=unlimited&maxpark=0&maxaddon=0&ip=1&customip=1.2.3.5&hasshell=1&frontpage=1&cgi=1&cpmod=x3&language=en&hasuseregns=1&mxcheck=local HTTP/1.1" 200 0 "http://1.2.3.4:2086/scripts5/wwwacctform" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2"
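The log line above is the whole story: a request to WHM's wwwacct script, authenticated as root, creating a new account with a shell. As an added example (not from the original post), here is a small Python parser for that log format that reports every account creation and flags ones coming from an address outside a trusted admin allowlist. The sample lines are constructed from the post's entry with the query trimmed to the interesting parameters; the trusted IP set is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The WHM access log line quoted above uses the combined format:
# client IP, authenticated user, timestamp, request, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Constructed sample: the first line is the post's entry with the query
# trimmed to the interesting parameters (password already masked), the
# second is a harmless account listing from a trusted admin workstation.
SAMPLE_LOG = [
    '5.6.7.8 - root [11/29/2011:16:58:29 -0000] "GET /scripts5/wwwacct?'
    'sign=&plan=0&domain=snet.com&username=snet&password=__HIDDEN__&'
    'customip=1.2.3.5&hasshell=1&cgi=1 HTTP/1.1" 200 0 '
    '"http://1.2.3.4:2086/scripts5/wwwacctform" "Mozilla/5.0 (Windows NT 6.1)"',
    '10.0.0.2 - root [11/29/2011:17:01:02 -0000] "GET /scripts5/listaccts '
    'HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Split one access-log line into fields plus the decoded query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = {k: v[0] for k, v in
                     parse_qs(url.query, keep_blank_values=True).items()}
    return rec


def find_account_creations(lines, trusted_admin_ips):
    """One alert per wwwacct call; the password parameter is never copied."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/wwwacct"):
            continue
        p = rec["params"]
        alerts.append({
            "when": rec["ts"], "source": rec["ip"], "whm_user": rec["user"],
            "domain": p.get("domain"), "account": p.get("username"),
            "shell_access": p.get("hasshell") == "1",
            "succeeded": rec["status"] == "200",
            "untrusted_source": rec["ip"] not in trusted_admin_ips,
        })
    return alerts
```

Run it over the real access log with your own admin addresses as the trusted set; any account creation from elsewhere, especially one with hasshell=1, deserves an immediate look.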

New IP Ranges are not Always Dynamic

Hotmail has a nice little policy where anything that Spamhaus says is the law. I do agree that Spamhaus is a great RBL for reference and that they only list in the SBL where it is necessary. They also publish the PBL, a list of IP ranges that may be dynamically assigned by ISPs such as RoadRunner and Cox.

When a new IP range is assigned to an ISP, the range may not be properly identified as static; it is assumed dynamic until proven static. Static differs from dynamic in that a static IP is assigned a proper FQDN (hostname) and configured on a piece of hardware such as a server or router. Generally, static IPs are not expected to change or move around after assignment.

With SNDS (Smart Network Data Services, a Hotmail service for ISPs), you can see which IPs in your range are blocked. If a new range happens to be flagged by the Spamhaus PBL, it is automatically blocked by Hotmail, regardless of whether you have ever sent an email to their servers before. I think of it like a FICO credit score: no credit can be as bad as low credit.

The fun part is after the more…
Read more »

Timthumb WordPress Theme Remote File Upload

Timthumb is included with tons of WordPress themes by default because it's a quick script for making thumbnails and other image adjustments on the fly. Consider it the CONVERT of websites. The syntax is as simple as the image URL and the size you want. A cache is created and then reused, but therein lies the problem.

There is a function that allows files to be fetched from other URLs whose domain names are on an authorized list.

PCI Compliance Backports

“I promise that this service is a backport for CentOS from Redhat.” This is never good enough for some PCI scanners. The next step is to provide the RPM changelog and version information to confirm it. Then you can only hope that your false positive report gets read.

With CentOS, the updated versions of OpenSSH and BIND/named are what we call backports. This means the service banner may still report an older version number while the package is actually fully patched and up to date for all the same CVEs and vulnerabilities as the latest upstream release.

Some may suggest simply turning off the banner for the service on the remote port. This may satisfy some scanners, but it is not the proper solution. Once you have explained the situation, it should not have to be re-addressed until the next scanning period, which may be six months down the road.

One way or another, it is not difficult to configure a server to be PCI compliant; just please stop asking for compliance in a shared or VPS environment. These will never be truly isolated like a dedicated server.

Test Email Account SPAM

Does your domain have a “test”, “info” or other similar email account that was created at one time and then forgotten about? Maybe you don't, but many people do!

These accounts are easy to guess the passwords to because most of the time the account was meant to be temporary, but it is quickly forgotten once the issue is solved. Many times clients respond with surprise that the email account still exists on their site, having created it several years ago to test some mail functions.

Several times a day I have to deal with these leftover accounts from yesteryear that get compromised. The concept behind the SPAM abuse is not complicated.

When looking for domains to SPAM with, it's not difficult to check whether a site has one of these test accounts. Using TELNET, anyone can check whether an account exists. I have some code examples after the more…
Read more »

OSCommerce 2.2 Remote File Upload

Not to downplay the usefulness of OSCommerce, but for a long time this exploit existed on the Internet with no formal patch issued by the developers. It is fairly easy to execute; even a skiddie could do it from an HTML sandbox, since the attack is carried out with forms. All you needed was your shell or file-uploader PHP script, and with one click your script was uploaded to the remote site. It really is that simple with HTML.

The basis for this vulnerability is that any file can be uploaded or created on the remote server. The problem exists in several files found in the ./admin/ directory. You would imagine that these are protected with at least sessions or HTTP AUTH, but they are not. These functions allow the upload of images and other related files.

After seeing this hundreds of times on servers, there are quite a few signs that files have been uploaded. First, there may be PHP files in the ./images/ directory; check for them, and use a .htaccess to stop PHP execution in that directory. Other files may be uploaded directly into the OSCommerce path; check for goog1e[0-9]{10}.php files. After that, you will find files all over the account from the shells that were uploaded.

The best solution I have is to use a .htaccess file to force HTTP AUTH on the ./admin/ directory to prevent access. This simple measure will prevent new files from being uploaded. If you have already been compromised, be sure to find all shells and malicious files so the infection does not return.

Take a look at the easy code after the more…
Read more »

Zenphoto 1.4.1.4 Code Execution

Recently this vulnerability has come about on the Internet and is running rampant. The exploit consists of a simple POST that allows remote code to be executed on the server as the attacker sees fit. Now that a skiddie version of the exploit code is available, tons of sites are getting hit with this attack.

The bulk of the attacks inject the site's .htaccess files, and those of its subdirectories, with mod_rewrite rules pointing to Russian-based domains. The naming convention is something along the lines of *-security.ru; the injection adds the usual 400-500 ErrorDocuments and also creates search-engine referrer redirects. This gets flagged quickly by Google and causes the malicious-site warning page if you are indexed. Be sure to check all .htaccess files on the account recursively to ensure that the redirect is completely removed. I have included a sample recovered from an attack after the more.

Some instances of the attack include a PHP injection on the first line of the site's files. Check the PHP files, mostly those named index.php: the first line, right after the <?php opening tag, will carry a long string of code. This code is simple to remove with a grep/sed combination since it is one line and easy to differentiate.

Other forms of the attack may upload shells or other malicious files to give an attacker easier access to the site. Check out the code for the exploit after the more…
Read more »
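The clean-up signs listed in the OSCommerce and Zenphoto posts above (PHP files under ./images/, goog1e[0-9]{10}.php droppers, .htaccess rewrites to *-security.ru hosts with a run of ErrorDocument lines, and a long code blob on the first line of index.php) are easy to check for in one pass. The following Python scanner is an added example, not code from either post; the sample site tree is constructed, and the length threshold and the *-security.ru placeholder host are assumptions you should tune to what you actually find.

```python
import os
import re

# Indicators from the two posts above: PHP dropped into an images/ directory,
# goog1e<10 digits>.php droppers, .htaccess rewrites to a *-security.ru host
# plus a run of ErrorDocument lines, and a long blob on a PHP file's first line.
GOOG1E_RE = re.compile(r"^goog1e\d{10}\.php$")
REWRITE_RU_RE = re.compile(r"^\s*RewriteRule\b.*[\w-]+-security\.ru", re.M)
ERRORDOC_RE = re.compile(r"^\s*ErrorDocument\s+[45]\d\d\b", re.M)
LONG_FIRST_LINE = 120   # assumed threshold; a clean <?php opener is far shorter


def scan_files(files):
    """files maps a relative path to its contents; returns (path, indicator) pairs."""
    hits = []
    for path, body in files.items():
        *dirs, name = path.split("/")
        if name.endswith(".php") and "images" in dirs:
            hits.append((path, "php file inside images directory"))
        if GOOG1E_RE.match(name):
            hits.append((path, "goog1e dropper filename"))
        if name == ".htaccess":
            if REWRITE_RU_RE.search(body):
                hits.append((path, "RewriteRule to *-security.ru host"))
            if len(ERRORDOC_RE.findall(body)) >= 3:
                hits.append((path, "run of 4xx/5xx ErrorDocument redirects"))
        if name.endswith(".php"):
            first = body.split("\n", 1)[0].lstrip()
            if first.startswith("<?php") and len(first) > LONG_FIRST_LINE:
                hits.append((path, "long code blob on first line"))
    return hits


def load_tree(root):
    # Read every file under root into the shape scan_files() expects.
    files = {}
    for d, _, names in os.walk(root):
        for n in names:
            full = os.path.join(d, n)
            with open(full, encoding="utf-8", errors="ignore") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return files


# Constructed sample tree, not real malware: one clean file and four tainted ones.
SAMPLE_SITE = {
    "index.php": "<?php " + "x" * 130 + "\nrequire 'includes/application_top.php';\n",
    "images/banner.jpg": "",
    "images/up.php": "<?php echo 'uploaded'; ?>\n",
    "goog1e1234567890.php": "<?php\n",
    ".htaccess": ("RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\n"
                  "RewriteRule .* http://placeholder-security.ru/ [R,L]\n"
                  + "".join(f"ErrorDocument {c} /e{c}.html\n" for c in (400, 403, 404, 500))),
}
```

On a real account run `scan_files(load_tree("/home/user/public_html"))` and review every hit by hand before deleting anything, since the regexes only point at likely candidates.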