Jun 062013

This is a trick I learned a long time ago.  I used to teach it in my linux administration, digital forensics, and ethical hacking courses I taught at college.  It has been one of the most useful commands I ever learned.  So the scenario goes like this:  lets assume you have a user you suspect is doing something nefarious…maybe even a hacker has a shell on your server.  You would like to be able to see exactly what they are doing.  Wouldn’t it be nice to be able to connect to their shell without them knowing so you can watch what they are doing?

Here is how it is done…..

Continue reading »

Mar 162013

So one thing you learn pretty quick once you move into the cloud, is that what you normally would do to stop bots, rogue traffic, hackers, etc doesn’t quit work…even at the packet level.  What I mean is this, you have a web server sitting behind an aws load balancer and its under attack.  You are running linux.  First thing you do is set up an iptables rule to drop connections from that ip address.  The problem is, iptables never sees that ip address.  Iptables can’t look into packets.  Instead, it sees the load balancer ip address.  The ip address of the user is hidden in the x-forward-for.  So first thing you need to do is enable x-forward-for logging in your web server.  I will use nginx as an example:

Continue reading »

Mar 092013

As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the request they are making.  This is often helpful in determining attacks.  So, I basically wrote this script which does it.

# By Ed Wiget
# This shows active GET and POSTS to port 80
# One of the things i hate about nginx is the lack of an apache style status page showing requests
# hence I wront this script....which does it at a network layer, using ngrep
# 20130308 - original script
## grep all HTTP GET or POST requests from network traffic on eth0 interface  ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
if [ `which ngrep | head -1 | wc -l` == "0" ]; then
	echo "missing ngrep....please install"
if [ $1 = "" ]; then
	echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
	read CIF
until [ $thing = "0" ]; do
	# uncomment top line if you dont need x-forward-for
        #sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
        # use the next line if you do need x-forward-for
	#sudo ngrep -d eth1 -q 'X-Forwarded-For'  tcp and port 80
	ngrep -d ${CIF} -t '^(GET|POST) ' tcp and port 80
	sleep 1;


20130905 – added option to pass interface

Jul 272012

Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications.  The principle behind it is very simple:  Reply the correct response to the attacker exploiting the web application.

This article is mostly to cover the installation, setup, usage, etc


Continue reading »

Jun 132011

As system administrators, we often need to search for potential backdoors or shells in web sites for servers we manage.  Its not something we want to happen, but need to do especially if we are supporting legacy code; have gotten behind on patches or updates; or a new exploit slipped through the cracks due to its popularity and how quickly it spread.

I wrote a quick bash script based on a php version I found here.

Here is the short script:

Continue reading »

May 102011

A lot of recent talks about “securing the cloud” but let me give you my take on it.

I am in the cloud, businesses are in the cloud, but which cloud?  Is any one cloud environment more secure than the other?  Let me give you a few things I have learned about the cloud….cause this might seem rather alarming to some or most.

Treat all cloud environments as a hostile environment.  Treat it like a wide open door to your business infrastructure, matter of fact, treat it like something blew 2 of the 4 outer parameter walls off of your business along with half of the roof coming down.  Rethink what you consider secure, how you secure services and applications, and treat it like you just handed everything to a blackhat hacker.

Almost every cloud environment I have used or tested offers a “private ip address” but is it really private?  If you dig around, you will find that it is not.  Matter of fact, it seems that others with those private ip addresses believe they have their own vlan switch of private ip address ranges segregated from everyone else….but fact is, you share your data on your private ip address range with many other clients on the same private ip address range.  Why?  Because you are all sharing a cut of the cpu, memory, network cards, etc of the same physical server.  Even though you might secure your forward facing applications, you would be surprised how many applications within the private ip addresses are not secured.  Why?  Because people automatically think of it in terms of “our local network or private lan”.  Why?  Because its in the same ip range as a private network.

See EXAMPLE 1 below

And because people treat it like a private lan network, they do the craziest things like “unpatched apache or other insecure software”, how about mysql root without a password on the private lan for ease of administration, or what about using the private lan to send critical confidential customer (or patient) records across to another failover server on the private lan….unencrypted.  You see where this is going??

See EXAMPLE 2 below

And then lets talk about pre-made cloud environments…..

Continue reading »

Apr 282011

So, sometimes I write scripts to be a quick way to monitor or audit other systems.  The following script was written as a way to quickly audit a list of domain names, i.e. from a list of 1 domain per line.  Initially it was used to audit a list of subdomains from a nettica account to see if the name still resolved and if so, determine if the server was running ssh with a valid key.  I have realized the script has a lot of uses, as a way to validate hosts are up and also validate ssh is running.  You could also replace the “ls” command in order to monitor other services on a server or even top or similar.  So, this script could start as a foundation and easily expanded upon.

First, you need a text file containing 1 domain name per line, like this:


Continue reading »