Trends from the trenches of Internet traffic. Hackers, spammers and Internet abuse. IP address database. DNS sightings. Views and opinions expressed are my own. ~ Teri Radichel @teriradichel
Sunday, July 30, 2006
Shopping Cart Vulnerabilities
This article gives a good rundown of various shopping cart vulnerabilities. Take a look and make sure your provider is taking care of the following top security problems with e-commerce web sites: E-commerce Web Site Security
Thursday, July 27, 2006
Microsoft's Top 10 Security Problems
Here's a summary of Microsoft's top 10 security problems coming through their help desk:
Microsoft top 10 Security Problems
Wednesday, July 26, 2006
Monday, July 24, 2006
Netcraft
Although Netcraft provides uptime figures for hosting companies, there is a lot that Netcraft uptime rankings do not tell you.
If the uptime being reported is for a Linux server and you are running Windows, how does the company rate on Windows uptime, and vice versa?
Although a specific box may remain online for a very long time, that also means the box hasn't been rebooted, and therefore security patches have not been properly installed in a timely manner - correct?
This uptime report tells you nothing about a company's internal security policies and practices, which some may find, in terms of lost revenue, to be more important than uptime alone.
Friday, July 21, 2006
Hack Canada
I found this site today through a very roundabout means which I won't bother to explain. I don't quite get the reason for the site - to be honest I don't have time to bother with it - but I did notice that one article claims the US government is begging hackers in Canada to hack for them. I'll let someone else decide if this is true or not. All I know is that there are a lot of hackers coming out of Canada - especially the middle of Canada. I seem to recall some of them not seeming like they came from Canadian origin. More research is needed.
Hack Canada
Thursday, July 20, 2006
DLL Injections
I ran across this posting on sysinternals.com which, according to my hosting company, is a respected source. For some reason the posting has been removed but I was able to pull up the topic from the Google cache - for however long this works:
DLL Injection
Basically here's the info:
Someone read about a utility called InjectedDLL from www.nirsoft.net which provides a list of DLL files injected into other processes. The writer had not heard of DLL injection before, but apparently it's quite a common method used by malware infections.
He wanted more info.
Here are some responses:
A DLL loads in the address space of the process. Then it loads all of its dependency modules, and then the DLL entry point is called.
The HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs key (WinAll) provides a list of DLLs that Windows injects automatically into any started process.
Another method - call the CreateRemoteThread function.
Call FreeLibrary via CreateRemoteThread.
DLL injection usually uses the CreateRemoteThread/WriteProcessMemory technique. When the DLL is injected, it initializes and executes its code.
The code: codeproject
another dll injection example
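The AppInit_DLLs mechanism described above is something a defender can audit. The script below is an added example, not code from the original post or from sysinternals.com or nirsoft; it reads the values Microsoft documents under that key (LoadAppInit_DLLs only exists on Vista and later, and 64-bit Windows keeps a second copy under Wow6432Node) and flags entries you did not deliberately install. The allowlist, the DLL names and the sample values are constructed.

```python
import ntpath
import sys

# 64-bit Windows keeps a second copy under Wow6432Node for 32-bit processes.
APPINIT_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)


def parse_appinit_value(raw):
    """AppInit_DLLs holds a space- or comma-separated list of DLL names or paths."""
    return raw.replace(",", " ").split() if raw else []


def audit_appinit(values, allowlist=(), system_root=r"C:\WINDOWS"):
    """Examine the two AppInit values and return a list of finding strings.

    values:    {"AppInit_DLLs": str or None, "LoadAppInit_DLLs": int or None}
    allowlist: base names of DLLs you deliberately put there (constructed input).
    """
    findings = []
    dlls = parse_appinit_value(values.get("AppInit_DLLs") or "")
    if not dlls:
        return findings
    # XP/2003 (the systems in the post) always load the list into every process
    # that links user32.dll; Vista and later do so only when LoadAppInit_DLLs is 1.
    load_flag = values.get("LoadAppInit_DLLs")
    if load_flag is None or load_flag == 1:
        findings.append("AppInit_DLLs is active: listed DLLs load into every user32 process")
    allowed = {a.lower() for a in allowlist}
    root = ntpath.normcase(system_root).rstrip("\\") + "\\"
    for dll in dlls:
        if ntpath.basename(ntpath.normcase(dll)) not in allowed:
            findings.append(f"unexpected AppInit DLL: {dll}")
        if not ntpath.isabs(dll):
            # A bare name is resolved by the DLL search order, so it is ambiguous
            # which file on disk actually gets loaded.
            findings.append(f"relative name resolved via DLL search order: {dll}")
        elif not ntpath.normcase(dll).startswith(root):
            findings.append(f"AppInit DLL lives outside {system_root}: {dll}")
    return findings


def read_live_values(key_path):
    """Read the two values from the live registry key; Windows only."""
    import winreg  # only available on Windows
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        for name in ("AppInit_DLLs", "LoadAppInit_DLLs"):
            try:
                out[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:  # value not present
                out[name] = None
    return out


if __name__ == "__main__":
    allow = ("acme_hook.dll",)  # constructed: a DLL you installed on purpose
    if sys.platform == "win32":
        for key_path in APPINIT_KEYS:
            try:
                values = read_live_values(key_path)
            except OSError:
                continue  # key absent (e.g. Wow6432Node on 32-bit Windows)
            for line in audit_appinit(values, allow):
                print(f"[{key_path}] {line}")
    else:
        # Constructed sample so the audit logic can be exercised off Windows.
        sample = {"AppInit_DLLs": r"C:\WINDOWS\system32\acme_hook.dll C:\Temp\dropper.dll, injected.dll",
                  "LoadAppInit_DLLs": None}
        for line in audit_appinit(sample, allow):
            print(line)
```

Run it as Administrator on the server itself; anything it reports that you did not install yourself deserves the same scrutiny as the InjectedDLL listing.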
Monitoring Keyboard and Mouse Events
Look how easy Microsoft makes it to monitor keyboard and mouse events - how nice of them:
Windows Keyboard and Mouse Hooks
OK, but you'd have to have access to install stuff on the box, you say...
Well if you read my blog about the managed hosting company I've been using...then you may start to understand my concerns. Outsourcing your hosting to a managed hosting company is lovely - if you trust them. You want to trust them - but can you? Read my information about life at a managed hosting company and decide for yourself.
So how can we balance out getting someone else to manage our servers while protecting our privacy and data?
It would be nice if Microsoft provided more detailed logging of what was installed and when, and also means to clearly distinguish what DLLs go with what programs, for instance.
Additionally how can we be sure someone is not tracking our events with the code noted above? How can we be sure they are doing this only if we have given them authority to do so?
Tuesday, July 18, 2006
Mcafee Vulnerability
Today I read about a flaw that supposedly went unused and unnoticed in the Enterprise version of McAfee:
Mcafee Vulnerability
Interestingly enough this exploit allows control over the machine to steal files and data.
Based on personal experience, other versions of McAfee may have issues as well. I can't pinpoint it, but when I install the software, I have problems.
This is really sad because McAfee has some cool concepts in their firewall software, for instance.
Check for Programs Hidden From Event Logs
I found another problem on my server today - the server that was just rebuilt, and then my hosting company somehow ran my app as administrator even though I was very adamant it should not be.
Was it my hosting company that did this, or someone who accessed my server through the app or some other security hole...I don't know...but I went into the program error logging and some "invisible" program was set to not log errors in the Microsoft event logs.
You can check for this issue on your box by going to System Properties, clicking Advanced, and clicking Error Reporting. Click the "Choose Programs" button to see if any programs you did not place in this area have been added to be excluded from error reporting.
Saturday, July 15, 2006
Hosting Companies - People Vulnerabilities
Yesterday my server was completely rebuilt by my hosting company due to a totally messed up system. (See previous articles if you want the gory details.)
The whole rebuild was caused by over three months of security issues (see my previous articles for the gory details).
Not even 24 hours after this reinstall my hosting company support staff opened up various security holes on the system. Maybe they were inadvertent, new untrained staff, or whatever but it is my server and my business that is hurt by their "minor" or "not so minor" lapses. They can say they are sorry. I lose time and money.
Here's what happened.
First, I think their system for tracking passwords isn't working, but I suppose I could have typed something wrong. A guy over there says he couldn't login as the user under which the app is supposed to run...but worse, what he did is then start the app up under an administrator account. That's just great. Now if there was a hack in my app the hackers had admin access all day before I realized what he did.
One of the major changes I made and one of the things I had to hassle them to do is set apps up under accounts with limiting restrictions - right out of the gate on a clean install he completely reverses this. Even after I stated multiple times to run this under the limited account.
I'm sure this was an inadvertent error by this user, not intentional, but it is hurting my business. I don't blame this person but rather his company, for not training him correctly after the fiasco I just went through, and the fact that their higher level tech stated he was annoyed that no one told me to run this app under lower level permissions. So why didn't someone inform the people who do the day to day support?
Next they deleted an administrator account I created. The reason I created a separate one with a separate password is because this company has the password to the main administrator, so someone could login while I was logged in and the log entries would look like I was doing it. Creating a separate login they can't use prevents this.
Additionally, someone opened up remote access for DCOM to all users. I triple checked this was off yesterday. So why couldn't they only give access to the specific app or user that needs it instead of everyone? And I told them to call me before making any of these changes. They didn't.
Wednesday, July 12, 2006
Windows File Integrity Checker
Found what I was wishing for tonight. Microsoft has a scan tool that verifies Windows files here:
Windows System File Checker
It looks like this posting is from 2004, however, and I have seen reports of it rolling back hotfixes, so if you run it make sure you re-run Microsoft Update.
Configuration Changed by Managed Hosting Company? Again
Interesting, I reported about a DCOM issue last night. Today I logged into my server and the settings were completely changed from the way I had them last night. They look more secure so that's fine, but the Anonymous account has been completely removed and some other user accounts that were in there have been changed. Hmm.
Could this be the work of a hacker or is it an insider at my managed hosting company? Or a conspiracy? Ahh...the imagination goes wild. Need to write a book.
Friday, July 07, 2006
SOA - Rogue Services
Here's an article about rogue services and SOA. There are numerous security issues to consider when software is developed as a service to run across networks. This article talks about governance and other issues in taming the SOA security beast.
Software Validation - Microsoft Windows
It would be nice if Microsoft would create a tool that runs through your operating system and verifies that all the components are valid.
For instance recently a server was hosed and they ultimately had to replace the TCP/IP software. Was it hacked? Corrupted? Registry problem?
They could turn on the server but could not connect to the firewall. In this case it would be neat to have a nifty tool to run over the machine to verify all the networking components. It should list everything that is not "standard" Microsoft and mention that if you did not change this on purpose - it's probably a hack.
It would also be nice to have a record of which programs, when installed, have altered Microsoft base components to help track down problems.
Thursday, July 06, 2006
The latest - Firewall Open to Terminal Services From any IP
That's it. I have had so many problems with my hosting company. Microsoft's number one hosting company has some serious problems. I just went to a random location and tested and my firewall is wide open to any ip for Terminal Services. This is not what I requested. I have a VPN for this purpose. I am paying for it. I pay them all this money and I think I have absolutely no security. I get hacked constantly. My web server was down all day yesterday, and it went down again today for three hours this morning.
When I asked why the monitoring service failed - no explanation. I was told that someone was reading that my web server runs on port 1100. WHAT? I don't know where in creation they got that information. Not at all accurate. It's running web sites. Don't you think a web site support person would know that web sites run on port 80? Sure you can run them on something else but if you do no one can see them if they don't type in the port number!
Does anyone else see a problem here after reading my posts? Well I'm not going to slam my hosting company just yet. Let's see if they can actually figure out who is doing these things - an internal person - or a hacker. One last chance.
Port 25: CHECK IT!
OK, would everyone out there who is running IMail on Windows - or at a managed hosting company - do me a favor...
Please set up your firewall logs to use some sort of logging such as Kiwi or some other firewall logging utility that allows you to monitor ALL traffic in and out of your server. Look for extraneous traffic on port 25. Check not only the IPs assigned to your server but also your backup servers and database servers. Check your internal and external IPs for this traffic.
If you are at a hosting company, you can ask them to check for this traffic. If they find something it could speed up your web sites and improve performance.
Please also check for multiple copies of extraneous DLLs in your registry like hunny-mime.dll and Cypress.dll. It could be something else.
Shut down extraneous services that are running as dllhost.exe in your Windows services panel. Try to figure out what they are and where they came from, and report the problem to companies like Microsoft, RackSpace, McAfee, Norton, etc. so other people can be alerted to the issue and it can be resolved at a higher level.
If damage has been done to your business or applications due to this issue report it to the FBI, Secret Service, etc. so it can be investigated.
I am guessing this problem is going on at servers all across the country and probably linked back to certain sources. If those sources can be eliminated OUR Internet will run faster.
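As a concrete version of the port 25 check, here is an added example (not from the original post, and not a Kiwi feature) that reads a firewall log carrying a W3C-style #Fields: header, such as the Windows Firewall pfirewall.log, and reports port-25 connections that involve any of your hosts other than the one that is supposed to run IMail. The address plan, the mail host and the log lines are constructed.

```python
from collections import Counter

# Constructed address plan: web, database and backup servers, plus the one
# host that is supposed to run IMail (an assumption for this example).
OUR_ADDRESSES = {"10.0.0.5", "10.0.0.6", "10.0.0.7", "198.51.100.10"}
MAIL_HOSTS = {"198.51.100.10"}

# Constructed sample in the W3C-style layout of the Windows Firewall log
# (pfirewall.log). The #Fields: header names the columns, so the parser
# works on any file that carries one.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2006-07-06 03:12:01 OPEN TCP 198.51.100.10 203.0.113.7 1054 25 0 S
2006-07-06 03:12:04 OPEN TCP 10.0.0.5 203.0.113.9 1055 25 0 S
2006-07-06 03:12:05 OPEN TCP 10.0.0.5 203.0.113.22 1056 25 0 S
2006-07-06 03:12:06 OPEN TCP 10.0.0.6 203.0.113.22 1091 25 0 S
2006-07-06 03:13:10 OPEN-INBOUND TCP 192.0.2.44 10.0.0.7 40211 25 0 S
2006-07-06 03:13:11 OPEN TCP 10.0.0.5 203.0.113.50 1057 80 0 S
2006-07-06 03:13:12 DROP TCP 192.0.2.45 10.0.0.5 40212 25 0 S
"""


def parse_w3c_log(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("log record appears before the #Fields: header")
            yield dict(zip(fields, line.split()))


def find_smtp_anomalies(records, our_addresses, mail_hosts):
    """Count port-25 flows touching a local host that is not a mail server.

    Returns (outbound, inbound): Counters keyed by (src-ip, dst-ip).
    """
    outbound, inbound = Counter(), Counter()
    for r in records:
        if r.get("protocol") != "TCP" or r.get("dst-port") != "25":
            continue
        src, dst = r["src-ip"], r["dst-ip"]
        if r.get("action") == "DROP" and dst in our_addresses:
            continue  # blocked inbound probes of port 25 are constant background noise
        if src in our_addresses and src not in mail_hosts:
            outbound[(src, dst)] += 1  # a non-mail box of ours is sending mail
        if dst in our_addresses and dst not in mail_hosts:
            inbound[(src, dst)] += 1  # a non-mail box of ours accepted SMTP
    return outbound, inbound


def senders_by_host(outbound):
    """Total outbound SMTP connections per local host, for the report."""
    totals = Counter()
    for (src, _dst), n in outbound.items():
        totals[src] += n
    return dict(totals)


def report(log_text, our_addresses=OUR_ADDRESSES, mail_hosts=MAIL_HOSTS):
    """Return human-readable findings, busiest unexpected sender first."""
    outbound, inbound = find_smtp_anomalies(parse_w3c_log(log_text), our_addresses, mail_hosts)
    lines = []
    for host, n in sorted(senders_by_host(outbound).items(), key=lambda kv: -kv[1]):
        peers = sorted(dst for (src, dst) in outbound if src == host)
        lines.append(f"{host} opened {n} outbound SMTP connection(s) to {', '.join(peers)}")
    for (src, dst), n in sorted(inbound.items()):
        lines.append(f"{dst} accepted {n} inbound SMTP connection(s) from {src}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample the web server and the database server both show up as mail senders, which is exactly the kind of traffic the post is asking you to look for; point `report()` at your own exported log and your own address plan.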
Tuesday, July 04, 2006
Imail hacks
Found another IMail hack today. Somehow my IMail IP address for the primary host was listed on an IP that is not on my box, or so I thought. Later one of the techs told me it is on my box and that it is a backup IP, and that IP would probably have gotten selected when I installed the latest version of IMail. So, I uninstalled and reinstalled IMail and it doesn't seem like this was the case. Actually it looked like there may have been a secondary or virtual host set up and pointing to this IP. I don't see how that could have gotten there in the manner the tech was suggesting. (Microsoft's #1 managed hosting company and they support IMail so you'd think they would be up on this kind of thing).
Saturday, July 01, 2006
Undetectable Malware
This is scary - undetectable malware:
Undetectable Malware
So what can the OS manufacturers do about this? As mentioned many times previously - better logging of system and application activities so you can turn on auditing and track every single action taken by the system and query it to pinpoint specific activities and which user accounts or processes are performing those activities.
Also as noted in previous posts - Microsoft's current design for DCOM and RPC makes this pretty much impossible. Some changes are needed to those as well as the underlying system.
To be really nice there could be a way to turn on and off this logging to improve system performance, and a very tight tracking mechanism for WHEN it is turned on and off.
This would render undetectable malware...a bit more detectable.
Cisco Software Exploit
Well Cisco has an exploit in some software which I will not go into detail about as I do not want to post information to help the hackers who are obviously reading my blog. [I know this after posting a bait to get them to hack a particular site and they bit.]
But Cisco still has a serious issue. They sent us a fix to some client software and tell us OK have everyone update the client software. Now what the heck good does that do? All some hacker has to do is get a copy of the OLD client software and then they can access my Cisco equipment in an insecure way. What they need to do is fix the SERVER side and disallow the old version of the client software.