Saturday, November 25, 2006

Command and Control Bots

Working away, and suddenly a whole bunch of hits on my server from bots around the world led me to suspect that these IPs are somehow working together in a coordinated attack of some kind.

Could be coincidental but just saw a whole bunch of hits in a short time period. I have been working all day and not been seeing this. These hits are from the usual suspects - Germany, Taiwan, etc.

And coincidentally - I just made a significant update to my web server. Seems as though they are monitoring changes.


Tuesday, November 21, 2006

Sites with XSS Flaws

Here's a forum of sites with XSS flaws. Verify for yourself. If you can stand the terrible language and tangents.

Sites with XSS Flaws

I accidentally found an XSS flaw on my bank's web site recently. They were trying to prevent it by using a JavaScript pop up box. Helllloooo. Who doesn't know you can turn off JavaScript these days? A bank for goodness sakes...my money at stake.

It is a small credit union. Needless to say I am in the process of changing banks.

Saturday, November 18, 2006

Sunday, November 12, 2006

Process Monitor: What is that process doing?

Microsoft took over sysinternals.com as mentioned, and in so doing is replacing Regmon and Filemon with the Sysinternals Process Monitor.

Process Monitor

This looks to be the information requested for months in my pleas to help find out what is causing problems on a machine in past articles (of course I am just one of the many...). I haven't tried it yet, but if it lives up to the description it could be very useful if and when you suspect hacking on a machine - to verify and validate every process and user and what they have been up to.

Friday, November 10, 2006

Windows Security Utilities

Here are some utilities that can be used to explore what is running on your machine:

Security Utilities

Microsoft has purchased the site formerly known as Sysinternals.com, which was a good source of utilities - probably used by hackers and legitimate security professionals alike.

Wednesday, November 08, 2006

Kernel bugs & vulnerabilities

Which OS has the most hacks -- and the most alarming hacks or bugs?

This month that topic is being explored by some developers on this web site with contributions accepted from other developers around the world:

Kernel Bugs

The scariest one to me so far is the GDI bug on windows that allows escalation of privileges to take over a machine. Not good and no fix available yet supposedly.

Also interesting are the tools used to find these bugs. Aren't the developers building this software familiar with and testing their software with these tools for such a critical piece of functionality such as an operating system kernel?

Yeah, I might not be using them for my code, but I don't have the whole world relying on the security of my software as these vendors do.

Tuesday, November 07, 2006

Site Rippers

There are many reasons why someone may want to "rip" a site but in my opinion, it should be illegal. Things are copyrighted and available online. If you need them offline you should have to request permission from the site owner.

I would guess most people are site ripping for the purpose of reverse engineering a site, either to compete with SEO rankings or to try to find a way to hack the site. For instance, they can rip the site, run tests against it without hitting your web logs, and then put the program they have developed to do whatever to your web site undetected - so it looks like normal traffic in your web logs.

Some site rippers are obvious - you can spot them just by looking in the request headers and finding the user agent. Others are more sly, doing things to cover their tracks and appear as if they were a "normal" user.

What to do about site ripping? Good question. First, block the blatant ones. Second, look for traffic anomalies that don't look like "normal" users clicking through a site at normal speed. Finally, frequent site changes can help ensure someone has not written a program to walk through your pages and do something malicious. You can "break" their code by finding ways to change your pages frequently.
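As an added example (not code from the original post), here is a small detector for the two signals described above, run over constructed Apache combined-format log lines: the "blatant" rippers that announce themselves in the user agent, and clients that pull pages faster than a person clicking through a site could. The user-agent marker list and the rate thresholds are assumptions; tune them to your own logs.

```python
# Added example: flag site rippers in Apache combined-format logs by
# (a) known offline-copy user agents and (b) request rate per client.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (documentation-range IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Nov/2006:10:00:00 -0500] "GET / HTTP/1.1" 200 1234 "-" "HTTrack 3.0x"
198.51.100.7 - - [07/Nov/2006:10:00:01 -0500] "GET /a.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2006:10:00:01 -0500] "GET /b.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2006:10:00:02 -0500] "GET /c.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Nov/2006:10:00:02 -0500] "GET /d.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Nov/2006:10:00:05 -0500] "GET /a.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [07/Nov/2006:10:00:45 -0500] "GET /b.html HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Assumed list of user-agent substrings used by common offline-copy tools
# ("the blatant ones"); extend it with whatever shows up in your own logs.
RIPPER_UA_MARKERS = ("httrack", "wget", "webcopier", "teleport", "offline explorer")

def parse_log(text):
    """Yield one dict per parseable combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield rec

def find_rippers(text, window_s=10, max_hits=3):
    """Return {ip: reason}. Flags obvious tools by user agent, plus any client
    making more than max_hits requests inside any window_s-second span
    (a human clicking through pages at normal speed does not do that)."""
    flagged = {}
    times = defaultdict(list)
    for rec in parse_log(text):
        ua = rec["ua"].lower()
        if any(marker in ua for marker in RIPPER_UA_MARKERS):
            flagged[rec["ip"]] = "user-agent: " + rec["ua"]
        times[rec["ip"]].append(rec["ts"])
    for ip, ts in times.items():
        ts.sort()
        for i in range(len(ts)):  # sliding window over sorted timestamps
            j = i + max_hits
            if j < len(ts) and (ts[j] - ts[i]).total_seconds() <= window_s:
                flagged.setdefault(ip, f"{max_hits + 1} hits in {window_s}s")
                break
    return flagged
```

On the sample, the HTTrack client is flagged by its user agent and 198.51.100.7 by rate (four page fetches in two seconds), while the client that waited forty seconds between pages is left alone.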