aelius (Administrators)

Posts: 4970. Days Won: 373.
Everything posted by aelius

  1. Well, if I start asking you questions, I'll hijack the chat completely. I tried before and everyone went quiet. Let Usr6 say it.
  2. @ANYK: If you post crap in "Important announcements and forum rules" again, I'll ban you. Thread closed and moved to the trash.
  3. @askwrite: he was referring to something else, from what I can see in that context. And even if you were an idiot, he's not the one who made you one. He just told you. Come on, seriously, stop whining like women.
  4. aelius

    www.phro.ro

    We don't give a fuck about the church. Yes, I'm a Christian, but in Romania churches are institutions for milking citizens' money. On top of that, they pay no taxes to the state and run a pile of businesses under the tutelage of the metropolitanates. A bunch of assholes praying to pieces of wood and paintings. It's even written in the holy scripture: do not make yourself a graven image and pray to it. So screw the priest. Faith should be free, not paying a crook to sing to you.
  5. You have to offer something that's of interest to users, otherwise I don't see why they'd subscribe somewhere just to receive SPAM with affiliate links. It doesn't really sound like a business. // edit: Anything you consider useful to a group of people. You can't please everyone, which is why I'm referring strictly to a group of people. Maybe make a blog, put the affiliate products on it, and have quality articles on the blog. (just an idea)
  6. Terrestrial television - Wikipedia, the free encyclopedia. Satellite television - Wikipedia, the free encyclopedia. - Yagi, double rhombus, circle, Synaps?! - Passive / active?! I don't think you actually have any idea what you want.
  7. Satellite or terrestrial?
  8. You forgot the fucking #include for the standard input/output library. Happy New Year!
  9. Well, what is that then, man, isn't it an HTTP REQUEST? I don't want to insult you, but the app has nothing to do with a DDoS attack. First of all, the design leaves a lot to be desired (design -> I'm not referring to its looks, but to a different level). Arguments:

     - In an attack you send packets or requests without caring about the response. In which case I don't see why you'd use a web browser.
     - You stated that 8 requests per proxy are sent "IN SEQUENCE". That does nothing: the application will generate a single thread, which couldn't bring down even a web server installed on a phone. You're not interested in making 8-10-20 requests per proxy in a row, you're interested in opening as many persistent connections to the web server as possible.

     The most common httpd web servers are (by model):

     - Apache MPM Prefork
     - Apache MPM Worker

     The first, Prefork, opens one process for every online user. If you open 1000 connections to it, the system will fall over because there isn't enough memory or the maximum limit (default 256) has been reached. Prefork consumes around 16-40 MB of memory per process (when PHP is loaded as a dynamic shared object, i.e. resident in the process: DSO/mod_php). The second model, Worker, is a thread-safe (multi-threaded) model. A single Apache process can sustain even 5000 connections. So, once again, what is your application useful for and what exactly does it do? (does it exhaust the maximum number of connections the web server accepts, does it aim at resource exhaustion, or?!) Note: I brought up the Apache web server because it's the most widely used. If we consider nginx or other lightweight or event-based web servers, you simply can't do anything to them with an HTTP flood (at least not at this level). When you build a tool like this, it's preferable to know how a web server works (beyond the fact that it has port 80 open). PS: the reply follows from this: if you want discussions of this kind, we can open a dedicated thread about it.
  10. I assume it makes HTTP requests. It's good to specify what exactly a tool you made uses. And now a pertinent question: - If it uses HTTP requests, what kind of user agent does it have? An idea: - If it doesn't have random user agents, you could add that improvement. Preferably just various browser versions. Another idea: - Why didn't you design it as multithreaded? (to open a defined number of sockets, because that's how you saturate a web server) ps: I'm not interested in DDoS attacks, I'm more interested in mitigation solutions.
  11. Just a little note to announce that we released NAXSI, an Open Source, Positive Model Web Applicative Firewall for NGINX. Naxsi is now also an official OWASP project (yeepee!) Why? Because, out there, first of all, there are not many open source WAFs; secondly, even if mod_security is awesome, we wanted something different, that is more reverse proxy oriented. And last but not least, as a security enthusiast, I'm not fond of the negative model when it comes to applicative firewalling, as js/html/*sql languages are so rich that it's very hard to have 100% coverage of possible injection vectors. You may find some examples here: ModSecurity SQL Injection Challenge: Lessons Learned - SpiderLabs Anterior (results of the mod_security bypass contest). To make it short, a negative model requires a LOT of effort to maintain a core rule set (and we're far from being able to do what the mod security project has done). So, we are left with proprietary appliances, and as a hoster (more than 1,000 websites currently hosted), proprietary appliances are not even an option. This is why we decided to create NAXSI. How? Well, a positive model can be fairly complicated/long to configure when you have a huge web-site, or a web-site that allows a lot of rich/complex user inputs. So, we designed NAXSI to be as flexible and easy to configure as possible. Here is a global overview of how it works:

     1. NAXSI does not have 'rules', strictly speaking. It will just "score" strange characters in user contents. When the request reaches a critical score, the request will be denied.
     2. The learning mode heavily relies on NGINX's power. When in learning mode, all to-be-denied requests will be allowed, AND posted back to a specific location (in NGINX's terms) pointing to a script that will analyze the request, generate the appropriate white-lists, write them to naxsi's configuration file and reload NGINX. (Thanks to NGINX's design, current connections won't be closed, so it's 100% invisible for the end-user.)
     3. Once you are in a "production" state (no more learning mode, NAXSI is indeed blocking the requests), all denied requests will be redirected to a specific location, where you can:
     4. Depending on the user's IP, turn it into learning mode (for some IPs, naxsi will always be in learning mode, and generate white-lists on the fly).
     5. If the user thinks it's a false positive, he can fill in a captcha. If he decides to do so, a mail will be sent, with the associated generated white-lists and detailed request (full HTTP request, so that it can be reproduced).
     6. Very simple rules syntax, allowing (for extreme cases) easy hand-tuned white-list or negative rules writing.

     As you can see, we tried to make this as easy as possible to configure and use. During configuration, the user should never have to edit NAXSI's white-list configuration by hand, as it's 100% automatically generated via learning mode. You can even partially perform this part with a crawler (if yours is good enough). You can find more details on the googlecode page of the project: naxsi.googlecode.com. What? Naxsi, thanks to NGINX's power, can do pretty much whatever you want: turn on learning mode for some users only, redirect forbidden requests to another domain, a vhost, a single page. For those of you who have some knowledge about NGINX, you know how right I am; for the others, have a look at NGINX, it's pure awesomeness! When? Naxsi is currently released with an "alpha" status, but we are already deploying it on various production sites. For those wishing to try naxsi, I 'really' recommend that you use the SVN to fetch the latest sources, as packaging is not done on a regular basis right now. Test? We have set up a test box (referenced on naxsi's wiki, here: OnlyTrustWhatYouCanTest - naxsi - Naxsi is an open source, high performance, low rules maintenance, Web Application Firewall module for Nginx - Google Project Hosting) where you can try naxsi by yourself, as we set up the box as a reverse proxy to on-purpose vulnerable websites! Wanna help? You're welcome! We are currently looking for some web developers to set up a nicer forbidden page and even a reporting interface. We are also looking for some people to test the software and give us some feedback. What's next? We are currently thinking very seriously about supporting the mod security CRS level 1 in NAXSI, so that we can have the perfect firewall, fitting every kind of web site! So, stay tuned! Source: Naxsi, open source WAF (Web Application Firewall) for NGINX Download: https://github.com/nbs-system/naxsi
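     The scoring-plus-learning model the announcement describes, as an added toy illustration written for this page (not naxsi's own code, scoring table or rule syntax): each suspicious character in a request variable adds points, the request is denied once its total reaches a threshold, and learning mode turns would-be denials into per-variable whitelist entries. The character scores, threshold and zone names are constructed assumptions.

```python
# Added toy model of a NAXSI-style positive-model WAF. Constructed example,
# not naxsi's code: the scoring table, threshold and zone layout are assumptions.
from urllib.parse import parse_qsl

# Constructed scoring table (assumption): points added per "strange" character.
CHAR_SCORES = {"'": 4, '"': 4, "<": 4, ">": 4, ";": 4, "|": 4,
               "(": 2, ")": 2, "=": 1, "-": 1}
DENY_THRESHOLD = 8  # a request is denied once its total score reaches this


def score_value(value):
    """Sum the scores of every suspicious character in one variable's value."""
    return sum(CHAR_SCORES.get(ch, 0) for ch in value)


def parse_args(query_string):
    """Split a query string into the ARGS zone as (name, value) pairs."""
    return {"ARGS": parse_qsl(query_string, keep_blank_values=True)}


def check_request(zones, whitelist):
    """Score every (zone, variable) that is not covered by a whitelist entry.

    zones: {"ARGS": [(name, value), ...], "BODY": [...]} (constructed layout)
    whitelist: set of (zone, name) pairs learned as legitimate rich input
    Returns (decision, total_score, hits); hits lists the scoring variables
    so that learning mode knows what to whitelist.
    """
    total, hits = 0, []
    for zone, pairs in zones.items():
        for name, value in pairs:
            if (zone, name) in whitelist:
                continue  # learned exception: this variable may carry rich content
            points = score_value(value)
            if points:
                hits.append((zone, name, points))
                total += points
    decision = "DENY" if total >= DENY_THRESHOLD else "ALLOW"
    return decision, total, hits


def learn(zones, whitelist):
    """Learning mode: the request is let through, and every variable that
    contributed to a would-be denial gets a whitelist entry for next time."""
    decision, _, hits = check_request(zones, whitelist)
    if decision != "DENY":
        return set(whitelist)
    return set(whitelist) | {(zone, name) for zone, name, _ in hits}


if __name__ == "__main__":
    # Constructed requests: an injection-looking id and a rich-text comment.
    print(check_request(parse_args("id=1 OR '1'='1"), set()))
    wl = learn(parse_args("comment=<b>hi</b>"), set())
    print(wl, check_request(parse_args("comment=<b>hi</b>"), wl))
```

     Re-running the same rich-text request after learning shows the whitelist entry suppressing the denial while the injection-looking request is still scored and denied.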
  12. dariusmare: use explode, you define whatever separator you want.
  13. Why don't you simply use $_SERVER['REMOTE_ADDR']? You put your IP address there and that's it. You could also use htaccess on the directory (or rules with allow from ... deny from all in htaccess). Or combine them: password + remote IP address check (both conditions must be met).
  14. A BBC FTP server ftp.bbc.co.uk was compromised by a Russian hacker and access to it touted online, say computer security researchers. The miscreant behind the attack on the internet-facing file store tried to sell access to the infiltrated system to other crims on Christmas Day, we're told. Hold Security – which this year has helped break news of data heists at Adobe and a top-flight limo company – spotted someone trying to sell access to ftp.bbc.co.uk, according to Reuters. FTP is a 1970s vintage protocol for transferring information in bulk over the internet; its use is discouraged because usernames and passwords to log into accounts are sent over the network unencrypted, although there are ways to establish secure connections. The hacked service was used by reporters to file material from the field, and by advertisers to upload video to BBC Worldwide channels. The invaded computer was cleaned up over the weekend. Right now the system appears to be running ProFTPD 1.3.3g on Solaris, but there's nothing to indicate that was the vulnerable software. However, versions of ProFTPD prior to 1.3.3g suffer from a use-after-free bug (CVE-2011-4130) that allows an attacker to execute code remotely on the machine hosting the server; a flaw that's been known about since 2011. "The only other information that I can offer is that the hacker was offering a screenshot proving that he had administrative access to the BBC server," Alex Holden, chief information security officer at Hold Security, told BBC News. It is not clear how deep the hacker managed to penetrate Auntie: specifically, whether the miscreant obtained just an FTP admin account login, gained control of the user account running the FTP daemon, or gained full control of the machine running the file-transfer server. Don't forget, a compromised computer could have acted as a stepping stone to other systems within the Beeb's network. Source: Yes, the BBC still uses FTP. And yes, a Russian crook hacked the server • The Register

     CVE-2011-4130 Overview: Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer.

     Personal notes: - It's been only a year since there was another '0day' in proftpd (on the x86 platform). - "Right now the system appears to be running ProFTPD 1.3.3g on Solaris" - I wonder where they saw that it runs on Solaris?! Maybe they have a crystal ball.
  15. Dude, Nytro has been posting tutorials for an hour and you're scratching your balls suspiciously with these crap threads. Thread closed. Do you really see nothing interesting here besides this crap?
  16. We're closing it before you all get banned in alphabetical order.
  17. closed & ban.
  18. Ja right.
  19. Thread moved to the 'Trash' category. If I see any more biohazards like these tutorials, stolen ones at that, I'll ban you. Come on man, are you making fun of us?
  20. // offtopic: Byte-ul: Matt has a pretty OK reputation here. // ontopic: Thread closed. Flood for games ... It takes all sorts.
  21. mIRC doesn't have an ACCOUNT. It's just a crappy app made to connect to IRC servers that runs on Windows. And no, we really don't offer support for that here.
  22. Aha, PayPal logs. Permanent ban. When you see posts like this, please report them. Thanks in advance ;-) Thread closed.
  23. Following the recent disclosure of a massive data breach that affected nearly 40 million customers, retail giant Target has now confirmed that encrypted PIN data from card transactions was accessed by hackers. Target, which on Dec. 23 confirmed it was working with the United States Secret Service and the Department of Justice to investigate the incident, has reversed earlier statements that PIN numbers had not been compromised in the breach. "While we previously shared that encrypted data was obtained, this morning through additional forensics work we were able to confirm that strongly encrypted PIN data was removed," a Target spokesperson told SecurityWeek on Friday in an emailed statement. While encrypted PIN numbers may have been accessed by attackers, Target is confident that because the information was fully encrypted, customers should not panic. "We remain confident that PIN numbers are safe and secure. The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems," the statement continued. According to the retail giant, when a customer uses a debit card in a Target store and enters a PIN, the PIN is encrypted at the keypad using the popular Triple DES encryption standard. Target said it does store the encryption key in its system, and that it does not have access to the encryption key used to store PIN data. "The PIN information is encrypted within Target's systems and can only be decrypted when it is received by our external, independent payment processor," the company explained. "What this means is that the 'key' necessary to decrypt that data has never existed within Target's system and could not have been taken during this incident." According to Target, debit card accounts have not been compromised due to the encrypted PIN numbers being taken. Source: Target Confirms Encrypted PIN Data Was Stolen in Security Breach | SecurityWeek.Com Related article: Experts Debate How Hackers Stole 40 Million Card Numbers from Target | SecurityWeek.Com
  24. NEW YORK - A US judge ruled Friday that the National Security Agency's mass surveillance of telephone calls is lawful, fanning a legal conflict likely to be decided ultimately by the Supreme Court. Federal judge William Pauley in New York threw out a petition from the American Civil Liberties Union and said the program was vital in preventing an Al-Qaeda terror attack on American soil. Ten days earlier, however, another federal judge in Washington had deemed that NSA surveillance is probably unconstitutional, laying the groundwork for a protracted series of legal challenges. "The question for this court is whether the government's bulk telephony metadata program is lawful. This court finds it is," said the 54-page ruling published in New York on Friday. The scale by which the NSA indiscriminately gathers data on millions of private calls was exposed by intelligence whistleblower Edward Snowden, sparking an international and domestic outcry. Protected by judicial checks and executive and congressional oversight, Pauley said the program does not violate the US Constitution's fourth amendment right against unreasonable searches and seizures. "There is no evidence that the government has used any of the bulk telephony metadata it collected for any purpose other than investigating and disrupting terrorist attacks," he wrote. The judge sided with US spy chiefs who say that by connecting the dots between archived calls and terrorist suspects, US officials can keep the country safe. The NSA hoovers up information about virtually every telephone call to, from and within the United States, and says it is the only way to discern patterns left behind by foreign terror groups. The judge quoted the 2004 report by the 9/11 Commission -- the panel which investigated the 2001 Al-Qaeda attack on the United States -- as saying it was a false choice between liberty and security, as "nothing is more apt to imperil civil liberties than the success of a terrorist attack on American soil." "As the September 11th attacks demonstrate, the cost of missing such a thread can be horrific. Technology allowed Al-Qaeda to operate decentralized and plot international terrorist attacks remotely," he wrote. "The bulk telephony metadata collection program represents the government's counter-punch: connecting fragmented and fleeting communications to reconstruct and eliminate Al-Qaeda's terror network." The judge quoted examples in which NSA phone monitoring in 2009 exposed an Al-Qaeda plot to bomb the New York subway, and cited a plot by convicted Pakistani-American terrorist David Headley to bomb a Danish newspaper office. "Unintentional violations of guidelines," Pauley said, appeared to have stemmed from "human error" and "incredibly complex computer programs" and had been rectified where discovered. This month, an official panel handed President Barack Obama a review of the NSA's surveillance program along with more than 40 recommendations to install safeguards and limit its scope. But the administration is not expected to significantly curtail the mission, and Snowden remains a fugitive from US justice who has been granted temporary asylum in Russia. Source: New York Judge Rules NSA Phone Surveillance Lawful | SecurityWeek.Com