-
Posts
18737 -
Joined
-
Last visited
-
Days Won
711
Everything posted by Nytro
-
Brakeman is an open source vulnerability scanner specifically designed for Ruby on Rails applications. It statically analyzes Rails application code to find security issues at any stage of development. Unlike many web security scanners, Brakeman looks at the source code of your application. This means you do not need to set up your whole application stack to use it. Once Brakeman scans the application code, it produces a report of all security issues it has found. Advantages No Configuration Necessary Brakeman requires zero setup or configuration once it is installed. Just run it. Run It Anytime Because all Brakeman needs is source code, Brakeman can be run at any stage of development: you can generate a new application with rails new and immediately check it with Brakeman. Better Coverage Since Brakeman does not rely on spidering sites to determine all their pages, it can provide more complete coverage of an application. This includes pages which may not be ‘live’ yet. In theory, Brakeman can find security vulnerabilities before they become exploitable. Best Practices Brakeman is specifically built for Ruby on Rails applications, so it can easily check configuration settings for best practices. Flexible Testing Each check performed by Brakeman is independent, so testing can be limited to a subset of all the checks Brakeman comes with. Speed While Brakeman may not be exceptionally speedy, it is much faster than “black box” website scanners. Even large applications should not take more than a few minutes to scan. Limitations False Positives Only the developers of an application can understand if certain values are dangerous or not. By default, Brakeman is extremely suspicious. This can lead to many “false positives.” Unusual Configurations Brakeman assumes a “typical” Rails setup. There may be parts of an application which are missed because they do not fall within the normal Rails application layout. Only Knows Code Dynamic vulnerability scanners which run against a live website are able to test the entire application stack, including the webserver and database. Naturally, Brakeman will not be able to report if a webserver or other software has security issues. Isn’t Omniscient Brakeman cannot understand everything which is happening in the code. Sometimes it just makes reasonable assumptions. It may miss things. It may misinterpret things. But it tries its best. Remember, if you run across something strange, feel free to file an issue for it. Changes since 1.9.4: Add check for unsafe symbol creation (Aaron Weiner) Do not warn on mass assignment with slice/only (#203) Do not warn on session secret if in .gitignore (#241) Fix session secret check for Rails 4 Fix scoping for blocks and block arguments Fix error when modifying blocks in templates Fix crash on before_filter outside controller Fix Sexp hash cache invalidation Respect quiet option in configuration file (#300) Convert assignment to simple if expressions to or More fixes for assignments inside branches Refactoring of CheckLinkTo and Report (Bart ten Brinke) Pin ruby2ruby dependency to version 2.0.3 (see here) Download Sursa: Brakeman The Static analysis security scanner for Ruby on Rails v1.9.5 Released | ToolsWatch.org - The Hackers Arsenal Tools | Repository for vFeed and DPE Projects
-
[h=2]A story of win32k!cCapString, or unicode strings gone bad.[/h] In the most recent blog post (“Fun facts: Windows kernel and guard pages”), we have learned how the code coverage of kernel routines referencing user-mode memory can be determined by taking advantage of the fact that kernel-mode code triggers guard page exceptions in the same way as user-mode does. Today, I will present how the trick can be used in a practical attack against an actual 0-day vulnerability in the Windows kernel. Don’t get too excited though – the bug is a very peculiar type of an information disclosure class, not particularly useful in any sort of real-life attack. Despite being of minimal severity due to the extent of information the bug makes it possible to leak, it makes a great example of how the misuse of the UNICODE_STRING structure and related kernel routines can lead to opening up a security loophole in the operating system. Microsoft has been aware of the issue for over 4 months, but due to its low severity, I believe it is rather unlikely it will be fixed any time soon. [h=1]Unicode string security[/h] All of the most recent versions of the Windows operating system (starting with Windows 2000) internally handle textual strings using the UTF-16 encoding and a UNICODE_STRING structure defined as follows: typedef struct _LSA_UNICODE_STRING { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING; Together with the structure definition, both user- and kernel-mode API interfaces provide a set of functions designed to initialize, examine, compare and otherwise operate on unicode strings, e.g. RtlInitUnicodeString, RtlAnsiStringToUnicodeString or RtlAppendUnicodeStringToString. In the above listing, the Length field represents the current length of the string in bytes (it must be a multiplicity of two due to the encoding used), MaximumLength indicates the total capacity of the buffer in bytes and Buffer points to the actual data. Note that both Length and MaximumLength fields are only 16-bits long, which is by far enough to accommodate the size of any string used during normal operation of the system. Perhaps contrary to intuition, the relatively limited ranges of the integers (making it possible to easily craft a string of a maximum size) do not pose any serious threat with regards to integer arithmetic, because overflowing either fields doesn’t give the attacker much edge. If you think about it, getting Length to be smaller than the actual length of the string can only lead to overwriting the existing buffer contents, but will never result in writing past the pool allocation. Similarly, setting MaximumLength to an overly small number only puts a more strict limitation on how many bytes can be stored in the corresponding buffer, or causes all subsequent calls to fail due to an invalid Length > MaximumLength condition. As a consequence, integer overflows are not of much interest in this context. Link: A story of win32k!cCapString, or unicode strings gone bad. | j00ru//vx tech blog
-
[TABLE] [TR] [TD][TABLE=width: 100%] [TR] [TD=align: justify]SSLCertStoreViewer is the free Tool to view all the installed SSL certificates from your local system store. [/TD] [/TR] [/TABLE] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD=align: justify] Currently it can automatically scan and display Certificates from following type of stores, CA Certificate Store Private Certificate Store Root Certificate Store Software Publisher Certificate Store For each discovered SSL certificate it displays following information Certificate Store Certificate Subject Name Certificate Issuer Name Issue Date Expiry Date It also checks if any of the certificate is expired. If so then it will be displayed in RED color. Finally you can generate detailed report of displayed certificate list in HTML/XML/TEXT file. SSL Cert Store Viewer is fully portable and works on all Windows platforms starting from Windows XP to Windows 8. [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD=class: page_subheader]Features [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD] Instantly scan & list all the installed SSL certificates Display Certificates from all the system stores. Automatically verify and display the expired certificates in RED color. Generate report in HTML/XML/TEXT file. Very easy to use with cool GUI interface Fully Portable, can be run from anywhere [/TD] [/TR] [TR] [TD] [/TD] [/TR] [/TABLE] [TABLE] [TR] [TD]Screenshot 1: SSLCertStoreViewer showing all the installed SSL certificates from local system store. [/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD=align: center] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD]Screenshot 2: HTML report generated by SSL Cert Store Viewer[/TD] [/TR] [TR] [TD] [/TD] [/TR] [TR] [TD=align: center] [/TD] [/TR] [TR] [TD][/TD] [/TR] [TR] [TD][/TD] [/TR] [/TABLE] Download: http://securityxploded.com/download.php#sslcertstoreviewer Sursa: SSLCertStoreViewer : View Installed SSL Certificates from Local System Store | www.SecurityXploded.com
-
[h=1][C] Keylogger, keyboard hook with HTTP PHP upload[/h]By Anasazi Hi all, I realized that I've never really written a proper keylogger. So what I decided to do now that I have some time on my hands was to write one. It works good although I haven't througholy tested it, features include; Writing logs as HTML code, special keys such as CTRL/SHIFT etc is logged as red. Example log; http://warpzone.se/u...X_06_52_12.html Taking a screenshot of the screen after the log has reached maximum size Compresses the screenshot using zip technology Uploads both the screenshot and the log to a webserver through a PHP script, it connects using winsock. Names of files will be computer name and current time. Handles clipboard & window title A quick screenshot; Enjoy, constructive critisicm is welcome, and yes I know that a lot of you belives that hooks bad. Download: http://www.rohitab.com/discuss/index.php?app=core&module=attach§ion=attach&attach_id=3733 Sursa: [C] Keylogger, keyboard hook with HTTP PHP upload - rohitab.com - Forums
-
nginx Arbitrary Code Execution NullByte Injection # Exploit Title: nginx Arbitrary Code Execution NullByte Injection # Date: 24/08/2011 # Exploit Author: Neal Poole # Vendor Homepage: http://nginx.org/ # Software Link: https://launchpad.net/nginx/0.6/0.6.36/+download/nginx-0.6.36.tar.gz # Version: 0.5.*, 0.6.*, 0.7 <= 0.7.65, 0.8 <= 0.8.37 # Tested on: Ubuntu Server 10.04.1 # nginx version: 0.6.36 # Advisory: https://nealpoole.com/blog/2011/08/possible-arbitrary-code-execution-with-null-bytes-php-and-old-versions-of-nginx/ # Description In vulnerable versions of nginx, null bytes are allowed in URIs by default (their presence is indicated via a variable named zero_in_uri defined in ngx_http_request.h). Individual modules have the ability to opt-out of handling URIs with null bytes. However, not all of them do; in particular, the FastCGI module does not. # Proof of Concept: http://<server>/<path>/file.ext%00.php or http://<server>/<path>/file.ext/x00.php Sursa:nginx 0.6.x Arbitrary Code Execution NullByte Injection
-
Crypto 2012 - Breaking And Repairing Gcm Security Proofs Description: In this paper, we study the security proofs of GCM (Galois/Counter Mode of Operation). We first point out that a lemma, which is related to the upper bound on the probability of a counter collision, is invalid. Both the original privacy and authenticity proofs by the designers are based on the lemma. We further show that the observation can be translated into a distinguishing attack that invalidates the main part of the privacy proof. It turns out that the original security proofs of GCM contain a flaw, and hence the claimed security bounds are not justified. A very natural question is then whether the proofs can be repaired. We give an affirmative answer to the question by presenting new security bounds, both for privacy and authenticity. As a result, although the security bounds are larger than what were previously claimed, GCM maintains its provable security. We also show that, when the nonce length is restricted to 96 bits, GCM has better security bounds than a general case of variable length nonces. Slide : - http://www.iacr.org/conferences/crypto2012/slides/1-3-Iwata.pdf Sursa: Crypto 2012 - Breaking And Repairing Gcm Security Proofs
-
Php Code Injection - English Version Description: Este y más videos en: http://www.el-palomo.com Síguenos en Facebook: http://www.facebook.com/El.Palomo.Seg... Síguenos en Twitter: @ElPalomo_Blog This video shows: - How to you inject PHP code - Use de Tamper Data to inyect code - PHP SCRIPT with CURL to sends attacks - Upload Payload Tags: php , code , inyeccion , injection , codigo , el , palomo , omar , palomino , payload , upload , Latest from the SecurityTube Blog: Finding Publicly Readable Files in your Amazon S3 Accountby Vivek Ramachandran - Apr 10, 2013 Amazon S3 is a cloud storage service which is used by thousands of Enterprises worldwide. The most common use case is data ... My Code made it to a Hollywood Movie by Vivek Ramachandran - Apr 06, 2013 One of the first things I do every morning is check the Twitter chatter about my website (@SecurityTube) . I was pleasantly ... Demystifying the Execve Shellcode (Stack Method) by Vivek Ramachandran - Apr 05, 2013 We launched the SecurityTube Linux Assembly and Shellcoding Expert course recently. The course introduces the student to the ... Simulating an SSH Worm using Python by Vivek Ramachandran - Apr 04, 2013 The topic of SSH Worms came up when I was speaking with a couple of students attending my workshop at Blackhat Europe in ... Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: Sursa: Php Code Injection - English Version
-
[h=1]Shellcode analysis on Linux x86 32bit[/h]Andrea Sindoni April 16, 2013 Most of the programs that we use every day contain bugs; a bug is a malfunction in a program, which can make the program take unwanted actions or errors. These bugs or vulnerabilities can be exploited by writing a code that is usually called an exploit. The most common types of vulnerabilities are those that concern the corruption of memory as buffer overflows, the heap overflows, race conditions, format string attacks, etc… In this article, we won’t learn to write an exploit, we will not even see how to search for a vulnerability in a software, but we will see how to write and analyze shellcode and the relationship with the above. The shellcode is generally regarded as a program that starts a shell, and is used as the payload of the exploit. In reality, one shellcode can do everything that makes a normal program. The shellcode is executed after the vulnerability has been exploited. In this article, we will analyze and write shellcode for Linux x86 32-bit architectures. I pointed out the type of architecture, that is because shellcode is usually written in assembly language, and each processor family has its own set of instructions. In addition, each operating system has its own system calls to make service requests to the kernel. To make a system call using the int 0×80 instruction, the kernel then checks the value of the EAX register to take the number of the system call. Each system call is identified by a unique number that the kernel recognizes. We look at the system call in Linux, they are located (in Ubuntu) in the following file: – /usr/src/linux-headers-3.0.0-25/arch/x86/include/asm/unistd_32.h It’s time to start! Let’s write our first shellcode – I have chosen to write a fairly simple, so as to better understand the steps necessary to analyze and optimize it. What we need is to write shellcode that should display the command “cat” the contents of the file /etc/passwd file (this file contains some information about the system account). Link: InfoSec Institute Resources – Shellcode analysis on Linux x86 32bit
-
[h=1]Stored XSS In Facebook Chat, Check In, Facebook Messenger - Break Security[/h] Today, I’m going to share a few of my favorite Stored XSS Findings in Facebook (Facebook Chat, Facebook Check In, Facebook Messenger. These findings are almost always interesting if you happen to find them in the right location. For instance, what would occur if the Malicious Stored XSS Payload ran on the victim every time they checked in? You could also inject the Payload into the Facebook Chat Screen, which could be really interesting. There are essentially two different ways to exploit Stored XSS issues. 1. Let the victim visit our stored XSS Payload (Facebook Check-In, Facebook Messenger, Facebook Chat) on their own. 2. Exploit it with the URL plus the Stored XSS data. I wanted to locate an interesting spot within Facebook that would run the data on the victim each time they visited one of my places. I could also just run it through Facebook Chat. This post will talk a lot about Stored XSS in regard to Facebook Chat, Check-In, Facebook Messenger (Windows Version). The vulnerabilities mentioned here has been confirmed patched by the Facebook Security Team Link: Stored XSS In Facebook Chat, Check In, Facebook Messenger | Break Security
-
Using xss-protection and blocking/bypassing javascript code Modern browsers have increased a function called "xss protection", which helps to avoid "Cross Site Scriptings" by preventing any script in the url from executing (complete tags as "<script>alert('xss')</script>" are totally stopped). Thanks to this protection, an attacker can spoof a fake XSS attack and stop code blocks in the webpage, avoiding possible security checks(example below). Examples working only with Chrome and Safari browsers. Tested browsers: Chrome ( Desktop and Mobile ), Safari, Opera, Firefox. Link: Using xss-protection and blocking/bypassing javascript code
-
Integrating DNS in Metasploit Metasploit Tutorial By Un0wn_X Posted by: FastFlux April 19, 2013 I made a small tutorial on integrating DNS in Metasploit backdoor executables. If you don’t know about creating backdoors please refer my previous tutorial http://www.youtube.com/watch?v=NiBsBKGf80Y.Ithink most of you know how to configure RATs. We use a DNS because our external IP changes every time. So a normal reverse_tcp connects like this. Victim’s internal IP—>Victim’s external IP—> Attacker’s external IP—> Attacker’s Internal IP But most of the time the Attacker’s External IP is Dynamic and changes. For that we can use a free domain name server such as No-IP. First of all create an account on No-IP and configure your DUC client correctly. Next make sure you port forward you router to a new internal IP. That is your Back Track machine. Use a bridged connection in Network settings because we are going to add our BT machine to our internal IP Range. So here we use the payload as windows/meterpreter/reverse_tcp_dns in making our backdoor. As the DUC client sends our External IP and updates our no-ip domain DNS is acting static. This is how it works. Victim’s internal IP—> Victim’s external IP—> Attacker’s DNS—>Attacker’s external IP—> Attacker’s Internal IP Set the LHOST to your no-ip domain, mine is (boomboom.no-ip.com). Set the LPORT to your forwarded port for the BT machine. Those are things new we should modify in making our backdoor the rest are normal. Now launch metasploit and use the multi/handler exploit which handles exploits outside the network. Set the LHOST to your internal IP which BT has been assigned. Set LPORT to your forwarded port number and exploit. Once the victim opens the backdoor it back connects through the DNS to our IP successfully. Now you can use that at any time because of DNS, it will be little similar to RATs. Making it FUD and undetectable is up to you. This video is just a demonstration and Special Thanx to Max for acting as the victim and helping me making this video in real world. Use this for Educational Purposes Only and I am not responsible for the damage you cause. Sursa: Metasploit Tutorial By Un0wn_X | ZeroSecurity
-
"private phpshell (x36-priv8) , can bypass any server. please keep it private." Arata cam asa: http://oi34.tinypic.com/29zsgav.jpg Download: http://www.multiupload.nl/5E1PAMHOSO Sursa: x36 priv8 (phpshell)
-
[h=1]Spybot +AV 2.1 Beta – Un nou antivirus cu motor BitDefender[/h] By Radu FaraVirusi(com) on April 20, 2013 Spybot era mai demult un nume in industria anti-malware cand venea vorba de detectie si indepartare adware, spyware, troieni. Intre timp performantele sale si notorietatea au scazut. Iata ca acum se relanseaza intr-o noua versiune cu antivirus, folosind motorul BitDefender. Noul produs se numeste Spybot +AV 2.1 si este in testare BETA pe site-ul oficial. Iata caracteristicile produsului: Antivirus scan (Home Edition and above) Enhanced GUI: a simple view has been added to many components and the number of dialogues has been reduced. Colour coded indicator on dialogue boxes for easy reference MRU Scan: ability to tell Spybot to only scan the Most Recently Used files Added scan mode to only scan for usage tracks Improved rootkit scan, suspicious results can be scanned with our File Scan Multi-core processor support in scan engine (Home Edition and above) Live Protection Internet Security: an integrated proxy server blocks access to suspect URLs (Windows 8 is currently not supported) Improved ‘Protected Repair Environment’ – now has its own easy to use Spybot taskbar Updated Boot CD Creator allows to create your own Boot CD with Spybot 1 and 2 Boot sector scanning Extensive white list for system files, now used in more Spybot components Spybot now prompts you to create a white list when installed on newly commissioned systems French and Italian translations now included by default O problema cunoscuta in aceasta versiune este protectia antivirus deficitara pe Windows 8. Pentru mai multe informatii si link-ul de download accesati: Beta Versions | Spybot © ™ - Search & Destroy Sursa: Spybot +AV 2.1 Beta – Un nou antivirus cu motor BitDefender
-
C/C++ Manual complet - Herbert Schildt C++ pentru incepatori, volumele I si II - Liviu Negrescu Totul despre C si C++ - Kris Jamsa Le gasesti prin librarii. Lasa cacaturile de tutoriale. Dupa ce inveti bine limbajul iti recomand Secrete C++ - Constantin Galatan.
-
Cyber Crime - cum se apara statul roman de atacurile hackerilor
Nytro replied to S.R.I's topic in Stiri securitate
"Astfel, zeci de experti din aceste institutii se vor antrena ca sa poata face fata unui atac cibernetic." Oare cati or sa devina "de-ai nostri"? -
Poti sa iti faci nervi, ochii cat cepele si sa iti pierzi noptile uitandu-te la cateva linii de cod incercand sa gasesti problema. Dar are si avantajele sale.
-
Doritori sunt, dar cine vine cu locurile de munca?
-
Ma pis pe ei de straini, nu imi pasa de ei, mie imi pasa de "ai mei"
-
Another way to hack Facebook accounts using OAuth vulnerability In recent few months White hat Hacker ,'Nir Goldshlager' reported many critical bugs in Facebook OAuth mechanism, that allowed an attacker to hijack any Facebook account without user's interaction. Another hacker, 'Amine Cherrai' reported a new Facebook OAuth flaw, whose exploitation is actually very similar to Nir Goldshlager's findings but with a new un-patched way. Before reading further, I would like to suggest you to read following post to understand the basic exploitation mechanism: Facebook OAuth flaw allows gaining full control over any Facebook account Facebook hacking accounts using another OAuth vulnerability URL Redirection flaw in Facebook apps push OAuth vulnerability again in action Now, if you are aware about the vulnerability used against Facebook OAuth in redirect_uri parameter in the URL, there is another way that Amine Cherrai found, to bypass the patch applied by Facebook security team. He found another file on Facebook, that allow redirection to steal access_token of victim's accounts. i.e Facebook Cross-Domain Messaging helper . Successful exploitation once again allowed hacker to hijack Facebook accounts using OAuth Flaw. Proof of concept : http://facebook.com/dialog/oauth?client_id=350685531728&response_type=token&display=page&redirect_uri=http%3A%2F%2Ftouch.facebook.com%2Fconnect%2Fxd_arbiter.php%3F%23%21%2Fapps%2Fmidnighthack%2F%3F%26origin%3Dhttp%3A%2F%2Ffacebook.com%2F Video Demonstration: By the way this bug was closed by Facebook Security Team few days back and your social accounts are once again secured, till next finding ! Sursa: Another way to hack Facebook accounts using OAuth vulnerability - Hacking News
-
[h=1]Google Glass are specifica?ii oficiale, se îndreapt? c?tre primii clien?i[/h] Dorian Prodan - 16 apr 2013 Dup? ce a a?â?at curiozitatea tuturor cu detalii succinte despre ochelarii s?i inteligen?i, Google a anun?at ieri sear? c? primele exemplare Glass au p?r?sit liniile de produc?ie ?i se vor îndrepta c?tre clien?i în etape succesive. Pentru început, este vorba doar de cei care au participat anul trecut la Google I/O 2012 ?i au comandat acest produs contra sumei de 1500 de dolari. Cu aceast? ocazie, au fost publicate ?i primele specifica?ii oficiale. Acestea nu includ ?i natura procesorului folosit sau capacitatea bateriei, în acest ultim caz Google sus?inând c? ace?tia vor oferi o autonomie de 24 de ore. Google Glass include un ecran cu rezolu?ia de 640 x 360 pixeli, produc?torul afirmând c? acesta ofer? o experien?? similar? cu cea a unui ecran HD de 25” care este privit de la o distan?? de 2,5 metri. Conectivitatea include un adaptor Wi-Fi 802.11 b/g, o interfa?? Bluetooth ?i un conector Micro USB. Stocarea intern? are o capacitate de 16GB, din care 12 GB sunt disponibili utilizatorului. Camera frontal? ofer? un senzor cu o rezolu?ie de 5 MP care este capabil? s? înregistreze secven?e video 720p. Partea audio a fost tratat într-un mod ceva mai exotic, Google Glass urmând s? foloseasc? un transductor care va transmite sunetul prin rezonan?a oaselor craniului. Dup? cum se observ?, ochelarii Google Glass nu includ o conexiune de date, fiind dependen?i din acest punct de vedere de un smartphone sau o tablet? Android. În acest scop, Google a lansat ?i aplica?ia MyGlass, care necesit? Android 4.0.3 sau mai nou, ?i care va media serviciile GPS ?i SMS. Aceast? aplica?ie este înso?it? de publicarea ghidului pentru dezvoltarea aplica?iilor software, programatorii interesa?i putând afla la ce s? se a?tepte atunci când vor avea acces la API-urile necesare. Un detaliu interesant este procesarea cloud, toate aplica?iile urmând s? fie intermediate de serverele Google pentru a nu suprasolicita puterea de calcul oferit? de Glass. Sursa: Google Glass are specifica?ii oficiale, se îndreapt? c?tre primii clien?i
-
Hmm: Contest | tresorit
-
[h=2]Brute Force Attacks Build WordPress Botnet[/h]Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers. Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress). According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations. Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor the lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites then are conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress. Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms. “It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs maybe connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.” Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites. “As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant. ”This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.” That assessment was echoed in a blog post Thursday by CloudFlare, content delivery network based in San Francisco. Cloudflare CEO Matthew Prince said the tactics employed in this attack are similar to those used by criminals to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was responsible for a series of rather large cyber attacks against the largest US financial institutions. “One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince wrote. ”These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.” HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses. Also, WordPress users can take advantage of a third-party plugin from Duo Security, which enables secure logins using one-time codes pushed via text message or an associated mobile app. Matthew Mullenweg, the founding developer of WordPress, suggests site administrators chose a username that is something other than “admin”. In addition, he urged WordPress.com-hosted blogs to turn on two-factor authentication, and to verify that the site is running the latest version of WordPress. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg wrote. Daniel Cid, chief technology officer of Sucuri Security, a company that helps site owners prevent and recover from security breaches, said his team isn’t seeing infected sites being used to attack others; according to Cid, most of the password brute-forcing is being conducted by desktop systems under the attackers’ control. “We saw a big increase in the number of brute force attacks (almost tripled) since previous month’s average,” Cid wrote in an instant message interview. “However, at least from our data, they are not re-using the compromised sites to build a botnet to scan others. I assume that is speculation. On the sites we looked [at] that were hacked, the attackers injected backdoors and malware on them,” including the Blackhole Exploit Kit. Cid also shared a copy of the username/password list that the attackers have been using for the brute-forcing. “The brute force attacks do not seem to be coming from servers, but from desktops,” Cid said. “However, this is still very early, since they are injecting backdoors (a variation of the Filesman backdoor) they can later use the sites to inject malware or even create a botnet and brute force other sites.” According to Sucuri, WordPress administrators who have been hacked should strongly consider taking the following steps to evict the intruders and infections: - Log in to the administrative panel and remove any unfamiliar admin users. - Change all passwords for all admin users (and make sure all legitimate accounts are protected with strong passwords this time). - Update the secret keys inside WordPress (otherwise any rogue admin user can remain logged in). - Reinstall WordPress from scratch or revert to a known, safe backup. Update, 3:05 p.m. ET: Corrected Gaffan’s title. Update, 6:29 p.m. ET: Added quotes and tips from Sucuri Security. Update, Apr. 13, 2013, 12:14 p.m. ET: Added comments from Mullenweg. Sursa: Brute Force Attacks Build WordPress Botnet — Krebs on Security