Monday, August 29, 2016

Are Hackers looking at your Web Backups?

I read a great blog post, Mazin Ahmed's write-up on backup file artifacts on the web. It's a great article on how developers, sysadmins, etc. have to be CAREFUL they aren't leaving backup files/artifacts out on the internet, freely accessible to the bad guys. For example ...
a.) Leaving a web.configBACKUP.txt file sitting in the web root. Suddenly your connection strings (and the database credentials inside them) are readable from the internet!!!
b.) Leaving an index.php.bak file out in the web folder. The server doesn't treat .bak as PHP, so instead of executing it, it just serves the file, and your server-side PHP source is readable by the attacker!!!
c.) Leaving a db.mdb.bak out in the web folder. Suddenly a copy of your database is downloadable!!!


The bad news is, I've seen developers do this both on purpose and by accident. It might even get checked into source control and then auto-deployed! I've also seen sysadmins do this, for example when they're doing a website update or troubleshooting a production issue. It's CRITICAL that as developers and sysadmins you clean up/remove your backup file artifacts from production.

The bad guys can use these files to grab passwords, data, code, and much more, often just enough information to break into your system.

The even worse news? I see bad guys running generic queries across the entire internet searching for these .bak, .backup, etc. files, so if you have one out there already, they may have already found it and used it against you. So take the time to clean your production server now, and put a process in place (a pre-deploy check, plus web server rules that refuse to serve those extensions) so those files never get out there again!
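Here is what that pre-deploy check can look like. This is an added example for this post, not code from the post or from Mazin Ahmed: it walks a web root the way a deploy hook would and lists any file whose name looks like a backup, editor or archive leftover, exiting non-zero so the deploy fails instead of shipping the file. The pattern list is an assumption (it covers the three cases above plus common editor suffixes); the sample web root is constructed in a temp directory.

```python
"""Pre-deploy gate for backup artifacts in a web root (added example, not the post's code)."""
import os
import re
import sys
import tempfile

# Names that should never be reachable from a web root (assumed list; extend for your shop).
ARTIFACT_PATTERNS = [
    re.compile(r".*\.(bak|backup|old|orig|save|swp|swo|tmp|copy)$", re.I),  # index.php.bak, db.mdb.bak
    re.compile(r".*~$"),                                                  # vi/emacs backup copies
    re.compile(r"^web\.config.+$", re.I),                                 # web.configBACKUP.txt, web.config.old
    re.compile(r".*\.(sql|mdb)(\.\w+)?$", re.I),                          # database dumps and copies
    re.compile(r".*\.(zip|tar|tgz|gz|rar|7z)$", re.I),                    # whole-site archives
    re.compile(r".*\.(php|asp|aspx|jsp|config)\.\w+$", re.I),             # source with an extra extension appended
]


def is_artifact(filename):
    """True if the bare file name matches any backup/artifact pattern."""
    return any(p.match(filename) for p in ARTIFACT_PATTERNS)


def find_backup_artifacts(webroot):
    """Return sorted, web-relative paths ("/dir/file") of artifacts under webroot."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for fname in files:
            if is_artifact(fname):
                rel = os.path.relpath(os.path.join(dirpath, fname), webroot)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Scan a constructed web root (sample file names only, not a real site)."""
    sample = [
        "index.php", "web.config", "css/site.css",        # legitimate files
        "web.configBACKUP.txt", "index.php.bak",          # the post's cases a) and b)
        "data/db.mdb.bak",                                # case c)
        "includes/config.php~", "site-2016-08-29.zip",    # editor leftover, whole-site archive
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
        return find_backup_artifacts(root)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else None
    found = find_backup_artifacts(root) if root else demo()
    for path in found:
        print("backup artifact:", path)
    # Non-zero exit so a CI/deploy step fails rather than shipping the file.
    sys.exit(1 if found else 0)
```

Run it with the web root as the only argument from your deploy script; with no argument it scans the constructed sample and flags the five leftovers while leaving index.php, web.config and the stylesheet alone.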

More about neonprimetime


Top Blogs of all-time
  1. pagerank botnet sql injection walk-thru
  2. DOM XSS 101 Walk-Through
  3. An Invoice email and a Hot mess of Java


Top Github Contributions
  1. Qualys Scantronitor 2.0


Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.

CIO 5 Practices to make Hackers Life Harder

I liked this CIO article, 5 practices to make hackers' lives harder, by Thor Olavsrud.

1. Limit admin access to systems
2. Protect privileged account passwords
3. Extend IT security awareness training
4. Limit unknown applications
5. Protect user passwords with security best practices


Simple but effective. For #1, the fewer people that have access, the harder it is for an attacker to find somebody who has it. For #2, manage and monitor who or what systems get a privileged account, and where and how those accounts are used; don't just create them and forget about them. For #3, humans are clearly the weakest link, so a lot of time and effort needs to be spent securing them. For #4, whitelist all applications and application accounts, and don't allow anything else to run. For #5, while most experts think passwords are going the way of the dinosaur soon, for most companies that hasn't happened yet, so there's no excuse for not following best practices on strength, expiration, etc.


Wordpress Test Environment Requests

Why would somebody make a request to this path?

GET /test/wp-admin/

It appears this is a common location to install a "test" copy of a WordPress blog. The problem is that if I do a Google search for test wp-admin pages, I get a bunch that are indexed and accessible.

I would never advise having your test environment accessible from the internet. Only make it reachable locally; you're just asking for trouble, because test environments are never as locked down and monitored as production. And if your test blog is on the same server as production, you've just created a backdoor to production: if an attacker gets into the test environment, they're on your production server.

Another, perhaps even bigger, problem is that when I do the Google search, most of these folders return a directory listing and allow access to potentially sensitive files. Uh-oh. Lock down your test environments, or remove them if you don't need them, because the bad guys are looking for them!






Nagios XI noauth=1 requests

I've seen these admin page requests many times. Interesting that the parameter is noauth=1, which leads me to believe that if somebody misconfigured Nagios XI it could allow an attacker to bypass authentication.

GET /nagiosxi/login.php?redirect=/nagiosxi/index.php0.000000&noauth=1
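Both this request and the /test/wp-admin/ request from the previous post are cheap to pick out of an access log, and the status code tells you whether the probe found anything. This is an added example for those two posts, not code from the posts: it parses common-log-format lines, tags the two probes, and rates each hit by what the server answered. The log lines are constructed (RFC 5737 test addresses), and the path list and severity labels are my assumptions for illustration.

```python
"""Access-log triage for the /test/wp-admin/ and Nagios XI noauth=1 probes (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache common/combined log format, up to the status and size fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Prefixes a test/staging copy of WordPress tends to live under (assumed list).
TEST_PREFIX_RE = re.compile(r"^/(test|testing|dev|staging|old|new|demo|beta)/wp-(admin|login\.php)")

# Constructed sample log; the two probe request lines are the ones quoted in the posts.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Aug/2016:03:12:01 +0000] "GET /test/wp-admin/ HTTP/1.1" 200 1532
203.0.113.7 - - [29/Aug/2016:03:12:02 +0000] "GET /nagiosxi/login.php?redirect=/nagiosxi/index.php0.000000&noauth=1 HTTP/1.1" 404 209
198.51.100.4 - - [29/Aug/2016:03:13:10 +0000] "GET /wp-admin/ HTTP/1.1" 302 0
198.51.100.4 - - [29/Aug/2016:03:13:11 +0000] "GET /staging/wp-login.php HTTP/1.1" 301 0
198.51.100.4 - - [29/Aug/2016:03:13:12 +0000] "GET /index.php HTTP/1.1" 200 8801
"""


def classify_target(target):
    """Name the probe a request target matches, or None for ordinary traffic."""
    parts = urlsplit(target)
    path = parts.path.lower()
    query = parse_qs(parts.query)
    if TEST_PREFIX_RE.match(path):
        return "wordpress-test-env-probe"
    if "/nagiosxi/" in path and query.get("noauth") == ["1"]:
        return "nagiosxi-noauth-probe"
    return None


def severity(status):
    """200: the probed path exists and answered. 3xx: WordPress is usually there and
    bounced to its login page. Anything else: the probe hit nothing."""
    if status == 200:
        return "exposed"
    if 300 <= status < 400:
        return "present"
    return "probe-only"


def scan(log_text):
    """Return one finding per matching line: ip, probe name, status and severity."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not common log format; skip rather than guess
        probe = classify_target(m.group("target"))
        if probe is None:
            continue
        status = int(m.group("status"))
        findings.append({"ip": m.group("ip"), "probe": probe,
                         "status": status, "severity": severity(status)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']:15} {f['probe']:28} {f['status']} {f['severity']}")
```

On the sample, the first line is the one to act on: a 200 for /test/wp-admin/ means the test copy is reachable, while the Nagios request got a 404 and is just noise worth counting per source IP.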


Kazehakase PHP Injection example

This looks like a code injection attempt of some sort; I saw it this weekend. The last path segment URL-decodes to ${@print_r(md5(1123123))}, which is PHP, not SQL: if the application ever evaluates that value (an eval or template sink), the response will contain the MD5 hash of 1123123, and that is what the scanner checks for to confirm it has code execution.

GET /index.php/module/aciton/param1/$%7B@print_r(md5(1123123))%7D HTTP/1.1
Host: mysite.com
Accept-Encoding: gzip, deflate
Accept: */*
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.8) Gecko Fedora/1.9.0.8-1.fc10 Kazehakase/0.5.6
Connection: keep-alive


The Kazehakase/0.5.6 user-agent stuck out to me as unique.


Sample PHP Injection Themes.php

Another example of a PHP injection attempt. The eval("echo 10000000000-245205634;") payload is a probe: if the server evaluates the parameter, the response contains 9754794366, and the scanner knows it has code execution.

POST /themes.php HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)
Host: mysite.com
Content-Length: 178
Content-Type: multipart/form-data; boundary=----------------------------f1fd927d4b1a
qf385ab=eval("echo 10000000000-245205634;");
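Both this POST and the Kazehakase request in the previous post work the same way: the scanner needs no shell, it only checks whether the response contains the value PHP would produce if the injected expression ran. The same check lets you triage your own response logs to see whether a probe actually worked. This is an added example covering both posts, not code from the posts: the two request texts are transcribed from them, the response bodies are constructed, and the two regexes only recognise the md5() and integer-arithmetic probe styles shown on this page.

```python
"""Recover the marker each code-execution probe above expects, and test a response for it (added example)."""
import hashlib
import re
from urllib.parse import unquote

# Request line from the Kazehakase post (URL-encoded, decoded in expected_marker).
KAZEHAKASE_REQUEST = "GET /index.php/module/aciton/param1/$%7B@print_r(md5(1123123))%7D HTTP/1.1"
# Request line and form field from the themes.php post.
THEMES_REQUEST = 'POST /themes.php HTTP/1.1\n\nqf385ab=eval("echo 10000000000-245205634;");'

MD5_PROBE_RE = re.compile(r"md5\(\s*['\"]?(\w+)['\"]?\s*\)")
ARITH_PROBE_RE = re.compile(r"echo\s+(\d+)\s*([-+*])\s*(\d+)\s*;")


def expected_marker(request_text):
    """Return the string a successful execution would put in the response, or None."""
    text = unquote(request_text)
    m = MD5_PROBE_RE.search(text)
    if m:
        # PHP's md5() hashes the argument's string form, so md5(1123123) == md5("1123123").
        return hashlib.md5(m.group(1).encode()).hexdigest()
    m = ARITH_PROBE_RE.search(text)
    if m:
        a, op, b = int(m.group(1)), m.group(2), int(m.group(3))
        return str({"-": a - b, "+": a + b, "*": a * b}[op])
    return None


def probe_succeeded(request_text, response_body):
    """True when the response carries the marker, i.e. the server executed the payload."""
    marker = expected_marker(request_text)
    return marker is not None and marker in response_body


# Constructed responses: two from a server that evaluated the payload, one that did not.
VULNERABLE_ECHO_RESPONSE = "<html><body>9754794366</body></html>"
VULNERABLE_MD5_RESPONSE = "<pre>" + hashlib.md5(b"1123123").hexdigest() + "</pre>"
SAFE_RESPONSE = "<html><body>Not Found</body></html>"


if __name__ == "__main__":
    for name, req in (("kazehakase", KAZEHAKASE_REQUEST), ("themes.php", THEMES_REQUEST)):
        print(f"{name}: scanner is looking for {expected_marker(req)!r} in the response")
    print("themes.php probe succeeded against vulnerable host:",
          probe_succeeded(THEMES_REQUEST, VULNERABLE_ECHO_RESPONSE))
    print("themes.php probe succeeded against safe host:",
          probe_succeeded(THEMES_REQUEST, SAFE_RESPONSE))
```

If you keep response bodies (or at least response sizes) next to these requests, a body that contains the marker is the one you escalate; a generic page or 404 means the probe bounced off.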



Wordpress Gravity Forms File Upload Attempt

Here is a sample, captured this weekend, of last year's Gravity Forms WordPress file upload exploit. Note the two fields the attacker controls: gform_unique_id carries a directory traversal and name carries a .php5 extension, so the uploaded "image" is written outside the upload directory with a name the server will execute.

POST /?gf_page=upload HTTP/1.1
Host: mysite.com
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0
Connection: keep-alive
Content-Length: 2476
Content-Type: multipart/form-data; boundary=3196e7ebf0e84b8499c31b44f2f68dd8
gform_unique_id=../../../../
name=css.php5
form_id=1
field_id=3
file=11.jpg
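To see where those two fields land, here is the naive path join the probe is built for next to a hardened version of the same handler. This is an added example for this post, not Gravity Forms' code: UPLOAD_ROOT and the tmp/<unique_id>/ layout are assumptions for illustration, and the extension lists are mine.

```python
"""Where the Gravity Forms probe above lands, and the checks that stop it (added example)."""
import posixpath
import re

UPLOAD_ROOT = "/var/www/html/wp-content/uploads/gravity_forms"  # assumed layout
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf"}
# Every suffix mod_php may execute on a typical box; the probe picks php5 precisely
# because a deny-list that only names "php" misses it.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def vulnerable_target(unique_id, name):
    """Trust both client fields and join them: the pattern the probe exploits."""
    return posixpath.normpath(posixpath.join(UPLOAD_ROOT, "tmp", unique_id, name))


def hardened_target(unique_id, name):
    """Same layout, but every client-controlled piece is validated first."""
    # The id is generated server-side; accept only that shape, never path characters.
    if not re.fullmatch(r"[A-Za-z0-9]{8,64}", unique_id):
        raise ValueError("gform_unique_id is not a plain token")
    # The file name must be a bare name with no directory part.
    if posixpath.basename(name) != name or name in ("", ".", ".."):
        raise ValueError("file name contains a path component")
    # Check every dotted segment, so shell.php5.jpg is refused along with shell.php5.
    segments = name.lower().split(".")
    if len(segments) < 2:
        raise ValueError("file has no extension")
    if any(seg in EXECUTABLE_EXT for seg in segments[1:]):
        raise ValueError("executable extension")
    if segments[-1] not in ALLOWED_EXT:
        raise ValueError("extension not on the allow list")
    target = posixpath.normpath(posixpath.join(UPLOAD_ROOT, "tmp", unique_id, name))
    # Belt and braces: the resolved path must still sit inside the upload root.
    if not target.startswith(UPLOAD_ROOT + "/"):
        raise ValueError("resolved path escaped the upload root")
    return target


def is_rejected(unique_id, name):
    """True if the hardened handler refuses this (unique_id, name) pair."""
    try:
        hardened_target(unique_id, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The probe's own values, as captured in the post.
    print("naive handler writes to:", vulnerable_target("../../../../", "css.php5"))
    print("hardened handler rejects the probe:", is_rejected("../../../../", "css.php5"))
    print("hardened handler accepts:", hardened_target("a1b2c3d4e5f6a7b8", "photo.jpg"))
```

With the captured values, the naive join resolves to /var/www/html/css.php5 under the assumed layout, a PHP file in the document root; the hardened handler refuses at the very first check (the unique id) and would refuse again on the extension even with a clean id.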

