Tuesday, 1 September 2015

Apache Logging Forensics (introduction)

The following article was created for a software documentation I wrote a year ago. As I buried the software, the documentation was never finished.

Introduction


The idea of "MyPyApacheFW" started in 2013.

It was caused by a web server. Nothing fancy, but at risk. It was running a normal Apache PHP content management system, and investigation showed that it was under heavy attack during the night.

The first idea was to simply install mod_security[1] on it and include the OWASP ruleset[2], but this just broke the whole system, as the standard handling by the CMS led to many problems that could not be resolved in an easy way.

So, in order not to leave it the way it was, I started my firewall project.

The project is available on GITHUB.

[2] http://spiderlabs.github.io/owasp-modsecurity-crs/

Apache Log Entry

When we take a look at "combined logging", which I use so that all log files are in one place and I do not need to run multiple instances at the same time, we basically have these fields within the log file:

oc.johest.de:80
    Server name or server alias of the server which was accessed (ServerAlias:Port).
142.0.41.40
    The source address the request came from.
[30/Dec/2014:12:32:56 +0100]
    The timestamp of the access.
"GET / HTTP/1.1"
    The GET command which was received.
302
    The return code of the GET.
526
    The size of the data which was sent in return for this request.
"-"
    The Referer header sent by the client ("-" when none was sent).
"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
    The information on the client used to perform the GET request.



The GET request

Now, let's take a closer look at the GET request itself.
The request can again be split into three parts:

GET
    Type (method) of the request.
/
    Path or URL which was requested.
HTTP/1.1
    HTTP version used for the request.

The client information

"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"

The client information is pretty straightforward. It shows the program used to access the website and some basic information on the operating system used. The OS information is mostly taken from the client information itself, i.e. the OS the client was built for.
Here we see that the client was a Firefox build for Windows.

"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2251.0 Safari/537.36"

Another client "seen in the wild" is this Safari build on Mac OS X.


How does it work



When receiving a GET / HTTP/1.1 request:
  • Apache is asked to deliver the content of / to the client. The meaning of / is taken from the server which was addressed, in our case oc.johest.de.
  • Apache will determine the location of / according to the information within the server description (normally within /etc/apache2/sites-enabled/SERVERNAME.CONF, in our case 001-oc.conf).
  • / hereby means the source folder described within the directory structure of the conf file.
  • It depends on the configured behaviour what it will deliver now:
    • index.html
    • index.php
    • a list of the contents of the directory

  • Now Apache will find out if the content can be delivered, and the return code represents what happened. 302 ("Found"), for example, means the resource was found but the client is redirected to another location. Please refer to http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html for a full list of return codes.
  • In addition, Apache calculates the size of the content returned.
  • Apache will place a log entry within the log file (normally within /var/log/apache2/, in our case other_vhosts_access.log).
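As an added example (my code, not MyPyApacheFW's), here is a parser for the log line dissected above. It assumes the Debian default vhost_combined LogFormat used for other_vhosts_access.log, which also carries the identd and remote-user fields (the two "-" after the client address) that the table above leaves out; the sample line is constructed from the table's values.

```python
import re

# Constructed sample line in Apache's "vhost_combined" LogFormat (the layout of
# other_vhosts_access.log):  %v:%p %h %l %u %t "%r" %>s %O "%{Referer}i" "%{User-Agent}i"
# Values come from the table above; the two "-" after the client address are the
# identd and remote-user fields (%l %u), which the table does not list.
SAMPLE_LINE = (
    'oc.johest.de:80 142.0.41.40 - - [30/Dec/2014:12:32:56 +0100] '
    '"GET / HTTP/1.1" 302 526 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"'
)

VHOST_COMBINED = re.compile(
    r'^(?P<vhost>[^\s:]+):(?P<port>\d+) (?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def parse_vhost_combined(line: str) -> dict:
    """Split one vhost_combined line into named fields; the request (%r) is further
    split into method, path and HTTP version as described in the post."""
    m = VHOST_COMBINED.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not match vhost_combined format: %r" % line)
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    entry["status"] = int(entry["status"])
    # %O is the size including headers; Apache writes "-" when nothing was sent
    entry["size"] = 0 if entry["size"] == "-" else int(entry["size"])
    entry["referer"] = None if entry["referer"] == "-" else entry["referer"]
    # A malformed request line may have fewer than three parts; pad with empty strings
    method, path, version = (entry["request"].split(" ", 2) + ["", ""])[:3]
    entry.update(method=method, path=path, version=version)
    return entry

def status_class(status: int) -> str:
    """Name the RFC 2616 class of a return code; 302 is a redirect, not an error."""
    classes = {1: "informational", 2: "success", 3: "redirection",
               4: "client error", 5: "server error"}
    return classes.get(status // 100, "unknown")

if __name__ == "__main__":
    e = parse_vhost_combined(SAMPLE_LINE)
    print(e["vhost"], e["client"], e["method"], e["path"], e["status"], status_class(e["status"]))
```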

Monday, 3 August 2015

SendMeSpam: A two stage compromise attack

SendMeSpam: A two stage compromise attack: I am pretty sure you have read the blog post for the php code execution attack. http://sendmespamids.blogspot.nl/2015/07/encoded-bot-execu...

SendMeSpam: HTTP/2 revisited

SendMeSpam: HTTP/2 revisited: As you may know, I published a simple blog post about "HTTP/2 PUSHing malicious content" . This lead to some discussions and more ...

SendMeSpam: HTTP/2 malicious SERVER PUSH (weak POC)

SendMeSpam: HTTP/2 malicious SERVER PUSH (weak POC): HTTP/2 now supports SERVER PUSH messages HTTP/2 adds a new interaction mode whereby a server can push responses to a client ( Section 8.2...

Monday, 20 July 2015

Sunday, 19 July 2015

SendMeSpam: Encoded bot execution from 162.209.14.224 includin...

SendMeSpam: Encoded bot execution from 162.209.14.224 includin...: 2015-07-19 16:28:52 Source IP: 162.209.14.224 Country: US RiskScore: 1 Malware: [] POST //%63%67%69%2d%62%69%6e/%70%68%70?%2d%64+%61%6c%6c%...

SendMeSpam: Encoded NTTPD attack from 110.170.205.51

SendMeSpam: Encoded NTTPD attack from 110.170.205.51: 2015-07-19 05:17:46 Source IP: 110.170.205.51 Country: TH RiskScore: 2.9 Malware: [] POST /tmUnblock.cgi HTTP/1.1 content-length: 946 %73%7...

Friday, 17 July 2015

SendMeSpam: Encoded NTTPD attack from 149.129.69.111

SendMeSpam: Encoded NTTPD attack from 149.129.69.111: Earlier today my honeypot (new version, by the way) received an encoded attack 2015-07-17 19:04:14 Source IP: 149.129.69.111 Country: MY ...

Monday, 13 July 2015

Saturday, 4 July 2015

SendMeSpam: Urlencoded attack by 198.154.63.131

SendMeSpam: Urlencoded attack by 198.154.63.131: After some weeks with really not much going on on the honeypot, I had a URL-encoded attack yesterday. {"message":"Jul 4 0...

Thursday, 25 June 2015

IBM Xforce Exchange - my client script

As some of you may know, my SendMeSpamIDS includes a script to check data against the IBM X-Force Exchange API.


As this script was hidden within a sub folder, I decided to create a standalone GitHub project out of it:


Usage: XFupload.py [options]
Options:
  -h, --help            show this help message and exit
  -u scanurl, --url=scanurl
                        URL to be checked by Exchange IBM Xforce
  -m scanurl, --malware=scanurl
                        Malware to be checked by Exchange IBM Xforce
  -f filename, --file=filename
                        file (md5 hash) to be checked by Exchange IBM Xfo
  -x xfid, --xfid=xfid  XFID to be used
  -c cve-xxx-xxx, --cve=cve-xxx-xxx
                        CVE, BID, US-Cert, UV#, RHSA id to be searched
From time to time I add improvements to this script, so stay tuned for changes.

The script was developed and tested on:
  • Windows 7 Pro (including Visual Studio + Python)
  • Ubuntu and Debian
  • Raspberry Pi with Debian

Thursday, 18 June 2015

Monday, 15 June 2015

SendMeSpam: JST IrcBot revisited

SendMeSpam: JST IrcBot revisited: Maybe you remember the shell injection I reported yesterday. This morning I took the time to read a bit through the code JST Perl IrcBot...

Sunday, 14 June 2015

SendMeSpam: Perl script injection: 85.214.60.234/den

SendMeSpam: Perl script injection: 85.214.60.234/den: In the last two days several shell injections have hit my honeypot. Each of them tried to download a Perl script and execute it Jun 13 06:42:11 ...

Wednesday, 27 May 2015

SendMeSpam: That's new: allcfgconf attack seen in the wild

SendMeSpam: That's new: allcfgconf attack seen in the wild: According to my last log files from yesterday, there was an attack which included an allcfgconf statement beeswarm [mypyfwa] 2015-05-28 0...

Tuesday, 26 May 2015

SendMeSpam: Introducing IBM X-Force Exchange

SendMeSpam: Introducing IBM X-Force Exchange: Several weeks ago IBM launched their X-Force Exchange web interface. Basically, the idea behind this is to have a collaboration platform whe...

Monday, 11 May 2015

Wednesday, 6 May 2015

SendMeSpam: PHP injection attacks (encoded URL analysis)

SendMeSpam: PHP injection attacks (encoded URL analysis): I adjusted my analysing script to now do a length count of the request. The reason was an ongoing attack which tried to inject URL-encoded code i...

SendMeSpam: China.Z still out there

SendMeSpam: China.Z still out there: I am still seeing China.Z malware or variants hitting the system on a regular basis (1 to 4 each night). All attack vectors look the same, o...

Sunday, 3 May 2015

SendMeSpam: Trojan.Perl.Shellbot-2 injection

SendMeSpam: Trojan.Perl.Shellbot-2 injection: Last night I had another 30 lines of attempted shell code injection and malware download. 194.176.119.86 - - [02/May/2015:21:14:23 +02...

Saturday, 25 April 2015

SendMeSpam: perl script injection again

SendMeSpam: perl script injection again: The same style as reported some days ago hit the system again last night 186.56.42.11 - - [25/Apr/2015:09:11:48 +0200] "GET /c...

Sunday, 19 April 2015

SendMeSpamIDS

All tools which have been written are now used on my honeypot.
All results of this honeypot are now available on the special blog for this server:

http://sendmespamids.blogspot.de/

Monday, 26 January 2015

MyPyApacheFW: what's new

In the last few months I tried to achieve some improvements on my tiny little firewall. So here is what's new:

Usage: mypyfw.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  write report to FILE, default is /var/log/mypyfw.log
  -i IPPOSITION, --ippos=IPPOSITION
                        adjust IP position, default is 0
  -b FILE, --blacklist=FILE
                        path to blacklist, default values are Hardcoded
  -w FILE, --whitelist=FILE
                        path to Whitelist, default values are Hardcoded
  -t, --try-run          you want a test run
  -g, --geoIP           add GeoIP data to output
  -p, --pf              use PF as firewall (ex. on openBSD)
  -n INTERFACE, --net=INTERFACE
                         set iptables/pf network interface

  1. pf is added
    I added support for pf. While changing my developer notebook to OpenBSD I thought it might be useful to integrate pf as the OS firewall used. Thanks to py-pf and the help of its developer I was able to integrate it. IMPORTANT: When using pf you should also tell the script which interface to use:
    python mypyfw.py -p -n em0
    If you don't set an interface, it will default to eth0.
  2. conf.d now added by default
    In the current version the MatchList and the IPWhiteList are added by default.
    I did this as a preparatory step and hope that I will be able to provide updates to these lists, so that you can receive updates for them. In addition to that, I have some IP blacklists on the target. We will see what happens here.

What's next:

There are many ideas on my mind.

  1. Improve GETanalyzer.
    The GETanalyzer has been part of the script since the beginning. Currently it is only used to identify SQL injection in a very simple way, e.g. by counting words like SELECT, FROM and JOIN. I am currently creating a list of what to add, like a recursion counter. The level will be set within the conf file. So, once the analyzer is extended, the introduction of a conf file to set variables will be part of this.
  2. Documentation
    I am currently working towards documentation: a nice PDF which shows how Apache works, what the layout of the log is and how my script integrates with this. I will use it as a source for a talk I want to give at an OWASP meeting (or so) :-)
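As an added example of the keyword-count approach described above (my code, not the project's GETanalyzer), the following flags a request path once it contains a configurable number of SQL keywords, URL-decoding it repeatedly first so that encoded requests like the ones reported on the honeypot are inspected in clear text; the keyword list, the threshold and the sample paths are assumptions of mine. The benign sample paths show why the count alone produces false positives.

```python
import re
from urllib.parse import unquote

# Keywords the post names as the basis of the current GETanalyzer, plus a few that
# commonly accompany them; the list itself is my choice, not the project's.
SQL_KEYWORDS = ("SELECT", "FROM", "JOIN", "UNION", "WHERE", "INSERT", "UPDATE", "DELETE", "DROP")
# Assumed threshold, standing in for the level the post plans to read from a conf file.
DEFAULT_LEVEL = 2

def decode_fully(path: str, max_rounds: int = 5) -> tuple:
    """URL-decode repeatedly until the text stops changing, so double encoding
    (%2520 -> %20 -> space) is seen through; returns (decoded, rounds_needed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds

def sql_keyword_count(path: str) -> int:
    """Count whole-word SQL keywords (case-insensitive) in the decoded request path."""
    decoded, _ = decode_fully(path)
    words = re.findall(r"[A-Za-z_]+", decoded)
    return sum(1 for w in words if w.upper() in SQL_KEYWORDS)

def looks_like_sqli(path: str, level: int = DEFAULT_LEVEL) -> bool:
    """The post's heuristic: flag the request once the keyword count reaches the level."""
    return sql_keyword_count(path) >= level

# Constructed sample paths with the verdict the heuristic gives at DEFAULT_LEVEL:
# an encoded and a double-encoded injection attempt, a benign path below the
# threshold, and a benign path that the plain keyword count still flags.
SAMPLES = {
    "/index.php?id=1%20UNION%20SELECT%20user%2Cpass%20FROM%20users": True,
    "/index.php?id=1%2520UNION%2520SELECT%2520user%2520FROM%2520users": True,
    "/blog/select-your-plan": False,
    "/docs/joining-tables-with-join-and-select": True,  # false positive
}

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sql_keyword_count(sample), looks_like_sqli(sample), sample)
```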