Saturday, December 01, 2012

w32.changeup

I was at work this week and a teammate mentioned that w32.changeup might be a concern to our client base.  We try to proactively alert our clients on what could affect them without needlessly spamming them (we try to weed through the hype as well).  The vendors already have the technical write-ups, so I'll spare the readers my thoughts on that.  But I will say that the worm was first discovered a year ago...it's an older worm but the new variants appear to be enhanced, and there's a large spike in infections across the world.  As well, the worm is apparently difficult to remove if not using AV tools.

In my research, I discovered the following:


  • When using Symantec as a resource, it is difficult to determine which variant is being discussed, which leads to confusion and not being fully aware of possible impact.  There are 32 variants of this worm and in most of Symantec's articles, knowledge-base entries, and blog/forum posts, the authors rarely mention the variants that could negatively affect users.  

  • As well, there aren't many other vendors that can detect and/or remove infections, so it is critical that rare resources be accurately documented (as much as possible, at least).

  • I became curious if any other vendor could detect (and/or remove) the worm, but because I didn't know a common name for this worm that the industry was collectively using, it was difficult to find additional details.  Finally, I stumbled across this:  http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name, which is the Symantec Blog.  It lists several vendor names of the worm.  It is highly annoying that I had to visit Symantec's site to find what McAfee named the worm.
I hate researching worms and viruses because there are no real standards that the AV industry follows.


Resources:

http://www.symantec.com/security_response/writeup.jsp?docid=2009-081806-2906-99
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&tabid=2
http://www.symantec.com/security_response/writeup.jsp?docid=2012-112709-5049-99&om_rssid=sr-latestthreats30days
http://www.symantec.com/connect/blogs/w32changeup-worm-any-other-name
http://www.symantec.com/connect/blogs/w32changeup-threat-profile
https://kc.mcafee.com/corporate/index?page=content&id=KB76807
http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=1607456

Thursday, November 15, 2012

Skype and Adobe

It's been awhile since I've done this, but here it is:

First, Skype.  Apparently, Microsoft fixed an issue with Skype accounts being vulnerable to hijacking.  It only took them three (3) months to address the issue...

https://isc.sans.edu/diary/Skype+account+hijack+vulnerability+fixed/14512

http://countermeasures.trendmicro.eu/skype-vulnerability/

Next, there's been another password disclosure breach, this time affecting Adobe and connectusers.com users.  The compromise occurred via a SQL injection attack.

https://isc.sans.edu/diary.html?storyid=14515

http://arstechnica.com/security/2012/11/adobe-breach-reportedly-spills-easy-to-crack-password-hashes/ 


Note (LONG):

I posted the notifications on Facebook, as my friends and family use Skype.  I'm going to throw this out there right now:  I hate OSS zealots.  I had an acquaintance stir up some crap about "why are you using Skype", "why are you using Windows", "why are you giving the corporations your money/data".

Life is SHORT.  That goes for everyone, including the zealots.  I'm a fan of open source software, but I don't live the life of "down with M$".  Microsoft has a place in my life.  I game...a LOT.  I play the types of games that don't do well within virtual environments...there are no Linux equivalents of these games.  As well, complicated software that is difficult to keep running properly in Windows tends to be even more cumbersome on *nix.  

I know how to administer *nix and know its strong points as well as weak points.  I know *nix very well.  I've never solely administered *nix for a living (I'm multi-disciplined), but I know it well enough to where I've been running *nix servers remotely without issue for YEARS.  I also tend to focus on security hardening on my *nix machines, more so than the average *nix administrator (I'm a security consultant by trade).  So I know what I'm doing...I'm seasoned enough to know what to do and what not to do.

Now, I love *nix.  But there are different types of such love.  I love it but I also love gaming.  *nix won't do what I desire when it comes to the types of games I play, so in that regard it fails me.  You don't have to agree or disagree, because it won't matter what you think when it comes to *ME* and my computing usage.

As well, *nix can be high maintenance, depending on what's broken and your experience level.  I've told several of my relatives that have an interest in trying different operating systems that Linux could give them some freedom.  If they try it and find that it's not for them, I'm not going to continue pushing it down their throats.  That's not me.  I don't try to convince people (but I might nudge them if they're showing a serious interest)...that's the job of the product.  Also, the person doing the trying has to be open-minded and willing to learn new things.  I can help with that but I'm already pinged constantly, since most people think I'm a general tech support guy that they can call/e-mail at any time...I'm not going to administer their box for them. If you don't have the drive to help yourself a little and be willing to learn, *nix is NOT for you.

And, sometimes I just want stuff to work when I install it...without me fiddling with config files.  Remember, I've been working as a consultant the last 10 years in sometimes grueling or archaic work environments.  I do NOT want to come home to the same crap.

Yes, I love smartphones.  Yes, I love Mac systems.  Yes, I'm OK with using Windows 7. 

This smacks of socialism (pushing people to adopt your version of the greater good...sharing everything, having extreme hate for commercialism).  Maybe I'm generalizing, but this is not the first time I've had someone berate me or try to push me to not use MS/this product/that company...like there's some code I'm supposed to be following as a *nix user.  For those that have issues with *nix guys using "M$" software, are you really going to bust a blood vessel worrying about what I'm using on *MY* LAN?

Lastly, regarding the "corporations are bad and will share your data as well as backdoor all apps and even the OS".  Bullshit.  Believe that crap if you want.  While I won't willingly give out my private data, I'm not going to live like an Amish person.  I won't live like I'm in a cave.  I'll lock down my data as much as I can, but I will not believe that all corporations are bad.  If you believe that, I guess you keep your life savings in your mattress....good for you if you do, but that's not me.

Tuesday, October 23, 2012

Postfix Install, OSSIM, Slack 14, Ubuntu, and VPNs

This isn't really a technical post, but I did want to share that I have Postfix running on my server.  I'd never had the need to run my own mail server until I moved my wigglit.com domain.  It was initially hosted at 1and1.com, but I got fed up with their service (or lack thereof).  I had several e-mail accounts set up there and still needed them to stay active, so I was pretty much forced to migrate the accounts as well as the domain.  The domain migration was pretty simple.  The Postfix install was much more difficult, even when using Webmin to set it up.  I used a Ubuntu tutorial (searched on 'webmin', 'ubuntu', 'postfix', and 'configuration') and used it exclusively to set up the server.  I think I have it tuned pretty well so far, only I found some bounced e-mails going back maybe a month or so...I fixed those today.  Those weren't actually related to Postfix, though.  When I stood up the new server and domain, I forgot to adjust the scripts that kicked off the e-mails (cronjobs).  I'll double-check tomorrow, but I think I've fixed those (was able to test the cronjob successfully...generated a test e-mail).  I've since been editing the main.cf file to make configuration changes (and restarting the mail server afterward).

I've also been trying to use OSSIM, but I think I need a dedicated machine.  I tried to use an install of it within VirtualBox, with very limited success.  It seems it needs considerable resources and doesn't run well on a virtual instance with limited CPU/memory resources.  I ran VirtualBox on my M17xR3...that machine definitely has enough horsepower, but only has 8GB of RAM...it may need a bit more so that I can give OSSIM ample memory.  As well, my RAID 0 drive set may be hindering OSSIM.  I got a taste of it, though, and like it much better than Aanval.  Unfortunately, I don't have a good spare box at the moment, otherwise I'd be running it already.  That was my first time using VirtualBox, also...it's not that much different than VMware...much simpler, though.

So, Slackware v14.0 was released not long ago.  I took the liberty of installing it within VirtualBox.  It runs very nice!  I'm in the process of evaluating it and will soon upgrade my two v12.0 machines.  No, I'm not using Slackware on my public server.  I opted to use Ubuntu (v12.04) instead.  While I love Slack, I needed something less high-maintenance on the public server.  No complaints so far and it's been about a year since I flushed it and gave Ubuntu a try...no complaints whatsoever.  KISS is where it's at.

Lastly, since I've had success with Postfix, I plan to eventually start evaluating security tools again.  I've been out of the loop for awhile and need to push myself to continue to be familiar with Linux and security.  I've never used any of the VPN software before, so I plan to establish a VPN conduit between my LAN and my public server.  We'll see how that goes soon.

Friday, October 19, 2012

Engineering Stories

On the way to work today, I remembered an occasion where a team member who'd left the company had been stockpiling 1U rackmount servers in storage.  He'd reimaged each server with a common image (each had different passwords, though).  I had a listing of passwords for each server, but the listed password for one particular server wasn't working and we needed to get access to that machine.  I couldn't just reimage the machine since, even though it shared a common image, it was prepped for deployment to a certain location and was configured for that specific site.  While I had a copy of the site-specific information, I just did not have the time to reimage the machine and reconfigure it...I saved that as a "last resort" option.

After a bit of research, I was able to log in successfully.

I knew the BIOS wasn't locked down, so I went into the BIOS and enabled booting from CDROM.  I had a copy of a Linux CD which I put into the CDROM tray.  I then power-cycled the system.  I was able to use the live-CD to boot up the box.  I mounted the drive within the system and removed the encrypted password within /etc/passwd using 'vipw'.  I then shut the box down, removed the live-CD, then started the system.  I was immediately given a shell.  I then reset the password to what was on the passwords list for that particular system then finished the pre-deployment steps.
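The edit described above, written out as a small script.  This is an added example, not the commands from the original post: it assumes the target root filesystem has already been mounted from the live CD (the /mnt path in the comments is an assumption) and that the hash sits in field 2 of the file you hand it, which is true of both /etc/passwd on pre-shadow systems and /etc/shadow on everything since.  The sample file it runs against is constructed for the demo, not taken from a real machine.

```shell
#!/bin/sh
# Added example, not the post author's commands.  Clear the password-hash
# field for one account in a passwd- or shadow-format file mounted from a
# live CD, e.g. /mnt/etc/shadow (path is an assumption).  Field 2 is the
# hash in both file formats, so the same edit works for either.

# blank_hash USER FILE : empty the hash field of USER in FILE (edited in
# place, mode and owner preserved).  Exit 0 if a line changed, 1 if not.
blank_hash() {
    user="$1"; file="$2"; tmp="${file}.tmp.$$"
    awk -F: -v OFS=: -v u="$user" '
        $1 == u { $2 = ""; changed = 1 }   # only the target user is touched
        { print }                          # every other line passes through
        END { exit changed ? 0 : 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file" && rm -f "$tmp"   # cat keeps the original inode/mode
}

# hash_of USER FILE : print the hash field of USER (verify before and after).
hash_of() {
    awk -F: -v u="$1" '$1 == u { print $2 }' "$2"
}

# Stand-alone demo on a constructed sample file (not a real system's shadow).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/shadow"
printf '%s\n' \
    'root:$6$saltsalt$CONSTRUCTEDHASHroot0000000000000000000000000000000000000000000:15000:0:99999:7:::' \
    'daemon:*:15000:0:99999:7:::' \
    'ron:$6$othersalt$CONSTRUCTEDHASHron00000000000000000000000000000000000000000000:15000:0:99999:7:::' \
    > "$demo_file"
echo "root before: $(hash_of root "$demo_file")"
blank_hash root "$demo_file" && echo "root after:  '$(hash_of root "$demo_file")'"
echo "ron untouched: $(hash_of ron "$demo_file")"
rm -rf "$demo_dir"
```

An empty hash field means "no password required", which console login honours but sshd does not by default (PermitEmptyPasswords is off) and PAM only allows with nullok, so this gets you a local shell, not a remote one.  Set a real password immediately after booting, as the post does, and treat the edit as an audit event: anyone with the box and an unlocked BIOS can do exactly this, which is the argument for a BIOS password and full-disk encryption on hardware that leaves your control.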

This is why I love Linux.  There's always an option.  I could NOT do this with one of the backup Windows servers we had.  That case was similar:  the system was a cold backup and was racked but powered down...it was a new system with a new image but customized for a specific role...it had yet to be used, though.  The password that we had for the device was apparently incorrect.  I even tried to crack the SAM file...that didn't work and I eventually had to reinstall (not reimage) Windows Server (forgot which version) onto the system again.  What made this much worse was that there wasn't an original cloning image to use, as well as the fact that the previous engineer hadn't maintained directions on how he configured the device.  So I had to use the trial-and-error method.  I eventually configured the OS properly and installed and configured the proper software (it was a CA eTrust AV server).  The whole time, the lead client was pestering, badgering, and being overly hostile.

In another case, another contractor had left the company.  He'd been administering a Nessus server that he installed on top of OpenBSD.  This contractor chose OpenBSD and was comfortable with working within a terminal session (as was I).  And really, the box didn't really have an abundance of resources anyways, so it was probably more robust without the GUI enabled.  I understood something of OpenBSD and was aware of how to conduct scans and how to view/store the scan results.  I even had a cron job running that would conduct the scans during maintenance windows.  Everything was working fine.  The same client lead couldn't operate the system because his *nix skills were seriously lacking.  Instead of asking for help/guidance, he directed another contractor to wipe the machine and install Red Hat with the GUI enabled so that he could operate the machine.  Data was not backed up.  The scanning data as well as configuration man-hours were wasted.

Another time, I was working a deployment issue where client remote hands were my remote hands/eyes.  They'd received our Snort sensor that we'd imaged, customized, and configured and had just finished racking and powering it up.  The remote hands did not know anything of how to operate within a terminal session.  I walked him through the process, spelling out the commands he needed to type.  The problem?  We built the machine and while testing it before we shipped, had logged into the machine via SSH.  When the machine was at the remote location, I could not establish an SSH session because the host key had changed.  In order for me to regain access, the remote hands had to remove the existing host key that was tied to the IP of my work machine...the host key resided on the Snort sensor that I was trying to log into.  What made me feel good was that one of the clients was logged into the bridge call and was listening.  After the call, she praised me for my knowledge of guiding the remote hands through the whole process without ever being able to view what was on his screen.  She also commented on how I guided him in what to type.  In this case, I could care less how much they were paying me (which wasn't really all that much)...I was happy that I was able to be of assistance and value.  That was payment enough.  That was one of the few bright days in working with that particular organization.  I soon took a dignified stance and left that contract.  To this day, I will not recommend any person I know to work at that particular location without giving them ample warning.
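For the host-key situation described above, here is what I would hand to remote hands as a script rather than dictating commands.  This is an added example, not the post author's procedure: it shows the stale known_hosts entry for a host first, so the key fingerprint can be checked against what was recorded when the sensor was imaged before anything is deleted, then removes only that entry.  It assumes the plain-text known_hosts layout; hashed entries (first field "|1|salt|hash") cannot be matched by name in text and are left alone, which is what `ssh-keygen -R` exists for.  The sample file is constructed and its keys are placeholders.

```shell
#!/bin/sh
# Added example, not the post author's commands.  Helpers for the "host key
# changed" case: show the stale entry for a host (compare its fingerprint
# with the one recorded at imaging time), then remove just that entry.
# Hashed entries ("|1|...") are never matched; use `ssh-keygen -R HOST -f FILE`.

# Shared awk function: does the first field (a comma-separated list of names,
# addresses, or [host]:port forms) contain host h?
KH_MATCH='
function matches(field, h,   n, names, i, name) {
    if (substr(field, 1, 3) == "|1|") return 0     # hashed entry, skip
    n = split(field, names, ",")
    for (i = 1; i <= n; i++) {
        name = names[i]
        sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port -> host
        if (name == h) return 1
    }
    return 0
}
'

# kh_find HOST FILE : print the known_hosts lines that match HOST.
kh_find() {
    awk -v h="$1" "$KH_MATCH"'NF > 0 && $1 !~ /^#/ && matches($1, h)' "$2"
}

# kh_remove HOST FILE : rewrite FILE without the lines that match HOST,
# keeping comments, blank lines and every other host.  Mode/owner preserved.
kh_remove() {
    tmp="$2.tmp.$$"
    awk -v h="$1" "$KH_MATCH"'NF == 0 || $1 ~ /^#/ || !matches($1, h)' "$2" > "$tmp" &&
        cat "$tmp" > "$2"
    rm -f "$tmp"
}

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KH='# constructed sample
sensor01,10.20.30.40 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDKEY1
[10.20.30.41]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY2
|1|c29tZXNhbHQ=|c29tZWhhc2g= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDKEY3
build01 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTEDKEY4'

# Stand-alone demo
demo_kh=$(mktemp)
printf '%s\n' "$SAMPLE_KH" > "$demo_kh"
echo "stale entry for 10.20.30.40:"
kh_find 10.20.30.40 "$demo_kh"
kh_remove 10.20.30.40 "$demo_kh"
echo "lines remaining: $(grep -c . "$demo_kh")"
rm -f "$demo_kh"
```

Removing the entry is the last step, not the first: a changed host key is exactly what a man-in-the-middle looks like, and the only thing that separates "we re-imaged it" from "someone is sitting between us" is comparing the new fingerprint with one you recorded out of band.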

But the main reason for this post is to share that I love *nix (and why)!

Thursday, September 13, 2012

BSD machine fixed!

So, I swapped a known working motherboard into the BSD machine.  It now works.  I also decided to use a quad core AMD AM2+ CPU that I had sitting around.  That's all I changed.

I'd originally thought the problem was related to the hard disk.  So, I decided the night before to disconnect the drives (it has two SATA drives), to determine if it were the real issue.  It still experienced the same symptoms after boot-up attempts, which told me it wasn't a hard disk issue.  I also swapped out the RAM with a known working chip with the same results when trying to boot-up.

So, either the old CPU (a dual-core AMD...I forget the model) died or something on the motherboard died (or maybe there was a short somewhere?).  I left it running a live instance of Linux Mint, just to see if it stays stable over the next 24 hours.

Next, I need to reinstall FreeBSD (wondering if I should try some others as well, such as OpenBSD or Mint).  I wiped the drive, thinking that there was some corruption issue...shouldn't have done that.

Saturday, June 23, 2012

BSD machine still not fixed; Slackware bullet-proof as usual...

So, I've had some time to play with my Slackware install.  I should actually upgrade to the latest, but I think I might try to get that BSD system back up this weekend.  I did upgrade firefox on the Slack machine, though...it was running a VERY old version (v2.x.x, I believe).  I'm running v12.0 now via my regular user account.

I'm tempted to install phpBB3 onto this machine (that's why I want to get into that BSD box...I'd just installed phpBB3 and had a very nice site that contained all my system and sysadmin notes that I've collected over the years...been using that software as a data repository since 2003 or so, on a very old system that runs phpBB2).

I've no real plans this weekend or maybe even the next (no autocross scheduled until next weekend and I'm opting out of that).  That should give me time to delve into the BSD issue as well as wiping the replacement system and installing the latest Slack.

Wednesday, May 30, 2012

Slackware Reunited!

Well, I'm back to using Slackware.  I don't know if that's actually proper to say, since I still use Slackware as an IDS for my LAN, but that box is pretty much just monitoring the network...nothing else.  I had an issue with my new FreeBSD box (it won't boot properly) and I needed another box, so I powered up an old machine that had Slackware v12 on it.  Yes, I'll upgrade to the latest as soon as I can, since everything seems to be out-of-date, such as my browsers and such.

I was able to get onto irc.freenode.net (was previously logging in via Xchat-aqua using my Macbook), but had a problem with D-bus:

ron@slackbox:~$ xchat
process 7948: D-Bus library appears to be incorrectly set up; failed to read machine uuid: Failed to open "/usr/local/var/lib/dbus/machine-id": No such file or directory
See the manual page for dbus-uuidgen to correct this issue.
  D-Bus not built with -rdynamic so unable to print a backtrace
Aborted

No, I don't use irssi or BitchX (I used to, awhile back).  Found that I could kickstart D-bus with the following command:

dbus-uuidgen --ensure

Dunno why this was an issue, since I didn't have the issue before I powered off the machine...maybe something broke during the power-down cycle of that last shutdown?  Dunno.

I'm glad to be delving in Slackware again...I love tinkering with different environments, but I'm pretty spread thin with Windows 7 (necessary evil to do my hardcore gaming), FreeBSD, Ubuntu (my colo server), and now Slackware...been meaning to reactivate an old box with OpenBSD on it also.  We'll see how I can cope with all this.  :)

Sunday, May 20, 2012

FreeBSD Pains

My 'new' BSD machine (FreeBSD 8.2) crapped out again.  Actually, I think either my wife or one of my kids accidentally shut it down.  Now it tries to boot up and immediately shuts down during the boot-up process.  I can't look at logs because it keeps shutting down.  I tried single mode and it does the same thing.  I've been trying to see the last line of the boot-up process before it shuts down...that's like trying to capture (with your mind) one frame of a film...very hard to do.  Well, it looks like it can't mount the root partition (just from what I've seen the millisecond before it shuts down).  I need to run fsck on it but I can't do that if it's not booting up properly into single mode.

I cheated and tried to boot up a live install of Linux Mint, Ubuntu (both of the latter are on USB sticks), and FreeBSD (on DVD)...they must be trying to mount the drive that the FreeBSD install is on, because they all shut down too.  So, I'm going to try a rescue version of FreeBSD (for memory sticks).

Once I fix this, I'm sure there's a rc.conf setting that I'll need to set to force an fsck during boot-up if needed.  This has happened ever since I installed FreeBSD and I'm a bit irritated...this should be enabled by default so that someone doesn't get 'locked' out of their system.  :/

Thursday, May 17, 2012

Missing me some Slackware...

I haven't played with Slackware in quite awhile.  I still run a server through Linode.com but I no longer have Slackware installed as an OS (I'm using Ubuntu for ease of use...yes, it is easier to maintain compared to Slackware and I've not run into any 'gotchas' yet).  I run one machine that has Slackware installed (it's sorely in need of an update, though) and it is being used as a NIDS system.  I've another machine with Slack on it that hasn't been turned on in months (its OS version is even older than the other system).  I'll probably turn on this system and begin to use it again, but it is in very sore need of cleaning (it has 4-5 hard disks with data ALL over the place).

I'm trying to resist the urge to run Slackware in a VM on my Alienware system.  It will require me to probably get more RAM (I'm trying to resist that idea for now).  I do not want to attempt a native install, as I don't feel like experimenting to get Slack to work on that system.  The integrated and dedicated GPUs will probably be an immediate issue, as well as the fact that my system is running two 750GB drives in RAID0.  And, that is also my gaming system.  There's no real need for me to install Slackware natively on my system.  But, I will definitely install Cygwin, since I can leverage its tools (such as GnuPG) without having to open a shell and have an internet connection.  Cygwin is the less complicated of the aforementioned options.

But I am missing using Slackware, which is why I've been trying to be more active at ##slackware on irc.freenode.net.  The thing is, I also have a fetish for Open- and FreeBSD, so I've been focusing on both of those the past few years.

Tuesday, April 17, 2012

Power Outages

There have been power outages here that have been taking down my lab equipment. This affected my new BSD machine. The drive became borked due to an unclean shutdown. After a few days, I got it back up again. It was a simple fix but one of the other machines kept me busy until I got to the BSD machine. The old BSD machine had an IP conflict with one of the Verizon set top boxes...I thought I'd set it to a static IP and when I checked, I had, but the damned router gave the set top box the same IP. I had to run around the house at 11PM trying to figure out which box it was (I've five of them). The last one I checked was the one I was looking for...go figure. A quick power-cycle and it got another IP. I wouldn't have figured this out if I hadn't used ARP. I kept pinging the BSD machine's IP but wasn't seeing return traffic...I telnet'd to port 22 and 80 and didn't get a response, either. So, I looked at the ARP results and saw that another machine had the IP...in fact, the set top box had two of them, but the MAC addresses were wrong on one (this was the BSD box entry...the MAC matches that machine). Very weird but hopefully it won't happen again.

I'll be looking to invest in a UPS soon. I need one that will be able to power down 3 *nix machines or at least keep them running for 5 minutes or so. Dunno if I should also ensure that there's room for the router...

Monday, April 09, 2012

Snortreport install

I remember running snortreport awhile back and liked it. I want to try to use it again, but I was having issues installing it in FreeBSD.

It appears that the FreeBSD port of snortreport requires php4. I'm currently using php5 and want to run snortreport with minimal fuss. I do not want to try to run both php5 (for Apache and phpBB3) and php4, as it will break the server. There are several tutorials on how to run both but as I said, I don't want any fuss.

So, I delved a bit into the ports and makefiles. I looked at the makefile for snortreport and decided to remove the php check that stops me from installing the port. It then choked on jpgraph (a dependency)...it appears that jpgraph is actually the port that requires php4. I was going to edit the makefile for jpgraph to allow the install (by commenting out the line that checks for php4), but saw that there is another version of jpgraph called jpgraph2. I looked at that port's makefile and it didn't check for php4 (it did check for php5). I went ahead and installed jpgraph2 instead, then installed snortreport without any warning/error messages.

So, for those of you that want snortreport on FreeBSD and want to leverage the ports system, you can get around the php4 dependency issue by just installing jpgraph2.

Of course, I still have to fully get snortreport up and running before I claim 100% success, right? ;)

Trying to upgrade/revamp my lab

I'm trying to retire some of my older equipment in my lab.  The biggest move will be in migrating my old FreeBSD server to a new one.  Both are currently up and running.

The old:

FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007
CPU: Pentium II/Pentium II Xeon/Celeron (447.69-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x652 Stepping = 2
Features=0x183fbff
real memory = 268427264 (255 MB)
avail memory = 252989440 (241 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1

The new:

FreeBSD 8.2-RELEASE-p3 #0: Tue Sep 27 18:45:57 UTC 2011
CPU: AMD Athlon(tm) 64 X2 Dual Core Processor 4400+ (2210.20-MHz K8-class CPU)
Origin = "AuthenticAMD" Id = 0x60fb2 Family = f Model = 6b Stepping = 2
Features=0x178bfbff
Features2=0x2001
AMD Features=0xea500800
AMD Features2=0x11f
TSC: P-state invariant
real memory = 1073741824 (1024 MB)
avail memory = 1002987520 (956 MB)
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
FreeBSD/SMP: 1 package(s) x 2 core(s)
cpu0 (BSP): APIC ID: 0
cpu1 (AP): APIC ID: 1

I've a LOT of data on the old system that I need to somehow offload and retain onto the new one.  I also have to stand up updated services (mysql, ssh, httpd) and apps (phpbb3, BASE).  I already have the new phpbb3 running (it is NICE), but still have to install BASE (although Snort is installed).

I'll keep you all updated on this.

Wednesday, February 01, 2012

Moving my older domains

So I had wigglit.com hosted at 1and1.com, but ran into issues with them that appear to be recurring.  I previously purchased MobileMe for my mac machines (I can archive data as well as use its e-mail system and web page authoring), but since Apple is killing MM and migrating to iCloud, some of those capabilities are disappearing.  I decided to host my pages myself, using 1and1.com, but apparently they are idiots.  I sometimes need to shell into the 1and1.com environment to make changes and I've been trying to pipe the data hosted on MM to 1and1.com but they keep locking my account.  I've sent several nastygrams asking them to lessen the lockout threshold on their shell accounts, but they keep blaming the user and not really investigating, sending cookie-cutter responses and such.  So I told them I'm going to discontinue their services as soon as I migrate the data.

So far, I've moved wigglit.com over to my Linode account.  I've moved my SV1000 blog and site to sv1000s.wigglit.com, and my Apple blog was moved to apple.wigglit.com.  I'd never used subdomains before, so that was new to me.  I also had never delved in DNS, as I had to map my subdomains to my Linode account.  Using the Linode tools and a bit of research, I was able to do this seamlessly.  I now have functional subdomains.

I'm going to eventually have everything consolidated on the Linode.  The big one will be migrating my e-mail to my Linode system...I think that's going to be painful.

I will move the rest of the data soon and discontinue using 1and1.com's services within 30 days.

Note that this has nothing to do with Slackware in itself, but I wanted to capture this move in one of my blogs.