Hackosis

In response to Snort: Simple Rule To Block HTTP Brute Force, here is a similar rule, only for POP3 brute forcing:

HINT: You may have to adjust the threshold by modifying the ‘count 20, seconds 10′ part to meet your needs. Some brute forcing programs can generate up to 80 logins per second, so it is possible to set the threshold much higher if you are getting false positives.

I got hacked not too long ago, so I decided to setup snort patched with snortsam to stop the intruders. This acually works very well.

They got in by brute forcing a log in page for the web mail interface. The intruders also used the compose mail page to send spam after they broke in.

I wrote my own snort rule to detect and block brute forcing and sending spam through the web mail (It will only block if you have snortsam properly setup). This rule blocks anyone that does an HTTP POST more than 20 times within 10 seconds (I believe it is a ratio - average of 2 times per second).

HINT: Replace X.X.X.X with the IP of your web server. Take out the “fwsam: src, 5 minutes;” if you are not using snortsam (you should be ;p). Replace 123456789 with your own custom ID and make it large so it doesn’t conflict with default snort rules.

Have you wrote any custom snort rules or do you have a suggestion to improve this rule? Show us in the comments.

Emerging Threats hosts the only open snort rule set.

Emerging Threats is funded by National Science Foundation and the Army Research Office.

You can download the rule sets separately or all at once.

Check out the perl script to automatically update your iptables, Honeywall and Smoothwall configurations, and the inline snort config.

Confused? Read the Emerging Threats documentation site.

What is Snort?

SNORT® is an open source network intrusion prevention and detection system utilizing a rule-driven language, which combines the benefits of signature, protocol and anomaly based inspection methods. With millions of downloads to date, Snort is the most widely deployed intrusion detection and prevention technology worldwide and has become the de facto standard for the industry.

If you use snort and don’t already know about Emerging Threats I am sure it will help you out on your intrusion detecting escapade. If you have any tips for using Emerging Threat’s rules let us know in the comments.

The Tor Browser bundle makes it easy to use Tor without having to install any software on your PC. You can even slap it on your jump drive to use any where you go.

And it is as easy as — download, extract, run!

From the site:

The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, it prevents the sites you visit from learning your physical location, and it lets you access sites which are blocked.

The Tor Browser Bundle lets you use Tor on Windows without needing to install any software. It can run off a USB flash drive, comes with a pre-configured web browser and is self contained. The Tor IM Browser Bundle additionally allows instant messaging and chat. If you would prefer to use your existing web browser, install Tor permanently, or if you don’t use Windows, see the other ways to download Tor.

The bundle includes portable Firefox and also Pidgin IM software with the IM Browser bundle (separate download).

Check out the Tor Browser page for downloads and instructions.

If you like Tor you might want to check out Take Control of Tor With Vidalia, Browse Anonymously with XeroBank, and using Anonym.OS to encrypt and anonymize traffic.

Infinity Exists features many ‘how to’ videos to quench your inner thirst for exploit information. Topics include lock picking, password cracking, email spoofing, SQL injection, and much more.

What are you waiting for? Go check out the videos!

I was testing some things on this site today. I opened the error log and found something interesting (X.X.X.X = me):

Yes, these IP addresses are registered to Google. BUT why is Google loading every page I visit at the exact time? This is reproducible for every 404 I can generate.

I understand the concept of a bot and crawling the web for information, but is it necessary that they crawl every single page that I load? Surely they can’t be doing this for everyone on the web.

Does anyone have an explanation for this?

If you have a web server I would be interested to see if you can produce the same results…

From Wikipedia:

The fork bomb is a form of denial of service attack against a computer system that implements the fork operation, or equivalent functionality whereby a running process can create another running process. It is considered a wabbit as fork bomb programs typically do not spread as worms or viruses. It relies on the assumption that the number of programs and processes which may be simultaneously executed on a computer has a limit.

Yes, the command “:(){ :|:& };:” looks like a bunch of rabid smileys, but in fact is a dangerous command that could leave your Linux system unusable until rebooted. The command essentially creates a DoS attack on the system by spawning a large number of processes and very quickly taking all available resources and process slots. This is especially important on multiuser systems like terminal servers, web servers, etc.

The jargon file also defines fork bomb.

Linux is not the only vulnerable OS, but lets focus on the bash command structure for now and I will fill you in on ways to prevent your system from being vulnerable from this command and catching users who attempt to start the fork bomb.

:(){
 :|:&
};:

Essentially the code says:

Bomb the bombs while I drop bombs with even more bombs.

But how do I prevent the fork bomb?

Linux has a handy pam_limits module that can limit the amount of resources any one group or user can take. The configuration is stored in the /etc/security/limits.conf file. This will restrict the user or group from spawning more processes than defined in the configuration.

NOTE: This requires that you have the pam_limits module installed.

Example configuration:

user          hard    nproc           300
@group        hard    nproc           300

Replace ‘user’ with usernames and replace ‘@group’ with group names. You might have to play around with the settings and see what works best for your environment and available resources.

OK, but someone is dropping the fork bomb and I can’t tell who it is!

You could simply look in their ~/.bash_history and see, but that isn’t to say they haven’t deleted it out of the file.

The Linux kernel patch grsecurity could be another solution. I don’t have much experience with the patch so I cannot go into great detail, but the grsecurity forum has a bit of information on the issue.

If you have not setup ways to protect your mutliuser system from the fork bomb, it just might leave you dropping the F bomb. We wouldn’t want to hear any system administrator saying that, would we?

Know any other ways to create the fork bomb? Leave a suggestion in the comments.

Not only can you blind cameras with infrared LEDs, lasers work as well.

Your first thought might be,”It’s really hard to shine a laser at a camera and do something at the same time!”. Not when you mix a tripod and a gun’s laser scope.

One major limitation of this method is the fact that most lasers only emit one color, therefore it is fairly easy to filter the color using optical and electronic methods unless multiple colors are used.

Another limitation may involve exactly how to locate cameras, as they can be hidden anywhere.

Michael Naimark can say a whole lot more about the camera zapping subject with laser beams than I can. Have a look at his excellent document on this interesting subject.

How to ZAP a Camera: Using Lasers to Temporarily Neutralize Camera Sensors - by Michael Naimark [via How To Do Stuff]

Kevin Mitnick tells a story about how he played workers at a Hollywood telephone company with his 1337 social engineering skills:

More videos and info at news.cnet.com.