Sunday, November 04, 2012

BOT House|RELOADED - Part I


At long last, BOT House is finally reincarnated.  And on a much perkier Intel box with a newer, 64-bit version of Debian.  The new, official name is BOT House|RELOADED or BH|R for short.

So much hardware has crashed and burned this year it's hard to keep track of it all.  First, it was the proxy project box.  It died of—what else—hard drive failure.  It was a strange setup in the first place: a (hardware) "RAID Nuthin" array spread across an IDE and a SATA drive.

And to complete the nightmare... on LVM.

But there were backups.  I re-installed everything on an external USB/IDE drive temporarily just to keep things running.  Later I bought a pair of 3.5T SATA drives & a new RAID card.  I mirrored the drives and plan to use it as the main backup for all this crap I shit out.

But before I finally got around to taking it off the USB, UPSes started to shit themselves.  Power failures have been brutal this year.  It used to be all I had to worry about were a few minor brown-outs during the beginning of "air conditioner season", but this year multi-day blackouts were far too common for my comfort level.  Two UPSes died.  I replaced the batteries in one and upgraded another from 350VA to 1000VA.

A few weeks after the derecho hit and knocked us out for four fucking days (two off, one on, two more off) it was getting a little windy outside, so I decided to check the Weather Channel for a forecast.  I turned on the TV, tuned in, and no sooner than they said "... high winds approaching our area..." the entire house went dark and stayed that way for another forty-eight hours.

A couple of weeks later, there I was, minding my own business and limping away on the USB drive in the proxy project box when one day, after mowing the lawn, I sat down and searched for images of Mossberg shotguns (for this story) on Google.

And... nothing happened.

Then I heard this "click click" sound coming from BOT House.  I switched to the console.  The last thing I saw was a message that said "Replace UPS battery" before I tried to reboot it.

It didn't reboot.  It just went click click click...

I spent the rest of that afternoon recreating the router & firewall on a bootable USB version of the Backtrack5 LiveCD and ran that for a couple of months before buying all the new hardware—computers, UPS's, hard drives—for everything and re-engineering the whole DinkNet NOC from the bottom up.

The things I do for you kids!

Thursday, May 31, 2012

Flasad32.dll


Just thought I'd drop a quick "blog turd" to get another hit from Google.

Long story short(ish): had a victim of some type of Russian malware, likely a password stealing bank Trojan.  The anti-virus was clueless.  Found one suspect DLL, deleted it, and another (the title of this post) appeared to take its place.  When I went to Google the name of this DLL, Google had nothing.  So I thought I'd take advantage of that as long as they came up with blanks.

This was a few days ago.  The situation hasn't changed.

There was some silly ASCII stuff inside the DLL, very similar to stuff I found in the first DLL.  I will share it with you here...

He standard alive cutting get cup, point itself sign, were waste establish in happened five, through balloon, smaller sing without thirty set between swim development Andy national without, citizen manufacturing quit fifth in wrong at still pencil egg falloff behind water above taught, threw, thing lips whale alive cutting get cup point breakup aboard went torn draw establish in build wear, five let separate wept, fur sing completely jar development under comeup Illinois above rest increase manufacturing thou lit will still pencil wound over drive falloff breakfast leader from Johnny lips whale alive cutting, get cup, point itself sign draw establish proper five let onto arrive smaller constantly of once development under, ancient, national inside fit before thou in let will, on ranch pencil wound happily movement leader thing lips, whale alive cutting get above, frame point itself between like were waste, establish burst, wear of kill let onto arrive into, spent fur sing, completely jar development Andy national without spread manufacturing quit at scared yet become on ranch pencil egg falloff, breakfast leader thing from bat whale above, clock cutting get above frame point out of offer sign, in comeup, Germany establish burst wear five bar smaller constantly set child development Andy. 

So there you have it.  Not sure what the point is, but the "pencil egg" theme, "thing lips", and "Andy" were in the first DLL as well.  Before you go and make a firewall rule with this data, be advised I don't know if this is the malware itself or part of the payload.  I don't have a full forensic environment (I work for Cheap Bastards), so studying it in depth was out of the question.  I opted to "nuke and forget", but I did keep both DLLs, just to see how long it will take for the AV companies to catch up.

"Flasad" could be construed to be a corruption of "Flash Ad".  Something had to download it to replace the original one that got deleted, so it's not 100% of the infection.  But I did find the text amusing, so there you have it.

Let me know if you got infected by this bug.  Drop a note and we'll compare results.

UPDATE 07/12/2012


This bugger was finally detected today as "Generic PWS.y!1e3" by an AV vendor who will remain nameless.

That took SIX FUCKING WEEKS.

So I was right.  It was a password Trojan.

I'm never wrong.  And when I am I delete that post anyway so there's no proof.

Wednesday, April 18, 2012

/* Shitty globals */


This is nothing earth-shattering so I'll try to make it short and sweet.  And I'll add the pertinent links later.  If I feel like it.

A couple of weeks ago, the InfoSec Institute announced a privilege escalation problem with wicd in Backtrack 5 R2, which caused the BT people to go into Butthurt Mode and emit a Class 3 Shit Storm.

"Tut, tut," they proclaimed, "you can't escalate privileges on a system designed to be run as root and besides it's not our fucking code."

The InfoSec people said "Ooopsie!", the wicd wonks fixed it, and everyone went on with their lives.

Meanwhile, Hinky stumbles onto a really insecure network while he's hacking around on BT5 R2.  Digging into the available BT tools, he finds netdiscover-0.3beta7, which is basically an ARP scanner (it sends ARP requests and listens for the replies) in the Information Gathering→Network Analysis→Identify Live Hosts "hive".

It worked great, except the built-in OUI list was ancient and didn't identify the vendor of over 90% of the hosts I found.  So I searched around for the code and found this, in which the author states:
I’ve written a patch for NetDiscover 0.3-beta7 (the last release) that eliminates libnet dependency. 
Apparently he had some religious objection to linking the software with both libnet (old) and libpcap (well maintained), so he fixed it.  He then gives a link to the package at backtrack.it, the Italian headquarters of Backtrack.  So I figure hot damn this must be the place!  And the link doesn't fucking work.

Just my luck.

But this is the Internet, so it has to be somewhere.  I find "an equivalent package" here, also with the same notes about eliminating the dependencies on libnet.

Great.  Well that settles that.  And there's an OUI update script!  Great stuff.  I update the OUIs and compile the program and then...

I am disappoint.  : (

It works, but it doesn't find the hosts that the stock BT5/R2 version finds.  WTF is going on here?

So I run both programs through Wireshark to see the differences.  And the difference is: the BT5 version sends the correct MAC address of my NIC and the "equivalent package"—same version number and beta level, mind you—sets my MAC to...

ca:fe:ca:fe:ca:fe

How about that?  So I look into the code and sure enough, in the source file ifaces.c, under a comment titled...

/* Shitty globals */

... is an array of unsigned chars representing just that value.  As an experiment, I change the array to my MAC address, recompile, and run it.

It works fine.  It finds the same hosts that the standard, off the shelf, BT5 code—same version number and beta level—finds.  And now it identifies the OUIs properly.

So... what is the difference in the code, besides the OUI issue?  Intrigued, I ran both executables through "strings" and discovered that the BT5 version is linked to libnet.  Try it yourself:

# strings /usr/local/sbin/netdiscover | grep libnet

(ldd on the binary tells you the same thing, and won't be fooled by a stray "libnet" in some message string.)

No denying it: this is not the same code.  The fine folks at Backtrack took "netdiscover-0.3beta7" and put the libnet stuff back in.

Like I said, this is not earth-shattering, but I have to take Backtrack's "not our code" position with a grain of salt from now on.  I ended up hacking "netdiscover-0.3beta7" to put the real MAC into the "CAFE" array, but I wouldn't have had to do that if BT would release their code.

Shitty globals or not.
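As an added example (not code from this post, from BackTrack or from netdiscover), here is a small POSIX shell script that fingerprints a netdiscover binary on the two points above: whether it references libnet, and whether the ca:fe:ca:fe:ca:fe constant is embedded in it as raw bytes.  The path /usr/local/sbin/netdiscover is the one from the post; the soname extraction is a plain grep over the file, with ldd or readelf -d as the authoritative check.

```shell
#!/bin/sh
# Added example; not code from the post, from BackTrack or from netdiscover.
# Fingerprint a netdiscover binary on the two points the post observed:
# does it reference libnet, and does it carry the ca:fe:ca:fe:ca:fe constant?

# Shared-object names the file refers to (e.g. libnet.so.1, libpcap.so.0.8),
# found with a plain grep so it works without binutils.  "ldd <bin>" or
# "readelf -d <bin> | grep NEEDED" is the authoritative answer.
sonames() {
    LC_ALL=C grep -a -o 'lib[A-Za-z0-9_+-]*\.so\(\.[0-9][0-9]*\)*' "$1" | sort -u
}

# Exit 0 if the binary references libnet: first by soname, then (for a
# statically linked libnet) by any "libnet" string at all, which is what the
# post's "strings | grep libnet" does.
links_libnet() {
    sonames "$1" | grep -q '^libnet\.so' && return 0
    LC_ALL=C grep -a -q 'libnet' "$1"
}

# Exit 0 if the six raw bytes ca fe ca fe ca fe occur in the file.  Octal
# escapes because POSIX printf promises \ooo but not \xhh.
has_cafe_mac() {
    LC_ALL=C grep -q -a -F -- "$(printf '\312\376\312\376\312\376')" "$1"
}

# Verdict line.  Per the post: the stock BT5 build is linked to libnet and
# sent the NIC's real MAC; the "equivalent package" is not linked to libnet
# and carries the constant.
netdiscover_build_report() {
    if links_libnet "$1"; then net=yes; else net=no; fi
    if has_cafe_mac "$1"; then cafe=present; else cafe=absent; fi
    echo "$1: libnet=$net cafe-mac-constant=$cafe"
}

target="${1:-/usr/local/sbin/netdiscover}"
if [ -f "$target" ]; then
    netdiscover_build_report "$target"
else
    echo "usage: $0 /path/to/netdiscover (no such file: $target)" >&2
fi
```

Run it against each build you have lying around; a hit on the constant is the quick way to tell which tarball you compiled without reading ifaces.c again.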


Monday, March 05, 2012

Running Chromium as Root on BT5R2


Well, sort of.

You can't do it.  They (the omnipotent and wise developers of chromium) won't let you.  If you try to run it as root, you'll get this...


You can run it su'd as a regular user while logged in as root, but it takes a little X-Fu to get it done right.  First, create your user with the "adduser" command.  Then, give him access to the X display with the "xhost" command.

Here, our user is called "bob":

xhost +SI:localuser:bob

Now start a terminal session and "su bob".  Then run...

chromium-browser --user-data-dir=/home/bob

...and you're in.

This is not unique to Chromium.  The Tor Browser Bundle for Linux will also not let you run as root, which is a bitch and a half.  This trick will work with Tor as well, but it will bitch about the user's profile.  So far I haven't found (or looked for) an equivalent "user-data-dir" switch.

Chromium isn't in BT5R2 by default, so you need to install it with...

apt-get install chromium-browser

Neither is the Tor Browser Bundle, but I'm sure you can figure out how to install that.  It's as simple as downloading & extracting it.
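Here is the whole procedure as one script, added here as an example rather than taken from the post: it creates the user if needed, grants that user access to the X display, launches Chromium with its own profile directory, and revokes the xhost grant when the browser exits.  It assumes Debian-style adduser (as on BT5), an xhost that understands SI:localuser, and that DISPLAY is set in the root session; the user name "bob" and the profile path under ~/.config are illustrative.

```shell
#!/bin/sh
# Added example; not from the post.  Run Chromium as an unprivileged user
# from a root X session (BT5 style) and undo the X access grant afterwards.
# Assumes Debian-style adduser, an xhost that understands SI:localuser, and
# DISPLAY set in the root session.  "bob" and the profile path are illustrative.

# Only plain user names: anything else would be misread by xhost, su or adduser.
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Server-interpreted local-user spec for xhost (no IP/hostname ambiguity).
xhost_spec() { printf 'SI:localuser:%s\n' "$1"; }

# Keep the profile under the user's home rather than using /home/<user>
# itself as --user-data-dir, so the profile does not litter the home dir.
profile_dir() { printf '/home/%s/.config/chromium-unpriv\n' "$1"; }

# Command run as the user: create the profile dir as that user (root never
# owns anything in it) and start the browser on it.
browser_cmd() {
    d=$(profile_dir "$1")
    printf "mkdir -p '%s' && chromium-browser --user-data-dir='%s'\n" "$d" "$d"
}

ensure_user() {
    id -u "$1" >/dev/null 2>&1 || adduser --disabled-password --gecos '' "$1"
}

grant_x()  { xhost "+$(xhost_spec "$1")" >/dev/null; }
revoke_x() { xhost "-$(xhost_spec "$1")" >/dev/null; }

main() {
    u="${1:-bob}"
    valid_username "$u" || { echo "bad user name: $u" >&2; return 2; }
    for c in adduser xhost su chromium-browser; do
        command -v "$c" >/dev/null 2>&1 || { echo "missing: $c" >&2; return 2; }
    done
    ensure_user "$u"
    grant_x "$u"
    trap 'revoke_x "$u"' EXIT          # take the grant back when the browser exits
    # su without "-" keeps DISPLAY from the root session.
    su "$u" -c "$(browser_cmd "$u")"
}

# Only start a browser when run as root inside X; otherwise print usage so the
# file can also be sourced for its helper functions.
if [ "$(id -u)" -eq 0 ] && [ -n "${DISPLAY:-}" ]; then
    main "$@"
else
    echo "usage: run as root inside an X session: $0 [user]" >&2
fi
```

What this buys you is a browser that can't write root's files or bind root's ports.  It does not isolate the display: xhost +SI:localuser:bob lets every process running as bob talk to root's X server, and X11 has no isolation between clients, so a compromised browser can still read keystrokes and window contents from root's other windows on that display.  Revoke the grant (xhost -SI:localuser:bob) as soon as the browser exits, which the trap above does.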

So anyway, BT5R2 is the best version yet, but as usual I have my complaints.  I won't bore you with them now.

Give me another week.

Monday, January 09, 2012

McAfee Relay Server 5.2.3 (Port 6515)

Earlier today I noticed I was getting a lot of TCP port 6515 proxies on The List.

Curious, I checked one and it gave me a VIA header of

1.1 Fran-PC (McAfee Relay Server 5.2.3)


Then I took a peek at the database.  Nearly 1900 of these things since December 1st, 2011.  Although the name of the PC above is a dead giveaway that this is some sort of consumer product ("[name-of-owner]-PC" is the default Windows machine name created during setup), a quick check of the DNS names of these boxes confirms they are all on residential IP addresses.

So what is "McAfee Relay Server"?  I'm guessing it's one of those snarky products they stick you with whenever you buy a new PC.  This makes sense, since December is a big month for new PCs.

But why install it as an open proxy?  

If it's a "security product" I hope it's a honeypot.

UPDATE: BIG LIST OF MCAFEE VIA HEADERS


This is what I have been able to salvage from the proxy run logs that I still have.  All of December is basically lost, unfortunately.

1.1 62G3CP1 (McAfee Relay Server 5.2.1)
1.1 acer-86e9bf2e61 (McAfee Relay Server 5.2.3)
1.1 Alan (McAfee Relay Server 5.2.3)
1.1 BERCOBACKUP (McAfee Relay Server 5.2.1)
1.1 bill-2eb924946b (McAfee Relay Server 5.2.3)
1.1 billkayredsa-PC (McAfee Relay Server 5.2.3)
1.1 blackkbarbie-PC (McAfee Relay Server 5.2.1)
1.1 bobot (McAfee Relay Server 5.2.3)
1.1 Breaker (McAfee Relay Server 5.2.3)
1.1 Brian-PC (McAfee Relay Server 5.2.0)
1.1 Buzz-PC (McAfee Relay Server 5.2.3)
1.1 CJ-PC (McAfee Relay Server 5.2.3)
1.1 ConwayVault (McAfee Relay Server 5.2.0)
1.1 Custom-PC (McAfee Relay Server 5.2.3)
1.1 D3Y34L91 (McAfee Relay Server 5.2.3)
1.1 D3ZQQW81 (McAfee Relay Server 5.2.3)
1.1 Daddy-PC (McAfee Relay Server 5.2.3)
1.1 Dan-PC (McAfee Relay Server 5.2.3)
1.1 Darla-PC (McAfee Relay Server 5.2.3)
1.1 david-PC (McAfee Relay Server 5.2.0)
1.1 DDS7CS81 (McAfee Relay Server 5.2.3)
1.1 Debby-PC (McAfee Relay Server 5.2.3)
1.1 dell (McAfee Relay Server 5.2.3)
1.1 denise-4f98da88 (McAfee Relay Server 5.2.3)
1.1 DG690771 (McAfee Relay Server 5.2.3)
1.1 DHWATSON (McAfee Relay Server 5.2.3)
1.1 dianadozard-PC (McAfee Relay Server 5.2.1)
1.1 DillonComput-PC (McAfee Relay Server 5.2.3)
1.1 donald-gpmxmpyb (McAfee Relay Server 5.2.3)
1.1 DSVR002557 (McAfee Relay Server 5.2.1)
1.1 DSVR006181 (McAfee Relay Server 5.2.3)
1.1 DSVR008084 (McAfee Relay Server 5.2.3)
1.1 eisberg (McAfee Relay Server 5.2.3)
1.1 eleni-PC (McAfee Relay Server 5.2.3)
1.1 emachine-98e05c (McAfee Relay Server 5.2.3)
1.1 Emachine (McAfee Relay Server 5.2.3)
1.1 FINISHIN-P6868U (McAfee Relay Server 5.2.3)
1.1 Fran-PC (McAfee Relay Server 5.2.3)
1.1 FTP-Server (McAfee Relay Server 5.2.3)
1.1 funk-sbs-2003 (McAfee Relay Server 5.2.3)
1.1 gary-393c91b143 (McAfee Relay Server 5.2.3)
1.1 general (McAfee Relay Server 5.2.3)
1.1 h1951093 (McAfee Relay Server 5.2.3)
1.1 hill-PC (McAfee Relay Server 5.2.3)
1.1 home (McAfee Relay Server 5.2.3)
1.1 Home-PC (McAfee Relay Server 5.2.3)
1.1 ILEXSA001 (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.2)
1.1 IQ-K12-Desktop (McAfee Relay Server 5.2.3)
1.1 IQ-K12-Laptop (McAfee Relay Server 5.2.3)
1.1 Irvines-PC (McAfee Relay Server 5.2.3)
1.1 JackRogers-PC (McAfee Relay Server 5.2.3)
1.1 Jennifer-PC (McAfee Relay Server 5.2.3)
1.1 jennings-PC (McAfee Relay Server 5.2.3)
1.1 JERRY-PC (McAfee Relay Server 5.2.3)
1.1 Joanne (McAfee Relay Server 5.2.3)
1.1 Jody-PC (McAfee Relay Server 5.2.3)
1.1 JohnandCathy-PC (McAfee Relay Server 5.2.1)
1.1 john-HP (McAfee Relay Server 5.2.3)
1.1 JR-PC (McAfee Relay Server 5.2.3)
1.1 JTSICOE (McAfee Relay Server 5.2.3)
1.1 jupiter (McAfee Relay Server 5.2.3)
1.1 Kaminski-PC (McAfee Relay Server 5.2.1)
1.1 kedwards-PC (McAfee Relay Server 5.2.3)
1.1 keebaby5-PC (McAfee Relay Server 5.2.3)
1.1 Kit-PC (McAfee Relay Server 5.2.3)
1.1 LANG (McAfee Relay Server 5.2.3)
1.1 LarCar1969-PC (McAfee Relay Server 5.2.3)
1.1 manuel (McAfee Relay Server 5.2.3)
1.1 Mary-PC (McAfee Relay Server 5.2.3)
1.1 mdshor-PC (McAfee Relay Server 5.2.1)
1.1 millers-PC (McAfee Relay Server 5.2.1)
1.1 nanakatewest-PC (McAfee Relay Server 5.2.3)
1.1 nault-pc (McAfee Relay Server 5.2.3)
1.1 nichowa1-PC (McAfee Relay Server 5.2.3)
1.1 office (McAfee Relay Server 5.2.3)
1.1 owner-8477f6334 (McAfee Relay Server 5.2.3)
1.1 owner (McAfee Relay Server 5.2.3)
1.1 owner-PC (McAfee Relay Server 5.2.3)
1.1 Owner-PC (McAfee Relay Server 5.2.3)
1.1 pathenri-PC (McAfee Relay Server 5.2.3)
1.1 PCGARANT04 (McAfee Relay Server 5.2.2)
1.1 PRINCIPAL (McAfee Relay Server 5.2.3)
1.1 PServer (McAfee Relay Server 5.2.3)
1.1 PTBrunnock-PC (McAfee Relay Server 5.2.3)
1.1 Ratuld (McAfee Relay Server 5.2.3)
1.1 ricky-PC (McAfee Relay Server 5.2.3)
1.1 sarahcasey- (McAfee Relay Server 5.2.3)
1.1 server01 (McAfee Relay Server 5.2.3)
1.1 server_02 (McAfee Relay Server 5.2.3)
1.1 server152 (McAfee Relay Server 5.2.3)
1.1 Sharon-PC (McAfee Relay Server 5.2.3)
1.1 Shop-HP (McAfee Relay Server 5.2.3)
1.1 shulapc (McAfee Relay Server 5.2.3)
1.1 snowwhimpy-PC (McAfee Relay Server 5.2.3)
1.1 SRV-CAPYLR (McAfee Relay Server 5.2.3)
1.1 stanknight2-PC (McAfee Relay Server 5.2.3)
1.1 Sue (McAfee Relay Server 5.2.3)
1.1 Terry-PC (McAfee Relay Server 5.2.3)
1.1 Tommy-PC (McAfee Relay Server 5.2.3)
1.1 UBSPAULISTANO (McAfee Relay Server 5.2.1)
1.1 u-Net-NAS1 (McAfee Relay Server 5.2.1)
1.1 user-9y1zyxu5xh (McAfee Relay Server 5.2.3)
1.1 user (McAfee Relay Server 5.2.3)
1.1 User-PC (McAfee Relay Server 5.2.3)
1.1 virtualserver (McAfee Relay Server 5.2.3)
1.1 your-4dacd0ea75 (McAfee Relay Server 5.2.1)

There are some obvious corporate type names, but the -PC names are definitely consumer grade.  Again, the majority of all IPs reverse map back to residential address ranges.
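As an added example (not from the post), a few shell functions that pull the host name, product and version out of a Via header like the ones above, flag host names that look like Windows setup defaults, and tally versions over a run log.  The embedded SAMPLE is a handful of lines copied from the list above; the "looks like a default name" rule is a heuristic of mine (…-PC, owner/user/your, or a trailing hex blob like the XP-era OEM names), not anything McAfee documents, and the parser assumes one hop per Via value, as in the list.

```shell
#!/bin/sh
# Added example; not from the post.  Parse "Via: 1.1 <host> (<product> <ver>)"
# values as logged from open proxies and summarise them.  Assumes a single
# hop per Via value, as in the list above.

# SAMPLE is a constructed subset of the post's list, used for a self-test.
SAMPLE='1.1 Fran-PC (McAfee Relay Server 5.2.3)
1.1 Alan (McAfee Relay Server 5.2.3)
1.1 DSVR002557 (McAfee Relay Server 5.2.1)
1.1 owner-8477f6334 (McAfee Relay Server 5.2.3)
1.1 user (McAfee Relay Server 5.2.3)
1.1 Brian-PC (McAfee Relay Server 5.2.0)
1.1 funk-sbs-2003 (McAfee Relay Server 5.2.3)'

# "1.1 Fran-PC (McAfee Relay Server 5.2.3)" -> "Fran-PC"
via_host() {
    printf '%s\n' "$1" | sed -n 's/^[0-9.]* \([^ ]*\) (.*$/\1/p'
}

# -> "McAfee Relay Server 5.2.3"
via_product() {
    printf '%s\n' "$1" | sed -n 's/^.*(\(.*\))[[:space:]]*$/\1/p'
}

# -> "5.2.3"
via_version() {
    via_product "$1" | sed -n 's/.* \([0-9][0-9.]*\)$/\1/p'
}

# Heuristic (mine, not McAfee's): names Windows setup or OEM imaging hand
# out by default: "<name>-PC", owner/user/your..., or a trailing 8+ hex
# digit blob as on XP-era OEM installs.  Prints consumer-default or other.
classify_host() {
    if printf '%s\n' "$1" | grep -Eqi -- '-pc$|^(owner|user|your)(-|$)|-[0-9a-f]{8,}$'; then
        echo consumer-default
    else
        echo other
    fi
}

# stdin: one Via value per line; stdout: "<version> <count>" per version.
tally_versions() {
    sed -n 's/.*(McAfee Relay Server \([0-9.]*\)).*/\1/p' | sort | uniq -c |
        awk '{ print $2, $1 }'
}

# stdin: one Via value per line; prints how many look like consumer boxes.
count_consumer_hosts() {
    n=0
    while IFS= read -r line; do
        [ "$(classify_host "$(via_host "$line")")" = consumer-default ] && n=$((n + 1))
    done
    echo "$n"
}

printf '%s\n' "$SAMPLE" | tally_versions
printf 'consumer-looking hosts: %s\n' "$(printf '%s\n' "$SAMPLE" | count_consumer_hosts)"
```

Feed it the real run log (one Via value per line) instead of SAMPLE to get the version split and the consumer/other ratio for the whole batch; the reverse-DNS check the post describes is a separate pass over the IPs.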


Monday, January 02, 2012

Disappearing APs...


Related?


I wouldn't characterize the issue I've been seeing here as the access point "crashing" because it's still controllable after the ESSID disappears from the airwaves.

And of course I don't have a Dlink AP.

If I did I'd probably give it an ESSID of "Hlinky".  :o)


If you didn't know it already, Harald is not just some random guy on the Internet (like me).  If he says someone is crashing his APs, someone is crashing his APs.