Latest WordPress Milw0rm exploits PIPE’d to your feed reader!

Milw0rm is a great source of security exploits, and subscribing to its feed is a good way of getting a heads-up on where the next attack might come from: there are a lot of script kiddies who do nothing more than download milw0rm exploits and fire them randomly into the internet hoping to get a hit!

The thing is, a lot of exploits are published every day and they can quickly fill up your RSS feed reader, so it's a good idea to filter out the things that are useful to you. As an example I have created a simple Yahoo! Pipe which delivers only the WordPress exploits found on Milw0rm!

PIPE URL: http://pipes.yahoo.com/linickx/milw0rmwordpress
FEED URL: http://pipes.yahoo.com/pipes/pipe.run?_id=RDnArZNk3hGthFdiUpWufg&_render=rss

The pipe / feed is currently empty (it returns no results) as nothing new has been published recently, but I'm sure that'll change soon enough :)

Bluecoat reverse proxy and health checks.

Bluecoat Reverse Proxy Health Check Diagram

Consider the attached diagram: a customer wants a fairly simple reverse HTTP proxy solution. Behind the Bluecoat are two servers, one hosting pages for server1.domain.com and the other for server2.domain.com (both of these DNS names resolve to the IP address of the Bluecoat).

The requirement comes with a twist: in the event that either server goes down they want requests sent to another "we're sorry, the site is down" server. Below is some pseudo-code explaining what we want the Bluecoat to do when it receives an HTTP request.


If (URL = http://server1.domain.com) then
    If (webserver1 = healthy) then
        Forward webserver1
    Else
        Forward backupserver
    Fi
Fi
If (URL = http://server2.domain.com) then
    If (webserver2 = healthy) then
        Forward webserver2
    Else
        Forward backupserver
    Fi
Fi

Now it took me some time to find out how to do this; some of it can be applied in the GUI, the rest has to be applied in Content Policy Language (CPL). If you want to do something similar, start by defining some forwarding hosts in the GUI: click Configure -> Forwarding Hosts -> New. In this example only use IP addresses as the aliases, it makes things simpler later (the alias is what you will reference in the CPL), so server1.domain.com is...

  • alias = 192.168.1.1
  • host = 192.168.1.1
  • type = server
  • ports = HTTP 80

then server2.domain.com is...

  • alias = 192.168.1.2
  • host = 192.168.1.2
  • type = server
  • ports = HTTP 80

and the backup webserver is…

  • alias = 192.168.1.3
  • host = 192.168.1.3
  • type = server
  • ports = HTTP 80

If you now click Health Checks -> General you'll see that some health checks, such as fwd.192.168.1.3, have been created for you: one per forwarding host, named fwd. followed by the host's alias, which is why using the IP address as the alias keeps the CPL simple.

Next, in the VPM (Policy -> Visual Policy Manager -> Launch) create a Web Access Layer permitting "any" to your web server hosts server1.domain.com & server2.domain.com.

Finally you need to upload some CPL (Policy -> Policy Files -> under "Install Local File from" select "Text Editor" -> Install):

<Forward>
	; Forward to server1.domain.com
	server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=yes forward(192.168.1.1)
	server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=no forward(192.168.1.3)
	; Forward to server2.domain.com
	server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=yes forward(192.168.1.2)
	server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=no forward(192.168.1.3)

Change as necessary, but now if server1.domain.com goes down the page on 192.168.1.3 is displayed (and the same happens for server2), neat! One thing to be aware of: the two fallback rules forward to 192.168.1.3 without testing is_healthy.fwd.192.168.1.3, so if the "sorry" server is also down the request simply fails rather than falling back any further; for a sorry page that is usually acceptable, but it is worth knowing.
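To see how the rules above behave before you install them, here is an added Python model of the <Forward> layer; it is example code written for this post, not anything from Blue Coat or SGOS. It parses the four CPL rules verbatim, evaluates them with first-match-wins semantics (my understanding of how CPL evaluates rules within a single layer) against a health map that stands in for the is_healthy.fwd.* checks, and reports any forwarding target whose own health the layer never tests.

```python
import re

# The <Forward> layer from the post, transcribed verbatim. The parser and the
# health maps below are an added model of the policy, not SGOS code.
CPL_FORWARD_LAYER = """
; Forward to server1.domain.com
server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=yes forward(192.168.1.1)
server_url.host.exact="server1.domain.com" is_healthy.fwd.192.168.1.1=no forward(192.168.1.3)
; Forward to server2.domain.com
server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=yes forward(192.168.1.2)
server_url.host.exact="server2.domain.com" is_healthy.fwd.192.168.1.2=no forward(192.168.1.3)
"""

HOST_RE = re.compile(r'server_url\.host\.exact="([^"]+)"')
HEALTH_RE = re.compile(r'is_healthy\.(fwd\.[0-9.]+)=(yes|no)')
FWD_RE = re.compile(r'forward\(([^)]+)\)')


def parse_forward_layer(text):
    """Return a list of (host, {health_check: wanted_state}, target) rules.

    Only the three condition/action forms used in the post are understood;
    anything else raises so a typo is not silently ignored.
    """
    rules = []
    for line in text.splitlines():
        line = line.split(';', 1)[0].strip()  # ';' starts a CPL comment
        if not line:
            continue
        host = HOST_RE.search(line)
        fwd = FWD_RE.search(line)
        if not host or not fwd:
            raise ValueError(f"unsupported rule: {line}")
        conds = {m.group(1): m.group(2) == 'yes' for m in HEALTH_RE.finditer(line)}
        rules.append((host.group(1), conds, fwd.group(1)))
    return rules


def choose_forward(rules, host, health):
    """First matching rule wins (assumed CPL semantics within one layer).

    `health` maps check names such as 'fwd.192.168.1.1' to True/False; a
    check missing from the map is treated as unhealthy, so a mistyped check
    name in the CPL would push traffic to the fallback rather than the primary.
    """
    for rule_host, conds, target in rules:
        if rule_host != host:
            continue
        if all(health.get(name, False) == want for name, want in conds.items()):
            return target
    return None  # nothing matched: SGOS falls through to its default forwarding


def audit_fallbacks(rules):
    """Targets that are forwarded to but whose health is never consulted."""
    checked = set()
    for _, conds, _ in rules:
        checked.update(conds)
    return sorted({t for _, _, t in rules if f"fwd.{t}" not in checked})


if __name__ == "__main__":
    rules = parse_forward_layer(CPL_FORWARD_LAYER)
    all_up = {"fwd.192.168.1.1": True, "fwd.192.168.1.2": True}
    print("server1, all up  ->", choose_forward(rules, "server1.domain.com", all_up))
    print("server1, 1 down  ->", choose_forward(rules, "server1.domain.com", {"fwd.192.168.1.1": False}))
    print("unchecked targets:", audit_fallbacks(rules))
```

The audit function is the check worth keeping: it prints 192.168.1.3, which is exactly the sorry server whose health the layer ignores.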

(Correct as of SGOS 5.4.1.3 as usual YMMV!)

IPSO: From CLISH to Bourne Shell (sh)

Note to Self:

If an administrator has set up your Nokia (IPSO) shell account to log into clish rather than the Unix shell, and you need to cpstop;cpstart, you can switch shells with the command:

Nokia:>shell
[admin@nokia]#

It’s quite a simple command, so why can’t I remember it!

Footnote:
iclid is the "router shell", where you can run show commands.
clish is the "Voyager shell", where you can "set" things and make changes.
/bin/sh, the Bourne shell (sh), is the "Unix shell", where you have access to the underlying operating system and can change the file-system or restart processes.

Cisco ASA Syntax Highlighting with Notepad++

When using Windows, Notepad++ is my editor of choice. When editing PHP files it's nice to see coloured highlighting confirming your syntax is correct.

As I regularly have to review and build Cisco ASA firewall configs, I thought it would be nice to add a little colour :)

Notepad++ supports a user-defined language system whereby users can create their own syntax highlighting. As Google couldn't find anyone else who'd had a go at this before, I thought I'd have a crack at being the first.

Attached to this post you'll find userDefineLang_ASA.xml; what you need to do is:

1. Download the user-defined language file to your computer.
2. Open the file with your favourite text editor (such as Notepad++ or Notepad).
3. Click Start, Run, type (or paste in) %APPDATA%\Notepad++ then click OK.
4. Open userDefineLang.xml with a text editor.
5. If this is the first user-defined language you are adding, copy/paste the entire downloaded file into userDefineLang.xml, replacing everything that was there. If this is the second or later language you are adding, copy everything from the downloaded file starting at its <UserLang ...> opening tag and ending at its </UserLang> closing tag, and paste it at the end of userDefineLang.xml, just before the closing </NotepadPlus> tag.
6. Save the newly improved userDefineLang.xml.

Reference: http://notepad-plus.sourceforge.net/uk/download.php
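Step 5 is the fiddly one, so here is an added Python helper (example code, not part of the post's attachment or of Notepad++) that does the merge for you. The two XML strings are constructed stand-ins with placeholder keywords, not the real userDefineLang_ASA.xml, and the function handles both the "first language" and "additional language" cases, replacing a same-named language if it already exists so running it twice does not duplicate the entry.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the two files in step 5: a userDefineLang.xml
# that already holds one language, and the downloaded ASA definition.
# Only the skeleton of the format is reproduced; the keyword lists are
# placeholders, not the contents of userDefineLang_ASA.xml.
EXISTING_XML = """<NotepadPlus>
    <UserLang name="Existing" ext="foo">
        <KeywordLists><Keywords name="Words1">alpha beta</Keywords></KeywordLists>
    </UserLang>
</NotepadPlus>"""

ASA_XML = """<NotepadPlus>
    <UserLang name="Cisco ASA" ext="asa">
        <KeywordLists><Keywords name="Words1">show configure clear</Keywords></KeywordLists>
    </UserLang>
</NotepadPlus>"""


def merge_user_lang(existing_xml, new_xml):
    """Return userDefineLang.xml text containing the languages of both inputs.

    - existing file empty or absent: the downloaded file is used as-is
    - otherwise every <UserLang> of the download is appended inside
      <NotepadPlus>, replacing any language with the same name
    """
    new_root = ET.fromstring(new_xml)
    if new_root.tag != "NotepadPlus":
        raise ValueError("download is not a Notepad++ user-defined language file")
    if not existing_xml or not existing_xml.strip():
        return new_xml
    root = ET.fromstring(existing_xml)
    if root.tag != "NotepadPlus":
        raise ValueError("userDefineLang.xml is not a Notepad++ user-defined language file")
    for lang in new_root.findall("UserLang"):
        name = lang.get("name")
        for old in root.findall("UserLang"):  # findall returns a list, safe to remove
            if old.get("name") == name:
                root.remove(old)
        root.append(lang)
    return ET.tostring(root, encoding="unicode")


def language_names(xml_text):
    """Names of the languages defined in a userDefineLang.xml document."""
    return [e.get("name") for e in ET.fromstring(xml_text).findall("UserLang")]


if __name__ == "__main__":
    merged = merge_user_lang(EXISTING_XML, ASA_XML)
    print(language_names(merged))  # ['Existing', 'Cisco ASA']
```

To use it on the real files, read %APPDATA%\Notepad++\userDefineLang.xml and the downloaded file into the two strings and write the result back; keep a copy of the original first.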

Now my implementation is quite simple at this stage: I've copied all the top-level commands, i.e. anything you get from an initial "?", such as "show", but I haven't gone through grabbing level-two commands such as "run" in "show run". I have, however, added the most common level-two commands, so you should see something useful.

Comments or improvements welcome :cool:

Allowing RFC1918 – 192.168, 10. , 172.16-32 address with NoScript

I've recently started using the Firefox add-on NoScript to improve my online security.

One of the things that's been a little frustrating has been having to manually accept/whitelist internal 192.168.1.1-type addresses. After a fruitless Google, I managed to find the answer in the NoScript forum.

There is one major limitation: the NoScript whitelist only accepts IP entries of more than one octet, which means you cannot whitelist the whole of 10.*.*.* (10/8) in one go, as "10." is only one octet. On the upside you can whitelist a whole /16 (255.255.0.0) subnet, which works out nicely for the 192.168.0.0/16 set of addresses, but for the 10s and 172s you're a bit stuffed unless you add an entry for each /16 you actually use.

Now you may find that when you try to whitelist 10.123.0.0/16 you have issues, I know I did! The trick is to read the forum post carefully. If you want to whitelist 10.123.0.0 through 10.123.255.255 then add the following:

http://10.123

https://10.123

That should allow both HTTP and SSL traffic to all those internal addresses to be permitted by NoScript!
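Because the whitelist works at /16 granularity, covering a bigger range such as 10/8 or 172.16/12 means one entry per /16. The following added Python snippet (example code, not from NoScript or the forum post) generates those entries from any RFC 1918 prefix and checks a URL against them. The two-octet minimum and the prefix-match behaviour are taken from the description above and are assumptions of this model, not something read from NoScript's source.

```python
import ipaddress

# Assumed NoScript behaviour, per the post: an entry needs at least two
# octets, and "http://10.123" covers 10.123.0.0 through 10.123.255.255.
SCHEMES = ("http", "https")


def noscript_entries(network, schemes=SCHEMES):
    """Whitelist entries covering `network` at /16 granularity.

    Prefixes longer than /16 are widened to their enclosing /16 (NoScript
    cannot go narrower per the post, so this knowingly over-covers);
    shorter prefixes are split into one entry per /16 and scheme.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 prefixes are handled here")
    if net.prefixlen > 16:
        blocks = [net.supernet(new_prefix=16)]
    else:
        blocks = list(net.subnets(new_prefix=16))
    entries = []
    for block in blocks:
        first, second = str(block.network_address).split(".")[:2]
        entries.extend(f"{scheme}://{first}.{second}" for scheme in schemes)
    return entries


def is_whitelisted(url, entries):
    """Model of the matching described above: an entry covers a URL whose
    scheme matches and whose host equals the entry's host prefix or starts
    with it followed by a dot (so 10.123 does not match 10.1234.x.x)."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    for entry in entries:
        e_scheme, _, e_host = entry.partition("://")
        if scheme == e_scheme and (host == e_host or host.startswith(e_host + ".")):
            return True
    return False


if __name__ == "__main__":
    for prefix in ("192.168.1.0/24", "10.123.0.0/16", "172.16.0.0/12"):
        ents = noscript_entries(prefix)
        print(prefix, "->", len(ents), "entries, e.g.", ents[:2])
```

For 10.0.0.0/8 the generator emits 512 entries (256 /16s times two schemes), which is why it is better to list only the /16s you actually use rather than the whole private range.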

Dear googler, I hope this was of some help :)

Don’t forward Warning E-mails!

For a while now I've warned that forwarding "beware of the xYz virus" e-mails causes as much harm as the intended good; I like this McAfee post, though personally I would have titled it "Hoax or Not - Delete it!" :)

A Clever DNS DDOS

This post from yesterday's Internet Storm Center diary is worth a mention; the concept is very simple and very clever. The attacker sends recursive DNS queries with a spoofed source address, choosing a query that is short to send but long to answer, i.e. the amount of data the DNS server sends in its reply is far greater than what the attacker sends to initiate it; the long response goes to the spoofed (victim) IP address, which gets hammered!
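As an added illustration (mine, not the ISC diary's), here is a Python detector for the traffic pattern just described, run over constructed flow records rather than a real capture. It totals the query bytes a resolver receives from each client and the answer bytes it sends back, then flags clients whose answer-to-query ratio and volume look like a spoofed victim. The addresses are from documentation ranges and the thresholds are assumptions to tune for your own resolver.

```python
from collections import defaultdict

# Constructed flow records (not from the ISC diary): one tuple per UDP
# packet seen at the resolver 198.51.100.53, as (src, sport, dst, dport, bytes).
FLOWS = [
    # small queries arrive at the resolver claiming to come from the victim
    ("203.0.113.7", 53211, "198.51.100.53", 53, 64),
    ("203.0.113.7", 53212, "198.51.100.53", 53, 64),
    ("203.0.113.7", 53213, "198.51.100.53", 53, 64),
    # the resolver's large answers go to the spoofed source, i.e. the victim
    ("198.51.100.53", 53, "203.0.113.7", 53211, 3100),
    ("198.51.100.53", 53, "203.0.113.7", 53212, 3100),
    ("198.51.100.53", 53, "203.0.113.7", 53213, 3100),
    # an ordinary client: a similar query size but a modest answer
    ("192.0.2.10", 40001, "198.51.100.53", 53, 60),
    ("198.51.100.53", 53, "192.0.2.10", 40001, 180),
]


def amplification_by_client(flows, resolver):
    """Per client: (query bytes received, answer bytes sent, answer/query ratio)."""
    recv = defaultdict(int)  # bytes of queries the resolver received from each client
    sent = defaultdict(int)  # bytes of answers the resolver sent to each client
    for src, sport, dst, dport, nbytes in flows:
        if dst == resolver and dport == 53:
            recv[src] += nbytes
        elif src == resolver and sport == 53:
            sent[dst] += nbytes
    report = {}
    for client in set(sent) | set(recv):
        q, a = recv[client], sent[client]
        report[client] = (q, a, a / q if q else float("inf"))
    return report


def suspected_victims(flows, resolver, min_ratio=10.0, min_bytes=4096):
    """Clients receiving far more answer bytes than they sent in queries.

    The thresholds are assumptions: a legitimate client rarely pulls 10x more
    bytes than it sends, and the byte floor keeps one-off large answers quiet.
    """
    report = amplification_by_client(flows, resolver)
    return sorted(c for c, (q, a, ratio) in report.items()
                  if ratio >= min_ratio and a >= min_bytes)


if __name__ == "__main__":
    for client, (q, a, ratio) in amplification_by_client(FLOWS, "198.51.100.53").items():
        print(f"{client:15} queries={q:6} answers={a:6} ratio={ratio:.1f}")
    print("suspected victims:", suspected_victims(FLOWS, "198.51.100.53"))
```

On real data the same logic runs over NetFlow or a packet capture; the point is that the victim never sent the queries, so it shows up as a destination of large answers with only small, spoofed queries attributed to it.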

Introduction to CCIE Security Mind Maps on XMIND

In 2004 I certified as a CCSP (well, back then it was called CSS1); anyway, after a couple of years' experience I decided that I would start walking down the CCIE Security path.

Cisco recommends that potential candidates have a CCSP and at least 5 years' experience in IT security, and when I made the decision back in 2006/7 to begin studying I qualified on both counts and figured this was the path for me.

The thing is, the more I studied the more I realised what I didn't know; I changed employers and began getting some practical experience with Cisco's non-security technology, as routing & switching features quite heavily. After 2 years of gathering as much information as I can on both Cisco's security and basic-networking portfolios, I think 2009 is the year to stop putting this off and go for it!

I've messed about with many different techniques to prepare for the CCIE SEC written, different ideas ranging from old-skool A4/A3 notebooks to Google Notebook; Delicious keeps a record of some good bookmarks, and I guess my Cisco and security blog posts count!

Meet my latest, and hopefully last plan…


See the rest of my Mind Maps

Yep, I'm mind mapping; not only that, but I'm going open source and the maps are on XMIND. The maps are far from finished, but I'm hoping that this work will not only get me up to standard but also help others; after all, you can't have too many security experts!

If you have any suggestions of good revision resources (NOT TestKing-style dumps or other ways to cheat!) please comment and let me know.

UPDATE: Forgot to post that the .xmind file is also in my dropbox :)

I Caught A Harvester!

I’ve been running a honey pot for a while, and found this in my inbox this morning…

Nick –
Regardless of how the rest of your day goes, here’s something to be happy
about — today a honey pot you installed successfully identified a
previously unknown email harvester (IP: 217.126.9.173).

This is a nice thing to find; I'm looking forward to catching some more inter-twats over the Christmas period :)

Multiple SYSLOG Receivers with a Cisco NAC Appliance Manager (CAM)

According to Cisco's documentation on configuring syslog on a CAM, you can only forward the NAC logs to a single external log server. If you're willing to get down and dirty with the Linux operating system underneath, this post will show you that this is simply not the case.

To get started, tweak the default logging settings within the NAC web interface; the screenshot shows I'm sending the syslog to the local host as local6 messages. This change sends a copy of the "normal" NAC event logs to the localhost syslog server.

Next we need to enable the localhost syslog server; the CAM is built on a Fedora image, so the syslog daemon is already running, it's just not listening on UDP 514 (and thus not yet receiving the logs configured above). In /etc/sysconfig/syslog change the line:
SYSLOGD_OPTIONS="-m 0"
to
SYSLOGD_OPTIONS="-m 0 -r"

Be aware that -r makes syslogd accept UDP 514 from any source, not just localhost, so restrict 514/udp to 127.0.0.1 with the host firewall (or on the network); otherwise anyone who can reach the CAM can inject lines into the local log file and into both forwarded streams.

Now that the local daemon is receiving the messages we need to change /etc/syslog.conf. Here we will make two changes. One: write a copy of the NAC events to disk, which lets us see what events the "NAC application" is sending. Two: the forwarding configuration; we put in two lines (one per syslog host) so that the logs are forwarded to two different servers, which was our original intention :)
Add the following lines to /etc/syslog.conf (the separator between selector and action is a tab):

# Log messages sent from the Cisco NAC application to a dedicated file
local6.*	/var/log/CiscoNAC.log

# Forward all syslog messages to host1
*.*	@loghost1
# Forward all syslog messages to host2
*.*	@loghost2

*NOTE: loghost1 & loghost2 need to be resolvable via DNS or in /etc/hosts!!

Finally restart the syslog daemon: /etc/init.d/syslog restart
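To check what the new rules actually do before restarting syslogd, here is an added Python model (example code, not a Cisco or sysklogd tool) of the sysklogd selector syntax used above. It parses facility.priority selectors, including "*", "=priority", "none" and ";"-chained selectors, and reports which actions a message with a given facility and priority hits. The rules string is the post's configuration; the extra lines in the usage are constructed to show the edge cases.

```python
import re

# The rules as added to /etc/syslog.conf in the post (sysklogd syntax).
SYSLOG_CONF = """
# Log messages sent from the Cisco NAC application to a dedicated file
local6.*\t/var/log/CiscoNAC.log

# Forward all syslog messages to host1
*.*\t@loghost1
# Forward all syslog messages to host2
*.*\t@loghost2
"""

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"] + [f"local{i}" for i in range(8)]
# Most to least severe; "facility.pri" means pri and everything more severe.
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog_conf(text):
    """Return [(set of (facility, priority) matched, action), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        if len(parts) != 2:
            raise ValueError(f"no action on line: {line}")
        selector, action = parts
        matched = set()
        for sel in selector.split(";"):
            facs, _, pri = sel.rpartition(".")
            fac_list = FACILITIES if facs == "*" else facs.split(",")
            if pri == "none":  # "none" removes the facilities matched so far
                matched -= {(f, p) for f in fac_list for p in PRIORITIES}
                continue
            if pri == "*":
                pri_list = PRIORITIES
            elif pri.startswith("="):  # exactly this priority
                pri_list = [pri[1:]]
            else:  # this priority and more severe
                pri_list = PRIORITIES[:PRIORITIES.index(pri) + 1]
            matched |= {(f, p) for f in fac_list for p in pri_list}
        rules.append((matched, action))
    return rules


def destinations(rules, facility, priority):
    """Every action a message with this facility/priority is delivered to."""
    return [action for matched, action in rules if (facility, priority) in matched]


if __name__ == "__main__":
    rules = parse_syslog_conf(SYSLOG_CONF)
    print("local6.info ->", destinations(rules, "local6", "info"))
    print("kern.err    ->", destinations(rules, "kern", "err"))
    # Constructed variant: keep the NAC events off a third host.
    variant = parse_syslog_conf("*.*;local6.none\t@loghost3\n")
    print("local6.info on variant ->", destinations(variant, "local6", "info"))
```

The first line of output confirms the intent of the post: a NAC event arriving as local6.info is written to /var/log/CiscoNAC.log and forwarded to both loghost1 and loghost2, and because the forwarding selectors are *.* the CAM's own system messages go to both hosts as well.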

Housekeeping
It's good practice once we've made changes to clean up after ourselves; these are some optional steps you can take.

Add /var/log/CiscoNAC.log to logrotate so that it doesn't just grow and grow until you run out of disk space. This is done by editing /etc/logrotate.d/syslog and inserting /var/log/CiscoNAC.log into the list of files, before /var/log/messages.

You may also want to compress your rotated logs: edit /etc/logrotate.conf and uncomment the word compress (remove the "#").

Important Note
When performing NAC upgrades, Cisco provides operating system package upgrades and changes, so it's important to check after an upgrade that these config changes still exist. Also, I take no responsibility for Cisco's TAC not wanting to support you because of the changes made!

MARS: Zone product or package version does not match

I’ve been having problems getting my Cisco MARS Local and Global controllers to synchronise their topologies. This error message vexed me for a few days, but thankfully Cisco’s TAC solved it for me.

If you read Cisco's troubleshooting guides they will tell you to check that the MARS Local & Global Controllers are running the same version, and to check that the SSL certificates are copied/pasted correctly.

If, after checking the above Cisco recommendations and the additional basics (network connectivity / NTP / timezones etc.), it still doesn't work, check that both MARS boxes are running and have downloaded the same version of IPS signatures: Admin -> IPS Signature Dynamic Update Settings -> Update Now.

It fixed the problem for me!