ipv6: Neighbour table overflow

One of my virtual machines hosted at Gandi had an excessive amount of error messages

The cause of this error message are the IPv6 router announcements that try to discover and configure the IPv6 neighbourhood. The excessive amount of messages were polluting the logs.

After contacting the Gandi helpdesk they provided insight on the cause of the error message and provided mitigations to prevent these type of errors. I had to update /etc/sysctl.conf withRead more.

Malware scanning of web directories with OWASP WebMalwareScanner

One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).

One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked inRead more.

Exploring webshells on a WordPress site

I recently had to handle a case where a website development company was hacked. This post describes some of my findings during the investigation.

All of the company websites were hosted on one virtual server running Linux. Most of these websites were WordPress powered. The management of the server was done via DirectAdmin, updating of the web files happened via FTP.

The incident was brought to the attention of the company because they received complaintsRead more.

HTTP 304 and Apache sinkhole

This is a short post, put here as a “reminder to self” on browser caching.

A colleague recently set up an HTTP sinkhole with Apache. The setup redirected all the user requests to one specific resource.

When deploying the sinkhole, the web server logs showed that the first requests where logged with HTTP status code 200 (“OK”). The next requests however were logged with HTTP status code 304 (“Not Modified”).

The HTTP 304 code basicallyRead more.

The New Glibc Getaddrinfo Vulnerability: Is It GHOST 2.0?

I had a guest post published on Security Training for Incident Handlers: The New Glibc Getaddrinfo Vulnerability: Is It GHOST 2.0?.

The post describes the critical issue found in glibc getaddrinfo (CVE-2015-7547) and gives you advice on patch management to deal with current (and future) issues in glibc.

Using Passive DNS for Incident Response

According to isc.org “Passive DNS” or “passive DNS replication” is a technique invented by Florian Weimer in 2004 to opportunistically reconstruct a partial view of the data available in the global Domain Name System into a central database where it can be indexed and queried.

In practical terms passive DNS describes an historical database of DNS resolutions. What does this all mean? It means that you can lookup to what IP address a domain resolvedRead more.

Introduction to Modbus TCP traffic

Modbus is a serial communication protocol. It is the most widespread used protocol within ICS.

It works in a Master / Slave mode. This means the Master has the pull the information from a Slave at regular times.

Modbus is a clear text protocol with no authentication.

Although it was initially developed for serial communication it is now often used over TCP. Other versions of Modbus (used in serial communication) are for example Modbus RTURead more.

Logging nfsen queries

In two previous posts I covered “What is netflow and when do you use it?” and “Use netflow with nfdump and nfsen“.

Nfsen provides a web interface on netflow data made available via nfdump. Because of the nature of the netflow data it is important to have strict access controls and extensive logging on the nfsen access. You should have a complete access and query log of who did what at any given time.

AccessRead more.

What is netflow and when do you use it?

Netflow is a feature that was introduced on Cisco routers and that provides the ability to collect IP network traffic as it enters or exits an interface. Netflow data allows you to have an overview of traffic flows, based on the network source and destination. Because of this it lets you understand who is using the network, the destination of your traffic, when the network is utilized and the type of applications that consume theRead more.

Intro to basic forensic investigation of a hard drive

For a recent project I had to do a basic forensic investigation of a hard drive. The assignment included two questions :

detect if there were viruses on the system analyzing the surf behavior of one of the users (policy related)

I want to share the steps that I took to do basic forensics on a cloned disk image. This is not an in-depth forensic investigation but it was enough for this assignment.

Read more.