Malware scanning of web directories with OWASP WebMalwareScanner

One of the recent incidents I had to handle involved a compromised webhost. This allowed me to do some Exploring webshells on a WordPress site. In the aftermath of the investigation I searched for tools that could have improved my tasks (evaluating which files might have been compromised).

One of the approaches I had in mind was take a hash of every file and then verify that hash with Virustotal. This would have worked inRead more.

Exploring webshells on a WordPress site

I recently had to handle a case where a website development company was hacked. This post describes some of my findings during the investigation.

All of the company websites were hosted on one virtual server running Linux. Most of these websites were WordPress powered. The management of the server was done via DirectAdmin, updating of the web files happened via FTP.

The incident was brought to the attention of the company because they received complaintsRead more.

Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 3

In the two previous posts on MISP

Getting started with MISP – part 1 – Configuration Getting started with MISP – part 2 – Usage

I covered the basic installation, configuration and usage of MISP, Malware Information Sharing Platform & Threat Sharing.

Visit the page from CIRCL.lu to get a good overview of the possibilities of MISP and a description of a practical use case.

If you need (commercial) support you should visit http://www.misp-project.org/.

Read more.

Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 2

My first post on MISP described how to get MISP installed and get it up and running. This post describes how you can use MISP to your benefit to share threat information with your community.

The basic features of MISP are described in detail in the documentation at INSTALL/documentation.pdf. I’ll describe the steps needed to create an event and add some useful data.

You can add an event under Event actions, Add event. You’ll haveRead more.

Getting started with MISP, Malware Information Sharing Platform & Threat Sharing – part 1

MISP or Malware Information Sharing Platform & Threat Sharing is an open source tool for sharing malware and threat information with the security community. It is available on Github and is used by a large number of CERTs and security teams.

This first post describes how to get MISP installed and get it up and running. The next post describes how you can use MISP to your benefit to share threat information with yourRead more.

Analyzing WordPress login attempts with Pipal

I manage a number of WordPress sites. These sites get a lot of login attempts. Instead of dropping these attempts I decided to log them and build some stats.

I also wanted “something” that I could use to play with Pipal. Pipal is a password analyzer that provides useful statistics on a list of passwords. Note that it is NOT a password cracker.

I created a fake WordPress login form (wp-login.php) and installed this onRead more.

Ulogd-viz, visualize iptables / netfilter / ufw logs

I have iptables on a couple of different Linux hosts. There are a number of tools that allow you to centralize the logs of different hosts (and services) but they often focus on some form of alert management. I need something that allows me to gather the logs from different hosts, put them all in one central database and then generate some statistics on this data.

Iptables logs to the local syslogger but ulogd allowsRead more.

Install ModSecurity on Ubuntu (from source)

ModSecurity is an embeddable web application firewall or WAF. It can be installed as part of your existing web server infrastructure.

ModSecurity is available as a package for different Linux distributions but these versions are often outdated. I installed ModSecurity from source on Ubuntu 12.0.4 LTS.

Start by downloading the source tarball from the ModSecurity website. The full code is available via GitHub and the links to the tarballs are available from the home page.

Read more.

HTTP POST from PHP

Sometimes it can be useful to do a HTTP GET or HTTP POST request from a PHP script. I used to use curl to do this but there’s a ‘cleaner’ way to do this.

For reference, this is how to do the HTTP POST request in curl from PHP

The PEAR – PHP Extension and Application Repository contains a number of useful reusable PHP components.

The component we are going to use is HTTP_Request2. YouRead more.

Catch all web script

It can sometimes be useful to have a script that captures all the HTTP requests and that logs these requests to a file. The PHP script below works for me. I use this script in combination with the htaccess file to catch all web page requests and redirect them to one file.

The .htaccess file :

The apache config for the virtual host is straightforward.