Popular Post

Archive for 2014-02-23

YouTube ads serve Banking Trojan Caphaw

By : Unknown
Number of Malvertising attacks are appeared to be increasing day by day, even top websites fall victim to such kind of attacks - YouTube is to be the latest popular organization affected by malicious ads.
Security experts from Bromium have discovered that the cyber criminals were distributing a malware via YouTube ads.
According to researchers,  malicious ads attempt to exploit vulnerabilities in outdated Java.  It loads different malicious jar file, to ensure the exploit is compatible with the installed java version.
The Exploit kit used in this attack "Styx Exploit Kit" which was the same one used by cybercriminals to infect users of toy maker Hasbro.com.

If the user's machine is having vulnerable plugins, it will exploit the vulnerability and drops a Banking Trojan known as "Caphaw".  Researchers say they are working with Google Security team.

Why Use A Firewall? IP Tables In A Simple Way

By : Unknown
ABSTRACT
Readers, there are numerous reasons... It is well known that the Internet is an unmanaged a decentralized network, running under a set of protocols, which are not designed to ensure the integrity and confidentiality of information and access controls.
There are several ways to breach a network, but these ways do nothing more than take advantage of flaws within network protocols and services.

CONCEPTS
IPTABLES is an editing tool for packet filtering, with it you can analyze the header and make decisions about the destinations of these packets, it is not the only existing solution to control this filtering. We still have the old ipfwadm and ipchains, etc.
It is important to note that in Gnu / Linux, packet filtering is built into the kernel. Why not configure your installation in accordance with this article, since most distributions come with it enabled as a module or compiled directly into the kernel.


STEP BY STEP

case "$1" in
start)

Clearing Rules
iptables -t filter -F
iptables -t filter -X

Tips [ICMP ECHO-REQUEST] messages sent to broadcast or multicast
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Protection against ICMP redirect request
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Do not send messages, ICMP redirected.
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

(Ping) ICMP
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT

Packages logs with nonexistent addresses (due to wrong routes) on your network
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

Enabling forwarding packets (required for NAT)
echo "1" >/proc/sys/net/ipv4/ip_forward

SSH accepted
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

Do not break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP

IP spoofing protection
echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
echo - Subindo proteção contra ip spoofing : [OK]

Disable sending the IPV4
echo 0 > /proc/sys/net/ipv4/ip_forward

SYN-Flood Protection
iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
iptables -A syn-flood -j DROP

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT

Tips connections scans
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP
iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent"

Tips SYN packets invalid
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
# Tips SYN packets invalid
iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"

Certifies that new packets are SYN, otherwise they Tips
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

Discard packets with fragments of entry. Attack that can cause data loss
iptables -A INPUT -f -j DROP
iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries"

Tips malformed XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets"

DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

WHOIS Out
iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT

FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT

FTP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

# Reverse
iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT

MSF
iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT


WEB Management Firewall
touch /var/log/firewall
chmod +x /var/log/firewall
/var/log/firewall -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "ICMP Dropped "
/var/log/firewall -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "TCP Dropped "
/var/log/firewall -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "UDP Dropped "
/var/log/firewall -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
/var/log/firewall -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
/var/log/firewall -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
exit 0
;;

stop)
echo "turning off the firewall "
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
exit 0
;;

restart)
/etc/init.d/firewall stop
/etc/init.d/firewall start
;;

echo "Use: /etc/init.d/firewall {start|stop|restart}"
exit 1
;;
esac

Logs available: /var/log/firewall
COMMANDS TO MONITOR LOGS: tail -f /var/log/messages
Save: /etc/init.d/firewall

CONCLUSION
I hope to help you in configuring your network security and remind you to choose only the best options available.



Allow me to add a few Advantages of using your firewall. Be sure to Block unknown and unauthorized connections. You can specify what types of network protocols and services to be provided and you may control the packets from any untrusted services... Your firewall also allows blocking websites with URL filters, access control, access logs for reports by user, protecting the corporate network through proxies, and Network Address Translation (NAT). Control services that can either be executed or not, on the network allowing for high performance in their duties with easy administration and reliability.

EC Council official website hacked

By : Unknown
A hacker who calls himself "Eugene Belford" (A character from the movie "Hackers" )has hacked the EC-Council website - an organization that offers Certified Ethical Hacker(CEH)

"Owned by certified unethical software security professional" The defacement message reads.

He has also put in the deface page documents proving that "Edward Snowden" attended the CEH classes in India.
A spokesman from CSPF (Cyber Security and Privacy Foundation) says, it appears to be hackers used DNS hijacking attack to deface the website and possible gain access to their email.

Another CEH certified professional says he was not satisfied with EC Coucil  Training. He says though the course material is good and certification is recognised worldwide, the trainers from francisees of EC Coucil do not know hacking and they are not competent to take CEH classes.
Update: Sometime after this news was posted the hacker edited the deface page with this extra text.
"Defaced again? Yep, good job reusing your passwords morons jack67834#
 owned by certified unethical software security professional
Obligatory link: http://attrition.org/errata/charlatan/ec-council/
-Eugene Belford

P.S It seems like lots of you are missing the point here, I'm sitting on thousands of passports belonging to LE (and .mil) officials "
It might be that the attacker has gotten access to the emails of EC Council and hence all the email correspondence of the Law Enforcements and Military officials might be compromised also.

- Copyright © Virus Bhabhi - Expeet Outsourcing - - - - Designed by Expeet Outsourcing -