Archive for 2014-02-23
YouTube ads serve Banking Trojan Caphaw
By : Unknown
The number of malvertising attacks appears to be increasing day by day, and even top websites fall victim to this kind of attack; YouTube is the latest popular site to be affected by malicious ads.
Security experts from Bromium have discovered that cyber criminals were distributing malware via YouTube ads.
According to the researchers, the malicious ads attempt to exploit vulnerabilities in outdated Java. The attack loads different malicious jar files to ensure the exploit is compatible with the installed Java version.
The exploit kit used in this attack is the "Styx Exploit Kit", the same one cybercriminals used to infect users of toy maker Hasbro.com.
If the user's machine has vulnerable plugins, the kit exploits the vulnerability and drops a banking Trojan known as "Caphaw". The researchers say they are working with Google's security team.
Why Use A Firewall? IP Tables In A Simple Way
By : Unknown
ABSTRACT
Readers, there are numerous reasons... It is well known that the Internet is an unmanaged, decentralized network running on a set of protocols that were not designed to ensure the integrity and confidentiality of information or access control.
There are several ways to breach a network, but all of them do nothing more than take advantage of flaws in network protocols and services.
CONCEPTS
iptables is a tool for editing packet-filtering rules: with it you can inspect packet headers and decide what happens to each packet. It is not the only tool for controlling this filtering; the older ipfwadm and ipchains still exist.
It is important to note that in GNU/Linux, packet filtering is built into the kernel, and most distributions ship with it enabled as a module or compiled directly into the kernel, so why not configure your installation as this article describes?
STEP BY STEP
#!/bin/sh
# /etc/init.d/firewall - simple iptables init script (start|stop|restart)

case "$1" in
start)
    # Clear existing rules and user-defined chains
    iptables -t filter -F
    iptables -t filter -X

    # Ignore ICMP ECHO-REQUEST messages sent to broadcast or multicast addresses
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Protection against ICMP redirect requests
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    # Do not send ICMP redirect messages
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

    # ICMP (ping)
    iptables -t filter -A INPUT -p icmp -j ACCEPT
    iptables -t filter -A OUTPUT -p icmp -j ACCEPT

    # Log packets with impossible (martian) source addresses, e.g. caused by wrong routes
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

    # Enable packet forwarding (required for NAT)
    echo "1" > /proc/sys/net/ipv4/ip_forward

    # SSH accepted
    iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT

    # Do not break established connections
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Block all connections by default
    iptables -t filter -P INPUT DROP
    iptables -t filter -P FORWARD DROP
    iptables -t filter -P OUTPUT DROP

    # IP spoofing protection (reverse-path filtering)
    echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
    echo - Subindo proteção contra ip spoofing : [OK]

    # Disable IPv4 forwarding (this overrides the setting above; leave it at 1 only if this host does NAT)
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # SYN-flood protection: a chain that rate-limits SYNs, logging and dropping the excess
    iptables -N syn-flood
    iptables -A syn-flood -m limit --limit 10/second --limit-burst 50 -j RETURN
    iptables -A syn-flood -j LOG --log-prefix "SYN FLOOD: "
    iptables -A syn-flood -j DROP
    # Send incoming SYN packets through the chain (without this jump the chain is never used)
    iptables -A INPUT -p tcp --syn -j syn-flood

    # Loopback
    iptables -t filter -A INPUT -i lo -j ACCEPT
    iptables -t filter -A OUTPUT -o lo -j ACCEPT

    # Connection-scan detection: log, then drop, sources seen 3 or more times in 600 seconds.
    # Note: sources are only added to the "scan" list by a rule using --set; this script has none,
    # so these two rules never match until such a rule is added.
    iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j LOG --log-level info --log-prefix "Scan recent"
    iptables -A INPUT -m recent --name scan --update --seconds 600 --rttl --hitcount 3 -j DROP

    # Invalid TCP flag combinations on INPUT: log first, then drop (a DROP placed before the LOG would never log)
    iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
    iptables -A INPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
    iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
    iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # The same checks on OUTPUT
    iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
    iptables -A OUTPUT -p tcp --tcp-flags ALL ACK,RST,SYN,FIN -j DROP
    iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "Packages SYN Detected"
    iptables -A OUTPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "Packages SYN Detected"
    iptables -A OUTPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

    # Make sure new connections start with a SYN; drop anything else
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Log, then discard, incoming fragmented packets (fragment attacks can cause data loss)
    iptables -A INPUT -f -j LOG --log-level info --log-prefix "Packages fragmented entries"
    iptables -A INPUT -f -j DROP

    # Log, then drop, malformed XMAS packets (every TCP flag set)
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-level info --log-prefix "malformed XMAS packets"
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP

    # DNS in/out
    iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT

    # NTP out
    iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT

    # WHOIS out
    iptables -t filter -A OUTPUT -p tcp --dport 43 -j ACCEPT

    # FTP out (control/data ports plus a passive-mode port range)
    iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT

    # FTP in
    iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
    iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # HTTP + HTTPS out
    iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT

    # HTTP + HTTPS in
    iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT

    # Mail SMTP:25
    iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT

    # Mail POP3:110
    iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT

    # Mail IMAP:143
    iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT

    # Reverse (port 77)
    iptables -t filter -A INPUT -p tcp --dport 77 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 77 -j ACCEPT

    # MSF (port 7337)
    iptables -t filter -A INPUT -p tcp --dport 7337 -j ACCEPT
    iptables -t filter -A OUTPUT -p tcp --dport 7337 -j ACCEPT

    # Firewall logging: rate-limited LOG rules at the end of INPUT record what falls through to the DROP policy.
    # The LOG target writes to the kernel log, so /var/log/firewall only receives entries if syslog is configured to send them there.
    touch /var/log/firewall
    iptables -A INPUT -p icmp -m limit --limit 1/s -j LOG --log-level info --log-prefix "ICMP Dropped "
    iptables -A INPUT -p tcp -m limit --limit 1/s -j LOG --log-level info --log-prefix "TCP Dropped "
    iptables -A INPUT -p udp -m limit --limit 1/s -j LOG --log-level info --log-prefix "UDP Dropped "
    iptables -A INPUT -f -m limit --limit 1/s -j LOG --log-level warning --log-prefix "FRAGMENT Dropped "
    iptables -A INPUT -m limit --limit 1/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT INPUT packet died: "
    iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "IPT INPUT packet died: "
    exit 0
    ;;
stop)
    echo "turning off the firewall "
    # Open all policies and remove the rules and the syn-flood chain
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -t filter -F
    iptables -t filter -X
    exit 0
    ;;
restart)
    /etc/init.d/firewall stop
    /etc/init.d/firewall start
    ;;
*)
    echo "Use: /etc/init.d/firewall {start|stop|restart}"
    exit 1
    ;;
esac
Logs available: /var/log/firewall
Command to monitor logs: tail -f /var/log/messages
Save as: /etc/init.d/firewall
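The script's --tcp-flags rules are easier to reason about once the match semantics are spelled out: the first argument is the set of flags examined, the second is the subset that must be set, and every other examined flag must be clear. The Python below is an added illustration, not code from the article; it emulates that match for the script's rules and for a constructed kernel LOG line (the sample addresses and log line are assumptions).

```python
import re

# Flag bit values as iptables' tcp match defines them; ALL = FIN,SYN,RST,PSH,ACK,URG
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20,
             "ALL": 0x3F, "NONE": 0x00}

# (mask, comp) pairs exactly as the firewall script's --tcp-flags rules give them
SCRIPT_RULES = [
    ("ALL", "ACK,RST,SYN,FIN"),   # those four set, PSH and URG clear
    ("SYN,FIN", "SYN,FIN"),       # SYN and FIN together
    ("SYN,RST", "SYN,RST"),       # SYN and RST together
    ("ALL", "ALL"),               # every flag set: XMAS
]

def flag_bits(spec):
    """Turn a comma-separated flag list such as 'SYN,FIN' (or ALL / NONE) into a bitmask."""
    bits = 0
    for name in spec.split(","):
        bits |= TCP_FLAGS[name.strip().upper()]
    return bits

def tcp_flags_match(packet_flags, mask, comp):
    """Emulate '--tcp-flags MASK COMP': of the flags in MASK, exactly those in COMP are set."""
    return (flag_bits(packet_flags) & flag_bits(mask)) == flag_bits(comp)

def matching_rules(packet_flags):
    """Return the script rules ('MASK COMP') a packet with these flags would hit."""
    return [f"{m} {c}" for m, c in SCRIPT_RULES if tcp_flags_match(packet_flags, m, c)]

def is_syn(packet_flags):
    """iptables' --syn shorthand, equivalent to --tcp-flags SYN,RST,ACK,FIN SYN."""
    return tcp_flags_match(packet_flags, "SYN,RST,ACK,FIN", "SYN")

def flags_from_log_line(line):
    """Extract the flag words the kernel LOG target prints between RES=... and URGP=."""
    m = re.search(r"RES=\S+\s+(.*?)\s*URGP=", line)
    if not m:
        raise ValueError("not a TCP LOG line")
    words = [w for w in m.group(1).split() if w in TCP_FLAGS]  # skips CWR/ECE, not part of ALL
    return ",".join(words) if words else "NONE"

# Constructed sample line in the kernel LOG-target format (not a real capture)
SAMPLE_LOG_LINE = ("Feb 23 10:01:02 gw kernel: Packages SYN DetectedIN=eth0 OUT= "
                   "SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF "
                   "PROTO=TCP SPT=55555 DPT=22 WINDOW=1024 RES=0x00 SYN FIN URGP=0")

if __name__ == "__main__":
    for flags in ("SYN", "SYN,ACK", "SYN,FIN", "ACK,RST,SYN,FIN", "FIN,SYN,RST,PSH,ACK,URG", "NONE"):
        print(f"{flags:24} syn={is_syn(flags)!s:5} hits={matching_rules(flags)}")
    print("from log line:", matching_rules(flags_from_log_line(SAMPLE_LOG_LINE)))
```

Note that none of the script's rules matches a NULL packet (no flags set at all); a rule using --tcp-flags ALL NONE would cover that case.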
CONCLUSION
I hope this helps you configure your network security, and I remind you to choose only the best options available.
Allow me to add a few advantages of using your firewall. Be sure to block unknown and unauthorized connections. You can specify which network protocols and services are provided, and you can control packets from any untrusted service... Your firewall also allows blocking websites with URL filters, access control, access logs for per-user reports, protecting the corporate network through proxies, and Network Address Translation (NAT). It lets you control which services may or may not run on the network, allowing high performance in their duties with easy administration and reliability.
EC Council official website hacked
By : Unknown
A hacker who calls himself "Eugene Belford" (a character from the movie "Hackers") has hacked the EC-Council website, the organization that offers the Certified Ethical Hacker (CEH) certification.
The defacement message reads: "Owned by certified unethical software security professional".
He has also put documents on the deface page purporting to prove that "Edward Snowden" attended CEH classes in India.
A spokesman from CSPF (Cyber Security and Privacy Foundation) says it appears the hackers used a DNS hijacking attack to deface the website and possibly gained access to their email.
Another CEH certified professional says he was not satisfied with EC-Council training. He says that though the course material is good and the certification is recognised worldwide, the trainers from franchisees of EC-Council do not know hacking and are not competent to teach CEH classes.
Update: Some time after this news was posted, the hacker edited the deface page with this extra text:
"Defaced again? Yep, good job reusing your passwords
morons jack67834#
Obligatory link:
http://attrition.org/errata/charlatan/ec-council/
-Eugene Belford
P.S It seems like lots of you are missing the point here,
I'm sitting on thousands of passports belonging to LE (and .mil) officials
"
It may be that the attacker has gained access to EC-Council's email, in which case all the email correspondence of law enforcement and military officials might be compromised as well.