Author: (Nasim/Ramadhan/Hafiz/Shuaib) Introduction Security practitioners develop ways to detect cyber attacks that pose a potential risk to Internet users. This is done to secure computer system vulnerabilities, to provide alerts to the community, and to learn how such attacks occur. One of the ways of detecting such malicious attacks is developing […]
Converting String, Hex and Fixnum Using Ruby
1.0 Introduction Software development in the security domain always involves converting to and from hex and binary formats. For those new to certain languages, a steep learning curve is involved, and this translates into increased development cost. This article concentrates on using the Ruby language to help newcomers shorten the learning curve. To […]
ProFTPD 1.3.3c Compromise:Trojan Source Code
On Sunday, the 28th of November 2010 around 20:00 UTC the main distribution server of the ProFTPD project was compromised. The attackers most likely used an unpatched security issue in the FTP daemon to gain access to the server and used their privileges to replace the source files for ProFTPD 1.3.3c with a version which […]
mysql subqueries bug
After the pKaji project, we tried to add information/profile data for each RFI attack. While writing code to dig out information stored in a database with many-to-many relationships, we found that MySQL was taking far too long. From the analysis we did, the outermost SQL statement is not optimized when subqueries are used, because the MySQL engine fails to use the appropriate index. The code that […]
ruby mysql blob
Recently, one of MyCERT's internal projects required that PDF files be saved into the database (MySQL). Since it is not easy to find sample code via Google, here is a quick note for future reference (the file is opened for reading in binary mode, "rb", not "wb", which would truncate it): fContent = File.open("/path/file", "rb").read() db = Mysql.new('localhost', 'user', 'password', 'database') st = db.prepare("insert into tableA( fieldBlob) values (?)") st.execute(fContent) […]
pKaji: The PHP Analyzer
pKaji is a free service provided by MyCERT that allows one to analyze PHP code. It facilitates detection of network activity and other potentially malicious activity within the code by using the 'hooking' technique. Basically, it uses the APD (Advanced PHP Debugger) extension to hook the original PHP built-in functions. Using pKaji To use pKaji, […]
Bashing The Wildcard
This is a quick note about wildcard usage on the Linux command line, particularly on how to select/include some files among others. Let's say you have a directory that contains the following files: $ls mh apache-log.tar.gz.00 apache-log.tar.gz.01 apache-log.tar.gz.02 apache-log.tar.gz.03 apache-log.tar.gz.04 apache-log.tar.gz.05 apache-log.tar.gz.06 apache-log.tar.gz.07 apache-log.tar.gz.08 apache-log.tar.gz.09 apache-log.tar.gz.10 apache-log.tar.gz.11 apache-log.tar.gz.12 apache-log.tar.gz.13 To copy the first 10 files, […]
Crontab Problem
crontab ps bash
Hooking pBot
I'm working on analyzing remote file inclusion (RFI) code. For the pBot class, which uses an IRC server as its command and control (C&C), we are interested in getting the IP addresses of the C&C, the channel name and the nickname used to connect to the IRC server. Below is a sample of the output: ok! (host=irc.server_name.net, port=6667, […]
Log Files: Dealing with Inconsistent Field Delimeter
Salam, Log files are big. Processing them can be cumbersome, especially if the field separator is not unique. Take a look at the contents of the file example.log below: "209.34.23.99",6667,"Rembau, NSembilan,Malaysia","GET /phpmyadmin ",404 "238.34.23.99",80,"Selangor","GET /phpmyadmin/ ,200 "21.34.23.99",9090,"A. Star, Kedah, Malysia","GET /phpmyadmin/favicon.ico,404 "120.34.23.99",6667,"Malysia","GET /phpmyadmin/print.css,404 "2.34.23.99",993,"A. Star, Kedah, Malysia","GET /phpmyadmin/phpmyadmin.css.php?lang=en-utf-8,404 At first sight, anybody would agree to […]