Tuesday, December 5, 2017

gloc - command line geoIP tool

As part of my CERT-RS work, I was recently occupied with locally active botnets. One of the main IoC items when analyzing botnets, C&Cs and their relations with infected hosts is the IP address, since at some point you will want to know where the attacker originates from, how he commands his botnets, and so on.
I wanted to quickly pinpoint those malicious C&Cs, but I was missing geoIP data for those IPs.
freegeoip.net came to mind as a not-that-precise but nevertheless free service. And free is good!
However, I couldn't find any tool that would convert the list of IPs I had and add the geo data I needed, so I decided to write one.
The result: gloc, a small (less than 90 lines of code) and handy command-line utility for geolocating IP lists.
It can display info about a single IP, and it can convert a list of IP addresses and write them out in JSON, CSV or XML format.
Since it relies on the freegeoip.net API, be aware that 15,000 queries per hour is the maximum you can do. Still, this should be more than enough for most cases.

You can download gloc from my GitHub.
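To show the shape of such a batch enrichment tool, here is an added example written for this page; it is not the gloc code. It reads an IP list, deduplicates it, skips addresses that can never carry useful geo data (private, loopback, link-local, multicast), stops at an assumed per-hour quota, and writes the result as JSON, CSV or XML. The record field names (ip, country_code, country_name, city, latitude, longitude) are an assumption modelled on a freegeoip-style JSON response, and the lookup backend is a constructed offline stand-in for the HTTP call, so the script runs without network access.

```python
"""Batch geolocation of an IoC IP list with a pluggable lookup backend.

Added example, not the gloc code. Field names are an assumption modelled on a
freegeoip-style JSON response; offline_lookup stands in for the real HTTP call.
"""
import csv
import io
import ipaddress
import json
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Iterable, List, Optional

GeoRecord = Dict[str, object]
Lookup = Callable[[str], Optional[GeoRecord]]

# Constructed sample data (documentation-range addresses, no real attribution).
FAKE_GEO_DB: Dict[str, GeoRecord] = {
    "203.0.113.7": {"country_code": "EX", "country_name": "Exampleland",
                    "city": "Testville", "latitude": 10.5, "longitude": 20.25},
    "198.51.100.23": {"country_code": "EX", "country_name": "Exampleland",
                      "city": "Sampleton", "latitude": -3.0, "longitude": 45.0},
}


def offline_lookup(ip: str) -> Optional[GeoRecord]:
    """Stand-in for the API call; a real backend would GET the service's JSON endpoint."""
    rec = FAKE_GEO_DB.get(ip)
    return dict(rec, ip=ip) if rec else None


# Ranges that never carry useful geo data: querying them burns quota and, for
# RFC 1918 space, leaks your own internal addressing to a third party.
SKIP_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8")]


def is_routable(ip: str) -> bool:
    """True for syntactically valid addresses outside the skip list."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in SKIP_NETWORKS)


def geolocate(ips: Iterable[str], lookup: Lookup, max_queries: int = 15000) -> List[GeoRecord]:
    """Deduplicate the list, skip non-routable entries and stop at the hourly quota."""
    results: List[GeoRecord] = []
    seen = set()
    queries = 0
    for raw in ips:
        ip = raw.strip()
        if not ip or ip in seen:
            continue
        seen.add(ip)
        if not is_routable(ip):
            results.append({"ip": ip, "error": "non-routable"})
        elif queries >= max_queries:
            results.append({"ip": ip, "error": "quota exhausted"})
        else:
            queries += 1
            results.append(lookup(ip) or {"ip": ip, "error": "no data"})
    return results


FIELDS = ["ip", "country_code", "country_name", "city", "latitude", "longitude", "error"]


def to_json(records: List[GeoRecord]) -> str:
    return json.dumps(records, indent=2)


def to_csv(records: List[GeoRecord]) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, extrasaction="ignore")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


def to_xml(records: List[GeoRecord]) -> str:
    root = ET.Element("hosts")
    for rec in records:
        host = ET.SubElement(root, "host")
        for key in FIELDS:
            if key in rec:
                ET.SubElement(host, key).text = str(rec[key])
    return ET.tostring(root, encoding="unicode")


# Constructed input: a duplicate, a private address and a malformed entry included.
SAMPLE_IPS = ["203.0.113.7", "10.0.0.5", "203.0.113.7", "198.51.100.23", "not-an-ip", "192.0.2.99"]

if __name__ == "__main__":
    print(to_csv(geolocate(SAMPLE_IPS, offline_lookup)))
```

Swapping offline_lookup for a function that performs the real HTTP request is the only change needed to run this against a live service; the filtering and quota accounting stay the same, and the "error" column makes it visible which IoCs were never actually queried.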

Tuesday, October 31, 2017

rsrdjanizer's List of achievements

Me taking a selfie

Hi, I'm rsrdjanizer, Twitter roBOT / Personal Twitter Assistant (PTA) whose brain is developing day after day.
Here's the list of my current accomplishments (what I can do):

  • I can retweet and favorite tweets (currently I'm doing this only for my master @rsrdjan)
  • I can pull and tweet some random quote, usually related to the InfoSec, but not necessarily
  • I can announce newest CVE details, and I do, every half an hour
  • I can respond to a DM (I warn you, you'll be disappointed!).
What are my goals?
  • To receive an order from my master and do something nice for him (i.e. buy something or book a hotel or find him a nice clubbing for the evening or give him some XBT...)
  • To keep my master and folks that are following me up-to-date with latest InfoSec info based on their earlier interests
  • To find a cool PTA chick (yes, I'm single).
And that's all folks! For now. 
Maybe I'm an underachiever, but hey, I'm willing to learn at least!

Monday, March 13, 2017

UA "Mozilla/5.0 Jorgee": Knocking on the phpMyAdmin door

Twice in the last couple of days my HIDS has fired the alert "Multiple web server 400 error codes from same source ip." A quick look at access.log revealed the following:

XXX.XXX.XX.XX - - [13/Mar/2017:09:36:20 +0100] "HEAD http://[my Ip]:80/phppma/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/phpmy/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/2phpmyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/phpmyadmin4/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:19 +0100] "HEAD http://[my Ip]:80/phpmyadmin3/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:18 +0100] "HEAD http://[my Ip]:80/phpmyadmin2/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:18 +0100] "HEAD http://[my Ip]:80/phpmyAdmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:18 +0100] "HEAD http://[my Ip]:80/phpMyAdmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/phpMyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/phpmyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/mysql/mysqlmanager/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"
XXX.XXX.XX.XX - - [13/Mar/2017:09:36:17 +0100] "HEAD http://[my Ip]:80/mysql/sqlmanager/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee" 
It is obvious that somebody is gathering info about my phpMyAdmin installation (which I am not running anyway). However, the UA field looked strange, since I had never seen it before. After consulting a couple of OSINT sources, it looks like the signature belongs to a phpMyAdmin exploit scanner (my guess is some variant of Revolt). The automation of probes from different IPs raised my suspicion of some kind of malware, since a back-scan with nmap showed that one source IP hosts a Visual SVN server and IIS, while the other runs Ubuntu Linux with default sshd and nginx installations.

Since I'm running Apache on that particular server, I added the following to my .htaccess file to block those requests:

# Answer 403 to any request whose User-Agent contains "Jorgee" (case-insensitive),
# while still serving robots.txt
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} Jorgee [NC]
RewriteRule !^robots\.txt$ - [F]

The attacks originated from IPs in Saint Petersburg (Russia) and Paris (France).
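The HIDS alert above keys on a burst of 4xx responses from one source, and the .htaccess rule keys on the User-Agent string. The following added example (written for this page, not the HIDS rule set or any tool from the post) implements both detections, plus a third that flags a source probing several phpMyAdmin-style paths, over Apache combined-format lines like those in the excerpt. The sample log lines are constructed with documentation-range addresses, and the window and thresholds are assumptions.

```python
"""Detection logic for the scan pattern in the post: parse Apache access.log lines
and alert on a 4xx burst from one source, on the "Jorgee" User-Agent marker and on
probing of several admin-console paths.

Added example; sample lines are constructed and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# Apache "combined" log format, as in the post's excerpt.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
SCANNER_UA_MARKERS = ("Jorgee",)                            # signature from the post
ADMIN_PATH_RE = re.compile(r"phpmyadmin|sqlmanager", re.I)  # also matches mysqlmanager

Alert = Tuple[str, str, str]  # (rule, source ip, detail)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["status"] = int(m["status"])
    ev["ts"] = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = m["request"].split(" ")
    ev["method"] = parts[0] if len(parts) == 3 else ""
    ev["target"] = parts[1] if len(parts) == 3 else m["request"]
    return ev


def detect(lines: Iterable[str], window: timedelta = timedelta(seconds=60),
           burst_threshold: int = 5, path_threshold: int = 3) -> List[Alert]:
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])  # excerpts are often newest-first
    alerts: List[Alert] = []

    # Rule 1: at least burst_threshold client errors from one source inside the window.
    recent: Dict[str, List[datetime]] = defaultdict(list)
    flagged = set()
    for ev in events:
        if not 400 <= ev["status"] < 500:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.pop(0)
        if len(q) >= burst_threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append(("4xx_burst", ev["ip"],
                           f"{len(q)} client errors within {int(window.total_seconds())}s"))

    # Rule 2: known scanner User-Agent marker, one alert per (source, UA) pair.
    seen_ua = set()
    for ev in events:
        if any(mk in ev["ua"] for mk in SCANNER_UA_MARKERS) and (ev["ip"], ev["ua"]) not in seen_ua:
            seen_ua.add((ev["ip"], ev["ua"]))
            alerts.append(("scanner_ua", ev["ip"], ev["ua"]))

    # Rule 3: several distinct admin-console paths probed by the same source.
    probed: Dict[str, set] = defaultdict(set)
    for ev in events:
        if ADMIN_PATH_RE.search(ev["target"]):
            probed[ev["ip"]].add(ev["target"])
    for ip, paths in probed.items():
        if len(paths) >= path_threshold:
            alerts.append(("admin_path_probe", ip, f"{len(paths)} distinct admin paths"))
    return alerts


# Constructed sample: six scanner probes in three seconds, then ordinary browsing.
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Mar/2017:09:36:17 +0100] "HEAD http://192.0.2.10:80/phpmyadmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [13/Mar/2017:09:36:17 +0100] "HEAD http://192.0.2.10:80/phpMyAdmin/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [13/Mar/2017:09:36:18 +0100] "HEAD http://192.0.2.10:80/phpmyadmin2/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [13/Mar/2017:09:36:18 +0100] "HEAD http://192.0.2.10:80/mysql/sqlmanager/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [13/Mar/2017:09:36:19 +0100] "HEAD http://192.0.2.10:80/phpmy/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"',
    '203.0.113.7 - - [13/Mar/2017:09:36:20 +0100] "HEAD http://192.0.2.10:80/phppma/ HTTP/1.1" 404 481 "-" "Mozilla/5.0 Jorgee"',
    '198.51.100.23 - - [13/Mar/2017:09:40:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"',
    '198.51.100.23 - - [13/Mar/2017:09:40:02 +0100] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/52.0"',
]

if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:17} {ip:15} {detail}")
```

The burst rule is the generic one and fires regardless of the User-Agent, which matters because a UA string is trivially changed; the marker and path rules add attribution and context once a source has been flagged. A single stray 404 from an ordinary browser, as in the last sample line, stays below the threshold.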

Friday, December 25, 2015

Fedora 23 on 13" Macbook Air (2013 model)

Installing a contemporary Linux system on Apple hardware can be a cumbersome task. Fedora 23 is one of the cool Linux distros with a nicely polished Gnome 3 desktop out of the box, which makes it suitable for my MacBook Air (2013 model).
After a straight install I noticed that three things were missing: the Broadcom WiFi card was not recognized, nor was the built-in webcam, and suspend/resume works but the screen stays blank afterwards (making any further work impossible).
So these are the steps to get a fully functional (well, except for the webcam) Fedora 23 Workstation edition on the MacBook Air:

1. Broadcom WiFi

Run the following (from terminal):

wget http://git.io/v443u -v -O fedora23_broadcom_wl_install.sh && sh ./fedora23_broadcom_wl_install.sh;

When asked, enter your root password. The script downloads the Broadcom driver files and loads the relevant kernel module; since it runs with root privileges, it is worth downloading it first and reading through it before running the sh part. After it finishes, you should see your WiFi active in the network manager.

2. Suspend/resume workaround

$ git clone https://github.com/patjak/mba6x_bl
$ cd mba6x_bl
$ make
$ sudo make install
$ sudo depmod -a

You can now load the module with sudo modprobe mba6x_bl and restart X to try it. The module will be loaded automatically at the next restart.

3. Webcam

Unfortunately, Broadcom hides the internals of its hardware, so there is no driver for now.

Monday, August 3, 2015

Working with RESTful Web Services Drupal 7 module

Whoever has worked with the Drupal 7 CMS has probably felt the need to expose their site's resources somehow. We have all heard about the Services module, with plenty of tutorials online about setting all those parameters, endpoints and so on. However, there is another publicly available, easy-to-use module called RESTful Web Services, which relies on the Entity API module and its powerful methods for exposing and exchanging internal Drupal resources.
So I wanted to expose a couple of entities (content types) via a REST web API, and after I had read all about this tiny module it seemed the right choice. After all, I didn't want anything fancy, just to be able to do classic CRUD operations via the exposed service, and that is just what RESTful WS is supposed to do, complying with best REST practice, right?
It is worth mentioning that my setup was somewhat different from the usual scenario in which you would use the module. Namely, I was running the Drupal 7 instance under a fresh OpenBSD httpd web server, which looked rather simple but promising in terms of getting the job done. One of the key issues I found with httpd is that it is missing a lot of features that contemporary web servers include by default, one of them being clean URLs, or URL rewriting if you wish. As you can imagine, that means only one thing: no JSON delivery via a URL extension (such as http://resource/node/1.json); instead I needed to send custom header pairs such as Accept: application/json and Content-Type: application/json. It worked! Now I could use a library such as JSON.NET, deserialize what I pull with System.Net.WebClient.DownloadString(), map that onto my custom class and use it wherever and for whatever I want.

RESTful WS may be an old module that has lost some of its prescribed functionality over the years, but it is still good at serving JSON or XML to third-party clients. The upcoming Drupal 8 comes with REST in its core, so there will be no need to install modules manually for the same functionality. Until then, many Drupal 7 sites could be served by this handy little thing.
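The workaround in the post, selecting the representation with an Accept header rather than a .json extension, is plain HTTP content negotiation. The following added example (written for this page, not the RESTful Web Services module's code or the author's .NET client) shows both sides of that exchange with a toy resource server and a client: the server serves /node/<nid> with no extension, picks JSON or XML from the Accept header, answers 406 when it can offer neither, and labels the response with Content-Type, Vary and X-Content-Type-Options so the client parses by declared type rather than guessing. The node data, field names and port are constructed.

```python
"""Content negotiation by Accept header instead of URL extension.

Added example; toy server and client, not the RESTful WS module. Node data is constructed.
"""
import json
import threading
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

NODES = {1: {"nid": 1, "type": "article", "title": "Hello world"}}  # constructed


def render(node, accept):
    """Choose a representation from the Accept header; None means not acceptable."""
    if "application/json" in accept or accept.strip() == "*/*":
        return "application/json", json.dumps(node).encode()
    if "application/xml" in accept:
        root = ET.Element("node")
        for key, value in node.items():
            ET.SubElement(root, key).text = str(value)
        return "application/xml", ET.tostring(root)
    return None


class NodeHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # Path is /node/<nid> with no extension: the representation comes from headers only.
        parts = self.path.strip("/").split("/")
        if len(parts) != 2 or parts[0] != "node" or not parts[1].isdigit() \
                or int(parts[1]) not in NODES:
            self.send_error(404)
            return
        rep = render(NODES[int(parts[1])], self.headers.get("Accept", "*/*"))
        if rep is None:
            self.send_error(406)  # nothing we can offer matches the client's Accept
            return
        ctype, body = rep
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Vary", "Accept")                  # caches must key on Accept
        self.send_header("X-Content-Type-Options", "nosniff")  # no client-side type guessing
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), NodeHandler)  # port 0: let the OS pick one
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_node(base_url, nid, accept):
    """Client side: request a representation via Accept, parse by declared Content-Type."""
    req = Request(f"{base_url}/node/{nid}", headers={"Accept": accept})
    with urlopen(req, timeout=5) as resp:
        ctype = resp.headers.get_content_type()
        body = resp.read()
    if ctype == "application/json":
        return json.loads(body)
    if ctype == "application/xml":
        return {el.tag: el.text for el in ET.fromstring(body)}
    raise ValueError(f"unexpected content type {ctype}")


def demo():
    """Run the exchange three ways; returns (json result, xml result, status for text/html)."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}"
    try:
        as_json = fetch_node(base, 1, "application/json")
        as_xml = fetch_node(base, 1, "application/xml")
        try:
            fetch_node(base, 1, "text/html")
            rejected = None
        except HTTPError as err:
            rejected = err.code
    finally:
        srv.shutdown()
    return as_json, as_xml, rejected


if __name__ == "__main__":
    print(demo())
```

The client never looks at the URL to decide how to parse; it trusts the Content-Type the server declared, which is exactly the contract the Accept/Content-Type header pair establishes when no URL rewriting is available.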