File Carving Software

File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata. The carving process makes use of knowledge of common file structures, information contained in files, and heuristics regarding how filesystems fragment data. Fusing these three sources of information, a file carving system infers which fragments belong together.

File . . . → Read More: File Carving Software

detect flashback mac

F-Secure has created a free tool that automates the detection and removal of the widespread Flashback Mac OS X malware.

How to use the tools:

1) Download FlashbackRemoval.zip to the Mac machine you want to scan.
2) Double-click the zip package to unzip it in the current folder.
3) Double-click the FlashBack Removal app . . . → Read More: detect flashback mac

Honeynet honeywall howto

Honeynet/Honeywall Implementation

Routing of malicious traffic and forensic analysis

Steve Stonebraker

11/22/2010

A detailed implementation of a full-interaction honeypot and honeywall in a virtualized VMware environment is presented. The benefits and drawbacks of this type of implementation are explained. The importance of proper . . . → Read More: Honeynet honeywall howto

detect mac flashback

To detect the Mac Flashback virus (courtesy of cnet.com):

How does it work?

The Flashback malware injects code into applications (specifically Web browsers) that will be executed when they run, and which then send screenshots and other personal information to remote servers.

First step: Exploiting Java

When you encounter the malicious Web page containing the . . . → Read More: detect mac flashback

ossec clear database

To delete all currently stored alerts and related data in the OSSEC database, execute these commands in the

MySQL Editor:

truncate table alert;
truncate table data;

Bash Script:

#!/usr/local/bin/bash
#
# Stop ossec, remove old alerts, start ossec

echo "stopping ossec"

/var/ossec/bin/ossec-control stop

echo 'TRUNCATE TABLE `alert` ;' | mysql ossec . . . → Read More: ossec clear database

Secure Apache ServerTokens and ServerSignature directives

There are two config directives that control how Apache reveals its version. The ServerSignature directive adds a line containing the Apache HTTP Server version and the ServerName to any server-generated documents, such as error messages sent back to clients. ServerSignature is set to On by default. The ServerTokens directive controls whether the Server response header field which is . . . → Read More: Secure Apache ServerTokens and ServerSignature directives

Install OSSEC local on Ubuntu

Download files

wget http://www.ossec.net/files/ossec-hids-latest.tar.gz
wget http://www.ossec.net/files/ossec-hids-latest_sum.txt

Check the MD5 or SHA1 to make sure they are legit (Don't skip!!)

md5sum ossec-hids-latest.tar.gz
cat ossec-hids-latest_sum.txt

Extract the files from the tar

tar zxvf ossec-hids-latest.tar.gz

Cd into the directory and run the installer **

cd ossec-hids-latest/
./install.sh

If you are not running a local install make sure . . . → Read More: Install OSSEC local on Ubuntu

check your website for vulnerabilities

How do you check your website for vulnerabilities for free?

Check out these sites that provide free vulnerability scans:

http://wepawet.iseclab.org/index.php

http://sitecheck.sucuri.net/scanner/

fseek() expects parameter 3 to be long os_lib_alerts.php SEEK_SET

To fix this error: fseek() expects parameter 3 to be long os_lib_alerts.php SEEK_SET

Line 842 in os_lib_alerts.php reads:

fseek($fp, $seek_place, "SEEK_SET");

It should actually be:

fseek($fp, $seek_place, SEEK_SET);

decoding sql injection attempts

Background

SQL Server has a function called CAST that converts an array of ASCII codes to text. Attackers can use this function to obfuscate a SQL injection payload and bypass filters that block SQL commands or hazardous characters. Here is an example of an attack that uses this technique:

DECLARE @S CHAR(4000); SET @S=CAST(0x The ASCII . . . → Read More: decoding sql injection attempts