AntiExploit - locate bad files on your server
Posted: Sat Apr 23, 2005 7:22 am
hebe (Advanced user; joined Sep 04, 2004; posts: 59)

http://www.h07.org/projects/aexpl/
Quote:
1 INTRODUCTION
1.1 About AntiExploit
1.2 Illusory security?

2 SETUP AND CONFIGURATION
2.1 Install
2.2 Configuration
2.3 Database format
2.4 Update the exploit database
2.5 Shellscript support
2.6 Sample aexpl sessions and outputs
2.7 Troubleshooting & BUG Submission

#####################################################################
1 INTRODUCTION

1.1 About AntiExploit
---------------------

AntiExploit is the first ON-ACCESS Exploit-Scanner for Linux and
FreeBSD. At first aexpl was a simple Perl script which scanned the
filesystem via the locate database. Now it's a full-featured
C application.

AntiExploit uses the dazuko kernel module (www.dazuko.org) to
identify suspicious files when they are created or used.

Currently we use a daily updated MD5 database to identify files,
but in upcoming versions we will introduce file signatures and
extended checks so that bypassing aexpl will be much harder.

AntiExploit was created to locate possibly bad users on a FreeShell
system.

AntiExploit was written by Enrico Kern and Christin Volmering,
please send feedback and bug-reports to

phantom or risk@hzeroseven.org


1.2 Illusory security?
----------------------

I believe that you can't really provide 100% security for a massive
user system. But you can do your best to enhance the overall security
of your system. Most attacks are from script kiddies, crackers
without deep knowledge who mostly use known exploit codes and
easy-to-detect scans etc.

In this version we use MD5 to identify suspicious files; this means
bad files can bypass the check if you use modified exploits which are
not in the database, or compiled ones. But we are working on signature
support for upcoming versions.


####################################################################
2 SETUP AND CONFIGURATION

2.1 Installation
----------------

You need to install dazuko and the aexpl distribution;
for further information read the file INSTALL.


2.2 Configuration
-----------------

You can tweak aexpl settings in the file etc/aexpl.conf.
The .conf file explains itself, but here are some hints:

analyze/exploit_db (required)
Contains the path to exploit.db. This file
is supplied in the aexpl tarball and you find
it in the etc directory, but you can set the
database path to /etc/exploit.db, for example.
You can create the database with the -u option,
which downloads the latest file from the internet
to the specified location.

analyze/update_url (required)
The update URL of exploit.db.
This is usually: http://www.h07.org/exploit.db
This file is updated daily at 8 pm CET.

analyze/ca_cert
If you have chosen to compile curl with SSL
support, you can obtain the database via HTTPS.
We, h07, are the certificate authority for the
webserver providing the exploit database, and
if you trust us, you can use the cert
H07CA.pem, which ships with AntiExploit, to secure
the transmission protocol.
If you want to use this, change the protocol
in analyze/update_url from http to https if not
already done automatically.

analyze/version_url (required)
Location of the file which holds the latest version
of AntiExploit.
This should usually be: http://www.h07.org/aexpl.version

analyze/custom_db
This section contains three elements which are
identical in functionality to the same-named
ones in the analyze section: exploit_db,
update_url and ca_cert.
Use this optional section to define your own
bad file database.
See section 2.3 of this document for more information
on the database format.

analyze/exclude_paths
Define paths which should be excluded from aexpl.
This is a colon-separated list. For example:
/home/iamevil:/tmp:/var/spool/mail

reports/mail_addr (required)
An e-mail address to which aexpl sends reports
if a suspicious file was found.

reports/facility (required)
Syslog facility for log messages. You can obtain
the facility codes from syslog.h. The default
value is LOG_DAEMON (3<<3) = 24.

scripts/run_script
Whether to use shell script support:
"true" to enable shell script support or "false"
to disable it.

scripts/user_script
The path to the shell script you want to use.
If you use shell script support, the shell script
given here will be executed if aexpl finds a suspicious file.
The script gets the file as its first parameter,
the user ID as its second and the group ID of the
file owner as its third.

core/lock_file (required)
Aexpl uses a lock file to prevent starting the
daemon more than once. You can obtain the PID
of the running process from this file.
Default: /var/run/aexpl.pid

core/ld_so_conf (required)
Name of your shared library configuration file.
All paths in this file will be excluded from the
scanner.
Default: /etc/ld.so.conf

core/inot_size (required)
When aexpl gets a file for analysis it's stored
in a table, so we do not have to scan the same
file each time it's supplied.
Normally you don't have to change this value, but
if you own a large system with a lot of users,
you may increase this value a little.
Default: 2048

core/max_file_size (required)
Do not scan files bigger than <max_file_size>.
The hashing of the files can take a while if
they are too large, so be careful when increasing
this value.
Default: 102400

core/queue_size (required)
Aexpl has an internal buffer which holds files
until they are fetched by the worker process
to analyse them. This value can normally be
very small because the worker is very fast, but
if you decide to scan big files
(see <max_file_size>), you may increase this
value.
NOTE: The queue allocates queue_size * PATH_MAX
bytes of virtual memory to store the file
paths, so take care!
Default: 64

proxy/enabled
Enable proxy support.
Possible values are: true or false

proxy/type
Proxy type.
Possible values are: http, socks4 or socks5

proxy/host
Proxy host.
Format is: hostname:port

proxy/login
Proxy login information.
Format is: username:password


2.3 Database format
-------------------

The database format is very simple and nothing special.
The first entry is the MD5 sum of the file and the
second is the original filename. Both properties are
separated by a colon.

Example:
f4a23c9093f9a696bd8d628db2581ac1:wicked_exploit.c

The filename is currently not in use and the database
may change in further releases. For example, an information
database is planned and signature support will hopefully
be added soon.


2.4 Update the exploit database
-------------------------------

You can fetch a daily rebuild of the exploit.db from
www.hzeroseven.org/projects/aexpl/exploit.db

You can do this with aexpl -u <path to aexpl.conf>

This will download the latest exploit database and store it
in the specified path.

When AntiExploit is already running, a SIGHUP will be sent
to the active process and this will reload the exploit
database.


2.5 Shellscript support
-----------------------

If you configured AntiExploit to execute a shell script after a
suspicious file (see 2.2) has been found, then you can perform
tasks like auto-deleting the file or notifying the system admin etc.
The shell script gets 3 parameters:
the filename, the user ID and the group ID of the file owner.


2.6 Sample aexpl sessions and outputs
-------------------------------------

This is a simple example session of running AntiExploit and should
give you a short overview of the capabilities.

Let's run the daemon:

%aexpl -c /etc/aexpl.conf
Detaching, please check the log file to see if everything was ok!

OK, let's see if all was OK:

%tail /var/log/aexpl
Sun Aug 1 18:19:32 2004 <info> Starting initialization.
Sun Aug 1 18:19:32 2004 <info> Exploit database loaded with 3657 entries.
Sun Aug 1 18:19:32 2004 <info> Successfully registered with dazuko.
Sun Aug 1 18:19:32 2004 <info> Initialization complete.
Sun Aug 1 18:19:32 2004 <info> AntiExploit started.
Sun Aug 1 18:19:32 2004 <info> Worker thread woken up.

Ah, aexpl is running, let's test it:

%wget http://www.packetstormsecurity.nl/0405-exploits/linksys-dhcp-exploit.c

--23:44:21-- http://www.packetstormsecurity.nl/0405-exploits/linksys-dhcp-exploit.c
=> `linksys-dhcp-exploit.c'
Resolving www.packetstormsecurity.nl... 213.206.75.252
Connecting to www.packetstormsecurity.nl[213.206.75.252]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,721 [text/plain]

100%[====================================>] 11,721 72.91K/s

23:44:21 (72.60 KB/s) - `linksys-dhcp-exploit.c' saved [11721/11721]

OK, check:

%tail /var/log/aexpl
...
Sun Aug 1 18:22:07 2004 <alert> AntiExploit found a suspicious file: /home/phantom/linksys-dhcp-exploit.c uid(1000) gid(1000)

And finally the mail:
++++++++++++++++++++

To: phantom@ph-mobile.h07.org
Subject: AntiExploit Report for ph-mobile.h07.org
From: Enrico <phantom@ph-mobile.h07.org>
Date: Sun, 01 Aug 2004 18:22:07 +0200

AntiExploit Alert!

File: /usr/home/risk/linksys-dhcp-exploit.c
User: 1000 (phantom)
Group: 1000 (users)

Cool, isn't it? :)


2.7 Troubleshooting
-------------------

If you find a bug in AntiExploit please open a ticket
in our Trouble-Ticket System: http://www.h07.org/bugs/

You can use this account to open your ticket:
user: `guest'
passwd: `bugsbugs'

ATTENTION!
**********

Before you submit a bug, please download the daily build at http://h07.org/projects/aexpl/
to see if the problem is fixed in the latest development version. Daily builds are generated
every day at 8 pm CET from SVN sources.



EOF


Install

1: Download the latest version of AntiExploit
2: Extract the tarball
3: Build and install dazuko (read the readme for further instructions)
4: ./configure [options]
5: make
6: Edit etc/aexpl.conf to fit your needs
7: make install (use GNU make on FreeBSD)
8: Update your exploit-database (aexpl -u "path to aexpl.conf")
9: Start Aexpl with aexpl -c "path to aexpl.conf" and check the log file





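The README quoted above describes the exploit.db line format (2.3), the max_file_size cut-off (2.2), the three arguments handed to scripts/user_script (2.5) and the SIGHUP reload (2.4), but shows none of it as code. What follows is an added example, not AntiExploit's own code and not part of hebe's post: a one-shot POSIX shell re-implementation of that logic that runs offline, without dazuko or a running daemon. The sample files and their hashes, the quarantine-instead-of-delete policy and the function names (file_md5, owner_ids, db_has_file, scan_dir, user_script, scan_and_handle, reload_aexpl) are all assumptions of this example; only the `md5:filename` line format, the `file uid gid` hook contract and the default lock file path /var/run/aexpl.pid come from the README.

```shell
#!/bin/sh
# Added example, not AntiExploit's own code: an offline, one-shot version of
# what aexpl does on access, covering the exploit.db format (2.3), the
# max_file_size rule (2.2), the user_script contract (2.5), the SIGHUP
# reload (2.4) and the MD5-bypass caveat (1.2). All sample data below is
# constructed for this example.
set -u

MAX_SIZE=102400                  # README default for core/max_file_size
LOCK_FILE=/var/run/aexpl.pid     # README default for core/lock_file
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DB="$WORK/exploit.db"            # stands in for analyze/exploit_db
QUARANTINE="$WORK/quarantine"    # policy assumed by this example's hook
REPORT="$WORK/aexpl-report.log"
mkdir -p "$WORK/home/alice" "$QUARANTINE"

# MD5 of a file: GNU coreutils md5sum, else openssl.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 < "$1" | sed 's/.*= //'
    fi
}

# uid and gid of a file's owner: GNU stat first, then BSD stat.
owner_ids() {
    stat -c '%u %g' "$1" 2>/dev/null || stat -f '%u %g' "$1"
}

# Section 2.3: one "<md5>:<original filename>" line per entry. Succeeds when
# the file's hash is listed; the filename field is ignored, as the README says.
db_has_file() {
    sum=$(file_md5 "$1") || return 2
    grep -qi "^$sum:" "$DB"
}

# Walk a tree, skip files bigger than MAX_SIZE (never hashed, as in aexpl),
# and print every path whose hash is in the database.
scan_dir() {
    find "$1" -type f ! -size +"${MAX_SIZE}"c | while IFS= read -r f; do
        if db_has_file "$f"; then printf '%s\n' "$f"; fi
    done
}

# Section 2.5: the hook gets $1=file, $2=uid, $3=gid of the owner. This one
# moves the file aside instead of deleting it and logs a report line.
user_script() {
    hit=$1; uid=$2; gid=$3
    case $hit in
        /*) ;;                                   # aexpl passes absolute paths
        *)  printf 'refusing relative path: %s\n' "$hit" >&2; return 1 ;;
    esac
    dest="$QUARANTINE/$(printf '%s' "$hit" | tr '/' '_').$uid.$gid"
    mv "$hit" "$dest" && chmod 000 "$dest"
    printf '%s quarantined %s uid=%s gid=%s -> %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$hit" "$uid" "$gid" "$dest" >> "$REPORT"
}

# Glue: collect hits first, then call the hook exactly as aexpl would.
scan_and_handle() {
    scan_dir "$1" > "$WORK/hits.txt"
    while IFS= read -r hit; do
        ids=$(owner_ids "$hit")
        user_script "$hit" "${ids% *}" "${ids#* }"
    done < "$WORK/hits.txt"
}

report_count() { wc -l < "$REPORT" | tr -d ' '; }

# Section 2.4 fallback: after replacing exploit.db by hand (aexpl -u does this
# itself), make the running daemon reload it via the PID in its lock file.
reload_aexpl() {
    pid=$(cat "${1:-$LOCK_FILE}") && kill -0 "$pid" && kill -HUP "$pid"
}

# --- constructed sample data ----------------------------------------------
printf 'int main(void){return 0;}\n' > "$WORK/home/alice/hello.c"          # benign
printf 'char sc[]="\\x90\\x90";\n' > "$WORK/home/alice/wicked_exploit.c"    # "known bad"
head -c $((MAX_SIZE + 1)) /dev/zero > "$WORK/home/alice/huge.bin"           # over the limit
# The database is built from the samples' own hashes here; a real exploit.db
# comes from analyze/update_url.
{
    printf '%s:%s\n' "$(file_md5 "$WORK/home/alice/wicked_exploit.c")" wicked_exploit.c
    printf '%s:%s\n' "$(file_md5 "$WORK/home/alice/huge.bin")" huge.bin
} > "$DB"
# Section 1.2 caveat: one appended line and the same exploit no longer matches.
cp "$WORK/home/alice/wicked_exploit.c" "$WORK/home/alice/wicked_v2.c"
printf '// tweaked\n' >> "$WORK/home/alice/wicked_v2.c"

: > "$REPORT"
scan_and_handle "$WORK/home"
cat "$REPORT"
```

Run it as an unprivileged user; it builds its own temporary tree and removes it on exit. wicked_exploit.c ends up in quarantine, while wicked_v2.c, the same source with one appended line, and huge.bin, which is listed in the database but over max_file_size, are both left alone: that is the section 1.2 caveat in practice, a hash database only catches byte-identical copies of what it already knows. Two things to carry into a real user_script: the path argument is chosen by whoever dropped the file, so always quote it and never feed it to eval or an interpolating shell command, and the hook runs with the daemon's privileges rather than the file owner's, so moving the file aside is a safer default than deleting it before anyone has looked at it.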
Posted: Tue Apr 26, 2005 6:09 am
y3dips (Valuable expert; joined Feb 25, 2005; posts: 281; location: Indonesia)

Well, if it's true, then it would be good.
Even better if you combine it with rkhunter :)

_________________
IO::y3dips->new(http://clog.ammar.web.id);
Posted: Tue Apr 26, 2005 4:30 pm
LINUX (Moderator; joined May 24, 2004; posts: 404; location: Caiman)

It is a good combination, but really all anti-rootkits only detect 60% of rootkits.

At the present time, 2005, more private rootkits exist than public ones 8)
Posted: Wed Apr 27, 2005 1:58 pm
y3dips (Valuable expert; joined Feb 25, 2005; posts: 281; location: Indonesia)

No doubt about that, LINUX ;)
But it would help to minimize it and give the admin more time to manage the machine :)

_________________
IO::y3dips->new(http://clog.ammar.web.id);