This script will go line by through a text file checking to see which IP is up. If the host is not up it will log to the results.csv file as “IP,DOWN,NoName”. If the host is up it will log to the results.csv file as “IP,UP,hostname”. Please note that if the authority DNS server does not have an answer for that IP it will log no name and instead will put the IP address again.  This script is very handy on our firewall audits and cleans ups to see what hosts are still needed and which are no longer even turned on any longer.

You will need to have the IP addresses you want to check in a file called IP.txt, unless you edit the script. Make sure you put the file in the same path as the script.

#!/usr/bin/ruby
require “socket”
require ‘resolv’

def computer_exists?(fwip)
system(“ping -c1 -w1 #{fwip}”)
end

def append_to_file(line)
file = File.open(“results.csv”, “a”)
file.puts(line)
file.close
end

def getInfo(current_ip)
begin
if computer_exists?(current_ip)
host_name = Socket.getaddrinfo(current_ip,nil)
append_to_file(“#{current_ip},UP,#{host_name[0][2]}\n”)
else
append_to_file(“#{current_ip},DOWN,NoNAME\n”)
end
rescue SocketError => mySocketError
append_to_file(“#{current_ip},UP,ERROR”)
end
end

#Myfavorite method, read and process file
ipLST=’IP.txt’
File.readlines(ipLST).each do |line|
current_ip = “#{line}”
getInfo(current_ip)
end

Requirements:
1. Windows vista or higher (preferably 7)
2. Powershell 2,0
3. user access control disabled
4. Acuentix installed (v7 or higher)
5. List of sites to scan

Adding functionality:

To add functions to the wvs_console call edit the variable $scan

Code:

################################################
## Automate Acunetix Console Scans
## Edit $scan to add more function (profile, report type, etc)
## Created by Michael LaSalvia
## http://www.digitaloffensive.com for http://SecurityonLocation.com
###############################################

Set-Location “C:\Program Files (x86)\Acunetix\Web Vulnerability Scanner 7″
# Add my directory to the current PATH
$x = (Get-Location).ProviderPath
$env:path = “$env:path;$x”
write-host “Current directory added to ENV:PATH”
##################################################
##Edit below but be careful
##################################################

$sites= Get-Content c:\mytest\sites.txt
foreach ($i in $sites) {
$scan = “/scan $i /generatereport”
Start-Process ‘wvs_console.exe’ -WindowStyle hidden -Wait -ArgumentList $scan -PassThru

}
exit

How to run:

Place code in a file called whatever you want .ps1 and make sure to sign so you can execute it with powershell. Also make sure to edit the variable sites and variable scan to meet your requirements.

Any questions or concerns feel free to contact me.

This is a simple script I wrote in ruby to scan ports to see if they are open and grab the banner of the service.  The script has error handling built in so it is able to continue on to the next port if the port before is closed. Port banners are displayed to the screen. If you want to log them to a file just alter the print statement to redirect to a file. To change the port ranges to scan alter the line where the “for loop” is 0…65536. This script will only do tcp and not udp. The script was written for fun but when you are doing an actual audit sometimes you cannot install tools on the machines or with in the network you are auditing. This will allow you to use a piece of software that is installed on most new Linux machines.

#!/usr/bin/ruby
#Simple Ruby Banner Graber
#Created by Mike @ digitaloffensive.com
#######################################

require ‘socket’
puts “Enter the IP to scan: ”
bIps = gets
puts “Now scanning #{bIps} for open ports”
for sPorts in 0…65536
begin
bcon = TCPsocket.new(“#{bIps}”, “#{sPorts}”)
bcon.puts(“get / HTTP/1.1 \n\n\n\n\n”) #http is picky
bhead = bcon.recv(100)
bcon.close
print bhead
rescue
puts “#{sPorts} is not open, continuing”
end
end

iScanner is developed by the folks over at iSecur1ty.org. The latest update of code was in September of 2010. The iScanner application is ruby based application that has many features:

Current Features:

• Ability to scan one file, directory or remote web page / website.
• Detect and remove website malwares and malicious code in web pages. This include hidden iframe tags, javascript, vbscript, activex objects, suspicious PHP codes and some known malwares.
• Extensive log shows the infected files and the malicious code.
• Support for sending email reports.
• Ability to clean the infected web pages automatically.
• Easy backup and restore system for the infected files.
• Simple and editable signature based database.
• You can easily send malicious file to iScanner developers for analyzes.
• Ability to update the database and the program easily from iScanner’s server.
• Very flexible options and easy to use.
• Fast scanner with great performance.
• Yes, it’s FREE!!

I found this tool extremely interesting and started playing with it. Overall it is a great tool though I found it was missing some functionality that I wanted.

1.       It does not have a flag to index and scan the whole site for malicious code.

2.       The database is extremely small and does not detect some common variations of C99 shell.

To resolve the first issue I used the ruby module Hawler and a modified version of htmap created by John Hart of Spoofed.org. This allowed me to get an index of all links that are linked to on the URL you want to scan. Once I had that information I was able to create a simple shell script to loop through the list scanning each page. I even went as far as to only output the infected pages into a report for easy reference.

To resolve the second issue I created my own database based on information I found on the internet and from personal research. I found using a web tool like Rubular, http://www.rubular.com/ great for testing my regex strings.  We also are experimenting with downloading known malicious URL lists and auto creating signatures to use in the scans. We will be releasing this code in our next article.

For testing purposes we created the following signature and added it to the database:

a)      — 9.3

b)       - (eval)

c)       – PHP ‘eval’ functions detected, possible encoded malicious code.

d)      – MU:RE

• Bullet (a) is he signature number; this should be unique for your reporting.
• Bullet (b) is the regex string. The regex string is encapsulated in ()
• Bullet (c) is a comment about the malicious code.
• Bullet (d) tells the app to scan multiple lines to match the regex and to also check when remotely scanning

For more information of the creation of custom signature files check out the README file that comes with iScanner it is extremely easy to follow.

So let’s take a look how to install all of this and how to use iScan script:

1.       Make sure you are running linux and have ruby installed or the ability to install ruby.

2.       Install the Hawler ruby gem: gem install –source http://spoofed.org/files/hawler/ if any dependencies are needed make sure you install them as well.

3.       Download the modified version of htmp and iscan.sh (found in the zip file with the rest of the scripts from this article).http://www.digitaloffensive.com/files/iscan.zip

4. Download iScanner from: http://iscanner.isecur1ty.org

5. Uncompress iScanner and run the installer.

6.       Copy iscan.sh to the directory you want to run it from and edit the variables to suit your need.

7.       chmod 777 iscan.sh and run it by typing ./iscan.sh and follow the onscreen directions.

a.       Using the Hawler gem and the modified htmap you will be able to scan all links on the url you enter as well as set how deep you want to crawl. Remember the deeper the longer it will take.

Now that we have all the tools we need let’s create a test environment:

1.       You will need a website for this to work. If you do not have one you can install and run apache on the Linux box that you are working on to use this script.

2.       Create a index page in the root of the web directory with a single href code to test.html

3.       Create another file called test.html and put the word eval in it and anything else you want.

4.       Put my test signature in the signature database and save.

5.       Run the iScan script and follow prompts.

a.       You will be first prompted for the URL. Use the full domain or the IP here. IE www.domain.com, domain.com, or 127.0.0.1 avoid using /.

b.      Enter the depth you want to scan. Since this is a test set it to 1

c.       Sit back and watch

This script is pretty basic we are working on making reporting better as well as adding the ability to grab known malicious url black lists and hopefully know malicious code samples and increasing the signature database. The only current down side we see in the iScanner app after using our script is the lack to scan for malicious code in a database.

If you have comments or questions let me know.

What is MJSIP version 2.0 beta:

After a very successful following our first version and recent changes to how Magic Jack is handling passwords and usernames we have decided to update our script with additional filters and added the ability to find your username as well since it is not always E_number_01.

What is new and why is this called beta:

Though we have tested this on over 40 + jacks from 10/20/2010 to as recently as of today we are have not allowed the general public to try it until now. That is why it is called beta. This version now includes the ability to retrieve your username.

What is required:

MJSIP: Our Perl script. This can be downloaded here: http://www.digitaloffensive.com/mj/mjsip2.zip. If you have our older ne overwrite it with this one.

SIPDump: Magic Jack stores all your SIP information in the programs memory during the startup process. SIPDump is a modified version of MemDump, which was originally developed by Stroth. You can download this tool here: http://www.digitaloffensive.com/mj/mj.rar

Active Perl: This is a free windows port of the Perl interpreter. It can be downloaded her for the 32 bit or 64 bit processor: http://www.activestate.com/activeperl/downloads. Download the msi file and install it, choose all the defaults.

How to use it:

Step 1: Download and extract all your tools to a folder on your system. Working out of one folder will make life so much easier.

Step 2: Use SIPDump.exe to dump the Memory of your Magic Jack. If you need more details on how to do this check out my article on this located here: http://www.digitaloffensive.com/2010/03/hacking-the-magic-jack-in-2010-for-use-on-trixbox-or-any-other-sip-device/

Step3: Out of all the Magic Jack’s we have tested the 3^rd dump file was the most reliable at containing the password. I would strongly suggest you do not change that line in the MJSIP.pl file.

Step 4: Open a command prompt and navigate to the folder that you created that has all your tools in it. This folder should also contain you SIPDump files, unless you did not listen to my suggestions above. Once in that folder type the following command “perl mjsip.pl” This should dump your password and username to the screen.

What is SIPBAN:

SIPBAN is an addon for the advance policy firewall written by “R-FX Networks (http://www.rfxn.com)”. This addon is will search your asterisk logs for failed registration attempts from unknown networks and ban the IP address. This helps thwart SIP secret guessing and other SIP based attacks.

How to configure and use the script:

Configuration of the script is done by variables. The most important variables are gIP1 and gIP2. These variables are where you can define friendly networks not to ban. For example your work network is 192.168.2.x. So gIP1 would look like this gIP1=192.168.2. You could do just 192.168 but that leaves a lot of room for IP spoofing even though that is a RFC 1918 IP. You can use gIP2 for your home network or a remote office. To add more friendly networks just add more gIP variables in the variable section and edit line 15 of the script by adding an addition “ | grep –v “$gIP#” to the line right after the last one. Repeat this as much as you need to.

Once you made those changes save the script and change the permission of the script using chmod so it now executable.

Before you execute the script make sure you have “APF” installed and configured to your requirements. To configure APF for use in a PBX in environment leave egress filtering to “0” as in disabled and set ingress filtering to TCP 22, 80 and UDP 5060_6000 and 10000_20000. Once that is done make sure that APF is still in development mode . This insures that if you ban yourself or if you did not set the ports right you will be able to get back in after 5 minutes. Finally start APF by issuing the command apf –s.

Now that APF is running run a test of SIPBAN. To do this run the command ./sipban.sh. Nothing will show on the screen. Once it returns back to a command line you can view the log at /var/tmp/sipban.log. If everything looks successful then you can edit the APF config to take it out of development mode and restart APF.

At this point you are ready to schedule SIPBAN via the cron to run on whatever cycle you want. Since it is parsing a large log file I would do a minimum of 1 hour depending on how much ram your PBX has.

0 * * * * /root/sipban.sh

Where to get SIPBAN:

To get a copy of SIPBAN click the following link http://www.digitaloffensive.com/files/sipban.sh

If you have any questions or comments please feel free to contact us.

About:
AUTORAFI is a Linux shell script developed by Digital Offensive to either locally or remotely install an Asterisk based PBX solution with FreePBX front end. AUTORAFI was developed and tested on base installs of CentOS and Fedora Core.

Why:
Over the last few years we have been installing more and more of these solutions so we have taken the time to automate as much as we can to save time. Now we are offering AUTORAFI to the general public to make your lives easier.

Requirements:
1. System running either CentOS or Fedora Core.
2. SSH or console access
3. root access
4. Basic knowledge of Linux text editors
5. Internet access
6. Patience: install can take up to 1 ½ hours depending on your internet connection and your system configuration.
7. If you are running behind a firewall you will need to review this article for special firewall and FreePBX configuration: http://www.digitaloffensive.com/2010/05/overcoming-sip-over-nat

Use:
1. Copy the script to your server.
2. Use your favorite Linux text editor to change the user variables
a. Uncomment the following sections if they apply to you
i.Webmin: Lines 112-114
ii.DAHDI: Lines 180-185
3. Make sure it has a .sh extension
4. Chmod 777 script_name.sh
5. ./script_name.sh
6. Follow prompts!!
a. If you see warnings it is ok to proceed. It is when you see major errors, or failures that you need to stop the install.

Cost:
AutoRAFi costs $175.00. Since this is a digital product and the source is fully viewable there is no refund. We will work with you to correct any issues. To purchase this please visit our product page: Products

Support:
This script was developed and tested thoroughly on Fedora and CentOS. We ran it over 100x on each OS working out all the flaws.
We provide limited email support for free for this script. We plan to eventually offer a ticket system for this script if it is required. To get support please send a detail email with exact errors (Screen shots) to support@digitaloffensive.com
Free updates of this script will be provided to those that have purchased it.
If you need support configuring FreePBX, or anything else outside of this script and would like our help our hourly rate is $50.00 an hour. Min 2 hours.
Check out http://www.digitaloffensive.com for more info on our services.

FBCbot is a bot written in Perl to interface with Facebook on the users behalf. The bot is still in its infant stage and could definitely be improved upon. Currently FBCbot was developed on Linux though since it is written in Perl it can be modified to run on Windows as well. The FBCbot was developed in a way to allow for quick writing and adding of additional modules to it. Side note I am pretty new to programming in Perl, so if you see something that could be improved please let me know.

FBCbot works by checking all your friends status updates for key words that are predefined as commands in the bot. By default FBCbot comes with two modules. The “nmap” module allows users to post the command nmap xxx.xxx.xxx.xxx , where the xxx.xxx.xxx.xxx is the IP to NMAP. Once it is done scanning the IP it will post the results back to the wall of the user that issued the command. The “ping” module allows users to post the command pingpong xxx.xxx.xxx.xxx, where the xxx.xxx.xxx.xxx is the IP to PING. Once it is done pinging the IP it will post the results back to the wall of the user that issued the command.

To use FBCbot you will need to have a Perl interpreter installed on your operating system. I am currently using the default one that comes with Linux. You will need a way to schedule the bot to run, I currently use the cron to have it check every x amount of minutes. You will also need the Facebook command line application that was written by Dave Tompkins over at http://fbcmd.dtompkins.com/. This allows you to send commands via command line to Facebook as well as craft custom Facebook queries like you would do in SQL. Facebook command line runs on both Linux and Windows as well. Once you have this application you will need to overwrite the original fbcmd.php with my modified one. The modified one is provided in the zip along with FBCbot.pl: http://www.digitaloffensive.com/files/fbcbot.zip

I altered the original fbcmd.php file to add a common delimiter to the “fstatus” output to make separating the username and the command easier since the white space between the username and status is never the same. To do this I added “::” to be printed out right before the actual status

To add additional modules to FBCbot you can use the “elsif” syntax in Perl. Basically you would say

If $command = “x” then do “y” elsif $command =”a” then do “b” and so on. Just make sure to use proper syntax and close everything you open.

The current limitations to FBCbot are that it can only do 10 wall posts day. More than that will have it blocked for 48 hours. I am currently thinking of implementing a way that a user can provide an email address to have the results mailed to but that is a future though if more development is done FBCbot. I also need to take into consideration how to handle people leaving commands in their status over long periods of time.

AMJchan is a shell script written by the Digital Offensive team to quickly and accurately patch your Asterisk server for use with the Magic jack. This script was developed and tested on Centos, fedora and Redhat. The script can be easily altered to use another package manager other then yum to make it cross system compliant.

As many of you already know that to use a Magic Jack in any means other than the intended means  you are required to use a proxy. The Proxy facilitates the md5 hashing of the connection. In most cases people choose to use mjproxy, for Linux, some routers and ATA devices or MJMD5.exe for windows based systems. The actual patch was not developed by us and we cannot take credit for that. From my resources the patch was developed by 2 individuals DTM and Teddy_b. The patch allows you to run your Asterisk PBX without using a proxy.

AMJchan does the following for you:

1. Checks to find out what version of Asterisk you are running
2. Checks to make sure you have the needed tools (wget and patch)
3. Installs needed tools if you do not.
4. Downloads the Asterisk SRC that matches the version you have installed.
5. Downloads the Magic Jack chan_sip patch code.
6. Backups your original chan_sip.so and .c files
7. Patches the chan_sip
8. Makes the new chan_sip
9. Stops the asterisk process
10. Copies the new chan_sip into production
11. Restarts asterisk

To download the script click here: http://www.digitaloffensive.com/files/AMJchan.sh

AMJchan should be run as root to insure that you do not have any permission issues. The Digital Offensive does not take any responsibility for your use of this script.

If you have any questions or feedback please feel free to contact us and if this script helped you feel free to support us through a donation if you see fit.

What is it:

This simple shell script was created by Michael LaSalvia of Digital Offensive to auto dial numbers and plays back a message to the person that picks up the phone. This script will take a comma separated file (CSV) that is setup as follows:

Number,Sound,Trunk_Name

And automate the dialing and playing of that sound / message. The sound can be in the standard gsm format or an mp3 file.  This is useful for automating phone campaigns or just having a good time messing with friends.

How it works:

This script takes advantage of the Asterisk outgoing spool directory. The script creates a “call” file using the variables that you provided in the csv file as well as the variables you set in the script. The file is then moved into the /var/sppol/asterisk/outgoing directory where asterisk will process the “call” file and place the call.

The CSV file:

The CSV file is setup with three columns number, sound and trunk_name

The telephone number must not contain any – and must be the full 10 digit number for local and long distance calls. This may vary based on your dial plan.

To play custom sounds / messages you will need to create them and upload them to /var/lib/asterisk/sounds. Make sure that all the files you upload there that you chown them to asterisk.asterisk if your PBX is running as asterisk. When adding the sound to play in the CSV file do not add the extension just define the exact name.

To allow you to use different trunks to place your calls we added a column to define your trunks. If you only have one trunk then use that trunks name on each line

The CSV should look like this:

7175551111,campaign1,trunk1

7174442222,campaingn2,trunk2

And so on….

The shell script variables:

If you are not sure what you are doing please leave all the settings here along except nFile and nTrunk.

1. sounds: this variable defines the path to the asterisk sounds. You must upload your custom sounds /messages to this directory for them to play.
2. rOut: this variable defines the path to the asterisk outgoing spool directory.
3. rUser: this variable defines the user as asterisk.
4. rGroup: this variable defines the group as asterisk.
5. nFile: this variable defines the path and file name of your CSV file. You need to upload that file to a readable spot on your PBX.
6. rtry: this variable defines the max time to wait between trying to call a user back.
7. mtry: this variable defines the max number of times to try to call someone back.
8. stime: this variable defines the time to wait before calling the next number. This will help avoid congestion.

What is needed:

1. You will need an Asterisk based PBX.
   1. You will need to have an account that has the ability to access required directories and files. Preferably root.
   2. You will need to modify the /etc/asterisk/modules.conf file and add the line “load pbx_spool.so”
   3. You will need to have a copy of our script which can be downloaded here: http://www.digitaloffensive.com/files
   4. You will need a client to upload your sound / message files to the server with as well as your CSV file.

How to run:

To run this script you will need to either manually execute it daily or schedule it via cron.

Current issues:

Since I do not have access to the do not call lists database I cannot add the functionality to check your CSV file against the do not call list. With that being stated I do not take any responsibility for your actions with this script.

Up to recently we use to pay a third party SEIM provider to provide us reporting for all our site to site VPN tunnels. This is due to an audit requirement we had that said that our system administrators had to report on any time their vendor connected to the tunnel. If they connected they had to provide the start date & time, the end date & time, the duration of the connection, the source address and destination address, the protocol & port as well as the tunnel name.

Due to the cost of the third party SEIM provider as well as their not so wonderful service we decided to find a replacement. The only issue is the replacements we found all cost over 100,000 a year. This is when Michael Yan and I set forth to develop our own solution.

We are happy to bring you “CP-VPN-Auto-Audit 1.0”. This system is compromised of 4 scripts that run together to export your logs, format them into individual tunnel csv reports and then email them to the system administrators.

To use these scripts you will need the following:

1. You must be running the SPLAT operating system on your management server
2. You must install active Perl on your mgmt server.
3. You must have a SSH key pair setup with another Linux box that has the ability to mail files. (This is useful for log backups and automated upgrade_exports as well).
4. Understanding of basic Perl, Linux and Shell scripting.
5. You must configure your logs to rotate nightly at midnight and make sure to do a install database to apply the settings.

How to install Active Perl on your Mgmt server:

Since the Splat Operating system is just a striped down secured version of Red Hat Linux you are able to install some dependency limited RPM packages.

1. Log into your mgmt server and escalate your privileges to “expert”
2. Download the RPM that is right for your processor architect: http://www.activestate.com/activeperl/downloads. This file needs to be downloaded to a box that has either a SSH server running or an ftp server running since your mgmt station will not have wget, curl or lynx. But you do have SCP and FTP
3. From your mgmt server copy the RPM over to /root.
4. Issue the command “rpm –ivh file_name.rpm” to install
5. Next we will have to edit our environment so the Splat operating system will detect it.
   1. Use your favorite Linux editor to edit the file $FWDIR/tmp/.CPprofile.sh
   2. Find the line “PATH=${PATH}:${FWDIR}/bin:” and modify it to PATH=${PATH}:${FWDIR}/bin:/opt/ActivePerl-5.10/bin ; (change to version number that matches your Perl version).
   3. Log out of your mgmt server, log back in and escalate your privilege to “expert”
   4. Execute the command “which perl” You should get a path back if it worked.

Installation of the Perl script on the mgmt server:

On the mgmt server you will need to copy the logstrap.pl and the vpn-audit.pl to the /root directory. Once you have the files copied there you will need to modify them to match your version of checkpoint , the log output directory, the remote server name and account. I normally like to use variables but in this project the use of variables seemed to add so many headaches and countless additional hours of trouble shooting.

Inside look at logstrap.pl: Download code here: http://www.digitaloffensive.com/files

The code is heavily documented so to keep this document clean just search for the lines below to see the code:

#Get Yesterday Date:  This code will get the server time and convert it from epoch and format it to a usable format for us. It will also add a 0 in front of any day value that has only 1 character.

#Create shell script to use *CheckPoint Environment* and Process the log export for yesterday log: This code will create the shell script called execute-me.sh. This script will define the CheckPoint environment and process the day before account logs using the fwm logexport command. Next since the cron will spawn a new shell when we declare the CheckPoint environment we need a script that will launch the rest of the code for us in the new shell, this script does that for us by call /root/vpn-audit.pl.

Inside look at vpn-audit.pl: Download code here: http://www.digitaloffensive.com/files

The code is heavily documented so to keep this document clean just search for the lines below to see the code:

#Get Yesterday Date:  This code will get the server time and convert it from epoch and format it to a usable format for us. It will also add a 0 in front of any day value that has only 1 character.

#Logs to use: This code will open all the log files that we will use to separate the log file into individual csv files, 1 per vpn tunnel that we have.

#Printing header: This code will add a header to each of the csv files. This allows for easy filtering of results and also makes understanding what data is in each column.

# Find Column numbers based on column names since *CheckPoint changes the column numbers daily*: This code will resolve the issue of where the column numbers found in the CheckPoint logs change daily. Instead of using a preset number we find the column name and then find what column that is associated with.

#Process individual reports: This is the part of the code where we process each VPN tunnel into and individual report using regular expression matching and unique tunnel names.

#Close all open logs: This code will close all the logs that we have opened.

# Tar files and move them to server to be emailed: This code will make use of the SSH keys we have established with our other Linux box. It will tar up the logs and transfer them to the other box. It will also clean up all the logs we just created as well as call the mail.sh code located on the other box.

Inside look at the crontab entry on the mgmt server:

To edit your crontab use the command “crontab –e”

45 11 * * * /root/logstrap.pl >& /var/log/cron.err

Since we use GMT time I have to set the cron 4 hours in the future from the time I want to execute the script. We output the results to /var/log/cron.err for error checking and debugging.

Installation of mail.sh on your other Linux server: Download code here: http://www.digitaloffensive.com/files

Remember on this server you have already confirmed that you can send email from it.

1. Log on to the box as the user that you established the SSH key pair with.
2. Create a directory called vpn.
3. Copy the mail.sh code into that directory.
4. chmod –Rf 777 /user/vpn

Inside look at mail.sh:

##Variables: This section will allow you to define the following:

1. The path to the csv files
2. The mail recipient.
3. The email message body.
4. The subject line of the email.

## Do not edit below this line: This section of the code contains a loop that will mail all the csv files as attachments until it is done. It will also clean up and remove all the tars and csv files after it sends them out.

I have created a simple shell script below that will automate the process for you. This script was written to run on the Linux based PBX (Trixbox, PBX in a Flash, Asterisk and so on). Though with a little editing of the script you can use it to just create the ringtones and not install them.

1. Make sure you have sox installed: which sox and if you don’t you can install it with either apt-get or  yum.
2. Download the wav files or mp3 that you want to convert to your PBX but. I suggest using Google or another means to find files you want to use. Remember mp3 support may not work.
3. Copy the code below and paste it into a file on your Linux box using your favorite editor.
4. Open the shell script and edit the variables if your paths are different. If you don’t know what to put here leave it blank. These are the paths on your PBX where the phone will pull its configurations from.
5. Save the changes and chmod the file so you can execute it.
6. Excute the script:
7. When prompted for the path and name of file you want to convert enter it like this: /music/ring.wav
8. When prompted for the path and name of the output file it enter it like this: /music/ring (no extension)
9. Watch for errors and correct where needed.
10. If you are running this on a Linux PBX it will copy the file to the /tftpboot dir and edit the RINGLIST.DAT file for you.
11. Once the script is done reboot your phone

#!/bin/bash
#####################################
## Create custom cisco ringtones   ##
## Created by Michael LaSalvia     ##
## http://www.digitaloffensive.com ##
## Tested on cisco 7940 and 7960   ##
## Running SIP                       ##
#####################################

#Variables
dtftp=/tftpboot
fring=$dtftp/RINGLIST.DAT

#My current sox install does not support mp3. Most do not by default.
echo “Enter the path and name of the file you want to convert: ”
read inRing
echo “Enter the path and name of the output file: ”
read oRing
echo “#############################################”
echo “Converting the file”
echo “#############################################”
#Not all sox installs support -b without a positive integer
sox $inRing -t raw -r 8000 -U -b -c 1 $oRing.raw resample -ql
echo “#############################################”
echo “Resizing the file(16080B) and saving to $dtftp”
echo “#############################################”
dd if=oRing.raw of=$dtftp/$oRing.raw bs=1005 count=16
echo “#############################################”
echo “Editing the RINGLIST”
echo “#############################################”
echo “$oRing    $oRing.raw” >> $dtftp/$fring
echo “#############################################”
echo “If there was no errors above, please reset your phone and choose your new ring”
echo “#############################################”

Years ago I did web hosting as a side source of income. This led to me developing  a lot of Linux based scripts to help automate my daily sysadmin responsibilities. Our hosting company was  called ezhostingpro.com. Since then another party owns the domain but googling that and my name will lead you to several of my scripts being hosted by other sites. I posting the code on my site as I am finding many people on http://www.getafreelancer.com using codes I post on this site to bid on projects and win them.

This script is in two parts. The first part creates the backup and the second part transfers the backup remotely. The first part of the script makes use of the built in backup commands in cpanel. The script needs minor changes to be used by resellers instead of dedicated server owners.

Script 1:

#!/bin/bash

############################################
## ##
## EZHOSTINGPRO BACKUP FTP SCRIPT v1.0 ##
## Created by Michael LaSalvia ##
## http://www.digitaloffensive.com ##
## 2/23/04 rev 1 ##
############################################
## 1. Create a file called cpbackup.txt in /root
## 2. Place account names you wanted backup
## 3. Save file in /root
############ DO NOT EDIT BELOW #############
cd /root
for users in $(cat cpbackup.txt)
do
rm -rf /home/$users/cpmove-$users.tar.gz
/scripts/pkgacct $users
mv /home/cpmove-$users.tar.gz /home/$users/
cd /home/$users
chown $users.$users cpmove-$users.tar.gz
chmod 777 cpmove-$users.tar.gz
/home/$users/bkftp.sh
cd /root
done

Script 2: This script needs to beedited with the users ftp credentials and placed in the user home dir.

#!/bin/bash

##################################
## EZHOSTINGPRO REMOTE BACKUP ##
## created by: Michael LaSalvia ##
##http://www.digitaloffensive.com##
## DO NOT EDIT THIS FILE ##
## Name this file bkftp.sh chmod 777 ##
##################################

### VARIABLES ###

var_cpaneluser=’cpanel_user_goes_here’
var_remote=’remote_server_goes_here’
var_ftpuser=’remote_server_ftp_username_goes_here’
var_ftppass=’remote_server_ftp_password_goes_here’

cd /home/$var_cpaneluser
ftp -n $var_remote <<END_SCRIPT
quote USER $var_ftpuser
quote PASS $var_ftppass
del cpmove-$var_cpaneluser.tar.gz
put cpmove-$var_cpaneluser.tar.gz
quit
END_SCRIPT
exit 0
rm -Rf cpmove-$var_cpaneluser.tar.gz

I believe the newer cpanel system actually provides a built in method to do this, though since I do not have access to one to test I will post this any way. If you have any questions comments or concerns please feel free to contact me.

The initial interest for this research came to me after reading an article on this on the site http://enclavesecurity.com/ . In the article they talk about using the malicious hashes to discover malware and other malicious files on their systems. They also take a deeper look into the recent APT and Auroa attacks on Google. Though the thing I found most interesting is trying to develop a way to automate this process for free and provide usable information.

The biggest thing to understand before continuing on is that this is not a fool proof process as a simple change of the file will change the hash of the file. For example if you have the c99.php shell and change the password or add a white space to the php this will change the hash of the file hence making detection via this method impossible. The other issue I have noticed in using this methodology is no one is willing to share all the information. Many companies will only share bits and pieces such as “The Malware Hash Registry” (http://www.team-cymru.org) considered the leading authority on this topic. They make part of their service available online to submit hashes to and get back the following information:

Ex:1: 7697561ccbbdd1661c25c86762117613 1258054790 NO_DATA

Ex:2: cbed16069043a0bf3c92fff9a99cccdc 1231802137 69

In example 1 you see the md5 hash then the epoch date and time then NO_Data meaning it could not tell if this hash is malicious.  In example 2 you see the same except instead of NO_data you see 69. This number means that 69% of the Antivirus vendors they used to check this file with found it to be malicious. This info is good but I find it to be not very helpful. It is nice to know that it was detected as malicious but is it truly malicious and if it is what type of malicious file is it, is it a backdoor, key logger or so on. I have emailed them asking if they could provide the detection type; with understanding that most of their system is private as they will not disclose the database or the vendors they use to scan the files. Though I have not heard back from them at this point.

This led me to searching the internet for other sites like this that provided additional information along with the hash. In this search I found one other site called http://malwarehash.com a sub site of the company NoVirusThanks.org. They provide an online utility to submit your hash to and if it is discovered as malicious it will give you info back. See screen shot below:

As you can see they provide an additional layer over what you get from the Malware Hash Registry. On top of that they use a simple PHP script for the query that makes scripting this so much easier:

http://www.malwarehash.com/result.php?hash=1E71DE2D6A89AA9796344BB7FA23AC7E

As you can see in the URL you have the site the script and the hash. The only issue with this site is that it seems they have not updated their database since 6/2009. I have contacted them as well to ask them about this and to see what their plans are for the site though I have not heard back from them either.

With this information in hand I set forth to develop a script that would allow me to automate this process as we have found this methodology to be helpful at work even if it is not 100% accurate as we notice that most malware will not get detected by our Anti virus so by using the hashes and relying on the internet community we are able to help our detection and remediation of malicious files.

To use this script you will need to have a Linux user account and some basic knowledge of Linux to set the variables properly. I wrote the script in bash for two reasons 1 it is a piece of cake to do and 2 so you be forced to move the malicious file off a windows environment where you stand a higher chance of infecting your self.  First access your shell and create a directory called what ever you want but in the code we used a directory called infect that is set in a variable for easy changing. Once you do that copy the malware-hash.sh script to 1 directory above the folder you just created. Then copy the sed script file to a file called clean in the directory that you created. Once you have done this chmod the malware-hash.sh script so you can execute it and chmod the clean script so the malware-hash.sh script can read it. Once done all you have to do now is copy the suspicious files to the directory you created and execute the script. The script will get a listing of all the files in that folder, remove the clean script, and any dupes from the listing and then get the md5 hash of each file. Once it gets the hashes it will create a batch file to be processed against The Malware Hash Registry and save the results in a clean human readable format. We use the batch function to stay with in the TOS of the site.  This includes adding the file names in front of the hash so you know what the hash belongs to. Next it will take the hashes and run them through the site Malwarehash.com. We use the –random-wait command with wget here to not act like a bot or script. If it gets a hit for a infection we will grab the site and scrape out the data we want then process it into a human readable report. Once all done we will combine the results of both checks and email the final results to the email address provided.

The script is written in bash and is highly documented:

The script is broken down into 2 sections the actual script and the sed script file.

Part 1 the Script: Copy this script to a file with a .sh extension or download it here http://www.digitaloffensive.com/malware-hash.sh . I suggest downloading it as the word press system will definitely destroy the formatting of the code. Place this script 1 directory up from the directory that you are using for the infected files.

#!/bin/bash
################################################
## MALWARE HASH BASH                           ##
## Written by Michael LaSalvia                  ##
## http://www.digitaloffensive.com              ##
## Inspired by an article at enclave Security ##
################################################

#Variables and clean up
#Edit in Path to dir that contains file for analysis
inPath=/home/mike/virus/infect

#Path to your md5sum app to verify it is not compromised. I got the hash from a new install on fedora 12.
wmd5sum=/usr/bin/md5sum

md5sum /usr/bin/md5sum > .tmp
mverify=`cut -f 1 -d ‘ ‘ .tmp`
if [$mverify == 019329f334fa7ef6116ad1a24271c8da ] then
echo “Your md5 hash matches”
else
echo ” Your md5sum hash is not right, Please verify it before continuing. Press CTRL+C now to exit”
fi
rm -Rf .tmp
# I strongly urge you to make sure your md5 application is not compromised or the rest of this script is useless.
Sleep 20

#Get a list of file to analyze and get their hash
ls $inPath > files.txt
for vfiles in $(cat files.txt)
do
cd $inPath
md5sum $vfiles >> hashes
sort hashes | uniq > $inPath/hashes.txt
done
#Clean up my files
cat $inPath/hashes.txt | grep -v hashes >> .tmp; mv .tmp $inPath/hashes.txt
cat $inPath/hashes.txt | grep -v md5 >> .tmp; mv .tmp $inPath/hashes.txt
cat $inPath/hashes.txt | grep -v clean >> .tmp; mv .tmp $inPath/hashes.txt

#Format file to submit to http://www.team-cymru.org as a batch
cut -f 1 -d ‘ ‘ $inPath/hashes.txt >> $inPath/md5hash.txt
cut -f 3 -d ‘ ‘ $inPath/hashes.txt >> $inPath/md5name.txt
echo “begin”| cat – $inPath/md5hash.txt > .tmp && mv .tmp $inPath/md5hash.txt
echo end >> $inPath/md5hash.txt
rm -Rf $inPath/hashes.txt

#Send batch request o the Malware Hash Registry (I Love netcat)
nc hash.cymru.com 43 < $inPath/md5hash.txt > $inPath/md5results.txt

#Clean up response and format it
cat $inPath/md5results.txt | grep -v “#” >> .bk; mv .bk $inPath/md5results.txt
paste $inPath/md5name.txt $inPath/md5results.txt > $inPath/results.txt
#cat $inPath/results.txt
cat $inPath/md5hash.txt | grep -v “begin” >> .tmp; mv .tmp $inPath/md5hash.txt
cat $inPath/md5hash.txt | grep -v “end” >> .tmp; mv .tmp $inPath/md5hash.txt

#Dirty web scraper and formating (site may be out of date)
for whashes in $(cat $inPath/md5hash.txt)
do
wget –random-wait http://www.malwarehash.com/result.php?hash=$whashes -O $whashes
if grep “INFECTED” $whashes > /dev/null; then
cat $whashes | grep -m 1 a-squared >> $inPath/.tmp
cat $whashes | grep -m 1 “Avira AntiVir” >> $inPath/.tmp
cat $whashes | grep -m 1 “Avast<” >> $inPath/.tmp
cat $whashes | grep -m 1 AVG >> $inPath/.tmp
cat $whashes | grep -m 1 BitDefender >> $inPath/.tmp
cat $whashes | grep -m 1 ClamAV >> $inPath/.tmp
cat $whashes | grep -m 1 Comodo >> $inPath/.tmp
cat $whashes | grep -m 1 “Dr.Web” >> $inPath/.tmp
cat $whashes | grep -m 1 Ewido >> $inPath/.tmp
cat $whashes | grep -m 1 F-PROT >> $inPath/.tmp
cat $whashes | grep -m 1 “G DATA” >> $inPath/.tmp
cat $whashes | grep -m 1 IkarusT3 >> $inPath/.tmp
cat $whashes | grep -m 1 Kaspersky >> $inPath/.tmp
cat $whashes | grep -m 1 McAfee >> $inPath/.tmp
cat $whashes | grep -m 1 “Malware Hash Registry” >> $inPath/.tmp
cat $whashes | grep -m 1 NOD32 >> $inPath/.tmp
cat $whashes | grep -m 1 Norman >> $inPath/.tmp
cat $whashes | grep -m 1 Panda >> $inPath/.tmp
cat $whashes | grep -m 1 “QuickHeal” >> $inPath/.tmp
cat $whashes | grep -m 1 “Solo Antivirus” >> $inPath/.tmp
cat $whashes | grep -m 1 Sophos >> $inPath/.tmp
cat $whashes | grep -m 1 TrendMicro >> $inPath/.tmp
cat $whashes | grep -m 1 VBA32 >> $inPath/.tmp
cat $whashes | grep -m 1 “VirusBuster” >> $inPath/.tmp
#More Cleaning and report creation.
sed -f $inPath/clean $inPath/.tmp > $inPath/.tmp1; mv $inPath/.tmp1 $inPath/$whashes
rm -Rf .tmp .tmp1
echo “Results from MalwareHash.com” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
echo “$whashes : ” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
cat $inPath/$whashes >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
else
echo “Results from MalwareHash.com” >> $inPath/final_report.txt
echo “NO RESULTS FOUND for: $whashes” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
fi
rm -Rf $inPath/$whashes
rm -Rf $inPath/md5*
rm -Rf $inPath/hashes
done
cat $inPath/results.txt | cat – $inPath/final_report.txt > .tmp && mv .tmp $inPath/final_report.txt
echo “Results from The Malware Hash Registry” | cat – $inPath/final_report.txt > .tmp && mv .tmp $inPath/final_report.txt
mail -s”Malware” me@me.com < final_report.txt

Part 2 the sed script:

Copy this code and put it in a file called clean located in the folder that has the files you want to analyze and chmod it so the script can read it.

s/<tr><th>/AV Name:/
s/<tr><th width=”150″>/AV Name:/
s/<\/th><td width=”83″>/ Sig Version:/
s/<\/td><td width=”100″>/ Engine Version:/
s/<\/td><td width=”116″>/ Engine Version:/
s/<\/th> <td width=”83″>/ Sig Version:/
s/<\/td> <td width=”116″>/ Engine Version:/
s/<\/t<td width=”213″><font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/t<td width=”213″><font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td><td width=”213″> <font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td><td width=”213″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td><td width=”213″><font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td><td width=”190″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td> <td width=”213″> <font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td> <td width=”213″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/font><\/td><//
s/\/tr>//
s/<\/font><\/t//
s/<\/font> <//
s/<\/font><\/td> <\/tr//
s/> <\/tr//
s/d>//

Though this methodology is a few years old there is many things that can be done with this. For example we are in the process of writing a tripwire type script that will allow web masters to monitor changes to their sites and to be able to quickly see what was added or modified as well as run it though the process above to search for infections / compromise

As always if you have any questions, comments or concerns please feel free to contact me.

#!/bin/bash
#######################################
## Simple Google Query and web scraper
## Written by Michael LaSalvia
## http://www.digitaloffensive.com
## Created: 1/15/09
#######################################
##Variables
tFile=gmath.txt
oFile=rmath.txt
rm $tFile
echo “If there was a error above this line that is ok”
echo “###################################”
echo “# Press (a) for addition          #”
echo “# Press (s) for subtraction       #”
echo “# Press (m) for multiplication    #”
echo “# Press (d) for division          #”
echo “###################################”

echo -e “What do you want to do:”
read Mmath
case $Mmath in
“a”) dMath=%2B && echo “You chose addition”;;
“s”) dMath=- && echo “You chose subtration”;;
“m”) dMath=* && echo “You chose multiplication”;;
“d”) dMath=/ && echo “You chose divsion”;;
esac

Now that we know what arithmetic the end user wants to do we need to find out what variables they want to use. To do this we do this:

echo -e “Enter first number:”
read nNum1
echo -e “Enter Second number:”
read nNum2

Now that we have all the needed variables comes the fun part. We now need to construct the URL, but since it is Google and they do not allow automated responses we need to make our script look like a real user agent as well. (WARNING: This may break Google’s AUP). To do this we used the following code:

wget –header=”User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)” “http://www.google.com/search?hl=en&safe=off&q=$nNum1$dMath$nNum2″ -q -O $tFile

The user agent we chose to masquerade as was Internet Explorer 8. You will also notice that we outputted the file to a “known” file. This makes the rest of the process much easier and simpler to code.
Now that we have the full page downloaded we need to find just the information we want. To do this I first manually reviewed the source code of the page and notice that no matter what math problem I entered the source code always had the following around each problem EX.

Code: style=”font-size: 138%;”><b>999 + 998 = 1<font size=”-2″> </font>997</b>

So to remove everything except what I wanted I used the following code:

cat $tFile | awk -F “138%\”><b>” {‘print $2′} | awk -F “</b>” {‘print $1′} > $oFile
echo “Your answer is:” && cat $oFile

You will notice that I did not clean the file fully, that is because I noticed that when it was echoed to the terminal the html that was left did not show and instead of sitting there using “sed” to fully clean it up I left it as is.
I hope you have learned something from this. If you have any questions or concerns please feel free to contact me.

Here is a screen shot:

It is no secret that almost all the cell phone companies today allow you to send txt messages to a person’s cell phone for free by means of emailing them a txt. This does not mean the company will not charge the receiver but the sender will not be charged.  To do this all you need is a email client or a web mail client and the following information:

T-Mobile: phonenumber@tmomail.net
Virgin Mobile: phonenumber@vmobl.com
Cingular: phonenumber@cingularme.com
Sprint: phonenumber@messaging.sprintpcs.com
Verizon: phonenumber@vtext.com
Nextel: phonenumber@messaging.nextel.com

For example if I want to txt 717-555-1234 and that user is a Verizon user you would simply put 7175551234@vtext.com in the “To” field and enter a small message in the body. Remember most cell phones are limited to 160 characters and cannot handle all the crazy things a standard email can.

Though an enough on this as you are here to learn about the code and a simple Google and can provide you with more information on the above topic.

Since I rarely try to PHP program I decided to write a PHP e-mailer that basically gave the user the ability to use a web form to send a SMS message to someone through an email.

The URL above will no longer work I removed the file so spammers and script kiddies could not use it.

To follow a long you need to have basic knowledge of PHP and HTML. If you do then this will be simple for you.  To view the code you can download it by click here http://www.digitaloffensive.com/mailer.txt

Section 1: This contains the author’s information as well as a warning about using the script as it is not written securely. This section also contains the die command to stop scrip kiddies from using file include and leaching off the script.

Section 2: Is the actual PHP code this is where I define the variables by using $variableName = $_POST[‘textboxName’]. I use the POST command instead of the GET command as POST is used for tasks that will be done in the background and not displayed to the end user in the URL. In this section I also put basic logic check functionality in. Basically by using “if isset” I am able to define a field to make sure something is inserted before executing the code. If I did not have this in their every time the page loaded it would try to send and fail since no fields are defined by default. The final key element of this section is the “mail” command this is a PHP built in command and will use the “sendmail” application to send mail.

Section 3: This section contains the actual code to make the form. This is the entire html that makes the text boxes and submit button. The key elements here are the names I used for the text box in the “id=”  or in the “name=” field as they tie in directly with the variables in the PHP section.

That covers all the code if you have any questions please feel free to post a comment and I will answer them. I plan to develop security in this app as I sharpen my skills of the PHP language past just searching for vulnerabilities.

Every day I review my web server’s visitor stats and logs and the other day I noticed something odd. I saw a URL that was accessed 35 times from the same exact IP and I did not recognize the file as being a part of Word Press or any static page I have uploaded.  The file was called Photo13.php. While investigating this file I noticed several files with the time stamp of the night before. These new files were a part of the breach. In total there was three files found. The c99 PHP shell and two other scripts 1 was used to drop webmail.exe on to a visitor’s machine and the other was to email passwords from webmail users to the owner.

Before you all jump on me about Word Press and its security flaws let me assure you I try to make sure to keep the core up to date every time there is an available update. I believe the breach was either on the host side, a weak cPanel password of one of my client sites or the twitter plug-in on the Word Press site.  I am personally leading more on the twitter plug-in or the hosts as these sites have been hosted for over two years on another host with the same configurations and there was not an issue until recently. Also today there was an important upgrade warning about the twitter plug-in.

This got me thinking how I can be sure to have removed all copies of c99 PHP shell and its variants that the attacker might have installed and how I can take a more active approach in detecting this shell and others. When I copied the c99 PHP shell to my local machine and viewed the code I noticed that it is encoded in base 64 as many of you already know that. When you decode this you get a compressed file it is not until you decompress the file you can see the actual code. If you are interested in decoding this file I suggest using Google to search for “gzinflate base64_decode”. Though it was encrypted I did notice that the coding was the same for several c99 PHP shells that I found on other peoples sites via Google.

With this information I decided I could reliably detect a potentially infected file by running it through three separate string checks. So I wrote the following shell script: To download the code in a .sh file click here (Word Press messes up the formatting.)

#/bin/bash
##################################################################
### c99 and variant shell detection, quarantine and or removal ###
### Created by: Michael LaSalvia on 10/08/09                   ###
### Site: http://www.digitaloffensive.com                      ###
### Not responsible for your use of this script                ###
##################################################################
#Variables: if you dont know what you are doing leave these as is
txtInfect=/tmp/php.txt
dirSearch=/var/www/
qInfected=/tmp/infected
ck1=/tmp/c99check1.txt
ck2=/tmp/c99check2.txt
ck3=/tmp/c99check3.txt

echo “########################################################”
echo “## Creating needed files and cleaning old check files ##”
echo “## Ignore errors here                                 ##”
echo “########################################################”
mkdir $qInfected
rm -f $ck1 $ck2 $ck3 $txtInfect

echo “########################################################”
echo “### STARTING SEARCH FOR c99 and vairants            ####”
echo “########################################################”

find $dirSearch -name \*.php >> $txtInfect
for c99 in $(cat $txtInfect)
do
if grep “gzinflate” $c99 > /dev/null; then
echo “$c99 is infected **CHECK 1 of 3**”
echo $c99 >> $ck1
for c992 in $(cat $ck1)
do
if grep “’7X1rcxs5kuBnd0T” $c992 > /dev/null; then
echo “$c992 is infected **CHECK 2 of 3**”
echo $c992 >> $ck2
for c993 in $(cat $ck2)
do
if grep “/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/” $c993 > /dev/null; then
echo “$c993 is infected **CHECK 3 of 3**”
echo $c993 >> $ck3
echo -e “##############################################################”
echo -e “## After 3x c99 code has been found in the following files: ##”
cat $ck3.txt
echo -e “##############################################################”
echo -e “#####  Press 1: To delete these files **WARNING**        #####”
echo -e “#####  Press enter: Rename the infected php to .txt      #####”
echo -e “#####  and move it to $qInfected for review           #####”
echo -e “##############################################################”
echo -e “Please enter your choice:    ”
read yChoice
if [ "$yChoice" == 1 ]
then
for rmInfect in $(cat $ck3)
do
rm -f $rmInfect
echo “** $rmInfect has been removed”
done
else
for mvRname in $(cat $ck3)
do
mv $mvRname $mvRname.txt
mv $mvRname.txt $qInfected
echo “$mvRname has been renamed to $mvRname.txt”
echo $mvRname.txt has been moved to $qInfected
done
fi
fi
done
fi
done
fi
done
rm -f $ck1 $ck2 $ck3 $txtInfect

The shell script is based on my worm detection shell script, which can be found here: http://www.digitaloffensive.com/2009/10/removing-a-mass-web-site-infection/. This script basically searches the “PATH” you provide it for all the files on your system with a .php extension and saves them to a file. The script then checks each file that is the list using three nested “for loops”. The first for loop checks for the string “gzinflate” as that is not a common command in most web scripts. If the string is detected it logs the file and path to another file, if there is no possible infection it will end the script. If the string was found the next for loop will search the possible infected files for the string “’7X1rcxs5kuBnd0T” Once again if the string is found it will copy the file path and name to another file and if nothing is detected it will end the script. The last for loop searches for the string “/wxMNVWOra7tTSb4BOrTD7FuM+847ZoXbxU7K2m2Elzg1RYWkhKujJiJa6QaqTwy9X5tCDZ6f77AUoj9XtkXuWQ5ROgowOYpU59wydY/”. If this string is detected it saves the file path and name to another file. You are then prompted to take action against the script. You will have the option to enter “1” to remove all the infected files that were found or you can just press any other key (enter) and it will rename the file to give it a .txt extension so the attacker cannot execute it, it will also move the file to a quarantined folder in your /tmp directory for your review.

If you have any questions, comments or concerns please feel free to post them or contact me.

CODE:

#!/bin/sh
> .tmp
find /home/ -name \*.php >> php.txt
find /home/ -name \*.html >> php.txt
find /home -name \*.htm >> php.txt
for infected in $(cat php.txt)
do
if grep “http://www.domainstat.net/stat.php” $infected > /dev/null; then
echo “$infected is infected now cleaning”
sed -f clean $infected > .tmp ; mv .tmp $infected
echo “$infected cleaned”
else
echo “$infected is not infected: moving on”
fi
done
> php.txt

The below code is the clean script that I reference:
s/< ? echo “<script language=’JavaScript’ type=’text\/javascript’ src=’http:\/\/www.domainstat.net\/stat.php’>< \/script>”; ?>//
s/<script language=’JavaScript’ type=’text\/javascript’ src=’http:\/\/www.domainstat.net\/stat.php’>< \/script>//

The code above is a shell script written to search /home (this was written for a cpanel server, most Linux servers store web files in /var/www/html) for files that have common web extensions.  Once it lists all the files into a file called php.txt it then greps through each file looking for the infectious code. If it finds the code it copies the page to a tmp file, uses sed to remove the infectious code and then renames the tmp file back to the original.

If  you have any questions or concerns please feel free to post a comment.

Instant IDS v1.0 is a custom shell script that will automatically download, configure and run Snort IDS and BASE web gui.

Though this script has been tested in-depth I the author do not guarantee it will work and or not harm your system. Since this is a shell script and can be easily edited I strongly suggest that you don’t download it from any site but http://www.digitaloffensive.com. Please note that IDS systems need to configure to properly work in your environment. Until they are tuned you may receive false positives.

This script has been tested in-depth on CentOS 5.0, Fedora Core 7 and Fedora Core 6. This script should work on any other Linux flavor that makes use of yum and chkconfig.

This script currently makes use of the snort 2.7 and the rules that were released with this version. We do not download new rules for you as Snort requires a user account to download newer rules. We strongly suggest that if you like the Snort product that you subscribe to their subscription rule base service to receive new rules faster.

What is needed?

a)      A default install of Linux with gcc (no need to choose http, mysql or anything like that)

b)      A Internet Connection

What Does Instant IDS provide you?

Instant IDS provides you with a fully functional IDS system in minutes. The script will download all needed services, libraries and packages that are needed. It will install and configure each of these items based on the underlying operating system. It will also configure and start the needed services based on user input. Once done it provides you with a fully working IDS system running Snort, MySql and BASE.

What are we planning to do in the future?

Since 96% of the script pulls the newest packages using yum we plan to make sure that we keep the script up to date as new versions of Snort, Base and Libpcap are released. We plan to make the script more customizable by introducing the ability to configure variables. We plan to add more advance means of error checking and improve the code. We also plan to have it lock down the box as much as possible based on user input. With all this said we rely on the users of the script to tell us what they like and don’t like and what they would like us to do in future releases.

How to use Instant IDS

a)      cd /root

b)      wget http://www.digitaloffensive.com/snort/snort.sh

c)       chmod 777 snort.sh

d)      ./snort.sh

e)      Answer the questions that you are prompted with. Please make sure that if you are using a subnet that you enter it as xxx.xxx.xxx.xxx\\/24 ß or whatever class it is.

f)       The wait value you enter will give you some time to make sure there is no show stopping errors, some warning are ok. This is only to be used if there is a major issue and a library or application does not install or compile. If you see a major issue press ctrl +c to cancel the rest of the install.

g)      Once instant IDS is installed we suggest you lock down your machine, here are a few examples:

a.       Firewall the machine.

b.      Disable root ssh access.

c.       Create a mysql root password.

d.      Update the systems patches

e.      Disable unneeded services.

This script is released freely we ask that you keep the original authors information in it though you have right to modify the script as you see necessary. This script may not be sold.

For a recent audit I was tasked with checking a class C network for null sessions. The task itself sounds simple doesn’t it? But I am not one to just run a quick scan without verifying my work. This caused a interesting discovery. My first run at the network I used NTscan and discovered 1 machine with a null session open. If this would of been correct then the client would of definitely improved their security posture since the last audit they had from another company. To verify my work I then ran xscan v3, though I prefer their older versions I could not find a working clean copy in the short time frame I had to use it. This scan returned 3 open machines. Now this was odd but I chalked it up to maybe another machine came up in the time frame it took to run the tools. The third scan I ran with a tool called netscan and this tool not only returned 16 machines open but returned all the drive information with their permissions. Now this totally baffled me, so I ran all three tools one after another and the same results came up. I also manually checked the machines that returned results and each one was indeed open. Now with this in mind I figured the only safest way to confirm what was truly open was to manual test the full class C using net commands. So to this I wrote a simple shell script for CYGWIN to verify the machine was up then to check it for null sessions. The script returned 26 null sessions, which I verified a sampling of them and confirmed my results. The script is attached. The script was not written with the ability to quickly change it with variables as I needed it quickly and did not have time to make it look real pretty. If you would like to customize the script please feel free to do it, or if you need help please feel free to ask.

Part 1:

Verify the node is up: ShareScan: http://genxweb.net/wp-content/uploads/2007/06/shareup.zip

This script will go through a txt file and verify that the ips inside the file are up and if they are up moves it to another file that will be used by the scanner to check for null sessions.

Part 2:

Check for null session: Scan Share: http://genxweb.net/wp-content/uploads/2007/06/scanshare.zip

This script takes the IP addresses that are up from the results from the first part of the script and runs the net use commands on them checking for null sessions. Error checking is basic as we use a simple truth statement && to say if it was mapped successfully then disconnect it.

Side note: I first published this article on my old site http://www.genxweb.net

So I am about to have a garage sale and want to accept credit cards so people can’t say they don’t have money so I search all over the internet and there is nothing in the form of a POS for paypal users. So what do I do I create a down and dirty one using a simple Batch file.

Check out the code below.

Title Yard Sale Pyapal Check Out
@echo off
cls
set /p ItemNo=Item No:
set /p ItemName=Item Name:
set /p Price=Price:
pause

echo ^<form target=”paypal” action=”https://www.paypal.com/cgi-bin/webscr” method=”post”^>>Out.htm
echo ^<input type=”hidden” name=”cmd” value=”_xclick”^>^<input type=”hidden” name=”amount” value=”%Price%”^>>>Out.htm
echo ^<input type=”hidden” name=”business” value=” you@your.comThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it “^>>>Ou
t.htm
echo ^<input type=”hidden” name=”item_name” value=”%ItemName%”^>>>Out.htm
echo ^<input type=”hidden” name=”item_number” value=”%ItemNo%”^>>>Out.htm
echo ^<input type=”hidden” name=”return” value=”www.divepa.com/thanks.html”^>>>Out.htm
echo ^<input type=”hidden” name=”cbt” value=”Continue”^>>>Out.htm
echo ^<input type=”image” src=”cart.jpeg” border=”0″ name=”submit” alt=”button”^>^</form^>>>Out.htm
echo ^<br^>^<br^> >>out.htm
echo You are purchasing item: %ItemName% for %Price% if you agree click the cart above and complete your transaction >>out.htm

pause
start /max “C:\Program Files\Internet Explorer\iexplore.exe” Out.htm

All you do is copy the above code into a notepad file and save the file as paypal.cmd then double click it and fill in the blanks. Make sure you change the email field first to your paypal email account.