IT Security and Insecurity Portal
AntiExploit - locate bad files on your server
Posted: Sat Apr 23, 2005 7:22 am
hebe
Advanced user
Joined: Sep 04, 2004
Posts: 59
http://www.h07.org/projects/aexpl/
Quote:
1 INTRODUCTION
1.1 About AntiExploit
1.2 Illusory security?
2 SETUP AND CONFIGURATION
2.1 Install
2.2 Configuration
2.3 Database format
2.4 Update the exploit database
2.5 Shellscript support
2.6 Sample aexpl sessions and outputs
2.7 Troubleshooting & BUG Submission
#####################################################################
1 INTRODUCTION
1.1 About AntiExploit
---------------------
AntiExploit is the first ON-ACCESS Exploit-Scanner for Linux and
FreeBSD. At first, aexpl was a simple Perl script which scanned the
filesystem via the locate database. Now it's a full-featured
C application.
AntiExploit uses the dazuko kernel module (www.dazuko.org) to
identify suspicious files when they are created or used.
Currently we use a daily updated MD5 database to identify files,
but in upcoming versions we will introduce file signatures and
extended checks so that bypassing aexpl will be much harder.
AntiExploit was created to locate possible bad users on a FreeShell
system.
AntiExploit was written by Enrico Kern and Christin Volmering;
please send feedback and bug reports to
phantom or risk@hzeroseven.org
1.2 Illusory security?
----------------------
I believe that you can't really provide 100% security for a massive
user system. But you can do your best to enhance the overall security
of your system. Most attacks come from script kiddies, crackers
without deep knowledge who mostly use known exploit codes and
easy-to-detect scans etc.
In this version we use MD5 to identify suspicious files; this means
bad files can bypass it if you use modified exploits which are not in the
database, or compiled ones. But we are working on signature support for
upcoming versions.
####################################################################
2 SETUP AND CONFIGURATION
2.1 Installation
----------------
You need to install dazuko and the aexpl distribution;
for further information read the file INSTALL.
2.2 Configuration
-----------------
You can tweak aexpl settings in the file etc/aexpl.conf
The .conf file explains itself, but here are some hints:
analyze/exploit_db (required)
Contains the path to the exploit.db. This file
is supplied within the aexpl tarball and you find
it in the etc directory, but you can set the
database path to /etc/exploit.db, for example.
You can create the database with the -u option,
which downloads the latest file from the internet
to the specified location.
analyze/update_url (required)
The update URL of the exploit.db.
This is usually: http://www.h07.org/exploit.db
This file is updated daily at 8 pm CET.
analyze/ca_cert
If you have chosen to compile curl with SSL
support, you can obtain the database via https.
We, h07, are the certificate authority for the
webserver providing the exploit database and
if you trust us, you can use the cert
H07CA.pem, which ships with AntiExploit, to secure
the transmission protocol.
If you want to use this way, change the protocol
in analyze/update_url from http to https if not
already done automatically.
analyze/version_url (required)
Location of the file which holds the latest version
of AntiExploit.
This should usually be: http://www.h07.org/aexpl.version
analyze/custom_db
This section contains three elements which are
identical in functionality to the same-named
ones in the analyze section: exploit_db,
update_url and ca_cert.
Use this optional section to define your own
bad file database.
See section 2.3 of this document for more information
on the database format.
analyze/exclude_paths
Define paths which should be excluded from aexpl.
This is a colon-separated list. For example:
/home/iamevil:/tmp:/var/spool/mail
reports/mail_addr (required)
An e-mail address where aexpl sends reports to
if a suspicious file was found.
reports/facility (required)
Syslog facility for log messages. You can obtain
the facility codes from syslog.h. The default
value is LOG_DAEMON (3<<3) = 24.
scripts/run_script
Do you want to use shellscript support?
"true" to enable shellscript support or "false"
to disable.
scripts/user_script
The path to the shellscript you want to use.
If you use shellscript support, the shellscript
here will be executed if aexpl finds a suspicious file.
The script gets the file as first parameter,
the user ID as second and the group ID of the
file owner as third.
core/lock_file (required)
Aexpl uses a lock file to prevent starting the
daemon more than once. You can obtain the pid
of the running process from this file.
Default: /var/run/aexpl.pid
core/ld_so_conf (required)
Name of your shared library configuration file.
All paths in this file will be excluded from the
scanner.
Default: /etc/ld.so.conf
core/inot_size (required)
When aexpl gets a file for analysis it's stored
in a table, so we do not have to scan the same
file each time it's supplied.
Normally you don't have to change this value, but
if you own a large system with a lot of users,
you may increase this value a little.
Default: 2048
core/max_file_size (required)
Do not scan files bigger than <max_file_size>.
The hashing of the files can take a while if
they are too large, so be careful when increasing
this value.
Default: 102400
core/queue_size (required)
Aexpl has an internal buffer which holds files
until they are fetched by the worker process
to analyse them. This value can normally be
very small because the worker is very fast, but
if you decided to scan big files
(see <max_file_size>), you may increase this
value.
NOTE: The queue allocates queue_size * PATH_MAX
bytes of virtual memory to store the file
paths, so take care!
Default: 64
proxy/enabled
Enable proxy support.
Possible values are: true or false
proxy/type
Proxy type.
Possible values are: http, socks4 or socks5
proxy/host
Proxy host.
Format is: hostname:port
proxy/login
Proxy login information.
Format is: username:password
2.3 Database format
-------------------
The database format is very simple and nothing special.
The first entry is the MD5 sum of the file and the
second is the original filename. Both properties are
separated by a colon.
Example:
f4a23c9093f9a696bd8d628db2581ac1:wicked_exploit.c
The filename is currently not in use and the database
may change in further releases. For example, an information
database is planned and signature support will hopefully
be added soon.
2.4 Update the exploit database
-------------------------------
You can fetch a daily rebuild of the exploit.db from
www.hzeroseven.org/projects/aexpl/exploit.db
You can do this with aexpl -u <path to aexpl.conf>
This will download the latest exploit database and store it
in the specified path.
When AntiExploit is already running, a SIGHUP will be sent
to the active process and this will reload the exploit
database.
2.5 Shellscript support
-----------------------
If you configured AntiExploit to execute a shellscript after a
suspicious file (see 2.2) has been found, then you can perform
tasks like auto-deleting the file or notifying the system admin, etc.
The shellscript gets 3 parameters:
the filename, the userid and the groupid of the file owner.
2.6 Sample aexpl sessions and outputs
-------------------------------------
This is a simple example session of running AntiExploit and should
give you a short overview of the capabilities.
Let's run the daemon:
%aexpl -c /etc/aexpl.conf
Detaching, please check the log file to see if everything was ok!
OK, let's see if all was ok:
%tail /var/log/aexpl
Sun Aug 1 18:19:32 2004 <info> Starting initialization.
Sun Aug 1 18:19:32 2004 <info> Exploit database loaded with 3657 entries.
Sun Aug 1 18:19:32 2004 <info> Successfully registered with dazuko.
Sun Aug 1 18:19:32 2004 <info> Initialization complete.
Sun Aug 1 18:19:32 2004 <info> AntiExploit started.
Sun Aug 1 18:19:32 2004 <info> Worker thread woken up.
Ah, aexpl is running, let's test it:
%wget http://www.packetstormsecurity.nl/0405-exploits/linksys-dhcp-exploit.c
--23:44:21-- http://www.packetstormsecurity.nl/0405-exploits/linksys-dhcp-exploit.c
=> `linksys-dhcp-exploit.c'
Resolving www.packetstormsecurity.nl... 213.206.75.252
Connecting to www.packetstormsecurity.nl[213.206.75.252]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,721 [text/plain]
100%[====================================>] 11,721 72.91K/s
23:44:21 (72.60 KB/s) - `linksys-dhcp-exploit.c' saved [11721/11721]
OK, check:
%tail /var/log/aexpl
...
Sun Aug 1 18:22:07 2004 <alert> AntiExploit found a suspious file: /home/phantom/linksys-dhcp-exploit.c uid(1000) gid(1000)
And finally the mail:
++++++++++++++++++++
To: phantom@ph-mobile.h07.org
Subject: AntiExploit Report for ph-mobile.h07.org
From: Enrico <phantom@ph-mobile.h07.org>
Date: Sun, 01 Aug 2004 18:22:07 +0200
AntiExploit Alert!
File: /usr/home/risk/linksys-dhcp-exploit.c
User: 1000 (phantom)
Group: 1000 (users)
Cool or?
2.7 Troubleshooting
-------------------
If you find a BUG in AntiExploit, please open a ticket
in our Trouble-Ticket System: http://www.h07.org/bugs/
You can use this account to open your ticket:
user: `guest'
passwd: `bugsbugs'
ATTENTION!
**********
Before you submit a bug, please download the daily build @ http://h07.org/projects/aexpl/
to see if the problem is fixed in the latest development version. Daily builds are generated
every day at 8 pm CET from SVN sources.
EOF
Install
1: Download the latest version of AntiExploit
2: Extract the tarball
3: Build and install dazuko (read the readme for further instructions)
4: ./configure [options]
5: make
6: Edit etc/aexpl.conf to fit your needs
7: make install (use GNU make on FreeBSD)
8: Update your exploit-database (aexpl -u "path to aexpl.conf")
9: Start Aexpl with aexpl -c "path to aexpl.conf" and check the log file
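As an added illustration of the exploit.db format from section 2.3 and the exclude_paths and max_file_size settings from 2.2 (example code written for this thread, not part of AntiExploit or the quoted README), here is a small offline checker that parses an exploit.db-style file and walks a directory tree the way the early locate-based aexpl did. The database entry and the file contents it hashes are constructed samples, not entries from the real h07 database.

```python
import hashlib
import os

# Constructed sample in the exploit.db format from section 2.3
# ("<md5>:<original filename>", one entry per line). The hash is computed
# here from constructed contents; it is not from the real h07 database.
KNOWN_BAD = {"wicked_exploit.c": b"/* constructed sample exploit source */\n"}
SAMPLE_DB = "".join(
    hashlib.md5(body).hexdigest() + ":" + name + "\n" for name, body in KNOWN_BAD.items())


def load_exploit_db(text):
    """Parse exploit.db text into {md5: original filename}; malformed lines are skipped."""
    db = {}
    for line in text.splitlines():
        digest, sep, name = line.strip().partition(":")
        digest = digest.lower()
        if sep and len(digest) == 32 and all(c in "0123456789abcdef" for c in digest):
            db[digest] = name
    return db


def is_excluded(path, exclude_paths):
    """exclude_paths is the colon-separated list from analyze/exclude_paths."""
    prefixes = [p.rstrip("/") for p in exclude_paths.split(":") if p]
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def check_file(path, db, exclude_paths="", max_file_size=102400):
    """Return the database name if the file's MD5 is listed, else None.
    Like the daemon, skip excluded paths and files over core/max_file_size."""
    if is_excluded(path, exclude_paths) or os.path.getsize(path) > max_file_size:
        return None
    with open(path, "rb") as f:
        return db.get(hashlib.md5(f.read()).hexdigest())


def scan_tree(root, db, exclude_paths="", max_file_size=102400):
    """Walk a tree (as the early locate-based version did) and return alert
    tuples (path, uid, gid, db_name), the fields the aexpl log line reports."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            name = check_file(p, db, exclude_paths, max_file_size)
            if name is not None:
                st = os.stat(p)
                hits.append((p, st.st_uid, st.st_gid, name))
    return hits
```

Because matching is by exact MD5, a one-byte change to a listed file produces no hit, which is the limitation section 1.2 describes.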
Posted: Tue Apr 26, 2005 6:09 am
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia
Well, if it's true, then it would be good.
Even better if you combine it with rkhunter.
_________________ IO::y3dips->new(http://clog.ammar.web.id);
Posted: Tue Apr 26, 2005 4:30 pm
LINUX
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman
It's a good combination, but really all anti-rootkits only detect 60% of rootkits;
at the present time, 2005, more private rootkits exist than public ones.
Posted: Wed Apr 27, 2005 1:58 pm
y3dips
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia
No doubt about that, LINUX,
but it would help to minimize and give more time for the admin to manage the machine.
_________________ IO::y3dips->new(http://clog.ammar.web.id);
www.waraxe.us Forum Index -> Tools