Waraxe IT Security Portal
Login or Register
November 24, 2024
Menu
Home
Logout
Discussions
Forums
Members List
IRC chat
Tools
Base64 coder
MD5 hash
CRC32 checksum
ROT13 coder
SHA-1 hash
URL-decoder
Sql Char Encoder
Affiliates
y3dips ITsec
Md5 Cracker
User Manuals
AlbumNow
Content
Content
Sections
FAQ
Top
Info
Feedback
Recommend Us
Search
Journal
Your Account
User Info
Welcome, Anonymous
Nickname
Password
(Register)

Membership:
Latest: MichaelSnaRe
New Today: 0
New Yesterday: 0
Overall: 9144

People Online:
Visitors: 75
Members: 0
Total: 75
Full disclosure
APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1
Local Privilege Escalations in needrestart
APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2
APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1
APPLE-SA-11-19-2024-2 visionOS 2.1.1
APPLE-SA-11-19-2024-1 Safari 18.1.1
Reflected XSS - fronsetiav1.1
XXE OOB - fronsetiav1.1
St. Poelten UAS | Path Traversal in Korenix JetPort 5601
St. Poelten UAS | Multiple Stored Cross-Site Scripting in SEH utnserver Pro
Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionO S/watchOS)
SEC Consult SA-20241112-0 :: Multiple vulnerabilities in Siemens Energy Omnivise T3000 (CVE-2024-38876, CVE-2024-38877, CVE-2024-38878, CVE-2024-38879)
Security issue in the TX Text Control .NET Server for ASP.NET.
SEC Consult SA-20241107-0 :: Multiple Vulnerabilities in HASOMED Elefant and Elefant Software Updater
Unsafe eval() in TestRail CLI
Log in Register Forum FAQ Memberlist Search
IT Security and Insecurity Portal

www.waraxe.us Forum Index -> Tools -> AntiExploit - locate bad files on your server
Post new topicReply to topic View previous topic :: View next topic
AntiExploit - locate bad files on your server
PostPosted: Sat Apr 23, 2005 7:22 am Reply with quote
hebe
Advanced user
Advanced user
Joined: Sep 04, 2004
Posts: 59




http://www.h07.org/projects/aexpl/
Quote:
1 INTRODUCTION
1.1 About AntiExploit
1.2 Illusory security?

2 SETUP AND CONFIGURATION
2.1 Install
2.2 Configuration
2.3 Database format
2.4 Update the exploit database
2.5 Shellscript support
2.6 Sample aexpl sessions and outputs
2.7 Troubleshooting & BUG Submission

#####################################################################
1 INTRODUCTION

1.1 About AntiExploit
---------------------

AntiExploit is the first ON-ACCESS Exploit-Scanner for Linux and
FreeBSD. First aexpl has been a simple perlscript which scanned the
filesystem over the locate database. Now it's a full featured
c-application.

AntiExploit uses the dazuko kernelmodul (www.dazuko.org) to
identify suspious files when they are created or used.

Currently we use a daily updated md5-database to identify files,
but with upcoming versions we introduce file signatures and
extended checks so that bypassing of aexpl will be much harder.

AntiExploit was created to locate possible bad users on a FreeShell-
System.

AntiExploit was written by Enrico Kern and Christin Volmering,
please send feedback and bug-reports to

phantom or risk@hzeroseven.org


1.2 illusory security?
----------------------

I belive that you can't really provide a 100% security for a massive
User-System. But you can do your best to enhance the overall-security
for your System. The most attacks are from script-kiddies, crackers
without deep knowledge who mostly uses known exploit-codes and
easy to detect scans etc.

In this version we use MD5 to identify suspious files, this means you
can bypass bad files if you use modified exploits which are not in the
database or compiled ones. But we work on signature support for
upcoming versions.


####################################################################
2 SETUP AND CONFIGURATION

2.1 Installation
----------------

You need to install dazuko and the aexpl distribution,
for further informations read the file INSTALL.


2.2 Configuration
-----------------

You can tweak aexpl settings in the file etc/aexpl.conf
The .conf file explains itself, but here are some hints:

analyze/exploit_db (required)
Includes the path to the exploit.db, this file
is supplied within the aexpl-tarball and you find
it in the etc directory, but you can set the
database path to /etc/exploit.db for example.
You can create the database with the -u option
and download the latest file from the internet
to the specified location.

analyze/update_url (required)
The update url of the exploit.db.
This is usually: http://www.h07.org/exploit.db
This file is updated daily at 8 pm CET.

analyze/ca_cert
If you have choosen to compile curl with ssl
support, you can optain the database via https.
We, h07 are the certificate authority for the
webserver providing the exploit database and
if you trust us, you can use the the cert:
H07CA.pem wich ships with AntiExploit, to secure
the transmission protocol.
If you want to use this way, change the protocol
in analyze/update_url from http to https if not
already done automatically.

analyze/version_url (required)
Location of the file wich holds the latest version
of AntiExploit.
This should usually be: http://www.h07.org/aexpl.version

analyze/custom_db
This section contains three elements which are
identical in functionality as the same named
ones in the analyze section: exploit_db,
update_url and ca_cert.
Use this optional section to define your own
bad file database.
See section 2.3 of this document for more information
on the database format.

analyze/exclude_paths
Define paths wich should be excluded from aexpl.
This is a colon seperated list. For example:
/home/iamevil:/tmp:/var/spool/mail

reports/mail_addr (required)
A e-mail address where aexpl sends reports to
if a suspious file was found.

reports/facility (required)
Syslog facility for log messages. You can optain
the facility codes from syslog.h. The default
value is LOG_DAEMON (3<<3) = 24.

scripts/run_script
Do you want to use shellscript support?
"true" to enable shellscript support or "false"
to disable.

scripts/user_script
The path to the shellscript you want to use.
If you use shellscript support, the shellscript
here will be executed if aexpl finds a suspios file.
The script also gets as first parameter the file,
as second the userid and third the group id of the
fileowner.

core/lock_file (required)
Aexpl uses a lock file to prevent starting the
daemon more thae once. You can optain the pid
of the running process from this file.
Default: /var/run/aexpl.pid

core/ld_so_conf (required)
Name of your shared library configuration file.
All paths in this file will be excluded from the
scanner.
Default: /etc/ld.so.conf

core/inot_size (required)
When aexpl gets a file for analysis it's stored
in a table, so we do not have to scan the same
file each time it's suplied.
Normaly you don't have to change this value but
if you own a large system with a lot of users,
you may increase this value a little.
Default: 2048

core/max_file_size (required)
Do not scan files bigger than <max_file_size>.
The hashing of the files can take a while if
they are to large, so be carefull when increasing
this value.
Default: 102400

core/queue_size (required)
Aexpl has an internal buffer wich holds files
until they are fetched from the worker proccess
to analyse them. This value can normaly be
very small because the worker is very fast, but
if you decided to scan big files
(See <max_file_size>), you may increase this
value.
NOTE: The queue allocates queue_size * PATH_MAX
bytes virtual memory to store the file
paths, so take care!
Default: 64

proxy/enabled
Enable proxy support.
Possible values are: true or false

proxy/type
Proxy type.
Possible values are: http, socks4 or socks5

proxy/host
Proxy host.
Format is: hostname:port

proxy/login
Proxy login information.
Format is: username:password


2.3 Database format
-------------------

The database format is very simple and nothing special.
The first entry is the md5 sum of the file and the
second is the original filename. Both propertys are
separated by a colon.

Example:
f4a23c9093f9a696bd8d628db2581ac1:wicked_exploit.c

The filename is currently not in use and the database
may change in further releases. For example a information
database is planed and signature support will hopefully
be added soon.


2.4 Update the exploit database
-------------------------------

You can fetch a daily rebuild of the exploit.db from
www.hzeroseven.org/projects/aexpl/exploit.db

You can do this with aexpl -u <path to aexpl.conf>

This will download the latest exploit database and store it
in the specified path.

When AntiExploit is already running, a SIGHUP will be send
to the active process and this will reload the exploit
database.


2.5 Shellscript support
-----------------------

If you configured AntiExploit to execute a shellscript after a
suspious file (see 2.2) has been found, then you can perform
tasks like auto delete the file or notify the system admin etc.
The shellscript gets 3 parameters.
The filename, the userid and the groupid of the fileowner.


2.6 Sample aexpl sessions and outputs
-------------------------------------

This is a simple example session of running AntiExploit and should
give you a short overview about the capabilities.

Lets run the daemon:

%aexpl -c /etc/aexpl.conf
Detaching, please check the log file to see if everything was ok!

Ok lets see if all was ok:

%tail /var/log/aexpl
Sun Aug 1 18:19:32 2004 <info> Starting initialization.
Sun Aug 1 18:19:32 2004 <info> Exploit database loaded with 3657 entries.
Sun Aug 1 18:19:32 2004 <info> Successfully registered with dazuko.
Sun Aug 1 18:19:32 2004 <info> Initialization complete.
Sun Aug 1 18:19:32 2004 <info> AntiExploit started.
Sun Aug 1 18:19:32 2004 <info> Worker thread woken up.

Ah aexpl is running, lets test it:

%wget http://www.packetstormsecurity.nl/0405-exploits/linksys-dhcp-exploit.c

--23:44:21-- http://www.packetstormsecurity.nl/0405-exploits/linksys-dhcp-exploit.c
=> `linksys-dhcp-exploit.c'
Resolving www.packetstormsecurity.nl... 213.206.75.252
Connecting to www.packetstormsecurity.nl[213.206.75.252]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11,721 [text/plain]

100%[====================================>] 11,721 72.91K/s

23:44:21 (72.60 KB/s) - `linksys-dhcp-exploit.c' saved [11721/11721]

Ok check:

%tail /var/log/aexpl
...
Sun Aug 1 18:22:07 2004 <alert> AntiExploit found a suspious file: /home/phantom/linksys-dhcp-exploit.c uid(1000) gid(1000)

And finaly the mail:
++++++++++++++++++++

To: phantom@ph-mobile.h07.org
Subject: AntiExploit Report for ph-mobile.h07.org
From: Enrico <phantom@ph-mobile.h07.org>
Date: Sun, 01 Aug 2004 18:22:07 +0200

AntiExploit Alert!

File: /usr/home/risk/linksys-dhcp-exploit.c
User: 1000 (phantom)
Group: 1000 (users)

Cool or? Smile


2.7 Troubleshooting
-------------------

If you found a BUG in AntiExploit please open a ticket
in our Trouble-Ticket System: http://www.h07.org/bugs/

You can use this account to open your ticket:
user: `guest'
passwd: `bugsbugs'

ATTENTION!
**********

before you submit a bug please download the daily build @ http://h07.org/projects/aexpl/
to see if the problem is fixed in the latest development-version. Daily-Builds are generated
every day 8pm CET from svn-sources.



EOF


Install

1: Download the latest version of AntiExploit
2: Extract the tarball
2: Build and install dazuko (read the readme for further instructions)
3: ./configure [options]
4: make
5: Edit etc/aexpl.conf to fit your needs
5: make install (use GNU make on FreeBSD)
5: Update your exploit-database (aexpl -u "path to aexpl.conf")
6: Start Aexpl with aexpl -c "path to aexpl.conf" and check the log file





View user's profile Send private message
PostPosted: Tue Apr 26, 2005 6:09 am Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




well, if its true , then it would be good
more better if combine it with rkhunter Smile

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
PostPosted: Tue Apr 26, 2005 4:30 pm Reply with quote
LINUX
Moderator
Moderator
Joined: May 24, 2004
Posts: 404
Location: Caiman




is good combination but really all antirootkits only detect 60% rootkits,

the present time 2005, exist more rootkits private that publics Cool
View user's profile Send private message Visit poster's website
PostPosted: Wed Apr 27, 2005 1:58 pm Reply with quote
y3dips
Valuable expert
Valuable expert
Joined: Feb 25, 2005
Posts: 281
Location: Indonesia




no doubt about that LINUX Wink
but it would help to minimaze n give more time for the admin to manage the machine Smile

_________________
IO::y3dips->new(http://clog.ammar.web.id);
View user's profile Send private message Visit poster's website Yahoo Messenger
AntiExploit - locate bad files on your server
www.waraxe.us Forum Index -> Tools
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT
Page 1 of 1

Post new topicReply to topic


Powered by phpBB © 2001-2008 phpBB Group



Space Raider game for Android, free download - Space Raider gameplay video - Zone Raider mobile games
All logos and trademarks in this site are property of their respective owner. The comments and posts are property of their posters, all the rest (c) 2004-2024 Janek Vind "waraxe"
Page Generation: 0.043 Seconds