Tag Archives: firewall

evasi0n7 can’t be opened because it is from an unidentified developer

Maybe you have heard about the new iOS 7.x jailbreak that has been released to public recently. Some people maybe are getting an error on their Mac OS X saying that: “evasi0n 7” can’t be opened because it is from an unidentified developer

evasion 7 problem

evasion 7 problem

Well, that’s pretty bad. But, we have the solution! 🙂

You can fix the error by navigating to System Preferences. Then go to Security and Privacy. On tab General, check on Anywhere from the “Allow apps downloaded from”.

Please ensure that you click on the lock symbol below before making any changes so that you’re allow to do the changes. You’re required to enter your password to allow changes.

w00tw00t.at.blackhats.romanian.anti-sec – WTF!?

One day you may find a bunch of requests in a short period of time with unusual and suspicious user agent in your Apache web server’s logs. Something like Made by ZmEu @ WhiteHat Team – http://www.whitehat.ro or ZmEu and the requests may be made from Russia or China. Search and you’ll find that ZmEu is a bot that tries to find vulnerabilities in phpMyAdmin (usually looks for phpmyadmin/scripts/setup.php file) and other web applications.

It is kind of script attack in which attacker try to find the loopholes in phpmyadmin and php with Apache and try to manipulate through URL. This is how logs looked like:

Log from nginx access.log
[email protected]:~# grep -r w00t /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”

Another log from nginx access.log
[email protected]:~# grep -r ZmEu /var/log/nginx/*
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /myadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:93.174.93.213 – – [23/Jul/2013:08:34:12 +0800] “GET /MyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1” 502 383 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /admin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /admin/pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:30 +0800] “GET /admin/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /db/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /dbadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /myadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:31 +0800] “GET /mysql/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /mysqladmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /typo3/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /phpadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:32 +0800] “GET /phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin1/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /phpmyadmin2/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:33 +0800] “GET /pma/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /web/phpMyAdmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /xampp/phpmyadmin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /web/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:34 +0800] “GET /php-my-admin/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”
/var/log/nginx/access.log:109.230.228.246 – – [23/Jul/2013:10:50:35 +0800] “GET /websql/scripts/setup.php HTTP/1.1” 404 142 “-” “ZmEu”

Dayuumm. You as*h**e run into my server with this so-called script.
You scan me server. Me block you long time. Come. Here I share with you how to mitigate this attack.

First, we install fail2ban on our server. For those who don’t know what is fail2ban, fail2ban is more advanced than DenyHosts as it extends the log monitoring to other services including SSH, Apache, Courier, FTP, and more.

Fail2ban scans log files and bans IPs that show the malicious signs — too many password failures, seeking for exploits, etc.

Generally Fail2Ban then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action could also be configured.

So, to install it, open up your terminal and type:
sudo apt-get install fail2ban

After that, create new file called w00tw00t.conf in /etc/fail2ban/filter.d/
nano /etc/fail2ban/filter.d/w00tw00t.conf

Put this code inside that file:
[Definition]
failregex = ^ .*”GET \/w00tw00t*

ignoreregex =

Edit /etc/fail2ban/jail.conf file:
nano /etc/fail2ban/jail.conf

At the last line of the file, put this code:
[w00tw00t-scans]

enabled = true
action = iptables-allports
sendmail-whois[name=SSH, dest=root, [email protected]]
filter = w00tw00t

##### set the log path ######
logpath = /var/log/nginx/access.log
maxretry = 1

###### ban for 24 hour ######
bantime = 86400

Restart fail2ban service:
/etc/init.d/fail2ban restart

Check fail2ban client status:

[email protected]:~# fail2ban-client status
Status
|- Number of jail: 2
`- Jail list: w00tw00t-scans, ssh

credit to:
http://sharadchhetri.com/2013/06/27/protect-from-w00tw00t-at-blackhats-romanian-anti-sec/
http://myatus.com/p/blocking-w00tw00t-scans/

ssh exchange identification: Connection closed by remote host

This error is caused by problems in your hosts.deny. If you installed all the recommended packages in Ubuntu, you’ll most likely have Denyhosts. If not, /etc/hosts.deny won’t exist, thus this tutorial will not apply to you.

First, ssh to your server via another IP

Open this file:

nano /etc/hosts.deny

Find your IP, and clear the line. It’ll look like:

sshd: [your ip]

You can put # symbol to comment it if you want.

Now lets save and exit out of nano, and restart SSH.

/etc/init.d/ssh restart

Done. Log out, and log back to verify.

If this problem will often repeat itself, so lets fix it so it won’t happen again.
Open this file:

nano /etc/hosts.allow

Scroll to the very bottom, and type this on a new line:

sshd: [your ip]

Save nano, and exit out. Then, restart SSH.

/etc/init.d/ssh restart

Voila, problem solved!

PHP Firewall – Free universal firewall protection for PHP WebSite.

Macam tajuk kat atas,
aku nak share ngan korang 1 benda ni..
Benda ni firewall untuk website korang..
Aku tengok benda ni bagus dari segi fungsi-fungsi yang die berikan..

Antara requirements yang dia nak ialah;

PHP Firewall is recommended for PHP websites only.
Server requirements
PHP Firewall is written in PHP.
PHP 5 and more is required on your server.
No database required.
PHP Firewall runs on Linux server, MS Windows or other one web server.
PHP Firewall is a small free PHP script, but secure all websites writen in PHP.
Last version 1.0.2 – 04/01/2010
PHP Firewall required PHP 5.
PHP Firewall doesn’t use any database, but flatfile system.
It’s very small, very simple, really easy to install and fastest.
PHP Firewall have is own logs system and email alert.
No .htaccess file required for betters performances

So, antara fungsi-fungsi yang ada ialah;

* XSS protection
* UNION SQL Injection protection
* Bads bots protection
* Bads requests methods protection
* Small DOS protection
* Inclusion files protection
* Santy and others worms protection
* Server Protection
* URL Query protection
* Cookies sanitize
* Post vars sanitize
* Get vars sanitize
* IPs range reserved denied
* IPs range spam denied
* IPs protected
* Unset globals PHP var

Haa.. Menarik kan?
So, aku cadangkan korang try pakai benda ni..
Tak rugi pun..

Benda ni free dan boleh didapati di laman yang berikut.
http://www.php-firewall.info/