Category Archives: Computer Security

Computer Security

Thoughts on WordPress Security

It is well known that WordPress installations are a favorite target of hackers. As such, I have taken a number of precautions to protect my site. One of these precautions was installing the Better WordPress Security plugin. Among other things, it blocks known malicious hosts, and I also have it configured to block anyone who has too many failed login attempts. I forgot my login credentials today, so I had to unblacklist myself. Not that this is surprising, but I now have proof that my site is being actively attacked:

mysql> select * from bwps_lockouts;
+----+------+--------+------------+------------+-----------------+------+
| id | type | active | starttime | exptime | host | user |
+----+------+--------+------------+------------+-----------------+------+
| 1 | 2 | 1 | 1356337473 | 1356338373 | 49.156.146.2 | 0 |
| 2 | 2 | 1 | 1364942214 | 1364943114 | 62.141.42.61 | 0 |
| 3 | 1 | 1 | 1365134867 | 1365135767 | 173.230.140.233 | 0 |
| 4 | 2 | 1 | 1365258589 | 1365259489 | 203.174.60.2 | 0 |
| 5 | 1 | 1 | 1365812798 | 1365813698 | 76.113.154.142 | 0 |
| 6 | 2 | 1 | 1366029050 | 1366029950 | 46.28.64.213 | 0 |
+----+------+--------+------------+------------+-----------------+------+
6 rows in set (0.00 sec)

Sometimes I wonder whether or not I’d be better off writing my own website since there’s a very real chance I could be brought down by a WordPress 0-day. With that said, writing secure web applications can be hard, and I’m probably better off from a security perspective using a hardened WordPress installation.

Computer Security Networking

Fun with Wireshark and IE Java Exploits: Part 2

In my previous post, I analyzed a packet capture in which a user is infected with a virus after clicking on a malicious link. In this post, I’d like to take a closer look at how this attack worked. Clicking on a malicious link should not automatically download and execute a virus. What happened here?

read more »

Computer Security Networking Wireshark

Fun with Wireshark and IE Exploits

Recently I’ve written a couple of posts in which I solve puzzles that were posted as part of the Network Forensics Puzzle Contest. While the contest is long over, the puzzles are still interesting and a lot of fun. Puzzles 3 and 4 didn’t seem particularly interesting to me, but puzzle 5 did. A user gets an email with a link to an online pharmacy and is subsequently infected with a virus. We are given a packet capture and told to figure out what happened:

1. As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
2. What was Ms. Moneymany’s username on the infected Windows system?
3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.
5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.
6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?

read more »

Computer Security Wireshark

Fun with Wireshark and SMTP

This post is kind of a continuation of a previous post of mine, Fun with Wireshark and AIM. The challenge this time is to determine the following from a .pcap file:

1. What is Ann’s email address?
2. What is Ann’s email password?
3. What is Ann’s secret lover’s email address?
4. What two items did Ann tell her secret lover to bring?
5. What is the NAME of the attachment Ann sent to her secret lover?
6. What is the MD5sum of the attachment Ann sent to her secret lover?
7. In what CITY and COUNTRY is their rendez-vous point?
8. What is the MD5sum of the image embedded in the document?

read more »

Computer Security Wireshark

Fun with Wireshark and AIM

I recently used Wireshark at work to better understand one of the protocols in our codebase, and I found it was a much more efficient way of learning how the protocol works (at least on the happy path) than just reading the code. To learn more about Wireshark, I decided to download and analyze some pcap (packet capture) files. One of these pcap files was of an AIM conversation between a rogue employee (Ann) and a mystery person, and the challenge is to determine the following from the .pcap file:

  1. The name of Ann’s IM buddy
  2. The first comment in the captured IM conversation
  3. The name of the file Ann transfered
  4. The magic number of the file
  5. The md5sum of the file
  6. The secret recipe

read more »