January 16, 2008
Found a couple of backdoors that had been downloaded to a box of mine. They are available here for your convenience (if the links go down, I’ll put them up for download on a mirror):
http://geocities.com/crewnewbie/tools/cbk.tar.gz
http://geocities.com/evikhobare/chanarybot.tar.gz
From my preliminary findings, they both contain the XHide process faker, and one of them includes a remote-connect backdoor. I’d welcome any forensic insight into these, as I don’t have a whole lot of experience with doing process/machine forensics. There are still some processes running from the offending user(s), and I am wary of killing anything. In the meantime I’ll be doing my own analysis and hopefully reporting on it here.
Advice? Suggestions?
EDIT: The system is a FreeBSD 6.2-RELEASE machine running on a SPARC processor.
posted in backdoor, forensic, forensics, hacking, xhide by Lee | 5 Comments
January 11, 2008
In my never-ending quest to find justification for writing NSM-Console, I hereby present the following tutorial on how to decode the SANS Christmas packet challenge using nothing but NSM-Console:
I’m going to be using NSM-Console version 0.4-DEVEL, which adds the features that allow this analysis to be performed without external tools. You can get the development version here. Alright, let’s get this party started:
First things first, the fellows at SANS point you to the first packet in the xmas_Starter.pcap file, so let’s load up NSM-Console with the packet capture
./nsm ~/xmas_Starter.pcap
Next, let’s do a printout of all the packets in this dump (since it’s a small file, there shouldn’t be too many)
Continue Reading »
posted in challenge, christmas, console, decode, encode, fun, geek00l, geekery, hex, nsm, nsm console, packet, ruby, sans, terminal, urlescape by Lee | 2 Comments
January 11, 2008
You can now directly browse the source code for both the Hex liveCD and the source code for NSM-Console directly from the Rawpacket Hex trac.
If you’re interested in upcoming features in NSM-Console, you can check out the latest TODO file here.
Thanks go to spoonfork, who switched us over from CVS to SVN without any major headaches.
posted in cvs, hex, nsm, nsm console, rawpacket, source, svn, trac by Lee | Comments Off
January 8, 2008
Yep, I’ve just been cranking out code lately, so I am proud to present the 0.3 release of nsm-console!
You can download NSM-Console here:
http://writequit.org/projects/nsm-console/files/nsm-console-0.3.tar.gz
This release was focused a bit more on usability, features and bugfixes rather than the addition of new modules, however, there were still a couple that were added. Since this release has some pretty big changes, let’s start by going over some of the notable ones:
Continue Reading »
posted in argus, console, decode, development, encode, fl0p, framework, hex, iploc, lgpl, monitoring, network, nsm, nsm console, opensource, ruby, script, security by Lee | 3 Comments
January 5, 2008
Well, I’ve been working on this for the last week or so, trying to get it all working the way I wanted, and after around 15 takes, I finally have a screencast for anyone interested in the idea behind and usage of nsm-console.
The version of nsm-console used in the screencast is the 0.3-DEVEL version. UPDATE: Version 0.3 is now out!
The video is in .mov format, runs 12 minutes and 40 seconds, and is around 17MB. Don’t forget to right-click and “Download As”!
I’m hoping to have a flash version created soon, I’ll update this entry when I do.
If you have any questions, comments or criticisms, feel free to leave a comment below or email me.
I also updated the “about me” page if you absolutely must know what I look like.
Oh, one more thing, ignore the fact that I say “so” around 30 times in this one video, this is my first screencast, gimme a break.
posted in console, download, flash, mov, nsm, nsm console, ruby, screencast, video by Lee | 9 Comments
January 4, 2008
Talking with enhanced in IRC, I realized that I should really do a post listing some of the security blogs that I read, so without further ado, I present you with the list (in no particular order)
My awesome wife’s food blog, Eatables
Hex people
Other security blogs I read
This doesn’t include the regular sysadmin blogs that I read as well (or all the other stuff). Thanks to all the above for having great posts to read; they give me something to look forward to.
Have another blog I should be checking out? Leave a comment letting me know about it, I’ll definitely appreciate it!
posted in eatables, hex, links, roundup, security by Lee | 6 Comments
January 4, 2008
A week or so ago I wrote about locality of reference with regard to network security. I found some *actual* research done on the topic and wanted to share it:
http://www.cert.org/netsa/publications/Nspw2003-gates-locality.pdf
I’m still in eager anticipation of the first tool to use locality for malicious activity assessment.
posted in cert, infosec, locality, network, reference, security by Lee | 1 Comment
January 1, 2008
I just pushed a newer development version of nsm-console out to navi.eight7.org; here are some of the new features:
- Snort module with community rules
- self-contained snort module with all the community rules and configuration file; this’ll generate alerts into a file after reading the pcap file. I wasn’t sure whether to use community or bleeding edge rules, but it’s still easy to point the snort module to your own snort.conf file and do it that way.
- Exec command will do substitution now on the following variables:
- ${PCAP_FILE}
- ${PCAP_BASE}
- ${MODULE_DIR}
- ${OUTPUT_DIR}
- This’ll let you do something like:
exec tcpdump -X -n -r ${PCAP_FILE}
- In addition, exec now logs all the commands run into the regular logfile
- The ‘logfile’ command, real simple, just specifies a new logfile
- Whitespace is handled much better. There were a lot of bugs with whitespace not being handled correctly for the “set” command (among others); it should be handled properly now.
- Category loading now handles non-files much better. Before, if you left a “CVS” directory in the categories folder, it would be read, and when you went to do a “toggle all” it would error out. This has been fixed.
- Lots of bugfixes
You can grab the new version here:
http://writequit.org/projects/nsm-console/files/nsm-console-0.3-DEVEL.tar.gz
It’s definitely stable enough for daily use, and highly recommended over the older versions. I’m still hoping to get a cvs-web interface up to be able to browse the code.
posted in automation, development, hex, logfile, nsm, nsm console, programming, ruby, script, snort by Lee | 3 Comments
December 21, 2007
I found out there is internet here, so I’m finally able to post some code changes I was working on while on the airplane.
Firstly, download the files here.
The static page for nsm-console is here.
I finally got around to releasing the next version of the nsm-console. This version incorporates a large amount of bug fixes and additional features. First, I’ll start with some of the features I’m the most happy about. Most of these features are in the new Hex 1.0.2 release which came out yesterday (go download it now!).
- Categories
- You can now toggle certain categories on and off. For instance, one category shipped with the new release is the ‘flow’ category; you treat it just like a regular module. Simply use “toggle flow” to toggle the flow category (and all of its modules) on and off.
- You can easily add your own categories to customize your work environment. All you have to do is create a file named the same as the category name in the modules/categories directory.
- Directory analysis
- When you normally run the nsm-console, you would specify a single pcap file to perform analysis on. Now you can use the same “file” command to specify a directory full of files instead of a single file. When the “run” command is executed, all the toggled modules’ operations will be executed on each file in the directory (recursively).
- To better accommodate this type of operation, I encourage anyone that is writing any modules to write them to output the results into an output file named something like ${PCAP_BASE}.tcpdstat.out (so if you had more than 1 file, the output will go into more than one file).
- The ‘exec’ command
- I added the exec command because I was tired of spawning an additional shell in order to run a simple ‘tcpdump’. I hope this helps with the automation that I’m going to talk about below.
The directory functionality and the exec command aren’t in the current Hex release, but hopefully they will be in the next release.
Part of the reason I think nsm-console is neat is the ease of automation you can do using simple text files. For instance, if you created a text file called “automate.txt” and put the following lines in it:
file /pcap/data.pcap
output automated-output
toggle aimsnarf
toggle tcpdstat
toggle chaosreader
run
quit
Then, you can run the command:
./nsm < automate.txt > output.txt
Which will run all the commands in the text file automatically, placing all the output in output.txt, simple eh?
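The script-driven batch run above and the exec variable substitution described in the January 1 entry are two sides of the same command loop: lines come in from a file, ${PCAP_FILE}/${PCAP_BASE}/${MODULE_DIR}/${OUTPUT_DIR} get filled in per capture, and each resulting command line is logged and handed to a shell. The Ruby below is an added example written for this page, not nsm-console’s own code, of a minimal console that does exactly that. The MiniConsole class, its MODULES command templates and the constructed automate-style script in the usage note are all assumptions for the illustration. The one thing worth copying from it is the caveat: because exec ends up in a shell, every substituted value is passed through Shellwords.escape first, so a capture pulled off a compromised box with a hostile file name cannot turn “tcpdump -r ${PCAP_FILE}” into two commands.

```ruby
require 'shellwords'
require 'find'

# Hypothetical stand-in for the console's command loop (added example, not
# nsm-console code). The module command templates are constructed for the
# example and are not the real modules' invocations.
class MiniConsole
  MODULES = {
    'tcpdump'  => 'tcpdump -X -n -r ${PCAP_FILE} > ${OUTPUT_DIR}/${PCAP_BASE}.tcpdump.out',
    'tcpdstat' => 'tcpdstat ${PCAP_FILE} > ${OUTPUT_DIR}/${PCAP_BASE}.tcpdstat.out'
  }.freeze

  attr_reader :log, :toggled

  # runner receives the fully expanded command line; the default hands it to a
  # shell, while a dry run or test can pass a lambda that only records it
  def initialize(module_dir: 'modules', runner: nil)
    @module_dir = module_dir
    @output_dir = 'output'
    @target = nil
    @toggled = []
    @log = []
    @runner = runner || ->(cmd) { system(cmd) }
  end

  # Expand ${VAR} placeholders in a template for one pcap. Every substituted
  # value is shell-escaped, so a capture named "evil;rm -rf ~.pcap" stays a
  # file name instead of becoming a second command when the line hits the shell.
  def expand(template, pcap)
    values = {
      'PCAP_FILE'  => pcap,
      'PCAP_BASE'  => File.basename(pcap, File.extname(pcap)),
      'MODULE_DIR' => @module_dir,
      'OUTPUT_DIR' => @output_dir
    }
    template.gsub(/\$\{([A-Z_]+)\}/) do
      name = Regexp.last_match(1)
      raise ArgumentError, "unknown variable ${#{name}}" unless values.key?(name)
      Shellwords.escape(values[name])
    end
  end

  # "file" may name one pcap or a directory; a directory is walked recursively
  def targets
    return [] if @target.nil?
    return [@target] unless File.directory?(@target)
    files = []
    Find.find(@target) { |path| files << path if File.file?(path) }
    files.sort
  end

  def toggle(name)
    raise ArgumentError, "no such module #{name.inspect}" unless MODULES.key?(name)
    @toggled.include?(name) ? @toggled.delete(name) : @toggled.push(name)
    @toggled
  end

  # Expand, log, then run one command line against one pcap
  def run_command(template, pcap)
    cmd = expand(template, pcap)
    @log << cmd
    @runner.call(cmd)
  end

  def each_target
    files = targets
    raise 'no file or directory set' if files.empty?
    files.each { |pcap| yield pcap }
  end

  # Interpret one line of an automate.txt-style script; returns false on quit
  def handle(line)
    stripped = line.strip
    return true if stripped.empty? || stripped.start_with?('#')
    cmd, arg = stripped.split(' ', 2)
    case cmd
    when 'file'   then @target = arg; true
    when 'output' then @output_dir = arg; true
    when 'toggle' then toggle(arg); true
    when 'exec'   then each_target { |pcap| run_command(arg, pcap) }; true
    when 'run'    then each_target { |pcap| @toggled.each { |m| run_command(MODULES[m], pcap) } }; true
    when 'quit'   then false
    else raise ArgumentError, "unknown command #{cmd.inspect}"
    end
  end

  # Drive the console from an IO, the way "./nsm < automate.txt" would
  def self.run_script(io, **opts)
    console = new(**opts)
    io.each_line { |line| break unless console.handle(line) }
    console
  end
end
```

To use it the way the post describes, call `MiniConsole.run_script($stdin)` from a script and redirect automate.txt into it; `console.log` then holds every expanded command line in the order it ran, which is the same record the real console writes to its logfile. Passing `runner: ->(cmd) { puts cmd }` gives a dry run that shows what would be executed without touching the captures.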
If you have any questions, comments or suggestions, feel free to leave a comment or send an email. I’d love to hear if/how you’re using nsm-console.
posted in automation, framework, freebsd, hacking, hex, network, networking, nsm, nsm console, pcap, ruby, script, security by Lee | Comments Off
December 19, 2007
Just a short note, I’ll be out of town visiting family for the next week and a half, I won’t have internet, so no updates and no responses to email. Everyone have a Merry Christmas!
posted in christmas, family, vacation by Lee | Comments Off