Posts Tagged ‘vulnerability’

Find Files Which Have Been Recently Modified or Created

Has your outdated WordPress or other shrinkwrapware been compromised? (Yes >.>)

After taking steps to shut down the site you should use the find command to check whether any unusual files have been uploaded recently. If you scramble to close the hole and apply updates before this step, you will likely end up drowning any suspects in the results.

If you don’t remove, for example, a phishing page before plugging the hole you:

  • May never find out it’s there
  • Are contributing to phishing
  • One day your ISP will probably forward you a sternly worded letter from the victimized institution and threaten to drop your service if the page is not removed in 24 hours

Use your imagination if it’s something worse, like a rootkit or webshell.

It is necessary to determine the earliest possible time the attack could have taken place. It won’t kill you to add a day or two for safety.

# find /var/www/localhost/htdocs/ -type f -ctime -X

Where X is the number of days to look back.
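As an added example that is not part of the original post, the same find command wrapped in a triage helper that also compares each file's ctime with its mtime: touch(1) can backdate mtime, but ctime is set by the kernel and cannot be set directly, so a fresh ctime on a file whose mtime claims to be old deserves a look. It assumes GNU find and GNU date; the web root and the number of days are arguments.

```shell
#!/bin/sh
# Triage helper around the article's find command (added example).
# recent_files WEBROOT DAYS
#   Lists regular files whose inode change time (ctime) falls within the last
#   DAYS days, newest first, and flags files whose modification time (mtime) is
#   more than a day older than their ctime: mtime can be backdated with
#   touch(1), ctime cannot, so that pairing is typical of a dropped file whose
#   timestamp was "aged" to blend in with the rest of the tree.
# Assumes GNU find (-printf) and GNU date (-d "@SECONDS").
recent_files() {
    root="$1"; days="$2"
    find "$root" -type f -ctime "-$days" -printf '%C@ %T@ %p\n' 2>/dev/null |
    sort -rn |
    while read -r ctime mtime path; do
        c=${ctime%.*}; m=${mtime%.*}          # drop fractional seconds
        if [ $((c - m)) -gt 86400 ]; then
            flag="SUSPECT(mtime backdated)"
        else
            flag="ok"
        fi
        printf '%s %s %s\n' "$(date -u -d "@$c" +%Y-%m-%dT%H:%M:%SZ)" "$flag" "$path"
    done
}

# Example: everything changed under the web root in the last 3 days.
# recent_files /var/www/localhost/htdocs 3
```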

Simple Disk or File-System Image Encryption with dm-crypt

dm-crypt is part of the modern Linux device mapper system and allows a broad range of block ciphers to be applied transparently to a virtual block device. The virtual block device is configured with the cryptsetup command and can use as its underlying source either a real block device (i.e. a real hard drive or partition) or a file which has been attached to a loop device.

There are a lot of great reasons to use LUKS (Linux Unified Key Setup), not the least of which is the ability to encrypt the host operating system’s partition or change the encrypted volume’s passphrase. In this article however, we will simply be covering the mundane encryption of block devices with dm-crypt.

One of the advantages of encrypting a physical hard drive from head to toe is that there is no partition table around to leak metadata; if you followed Filling a Drive with Random Data: urandom, dd and Patience your encrypted file system will span the size of the device and any cryptographic boundaries should be undetectable.

If you will be working with a file instead of a real block device it will be necessary to create the file and set it up on a loop device before proceeding. Just as with wiping a disk, it is recommended that /dev/urandom be used to initialize the file instead of /dev/zero, but you may find the same benefit for much less time by simply creating a sparse file (please see Managing Raw Disk/File System Image Files for more details).

# dd if=/dev/urandom of=encrypted.img bs=1M count=1000
OR
# dd if=/dev/zero of=encrypted.img seek=1000 bs=1M count=0
THEN
# losetup /dev/loop0 encrypted.img

Now we’re going to run the device through dm-crypt using 256-bit AES in CBC mode with SHA-256 ESSIV. ESSIV is a method of generating initialization vectors which are difficult to predict; this helps protect against watermarking attacks. You will be asked to provide a passphrase; the longer and more complex, the better.

# cryptsetup -c aes-cbc-essiv:sha256 create encryptedVolume /dev/loop0 (or /dev/sdd, etc)
Enter passphrase:

Alternatively, you may prefer to use a large chunk of random data stored in a file, perhaps on a USB stick.

# dd if=/dev/urandom of=/mnt/usb/passphrase.key bs=1K count=4
# cat /mnt/usb/passphrase.key | cryptsetup -c aes-cbc-essiv:sha256 create encryptedVolume /dev/loop0

This method provides excellent protection against brute force attacks but may add a physical security dilemma. Consider a case where law enforcement agents have a warrant to search and seize your property; if they find the USB stick and figure out that it contains the key to your encrypted drive they don’t have to pressure you for your passphrase to use it. On the other hand, depending where and with whom the key is stored, this approach could have benefits in a rubber-hose attack situation, as 4K of random data is virtually impossible to memorize.

Our new virtual block device is located under /dev/mapper. Now we can create the filesystem of our choice on it:

# mke2fs -j /dev/mapper/encryptedVolume

Once the filesystem is in place the device can be mounted and used like any regular block or loop device:

# mkdir /mnt/encrypted
# mount /dev/mapper/encryptedVolume /mnt/encrypted

As long as the device is available through device mapper the contents of the encrypted volume are vulnerable to the same kind of attacks any part of your regular system is: malware, viruses, cockpit error and so on. When not in use be sure to unmount the file system and destroy the device mapper entry:

# umount /mnt/encrypted
# cryptsetup remove encryptedVolume

If your volume is file-backed it is now safe to unhitch it from the loop device:

# losetup -d /dev/loop0
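As an added example (not from the original article), the open and close steps above wrapped in one script so that the mapping and the loop device are always torn down in the right order, even when a step fails part way through an open; a half-finished open would otherwise leave the cleartext reachable under /dev/mapper. It assumes GNU/Linux with util-linux losetup and cryptsetup, run as root; the script name, subcommands and the loop_device_of helper are my own.

```shell
#!/bin/sh
# Added example: lifecycle wrapper for a file-backed dm-crypt plain volume.
#   encvol open  IMAGE NAME MOUNTPOINT
#   encvol close NAME MOUNTPOINT
# Assumes util-linux losetup, cryptsetup and root privileges.
set -eu

CIPHER="aes-cbc-essiv:sha256"   # same cipher spec the article uses (plain mode)

# Read `cryptsetup status NAME` text on stdin and print the backing device,
# but only when it is a loop device (a real disk must not be detached).
loop_device_of() { awk '$1 == "device:" && $2 ~ /^\/dev\/loop/ { print $2; exit }'; }

# Reverse-order teardown. Every step is conditional so it is safe to call on
# a partially opened volume and always runs through to the end.
teardown() {
    name="$1"; mnt="$2"; loopdev="$3"
    if mountpoint -q "$mnt"; then umount "$mnt"; fi
    if [ -e "/dev/mapper/$name" ]; then cryptsetup remove "$name"; fi
    if [ -n "$loopdev" ]; then losetup -d "$loopdev"; fi
}

open_vol() {
    image="$1"; name="$2"; mnt="$3"
    loopdev=$(losetup --find --show "$image")          # attach the image file
    # From here on any failure (set -e) runs the teardown before exiting.
    trap 'teardown "$name" "$mnt" "$loopdev"' EXIT
    cryptsetup -c "$CIPHER" create "$name" "$loopdev"  # prompts for passphrase
    mkdir -p "$mnt"
    mount "/dev/mapper/$name" "$mnt"
    trap - EXIT                                        # success: leave it open
    echo "opened $image as /dev/mapper/$name on $mnt"
}

close_vol() {
    name="$1"; mnt="$2"
    loopdev=$(cryptsetup status "$name" | loop_device_of)
    teardown "$name" "$mnt" "$loopdev"
    echo "closed $name"
}

case "${1:-}" in
    open)  open_vol "$2" "$3" "$4" ;;
    close) close_vol "$2" "$3" ;;
esac
```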

Using DFind.exe and Blocking w00tw00t.at.ISC.SANS.DFind

Chances are you’ve seen something like this in your access/error_logs:

[Tue Jul 13 12:13:54 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Jul 13 12:16:45 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 00:26:44 2010] [error] [client 62.103.39.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 10:27:20 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 10:30:11 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

You can start breathing again – it’s just the signature of a slightly outdated vulnerability scanner for Windows-based script kiddies. I couldn’t find anything particularly useful on it with Google, so this article will show you not only how to block sources of the scans (they could be zombies equipped with other tools, after all) but also how to use it.

You can either download DFind from its project homepage (requires an account) or you can grab it from http://foxpa.ws/dist/DFind_1.0.9.rar and extract it somewhere on a Windows box. Your antivirus will probably have a fit since it’s a common component of bundled malware; just make it shut up for a bit.

It doesn’t come with much in the way of documentation, just a revision.txt file:

Usage:

DFind is a free command line scanner used to be small, fast, introducing a large number of command lines, helping anyone to identify
in one line the kiddie's doors.

Revision:

---x32.1.0.9---
+PestPatrol detects the last MD5 hash of DFind, quick binary update to bypass
+WEBDAV status scanner on IIS/5.0 added.
+Back to VC6 and old mfc, much smaller and stable
+Symantec detected signature gone; "\x20\x20VULNE" is enough for them to classify it as 'HackTool.DFind', this is updated to "\x20\x20VULN...", keep it up sym ;>
+"DFind -update" added to check like a lazy for new updates, this will calculate and compare the md5hash of the file you are using with the one I publish on the website.
---x32.1.0.8---
+No more using MFC libraries, too recent, too buggy...
+'HackTool.DFind' on Symantec 10.0.1.1000 gone
+New compilation moved under Visual Studio 2005 and Platform SDK.
+x64.1.0.8 compilation available to the website (for the new 64-bit systems).
---------------

http://getdfind.class101.org (32-bit)
http://getdfind32.class101.org (32-bit)
http://getdfind64.class101.org (64-bit)

Note:

The author of this tool isn't responsible for the bad use of it; just try it on (and secure..) your network before the attacker does.

A.D

Pop open a command line and give it a whirl, you’ll get a help menu similar to this:

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind.exe

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 MAIN MENU
 =============================================================

[+] Usage: DFind <option> <syntax>
[+] <option>:
 _______________________________________________________
 |___-p___|___+p___|___-pu__|__-ban__|__-web__|__-dde__|
 |__-wdv__|
 _______________________________________________________
 |__-rad__|__-wns__|_-http__|_-sock__|__-ipc__|__-nbn__|
 |__-vnc__|
 _____________
 |__-update__|

[+] Type DFind <option> to look the <syntax>
[+] Number of possibles <syntax>: 973

Here’s the help listing for each flag:

================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 TCP port scanner
 =============================================================

[+]  . DFind -p 80 192.168.0.1  [-v]
[+]  . DFind -p 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -p 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -p 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -p 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -p 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind +p

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 PING port scanner
 =============================================================

[+]  . DFind +p 80 192.168.0.1  [-v]
[+]  . DFind +p 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind +p 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind +p 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind +p 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind +p 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -pu

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 UDP port scanner
 =============================================================

[+]  . DFind -pu 80 192.168.0.1  [-v]
[+]  . DFind -pu 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -pu 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -pu 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -pu 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -pu 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -ban

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 BANNER port scanner
 =============================================================

[+] . DFind -ban 80 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -ban 80 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -ban 80 150 192.168.0.1  [THREADS] [-v] [-spy "text"]
[+] . DFind -ban 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -ban 1,.,10 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -ban 1,.,10 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]

 [-spy "text"] == case sensitive

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -web

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 WEBSERVER BANNER port scanner
 =============================================================

[+] . DFind -web 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -web 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 80 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -web 80 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 80 150 192.168.0.1  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]
[+] . DFind -web 1,.,10 192.168.0.1  [-v] [-spy "text"]
[+] . DFind -web 1,.,10 192.168.0.0 192.168.0.255  [THREADS] [-v] [-spy "text"]

 [-spy "text"] == case sensitive

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -dde

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft NETDDE port scanner
 -----------------------
 ripped from HOD exploit with a recoded nbname checking
 =============================================================

[+]  . DFind -dde 192.168.0.1  [-v]
[+]  . DFind -dde 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -rad

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Famatech LLC RAdmin 2.1 vulnerability scanner
 =============================================================

[+]  . DFind -rad 192.168.0.1  [-v|-vv]
[+]  . DFind -rad 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -rad 80 192.168.0.1  [-v|-vv]
[+]  . DFind -rad 80 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -rad 80 150 192.168.0.1  [THREADS] [-v|-vv]
[+]  . DFind -rad 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -rad 1,2,..,9,10 192.168.0.1  [-v|-vv]
[+]  . DFind -rad 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -nns

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==

[+] wrong command line, type DFind to view the main menu

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -wns

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft WINS MS04-045 vulnerability and os/sp scanner
 =============================================================

[+]  . DFind -wns 192.168.0.1  [-v|-vv]
[+]  . DFind -wns 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -http

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Anonymous/Transparent/High-Anon HTTP proxy scanner
 =============================================================

[+]  . DFind -http 192.168.0.1  [-v]
[+]  . DFind -http 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -http 80 192.168.0.1  [-v]
[+]  . DFind -http 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -http 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -http 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -http 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -http 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -sock

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Anonymous SOCKS5 proxy scanner
 =============================================================

[+]  . DFind -sock 192.168.0.1  [-v]
[+]  . DFind -sock 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -sock 80 192.168.0.1  [-v]
[+]  . DFind -sock 80 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -sock 80 150 192.168.0.1  [THREADS] [-v]
[+]  . DFind -sock 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v]
[+]  . DFind -sock 1,2,..,9,10 192.168.0.1  [-v]
[+]  . DFind -sock 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -ipc

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft NETBIOS NULL SESSION port scanner
 =============================================================

[+]  . DFind -ipc 192.168.0.1  [-v]
[+]  . DFind -ipc 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -nbn

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 Microsoft NETBIOS NAME port scanner
 -----------------------------
 ripped from HOD exploit with a recoded nbname checking
 =============================================================

[+]  . DFind -nbn 192.168.0.1  [-v]
[+]  . DFind -nbn 192.168.0.0 192.168.0.255  [THREADS] [-v]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -vnc

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 VNC4 systems vulnerability scanner
 =============================================================

[+]  . DFind -vnc 192.168.0.1  [-v|-vv]
[+]  . DFind -vnc 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -vnc 80 192.168.0.1  [-v|-vv]
[+]  . DFind -vnc 80 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -vnc 80 150 192.168.0.1  [THREADS] [-v|-vv]
[+]  . DFind -vnc 80 150 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]
[+]  . DFind -vnc 1,2,..,9,10 192.168.0.1  [-v|-vv]
[+]  . DFind -vnc 1,2,..,9,10 192.168.0.0 192.168.0.255  [THREADS] [-v|-vv]

 If ([THREADS]==NULL) thread=500, maximum allowed=2500

 visit class101.org for more informations

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind -update

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 DFind updates checker
 =============================================================

[+] -----Calculating the MD5 hash (actual binary:32-bit)-----
[+] "dfind.exe" => 3188826a5c39dd49d0ef3ce3d7bea1c2
[+] -----Retrieving the MD5 hash (official binary:32-bit)-----
[+] "official md5" => 3188826a5c39dd49d0ef3ce3d7bea1c2
[+]
[+] Your version is up to date, no updates required

As you can see it sports an automatic update feature and its small size makes it perfect for bundling in a trojan payload. If you guessed the -web flag was responsible for the log entries you win a gold star:

C:\Documents and Settings\Administrator\My Documents\Downloads>dfind.exe -web xxx.xxx.xxx.xxx

 ================================================[rev-1.0.9]==
 ==============DFind - #1 Tiny Security Scanner===============
 ============multi-threaded for Linux and Windows=============
 ===================================================[32-bit]==
 WEBSERVER BANNER port scanner
 =============================================================

[+] status..: 100% thread(s):0
[+] results.: 1 / 5 PORT(s) / 1 IP(s) (open:1)

It showed up like this in my error_log:

[Wed Jul 14 15:56:55 2010] [error] [client yyy.yyy.yyy.yyy] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)

Since this error is generated by requests missing the Host header (mandatory in HTTP/1.1 but not in 1.0), it raises the question of whether this is just the result of sloppy programming or an intentional signature. Either way we can take advantage of it to block hosts using the -web flag. BobA on the HostGator forums suggests blocking these requests with some mod_rewrite rules:

RewriteEngine on
# Block requests whose path carries the scanner's tag
RewriteCond %{REQUEST_URI} w00tw00t\.at\.ISC\.SANS\.DFind
RewriteRule ^.*$ http://www.thenameofmydomain.com/403.html [L]

That doesn’t really do us any good. Port scanning will still show an exposed web server, which is about all the output you get with the -web flag anyway. Chances are good that if you’re being scanned by this thing it’s not the only tool in the zombie’s box either. We need something that will IP-block the bugger so they can’t keep scanning.

We need a Snort rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC DFind Web Server Scan"; flow:to_server,established; uricontent:".at.ISC.SANS.DFind"; reference:foxpa.ws,301; classtype:web-application-attack; sid:4000001; rev:1; fwsam: src, 1 day;)

You’ll notice I dropped the w00tw00t; it seems some folks are getting test0 and other prefixes, and the chances of the rest of the string popping up in your URLs legitimately are fairly slim. Pop this into your Snort ruleset somewhere (make sure the SID doesn’t conflict with any other custom rules) and restart. With the addition of SnortSam or a similar IPS add-on, attackers should now find themselves automatically firewalled.
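As an added example that is not part of the original article: if you have no Snort sensor in front of the box, the same signature can be pulled straight out of the Apache error_log. The pipeline below keys on ".at.ISC.SANS.DFind" only, as recommended above, counts hits per client and emits firewall rules for review rather than applying them. The sample log lines are constructed from the excerpt above (with one test0 variant, one Apache 2.4-style "[client IP:port]" line and one unrelated error), and the hit threshold is an assumption.

```shell
#!/bin/sh
# Added example: find the hosts behind DFind -web scans in an Apache error_log
# and turn repeat offenders into firewall rules to review (nothing is applied).
# Matches ".at.ISC.SANS.DFind" only, so w00tw00t, test0 and other prefixes all
# count. Handles both the 2.2 "[client IP]" and 2.4 "[client IP:port]" formats.

# dfind_sources [MIN_HITS] < error_log
#   Prints "COUNT IP" for each client that sent at least MIN_HITS tagged
#   requests (default 1), most active first.
dfind_sources() {
    min="${1:-1}"
    grep -F '.at.ISC.SANS.DFind' |
    sed -n 's/.*\[client \([0-9][0-9.]*\)[]:].*/\1/p' |
    sort | uniq -c | sort -rn |
    awk -v min="$min" '$1 >= min { print $1, $2 }'
}

# dfind_block_rules [MIN_HITS] < error_log
#   Same selection, rendered as iptables DROP rules so they can be eyeballed
#   (or fed to an ipset / fail2ban action) before any host is firewalled.
dfind_block_rules() {
    dfind_sources "${1:-1}" | awk '{ print "iptables -I INPUT -s " $2 " -j DROP" }'
}

# Constructed sample modelled on the article's log excerpt: one test0 variant,
# one Apache 2.4-style client field, one unrelated error that must be ignored.
SAMPLE_LOG='[Tue Jul 13 12:13:54 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Tue Jul 13 12:16:45 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 00:26:44 2010] [error] [client 62.103.39.74] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 10:27:20 2010] [error] [client 74.63.218.250] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /test0.at.ISC.SANS.DFind:)
[Wed Jul 14 10:30:11 2010] [error] [client 74.63.218.250:51234] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Wed Jul 14 11:00:00 2010] [error] [client 10.0.0.5] File does not exist: /var/www/localhost/htdocs/favicon.ico'

# Demo: hosts with two or more tagged requests, as rules to review.
printf '%s\n' "$SAMPLE_LOG" | dfind_block_rules 2
```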

Made in Canada  •  There's a fox in the Gibson!  •  2010-12