ms08-067 - it starts
•October 26, 2008 • No Comments
new project
•August 28, 2008 • No Comments
New project for the home network - “network black box”. More details and a build doc later.
dns fun
•July 25, 2008 • No Comments
My ISP has patched their DNS and my firewall DNS process (pfsense) does not need a patch, so I should be good. Now I just need to ride the storm of infected systems at work over the next few weeks as people bring them in from home. The bots shall come marching!
another good podcast
•July 17, 2008 • No Comments
This time from WatchGuard. Usually the podcasts by a company are no good. WatchGuard has done something great. They split the “company propaganda” and the good stuff. If you own a WatchGuard device then you will like the ones that start with “firebox special”; if you don’t, just skip them and listen to the others. The hosts, Scott and Corey, do a great job of running you through an exploit or vulnerability instead of just listing off news items like some of the other security podcasts do.
http://www.watchguard.com/education/radiofreesecurity.asp
(also in iTunes catalog)
podcast recommendation
•July 9, 2008 • No Comments
I am always in search of a good podcast. Lately I have found Risky Business. It is from Australia and meets all of my “likes” below.
http://itradio.com.au/security/
1. Good audio - there are many that start but don’t invest in good equipment. There is nothing harder than trying to listen to a podcast that has horrible audio.
2. Boring content. I don’t want to listen to something that sounds like someone is reading the newspaper. I can do that. I like podcasts that sound like I am eavesdropping on a group of gurus at a security conference.
3. Keep it to the subject matter. There are a few out there that get too childish. I am all for jokes but when it is more than your subject matter that is too much.
side effects of this job
•June 14, 2008 • No Comments
Thanks to looking at URL obfuscation all day I now write 50% as %50.
sslexplorer on ubuntu server 8.04 - all cli
•May 30, 2008 • 1 Comment
The new sslexplorer gui installer works great, but what if you want it to run on a server without the desktop?
Note - before you start
- Many of the commands below will run from the CLI as non-root but will give you errors later on. To avoid this, run “sudo -i” each time you start a session with the server during the install. Otherwise you will hit issues such as write errors, can't start the web server on a port lower than 1024, …
- All terminal commands below are indented
Default 8.04 ubuntu server
- add sshd
Install java and unzip
    apt-get install sun-java5-jdk unzip
Patch server and reboot for clean start
    apt-get update
    apt-get upgrade
    reboot
Download sslexplorer (not the gui one)
    wget http://download.3sp.com/appstore/files/sslexplorer_unix.zip
- if link above is bad then make your own, view source on http://3sp.com/showSslExplorer.do
- grab a coffee, 42mb from a slow server
Unzip and untar download file
    unzip sslexplorer_unix.zip
- zip file has tar file of sslexplorer and pdf of unix installer
    tar -zxvf sslexplorer_unix.tar.gz
Install the service
    cd sslexplorer/install/platforms/linux/
    ./install-service -j /usr/lib/jvm/java-1.5.0-sun
- you can also ditch the -j option and set JAVA_HOME for this app to run
- if it works you should get something like this….
    Detecting Java
    Using /usr/lib/jvm/java-1.5.0-sun
    Detected OS debian (x86)
    Adding system startup for /etc/init.d/sslexplorer …
    /etc/rc0.d/K20sslexplorer -> ../init.d/sslexplorer
    /etc/rc1.d/K20sslexplorer -> ../init.d/sslexplorer
    /etc/rc6.d/K20sslexplorer -> ../init.d/sslexplorer
    /etc/rc2.d/S20sslexplorer -> ../init.d/sslexplorer
    /etc/rc3.d/S20sslexplorer -> ../init.d/sslexplorer
    /etc/rc4.d/S20sslexplorer -> ../init.d/sslexplorer
    /etc/rc5.d/S20sslexplorer -> ../init.d/sslexplorer
    Service installed
Go back to the root of the sslexplorer folder and start installer
    ./install-sslexplorer
- it will fire up the temp page on http://server_ip:28080
- go there in your browser and run the wizard
- if you need help on wizard check the pdf that came with installer
Go back to shell and check service status
    /etc/init.d/sslexplorer status
- it will probably not be started so start it up
    /etc/init.d/sslexplorer start
- give it a sec and go to the page - https://your_ip , if you have a login prompt you are good to go.
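An added check, not part of the original post or of sslexplorer itself: once the wizard is finished, confirm from the listener table that the temp page on 28080 is gone and the HTTPS listener is up. Port 443 is an assumption taken from https://your_ip having no explicit port, and the netstat samples are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): post-install listener check.
# Ports come from the post's URLs: 28080 is the temporary wizard page,
# 443 is assumed from https://your_ip having no explicit port.
WIZARD_PORT=28080
HTTPS_PORT=443

# Print the TCP ports in LISTEN state found in `netstat -ltn` text on stdin.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        n = split($4, part, ":")   # works for 0.0.0.0:443 and :::443
        print part[n]
    }' | sort -un
}

# Exit status: 0 = wizard closed and HTTPS up, 1 = wizard port still open,
# 2 = nothing listening on the HTTPS port.
check_listeners() {
    ports=$(listening_ports)
    if printf '%s\n' "$ports" | grep -qx "$WIZARD_PORT"; then
        echo "WARN: setup wizard still listening on port $WIZARD_PORT"
        return 1
    fi
    if ! printf '%s\n' "$ports" | grep -qx "$HTTPS_PORT"; then
        echo "FAIL: nothing listening on port $HTTPS_PORT"
        return 2
    fi
    echo "OK: wizard listener closed, HTTPS listener up"
}

# Constructed netstat -ltn samples (not captured from a real host).
SAMPLE_WIZARD='Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp6       0      0 :::28080          :::*              LISTEN'
SAMPLE_DONE='Proto Recv-Q Send-Q Local Address     Foreign Address   State
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN
tcp6       0      0 :::443            :::*              LISTEN'

printf '%s\n' "$SAMPLE_WIZARD" | check_listeners || true
printf '%s\n' "$SAMPLE_DONE" | check_listeners

# On the server itself: netstat -ltn | check_listeners
```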
What is the purpose of this….
•May 30, 2008 • No Comments
Doing a little google for my domain and I find a url from webalizer from Feb 2008 on a few foreign sites. It is with hundreds of other domains with the same url string in the comment fields of a blog.
What is the point of this? If it were a list being stored by someone who choose Feb 2008? If there was a bug or something in that page would it not be for all months?
great story of a DOS - Revision3
•May 30, 2008 • No Comments
There are a couple of things I like or would like to note about this story.
1. They include the packet capture.
2. I think the FBI is going to have some fun with this one. If I caused all that damage by accident I would be in trouble.
3. Not sure I can swallow the “our servers are just trying to connect back” story. If they were would the times not double each time? 2000 servers, connect every 3 mins would be an average of 11 hits per second, not 8000.
4. Looks like they had 2 different data centers hitting in this attack. Usually that would be for fail over not full production load. Unless they got two different IP blocks that far apart.
5. Love the analogy of a DOS. My Dad could understand that one.
6. I want a 9 Gbps wan connection.
sslexplorer on ubuntu 8.04 desktop - gui
•May 30, 2008 • No Comments
sslexplorer (great ssl vpn for your home) has a new linux gui installer. There were a few twitches on the install of my ubuntu 8.04 desktop box.
- ubuntu 8.04 install
- turn off all visual effects from compiz (java5 installer can’t handle the “clearlooks”)
- install the java5 jdk (sudo apt-get install sun-java5-jdk)
- all patches (apt-get update/upgrade)
- download and unpack zip file from http://sshtools.com/showSslExplorer.do to temp dir.
- reboot
- run setup file (sudo sh ./sslexplorer-linux.sh)
- during install you will go to http://localhost:28080 to set up the server. If you miss the window and it is down, “/etc/init.d/sslexplorer start” will not work - just run the installer and pause on that section again. Set up your cert and finish the installer. Again, reboot and it is fine; the restart of the service with init.d would not work at this stage for me.

