
Router BoTnets on the rise: Here’s how to protect your gateways

Earlier this week, Czech security experts led by Jan Vykopal, head of the security project of Masaryk University, released a report describing “Chuck Norris”, a BoTnet they discovered running on compromised broadband routers that attempts to intercept sensitive information such as user passwords, bank account details and private email account information.

Once installed, the bot blocks remote communication ports and begins to scan the network for other vulnerable machines. It is controlled via IRC. Because the worm is installed in RAM, it can be terminated by restarting the router; however, variations that install themselves into NVRAM may exist, and those would not be so easily removed.

While the Czech experts identified the BoTnet’s footprint as extending only across Europe, China and South America, North America may not be far behind. Earlier last year, DroneBL, an organization that monitors abuse by infected machines, identified a potential PoC (proof of concept) BoTnet called Psyb0t, which was soon shut down.

According to this white paper on Psyb0t, ADSL modem/routers based on the Texas Instruments TNETD7300, such as the NB5 modem/router manufactured by NetComm, were exploitable through their web interfaces, which were exposed on the WAN side.

The DroneBL team summarized Psyb0t’s characteristics as follows:

  • was the first botnet worm to target routers and DSL modems
  • contained shellcode for many mipsel devices
  • was not targeting PCs or servers
  • used multiple strategies for exploitation, including bruteforce username and password combinations
  • harvested usernames and passwords through deep packet inspection
  • could scan for exploitable phpMyAdmin and MySQL servers

The DroneBL blog on this botnet estimated that about 100,000 Mipsel devices (Mipsel being a port of Debian Linux for MIPS processors) were infected. While the BoTnet is believed to be no longer active, the short time it took to spread to 100,000 devices is certainly cause for alarm.

The average gateway device used by small businesses and individual users does not enjoy the protection the users’ computers on the internal network typically have, such as virus and malware scanners or periodic software updates. This makes it all the more appealing to potential attackers. In addition, as all external traffic is routed through the device, it is the ideal location from which to intercept sensitive information flowing to and from every network resource.

Guidelines to protect your Gateways & Routers

To reduce the potential risk of compromise to your network, ensure the gateway devices at least have:

  1. No administrative interfaces (Web, Shell) exposed to the WAN side
  2. Strong password policies
    • Use alphanumerically complex passwords
    • Change passwords regularly
    • Do not reuse passwords
  3. Changed default user/admin names (such as ‘admin’)
  4. Latest firmware/patches applied
  5. Logging enabled and monitored routinely.
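Guideline 5 above only helps if someone actually looks at the logs. The script below is an added example (not from the original post or from the DroneBL or Masaryk reports) of the check a practitioner would run over a gateway’s login log: it flags any source address that fails the admin login repeatedly inside a short window, the brute-force behaviour the Psyb0t summary describes. The syslog line format, the 2010 year assumption and the sample lines are constructed for this example; adapt the regex to your own router’s output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines for this example; not from any real device.
SAMPLE_LOG = """\
Mar 16 02:11:01 gw authpriv: admin login failed for user 'admin' from 203.0.113.7 (http)
Mar 16 02:11:03 gw authpriv: admin login failed for user 'root' from 203.0.113.7 (http)
Mar 16 02:11:05 gw authpriv: admin login failed for user 'admin' from 203.0.113.7 (http)
Mar 16 02:11:08 gw authpriv: admin login failed for user 'support' from 203.0.113.7 (http)
Mar 16 02:11:10 gw authpriv: admin login failed for user 'admin' from 203.0.113.7 (http)
Mar 16 02:30:44 gw authpriv: admin login ok for user 'netops' from 192.168.1.20 (http)
Mar 16 03:05:12 gw authpriv: admin login failed for user 'admin' from 192.168.1.20 (http)
"""

# Hypothetical log format: adapt the pattern to your gateway's own syslog output.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: admin login "
    r"(?P<result>failed|ok) for user '(?P<user>[^']*)' from (?P<src>[\d.]+)"
)

def parse_ts(raw, year=2010):
    # Syslog timestamps carry no year; assume one so the window arithmetic works.
    return datetime.strptime(f"{year} {raw}", "%Y %b %d %H:%M:%S")

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: set(usernames tried)} for every source that failed
    an admin login at least `threshold` times inside any `window`-long span."""
    failures = defaultdict(list)  # source ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["result"] == "failed":
            failures[m["src"]].append((parse_ts(m["ts"]), m["user"]))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window forward until it spans at most `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {user for _, user in events[start:end + 1]}
                break
    return flagged

if __name__ == "__main__":
    for src, users in find_bruteforce(SAMPLE_LOG).items():
        print(f"possible brute force from {src}: usernames tried {sorted(users)}")
```

A single failed login from the LAN address is not reported; only the WAN-side source that cycles through several usernames in seconds is, which is also the case where guideline 1 (no WAN-exposed admin interface) would have prevented the attempts altogether.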

Security Audit tool of the month: sqlmap

One of the most common and dangerous classes of web application vulnerability revolves around unsafe SQL (Structured Query Language) handling in applications. SQL injection is a type of security exploit in which the attacker inserts SQL code into a Web form input box to gain access to resources or make changes to data.

Successful SQL injection attempts can cause an attacker to not only steal data from a database, but also modify and/or delete it. Certain SQL Servers may also contain Stored and Extended Procedures (database server functions). If an attacker can obtain access to these Procedures it may be possible to compromise the entire system and through it, access other systems on the network.

Testing for SQL injection vulnerabilities is often a tedious and labor-intensive process. Sqlmap is a powerful tool that aids in this testing. Currently at version 0.7 release candidate 1, sqlmap is a command-line automatic SQL injection tool developed in Python.

Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to retrieve remote DBMS databases, user names, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.

sqlmap implements multiple techniques to detect and exploit a SQL injection vulnerability: inferential blind SQL injection (also known as boolean-based blind SQL injection), UNION query (inband) SQL injection (also known as full UNION query SQL injection), and batched (stacked) queries support (also known as multiple statements support).

In addition to the common input sources, the tool can also test cookies. Since many applications store their session information using a cookie, this is a common practice during SQL injection attempts — one that most penetration tests often overlook.

Sqlmap excels more at exploiting an identified SQL injection vulnerability than finding it. Even with the high degree of automation, it still takes some time to identify vulnerabilities and requires some knowledge of SQL injection techniques.

The latest version of sqlmap is available at SourceForge. For information on preventing SQL injection vulnerabilities, refer to this cheat sheet.

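The cookie case called out above is worth seeing in code. The following is an added example, not code from the original post or from sqlmap: the same session-cookie lookup written the unsafe way and the parameterized way, run against an in-memory SQLite table so it works offline. The table, its rows and the cookie values are constructed for the example.

```python
import sqlite3

def make_db():
    # Constructed schema and rows: a session table keyed by the cookie token.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (token TEXT, username TEXT)")
    db.executemany("INSERT INTO sessions VALUES (?, ?)",
                   [("a1b2c3", "alice"), ("d4e5f6", "bob")])
    return db

def lookup_unsafe(db, cookie_token):
    # Vulnerable form: the cookie value is spliced into the SQL text, so a
    # crafted Cookie header alters the query itself rather than just a value.
    sql = f"SELECT username FROM sessions WHERE token = '{cookie_token}'"
    return [row[0] for row in db.execute(sql)]

def lookup_safe(db, cookie_token):
    # Hardened form: a bound parameter is handed to the engine separately from
    # the statement, so the same input is compared literally and matches nothing.
    sql = "SELECT username FROM sessions WHERE token = ?"
    return [row[0] for row in db.execute(sql, (cookie_token,))]

if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"  # the kind of test value an injection scanner sends
    print("unsafe:", lookup_unsafe(db, "a1b2c3"), lookup_unsafe(db, tautology))
    print("safe:  ", lookup_safe(db, "a1b2c3"), lookup_safe(db, tautology))
```

With the tautology in the cookie, the unsafe lookup returns every session in the table while the parameterized one returns none, which is exactly the difference a scanner such as sqlmap is probing for.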

Jobberbase – the open source job board reviewed

This week, we have been looking at the open source job board application jobberbase. Originally derived from the successful Romanian IT job board jobber.ro, the current version (ver 1.6) of this job board package is very flexible and leverages Smarty templates for customization. Head over to www.jobberbase.org for a standard jobberbase installation example.

Jobberbase’s main features are:

  • Allows job posts with a simple one time e-mail verification
  • Allows applying to jobs without requiring an account
  • Browse / search based on type (full-time / part-time), category (e.g. Programmer) and location of jobs
  • RSS feeds of latest jobs
  • Counter indicating the number of applicants for each posted job
  • Clean and crisp UI
  • Admin control panel for maintaining jobs & stats

Resolving WordPress memory exhaustion

Here are some tips for curing the memory allocation errors WordPress users may see from various modules when they try to edit, preview or publish a post:

“Fatal error: Allowed memory size of 16777216 bytes exhausted (tried to allocate 500001 bytes)…”

The PHP memory limit can be increased in several ways.

1. The server-wide PHP memory limit can be increased via php.ini or similar; this requires your hosting service partner’s help.
2. Easier solutions are either to

a. add the line php_value memory_limit 32M to your .htaccess file, or

b. add the line define('WP_MEMORY_LIMIT', '32M'); to the wp-config.php file in your WordPress installation folder.

Note: .htaccess, if it exists (in your root Web folder), is usually a hidden file. You may need to turn on the “show hidden files” option in your FTP client to see it.