Google shares malware samples with hacked site admins

google-logo

Google has rolled out a feature that provides webmasters of compromised sites with samples of malicious code and other detailed information to help them clean up.

The search giant has long scanned websites for malware while indexing the world wide web. When it detects outbreaks, it includes language in search results that warns the site may be harmful and passes that information along so the Google Chrome, Mozilla Firefox, and Apple Safari browsers can more prominently warn users. Google also provides administrators a private list of infected pages so they can be cleaned up.

Now, Google will give additional detail by offering samples of malicious code that criminal hackers may have injected into a website. In some cases, the service will also identify the underlying cause of the malicious code. Admins of compromised websites will get the information automatically when logging in to Google’s Webmaster Tools.

“While it is important to protect users, we also know that most of these sites are not intentionally distributing malware,” Google’s Lucas Ballard wrote here in announcing the new feature. “We understand the frustration of webmasters whose sites have been compromised without their knowledge and who discover that their site has been flagged.”

Over the past few years, a variety of studies have concluded that the majority of malware being foisted on web surfers comes from legitimate sites that have been compromised. Web applications that don’t properly vet text entered into search boxes and other website fields is one of the chief causes. Sloppy password hygiene by webmasters and compromises of website administration tools are two others.

The new feature will allow webmasters to view the the malicious javascript, HTML, or Adobe Flash that has been injected in to a site and provide the exact URL where it’s found. Ballard cautioned the information should be considered a starting point in the process of cleaning the sullied site.

“If the underlying vulnerability is not identified and patched, it is likely that the site will be compromised again,” he said.

Source:  TheRegister

Nat Probe

lan

This little, but very usefull program, try to sends ICMP packet out the LAN, and detect all the host that allow it. Whit this you can find bugs in your (“company’s”) network ( or others), for example hosts that allow p2p connections.

Explanation
When we use a Gateway, we send the packets with IP dest of the target, but the dest mac on the Ethernet is the mac at the Gateway. If we send a packet to the different macs in the LAN, we can know who is the gateway when we receive an response from this mac.
Some times we can discover more than one box configured to be an gateway, generally, this is an wrong configuration, and the box will response with an ICMP-Redirect. This is the same, because the script only verify if the mac response.

Source: http://code.google.com/p/natprobe/

HITB Malaysia 2009 and sandboxing

No time for details at the moment, but I’m just back from HITB Malaysia and a great time was had by all! The hospitality and warmth of the organizing crew surpassed anything I’ve ever encountered before.I presented with my colleague Julien Tinnes. See …

No time for details at the moment, but I'm just back from HITB Malaysia and a great time was had by all! The hospitality and warmth of the organizing crew surpassed anything I've ever encountered before.

I presented with my colleague Julien Tinnes. See awesome blog:

http://blog.cr0.org/

We presented on various intriguing aspects of sandboxing on Linux, covering vsftpd and Chromium as test cases. Our slides are located here:

Security in Depth for Linux Software

As per other presentations, I'll leave it at that for now and follow up with a mini series of posts for the more interesting points. I think vsftpd is well covered by previous posts, but Chromium on Linux is awesome and its built-in sandboxing deserves a few notes.

ESXi 3.5 and SSH

vmware

ESXi 3.5 does ship with the ability to run SSH, but this is disabled by default (and is not supported). If you just need to access the console of ESXi, then you only need to perform steps 1 – 3.

  1. At the console of the ESXi host, press ALT-F1 to access the console window.
  2. Enter unsupported in the console and then press Enter. You will not see the text you type in.
  3. If you typed in unsupported correctly, you will see the Tech Support Mode warning and a password prompt. Enter the password for the root login.
  4. You should then see the prompt of ~ #. Edit the file inetd.conf (enter the command vi /etc/inetd.conf).
  5. Find the line that begins with #ssh and remove the #. Then save the file. If you’re new to using vi, then move the cursor down to #ssh line and then press the Insert key. Move the cursor over one space and then hit backspace to delete the #. Then press ESC and type in :wq to save the file and exit vi. If you make a mistake, you can press the ESC key and then type it :q! to quit vi without saving the file.
  6. Once you’ve closed the vi editor, run the command /sbin/services.sh restart to restart the management services. You’ll now be able to connect to the ESXi host with a SSH client.

Update for ESXi 3.5 Update 2 – With Update 2 the service.sh command no longer restarts the inetd process which enables SSH access. You can either restart your host or run ps | grep inetd to determine the process ID for the inetd process. The output of the command will be something like 1299 1299 busybox      inetd, and the process ID is 1299. Then run kill -HUP <process_id> (kill -HUP 1299 in this example) and you’ll then be able to access the host via SSH.