
Jason Cooper (Dedicated Members; 520 posts; 8 days won)

Everything posted by Jason Cooper

  1. Did I miss something? It looked to me that the password is passed to the php script as part of the query string (in the "pass" parameter) and then repeatedly hashed with md5 10,000 times. $h=$_REQUEST[pass]; for($i=0;$i<10000;$i++) $h=md5($h,1); In theory it could be possible to attack it at this line $h=md5($h,1);$e=pack("I",4336671913-unpack("I",$h)[1]).pack("S",86171-unpack("S",$h)[1]); if you can find a value that when used in that line as $h results in a valid method of executing some php code then I suspect that you would have found the value of $h at that point, and from there it would be quite easy to work out the rest of it (with the exception of the actual password which would still require some form of dictionary/brute force attack, or simply snatching it from a real request from the attacker).
  2. Given that the I option of unpack is machine dependent for size and byte order, not only could 32-bit vs 64-bit be a problem, but the endianness of the machine's architecture could potentially cause problems too. Looking through the logic, there is a great use of hashes to protect the password. One option to tackle this would be to knock up some code to do a dictionary/brute force attack. This would be difficult as you would need to do quite a bit of computation to check the validity of each hash before discarding it. A better option would be to simply replace the php code with some that takes the parameters passed to it and stores them in a file. Then it would just be a matter of waiting for the attacker to try to use the script, at which point you would have their password and their attempted command, which would make it quite easy to finish the deobfuscation.
  3. First thing to do would be figuring out how they are DOSing you: is it over the wireless (which unless they live in range is almost impossible for a noob to keep up), or are they DOSing your broadband connection from over the internet? If they are attacking your wireless then the easiest way could be to switch away from wireless for a while (till they get bored). A cat 5e network cable would let you connect your machine directly to the switch in your router. If you have a number of machines located around the house that need to connect then you could also invest in some homeplug adapters, which will let you run your network over your house electrics. Actually I prefer them over wireless for stationary devices as this then leaves your wireless network free for your mobile devices. If they are DOSing your broadband connection then you could just see if you can get a new IP. If your router doesn't have an option to release your IP then switching off your router for a while and then turning it back on could achieve this. Of course if the noob gets your new IP and starts another attack then you will be back in the same place.
  4. A Russian phone socket will be either a RJ11 or a WT-4. If you are going to be using it in different locations then you will want to get an adaptor rather than take the risk of being stuck not being able to connect.
  5. If you already have a public/private key pair then you just need to take your public key and add it to the authorized_keys file on your pineapple (assuming you are wanting to connect from your machine to the pineapple). If you don't already have a key pair, or if you have a specific reason for wanting to use a different key pair to usual (plausible deniability?), then you can generate one using PuTTY's key generator or OpenSSH's ssh-keygen program. One thing you should know before doing this is that you need to get the permissions correct on the files on the pineapple (700 for the .ssh directory and 600 on the authorized_keys file). Also if you have your keys in the PuTTY format then you will want to open it with PuTTY's key generator program and cut and paste the public key from the box at the top (entitled "Public key for pasting into OpenSSH authorized_keys file") as this will be in the correct format.
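As an added illustration of the steps in the post above (this is not the poster's code): the script below takes a public key either as the one-line OpenSSH form from PuTTYgen's top box or as the "---- BEGIN SSH2 PUBLIC KEY ----" file PuTTYgen's "Save public key" button writes (RFC 4716 format), converts the latter to the OpenSSH line, appends it to `authorized_keys` exactly once, and forces the 0700/0600 permissions the post describes. The key material in `constructed_rfc4716_key` is made up for the demonstration and is not a usable key; the home directory is a parameter so nothing on the real system is touched.

```python
"""Added example (not the forum poster's code): normalise a PuTTY-exported
public key to OpenSSH form, install it into ~/.ssh/authorized_keys once, and
apply the permissions sshd insists on (0700 on .ssh, 0600 on authorized_keys).

RFC 4716 files wrap the same wire-format key blob that OpenSSH puts after the
key type on its one-line form; the key type is the first length-prefixed
string inside that blob, so no key-type table is needed."""
import base64
import os
import struct
import tempfile
from pathlib import Path
from typing import Tuple


def rfc4716_to_openssh(text: str) -> str:
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY ----"):
        raise ValueError("not an RFC 4716 public key")
    comment, body = "", []
    it = iter(lines[1:])
    for line in it:
        if line.startswith("---- END"):
            break
        if ":" in line and not body:          # header field, e.g. Comment: "..."
            key, _, val = line.partition(":")
            while val.endswith("\\"):         # RFC 4716 header continuation
                val = val[:-1] + next(it)
            if key.strip().lower() == "comment":
                comment = val.strip().strip('"')
            continue
        body.append(line)
    blob = base64.b64decode("".join(body), validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    key_type = blob[4:4 + n].decode("ascii")
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}".rstrip()


def normalise_public_key(text: str) -> str:
    """Accept either format; reject anything that is not a public key line."""
    text = text.strip()
    if text.startswith("---- BEGIN SSH2"):
        return rfc4716_to_openssh(text)
    parts = text.split()
    if len(parts) < 2 or not parts[0].startswith(("ssh-", "ecdsa-", "sk-")):
        raise ValueError("not an OpenSSH public key line")
    base64.b64decode(parts[1], validate=True)  # fail early on a mangled paste
    return " ".join(parts)


def install_authorized_key(home: Path, pubkey: str) -> bool:
    """Append the key if absent and return True when it was added.  Permissions
    are (re)applied every time: with StrictModes (the default) sshd silently
    ignores authorized_keys if the file or directory is too open."""
    line = normalise_public_key(pubkey)
    ssh_dir = home / ".ssh"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    ak = ssh_dir / "authorized_keys"
    existing = ak.read_text().splitlines() if ak.exists() else []
    # match on type + blob only, so a different comment does not duplicate the key
    present = any(e.split()[:2] == line.split()[:2] for e in existing if e.split())
    if not present:
        fd = os.open(ak, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a") as fh:
            fh.write(line + "\n")
    os.chmod(ak, 0o600)
    return not present


def permissions_ok(home: Path) -> bool:
    def mode(p: Path) -> int:
        return os.stat(p).st_mode & 0o777
    return mode(home / ".ssh") == 0o700 and mode(home / ".ssh" / "authorized_keys") == 0o600


def constructed_rfc4716_key() -> Tuple[str, str]:
    """A made-up ed25519-shaped blob (NOT a real key) framed the way PuTTYgen's
    'Save public key' writes it, plus the OpenSSH line it should become."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(range(32))
    b64 = base64.b64encode(blob).decode()
    text = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            'Comment: "pineapple access"\n'
            f"{b64}\n"
            "---- END SSH2 PUBLIC KEY ----\n")
    return text, f"ssh-ed25519 {b64} pineapple access"


def demo() -> dict:
    """Install the constructed key twice (both formats) into a throwaway home."""
    text, expected = constructed_rfc4716_key()
    with tempfile.TemporaryDirectory() as d:
        home = Path(d)
        first = install_authorized_key(home, text)
        second = install_authorized_key(home, expected)   # same key, OpenSSH form
        lines = (home / ".ssh" / "authorized_keys").read_text().splitlines()
        return {"converted": rfc4716_to_openssh(text) == expected,
                "added_first": first, "added_second": second,
                "lines": len(lines), "perms_ok": permissions_ok(home)}


if __name__ == "__main__":
    print(demo())
```

On the pineapple itself the same effect comes from `mkdir -p ~/.ssh && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys` after pasting the line; the script's only extra is refusing a key that is not in OpenSSH form, which is the usual cause of "it still asks for a password".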
  6. Have you ssh'd to any other machines from your pineapple? If not then an empty /root/.ssh directory isn't a problem as you won't have any known hosts. If you have ssh'd to another system from root on your pineapple and you don't have a known hosts file then I would suggest that you start investigating further as that is a big security risk (known hosts is there to make you aware that something has changed at the host you are connecting to, a possible sign of a man-in-the-middle attack).
  7. Another advantage of using virtual machines is that you can experiment with a number of different OSs without having to have lots of partitions or risk overwriting your existing OSs when installing (trust me, you don't want to find out that the installer for an OS repartitions your disk without asking in a live install with other OSs on the disk). Also your i3 has 2 cores with multi-threading, which would let you comfortably run a virtual machine along with your host OS.
  8. Using keys with a good long passphrase is good practice for securing ssh and using ssh requiring keys to provide remote access to a server for those people with logins on the server is also good practice. On the other hand it isn't good practice for providing third-parties with limited access to services (It is possible to limit access for users but maintaining the list of what they should be able to access and what they shouldn't gets very difficult to maintain as the number of users increases.). If you want to give your friends access to a single directory of files to download from then you don't want to give them access to a shell on your server, or the ability to set up their own tunnels, or even access to your internal networks. These risks are easy to avoid by using a different method to access the download directory. Also it makes it a lot easier for your friends to access. Some people find the concept of ssh keys, passphrases and ssh/scp/sftp very difficult to understand, but they use a web browser every day. Really it is a case of finding the best way to provide the service required to the users required, you will probably find that ssh is the best option for yourself, but you won't want to give others ssh access.
  9. This is a good point, it is very easy for those of us who deal with Apache and use it to make systems available publicly to forget that while it is a very stable and secure web server, like most systems it is easy for a beginner to make mistakes and open themselves up. From a security point of view, the best thing to do when starting to learn about using and configuring Apache is to keep your configuration simple. Don't overreach yourself: decide the task you want it to do and set it up for just that. In the case of serving files, remove the configuration for all the other folders that usually get set up in the default configuration for Apache (e.g. cgi-bin, icons, manual). Once you have just the one location being served out then concentrate on setting up your security (set up SSL and your authentication). Once you have it running and you are convinced it is secure then you can put in your port forward on your router and access it from the internet (port forward a high port as it is less likely to be stumbled across by others, and ISPs quite often block incoming connections to ports 80 and 443). Running any service that is accessible directly from the internet will increase the potential for your network to be broken into, you just have to ask yourself if the risk is worth the benefit (being able to access some of your files from outside of the network).
  10. If it is purely downloading of files that you are interested in then you could just run apache on the machine and serve the directory containing your files through that. You can do authentication against local passwords added to a .htpasswd file or if you have any authentication services running in your environment (AD, LDAP, Kerberos, etc.) then you can configure it to use those for authentication. Just make sure you configure the server to only serve out over TLS/SSL so that you have encryption. The only difficult situation that you may have is if your server doesn't have a consistent hostname then you may not be able to get an SSL certificate signed by one of the usual CAs and either have to go with a self-signed certificate or generate your own CA certificate that you install on those machines you wish to connect to your server. The easiest way is with a self-signed certificate but you will have to either have a note of the SHA1 hash of the certificate or have it memorised to make sure that you don't get caught in a man-in-the-middle attack.
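The two posts above describe one configuration: a single directory served over TLS only, Basic authentication against an htpasswd file, none of the default cgi-bin/icons/manual locations, and a high port forwarded from the router. The fragment below is an added example of that configuration, not the poster's own; the hostname, the paths under `/srv/share`, `/etc/ssl/share` and `/etc/apache2`, and the Debian-style `${APACHE_LOG_DIR}` variable are assumptions, and `mod_ssl`, `mod_auth_basic` and `mod_autoindex` are assumed to be loaded. Create the user file with `htpasswd -B -c /etc/apache2/share.htpasswd alice`; for the self-signed case, record the fingerprint to compare against the browser's warning with `openssl x509 -in /etc/ssl/share/cert.pem -noout -fingerprint -sha256`.

```apache
# Added example, not the poster's configuration.  Assumed: Apache 2.4, files
# under /srv/share, accounts in /etc/apache2/share.htpasswd, certificate and key
# under /etc/ssl/share/.  This is the only VirtualHost: leave the stock cgi-bin,
# icons and manual snippets disabled so nothing else is reachable.

Listen 8443

<VirtualHost *:8443>
    ServerName share.example.net

    # TLS only: there is deliberately no plain-HTTP listener
    SSLEngine on
    SSLCertificateFile    /etc/ssl/share/cert.pem
    SSLCertificateKeyFile /etc/ssl/share/key.pem
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1

    DocumentRoot /srv/share
    LogLevel warn
    ErrorLog  ${APACHE_LOG_DIR}/share-error.log
    CustomLog ${APACHE_LOG_DIR}/share-access.log combined

    # Deny the whole filesystem by default, then open exactly one directory
    <Directory />
        AllowOverride None
        Require all denied
    </Directory>

    <Directory /srv/share>
        # "Indexes" alone gives the download listing and nothing else:
        # no FollowSymLinks (no escaping the directory), no ExecCGI, no .htaccess
        Options Indexes
        AllowOverride None
        AuthType Basic
        AuthName "Downloads"
        AuthUserFile /etc/apache2/share.htpasswd
        Require valid-user
    </Directory>

    # Never serve dotfiles (a stray copy of the htpasswd file, editor backups)
    <FilesMatch "^\.">
        Require all denied
    </FilesMatch>
</VirtualHost>
```

Check the result from outside before forwarding the port: `apachectl configtest`, then confirm that `http://host:8443/` fails (no plain-HTTP listener) and that `https://host:8443/` prompts for credentials before listing anything.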
  11. Ok, one minor fix: in simplifying the loop I missed altering the start of the counter to 0 (to get the same number of loops). Now one issue that isn't so minor. It appears that the forum is capitalizing one of the variables from $b to $B when it is initially assigned. Interestingly it doesn't always seem to do it, it just alters the last two. At first I thought I had made a mistake but when I went back to the text file that I wrote it in and cut and pasted from, the mistake wasn't there, so I went back and tried to edit the post to correct it but it doesn't want to let that character be lowercase. The final de-obfuscated version should be (assuming the forum lets this through without altering it)

          my($a,$b,$c);
          ($a,$b)=(0,1);
          for($i=0;$i<25;$i++){
              $c=$a+$b;
              $a=$b;
              $b=$c;
              print "$c\n";
          }

      edit: I have now figured it out, the forum was trying to do something with emoticons. If I disable them for the post it works.
  12. OK, deobfuscating the 3rd revision. The starting code is:

          my($a,$b,$c,$r);($a,$b,$c)=f();sub t{$r=caller if eval{ord(71)};};local $d="\xAA\x79\x53\x54\x44\x4f\x55\x54";"\xAA\x79"=~m/ \xAA\x79/;t($&);my @z=('0','5','6','4',rand(10),'0','','3','8','4');$d=~s///;for($i=$z[int(4+(.714287*7))];$i<125;$i=$i+5){$c=$a+=$b; $a=$b;$b=$c;__("\x0A");}sub __{$xz=pop;syswrite $d,"$c$xz"};sub f{return("\x30"+("\x31")*(((1-1)+1)/(1*1)-1)-(int(48*0.020833333))), $b=(int(((ord " ")+1)*("0.0434782" ))),$c="\x5C\x78".(4+("\x2D". 1)).(0),,,,,,,,,,,,,};

      Let's start again by putting in some formatting.

          my($a,$b,$c,$r);
          ($a,$b,$c)=f();
          sub t{
              $r=caller if eval{ord(71)};
          };
          local $d="\xAA\x79\x53\x54\x44\x4f\x55\x54";
          "\xAA\x79"=~m/\xAA\x79/;
          t($&);
          my @z=('0','5','6','4',rand(10),'0','','3','8','4');
          $d=~s///;
          for($i=$z[int(4+(.714287*7))];$i<125;$i=$i+5){
              $c=$a+=$b;
              $a=$b;
              $b=$c;
              __("\x0A");
          }
          sub __{
              $xz=pop;
              syswrite $d,"$c$xz"
          };
          sub f{
              return("\x30"+("\x31")*(((1-1)+1)/(1*1)-1)-(int(48*0.020833333))),$b=(int(((ord " ")+1)*("0.0434782" ))),$c="\x5C\x78".(4+("\x2D". 1)).(0),,,,,,,,,,,,,
          };

      Now let's remove the obfuscated constant in $d. We can evaluate it just like last time:

          perl -e 'print "\xAA\x79\x53\x54\x44\x4f\x55\x54";'

      This time though we see that it contains two odd characters before the constant "STDOUT". Let's look for the next place that $d is used to see if those characters are removed. The next line that $d is used in is

          $d=~s///;

      This is where a bit of obscure Perl knowledge is required. If the pattern in a substitution regular expression is empty then it uses the last pattern used in a match, which in this case is the regular expression in the line

          "\xAA\x79"=~m/\xAA\x79/;

      So it actually substitutes the "\xAA\x79" at the start of $d with nothing, leaving us with "STDOUT". The next place we find $d is in the line

          syswrite $d,"$c$xz"

      which, as we know that $d is "STDOUT", we can replace with a print.

      Just before we tidy up by removing those lines we have decided aren't needed any more, let's look at the single call to the subroutine "t". Its parameter is $&, which is a Perl special variable that refers to the string matched by the last pattern in a regular expression. Looking inside the subroutine we see that it never makes use of its parameter; instead it always sets the global variable $r to "main", as that is the value returned by "caller" when used in this context, and the if statement is checking a constant value so it is always going to be true. As $r is never used elsewhere we can throw the whole of the subroutine away along with the one call to it. This now leaves us with the following code

          my($a,$b,$c);
          ($a,$b,$c)=f();
          my @z=('0','5','6','4',rand(10),'0','','3','8','4');
          for($i=$z[int(4+(.714287*7))];$i<125;$i=$i+5){
              $c=$a+=$b;
              $a=$b;
              $b=$c;
              __("\x0A");
          }
          sub __{
              $xz=pop;
              print "$c$xz"
          };
          sub f{
              return("\x30"+("\x31")*(((1-1)+1)/(1*1)-1)-(int(48*0.020833333))),$b=(int(((ord " ")+1)*("0.0434782" ))),$c="\x5C\x78".(4+("\x2D". 1)).(0),,,,,,,,,,,,,
          };

      We can tackle the for loop in a similar way to last time. As it is still all constants used to calculate the index we can calculate it and then remove the whole array lookup.

          perl -e 'print int(4+(.714287*7))';

      returns the value 9, which is the last entry in the array @z, which is the value 4. So we can replace the initial assignment of $i in the for loop with 4 and throw the @z array away as it isn't used elsewhere. Also, looking at the re-initialisation part of the for loop we can see that it is incrementing in steps of 5, and as $i isn't used elsewhere we can simplify the for loop to loop the same number of times. Which gives us now

          my($a,$b,$c);
          ($a,$b,$c)=f();
          for($i=0;$i<25;$i++){
              $c=$a+=$b;
              $a=$b;
              $b=$c;
              __("\x0A");
          }
          sub __{
              $xz=pop;
              print "$c$xz"
          };
          sub f{
              return("\x30"+("\x31")*(((1-1)+1)/(1*1)-1)-(int(48*0.020833333))),$b=(int(((ord " ")+1)*("0.0434782" ))),$c="\x5C\x78".(4+("\x2D". 1)).(0),,,,,,,,,,,,,
          };

      Now let's look at the double underscore subroutine. It is called in one location and passes a single constant parameter through. We know that we can replace the "\x0A" with the more common "\n", but looking in the subroutine itself we see that all it does is take that parameter, by using the pop command to pop it off the array of parameters passed to the subroutine, and then print out the global variable $c followed by the parameter. Knowing this we can remove the whole double underscore subroutine and replace it with a simple print statement.

          my($a,$b,$c);
          ($a,$b,$c)=f();
          for($i=0;$i<25;$i++){
              $c=$a+=$b;
              $a=$b;
              $b=$c;
              print "$c\n";
          }
          sub f{
              return("\x30"+("\x31")*(((1-1)+1)/(1*1)-1)-(int(48*0.020833333))),$b=(int(((ord " ")+1)*("0.0434782" ))),$c="\x5C\x78".(4+("\x2D". 1)).(0),,,,,,,,,,,,,
          };

      We can remove the subroutine f as we know it simply returns a group of constants to set $a, $b and $c. Looking through the rest of the code we see that the next reference to $c is it being assigned a new value, so we only really need the first two.

          perl -e 'print "\x30"+("\x31")*(((1-1)+1)/(1*1)-1)-(int(48*0.020833333));'
          perl -e 'print (int(((ord " ")+1)*("0.0434782" )));'

      Having evaluated the two constants we need (as 0 and 1) we can remove the f subroutine and the call to it.

          my($a,$b,$c);
          ($a,$b)=(0,1);
          for($i=0;$i<25;$i++){
              $c=$a+=$b;
              $a=$b;
              $b=$c;
              print "$c\n";
          }

      Now we are almost there, but to make it read a little better let's look at the line

          $c=$a+=$b;

      As we can see, the next line assigns a new value to $a so we don't need to use the "+=" operator, we can just use "+" instead. This now leaves us with

          my($a,$b,$c);
          ($a,$b)=(0,1);
          for($i=0;$i<25;$i++){
              $c=$a+$b;
              $a=$b;
              $b=$c;
              print "$c\n";
          }

      This seems a reasonable place to stop as we can now clearly see what the code does.
  13. For those that need a bit of practice with deobfuscation, let's work through it for the first post. The original looks like:

          my($a, $b, $c);($a,$b,$c) = floor();local $d= "\x53\x54\x44\x4f\x55\x54";my @z=('0','5','6','4',rand(10),'0','','3','8','4'); for($i=$z[int(4+(.714287*7))];$i<25;$i++){$c= $a+$b ;$a=$b;$b=$c;syswrite $d, "$c\x0A";} sub floor{return ("\x30"+ ( "\x31")*(((1-1)+1)/(1*1)) -(int(48*0.020833333))), $b=(int((20+1)*("0.0434782" ) )),$c = "\x".(4 + ("\x2D". 1)).(0),,,,,,,,,,,,,};

      First we will start by fixing the formatting

          my($a, $b, $c);
          ($a,$b,$c) = floor();
          local $d="\x53\x54\x44\x4f\x55\x54";
          my @z=('0','5','6','4',rand(10),'0','','3','8','4');
          for($i=$z[int(4+(.714287*7))];$i<25;$i++){
              $c=$a+$b;
              $a=$b;
              $b=$c;
              syswrite $d,"$c\x0A";
          }
          sub floor{
              return ("\x30"+("\x31")*(((1-1)+1)/(1*1))-(int(48*0.020833333))),$b=(int((20+1)*("0.0434782" ))),$c = "\x".(4+("\x2D". 1)).(0),,,,,,,,,,,,,
          };

      Now let's remove some of the obfuscated constants.

          perl -e 'print "\x53\x54\x44\x4f\x55\x54";'

      Shows that we can replace it with "STDOUT". The only place that $d is used is in the syswrite line, and after reading up on syswrite we see that a write to STDOUT is effectively a print statement, so we can rewrite that line to (replacing the "\x0A" with the more common "\n")

          print "$c\n";

      and throw away the declaration of $d.

          perl -e 'print int(4+(.714287*7));'

      Shows that we can replace it with 9, and we can then replace the whole array lookup with 4. As the z array isn't used anywhere else we can throw it away. We now have the following.

          my($a, $b, $c);
          ($a,$b,$c) = floor();
          for($i=4;$i<25;$i++){
              $c=$a+$b;
              $a=$b;
              $b=$c;
              print "$c\n";
          }
          sub floor{
              return ("\x30"+("\x31")*(((1-1)+1)/(1*1))-(int(48*0.020833333))),$b=(int((20+1)*("0.0434782" ))),$c = "\x".(4+("\x2D". 1)).(0),,,,,,,,,,,,,
          };

      Now let's look at that floor subroutine. We know it returns a tuple of at least 3 elements and we only care about the first three elements (unless we find it is updating global variables). Counting brackets gives us the first three elements which, as they all consist of constants, can be simply evaluated.

          perl -e 'print ("\x30"+("\x31")*(((1-1)+1)/(1*1))-(int(48*0.020833333)));'
          perl -e 'print $b=(int((20+ 1)*("0.0434782" )));'
          perl -e 'print $c = "\x".(4+("\x2D". 1)).(0);'

      Which gives us the values 1, 0 and 30, so we can throw away the whole floor subroutine, which leaves us with

          my($a, $b, $c);
          ($a,$b,$c) = (1,0,30);
          for($i=4;$i<25;$i++){
              $c=$a+$b;
              $a=$b;
              $b=$c;
              print "$c\n";
          }

      Finally $c is only overwritten before it is used, so we can throw the first definition of it away.

          my($a, $b, $c);
          ($a,$b) = (1,0);
          for($i=4;$i<25;$i++){
              $c=$a+$b;
              $a=$b;
              $b=$c;
              print "$c\n";
          }
  14. As it is Perl then there is always more than one way to do it. So here is my one liner (not overly obfuscated so that people have a hope of figuring it out quickly :) )

          @a=(240&15,length(@a)>>length(@a));$_=join(',',map{push(@a,shift(@a)+$a[0]||1);$a[1]}1..100)."\n";print;
  15. As you are learning it because you need to administer it at work then I would suggest using the same distro that you are using at work if you can. If this is RedHat then you can use Fedora or CentOS and avoid having to buy a licence. Fedora would be better for a laptop but CentOS will be a lot closer to the features you will have on RedHat (CentOS is built from RedHat's source while Fedora is where RedHat adds new features and gets them ready for inclusion in their more stable RedHat Enterprise version). If you are having to administer Ubuntu at work then you could use Linux Mint as suggested, or Debian. Linux Mint is derived from Ubuntu which in turn is derived from Debian.
  16. "An internal webserver for a university project so security isn't a issue" sounds like tempting fate to me. :) Personally I would have created a few setuid executables that would make the required changes and then have your CGI scripts call these to do the work that requires root permissions. You could then have your CGI scripts validating your inputs from the web and processing them in to the inputs for your executables. Your executables can then validate the inputs passed to them before processing them. That way someone would have to break through your CGI scripts and then through your setuid executables.
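The post above proposes two layers: a CGI script that validates web input and turns it into arguments for a small setuid helper, and a helper that validates its own arguments again. The following is an added example of the CGI-side layer, not the poster's code. The helper path `/usr/local/libexec/add-user`, the three fields (`username`, `shell`, `quota_mb`) and the limits on them are assumptions chosen to illustrate allow-list validation; the point is that only values that passed the allow-list reach `argv`, the helper is invoked without a shell, and the environment it inherits is fixed rather than copied from the web server.

```python
"""Added example (not the forum poster's code): the CGI-side half of a
two-layer privileged operation.  Every field is allow-listed, the accepted
values are placed into a fixed-order argv for an assumed setuid helper, and
the helper is started with a scrubbed environment and no shell in between."""
import re
import subprocess
from typing import Dict, List

HELPER = "/usr/local/libexec/add-user"          # assumed setuid helper path
USERNAME = re.compile(r"[a-z_][a-z0-9_-]{0,31}")  # conservative login-name syntax
RESERVED = {"root", "daemon", "bin", "sys", "nobody"}
ALLOWED_SHELLS = ("/bin/bash", "/bin/sh", "/usr/sbin/nologin")
MAX_QUOTA_MB = 10240
# The helper gets exactly this environment: nothing from the request (no
# HTTP_*, no PATH chosen by the client, no LD_* variables) leaks through.
CLEAN_ENV = {"PATH": "/usr/bin:/bin", "LANG": "C"}


class BadInput(ValueError):
    """Raised with the offending field name; the CGI turns this into a 400."""


def validate(form: Dict[str, str]) -> Dict[str, str]:
    """Return a canonical copy of the fields we know, rejecting anything else
    by construction (unknown fields are never looked at, let alone forwarded)."""
    user = form.get("username", "")
    if not USERNAME.fullmatch(user) or user in RESERVED:
        raise BadInput("username")
    shell = form.get("shell", "/bin/bash")
    if shell not in ALLOWED_SHELLS:
        raise BadInput("shell")
    quota = form.get("quota_mb", "0")
    if not quota.isdigit() or not 0 <= int(quota) <= MAX_QUOTA_MB:
        raise BadInput("quota_mb")
    return {"username": user, "shell": shell, "quota_mb": str(int(quota))}


def helper_argv(clean: Dict[str, str]) -> List[str]:
    """Positional, fixed-order arguments.  The helper does no option parsing, so
    a value can never be mistaken for a flag, and USERNAME already forbids a
    leading '-' in any case."""
    return [HELPER, clean["username"], clean["shell"], clean["quota_mb"]]


def run_helper(form: Dict[str, str]) -> int:
    """Validate, then exec the helper directly (argv list, shell=False)."""
    argv = helper_argv(validate(form))
    result = subprocess.run(argv, env=CLEAN_ENV, stdin=subprocess.DEVNULL,
                            timeout=30, check=False)
    return result.returncode


if __name__ == "__main__":
    # constructed request, as a CGI would get it after parsing the form
    print(helper_argv(validate({"username": "alice", "quota_mb": "0512"})))
```

The helper on the other side should repeat the same checks on its `argv` (and refuse to run if `argc` is not exactly 4), because the CGI script is the part an attacker can influence first; that is the second layer the post describes.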
  17. Assuming you are using raspbian, can't you just "apt-get install apache2" to install it? Once it has been installed you can then configure as you wish.
  18. Disabling root login completely sounds a very bad idea to me. Disabling remote root login (e.g. via SSH) makes a lot of sense as root is a known username, even stopping root logging into X-Windows makes some sense, but blocking root from logging in sounds like something that you will regret at some point in the future, usually just after discovering that something seriously wrong has happened and stuffed up your own account so much that you can't login. In those situations it is nice to be able to login as root and fix the issues without having to boot up a live CD. Also if your account has enough sudo permissions and sudo isn't configured to require the root password instead of the user's, then I can see how they may think root having the same password isn't any less secure. After all if the attacker has your password they can just login to your account and then run "sudo su -" or some other variation to get a root shell.
  19. Make, model, version and firmware version of the router might help us to advise or suggest suitable material.
  20. A lot of switches and access points will at least give you some options. Find out which ones you can get management data from and which you can't. You might be able to adjust the layout of your network to position those switches you can query for management data so that you can at least narrow down the possibilities. So if you currently have a setup like

          [router] <--------> [Queryable Switch] <--------> [Non-queryable Switch A] <----------> [Non-queryable Switch B]

      you could connect the two non-queryable switches to different interfaces on the Queryable switch.

          [router] <--------> [Queryable Switch] <----------> [Non-queryable Switch A]
                                     ^----------------------------------------------> [Non-queryable Switch B]

      That way if you are looking at bandwidth usage reports you would at least know which of the three switches they were connected to.
  21. When cutting the coax cable for this sort of antenna and you aren't as adept as some at the cutting then try making a jig (a few blocks of wood glued and cut in a way that lets you put a piece of cable in and make the cuts in the correct place and to the correct depth). You will have to turn the cable in the jig 5 or 6 times where you are just trimming bits back or your jig will be very complex. Once you have a jig sorted you can push out the individual lengths of coax cut and trimmed quite quickly and know that the quality will be pretty consistent from piece to piece.
  22. Is it a hard disk or an SSD? Why do I ask? Well, securely erasing files from each is different. For hard disks you have already been given a lot of good advice, but SSDs on the other hand don't necessarily follow the same rules. They have what is referred to as wear levelling (http://en.wikipedia.org/wiki/Wear_leveling). Long story short, you think you have wiped out the entire disk with something like DBAN but you haven't (some contents may be left to reappear later when a memory cell is reused). Best advice here is to use a disk erase tool that uses the ATA Security Erase Unit command. This will only work on ATA disks (but these days that is all you will most likely encounter). It works on SSDs as the firmware will erase all the memory locations on the device in one go (fast!), it will work on hard disks with just two passes and it even physically offsets the heads on both passes to overwrite the edges of the tracks (just in case your attacker has an electron microscope to view the platters with).
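The post above recommends the ATA SECURITY ERASE UNIT command; the usual way to issue it on Linux is `hdparm --user-master u --security-set-pass <pw> /dev/sdX` followed by `hdparm --user-master u --security-erase <pw> /dev/sdX`, and the usual way it fails is that the drive reports its security state as "frozen" (the BIOS freezes it at boot, so the command is rejected until a suspend/resume or hot-plug clears it). The script below is an added example, not from the post: it reads the `Security:` section of `hdparm -I` output and refuses to go ahead unless the feature is supported and the drive is neither enabled (already password-protected), locked, nor frozen. The sample output is constructed to match hdparm's layout, not captured from a real drive, and hdparm's own flag names are used as-is.

```python
"""Added example (not from the post): pre-flight check for an ATA Secure Erase.
Parse the 'Security:' block of `hdparm -I /dev/sdX` and list the reasons, if
any, why `hdparm --security-erase` would be refused or would be a mistake."""
import re
from typing import Dict, List, Optional


def parse_security_section(hdparm_output: str) -> Dict[str, bool]:
    """hdparm prints each state on its own indented line as either the bare
    word ('supported', 'enabled', 'locked', 'frozen') or 'not<TAB>word';
    the enhanced-erase capability appears as 'supported: enhanced erase'."""
    lines = hdparm_output.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("Security:"))
    except StopIteration:
        raise ValueError("no Security section in hdparm -I output")
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    for line in lines[start + 1:]:
        if line and not line[0].isspace():      # next top-level section
            break
        words = line.split()
        if not words:
            continue
        negated = words[0] == "not"
        token = (words[1] if negated else words[0]).rstrip(":")
        if token == "supported" and "enhanced" in words:
            flags["enhanced_erase"] = not negated
        elif token in flags:
            flags[token] = not negated
    return flags


def erase_minutes(hdparm_output: str) -> Optional[int]:
    """The drive's own estimate for SECURITY ERASE UNIT, if it prints one."""
    m = re.search(r"(\d+)min for SECURITY ERASE UNIT", hdparm_output)
    return int(m.group(1)) if m else None


def ready_for_secure_erase(hdparm_output: str) -> List[str]:
    """Empty list means go ahead; otherwise the reasons to stop."""
    f = parse_security_section(hdparm_output)
    problems = []
    if not f["supported"]:
        problems.append("ATA security feature set not supported; use another method")
    if f["enabled"]:
        problems.append("a user password is already set (enabled): the erase needs that password")
    if f["locked"]:
        problems.append("drive is locked: unlock it first")
    if f["frozen"]:
        problems.append("security state is frozen by BIOS/OS: suspend and resume (or hot-plug), then retry")
    return problems


# Constructed sample in hdparm's layout (tabs matter: 'not<TAB>enabled').
SAMPLE_READY = """\
ATA device, with non-removable media
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""
SAMPLE_FROZEN = SAMPLE_READY.replace("\tnot\tfrozen", "\t\tfrozen")

if __name__ == "__main__":
    import subprocess, sys
    dev = sys.argv[1] if len(sys.argv) > 1 else None
    out = subprocess.run(["hdparm", "-I", dev], capture_output=True, text=True).stdout if dev else SAMPLE_READY
    problems = ready_for_secure_erase(out)
    print("\n".join(problems) if problems else f"ready (drive estimates {erase_minutes(out)} min)")
```

Run it as `python3 check_erase.py /dev/sdX` (needs root for `hdparm -I`); with no argument it checks the constructed sample. A drive that is "ready" here should also report `not enabled` again after the erase completes, which is the quick confirmation that the password set for the erase was cleared by the command.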
  23. What are they connected by? Is it a single switch or a number of switches/access points? If it is just switches then check to see what information you can get out of that. Some will keep simple bandwidth counts for each of their interfaces and you could simply query this (either manually or via SNMP if the switch supports it). The big advantage is that you don't need to make any changes to your machines and you are only polling one device for information.
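Both of the switch-related posts above (items 20 and 23) come down to reading per-interface byte counters from a managed switch and turning consecutive readings into a rate per port. The following is an added example, not the poster's code, of that second step with the two gotchas that matter in practice: the classic `ifInOctets`/`ifOutOctets` counters are 32-bit and wrap at 2^32 (under a minute at gigabit speed, so a poll interval of a few minutes can miss a wrap), and a counter that resets when the switch reboots looks like a wrap unless the implied rate is checked against the link speed. The poll data is constructed; the port names and the 1 Gbit/s link speed are assumptions. Where the switch offers the 64-bit `ifHCInOctets`/`ifHCOutOctets` counters, pass `width=COUNTER64`.

```python
"""Added example (not the poster's code): per-port bit rates from successive
readings of IF-MIB octet counters, as obtained by an SNMP walk or from a
switch's status page.  Handles 32-bit counter wrap and discards readings whose
implied rate is impossible for the link, which is what a counter reset after
a reboot looks like."""
from typing import Dict, Iterable, Optional, Tuple

COUNTER32 = 2 ** 32
COUNTER64 = 2 ** 64


def counter_delta(prev: int, cur: int, width: int = COUNTER32) -> int:
    """Octets transferred between two readings, allowing for one wrap."""
    return cur - prev if cur >= prev else cur + width - prev


class PortRates:
    """Keeps the last reading per (port, direction) and yields bits/s."""

    def __init__(self, width: int = COUNTER32, max_bps: float = 1_000_000_000):
        self.width = width
        self.max_bps = max_bps  # link speed; anything above it is not a wrap but a reset
        self.last: Dict[Tuple[str, str], Tuple[float, int]] = {}

    def update(self, port: str, direction: str, ts: float, octets: int) -> Optional[float]:
        key = (port, direction)
        prev = self.last.get(key)
        self.last[key] = (ts, octets)
        if prev is None:
            return None                     # first reading: nothing to diff against
        prev_ts, prev_octets = prev
        dt = ts - prev_ts
        if dt <= 0:
            return None
        bps = counter_delta(prev_octets, octets, self.width) * 8 / dt
        if bps > self.max_bps * 1.05:       # 5% slack for clock jitter
            return None                     # implausible: counter was reset, drop it
        return bps


def rates_from_polls(polls: Iterable[Tuple[float, str, str, int]],
                     width: int = COUNTER32,
                     max_bps: float = 1_000_000_000) -> Dict[Tuple[str, str], float]:
    """polls: (timestamp, port, direction, octets) in time order.
    Returns the most recent valid rate for each (port, direction)."""
    tracker = PortRates(width, max_bps)
    latest: Dict[Tuple[str, str], float] = {}
    for ts, port, direction, octets in polls:
        rate = tracker.update(port, direction, ts, octets)
        if rate is not None:
            latest[(port, direction)] = rate
    return latest


# Constructed polls, 10 s apart: port 1 wraps its 32-bit counter between the
# two readings; port 2's counter drops to near zero, i.e. the switch restarted.
SAMPLE_POLLS = [
    (0.0, "Gi1/0/1", "in", 4294960000), (0.0, "Gi1/0/2", "in", 100000),
    (10.0, "Gi1/0/1", "in", 5000),      (10.0, "Gi1/0/2", "in", 50),
]

if __name__ == "__main__":
    for (port, direction), bps in sorted(rates_from_polls(SAMPLE_POLLS).items()):
        print(f"{port} {direction}: {bps / 1e6:.3f} Mbit/s")
```

Feeding this from a real switch is a matter of polling `IF-MIB::ifInOctets`/`ifOutOctets` (or the HC variants) with `snmpwalk` on a fixed interval and appending `(time, ifDescr, direction, value)` tuples; the port with the largest sustained rate is the one the suspect machine sits behind, which is all the posts above need.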
  24. I'm not saying that this is what happened, but have you considered that your root password stopped working because it was left as the default and someone else logged in and changed it? Really, changing any default password should be the first thing on your list when installing an OS.
  25. As digininja says, start learning SQL injection by hand. Not only will you understand what the tools are doing for you, but you will also be able to make much better use of the tools and also when there is no point trying to use the tool at all.