Valsacar
-
Ah, well I was thinking of a relatively mature organization where all actions are logged in some sort of tracking system (trouble tickets, or the like) where it would be fairly easy to know if it's legit or not. So in the example of psexec, a quick search of the ticket/work log system would tell me that a sysad is working on those systems and therefore it is pretty safe to assume that it's not an attacker. Of course, if it's not in the logs it would require further investigation, but that's kind of the point of this exercise, identify specific log entries that definitely warrant looking into vs those that are pretty benign. For example, if I were to audit logon events (which is a good thing to log, if something comes up later) I wouldn't want to investigate each one, as that would be a huge waste of time and resources. Something like psexec, or 552, would be relatively easy to deconflict if you had a good, centralized, tracking system of all admin type work.
4 replies. Tagged with: mubix, firewall logs (and 1 more)
-
So, I was reading Mubix's blog a little while back and he wrote about how PSEXEC shows up in the event log. It got me thinking, why can't I find a list anywhere of things like that which should be red flags in event, and other, logs? Anyone care to help build such a list? I'm starting off with what Mubix mentioned (though, I'm sure it will get changed later) and another obvious one. Windows Server 2003 Event ID 552 - when someone uses something such as RUNAS, it could be a sysad doing their job or an attacker doing something else, but worth looking into. What other things can we all think of? Assuming a network that has a centralized log management server, so all server (say Windows 2003/2008 and maybe some Linux or Solaris ones) logs can be easily alerted off of, as well as firewall events. Anything that's an obvious red flag (like PSEXEC) or warrants further research.
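As an added example (not the poster's code and not from the thread), here is how the deconfliction step described in the replies above could be scripted against a central log: only Event ID 552 and PsExec entries are pulled out, and each is checked against the work-log for a ticket covering that host, account and time window. The 7045/PSEXESVC pairing, the hostnames, accounts and ticket are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample events: (timestamp, host, event id, account, detail).
# Event ID 552 is the Windows 2003 "logon with explicit credentials" (RUNAS)
# entry from the thread. Treating a PsExec session as a System-log 7045
# "service installed" event whose service is PSEXESVC is this example's
# assumption, not something the thread states.
EVENTS = [
    ("2011-09-12 09:05:00", "FILESRV01", 552, "CORP\\jdoe", "RUNAS as CORP\\admin-jdoe"),
    ("2011-09-12 09:06:10", "FILESRV01", 7045, "CORP\\admin-jdoe", "service PSEXESVC installed"),
    ("2011-09-12 09:07:00", "FILESRV01", 528, "CORP\\jdoe", "interactive logon"),
    ("2011-09-12 23:41:00", "DC02", 7045, "CORP\\svc-backup", "service PSEXESVC installed"),
    ("2011-09-12 23:42:30", "DC02", 552, "CORP\\svc-backup", "RUNAS as CORP\\Administrator"),
]

# Constructed work-log entries: (ticket, host, accounts allowed, start, end).
TICKETS = [
    ("CHG-1042", "FILESRV01", {"CORP\\jdoe", "CORP\\admin-jdoe"},
     "2011-09-12 08:30:00", "2011-09-12 12:00:00"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def is_red_flag(event):
    """Only the two entry types the thread calls out are worth a look."""
    _, _, eid, _, detail = event
    return eid == 552 or (eid == 7045 and "PSEXESVC" in detail)

def covering_ticket(event, tickets):
    """Return the ticket that explains this event, or None."""
    ts, host, _, account, _ = event
    when = parse(ts)
    for ticket, t_host, accounts, start, end in tickets:
        if t_host == host and account in accounts and parse(start) <= when <= parse(end):
            return ticket
    return None

def triage(events, tickets):
    """Map each red-flag event to a verdict; ordinary logons are skipped."""
    verdicts = []
    for event in events:
        if not is_red_flag(event):
            continue
        ticket = covering_ticket(event, tickets)
        verdicts.append((event, f"deconflicted by {ticket}" if ticket else "INVESTIGATE"))
    return verdicts
```

Run `triage(EVENTS, TICKETS)`: the two FILESRV01 entries come back as deconflicted by CHG-1042, the two DC02 entries at 23:41 are left to investigate, and the plain logon never appears.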
-
OMG I want that laptop case...
-
According to that, we can use the 036H as an extender... but I can't get it to recognize it. The extender diagram is actually what I want it to do.
-
That's why the random script deletes the /www/index.html and then builds a symlink to whatever is up next.
-
<HTML><Head><Title>NYAN CAT!!! </Title></Head>
<Body>
<img src="NYAN.gif" width="500" height="350"><br />
<audio controls="controls" autoplay="true" loop="loop">
<source src="/NYAN.mp3" type="audio/mp3" />
</audio>
</Body></HTML>

Adding the loop="loop" will cause it to keep looping instead of playing just once. One thing I don't like is seeing the audio controls, but I haven't found a way to remove them. Also, have you tested this on Firefox? From what I've read, Firefox does not support MP3 in HTML5. Adding an OGG to the source list SHOULD let it work on all, but so far I have not gotten that to work (Ubuntu).

For fun, I made up a little script to randomly change between all of the different rick rolls that have been posted (pbj, nyan, and rick). First move all of your stuff to USB; I made a folder called webfun: /usb/webfun/rick, pbj, and nyan. Add a symlink to each folder from /www (i.e. /www/rick, /www/pbj, etc.). Then create the following script (I put it in /root and called it random.sh):

#!/bin/bash
# Read the number piped in from the cron job and reduce it to 0-2
read RAND
RAND=$(($RAND % 3))
# Make sure the index file exists before removing it (see note below)
touch /www/index.html
rm /www/index.html
# Point /www/index.html at whichever page was picked
case $RAND in
0) ln -s /usb/webfun/pbj/index.html /www/index.html ;;
1) ln -s /usb/webfun/nyan/index.html /www/index.html ;;
2) ln -s /usb/webfun/rick/index.html /www/index.html ;;
esac

Be sure to chmod +x random.sh. The reason for the touch is that I had an issue where somehow the index file was gone and the thing just liked to complain about it, so touch first to make sure it's there to delete. Then in your Jobs tab, add this line to your crontab:

*/5 * * * * dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/random.sh

End result is that every 5 minutes it changes (randomly) which of the three ones shows up... just for a little added amusement. The part in crontab is what makes the random number; I couldn't find any other way to do random as the normal bash random feature isn't present... basically what it does is take one byte from urandom, then turn it into a decimal number (0-255); the first few lines of random.sh use mod to bring that down to 0-2 (3 possibilities).
-
I found something like that, but it's even better. The cable splits between the Type M connector (the power) and a female USB, so I don't lose the port. I can't put anything powered on it (pineapple can't draw enough if I do) but I can still use it for something like a USB key. Since my laptop only has 2 USB ports, it's really useful.
-
Thanks, I just finished my script that will randomly flip between the three every 5 minutes... random fun!
-
From what I understand from reading and playing with things, it's the uci that's causing a lot of the problems. /etc/config/wireless tells it how things should be, and if there is a conflict it either stops working (as has happened when you change MAC) or it reverts back to what it thinks it should be. Changing that config file and doing a uci commit wireless;wifi will solve most... well, I think I forgot to mention that before: when you do the change to /etc/config/wireless you do have to do uci commit wireless before it takes effect (but I'm 95% sure reboot would also work).
-
Did you try doing just changemac.sh manually to see if the MAC change is going through? Or try manually running the line from your boot script: dd if=/dev/urandom bs=1 count=1 | hexdump -e '5/1 "%1d"' | /root/changemac.sh and make sure that is in there right and doing as expected (waiting up to 15 seconds, then doing the MAC change).
-
You could always add one by editing the index.php page appropriately. Of course, that will only last until you upgrade firmware.
-
I had that same problem, but disabling no script for that "site" worked fine (pops up at the bottom of the page).
-
1. Yes, edit the appropriate line in /etc/config/wireless (the one that sets essid to pineapple).
2. The log is just that, a log; it shows what has happened, not what is currently happening.
3. Not sure, I use a laptop... look at the wp4.sh script, should be able to use that as a starting point.
4. Gateway is the door to the internet, so it would be your phone. No clue on sharing the SD card on the phone... but my guess is no.
-
Even with the change to /etc/config/wireless and running wifi after bringing wlan0 back up it still doesn't work?