I always cringe when I hear people telling others to ‘just accept the certificate’ when their browser warns them that it is invalid, so I’m going to attempt to use a Billy Joel song and an old TV commercial asking if you’ve ‘ever hired a movie that just wasn’t quite ‘right’, to attempt to explain what browser certificate warnings actually mean and why accepting an invalid certificate could cast rather a gloom over the evening. Continue Reading

To analyse the cna12 MySQL attacks, I had to install MySQL Express Server as the attacks were prematurely exiting when connecting to Dionaea. Extracting the binary files from the libpcap files was annoying, so I decided to change Dionaea so that it would automatically extract the binary files used in the cna12 attacks. Continue Reading

Sometimes in life you find yourself wanting to have a quiet afternoon in front of a computer, extracting login credentials and SQL commands from captured MS-SQL TCP connections. Other times you may find yourself needing to do so to analyse some MS-SQL attacks. Whatever your reason, this post explains how to use my parsetds.py script to extract such information.

Continue Reading

Certain memory conditions have to be met before malware can unpack code and run it — the memory has to be writeable to unpack code to it, and executable to be able to execute it. The question is, can we use Win32 API calls to detect malware creating these conditions, and subsequently not only detect and identify unpacked code, but also find the original entry point? Continue Reading

This post explains some measures that you can take to prevent the MySQL cna12.dll attacks from infecting your MySQL server. It follows on from a previous post which explains the attacks. If you find that a cna12.dll file or a piress user account keep reappearing on your MySQL server, then read on. Continue Reading