To analyse the cna12 MySQL attacks, I had to install MySQL Express Server as the attacks were prematurely exiting when connecting to Dionaea. Extracting the binary files from the libpcap files was annoying, so I decided to change Dionaea so that it would automatically extract the binary files used in the cna12 attacks. Continue Reading
What do you do when you notice MS-SQL connections topping the list of top ten destination ports hitting your honeynet? You install an MS-SQL server, give the sa user a week password, and see what happens of course (don’t try this at home). Continue Reading
Sometimes in life you find yourself wanting to have a quiet afternoon in front of a computer, extracting login credentials and SQL commands from captured MS-SQL TCP connections. Other times you may find yourself needing to do so to analyse some MS-SQL attacks. Whatever your reason, this post explains how to use my parsetds.py script to extract such information.
‘Remember the days of the old school yard?’ Or rather of the old school computer lab. Now that I’ve got this blog thing going, I couldn’t let the 06th of March go by without reminiscing about the Michelangelo virus, and rambling on about viruses ‘back when I was a lad’. Continue Reading
Certain memory conditions have to be met before malware can unpack code and run it — the memory has to be writeable to unpack code to it, and executable to be able to execute it. The question is, can we use Win32 API calls to detect malware creating these conditions, and subsequently not only detect and identify unpacked code, but also find the original entry point? Continue Reading
This post explains some measures that you can take to prevent the MySQL cna12.dll attacks from infecting your MySQL server. It follows on from a previous post which explains the attacks. If you find that a cna12.dll file or a piress user account keep reappearing on your MySQL server, then read on. Continue Reading
Since attacks often involve trying to run a shell on a remote host, usually by exploiting a vulnerability in a network service, why don’t we get the shell to log some pertinent information when it starts up. Information that will both alert us to the fact, and identify which potentially compromised process started it. Continue Reading
