What do you do when you notice MS-SQL connections topping the list of top ten destination ports hitting your honeynet? You install an MS-SQL server, give the sa user a week password, and see what happens of course (don’t try this at home). Continue Reading
Archives
All posts by karl
Sometimes in life you find yourself wanting to have a quiet afternoon in front of a computer, extracting login credentials and SQL commands from captured MS-SQL TCP connections. Other times you may find yourself needing to do so to analyse some MS-SQL attacks. Whatever your reason, this post explains how to use my parsetds.py script to extract such information.
‘Remember the days of the old school yard?’ Or rather of the old school computer lab. Now that I’ve got this blog thing going, I couldn’t let the 06th of March go by without reminiscing about the Michelangelo virus, and rambling on about viruses ‘back when I was a lad’. Continue Reading
Certain memory conditions have to be met before malware can unpack code and run it — the memory has to be writeable to unpack code to it, and executable to be able to execute it. The question is, can we use Win32 API calls to detect malware creating these conditions, and subsequently not only detect and identify unpacked code, but also find the original entry point? Continue Reading
This post explains some measures that you can take to prevent the MySQL cna12.dll attacks from infecting your MySQL server. It follows on from a previous post which explains the attacks. If you find that a cna12.dll file or a piress user account keep reappearing on your MySQL server, then read on. Continue Reading
Since attacks often involve trying to run a shell on a remote host, usually by exploiting a vulnerability in a network service, why don’t we get the shell to log some pertinent information when it starts up. Information that will both alert us to the fact, and identify which potentially compromised process started it. Continue Reading
Have you, or your anti-virus software, noticed a file called ‘cna12.dll’ on your computer? Have you suddenly found that you have an imaginary friend called ‘piress’ whom you didn’t know about? If so, you may have fallen victim to a MySQL attack (and ‘piress’ may not be so imaginary, nor friendly for that matter). Continue Reading
Seeing an increase in MySQL attacks hitting your network and interested in knowing more about them? This post finishes the dynamic analysis and, for those who wish I’d hurry up and get to the point, contains the conclusion. This post is long, but a lot of it is log output. Continue Reading
Seeing an increase in MySQL attacks hitting your network and interested in knowing more about them? This post follows on from the previous post which discussed how to run a Cuckoo Sandbox analysis of a MySQL attack.
This post starts analysing the results and notices an issue with a particular malware trait and Cuckoo (v0.4.2). Awfully gripping stuff — I was on the edge of my seat, but then that could be because my table was too far away from my chair. Continue Reading
Seeing an increase in MySQL attacks hitting your network and interested in knowing more about them? This post discusses how to run the attack within the Cuckoo Sandbox. Subsequent posts will analyse the results.