20. September 2007 23:15
Every once in a while I receive a request to look at a crash dump file. I always like a good challenge and a break from my usual work. The tool I use for basic analysis is Microsoft WinDbg.
3: kd> !analyze -v <- First command that I usually use
** Bugcheck Analysis ** ************************************************************
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1) <- Error also reported on "Blue Screen"
An attempt was made to access a pageable (or completely invalid) address at an interrupt request level (IRQL) that is too high. This is usually caused by drivers using improper addresses.
If kernel debugger is available get stack backtrace.
Arg1: 0000000c, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f6287cea, address which referenced memory
f6287cea 83671c00 and dword ptr [edi+0x1c],0x0
LAST_CONTROL_TRANSFER: from f6287cea to 80836de5
f78bec84 f6287cea badb0d00 00000000 85d10470 nt!KiTrap0E+0x2a7
f78bed18 f628e5ac 00000000 fbd60618 f7d29800 tcpip!IpTerminateOffload+0x9b
f78bed30 f78bed30 fbd60618 00000002 00000000 tcpip!TcpInitiateUpload+0x8d
f78bed58 f628d634 fbd60618 00000002 891a87d4 tcpip!OlmNotifyUploadIndicate+0x60
f78bed6c f71fafbd f7d29824 00000003 00000009 tcpip!TcpOffloadEventHandler+0x5b
f78bed80 f76a07ef f7d29824 00000003 00000009 NDIS!NdisMTcpOffloadEventIndicate+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
f78beda0 f72d4196 891a87d4 898ff708 00000000 bxnd52x+0x97ef <- File named bxnd52x.sys
f78bedc0 f72d4880 00000000 00000000 8914d9c0 bxvbdx+0x10196
f78bedd4 f72da925 89b1f004 839364a8 00000000 bxvbdx+0x10880
f78bedf4 f72daa95 89b1f004 f78bee54 00000001 bxvbdx+0x16925
f78bee18 f72dab3e 89b1f004 f78bee54 00000001 bxvbdx+0x16a95
f78bee3c f72dabc6 89b1f004 89b20d08 000012b2 bxvbdx+0x16b3e
f78bef54 f72c9be3 00000000 00000007 f72ca338 bxvbdx+0x16bc6
f78bef80 f72ca4ac f7737a40 89b203b0 f72ca41c bxvbdx+0x5be3
f78bef9c 8083d99a 89b203b0 89b1f004 00000001 bxvbdx+0x64ac
f78beff4 80839833 f535cd10 00000000 00000000 nt!KiRetireDpcList+0xca
f78beff8 f535cd10 00000000 00000000 00000000 nt!KiDispatchInterrupt+0x37
80839833 00000000 0000000a 0083850f bb830000 0xf535cd10
f76a07ef 85ff test edi,edi
IMAGE_NAME: bxnd52x.sys <- File name (driver) that most likely caused the computer to crash
3: kd> lmvm bxnd52x <- this command gives us more information on the file bxnd52x.sys
start end module name
f7697000 f76a7000 bxnd52x (no symbols)
Loaded symbol image file: bxnd52x.sys
Image path: \SystemRoot\system32\DRIVERS\bxnd52x.sys
Image name: bxnd52x.sys
Timestamp: Fri Jun 30 18:41:42 2006 (44A55446) <- driver build date (it looks a bit old -- more than 1 year)
CheckSum: 00013D96 ImageSize: 00010000
Translations: 0000.04b0 0000.04e0 0409.04b0 0409.04e0
Googling the file name bxnd52x.sys reveals that this is a Broadcom NIC (Network Interface Card) driver. In this case it shipped with the HP NC373i Multifunction Gigabit Server Adapter. At the time of writing, the latest driver for this NIC available from HP was released in July 2007 (v. 126.96.36.199).
While doing this research on Google, I noticed that there were a lot of servers with this error, especially servers that were updated to Windows Server 2003 SP2.
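The manual steps above (read the bugcheck and its arguments, find the first frame WinDbg could not symbolize, look the module up with lmvm and check how old its build is) can be scripted for first-pass triage. The following is an added example written for this page, not code from the original post or from WinDbg. It runs over a constructed, trimmed copy of the output quoted above; the crash date, the one-year staleness threshold and the "first frame printed as module+offset is the suspect" heuristic are assumptions of the example.

```python
import re
from datetime import date, datetime, timezone

# Constructed sample input: a trimmed copy of the !analyze -v and lmvm output quoted
# above (bugcheck arguments, frames, module range and timestamp taken verbatim).
SAMPLE_DUMP = """\
DRIVER_IRQL_NOT_LESS_OR_EQUAL (d1)
Arg1: 0000000c, memory referenced
Arg2: d0000002, IRQL
Arg3: 00000001, value 0 = read operation, 1 = write operation
Arg4: f6287cea, address which referenced memory
f78bec84 f6287cea badb0d00 00000000 85d10470 nt!KiTrap0E+0x2a7
f78bed80 f76a07ef f7d29824 00000003 00000009 NDIS!NdisMTcpOffloadEventIndicate+0x1a
WARNING: Stack unwind information not available. Following frames may be wrong.
f78beda0 f72d4196 891a87d4 898ff708 00000000 bxnd52x+0x97ef
f78bedc0 f72d4880 00000000 00000000 8914d9c0 bxvbdx+0x10196
80839833 00000000 0000000a 0083850f bb830000 0xf535cd10
IMAGE_NAME: bxnd52x.sys
start end module name
f7697000 f76a7000 bxnd52x (no symbols)
Timestamp: Fri Jun 30 18:41:42 2006 (44A55446)
"""

HEX8 = r"[0-9a-f]{8}"
BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)$", re.M)
ARG_RE = re.compile(r"^Arg([1-4]): (%s)," % HEX8, re.M)
FRAME_RE = re.compile(r"^(%s) (%s) (?:%s ){3}(\S+)$" % (HEX8, HEX8, HEX8), re.M)
TIMESTAMP_RE = re.compile(r"^Timestamp: .*\(([0-9A-Fa-f]{8})\)$", re.M)


def parse_bugcheck(text):
    """Bugcheck name, numeric code and the four Arg values as integers."""
    m = BUGCHECK_RE.search(text)
    args = [int(v, 16) for _, v in sorted(ARG_RE.findall(text))]
    if m is None or len(args) != 4:
        raise ValueError("bugcheck header or Arg1..Arg4 missing")
    return {"name": m.group(1), "code": int(m.group(2), 16), "args": args}


def describe_d1(bugcheck):
    """Decode 0xD1: Arg1 address, Arg2 IRQL, Arg3 0=read/1=write, Arg4 faulting IP."""
    addr, irql, op, ip = bugcheck["args"]
    return "%s of 0x%08x at IRQL 0x%x by code at 0x%08x" % (
        "write" if op else "read", addr, irql, ip)


def first_unsymbolized_frame(text):
    """Heuristic (an assumption of this example): the first frame printed as
    module+offset, i.e. without a '!' and not a bare 0x address, is in a module
    WinDbg has no symbols for, which on a server is usually a third-party driver.
    Returns (module, symbol) or None."""
    for _child, _ret, sym in FRAME_RE.findall(text):
        if "!" not in sym and not sym.startswith("0x"):
            return sym.split("+", 1)[0], sym
    return None


def module_range(text, module):
    """Load range of a module from the lmvm (or lm) listing."""
    m = re.search(r"^(%s) (%s) %s\b" % (HEX8, HEX8, re.escape(module)), text, re.M)
    if m is None:
        raise ValueError("module %s not listed" % module)
    return int(m.group(1), 16), int(m.group(2), 16)


def resolve(text, sym):
    """Absolute address of 'module+0xoff', checked against the module's range."""
    module, off = sym.split("+", 1)
    start, end = module_range(text, module)
    addr = start + int(off, 16)
    if not start <= addr < end:
        raise ValueError("%s resolves outside %s" % (sym, module))
    return addr


def build_time(text):
    """The hex value in parentheses is the PE link time as a Unix epoch (UTC);
    the readable date next to it is in the debugger's local time zone."""
    m = TIMESTAMP_RE.search(text)
    if m is None:
        raise ValueError("no Timestamp line")
    return datetime.fromtimestamp(int(m.group(1), 16), tz=timezone.utc)


def driver_age_days(text, crash_date_iso):
    return (date.fromisoformat(crash_date_iso) - build_time(text).date()).days


def triage(text, crash_date_iso, stale_after_days=365):
    """First-pass verdict in the order of the manual steps above."""
    bc = parse_bugcheck(text)
    frame = first_unsymbolized_frame(text)
    name = re.search(r"^IMAGE_NAME: (\S+)$", text, re.M)
    age = driver_age_days(text, crash_date_iso)
    return {
        "bugcheck": "%s (0x%x)" % (bc["name"], bc["code"]),
        "fault": describe_d1(bc) if bc["code"] == 0xD1 else None,
        "suspect_module": frame[0] if frame else None,
        "suspect_ip": resolve(text, frame[1]) if frame else None,
        "image_name": name.group(1) if name else None,
        "driver_age_days": age,
        "stale_driver": age > stale_after_days,
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_DUMP, "2007-09-20").items():
        print(k, v)
```

Resolving bxnd52x+0x97ef against the lmvm range gives 0xf76a07ef, which is exactly the return address in the NDIS!NdisMTcpOffloadEventIndicate frame above it, so the two pieces of output agree. The hex value on the Timestamp line is used as the build time because it is the PE link timestamp in UTC, while the readable date is printed in the debugger's local time zone (here 18:41 local versus 16:41 UTC).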
18. September 2007 03:20
In the last few weeks I have been monitoring my FTP servers for repeated attacks against them. So far I have been able to identify a few different types of attack.
One of them successfully logged on to the FTP server with an account that was created for this purpose. This time the attack came from IP address 188.8.131.52, which according to APNIC belongs to the Japan Network Information Center.
In the picture below, you can see the successful authentication to the FTP server.
Note that the password was edited out since I plan to use this account a bit longer :-).
After successful authentication the FTP client tried to remove a folder named "sarcaxxo", which does not exist on my server. After that they logged out of the system (picture below) and the attack was over.
I Googled the name "sarcaxxo" and found quite a few references to it. In my next post on these attacks, I will try to find out more about the other attack that I am frequently seeing.
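A decoy account of the kind used in this post is most useful when its logins raise an alert automatically instead of being found by reading screenshots. The following is an added example, not code from the original post or from any FTP server product. It runs over a constructed log assumed to be in the IIS 6 FTP W3C format (date, time, client IP, session-number-prefixed method, argument, status), reports every session in which a decoy account logged in successfully together with the commands issued afterwards, and separately lists clients that tried the decoy and were refused. The account name ftptest, the session numbers and the two non-attacker sessions are made up; the attacker's IP and the folder name sarcaxxo are taken from the post.

```python
import re
from collections import defaultdict

# Constructed sample log. Format assumed: IIS 6 FTP service, W3C fields
# "date time c-ip cs-method cs-uri-stem sc-status", with the FTP session number
# prefixed to the method in square brackets. The attacker IP and the folder name
# come from the post; the account "ftptest" and the other sessions are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2007-09-15 02:11:03 188.8.131.52 [12]USER ftptest 331
2007-09-15 02:11:04 188.8.131.52 [12]PASS - 230
2007-09-15 02:11:05 188.8.131.52 [12]RMD sarcaxxo 550
2007-09-15 02:11:06 188.8.131.52 [12]QUIT - 226
2007-09-15 08:30:10 10.0.0.7 [13]USER alice 331
2007-09-15 08:30:11 10.0.0.7 [13]PASS - 230
2007-09-15 08:30:15 10.0.0.7 [13]sent /reports/q3.pdf 226
2007-09-15 08:30:20 10.0.0.7 [13]QUIT - 226
2007-09-15 21:45:00 203.0.113.9 [14]USER ftptest 331
2007-09-15 21:45:01 203.0.113.9 [14]PASS - 530
2007-09-15 21:45:02 203.0.113.9 [14]QUIT - 226
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) \[(?P<sid>\d+)\](?P<method>\S+) "
    r"(?P<arg>\S+) (?P<status>\d+)$")

# Commands that change or remove data; a decoy account should never need them.
DESTRUCTIVE = {"RMD", "DELE", "RNFR", "RNTO", "STOR", "APPE"}


def parse_log(text):
    """One dict per data line; comment lines and unknown formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if line.startswith("#") or m is None:
            continue
        ev = m.groupdict()
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def sessions(text):
    """Events grouped per (client IP, FTP session number), in log order."""
    grouped = defaultdict(list)
    for ev in parse_log(text):
        grouped[(ev["ip"], ev["sid"])].append(ev)
    return grouped


def login_outcome(evs):
    """(user, index of the PASS reply, status) for the first login attempt, else None."""
    user = None
    for i, ev in enumerate(evs):
        if ev["method"] == "USER":
            user = ev["arg"]
        elif ev["method"] == "PASS" and user is not None:
            return user, i, ev["status"]
    return None


def find_decoy_logins(text, decoy_accounts):
    """One alert per session in which a decoy account authenticated (230),
    with everything the client did afterwards and the destructive subset."""
    alerts = []
    for (ip, _sid), evs in sessions(text).items():
        outcome = login_outcome(evs)
        if outcome is None or outcome[0] not in decoy_accounts or outcome[2] != 230:
            continue
        user, i, _ = outcome
        after = [(e["method"], e["arg"], e["status"]) for e in evs[i + 1:]]
        alerts.append({
            "ip": ip, "user": user,
            "when": evs[i]["date"] + " " + evs[i]["time"],
            "commands": after,
            "destructive": [c for c in after if c[0] in DESTRUCTIVE],
        })
    return sorted(alerts, key=lambda a: a["when"])


def failed_decoy_attempts(text, decoy_accounts):
    """IPs that tried a decoy account and were refused: candidates for a block list."""
    ips = []
    for (ip, _sid), evs in sessions(text).items():
        outcome = login_outcome(evs)
        if outcome and outcome[0] in decoy_accounts and outcome[2] != 230:
            ips.append(ip)
    return sorted(ips)


if __name__ == "__main__":
    for alert in find_decoy_logins(SAMPLE_LOG, {"ftptest"}):
        print(alert)
    print("refused:", failed_decoy_attempts(SAMPLE_LOG, {"ftptest"}))
```

Grouping by session number rather than by IP alone matters when several attackers come from the same address or one attacker opens several connections; the alert records the whole post-login command list, so a later pass can compare the "sarcaxxo" RMD pattern across sources.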
11. September 2007 05:07
A few days ago I was searching for information when I came across a website that had been defaced. The only evidence of the crime on the page was the title text, where the hacker left his signature "hacked by ertuqrul" (picture below).
No, I will not reveal the site's name. ;-)
I Googled the name "ertuqrul" and found that the website I visited was not the only one attacked by this person.
I believe that this page was a victim of a SQL injection attack. Input fields on this server lack any serious input validation. When performing a simple test, I received the standard error, which is usually a strong indicator that SQL injection is possible.
I tried to contact the owners of the website through the standard e-mail addresses webmaster@...si and info@...si, which are defined in RFC 2142. Both times I received a Non-Delivery Report (NDR) indicating that these mailboxes do not exist. I finally found an e-mail address on the website that worked. I also notified SI-CERT, just in case...
- If you own a web server or web site, make sure it is secure. If the site has any input fields, validate the data passed to the server on the server side, and use parameterized queries for anything that reaches the database. Client-side validation alone is not (!!!) enough, since an attacker simply sends requests without the browser.
- Make sure that the generic e-mail addresses such as webmaster, postmaster, hostmaster and abuse are valid and monitored; RFC 2142 defines them precisely so that outsiders can reach you when something like this happens.
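To make the validation advice concrete, here is an added example (not the defaced site's code and not from the original post) showing the pattern that produces the tell-tale database error mentioned above, the parameterized version, and a hardened handler that combines server-side validation with parameter binding. It uses an in-memory SQLite table with made-up rows; the table name, column names and probe payloads are assumptions of the example.

```python
import sqlite3


def make_demo_db():
    """Constructed demo data: an in-memory table standing in for a site's article
    store. Table and column names are assumptions of this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO articles (id, title) VALUES (?, ?)",
                     [(1, "Welcome"), (2, "Board minutes (internal)")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, article_id):
    """DELIBERATELY VULNERABLE: the request parameter is pasted into the SQL text.
    A stray quote breaks the statement and the database error leaks to the page,
    which is the tell-tale sign described in the post; a crafted quote rewrites
    the WHERE clause instead."""
    sql = "SELECT id, title FROM articles WHERE id = '%s'" % article_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, article_id):
    """Parameterized query: the value is bound by the driver and never becomes
    part of the SQL text, so quotes in it are just characters."""
    return conn.execute("SELECT id, title FROM articles WHERE id = ?",
                        (article_id,)).fetchall()


def valid_article_id(value):
    """Server-side validation (client-side checks can be bypassed): digits only."""
    return isinstance(value, str) and value.isdigit() and len(value) <= 9


def lookup_hardened(conn, article_id):
    """Both layers: reject anything that is not an id, then bind the parameter.
    Bad input gets an application error (an HTTP 400 in practice), never a SQL
    error message an attacker can learn from."""
    if not valid_article_id(article_id):
        raise ValueError("invalid article id")
    return lookup_parameterized(conn, int(article_id))


def run_probe(handler, conn, payload):
    """Feed one payload to a handler and record what an attacker would see:
    the rows returned, or the class and text of the error."""
    try:
        return {"rows": handler(conn, payload), "error": None}
    except Exception as exc:  # broad on purpose: we are classifying failures
        return {"rows": [], "error": "%s: %s" % (type(exc).__name__, exc)}


# A normal id, the "simple test" with a single quote, and a classic tautology.
PROBES = ["1", "1'", "' OR '1'='1"]


def compare(conn):
    """Run the same probes through all three handlers."""
    return {p: {"vulnerable": run_probe(lookup_vulnerable, conn, p),
                "parameterized": run_probe(lookup_parameterized, conn, p),
                "hardened": run_probe(lookup_hardened, conn, p)} for p in PROBES}


if __name__ == "__main__":
    for payload, results in compare(make_demo_db()).items():
        print(repr(payload))
        for name, r in results.items():
            print("  %-13s %s" % (name, r["error"] or r["rows"]))
```

The single-quote probe is the cheap test the post alludes to: against the vulnerable handler it yields a SQL syntax error, against the parameterized one it yields an empty result, and against the hardened one it yields a plain validation error. The tautology payload shows why validation alone is not the whole story: the parameterized query returns nothing for it even before validation gets involved.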
Hijacked servers are not only bad for the reputation of the owner. They can also be very dangerous for any visitor who comes across them: the attacker can include malicious code on the pages and infect the visitor's computer. As demonstrated earlier this year at the RSA Conference in San Francisco, such attacks can be platform- and browser-independent.
Of course attackers prefer servers with a high volume of visitors, such as the Super Bowl web sites that were hacked this year (2007).
My personal "favorite" attack on the client is the one where a malicious website reconfigures your home router. Actually the only thing it changes is the DNS server. Innocent? Not necessarily.
Imagine that you want to visit your online bank. You (well, your browser) query a DNS server for the IP address of the bank's server. The only problem is that you are now using the attacker's DNS server, and he can take you wherever he wants...
- In general I would recommend that any "hacked" server is first taken offline
- Decide whether you want to pursue the attackers legally; if so, contact law enforcement agencies and follow their advice from there
- Analyze the server for security holes (e.g. lack of security in applications, missing input validation, etc.) and remove them
- It can often be pretty difficult to determine the extent of the "damage" on a compromised server. For this reason I usually opt in the end for a clean reinstallation of the server.