Archive for the ‘Website Security’ Category

Javascript Trojan Virus Everywhere and How to fix it

Saturday, March 1st, 2008

Sites are getting hit by a JavaScript Trojan:

Read the news about thousands of infected websites.

A lot of sites are now being attacked with JavaScript Trojans.

The server itself is not infected; this happens to sites on both Linux and Windows servers,

so it does not look like a server-based attack.

How does this happen?

When the computer from which you upload data through FTP/fp is infected, the malware on it injects some JavaScript into all your HTML files.

So the way to prevent this is to keep your PC up to date with recent antivirus and antispyware, clean it, and then change your FTP logins (change them from a clean machine, otherwise the new password is exposed to the same malware).

If the same JavaScript pattern repeats across hundreds of your files, Linux server users can use a shell one-liner that removes the injected lines.

You can ask your host to run it, or run it yourself from a shell:


find ./ -type f -exec sed -i '/unescape/d' {} \;

This command deletes every line containing the pattern 'unescape' from every file under the current directory.

Some variants of the virus use a function named okban; in that case try the pattern 'okban'.

Which pattern you need depends on the injection on your site: look at one infected file first and pick a string that appears only in the injected code. Two caveats: sed -i rewrites every regular file it touches, images and archives included, and it deletes any line that merely contains the string, legitimate JavaScript included, so check what matches and keep a backup before running it.

You can do the same on Windows with GrepWin, a tool for searching and replacing Perl regular expression patterns across your files:

http://tools.tortoisesvn.net/grepWin

Use it to search for the pattern and replace it with nothing, or use its options to delete the matching lines.

This can be used either on a Windows server or on the client side (but then you have to upload all the modified files again).
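As an added example for this post (it is not the page's shell one-liner and not code from any tool the page names), here is a Python version of the same cleanup done more carefully: it scans only web files, reports every matching line before changing anything, keeps a .bak copy of each file it rewrites, and leaves binaries alone. The pattern list and the file extensions are assumptions; adjust them to the injection you actually find.

```python
"""Scan a web root for injected JavaScript and strip it, with a backup."""
import os
import re
import shutil

# Assumed signatures, taken from the strings this post mentions; start with
# these and add whatever unique string you see in your own infected files.
DEFAULT_PATTERNS = ("unescape(", "okban")
# Only files with these extensions are touched; images, archives and other
# binaries are skipped (sed -i over every regular file would rewrite them too).
WEB_EXTENSIONS = (".html", ".htm", ".php", ".js")


def _compile(patterns):
    # Literal byte-string match, so regex metacharacters in a pattern are harmless.
    return re.compile(b"|".join(re.escape(p.encode()) for p in patterns))


def find_injected(root, patterns=DEFAULT_PATTERNS, extensions=WEB_EXTENSIONS):
    """Return {path: [(lineno, line_text), ...]} for files with matching lines."""
    regex = _compile(patterns)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:       # bytes in, bytes out: never re-encode
                matches = [
                    (n, line.rstrip(b"\r\n").decode("utf-8", "replace"))
                    for n, line in enumerate(fh, 1)
                    if regex.search(line)
                ]
            if matches:
                hits[path] = matches
    return hits


def clean_file(path, patterns=DEFAULT_PATTERNS, backup=True):
    """Delete every line containing a pattern; return the number of lines removed.

    The original is copied to <path>.bak before the file is rewritten, so a
    deletion that took legitimate code with it can be undone.
    """
    regex = _compile(patterns)
    with open(path, "rb") as fh:
        lines = fh.readlines()
    kept = [line for line in lines if not regex.search(line)]
    removed = len(lines) - len(kept)
    if removed:
        if backup:
            shutil.copy2(path, path + ".bak")
        with open(path, "wb") as fh:
            fh.writelines(kept)
    return removed


def clean_tree(root, patterns=DEFAULT_PATTERNS, dry_run=True):
    """Print every matching line; with dry_run=False also remove them.

    Returns {path: lines_removed} (all zeros on a dry run).
    """
    result = {}
    for path, matches in find_injected(root, patterns).items():
        for lineno, text in matches:
            print(f"{path}:{lineno}: {text[:100]}")
        result[path] = 0 if dry_run else clean_file(path, patterns)
    return result


if __name__ == "__main__":
    import sys
    # Usage: python clean_injected.py /var/www/html          (report only)
    #        python clean_injected.py /var/www/html --apply  (strip, keeping .bak copies)
    clean_tree(sys.argv[1] if len(sys.argv) > 1 else ".",
               dry_run="--apply" not in sys.argv[2:])
```

Run it once without --apply and read the report: if a matching line also contains legitimate markup (the injection was appended to an existing line rather than added as its own line), line deletion will take that markup with it, and that file is better fixed by hand. The .bak copies are what you diff against afterwards, and they should be deleted from the web root once you are satisfied.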

How to completely redirect a subdomain to a domain

Thursday, December 20th, 2007

Write a simple .htaccess file to redirect your subdomain to a domain. This .htaccess redirects a dead subdomain to a domain name, e.g. http://dead.domainname.com to http://IamMrAbc.com, keeping the requested path.

#############################
#############################
####Subdomain to Domain redirection###
####From SecureSlash.com##########
RewriteEngine On
RewriteCond %{HTTP_HOST} ^dead\.domainname\.com$ [NC]
############Place your subdomain info###
RewriteRule ^(.*)$ http://IamMrAbc.com/$1 [R=301,L]
############Place the destination domain
############################
############################

Save the above code as .htaccess and place it under your subdomain folder,
e.g. /subdomains/dead/.htaccess
or /public_html/dead/.htaccess

It depends upon the server's directory structure.

Notes on the rule: in a per-directory .htaccess the matched path has no leading slash, so the "/" before $1 is required (without it a request for page.html would be sent to http://IamMrAbc.compage.html); R=301 makes the redirect permanent and L stops further rules from running; anchoring the host condition with ^ and $ (and [NC] for case) stops it matching any host name that merely contains that string.

Security Problem in an Indian Bank website

Thursday, April 12th, 2007

Just visited SBI (State Bank of India) bank's online section. It is one of the biggest government banks in India. Its customers can do online banking via its website www.onlinesbi.com.

Select "Personal Banking" in the login box.

You will be redirected to https://www.onlinesbi.com/login.html by an applet.

I entered an arbitrary username and password.
Let's say Username: kumar Password: asdfasdf

I got an "Invalid Username or Password" error. Yes, it may be wrong.

Again I entered the same logins... again and again. After the 4th or 5th attempt I got "You have been locked out for the day because of three invalid attempts during the day."

Someone's account got blocked for today!

I think I am not 100% right... I think my IP may be blocked... So I asked my friend to log in with the same username and some other password. He got the "locked out" message on his very first try...

So no one can log in with the username "kumar" for today...

Sorry Kumar!!!

But the shameful thing is... that website got a certificate from VeriSign:

https://seal.verisign.com/splash?form_file=fdf/splash.fdf&type=GOLD&sealid=1&dn=WWW.ONLINESBI.COM&lang=en

They could block my IP for the invalid login attempts, or they could send an email to the account holder about the login attempts... They do nothing of that... they simply block access to the account...

Crap Free webhosting sites

Thursday, April 12th, 2007

I went to see how the free hosting market is. Just googled for "php free hosting".

I got "http://phpnet.us" in the first SERP.

After filling in the signup form I got this URL:
http://phpnet.us/created.php?username=lkajsdf&password=lkjlkj

Great secure PHP hosting site... I found some other usernames/passwords of phpnet.us users in Google. Thank you, Google.

The same crap registration system is in a few other sites...
http://www.netfast.org
&
http://www.my-place.us

I am posting this flaw here because they must improve their security to protect user privacy.

Paypal Hacking

Thursday, April 12th, 2007

This is not about hacking paypal.com; PayPal knows enough about securing itself. Are you using a PayPal IPN script on your websites? Then there is something you have to take care of.

First of all, plan and decide your product delivery strategy.

Product delivery methods

1. Email the product after a successful payment

2. Redirect the user to a product page to download it directly

Unvalidated data will always land you in hell.

See the example below:

<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="you@yourbusiness.com">
<input type="hidden" name="item_name" value="Your Product">
<input type="hidden" name="item_number" value="100">
<input type="hidden" name="amount" value="15.00">
<input type="hidden" name="return"
value="hxxp://www.yourbusiness.com/secret-location/product.zip">

<input type="image" src="hxxp://www.paypal.com/images/x-click-butcc.gif"
border="0" name="submit">
</form>

This redirects the user to your exact product file after a successful payment. Never write code like this: the return URL sits in the page source as a hidden field, so anyone can read it and fetch the product without paying. Instead, give the user a transaction or purchase code and ask for that code when they try to download.

Hashed values

$hash = $paypal_transaction_id . $productno . $user_id;
$purchase_code = md5($hash);

Store this $purchase_code in a `transactions` table for the user and email it to them.

OK, now the user is trying to download the product. What should we check?

Considerations:
1. Ask for the purchase code in a <form>.
2. Force the user to log in to your site.
3. Check whether you have any rows in the `transactions` table for the user.
4. If yes, fetch the row and build one checker value:
$checker = $row['paypal_transaction'] . $row['productno'] . $user_id;
$user_entered_hash = $_POST['purchase_id'];
$our_checker_hash = md5($checker);
if (hash_equals($our_checker_hash, $user_entered_hash)) { // constant-time compare, not ==
    // deliver the product
}

In this manner you can proceed.
Take care with URL encoding.
Generate temporary product URLs; they must expire after some hours.
All information should be encoded and thoroughly validated.
Only then will you see profit. So don't just install/write IPN scripts as they come. Always take care of input and URL validation.
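The whole flow above (purchase code stored in a `transactions` table and emailed, checked on download, then a temporary product URL that expires) as an added, runnable example. It is not the post's PHP and not PayPal's code: it keeps the post's structure but keys the code with a server-side secret (HMAC-SHA256 instead of md5 over fields the buyer already knows), compares it in constant time, and signs a time-limited download token. SERVER_SECRET, the in-memory SQLite table and the helper names are assumptions; the row is assumed to be inserted only after the IPN has been verified with PayPal.

```python
"""Purchase codes and expiring download links for a PayPal IPN flow."""
import hashlib
import hmac
import sqlite3
import time

# Assumption: a random secret loaded from configuration, never derived from
# anything the buyer sees. Without it, md5(txn . product . user) can be
# recomputed by anyone who knows those three values.
SERVER_SECRET = b"replace-with-32-random-bytes-from-os.urandom"
TOKEN_TTL = 4 * 3600  # seconds a download link stays valid


def open_db():
    """In-memory stand-in for the post's `transactions` table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE transactions ("
        " paypal_transaction TEXT PRIMARY KEY,"
        " productno INTEGER NOT NULL,"
        " user_id INTEGER NOT NULL,"
        " purchase_code TEXT NOT NULL)"
    )
    return db


def _sign(message):
    return hmac.new(SERVER_SECRET, message.encode(), hashlib.sha256).hexdigest()


def make_purchase_code(txn_id, productno, user_id):
    """Same fields the post feeds to md5(), but keyed; '|' keeps them unambiguous."""
    return _sign(f"purchase|{txn_id}|{productno}|{user_id}")


def record_payment(db, txn_id, productno, user_id):
    """Call from the IPN handler only after PayPal has confirmed the payment.

    Returns the purchase code to email to the buyer.
    """
    code = make_purchase_code(txn_id, productno, user_id)
    db.execute("INSERT INTO transactions VALUES (?, ?, ?, ?)",
               (txn_id, productno, user_id, code))
    db.commit()
    return code


def verify_purchase(db, user_id, productno, user_entered_code):
    """True only if the logged-in user has a paid row for this product and
    the code they typed matches it. The compare is constant-time."""
    row = db.execute(
        "SELECT paypal_transaction FROM transactions"
        " WHERE user_id = ? AND productno = ?",
        (user_id, productno),
    ).fetchone()
    if row is None:
        return False
    expected = make_purchase_code(row[0], productno, user_id)
    return hmac.compare_digest(expected.encode(), str(user_entered_code).encode())


def make_download_token(user_id, productno, now=None):
    """'expires.user.product.sig': the server verifies it without a DB lookup."""
    now = time.time() if now is None else now
    payload = f"{int(now) + TOKEN_TTL}.{user_id}.{productno}"
    return f"{payload}.{_sign('download|' + payload)}"


def check_download_token(token, now=None):
    """Return (user_id, productno) if the token is intact and unexpired, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 4:
        return None
    payload, sig = ".".join(parts[:3]), parts[3]
    if not hmac.compare_digest(_sign("download|" + payload).encode(), sig.encode()):
        return None                     # forged or tampered
    expires, user_id, productno = parts[:3]
    if now > int(expires):
        return None                     # link has aged out
    return int(user_id), int(productno)


def download_url(db, user_id, productno, user_entered_code, now=None):
    """Hand out a short-lived link only after the purchase-code form check passes."""
    if not verify_purchase(db, user_id, productno, user_entered_code):
        return None
    return "/download?token=" + make_download_token(user_id, productno, now)
```

The download handler should additionally check that the user_id inside a valid token matches the logged-in session before streaming the file, so a link that leaks from one buyer's mailbox cannot be used by another account.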

Orkut Hacking

Thursday, April 12th, 2007

An Orkut user by the name of Tantek has exposed a flaw in Orkut's security system. Orkut is the Microsoft ASP.NET and Google-powered web community. Every user can define a variety of details (like hometown, sexual orientation, activities) and additionally set those details to be viewed by friends only. And you choose who your friends are... well, unless someone is tricking the system.

A simple inline frame, hidden in the browser by absolutely positioning it at negative coordinates, can trigger the "add as friend" or "join community" command. An anonymous poster in Orkut writes:

"This is a clear example of why it would be very silly to trust Orkut's permissions system for sharing your information with only your trusted friends.

Web developers who don't even understand basic cross-site scripting precautions shouldn't be trusted with more than the cookies they give us. Surely most Google coders have a little more sense than the ones that wrote this particular app."

The page in question with the possible Orkut exploit can be found at

<http://tantek.com/log/2004/02.html> [and I suggest not opening it if you are logged in to Orkut in this browser]. After I went there to try it out I automatically became part of the "Training Program" (in other words, I was joined to a community through no doing of my own other than visiting Tantek's webpage). Tantek writes:

“This community is another training program designed to teach you one thing.

When you remain logged into Orkut and browse the web, any page you access can automatically change your Orkut membership without you knowing it.

This is due to the fact that Orkut uses HTTP GET URLs to alter your state.

The W3C long ago recognized this general vulnerability.

http://www.w3.org/2001/tag/doc/whenToUseGet.html"
– Tantek in Orkut

Tantek further urges webmasters to spread the word about this Orkut vulnerability by pasting the following code on their webpages:

<iframe style="width:1px;height:1px;position:absolute;top:-31337px;left:-31337px"
src="http://www.orkut.com/Community.aspx?cmm=19657&cmd=add"></iframe>

Source: blog.outer-court
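What the post describes is today called cross-site request forgery (CSRF): the browser attaches the victim's Orkut cookie to the iframe's GET, and the server acts on the cookie alone. As an added example (Orkut's code is not public; this is a toy handler, not theirs, and the session store and function names are assumptions), the request handler below is shown in the vulnerable shape and in the hardened one that follows Tantek's point: state changes only through POST, carrying a token that lives in the victim's session and that a third-party page cannot read.

```python
"""A GET that changes state vs. a POST guarded by a session-bound token."""
import secrets

# Assumed server-side session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session and mint the anti-CSRF token that lives only in it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(16), "communities": set()}
    return sid


def vulnerable_join(method, params, cookies):
    """Orkut-style handler: the session cookie alone authorises the change,
    for any method. A hidden <iframe src="...?cmm=19657&cmd=add"> on an
    unrelated page makes the browser send exactly this request."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    if params.get("cmd") == "add" and "cmm" in params:
        session["communities"].add(params["cmm"])
        return 200
    return 400


def safe_join(method, params, cookies):
    """Hardened handler: state changes only via POST, and the request must
    carry the token from the victim's own session, which a page on another
    origin cannot read (same-origin policy) and so cannot forge."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401
    if method != "POST":
        return 405                      # GET is a safe method; never act on it
    supplied = str(params.get("csrf_token", "")).encode()
    if not secrets.compare_digest(supplied, session["csrf"].encode()):
        return 403                      # cookie present, token missing or guessed
    if params.get("cmd") == "add" and "cmm" in params:
        session["communities"].add(params["cmm"])
        return 200
    return 400


def hidden_iframe_attack(handler, victim_sid, cmm="19657"):
    """The request the post's iframe produces: GET plus the victim's cookie."""
    return handler("GET", {"cmm": cmm, "cmd": "add"}, {"session": victim_sid})


def forged_post_attack(handler, victim_sid, cmm="19657"):
    """An auto-submitting hidden form on the attacker's page: still sends the
    cookie, but can only guess the token."""
    return handler("POST", {"cmm": cmm, "cmd": "add", "csrf_token": "guess"},
                   {"session": victim_sid})


def legitimate_join(handler, sid, cmm):
    """The site's own form: it was rendered with the session's token embedded."""
    return handler("POST", {"cmm": cmm, "cmd": "add", "csrf_token": SESSIONS[sid]["csrf"]},
                   {"session": sid})
```

Refusing GET for state changes is exactly the W3C "when to use GET" advice Tantek cites; the token check is what stops the same trick done with a hidden auto-submitting POST form. Modern browsers' SameSite cookie defaults also keep the cookie off the iframe's request, but that is the browser's control, and the server-side check is the one you own.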

Traffic monitoring tools

Thursday, April 12th, 2007

Ntop : A network traffic usage monitor
Ntop shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user’s terminal. In Web mode, it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics.

Ngrep : Convenient packet matching & display
ngrep strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

EtherApe : EtherApe is a graphical network monitor for Unix modeled after etherman
Featuring link layer, IP and TCP modes, EtherApe displays network activity graphically with a color coded protocols display. Hosts and links change in size with traffic. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.

SolarWinds : A plethora of network discovery/monitoring/attack tools
SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available and more.

Nagios : An open source host, service and network monitoring program
Nagios is a system and network monitoring application. It watches hosts and services that you specify, alerting you when things go bad and when they get better. Some of its many features include monitoring of network services (smtp, pop3, http, nntp, ping, etc.), monitoring of host resources (processor load, disk usage, etc.), and contact notifications when service or host problems occur and get resolved (via email, pager, or user-defined method).

Argus : A generic IP network transaction auditing tool
Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.