Suspicious signs of intrusion include at least the following:

User Indications

• Failed log-in attempts
• Log-ins to accounts that have not been used for an extended period of time
• Log-ins during hours other than non-working hours
• The presence of new user accounts that were not created by the system administrator
• Log-ins from strange places, as well as repeated failed attempts
• System Indications
• Modifications to system software and configuration files
• Gaps in system accounting that indicate that no activity has occurred for a long period of time
• Unusually slow system performance
• System crashes or reboots
• Short or incomplete logs
• Logs with incorrect permissions or ownership or with strange timestamps
• Missing logs
• Abnormal system performance
• Unfamiliar processes
• Unusual graphic displays or text messages.

File System Indications

• The presence of new, unfamiliar files or programs
  
• Changes in file permissions
• Unexplained changes in file size.
• Unfamiliar file names in directories
• Missing files

Network Indications

• Repeated probes of the available services on your machines
• Connections from unusual locations
• Repeated login attempts from remote hosts
• Arbitrary log data in log files, indicating attempt at creating either Denial of Service, or crash services

source:  www.linuxsecurity.com

Unit 61398, which operates out of a 12-story building in Shanghai, has restarted its clandestine online attacks against private firms and government organizations, three months after its identity was first exposed by Mandiant. The security company, which helps guard organizations from these attacks, has not specified the latest targets, reports The New York Times.

Mandiant first exposed the unit in mid-February detailing the group it called “APT 1,” which had broken into the networks of 141 companies, spanning 20 major industries. The White House believed a campaign of publicizing the unit’s activities might force it to cease its hacking efforts, but the Times cites American officials and security companies who say it has resumed the attacks at roughly 70 percent of its original capacity.

Unit 61398 employs roughly 1,000 people, according to the Mandiant report, and is alleged to have stolen technology blueprints, proprietary manufacturing processes, test results and business plans. The report also says the group’s activities are likely government sponsored.

The Chinese Foreign Ministry denounced these claims as “groundless,” and the Defense Ministry denied any connection with the unit.

–Source: US News and World Report

http://www.usnews.com/news/articles/2013/05/20/chinese-cyber-hackers-are-back-in-business

Well, Metasploit dumped the Subversion updates and went with GitHub.com. This is a really good idea but terribly painful to me. So let me tell you the saga…

Why did I have re-install it 50 times, mainly because I have some sort of Dyslexia or ADD that prevents me from reading details. Add this to the fact that there is no real documentation or  instructions written. I would fully document the process,  but I have been beaten down so much I just want to give words of advice.

• Re-install all the prerequisite applications

• Install RVM (if you don’t have ruby setup already.)

• Register at Git so you have a username, password, ssh key and all that.

• Download your updated Metasploit Framework with Github.com using your username and password. This will let you do all kinds cool updating later.

Follow these instructions: (Excellent Documentations- Kudos to whoever wrote this!!!!)

https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment

Notes:

They want you to put Metasploit in your home directory. I liked Metasploit where it was, so when I did the ‘git’ I put it back under the /opt directory after I removed the old Metasploit framework files using ‘rm -rf” command.  The command  stands  for Remove Recursively and Force. (Kinda sounds like a Rock Band.)

After I finished, msfconsole wouldn’t start and it kept asking me to perform a gem install bundler every time. I would mess around with it and finally it would work but I would reboot and the whole process started over.

It took me two days to finally figured out that multiple versions of Ruby were causing the problems.  Apparently Ruby was confused and flapping between version 1.8 and 1.9.3. 

Also, msfupdate worked but I got errors from ruby saying that the same file(s) was missing… So here are my tips.

• Make sure that you are using Ruby 1.9.3. If you have Ruby 1.8 on your machine you will have weird problems. So the best think to do is do a “curl” and update Ruby to 1.9.3 then remove the older version of Ruby. In my case it was 1.8.

• You might need to do some tweaking to get everything running smooth. Make sure that you apply the environmental variables to make  sure that all the ruby files load in the database config file for postgresql. See Comments below.

• These commands are all run at the root level. I don’t like using sudo because it creates just one more word I have to type.

So, first on the hit parade is Numero Uno.  This command removes Ruby 1.8 and all it’s evil sidekicks. If you are feeling extra vindictive you can use ‘apt-get purge.’

#apt-get remove libruby1.8 ruby1.8 ruby1.8-dev rubygems1.8

This next command adds a statement to /etc/profile, I really don’t know  if you need it. I tried it without the statement and it ran the same. Put it in anyway to be on the safe side or live life dangerously and don’t.

#echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/database.yml >> /etc/profile

#source /etc/profile

The next statement let’s you use the Metasploit scanner modules.

#cd /opt/metasploit-framework/external/pcaprub

#ruby extconf.rb && make && make install

Long Island Software Programmer Arrested For Hacking Into Network Of High-Voltage Power Manufacturer

As alleged in the complaint, Meneses, who had voiced displeasure at having been passed over for promotions, tendered his resignation from the victim company in late December 2011, giving two weeks’ notice. After his network access was terminated, Meneses launched a three-week campaign to inflict damage on the company by gaining unauthorized access to its network and sabotaging the company’s business. Meneses employed various high-tech methods to hack into the victim company’s network and steal his former colleagues’ security credentials, including writing a program that captured user log-in names and passwords. Meneses then used the security credentials of at least one former colleague to remotely access the network via a virtual private network (VPN) from Meneses’s home and from a hotel located near his new employer, corrupting the network. Meneses’s efforts ranged from using a former colleague’s email account to discourage new applicants from taking Meneses’s position, to sending commands to alter the business calendar by one month, disrupting the company’s production and finance operations. The victim company suffered over $90,000 in damages as a result of Meneses’s intrusions

Source: Press Release US District Attorney’s Office, Eastern District of NY

http://www.justice.gov/usao/nye/pr/2013/2013may02.html

Eight Members Of New York Cell Of Cyber-crime Organization Indicted In $45 Million Cyber-crime Campaign

New York Cell Withdrew $2.8 Million In Cash From Hacked Accounts In Less Than 24 Hours

A four-count federal indictment was unsealed in Brooklyn charging eight defendants with participating in two worldwide cyber-attacks that inflicted $45 million in losses on the global financial system in a matter of hours.

These defendants allegedly formed the New York-based cell of an international cyber-crime organization that used sophisticated intrusion techniques to hack into the systems of global financial institutions, steal prepaid debit card data, and eliminate withdrawal limits. The stolen card data was then disseminated worldwide and used in making fraudulent ATM withdrawals on a massive scale across the globe.

The eight indicted defendants and their co-conspirators targeted New York City and withdrew approximately $2.8 million in a matter of hours. The defendants are charged variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering.

Source: Press Release US District Attorney’s Office, Eastern District of NY

http://www.justice.gov/usao/nye/pr/2013/2013may09.html

Denial of Service (Pirate Version)

Okay Web Heads, it’s time to put on your upgrade caps and get your websites to the latest Revision of Word Press Code. It seems that there is a flaw in code that it older than June 21, 2012.Here is the full brief as stated by US-Cert and NIST:

Original release date: April 15, 2013

US-CERT is aware of an ongoing campaign targeting the content management software WordPress, a free and open source blogging tool and web publishing platform based on PHP and MySQL. All hosting providers offering WordPress for web content management are potentially targets.

Hackers reportedly are utilizing over 90,000 servers to compromise websites administrator panels by exploiting hosts with admin as account name, and weak passwords which are being resolved through brute force attack methods.

CloudFlare, a web performance and security startup, has to block 60 million requests against its WordPress customers within one hour elapse time. The online requests reprise the WordPress scenario targeting administrative accounts from a botnet supported by more than 90,000 separate IP addresses. A CloudFlare spokesman asserted that if hackers successfully control WordPress servers, potential damage and service disruption could exceed common distributed denial of service (DDoS) attack defenses. As a mitigating strategy, HostGator, a web hosting company used for WordPress, has recommended users log into their WordPress accounts and change them to more secure passwords.

US-CERT encourages users and administrators to ensure their installation includes the latest software versions available. More information to assist administrators in maintaining a secure content management system

include:

* Review the June 21, 2012, vulnerability described in CVE-2012-3791, and follow best practices to determine if their organization is affected and the appropriate response.

* Refer to the Technical Alert on Content Management Systems Security and Associated Risks for more information on securing a web content management system

* Refer to Security Tip Understanding Hidden Threats: Rootkits and Botnets for more information on protecting a system against botnet attacks

* Additional security practices and guidance are available in US-CERTs Technical Information Paper TIP-12-298-01 on Website Security

Relevant URL(s):

<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3791>

<http://www.us-cert.gov/ncas/tips/ST06-001>

<http://www.us-cert.gov/sites/default/files/publications/TIP-12-298-01-Website-Security.pdf>

<http://www.us-cert.gov/ncas/alerts/TA13-024A>

____________________________________________________________________

Produced by US-CERT, a government organization.

___________________________________________________________________

This product is provided subject to this Notification:

http://www.us-cert.gov/privacy/notification/

Privacy & Use policy:

http://www.us-cert.gov/privacy/

This document can also be found at

http://www.us-cert.gov/ncas/current-activity/2013/04/15/WordPress-Sites-Targeted-Mass-Brute-force-Botnet-Attack

In my last Video Demo, I exploited the Default SNMP String on a Cisco Router and gained access to the router. In this video, I have made it a little harder and changed the SNMP Community Strings to something else. I also changed the password. I used NMAP this time for the scan, Metasploit again and John the Ripper instead of Cain and Abel. Check it out. So the moral of the story is to “Don’t Use SNMP unless you absolutely have to and make sure that it is a complex text string.