
"web attack experience"?



lunaluna
June 13th, 2008, 06:01 PM
I don't know if I'm on the right forum...

How many of you have a true "web attack experience"...
and if you're one of them, could you give some details?

:popcorn:

cprofitt
June 14th, 2008, 12:44 AM
Could you clarify web attack.

wpshooter
June 14th, 2008, 12:57 AM
Could you clarify web attack.

They've been gone for about 5 hours. I think they had one, whatever it is !!!

Joeb454
June 14th, 2008, 12:59 AM
They've been gone for about 5 hours. I think they had one, whatever it is !!!

True, but a web attack could mean getting a virus, or it could mean hacking attempts on a home server.

Which is why I'd quite like to see some clarification too :)

hovzio
June 14th, 2008, 01:00 AM
I am also curious as to whether or not anyone has had any security issues concerning intrusion via the internet on an Ubuntu desktop. Haven't ever heard of anything but wouldn't mind hearing about some experiences. (I am assuming this is what was meant... if not, sorry)

DirtDawg
June 14th, 2008, 01:02 AM
Web Attack Experience!
http://ecx.images-amazon.com/images/I/41QSXGV2SML._SL500_AA280_.jpg

cprofitt
June 14th, 2008, 01:02 AM
I am also curious as to whether or not anyone has had any security issues concerning intrusion via the internet on an Ubuntu desktop. Haven't ever heard of anything but wouldn't mind hearing about some experiences.

The question still remains -- what kind of intrusion attempt...

trojan / root kit that is web launched?

remote code execution and priv. escalation.

Joeb454
June 14th, 2008, 01:03 AM
Well as I run a web server from home, which naturally, is the first thing you'll get if you type in my IP address, I'm sure I've had some login attempts made (it runs SSH server too) :)

_sphinx_
June 14th, 2008, 01:04 AM
I also don't have any such kind of experience but I just wanted to know how could someone do this web attack sort of thing, I mean can anybody give me some overview.

_sphinx_
June 14th, 2008, 01:05 AM
Well as I run a web server from home, which naturally, is the first thing you'll get if you type in my IP address, I'm sure I've had some login attempts made (it runs SSH server too) :)

So how could one possibly crack SSH password.

hovzio
June 14th, 2008, 01:06 AM
@ PrivateVoid: Something along the lines of a rootkit. That's what I had in mind. I must add, my knowledge concerning the subject is minimal.

wpshooter
June 14th, 2008, 01:07 AM
I am also curious as to whether or not anyone has had any security issues concerning intrusion via the internet on an Ubuntu desktop. Haven't ever heard of anything but wouldn't mind hearing about some experiences.

Well down to the serious side. I have been running various versions of Ubuntu for about 2 to 3 years now and to my knowledge, I have NOT experienced the first security breach of any type. And this is with only what security is built into the O/S, i.e. no virus protection software or software firewalls.

I would hate to think about how polluted my system would be by now if I had been running that M$ O/S under those same circumstances.

Joeb454
June 14th, 2008, 01:14 AM
So how could one possibly crack SSH password.

It depends what the password is ;) Mine has letters (both cases) numbers and symbols :)

cprofitt
June 14th, 2008, 01:22 AM
So how could one possibly crack SSH password.

That all depends on how the SSH server and client are set up.

Here are some good articles to read:

http://www.security-hacks.com/2007/05/23/protecting-against-ssh-brute-force-attacks

http://www.linux.com/articles/60955

cprofitt
June 14th, 2008, 01:25 AM
@ PrivateVoid: Something along the lines of a rootkit. That's what I had in mind. I must add, my knowledge concerning the subject is minimal.


Here are some links for those:

http://www.sans.org/reading_room/whitepapers/linux/901.php

http://linuxhelp.blogspot.com/2006/12/various-ways-of-detecting-rootkits-in.html

http://en.wikipedia.org/wiki/Rootkit

http://www.linuxdevcenter.com/pub/a/linux/2001/12/14/rootkit.html

kansasnoob
June 14th, 2008, 01:50 AM
Well there are ongoing discussions about security:

http://ubuntuforums.org/forumdisplay.php?f=338

I tend to watch the two little applets I've dropped in my lower panel ..... temp & cpu usage ..... if either seem high then I look further. Of course the first thing I look at is the little leds on my DSL modem to see if there's activity when there shouldn't be.

If something seems afoul I open Firestarter which I've previously dl'ed from synaptic and I can open from either "Internet" or "Administration". Then I can actually see what's going on just by clicking the "events" tab.

The sad thing is I've found no way to log events without editing sudoers to have Firestarter auto-start and that in itself creates a vulnerability.

And I know that ufw is now installed by default, but I'm just too slow minded for cli ............. I need gui!

kansasnoob
June 14th, 2008, 01:57 AM
/home/lance/Desktop/Screenshot-Firestarter lance-desktop.png

Joeb454
June 14th, 2008, 02:09 AM
I think you'll need to re-upload that ;)

kansasnoob
June 14th, 2008, 02:24 AM
Read this:

http://ubuntuforums.org/showthread.php?p=5182069#post5182069

In spite of mastering dual boots and a number of other hurdles I'm still just an old fart that can't figure out the forum tools.

Paste that link into your browser and take what you like from my puter ........... maybe! Not much there, it's a fairly new setup.

I guess I at least chose a good screen-name! Noob definitely describes me :)

kansasnoob
June 14th, 2008, 02:26 AM
Joeb454,

You've helped me before, I wouldn't get mad if you helped me again :confused:

aysiu
June 14th, 2008, 02:34 AM
I don't know if I'm on the right forum...

I've moved it to the Community Cafe, which seems a more appropriate place.

srt4play
June 14th, 2008, 02:35 AM
web Attack Experience!
http://ecx.images-amazon.com/images/i/41qsxgv2sml._sl500_aa280_.jpg

Lmao

Joeb454
June 14th, 2008, 02:36 AM
/home/lance/Desktop/Screenshot-Firestarter lance-desktop.png


I think you'll need to re-upload that ;)

That's what I was referring to.

It looked like you were trying to upload an image, but you just pasted its location on your system :)

Lord Xeb
June 14th, 2008, 03:51 AM
I have not experienced a "web attack" per se, but I have found a root kit that would link a hack to my PC and allow them to control it to their will. It was in a game my brother played here and there. I looked at some records on my firewall and did see an attempt that was supposedly thwarted, but it was not and the jerk put it inside his game. e_e not cool.

lemuriaX
June 14th, 2008, 04:10 AM
Hi there...interesting thread.

I'm curious about this one:



The sad thing is I've found no way to log events without editing sudoers to have Firestarter auto-start and that in itself creates a vulnerability.



I thought Firestarter was just a GUI for managing IPTables, how would having it start automatically open a vulnerability?

kansasnoob
June 14th, 2008, 04:59 AM
That's what I was referring to.

It looked like you were trying to upload an image, but you just pasted its location on your system :)

Yes!

That's why I posted the link to my asking how to use the Forum tools.

I don't get it????????????

But I'm working on it :confused:

kansasnoob
June 14th, 2008, 05:05 AM
"I looked at some records on my firewall"

How? I've never found a way to access an activity log other than Firestarter and then only if it's running on top of iptables at the time the traffic is ............. uh, trafficking :confused:

Is there a ufw log that can be looked at?

kansasnoob
June 14th, 2008, 05:09 AM
"I thought Firestarter was just a GUI for managing IPTables, how would having it start automatically open a vulnerability?"

I decided it was unwise to edit sudoers. I think that anytime you remove a level of password protection you create a new vulnerability.

Then again, I am a nOOb, therefore the moniker!

lemuriaX
June 17th, 2008, 06:18 AM
I decided it was unwise to edit sudoers. I think that anytime you remove a level of password protection you create a new vulnerability.

Then again, I am a nOOb, therefore the moniker!

Well, I'm in the n00b camp myself so would have to let someone more experienced say for sure.

lemuriaX
June 24th, 2008, 05:43 AM
Okay well obviously removing a level of password protection would not be a good idea in general. I'm not too familiar with editing sudoers yet.

I did read some info suggesting that running Firestarter all the time maybe isn't so wise since it runs as root - http://ph.ubuntuforums.com/showthread.php?t=694198

It is nice to have a GUI for monitoring port activity though, what would be good to use for that instead of Firestarter?

hovzio
June 24th, 2008, 05:58 PM
Okay well obviously removing a level of password protection would not be a good idea in general. I'm not too familiar with editing sudoers yet.

I did read some info suggesting that running Firestarter all the time maybe isn't so wise since it runs as root - http://ph.ubuntuforums.com/showthread.php?t=694198

It is nice to have a GUI for monitoring port activity though, what would be good to use for that instead of Firestarter?

I have found myself asking the same question (and the forums) several times. The following link is a thread I started asking the same as above. I must say I haven't gotten too many answers other than netstat.

http://ubuntuforums.org/showthread.php?t=832108

Netstat kicks out a bunch of information but as a noob I find it hard to fish out the stuff I (think that I) need. :) I'm sure there are commands to filter results but I haven't had time to check it out. (excuses..)
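On filtering netstat results, as asked in the post above: this is an added example, not part of any post in the thread. It cuts `netstat -tuna` output down to listening TCP ports, bound UDP ports and a per-host count of established TCP connections. The function names and the sample data are made up for illustration.

```shell
#!/bin/sh
# Added example: reduce `netstat -tuna` output to the lines worth reading.
# Real use:  netstat -tuna | netstat_summary

netstat_summary() {
    awk '
    $1 !~ /^(tcp|udp)/ { next }            # skip the two header lines
    {
        # The port is whatever follows the LAST colon, so IPv6 forms
        # such as ":::22" are handled the same way as "0.0.0.0:22".
        n = split($4, l, ":"); lport = l[n]
        m = split($5, r, ":"); rport = r[m]
        rhost = substr($5, 1, length($5) - length(rport) - 1)
    }
    $6 == "LISTEN"                      { print "LISTEN " $1 " " lport; next }
    $1 ~ /^udp/ && rport == "*"         { print "BOUND " $1 " " lport; next }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED"  { est[rhost]++ }
    END { for (h in est) print "ESTABLISHED " est[h] " " h }
    ' | LC_ALL=C sort
}

# Constructed sample in net-tools layout (documentation address ranges).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:22         203.0.113.7:51514       ESTABLISHED
tcp        0      0 192.168.1.10:45678      198.51.100.20:80        ESTABLISHED
tcp        0      0 192.168.1.10:45680      198.51.100.20:80        ESTABLISHED
tcp        0      0 192.168.1.10:45690      198.51.100.20:80        TIME_WAIT
tcp6       0      0 :::22                   :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
EOF
}

sample_netstat | netstat_summary
```

A LISTEN line for a port you did not knowingly open, or an ESTABLISHED count that keeps growing for one remote host, is the thing to look into further.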

lemuriaX
June 24th, 2008, 08:33 PM
Netstat is an amazing tool which I do want to learn more about. Have used it some but like you don't really know how to interpret a lot of the data.

But even though I plan to develop my skills there more, I still would like a simple GUI that would just monitor port activity. I liked that about using Firestarter, that I could check real quick to see what ports I had connections running on, and it would show a little graphical alert if detecting "events".

tomplast
June 24th, 2008, 08:48 PM
I'm administrating a server which got hacked (or something, at least it tried to DDOS servers or something like that) and after that nobody (except me) is allowed to login, Intrusion Detection Systems over the place, avoiding give out software signatures (like Apache version, FTP version etc).

hovzio
June 24th, 2008, 08:57 PM
I'm administrating a server which got hacked (or something, at least it tried to DDOS servers or something like that) and after that nobody (except me) is allowed to login, Intrusion Detection Systems over the place, avoiding give out software signatures (like Apache version, FTP version etc).

Do you know how you got hacked? What took place? Are you talking about "security measures" when mentioning intrusion detection systems and software signatures?

monstermudder78
June 24th, 2008, 09:06 PM
Intrusion Detection Systems over the place, avoiding give out software signatures (like Apache version, FTP version etc).

Huh? Is this the result or the advice you are giving?

nick09
June 24th, 2008, 09:13 PM
Yes!

That's why I posted the link to my asking how to use the Forum tools.

I don't get it????????????

But I'm working on it :confused:

When you post click Manage Attachments in Additional options to upload the png file and Submit your reply.

Or you could use an image host like imageshack (http://imageshack.us/) and embed it using these tags:

(insert link to image here)

tomplast
June 25th, 2008, 03:04 PM
Do you know how you got hacked? What took place? Are you talking about "security measures" when mentioning intrusion detection systems and software signatures?

The only out of the order stuff that I found was some oddly timed logins (in the middle of the night) by one of the students (the server hosts their web pages) and after those logins the outgoing traffic increased exponentially.

Anyway, I do believe that a better firewall policy would have helped but lessons are meant to be learned, and I surely learned mine. Intrusion detection systems, restrict logins on the server was now a must for me.

I surely never wanna get a long piece of paper again that shows that "my server" has attacked others :mad:, and hopefully I will never have to deal with that again.
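
The two signals mentioned in this thread, SSH login attempts against a home server and logins at odd hours on a shared server, can both be pulled out of sshd's log, which Ubuntu writes to /var/log/auth.log. This is an added example, not part of any post; the function names, host name, users and addresses are made up, and the 00-05 off-hours window is an assumption to adjust.

```shell
#!/bin/sh
# Added example: off-hours logins and failed-login counts from sshd log lines.
# Real use on Ubuntu:  ssh_login_report 0 5 < /var/log/auth.log

ssh_login_report() {
    # $1/$2: first and last hour (0-23) treated as off-hours; default 00-05.
    awk -v lo="${1:-0}" -v hi="${2:-5}" '
    BEGIN { lo += 0; hi += 0 }
    $5 !~ /^sshd\[/ { next }               # only lines written by sshd
    {
        user = ""; ip = ""
        for (i = 6; i < NF; i++) {
            if ($i == "for" && user == "") user = $(i + 1)
            # Keep the LAST "from": the user name is client-supplied text
            # and can itself contain the word "from".
            if ($i == "from") ip = $(i + 1)
        }
    }
    $6 == "Accepted" {
        hour = substr($3, 1, 2) + 0
        # A window such as 22..5 wraps past midnight.
        off = (lo <= hi) ? (hour >= lo && hour <= hi) : (hour >= lo || hour <= hi)
        if (off) print "OFFHOURS " $1 " " $2 " " $3 " " user " " ip
    }
    $6 == "Failed" { fail[ip]++ }
    END { for (a in fail) print "FAILED " fail[a] " " a }
    ' | LC_ALL=C sort
}

# Constructed log lines in sshd format (documentation address ranges).
sample_auth_log() {
    cat <<'EOF'
Jun 24 02:13:45 web1 sshd[2101]: Accepted password for student7 from 203.0.113.50 port 40022 ssh2
Jun 24 03:00:01 web1 sshd[2150]: Failed password for root from 198.51.100.9 port 33000 ssh2
Jun 24 03:00:03 web1 sshd[2150]: Failed password for invalid user test from 198.51.100.9 port 33001 ssh2
Jun 24 03:00:05 web1 sshd[2150]: Failed password for invalid user x from 10.0.0.1 from 198.51.100.9 port 33002 ssh2
Jun 24 09:01:02 web1 sshd[2300]: Accepted publickey for admin from 192.168.1.5 port 50000 ssh2
Jun 24 09:05:00 web1 CRON[2310]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

sample_auth_log | ssh_login_report
```

An OFFHOURS line gives the time, account and source address to compare against when outgoing traffic started to climb.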