Twitter defacement

It is all over the news today that Twitter was defaced yesterday. There is a lot of speculation about what happened, but this is the alert I received yesterday from the Sucuri Network Monitor:

Sucuri nbim: twitter.com DNS modified

Modifications:
3a4
< twitter.com has address 128.121.146.100
< twitter.com has address 168.143.162.52
> twitter.com has address 66.147.242.88

This alert was generated by the Sucuri Network Integrity Monitor. Log in to your dashboard at http://sucuri.net.

So we can see that it was indeed a DNS redirection attack, and that their servers were probably not attacked directly.

If you are curious where they host their DNS, here it is:

Domain Name: TWITTER.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com
Name Server: NS1.P26.DYNECT.NET
Name Server: NS2.P26.DYNECT.NET
Name Server: NS3.P26.DYNECT.NET
Name Server: NS4.P26.DYNECT.NET
Status: clientTransferProhibited
Updated Date: 27-may-2009
Creation Date: 21-jan-2000
Expiration Date: 21-jan-2018

If you tried to access their services last night, we recommend changing your password ASAP. If you want to monitor your own domain names for this kind of issue (for free), visit http://sucuri.net
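As an added example (not Sucuri's monitor, whose internals are not on this page), here is a small Python check that keeps a baseline of A records per domain, re-resolves each name, and emits a diff in the same '<' / '>' form as the alert above. The resolver is injectable so the demo runs offline against constructed answers built from the addresses in the alert; live_resolver shows how to plug in the system resolver instead. The BASELINE and SAMPLE_ANSWERS dictionaries and the severity grading are my own assumptions.

```python
import socket
from typing import Callable, Dict, List, Set

Resolver = Callable[[str], Set[str]]

# Baseline: the A records last seen for each monitored name. The two
# twitter.com addresses are the ones quoted in the alert above (assumed baseline).
BASELINE: Dict[str, Set[str]] = {
    "twitter.com": {"128.121.146.100", "168.143.162.52"},
}

# Constructed answers standing in for a live lookup so the example runs
# offline; the new address is the one the alert reported.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "twitter.com": {"66.147.242.88"},
}


def live_resolver(name: str) -> Set[str]:
    """Resolve A records through the system resolver (not used by the offline demo)."""
    _, _, addrs = socket.gethostbyname_ex(name)
    return set(addrs)


def sample_resolver(name: str) -> Set[str]:
    """Offline stand-in for live_resolver, returning the constructed answers."""
    return set(SAMPLE_ANSWERS.get(name, set()))


def diff_records(name: str, baseline: Set[str], current: Set[str]) -> List[str]:
    """Render the change in the style of the alert: '<' removed, '>' added."""
    removed = sorted(baseline - current)
    added = sorted(current - baseline)
    lines = [f"< {name} has address {ip}" for ip in removed]
    lines += [f"> {name} has address {ip}" for ip in added]
    return lines


def severity(baseline: Set[str], current: Set[str]) -> str:
    """An address never seen before is the hijack signature; a missing one is
    more often round-robin DNS or an outage, so it is rated lower."""
    if current - baseline:
        return "high"
    return "low" if baseline - current else "none"


def check_domains(baseline: Dict[str, Set[str]], resolve: Resolver) -> Dict[str, dict]:
    """Return {name: {"severity", "lines"}} for every name that changed or failed to resolve."""
    alerts: Dict[str, dict] = {}
    for name, expected in baseline.items():
        try:
            current = resolve(name)
        except OSError as exc:  # socket.gaierror and friends
            # A failed lookup is reported on its own, not as "all records removed".
            alerts[name] = {"severity": "error", "lines": [f"lookup failed: {exc}"]}
            continue
        lines = diff_records(name, expected, current)
        if lines:
            alerts[name] = {"severity": severity(expected, current), "lines": lines}
    return alerts


def format_alert(name: str, alert: dict) -> str:
    """Build the alert text in the same layout as the Sucuri e-mail."""
    header = [f"{name} DNS modified ({alert['severity']})", "", "Modifications:"]
    return "\n".join(header + alert["lines"])


if __name__ == "__main__":
    for name, alert in check_domains(BASELINE, sample_resolver).items():
        print(format_alert(name, alert))
```

Build the baseline from the union of several polls before trusting it, since round-robin or geo DNS can legitimately answer with a subset of the addresses; a brand-new address, as in the alert above, is the case that deserves the high rating.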

Searching vulnerable sites with Google

At http://sucuri.net/ we have a free online tool that lets you scan any domain name for security issues. It is very simple and reports web server versions, domain names that may be leaking, vulnerable web apps running, etc.

Lately, I noticed that “Google Bots” have been using our site and scanning thousands of hosts per day. You know what that means? Well, now you can google for vulnerable sites and it will show the results from our scanning tool. Just choose a vulnerable application (or the version you are looking for) and restrict the search to site:http://sucuri.net.

For example:

  1. Search for all Nginx web servers
  2. Search for all Nginx web servers running version 0.4
  3. Search for all sites powered by PHP
  4. Search for sites leaking the WordPress internal path
  5. Search for sites with their public DNS pointing to private IP addresses

Note that Google only started crawling us that way a few days ago, so the number of reported sites is likely to increase a lot over the next few weeks…

On a side note, there is a project called SHODAN that also allows you to search for web server versions and open ports. Their database is far larger than ours and is organized by IP address (while ours is per domain).
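Before a crawler indexes a scan of your site, you can run the same checks yourself. The following is an added example, not the Sucuri scanner's code: it parses a raw HTTP response for version strings in the Server and X-Powered-By headers and for an absolute WordPress path leaked in an error message, and it flags public DNS names whose A records fall into private address space (the kinds of findings listed in items 1 to 5 above). The response, hostnames and addresses are constructed, and the regular expressions are my assumptions about what such a leak looks like.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed HTTP response (status line, headers, blank line, body) standing
# in for a real fetch of your own site. Versions and the path are made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: nginx/0.4.13\r\n"
    "X-Powered-By: PHP/5.2.9\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<b>Warning</b>: include(): failed opening "
    "'/home/example/public_html/wp-content/plugins/foo.php' on line 12\n"
)

# Constructed DNS answers; 10.0.0.5 is an RFC 1918 private address.
SAMPLE_RECORDS = {
    "www.example.test": ["93.184.216.34"],
    "intranet.example.test": ["10.0.0.5"],
}

# "product/version" at the start of a header value, e.g. nginx/0.4.13
VERSION_RE = re.compile(r"^([A-Za-z][\w-]*)/(\d[\w.]*)")
# Absolute filesystem path that reveals where WordPress is installed
WP_PATH_RE = re.compile(
    r"(/(?:home|var|usr|srv|opt)/[\w./-]*?wp-(?:content|includes|admin)/[\w./-]*)"
)


def parse_response(raw: str):
    """Split a raw HTTP response into a lower-cased header dict and the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_leaks(raw: str) -> List[Dict[str, str]]:
    """Return the disclosures a search-engine-indexed scan would have picked up."""
    headers, body = parse_response(raw)
    findings: List[Dict[str, str]] = []
    for header in ("server", "x-powered-by"):
        m = VERSION_RE.match(headers.get(header, ""))
        if m:
            findings.append({"kind": "version", "where": header,
                             "value": f"{m.group(1)} {m.group(2)}"})
    for path in WP_PATH_RE.findall(body):
        findings.append({"kind": "path", "where": "body", "value": path})
    return findings


def private_dns_records(records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Names whose public A records point into private or other non-routable space."""
    leaked: Dict[str, List[str]] = {}
    for name, ips in records.items():
        private = [ip for ip in ips if ipaddress.ip_address(ip).is_private]
        if private:
            leaked[name] = private
    return leaked


if __name__ == "__main__":
    for f in find_leaks(SAMPLE_RESPONSE):
        print(f"{f['kind']:8} {f['where']:13} {f['value']}")
    for name, ips in private_dns_records(SAMPLE_RECORDS).items():
        print(f"private  dns           {name} -> {', '.join(ips)}")
```

The fixes are the usual ones: strip version tokens from the Server and X-Powered-By headers (server_tokens off in nginx, expose_php = Off in PHP), turn display_errors off so paths never reach the browser, and keep internal hostnames out of the public zone.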

Process monitoring with OSSEC

OSSEC v2.3 was just released, and one feature that really interested me was process monitoring. This is what the OSSEC team says about it:

“We love logs. Inside OSSEC we treat everything as if it was a log and parse it appropriately with our rules. However, some information is not available in log files but we still want to monitor them. To solve that gap, we added the ability to monitor the output of commands via OSSEC and treat those just like they were log files.”

Basically, it allows you to monitor the output of any command and generate alerts/active responses from them.

Cool, let’s try it out. First, let’s monitor the output of “httpd status” to receive alerts if Apache ever goes down. I added the following command to my ossec.conf and the following rule to my local_rules.xml:


command
/etc/init.d/httpd status


530
ossec: output: ‘/etc/init.d/httpd status':
is stopped
Apache STOPPED.

Now, if I manually stop Apache to try it out, within a few seconds I get this via email:

2009 Dec 08 10:45:04 (sucuri) xx->/etc/init.d/httpd status
Rule: 100200 (level 10) -> ‘Apache STOPPED.’
Src IP: (none)
User: (none)
ossec: output: ‘/etc/init.d/httpd status': httpd is stopped

Perfect! Now I can have all my monitoring in just one tool… The next step is to create an active response to restart the service on failure.
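To see how the rule above is applied, here is an added example (not OSSEC's code) that parses that local_rules.xml snippet with Python's xml.etree and replays it over a few constructed command-output lines as the agent would log them. It assumes that rule 530 is the parent OSSEC assigns to every line starting with "ossec: output:" (which is how the stock rule works), models <match> as a literal substring test, and uses Python's re as a stand-in for OSSEC's own, narrower regex syntax.

```python
import re
import xml.etree.ElementTree as ET
from typing import Any, Dict, List

# The rule as added to local_rules.xml above (id and level match the e-mailed
# alert). OSSEC requires a <group> wrapper around rules.
LOCAL_RULES = """<group name="local,">
  <rule id="100200" level="10">
    <if_sid>530</if_sid>
    <match>ossec: output: '/etc/init.d/httpd status':</match>
    <regex>is stopped</regex>
    <description>Apache STOPPED.</description>
  </rule>
</group>"""

# Rule 530 is OSSEC's built-in parent for every command-output event; here it
# is modelled as "the line carries the 'ossec: output:' prefix" (assumption).
COMMAND_OUTPUT_SID = "530"
COMMAND_OUTPUT_PREFIX = "ossec: output: "

# Constructed agent log lines, one per poll of a monitored command.
SAMPLE_LOGS = [
    "ossec: output: '/etc/init.d/httpd status': httpd (pid 2187) is running...",
    "ossec: output: '/etc/init.d/httpd status': httpd is stopped",
    "ossec: output: 'df -h': /dev/sda1 9.9G 9.9G 0 100% /",
    "sshd[1234]: Accepted publickey for admin from 192.0.2.7 port 50000",
]


def load_rules(xml_text: str) -> List[Dict[str, Any]]:
    """Read the fields this example evaluates out of an OSSEC rules file."""
    root = ET.fromstring(xml_text)
    rules: List[Dict[str, Any]] = []
    for node in root.iter("rule"):
        rules.append({
            "id": node.get("id"),
            "level": int(node.get("level", "0")),
            "if_sid": node.findtext("if_sid", "").strip(),
            "match": node.findtext("match", ""),
            "regex": node.findtext("regex", ""),
            "description": node.findtext("description", ""),
        })
    return rules


def parent_sid(log: str) -> str:
    """Which parent rule (if any) a line is decoded as, in this simplified model."""
    return COMMAND_OUTPUT_SID if log.startswith(COMMAND_OUTPUT_PREFIX) else ""


def rule_fires(rule: Dict[str, Any], log: str) -> bool:
    """if_sid, then <match> (substring), then <regex>; every present field must pass."""
    if rule["if_sid"] and parent_sid(log) != rule["if_sid"]:
        return False
    if rule["match"] and rule["match"] not in log:
        return False
    if rule["regex"] and not re.search(rule["regex"], log):
        return False
    return True


def evaluate(rules: List[Dict[str, Any]], logs: List[str]) -> List[Dict[str, Any]]:
    """Return one alert record per (rule, log) pair that fires."""
    alerts = []
    for log in logs:
        for rule in rules:
            if rule_fires(rule, log):
                alerts.append({"rule": rule["id"], "level": rule["level"],
                               "description": rule["description"], "log": log})
    return alerts


def format_alert(alert: Dict[str, Any]) -> str:
    """Mimic the two key lines of the OSSEC e-mail shown above."""
    return (f"Rule: {alert['rule']} (level {alert['level']}) -> '{alert['description']}'\n"
            f"{alert['log']}")


if __name__ == "__main__":
    for alert in evaluate(load_rules(LOCAL_RULES), SAMPLE_LOGS):
        print(format_alert(alert))
```

Note that the rule only fires when the command produces the string "is stopped"; if the init script itself is missing or errors out, the output changes and nothing matches, so a second rule for unexpected output is worth adding alongside this one.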

Improve Domain Name Security, Lessons Learned

I was very interested to read this article by http://syedaqeel.com/, where he talks about a recent domain name hijacking that he suffered and how our Sucuri monitoring service helped him. This is what he said:

One thing that saved me from a lot of trouble in this domain hijack attempt is ‘Network Integrity Monitoring’. When the cracker made changes to my domain names, I got an alert by email instantly, and upon investigating I discovered that my domain account was compromised. If I hadn’t had ‘Network Integrity Monitoring’, maybe it would have been too late for me to know about that. I got this service from sucuri.net. And another amazing thing is, this handy service is free to use.

Check out the whole article at: Improve Domain Name Security, Lessons Learned From Domain Name Hijacking