More WordPress XMLRPC Brute Force Attacks

If I never see this file again, it might be too soon.

We’re seeing an uptick in requests to xmlrpc.php, the API endpoint for WordPress. The wp.getUsersBlogs method is being hit across a large number of domains; I managed to grab a series of request payloads:


Enabling PCRE JIT in OpenResty on CentOS

I’m quickly finding that openresty is an excellent stack, bundling a large number of nginx modules and Lua functionality. One of the most useful features I’ve found so far is the nginx Lua API’s ability to perform PCRE matches (Lua offers string.find, with a pattern syntax similar to PCRE, but it lacks robustness). PCRE performance can be improved with PCRE JIT (just-in-time) compilation, but that requires JIT support in the underlying system’s PCRE package. JIT was introduced in PCRE 8.21, and, go figure, the upstream package on CentOS is PCRE 7.8.


Don’t Be This Guy

Seriously, this crap is really annoying.

Logging Mod_Security in JSON

mod_sec audit logs are atrocious. There have been a few attempts to make parsing audit data more palatable: BitsOfInfo recently wrote up a proof of concept for working through audit logs with logstash, and the AuditConsole project from JWall provides a more comprehensive approach to collecting log data, but neither solution addresses the inherent problem of how messy the native audit log data is.

As part of my Master’s thesis I need a way to efficiently audit, sort and store audit logs; building my own parser, while doable, would be a waste of time, so I’ve forked the ModSecurity project on GitHub and built a patch that implements JSON logging directly in the application, replacing the old audit log data structures entirely. There’s still a long way to go, but the initial patch seems stable and produces valid JSON.

Pulling Apart ‘Closed Source’

For a while my mom was using Living Cookbook, a .NET-based desktop solution for managing recipes. It’s decent software, fairly stable and feature-filled, but its commercial closed source nature means locked-in users, and no alternative for when you lose your license as a result of a hardware failure (or human error). So when mom called in a mild panic over losing Grandma’s lasagna recipe, I knew I had to take a gander.


ZOMG REMOTE SHELL EXPLOIT!!!! … Or, Not

A new post to the Full Disclosure mailing list today detailed a remote code execution vulnerability within all available versions of the Nagios Remote Plugin Executor (NRPE), and provided a PoC that included gaining a reverse shell on the target server. Note that this reported exploit relies on a separate (but similar) vulnerability report in CVE-2013-1362. In today’s post, Dawid Golunski properly identifies a weakness within the NRPE argument sanitization that could allow a client to execute arbitrary commands on the remote host within the context of the NRPE user. At first this seems like a pretty serious vulnerability, but further analysis shows that successful exploitation hinges on a series of bad practices not related to the NRPE code itself.


Big Things

Are brewing. And not breaking. All good things.

More later.

Obligatory InfoSec Blog Heartbleed Post

http://heartbleed.com/

Too lazy to write anything else. You know what to do.

Also, http://wordpress.org/news/2014/04/wordpress-3-8-2/

Brute Force Uptick

Okay, so just to clarify: am I actually breaking this news? No. Definitely not. But my automated log scanner picked up a jump in malicious activity on my network yesterday, so it’s worth taking a closer look. First, we see the jump in numbers:

Note that addresses have been lazily obfuscated but do not actually belong to the same class C, though some do share common ASNs (and some do indeed share a common class C). Wonderful, so let’s take a look at the log itself (a small sample is presented below for brevity):


On Struggle

No code today.

It’s 2 AM and I’m at that wonderfully frustrating in-between stage of fatigue where one is too tired to complete any task requiring significant concentration, yet too wired to sleep. Plus, I’m slated to start a two-week graveyard rotation at work, so I need to tweak my sleep schedule a bit, which makes this a perfect time to crack open that Red Bull and muse about my existence. Or maybe just sit here and stare blankly at my screen while the second season of The Big Bang Theory hums on in the background.
