Archives pour 06/2015

MMD-0035-2015 – .IptabLex or .IptabLes on shellshock.. sponsored by ChinaZ actor

30/06/2015 Comments off

Source: Malware Must Die!

The background

.IptabLex & .IptabLes ELF DDoS malware is the malware made by China DDoSer crime group, designed to infect multiple architecture of Linux distribution, was aiming for Linux boxes in the internet with the low security and authentication flaw in SSH as vector of infection, was an emerged ELF threat in 2014.

Historically, MalwareMustDie, NPO (MMD) is the first entity who detected this malware around May last year and named it as Linux .Iptablesx|s on our last year’s alert MMD-0025-2014 [link] released on June 15, 2014. And we build malware repository for this ELF family for sharing samples and trend for researchers and industries on kernelmode started from September 4th 2014 [link], since the threat was gone so wild at the time and there was so few information about this malware that causing low awareness and detection ratio, so we managed all we can to suppress the growth of infection rate.

The DDoS attacks originated from this malware, in quantity of incidents and traffic used, was so massive in 2014 causing some warning was released from important security entities in September 2014, as per announced by Prolexic (thank you for mentioning MalwareMustDie) [link] in their Threat Advisory with « High Risk » level, following by Akamai‘s warning referred to the Prolexic’s advisory announcing the world wide warning [link] of .IptableS|X.

Afterward, Linux .IptableS / .IptablesX ELF malware was still be detected in the wild until the end of October 2014, but since November 2014 we did not find any significant wave of infection using these family, wiped by the emerge of many other China DDoS new malware families that we detected also afterwards. From the early this year (January 2015), we started to assume the malware popularity and development of .IptabLes|x was stopped..

However, on June 27th 2015 I was informed in the twitter by a friend @TinkerSec for what was suspected as Linux/ChinaZ infection. I supported him with ELF binary sample’s « real time » analysis in twitter as per shown in his report below:

Today, our team mate @benkow has detected a shellshock attack with having the same payload as sample, and curiousity made me taking a deeper analysis this time, to find and feel so surprised to realize that the payload is a Linux IptableS or .IptablesX variant actually. I can not believe this myself so I checked many times until I am very positive with this conclusion and after understanding why we were thinking it was Linux/ChinaZ I wrote this information as the follow up, the return of 2014’s DDoS disaster, the IptableS|X threat. Below is the detail.

Lire la suite…

Categories: Réseau, Sécurité Tags: , ,

OpenVPN Documentation

25/06/2015 Comments off

Source: OpenVPN official documentation

OpenVPN daemons (JSON format):

./sacli VPNStatus

Show the number of users currently connected to the VPN:

./sacli VPNSummary

Show the status of internal Access Server services:

./sacli status

Stop internal Access Server services:

./sacli stop

Start/restart internal Access Server services:

./sacli start

The ‘start’ command is smart in the sense that if the Access Server
is already running, and you modified the configuration via
the Config DB, only those services whose parameters are changed
will be restarted. Note that if you modify any parameters in
the Access Server bootstrap configuration file
(/usr/local/openvpn_as/etc/as.conf), you will need to do a full unix
restart in order for those settings to take effect.

Also note that the start/stop commands above don’t actually start or
stop the Access Server daemon itself, only internal services
within the daemon. To start/stop the access server daemon itself,
use the traditional unix syntax:

Start the Access Server daemon:

/etc/init.d/openvpnas start

Stop the Access Server daemon:

/etc/init.d/openvpnas stop

Restart the Access Server daemon:

/etc/init.d/openvpnas restart
Categories: Réseau, Système Tags: , ,

Find Duplicate Files (based on size first, then MD5 hash)

19/06/2015 Comments off
Terminal – Find Duplicate Files (based on size first, then MD5 hash)
find -not -empty -type f -printf "%s\n" | sort -rn | uniq -d | xargs -I{} -n1 find -type f -size {}c -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate
Find Duplicate Files (based on size first, then MD5 hash)

This dup finder saves time by comparing size first, then md5sum, it doesn’t delete anything, just lists them.

Terminal – Alternatives
find -type f -exec md5sum '{}' ';' | sort | uniq --all-repeated=separate -w 33 | cut -c 35-

Calculates md5 sum of files. sort (required for uniq to work). uniq based on only the hash. use cut ro remove the hash from the result.

find -type d -name ".svn" -prune -o -not -empty -type f -printf "%s\n" | sort -rn | uniq -d | xargs -I{} -n1 find -type d -name ".svn" -prune -o -type f -size {}c -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate

Improvement of the command « Find Duplicate Files (based on size first, then MD5 hash) » when searching for duplicate files in a directory containing a subversion working copy. This way the (multiple dupicates) in the meta-information directories are ignored.

Can easily be adopted for other VCS as well. For CVS i.e. change « .svn » into « .csv »:

find -type d -name ".csv" -prune -o -not -empty -type f -printf "%s\n" | sort -rn | uniq -d | xargs -I{} -n1 find -type d -name ".csv" -prune -o -type f -size {}c -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separate

find -not -empty -type f -printf "%-30s'\t\"%h/%f\"\n" | sort -rn -t$'\t' | uniq -w30 -D | cut -f 2 -d $'\t' | xargs md5sum | sort | uniq -w32 --all-repeated=separate

Finds duplicates based on MD5 sum. Compares only files with the same size. Performance improvements on:

find -not -empty -type f -printf "%s\n" | sort -rn | uniq -d | xargs -I{} -n1 find -type f -size {}c -print0 | xargs -0 md5sum | sort | uniq -w32 --all-repeated=separateThe new version takes around 3 seconds where the old version took around 17 minutes. The bottle neck in the old command was the second find. It searches for the files with the specified file size. The new version keeps the file path and size from the beginning.

find . -type f -exec md5 '{}' ';' | sort | uniq -f 3 -d | sed -e "s/.*(\(.*\)).*/\1/"

This works on Mac OS X using the `md5` command instead of `md5sum`, which works similarly, but has a different output format. Note that this only prints the name of the duplicates, not the original file. This is handy because you can add `| xargs rm` to the end of the command to delete all the duplicates while leaving the original.

Categories: Système Tags: ,

Split OpenVPN configuration files

18/06/2015 Comments off

Source: npm

Splits OpenVPN (.ovpn) files into separate files for private key, user+ca certificates and tls-auth key, for use with network-manager in debian/ubuntu.

openvpn-config-splitter can be installed using npm:

# NPM:
npm install -g openvpn-config-splitter
# Install globally
$ npm install -g openvpn-config-splitter
# Run it, specifying your unsplit OpenVPN configuration file
$ ovpnsplit path/to/some/config.ovpn
# Config is now split into separate files, new configuration
# linking to the split files has been generated
$ ls path/to/some
ca.crt  client.key  client.ovpn  client.split.ovpn  ta.key  user.crt
var fs = require('fs'),
 configPath = '/some/path/to',
 splitter = require('openvpn-config-splitter');
var paths = {
 'caCert': configPath + '/openvpn-ca.crt',
 'userCert': configPath + '/openvpn-user.crt',
 'privateKey': configPath + '/openvpn-private.key',
 'tlsAuth': configPath + '/openvpn-tls.key'
fs.readFile(configPath + '/config.ovpn', function(err, originalConfig) {
 if (err) {
 console.error('Could not read file (' + err.path + ')');
 splitter.split(originalConfig, paths, function(err, parts, missing) {
 if (err) {
 * `parts` now contain the matched parts of the config + new config
 * (caCert, userCert, privateKey, tlsAuth, config)
 * `missing` is an array containing the parts that were NOT found -
 * use this if you want to warn the user or fall back if you require
 * a specific part to be present
 // Want to write the split files? 
 splitter.writeToFiles(parts, paths, function(err) {
 if (err) {
 console.log('Hooray, we split the files and wrote them to disk!');
Categories: Réseau, Système Tags: , ,

Typical iptables

11/06/2015 Comments off
# Modify this file accordingly for your specific requirement.
# 1. Delete all existing rules
iptables -F

# 2. Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# 3. Block a specific ip-address
#iptables -A INPUT -s "$BLOCK_THIS_IP" -j DROP
 Lire la suite...

(D)DoS Deflate

10/06/2015 Comments off


(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n

IP addresses with over a pre-configured number of connections are automatically blocked in the server’s firewall, which can be direct iptables or Advanced Policy Firewall (APF). (We highly recommend that you use APF on your server in general, but deflate will work without it.)

Notable Features

  • It is possible to whitelist IP addresses, via /usr/local/ddos/ignore.ip.list.
  • Simple configuration file: /usr/local/ddos/ddos.conf
  • IP addresses are automatically unblocked after a preconfigured time limit (default: 600 seconds)
  • The script can run at a chosen frequency via the configuration file (default: 1 minute)
  • You can receive email alerts when IP addresses are blocked.


chmod 0700


chmod 0700 uninstall.ddos


Although most things are explained on this page, if you have any further questions, you may contact the original developer of the script, Zaf.

Categories: Réseau, Système Tags: ,

How To Use Port Knocking to Hide your SSH Daemon from Attackers on Ubuntu

04/06/2015 Comments off


Servers, by definition, are implemented as a means of providing services and making applications and resources accessible to users. However, any computer connected to the internet is inevitably targeted by malicious users and scripts hoping to take advantage of security vulnerabilities.

Firewalls exist and should be used to block access on ports not being utilized by a service, but there is still the question of what to do about services that you want access to, but do not want to expose to everybody. You want access when you need it, but want it blocked off otherwise.

Port knocking is one method of obscuring the services that you have running on your machine. It allows your firewall to protect your services until you ask for a port to be opened through a specific sequence of network traffic.

In this guide, we will discuss how to implement port knocking as a method of obscuring your SSH daemon on an Ubuntu 12.04 VPS using the knockd package.

Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, « iptables » only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called « ip6tables », which can be used to maintain firewall rules for IPv6 network addresses.

If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS

Lire la suite…

How To Configure Port Knocking Using Only IPTables on an Ubuntu VPS

04/06/2015 Comments off



Servers that are connected to the internet are subjected to all manners of attacks and probes by malicious users, scripts, and automated bots. It is sometimes a balancing act to secure your server from attacks without affecting legitimate access to your services and resources.

Certain types of services are meant to be visible and consumable to the public internet. An example of this is a web server. Other types of services are typically used by only the system administrator or a select number of individuals and are not meant to be a public resource.

A concept known as port knocking is a way of shielding processes that fit into the latter description. Port knocking works by covering the ports associated with a process behind a firewall until a specific, predetermined sequence of network activity occurs. At this point, the port knocking service reconfigures the firewall to allow access to the protected application.

In a previous article, we discussed how to enable port knocking through a specially designed port knocking service. In this article, we will discuss an alternative method of configuring port knocking.

This method does not rely on an external application to alter the firewall rules. Instead, the iptables firewall can take advantage of a state-tracking module called « recent » to do all of this within the firewall rules themselves.

We will be configuring this on an Ubuntu 12.04 droplet, but any kind of Linux server should operate in a similar manner.

Note: This tutorial covers IPv4 security. In Linux, IPv6 security is maintained separately from IPv4. For example, « iptables » only maintains firewall rules for IPv4 addresses but it has an IPv6 counterpart called « ip6tables », which can be used to maintain firewall rules for IPv6 network addresses.

If your VPS is configured for IPv6, please remember to secure both your IPv4 and IPv6 network interfaces with the appropriate tools. For more information about IPv6 tools, refer to this guide: How To Configure Tools to Use IPv6 on a Linux VPS

Lire la suite…

25 Most Frequently Used Linux IPTables Rules Examples

02/06/2015 Comments off


At a first glance, IPTables rules might look cryptic.

In this article, I’ve given 25 practical IPTables rules that you can copy/paste and use it for your needs.

These examples will act as a basic templates for you to tweak these rules to suite your specific requirement.

For easy reference, all these 25 iptables rules are in shell script format: iptables-rules
Lire la suite…

Categories: Réseau, Sécurité Tags: ,

Configurer IPTables pour Netfilter sous Debian Squeeze

02/06/2015 Comments off

Qu’est-ce que c’est?

IPTables regroupe les lignes de commandes nécessaires à la gestion de Netfilter. Oui mais que fait Netfilter ? Pour les anglophones, vous aurez remarquer que dans Netfilter, il y a Net et il y a Filter donc à priori ça va parler d’Internet et de filtrage. Et qui dit filtrage, veut dire Firewall.

Voilà le mot est laché ! Le couple Netfilter/IPTables permet de faire du filtrage de port grâce à des règles de pare-feu. Il sera alors possible de bloquer certains paquets IP et de laisser passer ceux qui nous intéressent. Par exemple par le port 80 (le port pour http), le trafic Internet sera possible et votre navigateur préféré vous emmènera sur les autoroutes du savoir offert par Internet. Lire la suite…