I already wrote some time ago about the Windows netstat command, in the post View active TCP/UDP sessions from the command prompt.
Today I will explain how to use this simple but powerful tool to identify malware, or applications we do not want phoning home.
Here is how to monitor TCP connections with netstat and obtain a detailed log of the processes that access the Internet without our knowledge:
Before starting the monitoring phase it is best to close every program that connects to the Internet (browsers, chat programs, peer-to-peer clients, and so on), since we want a log file that is as "clean" as possible.
Make sure the computer has no more active connections, then, leaving the PC connected to the Internet, open the command prompt and type:
netstat -bn [intervallo] >connections.log
The output statistics are saved in the file connections.log:
every TCP connection is logged with addresses and ports in numeric form (-n) and the name of the process that opened the connection (-b). The interval, given in seconds, is how often the command is re-run in a loop.
netstat -bn 10 >connections.log
This is potentially an infinite loop, but you can stop it at any time by pressing Ctrl + C.
Ideally leave it listening for several hours, or overnight.
And here is the output; you can see a connection made by MSN Messenger:
Active Connections
TCP 192.168.1.1:1031 207.46.108.86:1863 ESTABLISHED 288
[Msnmsgr.exe][...]
You could also automate the end of the capture by using AT to kill the process at a time of your choosing:
C:\>time
The current time is: 00.00.00,00
Enter the new time:
C:\>at 06:00 cmd /c "taskkill /F /IM cmd.exe"
C:\>netstat -bn 10 >connections.log
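Once the log has run overnight, reading it by hand is tedious. The following script is an added example, not part of the original post: it parses the kind of output that netstat -bn writes (connection line followed by the owning executable in square brackets, as in the MSN Messenger excerpt above), groups the remote endpoints by executable, and lists the executables that are not on an allowlist you provide. The sample log embedded below is constructed for the demonstration; only the MSN Messenger line mirrors the post. Note that the -b switch needs an administrator prompt, otherwise netstat reports insufficient permissions and the owner lines are missing.

```python
"""Summarise a netstat -bn log per process.

Added example (not from the original post): it reads the kind of log that
`netstat -bn 10 >connections.log` produces and groups the remote endpoints by
the executable that owns each connection, so that an unexpected process is
easy to spot. The sample log below is constructed for the demonstration; the
MSN Messenger line mirrors the one shown in the post.
"""
import re
from collections import defaultdict

# Constructed sample of two netstat -bn iterations (Windows XP layout):
# each connection line is followed by the owning executable in brackets.
SAMPLE_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
 [msnmsgr.exe]
  TCP    192.168.1.1:1045       203.0.113.7:6667       ESTABLISHED     1412
 [updater.exe]
  TCP    192.168.1.1:1051       198.51.100.20:80       SYN_SENT        1412
 [updater.exe]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1045       203.0.113.7:6667       ESTABLISHED     1412
 [updater.exe]
"""

# A connection line: protocol, local and foreign address, optional state, PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
# The bracketed owner line that -b prints under a connection.
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_connections(log_text):
    """Return one dict per connection line, with the executable -b attributed to it."""
    records = []
    pending = None  # connection line still waiting for its owner line
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            if pending:
                records.append(pending)
            proto, local, remote, state, pid = m.groups()
            pending = {"proto": proto, "local": local, "remote": remote,
                       "state": state or "", "pid": int(pid), "exe": "<unknown>"}
            continue
        m = OWNER_RE.match(line)
        if m and pending:
            # -b may print a chain of components; the last bracketed name is the executable
            pending["exe"] = m.group(1).lower()
    if pending:
        records.append(pending)
    return records


def summarize(log_text):
    """Group the remote endpoints and PIDs observed for each executable."""
    summary = defaultdict(lambda: {"remotes": set(), "pids": set()})
    for rec in parse_connections(log_text):
        summary[rec["exe"]]["remotes"].add(rec["remote"])
        summary[rec["exe"]]["pids"].add(rec["pid"])
    return dict(summary)


def flag_unexpected(summary, allowlist):
    """Executables that opened connections but are not on the allowlist, sorted."""
    allowed = {name.lower() for name in allowlist}
    return sorted(exe for exe in summary if exe not in allowed)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for exe, info in sorted(report.items()):
        print(f"{exe}: pids={sorted(info['pids'])} remotes={sorted(info['remotes'])}")
    print("not on allowlist:", flag_unexpected(report, ["msnmsgr.exe"]))
```

Run it against the real file with `summarize(open("connections.log").read())`; an executable you do not recognize, or a known one talking to an unexpected port, is the thing to investigate.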
16 Oct
Posted by Tacu in Internet , Security
Tags: Intrusion Detection , php , PHPIDS
PHPIDS is an Intrusion Detection System that is easy to install and lets you protect all your web applications, websites and PHP scripts without slowing down their execution.
PHPIDS is free and it is now at version 0.5.3.
The script, which is included in the pages to protect (or hooked into every HTTP request through a php.ini setting that we will see shortly), analyzes requests without filtering or "stripping" the input: it simply recognizes the malicious code and reacts exactly as you want, even according to the severity of the attack; for example you can instruct the IDS to stop loading the page after logging the input and the IP of the potential intruder.
PHPIDS is able to detect attempted XSS, SQL injection, header injection, directory traversal, RFE/LFI, DoS and LDAP injection attacks. It can also detect hostile requests that have been obfuscated, such as code injected through the UTF-7 charset encoding or through Unicode, decimal and hexadecimal entities.
Example in UTF-7:
+ADw-script+AD4-alert('Hacked!')+ADsAPA-/script+AD4-
which decoded becomes:
<script>alert('Hacked!');</script>
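The reason an IDS has to decode before it matches is easy to show. The script below is an added example, not PHPIDS code: a plain pattern check on the raw request misses the UTF-7 payload above, while the same check applied after decoding catches it, and the same holds for a tag written with hexadecimal entities. The entity sample is constructed for the demonstration.

```python
"""Match after decoding: why obfuscated input must be normalized first.

Added example, not PHPIDS code: it shows that a pattern check applied to the
raw request misses the UTF-7 payload from the post, while the same check
applied after decoding catches it. Entity decoding (decimal/hex) is handled
the same way; the entity sample is constructed for the demonstration.
"""
import html
import re

# The UTF-7 payload shown in the post.
UTF7_PAYLOAD = "+ADw-script+AD4-alert('Hacked!')+ADsAPA-/script+AD4-"
# Constructed: the same tag written with hexadecimal HTML entities.
ENTITY_PAYLOAD = "&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;"

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def decode_utf7(value):
    """Decode UTF-7 shift sequences (+...-); return the text unchanged if it is not valid UTF-7."""
    if "+" not in value:
        return value
    try:
        return value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return value


def normalize(value):
    """Undo the encodings an attacker may hide behind: HTML entities first, then UTF-7."""
    return decode_utf7(html.unescape(value))


def contains_script_tag(value):
    return SCRIPT_TAG.search(value) is not None


def check_input(value):
    """Return (raw_hit, normalized_hit, normalized_text) for one request value."""
    normalized = normalize(value)
    return contains_script_tag(value), contains_script_tag(normalized), normalized


if __name__ == "__main__":
    for sample in (UTF7_PAYLOAD, ENTITY_PAYLOAD, "plain text"):
        raw, norm, text = check_input(sample)
        print(f"raw={raw!s:5} normalized={norm!s:5} -> {text}")
```

The decoding step is deliberately forgiving: an input that merely contains a "+" but is not valid UTF-7 is passed through untouched, so ordinary text is never mangled before inspection.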
The analysis of the input is based on a set of filtering rules collected in a single XML file that is under constant development, which helps a lot in keeping the attack definitions up to date.
Each rule is assigned a numeric "impact", which determines the severity of the attack under way: based on the impact it is therefore possible to define and customize how PHPIDS reacts to neutralize the intrusion attempt.
To keep track of the reported attacks, logging functions to text files, databases or by e-mail are available, and they can be used simultaneously:
if ($result->getImpact() >= 40) { /* impact threshold */
    require_once 'IDS/Log/File.php';
    require_once 'IDS/Log/Email.php';
    require_once 'IDS/Log/Composite.php';

    /* $init is the IDS_Init instance, $result the IDS_Report returned by IDS_Monitor::run() */
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(
        IDS_Log_File::getInstance($init),
        IDS_Log_Email::getInstance($init)
    ); /* log to file and e-mail */
    $compositeLog->execute($result); /* write the report to every registered logger */

    /* stop loading */
    die('Your attack was <h1>Logged</h1>');
}
For Windows Vista users who are by now thoroughly fed up, Microsoft published (July 2008) an e-book that aims to be a guide to tuning the system by hand for a substantial increase in performance.
Here is an overview of the topics covered in the tutorial:
- Configure the system to make applications more responsive.
- Adapt and optimize the hardware.
- Speed up loading of the operating system.
- Improve the computer's performance by making it more "secure."
- Lessons on performance monitoring.
The guide is in English, but it is very readable and full of pictures and examples.
Download: Windows Vista® Performance and Tuning Tutorial
Source: Scattered Notes
I am not mad: yes, we can easily make a site believe we are the Googlebot spider.
Why would we? Simple: in some cases this trick spares us the "trouble" of registering on various sites, blogs and forums while doing research on the web.
The typical scenario is this: we type a search on Google, follow one of the results, and are faced with a registration request that is required to access the desired content. Which is sometimes very annoying.
Clearly Googlebot, the famous spider (or crawler) that constantly scours the Web looking for content to index, finds doors opened a little wider than others do. The reason I have already stated: the spider analyzes and indexes pages, indexing means popularity, popularity means more visibility and, for the webmaster, more money, given that their pages show a little advertising.
That is why everyone has an interest in letting Googlebot read their content, even content that would normally not be accessible to unregistered users, and this is what happens even for a simple discussion thread.
Just change the User-Agent of your browser, a text string (a header) sent to servers with every HTTP request and used to identify the client (browser) used for browsing.
Quite simply, if you use Firefox, the string sent is:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Googlebot also sends a header when it knocks on the door of a web page, and it is this one:
User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)
If you want to try, I recommend Firefox, installing a lightweight add-on that changes HTTP headers at will: Modify Headers.
Install it, add the Googlebot string as shown in the image, activate the change and have fun.
My advice is to enable the header only while doing research, because some domains tend to serve the bot lo-fi versions of their pages.
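Seen from the server side, the lesson of this post is that the User-Agent string proves nothing, so a site that grants Googlebot extra access must verify the claim some other way. The script below is an added example, not part of the original post: it checks that the reverse DNS name of the client IP lies in googlebot.com or google.com and that a forward lookup of that name returns the same IP, which is the standard way to tell a real crawler from a browser sending the header above. The lookup functions are injectable, and the DNS tables and IP addresses used here are constructed (documentation ranges, fictitious host names) so the example runs offline.

```python
"""Verify a Googlebot claim by DNS rather than by User-Agent.

Added example, not part of the original post: a server that gives Googlebot
special treatment must not trust the header alone. The check below requires
that the client IP's reverse DNS name lies under googlebot.com or google.com
and that the forward lookup of that name returns the same IP. The lookup
tables and addresses are constructed for an offline demonstration.
"""
import socket

GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.3) "
              "Gecko/2008092417 Firefox/3.0.3")
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

# Constructed DNS answers (documentation address ranges, fictitious names).
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com",        # consistent rDNS + forward
    "203.0.113.5": "pc-5.example.net",                     # desktop sending the bot header
    "198.51.100.9": "crawl-9.googlebot.com.evil.example",  # suffix trick in the PTR name
    "198.51.100.20": "crawl-20.googlebot.com",             # PTR claims Google, forward disagrees
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "pc-5.example.net": ["203.0.113.5"],
    "crawl-9.googlebot.com.evil.example": ["198.51.100.9"],
    "crawl-20.googlebot.com": ["192.0.2.77"],
}


def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise OSError("no PTR record")
    return FAKE_PTR[ip]


def fake_forward(host):
    if host not in FAKE_A:
        raise OSError("no A record")
    return FAKE_A[host]


def real_reverse(ip):
    """Live reverse lookup (needs network)."""
    return socket.gethostbyaddr(ip)[0]


def real_forward(host):
    """Live forward lookup (needs network)."""
    return socket.gethostbyname_ex(host)[2]


def claims_googlebot(user_agent):
    return "googlebot" in user_agent.lower()


def is_verified_googlebot(ip, reverse_lookup=real_reverse, forward_lookup=real_forward):
    """True only if rDNS lands in a Google crawler domain and forward DNS maps the name back to ip."""
    try:
        host = reverse_lookup(ip)
    except OSError:
        return False
    if not host.rstrip(".").lower().endswith(GOOGLE_SUFFIXES):
        return False
    try:
        addresses = forward_lookup(host)
    except OSError:
        return False
    return ip in addresses


def classify(ip, user_agent, reverse_lookup=real_reverse, forward_lookup=real_forward):
    """Return 'verified-googlebot', 'spoofed-googlebot' or 'regular-client'."""
    if not claims_googlebot(user_agent):
        return "regular-client"
    if is_verified_googlebot(ip, reverse_lookup, forward_lookup):
        return "verified-googlebot"
    return "spoofed-googlebot"


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, classify(ip, GOOGLEBOT_UA, fake_reverse, fake_forward))
    print("203.0.113.5", classify("203.0.113.5", FIREFOX_UA, fake_reverse, fake_forward))
```

The forward lookup is what defeats a forged PTR record: anyone controlling the reverse zone of their own address space can name a host whatever they like, but they cannot make Google's zone answer for it. A "spoofed-googlebot" result is the signal to serve the ordinary, registration-gated page.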
04 Oct
Posted by Tacu in Security , Windows
Tags: recovery, tricks
DTIData publishes on its official blog a series of articles and tips on protecting personal data.
On the subject of CHKDSK (check disk), the file system checking utility available in DOS and Windows, Jacqui Best explains why it is important to make a full backup before using it when a malfunctioning medium holds important data.
CHKDSK is a tool developed to check and restore the integrity of the file system; it can also be used to detect bad sectors and make sure the system ignores them, and it is the first built-in resource available when Windows will not start.
What is usually overlooked is that CHKDSK was not designed to check the integrity of the data.
I quote from a Microsoft Knowledge Base article that discusses the utility's function:
"Also note that NTFS does not guarantee the integrity of user data after an instance of disk corruption, even if you run a full CHKDSK operation immediately. There might be files that CHKDSK cannot recover, and files that CHKDSK does recover might still be internally corrupted. It remains vitally important that you protect mission-critical data by performing periodic backups or by using some other robust method of data recovery."
If you want to minimize the chance of losing your data, the advice is to make a disk image before attempting recovery with check disk, since otherwise you lose (a lot of) time and can further damage the hard drive, making the job hard even for a specialist.
To prevent any unwanted execution of the command (Windows tends to schedule it at the next reboot when it finds errors), at least until the data we care about is safe, you can use a little trick:
from a DOS prompt, which is what we are left with if the system does not start even in safe mode, type
Chkntfs /x C:
where instead of C: you enter the drive letter of the damaged disk.