Bleakants.com

Computer, Internet, News & Interesting Solutions

I wrote some time ago about the Windows netstat command, in the post "View the active TCP/UDP sessions with the command prompt".

Today I will explain how to use this simple but powerful tool to identify malware or unwanted applications that connect to the Internet.

Here is how to monitor TCP connections with netstat and obtain a detailed log of the processes that access the Internet without our knowledge.

Before starting the monitoring phase it is best to close every program that connects to the Internet (browser, chat clients, peer-to-peer clients and so on), because we want a log file that is as "clean" as possible.
Make sure the computer has no more active connections, then, leaving the PC connected to the Internet, open the command prompt and type:

netstat -bn [interval] >connections.log

The output is saved in the file connections.log:
every TCP connection is logged with numeric IP addresses and ports (-n) and with the name of the executable that opened it (-b). The interval, in seconds, is how often netstat repeats the listing; without it the command prints a single snapshot and exits. Two caveats: on Windows Vista and later, -b only works from an elevated (administrator) prompt, and the log contains only the connections that exist at each sampling instant, so a connection that opens and closes between two samples is never seen (use a short interval if that matters).

netstat -bn 10 >connections.log

This loop runs until you stop it with Ctrl+C.
Ideally leave it running for several hours or overnight.

Here is a fragment of the output; the connection shown belongs to MSN Messenger (the last column is the PID, and the bracketed line under each connection is the executable that owns it):

Active Connections
TCP 192.168.1.1:1031 207.46.108.86:1863 ESTABLISHED 288
[Msnmsgr.exe]

[...]

You can also automate when the capture stops with the AT scheduler, so that the process is killed at a time of your choosing. Note that killing cmd.exe does not necessarily stop the netstat process it launched (taskkill only kills child processes when given /T), so it is safer to kill netstat itself; on newer Windows versions AT has been replaced by schtasks:

C:\>time
The current time is: 00.00.00,00
Enter the new time:
C:\>at 06:00 cmd /c "taskkill /F /IM netstat.exe"
C:\>netstat -bn 10 >connections.log
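A log left running overnight contains the same connections repeated once per interval, so the useful work is the post-processing: collapse the snapshots into a table of which process talked to which remote endpoint and flag the ones you did not expect. The script below is an added example, not code from this post; SAMPLE_LOG is constructed to look like the XP-era output shown above (connection row, PID in the last column, executable in brackets on the next line) and is not captured data, and the allow-list of processes that are expected to reach the Internet is the caller's own:

```python
"""Summarise a log written by `netstat -bn <interval> > connections.log`.

Added example, not code from the original post.  SAMPLE_LOG is constructed
to look like the XP-era output shown in the post (connection row, PID in
the last column, owning executable in brackets on the next line); it is
not captured data.  The allow-list of processes is the caller's own."""
import ipaddress
import re

# One connection row.  State and PID are optional so UDP rows (no state)
# and output from netstat builds without a PID column still parse.
CONN_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+|\*)\s+"
    r"(?P<raddr>\S+):(?P<rport>\d+|\*)(?:\s+(?P<state>[A-Z_]+))?"
    r"(?:\s+(?P<pid>\d+))?\s*$")
# The executable that -b prints after each row, e.g. "[Msnmsgr.exe]".
EXE_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")

SAMPLE_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
  [Msnmsgr.exe]
  TCP    192.168.1.1:1042       192.168.1.10:445       ESTABLISHED     4
  [System]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
  [Msnmsgr.exe]
  TCP    192.168.1.1:1077       93.184.216.34:443      ESTABLISHED     1540
  [updater.exe]
"""


def parse_log(text):
    """Return one dict per connection row.  Every 'Active Connections'
    header starts a new snapshot; the bracketed line that follows a row
    (after any DLL path lines -b may print) names the owning process."""
    rows, snapshot, pending = [], 0, None
    for line in text.splitlines():
        if line.strip() == "Active Connections":
            snapshot += 1
            continue
        m = CONN_RE.match(line)
        if m:
            pending = dict(m.groupdict(), snapshot=snapshot, exe=None)
            rows.append(pending)
            continue
        m = EXE_RE.match(line)
        if m and pending is not None:
            pending["exe"] = m.group("exe")
            pending = None
    return rows


def is_public(addr):
    """True for a remote address routable on the Internet, i.e. not
    loopback, link-local, multicast or private (RFC 1918 and friends)."""
    try:
        ip = ipaddress.ip_address(addr.strip("[]"))  # strip IPv6 brackets
    except ValueError:                               # "*" or garbage
        return False
    return not (ip.is_private or ip.is_loopback
                or ip.is_link_local or ip.is_multicast)


def summarize(rows):
    """Collapse the repeated snapshots: for each (process, remote host,
    remote port) count the snapshots it appeared in, the first and last
    one, and the PIDs seen, so a log with thousands of lines becomes a
    short table of who talked to whom."""
    summary = {}
    for r in rows:
        if r["rport"] == "*":          # listening socket, no peer
            continue
        key = (r["exe"] or "?", r["raddr"], int(r["rport"]))
        e = summary.setdefault(key, {"first": r["snapshot"], "last": 0,
                                     "count": 0, "pids": set()})
        e["last"] = r["snapshot"]
        e["count"] += 1
        if r["pid"]:
            e["pids"].add(int(r["pid"]))
    return summary


def suspects(summary, expected=frozenset()):
    """Keys whose process is not in the allow-list of programs you expect
    to reach the Internet and whose peer is a public address.  Names are
    compared case-insensitively because netstat prints them as found."""
    allowed = {name.lower() for name in expected}
    return sorted(k for k in summary
                  if is_public(k[1]) and k[0].lower() not in allowed)


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for (exe, host, port), e in sorted(summary.items()):
        print(f"{exe:13} -> {host}:{port:<5} seen {e['count']}x "
              f"(snapshots {e['first']}-{e['last']}) pids={sorted(e['pids'])}")
    print("unexpected Internet traffic:",
          suspects(summary, {"msnmsgr.exe", "system"}))
```

To run it on a real capture, pass the contents of connections.log to parse_log (read the file with the console code page, e.g. encoding="cp850" or "cp1252", and errors="replace") and put the programs you left running in the allow-list; everything that remains in the suspects list is a process that reached a public address while you were not looking, which is exactly what the overnight capture is for.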

PHPIDS Intrusion Detection System

PHPIDS is an easy-to-install intrusion detection system that lets you protect all your web applications, websites and PHP scripts without affecting their execution speed.

PHPIDS is free and is currently at version 0.5.3.

How it works

The script, which is included in the pages to protect (or prepended to every HTTP request through a php.ini setting, auto_prepend_file, covered later in the post), analyzes requests without filtering or "stripping" the input: it simply recognizes malicious code and reacts exactly as you configure it to, according to the severity of the attack. For example, you can instruct the IDS to stop loading the page after logging the input and the IP address of the potential intruder.

PHPIDS can detect attempted XSS, SQL injection, header injection, directory traversal, RFI/LFI, DoS and LDAP injection attacks. It also detects hostile requests that have been obfuscated, such as code injected in the UTF-7 charset or as Unicode, decimal or hexadecimal entities.

Example in UTF-7:

+ADw-script+AD4-alert('Hacked!')+ADsAPA-/script+AD4-

which decoded becomes:

<script>alert('Hacked!');</script>

Input analysis is based on a set of filter rules collected in a single XML file that is under constant development, which makes it easy to keep the attack definitions up to date.
Each rule carries a numerical "impact" that expresses the severity of the attack being detected: depending on the impact accumulated by a request you can define and customize how PHPIDS neutralizes the intrusion attempt.
To keep track of the reported attacks, logging functions to text files, databases or by e-mail are available, and they can be combined. In the following snippet $init and $result come from the usual IDS_Init / IDS_Monitor setup, shown at the top:

<?php
require_once 'IDS/Init.php';
require_once 'IDS/Log/File.php';
require_once 'IDS/Log/Email.php';
require_once 'IDS/Log/Composite.php';

/* inspect the request and compute its impact */
$request = array('REQUEST' => $_REQUEST, 'GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE);
$init    = IDS_Init::init('IDS/Config/Config.ini');
$ids     = new IDS_Monitor($request, $init);
$result  = $ids->run();

if ($result->getImpact() >= 40) { /* impact threshold */
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(
        IDS_Log_File::getInstance($init),
        IDS_Log_Email::getInstance($init)
    ); /* log to file and by e-mail */
    $compositeLog->execute($result);
    /* stop loading the page */
    die('Your attack was <h1>logged</h1>');
}
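The two ideas in this post that matter most to anyone writing or tuning a web IDS are the decoding step (the UTF-7 example above would sail past a rule that only looks at the raw bytes) and the impact score that the threshold check in the PHP snippet acts on. The following Python is an added example, not PHPIDS code: RULES is a hypothetical four-rule set standing in for the project's XML filter file, the normalize() layers are a simplification of the conversions a real IDS performs, and the thresholds in decide() are the ones from the snippet above (log anything, stop the page at impact 40), not PHPIDS defaults. All request parameters are constructed.

```python
"""Why an IDS must decode before it matches: a toy rule engine in the
spirit of PHPIDS' impact-scored filters.

Added example, not PHPIDS code.  RULES is a hypothetical four-rule set,
not the project's default_filter.xml, and the thresholds in decide() are
the ones from the post's PHP snippet (log everything, stop the page at
impact 40), not PHPIDS defaults."""
import html
import re
import urllib.parse

# (regex, description, impact) -- hypothetical rules for the demo.
RULES = [
    (re.compile(r"<\s*script\b", re.I),               "script tag",          4),
    (re.compile(r"\b(alert|eval)\s*\(", re.I),        "js function call",    3),
    (re.compile(r"\b(or|and)\s+\d+\s*=\s*\d+", re.I), "sql tautology",       5),
    (re.compile(r"(\.\./){2,}"),                      "directory traversal", 4),
]


def utf7_decode(value):
    """Decode UTF-7 shift sequences such as +ADw- ('<'); plain text passes
    through unchanged and malformed sequences never raise."""
    return value.encode("ascii", "replace").decode("utf-7", "replace")


def normalize(value):
    """Candidate readings of one parameter: raw, percent-decoded, HTML
    entities (&#60; &#x3c; &lt;) decoded, then UTF-7 decoded.  Each layer
    is applied on top of the previous one, so nested obfuscation such as
    an entity hidden inside a percent-encoded value unwraps as well."""
    forms = [value]
    forms.append(urllib.parse.unquote(forms[-1]))
    forms.append(html.unescape(forms[-1]))
    forms.append(utf7_decode(forms[-1]))
    return forms


def analyze(params, decode=True):
    """Match every rule against every reading of every parameter.  A rule
    scores once per parameter, whichever reading tripped it.  Returns the
    total impact and a list of (parameter, rule, impact, matching text)."""
    total, findings = 0, []
    for name, value in params.items():
        forms = normalize(value) if decode else [value]
        for rx, desc, impact in RULES:
            hit = next((f for f in forms if rx.search(f)), None)
            if hit is not None:
                total += impact
                findings.append((name, desc, impact, hit))
    return total, findings


def decide(total, block_at=40):
    """Policy from the post's snippet: anything with impact is logged,
    and from block_at upwards the page is also stopped."""
    if total >= block_at:
        return "block"
    return "log" if total > 0 else "allow"


if __name__ == "__main__":
    # Constructed requests: the post's UTF-7 payload, a double-encoded
    # entity payload, and a harmless one.
    samples = {
        "utf7":   {"q": "+ADw-script+AD4-alert('Hacked!')+ADsAPA-/script+AD4-"},
        "entity": {"q": "%26%2360%3Bscript%26%2362%3B"},
        "benign": {"q": "hello world"},
    }
    for label, params in samples.items():
        raw_total, _ = analyze(params, decode=False)
        total, findings = analyze(params)
        print(f"{label}: raw-only impact {raw_total}, decoded impact {total} "
              f"-> {decide(total)}")
        for name, desc, impact, hit in findings:
            print(f"   {name}: {desc} (+{impact}) in {hit!r}")
```

Running it shows the point of the decoding step: the UTF-7 payload scores only 3 when matched raw (the alert( call is visible, the script tag is not), but 7 once the +ADw-/+AD4- sequences are unwrapped, and the double-encoded entity payload scores 0 raw and 4 decoded. A rule set is only as good as the normalization in front of it.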


No, I have not lost my mind: yes, you can easily make a site believe you are the Googlebot spider.
Why would you? Simple: in some cases this trick saves us the "trouble" of registering on various sites, blogs and forums while researching on the web.

The typical scenario: you run a search on Google, follow one of the results and are faced with a registration request, required to access the content you want. Which at times is very annoying.

Clearly Googlebot, the famous spider (or crawler) that scours the web around the clock looking for content to index, finds the doors open a little wider than others. The reason I have already hinted at: the spider analyzes and indexes pages, being indexed means popularity, popularity means more visibility and, for the webmaster, more money, if only because the pages carry a bit of advertising.
That is why everybody has an interest in letting Googlebot read their content, even where it would normally not be accessible to unregistered users, and that is exactly what happens, for a simple matter of visibility.

How does it work?

Just change the User-Agent of your browser, a text string (an HTTP header) sent to the servers with every HTTP request and used to identify the client (browser) being used.
For example, with Firefox the string sent is:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.3) Gecko/2008092417 Firefox/3.0.3
Googlebot also sends a header when it knocks on a page's door, and it is this one:
User-Agent: Googlebot/2.1 (+http://www.googlebot.com/bot.html)

If you want to try it I recommend using Firefox with a lightweight add-on that changes HTTP headers at will: Modify Headers.
Install it, add the Googlebot string as shown in the image, enable the change and have fun.
My advice is to enable the header only while doing research, because some sites tend to serve bots a "lo-fi" version of their pages. Keep in mind too that the header is entirely under the client's control, so a site that wants to know whether a request really comes from Google can check the client IP with a reverse DNS lookup; the trick only works against sites that trust the User-Agent string alone.
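To see both halves of the exchange, here is an added example (not code from this post) with a small HTTP server that serves the full article only to a User-Agent starting with "Googlebot/" and a client that fetches the same page twice, first with the Firefox string quoted above and then with the Googlebot string. The server, its cloaking rule and the two page bodies are hypothetical stand-ins for a site that opens its doors to search engines; everything runs on the loopback interface.

```python
"""Both sides of the trick: a server that cloaks on User-Agent and a
client that sends Googlebot's string.  Added example, not from the post.
The server, its cloaking rule and the page bodies are hypothetical stand-ins
for a site that shows full content only to search engines; the
User-Agent strings are the two quoted in the post."""
import http.server
import threading
import urllib.request

FIREFOX_UA = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.0.3) "
              "Gecko/2008092417 Firefox/3.0.3")
GOOGLEBOT_UA = "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"

FULL = b"<h1>Full article</h1><p>Search engines get the whole text.</p>"
TEASER = b"<h1>Teaser</h1><p>Register to read the rest of this article.</p>"


def classify(user_agent):
    """The server's whole decision: it trusts a header the client wrote.
    That is why sending Googlebot's string opens the door."""
    return "full" if user_agent.startswith("Googlebot/") else "teaser"


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Serves FULL to anything claiming to be Googlebot, TEASER otherwise."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        body = FULL if classify(ua) == "full" else TEASER
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # silence per-request logging
        pass


def start_server():
    """Bind the cloaking site on a free loopback port in a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch(url, user_agent):
    """GET url with the chosen User-Agent (the header Modify Headers
    overrides in the browser), bypassing any proxy settings."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def demo():
    """Fetch the same page as a browser and as 'Googlebot'; returns both bodies."""
    srv = start_server()
    url = f"http://127.0.0.1:{srv.server_port}/article"
    try:
        return {"browser": fetch(url, FIREFOX_UA),
                "spoofed": fetch(url, GOOGLEBOT_UA)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for who, body in demo().items():
        print(f"{who:8}: {body}")
```

The server side is the lesson for anyone running a site: classify() looks only at a string the client chose, so whatever it protects is not protected. Google's documented way to tell its crawler apart is to reverse-resolve the requesting IP, check that the name ends in googlebot.com or google.com, and forward-resolve that name back to the same IP; anything based on the header alone falls to the add-on described above.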

Online FLV to MP3 Converter

With this web-based converter you can extract, on the fly, the audio track of any FLV video on the web, YouTube included.

Upload the FLV file or enter its URL, start the conversion and download the audio track in MP3 format.

To convert YouTube videos simply copy the address of the video page (e.g. http://www.youtube.com/watch?v=UdYRzH10L2M).

To convert videos from other video-hosting sites you can grab the FLV with this popular Firefox add-on: Fast Video Download.

Why use openDNS?

We started talking about OpenDNS in Italy when a strong smell of censorship began to spread. Not that such practices had never been adopted by our government (see the long list of gambling sites that have been blocked), but the last straw was definitely the blocking of The Pirate Bay, one of the largest BitTorrent trackers in the world.

The people at TPB got themselves talked about far and wide thanks to their rebellion and protest against the 'country lock' policies imposed by certain countries, which, in my personal opinion, have simply fuelled people's curiosity about these channels, because they really are resources with something interesting to offer and they facilitate, among other things, the distribution of a large amount of free material, such as Linux distributions.

OpenDNS arrives at the right moment with a high-quality, competitive DNS service built on generosity, cooperation and independence from providers, who unfortunately are subject to government influence.

Besides being immune to the effects of the country lock, it is a definitely better and more favourable service than the one provided by the average ISP: beyond reliability, it offers many additional services designed for businesses and schools but also for ordinary home networks. Personally I would even pay for it, if it were not already completely free.
Accessing these extra services only requires registering on the website, which is free, immediate and open to everybody, while to benefit from the plain Domain Name System service it is enough to enter the addresses 208.67.222.222 and 208.67.220.220 as DNS servers in your connection properties, with no registration at all.

Reasons for using OpenDNS

As I said, with these 'free' DNS servers you can circumvent censorship, simply because the service is free of any interest that conflicts with user satisfaction. Keep in mind that this only bypasses blocks enforced at the DNS level by your ISP's resolvers: a block applied to the destination IP address is not affected, and plain DNS queries still travel in the clear.
But let's talk about security and content filtering, the good kind.
The great advantage of this solution is the protection against phishing and fraud for web users, but you can also choose between six different levels of filtering for your home or corporate network.
Categories and blocks are maintained by the community of users of the service (a few million) through polls and votes on domain names and addresses whose nature is still uncertain. If an unwanted site escapes the content filter, in addition to reporting it right away, you can block it on your own network.

Here are the six possibilities:

  • High (blocks the categories: phishing, video sharing, entertainment, social networking, pornography, warez, illegal)
  • (blocks the categories: phishing, pornography, warez, illegal)
  • Low (protects against phishing and blocks pornography)
  • Minimal (protects against phishing) * recommended mode
  • None (no blocks, no protection)
  • Custom (you choose the categories to block)

With OpenDNS browsing is faster because the servers reserve large amounts of memory for caching addresses: not having to query other DNS servers for every request received greatly reduces response time. In addition, requests are always routed to the server physically closest to you.

Another interesting feature is typo correction: when you type a wrong URL into the browser (e.g. http://wikipedia.ogr) OpenDNS recognizes the spelling error and points you to the correct domain.

If you use services like TinyUrl, know that the same idea is available here under the name Shortcuts: in your control panel (or dashboard) you can define a few words as shortcuts to long addresses that are hard to remember (e.g. "mail" -> http://mail.google.com/mail).

For administrators of small and medium networks there is a nice statistics service that helps analyze the volume of requests made by users, with explanatory charts or tables and the ability to export all data as CSV (comma-separated fields) or in printable form. The data collected are:

  1. Total DNS requests
  2. Total unique domains
  3. Total unique IPs (useful for larger networks)
  4. Requested domains
  5. Requested domains that were blocked
  6. Request types (A, MX, PTR, ...)

You can also consult the definitions to tell apart the nature of the requests your users submit during the analysis, and at any time you can reset all data and start over.

At http://system.opendns.com (or http://208.67.219.60/ if you have resolution problems) there is a permanent server monitoring page for the six locations, five in the United States and one in London. The page shows the current status of the servers, that of the last 30 days, some trend statistics and the number of DNS requests resolved per day: very impressive at the moment, both in the numbers and in the absence of negative reports.

Why all this? What do they gain?

OpenDNS earns money by serving an error page with relevant advertising every time you type an address that does not exist into your browser. When the service offered is very good and reliable, earning a little this way makes everybody happy. Be aware, though, that this means a nonexistent name resolves to the address of that error page instead of returning a "no such domain" (NXDOMAIN) error, which can confuse software other than browsers that relies on a failed lookup.

To use the service, I refer you to the instructions on the official page. You can also configure your router to hand out the OpenDNS servers automatically via DHCP.

Update

In the last few hours The Pirate Bay has been released from seizure :-)

August 2010