Skip to main content


Showing posts from August, 2008

Welcome to Mark Baggett - In Depth Defense

I am the course Author of SANS SEC573 Automating Information Security with Python. Check back frequently for updated tools and articles related to course material.


I recently had the no so pleasurable task of dissecting an 0wn3d host to determine what happened.  The attacker did the system owner a favor and tagged the site with a defacement image making detection pretty easy.  The image appeared in small title frame on the top of the page.   My initial guess was they had a directory traversal vulnerability in the image upload engine and some weak permissions on a folder structure.   We took a look at the date/time of the defaced pic and it showed the image had change the previous evening.    "find / -mtime 0" showed a few other files that had changed around the same time.   One of them was a new PHP file.   vi revealed it was a variant of the c99 PHP Shell.    So we go to the apache logs and find the attackers IP and try to figure out how he got in.     There are two interesting entries:
[14/Aug/2008:22:18:42 - - [14/Aug/2008:22:18:42 -0400] "POST /index.php?option=com_user&task=completereset HTTP/1.1" 301 - […