Tag Archive : security

I Passed eMAPT Certification

June 20, 2017 | Publication | No Comments

Two days ago, I completed my journey in the eMAPT (eLearnSecurity Mobile Application Penetration Tester) certification. The certificate ID is eMAPT-117, which can be verified here. This is my second certification process and I am glad that I passed.

So what’s the fun in eMAPT?

As eLS said, the eMAPT certification is really practical. It uses no multiple-choice style of exam. In the certification process, I was tasked to create a program to exploit the vulnerabilities in a certain application. Worry not. In the MASPT (Mobile Application Security and Penetration Testing) course, the course provided for the eMAPT certification, we can learn many things, starting from the basic and fundamental concepts. I can say that eLS has done a good job elaborating the course materials with lots of lab experience.

Oh, the course itself has two sections. One for Android and another one for iOS.

That’s it. I won’t spoil the fun any more than that.

Creating a Web Bug

December 11, 2015 | Article | No Comments

A Web Bug is a simple graphic on a web site or in an email that collects information about the user who is visiting the website or reading the email. In the early days of the internet, it was often used for several purposes.

People often say to look for graphics which are 1×1 pixel in size to identify a web bug. However, even a normal graphic can be a Web Bug.

In this article we will discuss how to create such a web bug.

For this purpose, we use:

  1. Apache web server (either self-hosted or hosted elsewhere) which allows .htaccess files
  2. PHP enabled, with the GD library installed.

Steps

Create a new folder, something like “webbug” folder.

Create a “.htaccess” file in the “webbug” folder containing the following line:

ForceType application/x-httpd-php

It tells the server to treat everything in this folder as a PHP file (even with no extension or a different one). So “randompic.jpg” will be treated as a PHP file and not as a JPG file.

Put a JPG file (the one which is going to be the Web Bug later) into the “webbug” folder. Let’s say “xathrya.jpg”.

Create a new file and save it as (let’s say) “sig.jpg” in the “webbug” folder. This is the file with all the PHP code. Copy the following code as the content of “sig.jpg”.

<?php
header("Content-Type: image/jpeg");

// Log the IP address of whoever requested the picture.
// X-Forwarded-For is a client-supplied header, so its value is untrusted.
if (!empty($_SERVER["HTTP_X_FORWARDED_FOR"])) {
   $ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
} else {
   $ip = $_SERVER["REMOTE_ADDR"];
}
$ip = "IP: ".$ip."<br />";

// Open the log file in append mode ("w+" would truncate it on every request).
$hfile = fopen("data.txt", "a");
fwrite($hfile, $ip);
fclose($hfile);

// Load the image placed in the folder earlier and write it as the response.
$BGImage = imagecreatefromjpeg("xathrya.jpg");
imagejpeg($BGImage);
imagedestroy($BGImage);
?>

The snippet above will be treated as a JPG file by the browser, after we have logged whatever information we want. This simple script logs the user’s IP address and at the end sends JPEG data, so the image gets shown and nobody has a clue that something else is going on in between.

What is a Web Bug capable of? Many things, just like any common PHP script. However, this is interesting because people might not know what is happening until they inspect it.
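A reader-side check for the point made above, as an added example that is not part of the original post: this Python script lists every image in an HTML message that makes the client contact a remote server, whether it is 1×1 or normal sized. The sample HTML, the host names and the function name find_remote_images are constructed for illustration.

```python
"""List images in an HTML message that can act as web bugs (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; hosts and file names are made up.
SAMPLE_HTML = """
<html><body>
<p>Hello!</p>
<img src="cid:logo@example.test" alt="embedded logo">
<img src="http://tracker.example.test/webbug/sig.jpg" width="468" height="60">
<img src="https://mail.example.test/o.gif?uid=12345" width="1" height="1">
<img src="//cdn.example.test/spacer.gif" style="display:none">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=" width="1" height="1">
</body></html>
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    return value is not None and value.strip().lower().rstrip("px") in ("0", "1")


def find_remote_images(html):
    """Return one finding per image that makes the client contact a server."""
    parser = ImageCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.images:
        src = (attrs.get("src") or "").strip()
        parts = urlsplit(src)
        # cid: and data: images travel inside the message, so no request is sent.
        # "//host/path" has no scheme but is still fetched from a remote host.
        remote = parts.scheme in ("http", "https") or (not parts.scheme and parts.netloc)
        if not remote:
            continue
        reasons = ["remote fetch"]
        if _is_tiny(attrs.get("width")) and _is_tiny(attrs.get("height")):
            reasons.append("1x1 size")
        if parts.query:
            reasons.append("query string (possible recipient identifier)")
        findings.append({"host": parts.hostname, "url": src, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_remote_images(SAMPLE_HTML):
        print(finding["host"], "-", ", ".join(finding["reasons"]))
```

The 468×60 image served from the “webbug” folder is reported just like the 1×1 one, which is why mail clients block all remote images by default rather than only tiny ones.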

Why Linux/Unix is Less Infected by Malware?

December 11, 2015 | Article | 1 Comment

Initially I wrote this as a reply to a local group discussion with a similar question. Then my friend said I should publish my answer as a post. Thanks for the advice, and here is our discussion.

First, what is malware?

Malicious software (malware) is any software used to disrupt computer operation, gather sensitive information, or gain access to a certain computer. It can appear in the form of executable code, scripts, active content, or anything else. From the user’s perspective, any malware is often called a virus, but that’s not exactly true. Viruses are one category of malware. Malware can be divided into categories such as computer viruses, worms, trojan horses, adware, rootkits, etc. A full discussion of malware would be another topic, so let’s limit our discussion to computer viruses and worms.

There’s a myth that if you are using Linux you are immune to malware. This is partially true. Viruses and worms exist even in the Unix world. You can read a list of them on Wikipedia.

Now we come to the real question: why is Linux/Unix less infected by malware? Some people might answer based on user demographics (who uses Linux and other OSes). Personally I don’t choose this answer and would rather go for a more technical one.

Please note that this is my own opinion and might be biased.

Distribution

In terms of OS distribution, the most used operating system worldwide is still Windows. I took the statistics from W3schools: Linux and Unix got less than 10% each. As of September 2014, the most used operating system is Windows 7.

Linux and Unix are mostly used for servers, embedded systems, devices, etc., although quite a lot of people use Linux as their main operating system. As we know, whoever creates something must have a specific goal or purpose. As the OS market share is still dominated by Windows, it is no wonder that malware for Windows keeps popping up. Mostly it targets users.

If by chance Linux dominated the market share, it should be obvious that malware would spring up and target Linux. This is natural.

The Insides

To determine the answer, first we need to look inside both OSes.

Windows

Why does Windows suck?

  1. Windows API – Windows has rich APIs. Some of the Windows API (WIN32 API) can be executed by any user. Yes, you got the point. When one user makes a mistake, boom! The system is in danger. Also, Windows is famous for wanting to be as backward compatible as possible (hence, we have Windows 10 instead of Windows 9), which implies that you can still use that API.
  2. Access Control List – Yes, Windows has ACLs. But how many of us know about them, or use them? People don’t know about them and may not apply them. Without control, malware can spread freely. Yes, you can use ACLs, but by default each resource you have is not affected by an ACL.
  3. Multiuser Design – Windows has common users and a superuser (known as Administrator). But on most systems, the one user on the system is also a superuser.
  4. Device Access – Literally! On some Windows versions, any program can access any connected device if you program it to. Life is easier.
  5. Registry system – Windows uses a huge database for its global configuration, known as the registry. Like I said in point (1), whoever you are, you can access the registry. You can also change configuration easily; you can even set an autostart entry in the registry to call your malware.
  6. Extensions – Most worms use another extension as camouflage. For example, a worm might disguise itself as a Word document, using the same icon as Microsoft Word. Users can be fooled by this appearance. Also, the extension itself is registered in the registry. Windows will look in the registry and call the appropriate program for this extension.

Linux

Now let’s compare it to Linux.

  1. API – Linux also has APIs for some operations. But the operation is guaranteed to always comply with access control. You can only do what you are allowed to do. Linux/Unix access control is often called Discretionary Access Control and it is enforced in the kernel itself. You cannot do something which you are not privileged to do.
  2. Access Control – The Discretionary Access Control used by Linux/Unix describes read/write/execute access to a resource (file, directory, node, etc.). This strict rule is integrated into the kernel. Also, as a Linux/Unix user you are always told to follow the Least Privilege principle. The Least Privilege principle means any operation you do should be done with as low a privilege as possible; you might request more privilege if the current privilege is not sufficient, but you should not always use superuser privilege. Some Linux distributions often restrict you from using root access.
  3. Multiuser Design – Linux is multiuser and multitasking. However, Linux makes a clear separation between users. Linux has the notions of users and groups to separate system power. On every Linux/Unix system you have a superuser account (root) and you are obligated to create your own user account. Most distributions will force you to create and use your own user account. This account, however, is different from root, so you are guaranteed not to harm your system by accident, unless you deliberately do so.
  4. Device Access – Be it a network interface, printer, scanner, or any other connected device, all are managed by the kernel through udev or a similar mechanism. And the good news is that every node has specific privileges.
  5. Registry System – What is a registry? Linux/Unix doesn’t know that. To configure a system globally, one should modify config files, and most of them are stored in privileged directories. Unless you are root or given access to them, you are powerless.
  6. Extensions – Linux recognizes files not by extension but by their header. Every file format has a header and something we call magic words to distinguish the format from other formats. Even if the extension is changed, Linux/Unix can know what it is and still give you correct information.

Apart from the above comparison, there is one extra thing you should know! Windows executables use the PE (Portable Executable) format while the executable format on Linux is ELF (Executable and Linkable Format). So you cannot run Windows programs natively, in case you didn’t know 🙂

Finding Backdoor in a Hacked WordPress Website

December 11, 2015 | Article | No Comments

Every website is vulnerable to malware, trojans, and viruses unless it is safeguarded using the various technologies available. WordPress is no exception. Malicious code can be embedded inside a pre-existing file, or placed in a new file on our server, to fulfil the attacker’s ulterior motive.

The reasons for such security issues can be many, ranging from a flawed plugin to an outdated version of WordPress. If WordPress is our CMS (Content Management System), then keeping it in good health and safe from malicious hackers is our job.

In this article, we will discuss how to detect whether there is a backdoor on our server. The terms used here are as generic as possible, so we won’t cover a specific WordPress version.

Backdoor Definition

A backdoor is a program, script, or any executable file which is used to bypass normal authentication and gain the ability to remotely access the server while remaining undetected. A backdoor allows hackers to regain access even after we find and remove the exploited plugin. Backdoors often survive upgrades, so our site is vulnerable until we clean up this mess.

Some backdoors simply allow users to create a hidden admin username, whereas more complex backdoors can allow the hacker to execute any PHP code sent from the browser. Others have a full-fledged UI that allows them to send emails as your server, execute SQL queries, and do everything else they want to do.

In all the cases, the backdoor was disguised to look like a legitimate WordPress file.

The Locations

Where is backdoor hidden?

The easiest way to locate a backdoor infection is to look for files in the WordPress installation that should not really be there: the ones named php3.php or crucial-wp.php! However, sometimes backdoors may conceal themselves within an otherwise legitimate file. You can figure this out by taking a look at your files, though often, encrypted/encoded backdoors are not the easiest to detect.

Mostly, backdoors are stored in the following locations, so these are good candidates for checking:

  1. Themes – Most likely it is not in the current theme. Hackers want the code to survive core updates. So if we have the old theme sitting in themes directory, or another inactive theme, then the codes will probably be in there. This is why we recommend deleting all the inactive themes.
  2. Plugins – Plugins are a great place for the hacker to hide the code for three reasons. One because people don’t really look at them. Two because people don’t like to upgrade their plugins, so they survive the upgrades. Three, there are some poorly coded plugins which probably have their own vulnerabilities to begin with.
  3. Uploads Directory – Some bloggers never ever check the uploads directory (are you one of them?). You just upload the image, and use it in your post. You probably have thousands of images in the uploads folder divided by year and month. It is very easy for the hacker to upload a backdoor in the uploads folder because it will hide among thousands of media files. Plus you don’t check it regularly. Most folks don’t have a monitoring plugin like Sucuri. Lastly, the uploads directory is writable, so it can work the way it is supposed to. This makes it a great target. A lot of backdoors we find are in there.
  4. wp-config.php – This is also one of the highly targeted files by the hackers. It is also one of the first places most folks are told to look.
  5. Includes Folder – /wp-includes/ folder is another place that we find backdoors. Some hackers will always leave more than one backdoor file. Once they upload one, they will add another backup to ensure their access. Includes folder is another one where most people don’t bother looking.

In all the cases we found, the backdoor was disguised to look like a WordPress file.

For example: in one site we cleaned up, the backdoor was in the wp-includes folder, and it was called wp-user.php (this doesn’t exist in the normal install). There is user.php, but no wp-user.php in the /wp-includes/ folder. In another instance, we found a PHP file named hello.php in the uploads folder. It was disguised as the Hello Dolly plugin. But why the heck is it in the uploads folder?

It can also use names like wp-content.old.tmp, data.php, php5.php, or something of that sort. It doesn’t have to end with PHP just because it has PHP code in it. It can also be a .zip file. In most cases, these files are encoded with base64 and usually perform all sorts of operations (e.g. add spam links, add additional pages, redirect the main site to spammy pages, etc.).

Now you are probably thinking that WordPress is insecure because it allows for backdoors. You are DEAD WRONG. The current version of WordPress has no known vulnerabilities. Backdoors are not the first step of the hack. It is usually the second step. Often hackers find an exploit in a third-party plugin or script which then gives them access to upload the backdoor. It can be all sorts of things though. For example, a poorly coded plugin can allow user privilege escalation. If your site had open registrations, the hacker can just register for free and exploit the one feature to gain more privileges (which then allows them to upload the files). In other cases, it could very well be that your credentials were compromised. It could also be that you were using a bad hosting provider.

Find and Clean Backdoor

If you suspect there is a backdoor in your WordPress, then it’s time to find and clean it (if found). Cleaning is as easy as deleting the file or code. However the difficult part is finding it.

Using plugins

There are a lot of WordPress malware-scanner plugins that can be used for this purpose: Theme Authenticity Checker (TAC), Exploit Scanner, Sucuri.

Theme Authenticity Checker is a free plugin that scans all of your WordPress theme files for potentially malicious or unwanted code. Often hackers target themes to inject links, so this plugin is a good way of checking for that.

Exploit Scanner is another free WordPress plugin that is much more robust than the Theme Authenticity Checker because it searches all the files and the database of your WordPress install. It checks for signs that may indicate that your installation has fallen victim to malicious hackers.

But remember, base64 and eval codes are also used in plugins. So sometimes it will return a lot of false positives. You have to know what you are doing to see if the error is really malicious or if it is ok. If you are not the developer of the plugins, then it is really hard for you to know which code is out of its place in the thousands of lines of code.

Sucuri is by far the BEST WordPress security scanner out there. They have a very basic free site scanner, which checks your site to see if your site is doing ok. But the real value is in their paid version. In short, once you install Sucuri, it automatically monitors your website 24×7 against all threats. It audits all the activities that happen on your site to keep track of where things went wrong. If something looks fishy, Sucuri blocks the IP. They also send you alerts if they notice something going on with your site. Last but not least, they offer a malware cleanup service which is included in the price of their service (no matter how big or small your site is).

Also, this service is not just for beginners. Major publications like CNN, USAToday, PC World, TechCrunch, TheNextWeb, and others are recommending these guys.

Search the Uploads Directory

One of the scanner plugins will find a rogue file in the uploads folder. We can, actually, do it manually. If you are familiar with SSH, we can run a command to search for it. Assuming our server is UNIX (or one of its derivatives):

find uploads -name "*.php" -print

There is no good reason for a .php file to be in your uploads folder. The folder is designed for media files in most cases. If there is a .php file that is in there, it needs to go.
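The find command above only matches the .php extension, while the article notes that a backdoor does not have to end in .php. As an added example (not from the original post), this Python script also flags files that contain PHP code under another extension or whose header does not match their image extension; the function names and the sample tree are constructed, with only the file names hello.php and wp-content.old.tmp taken from the article.

```python
"""Flag files in an uploads tree that carry PHP code (added example)."""
import os
import re
import tempfile

# Leading bytes of the media types normally found in uploads (not exhaustive).
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n", ".gif": b"GIF8",
}
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)
# eval/base64 are also used by legitimate plugins: a hit means "review this".
ENCODED = re.compile(rb"\b(eval|base64_decode)\s*\(", re.IGNORECASE)


def inspect_file(path, max_bytes=1_000_000):
    """Return the list of reasons a file looks out of place in uploads."""
    with open(path, "rb") as fh:
        data = fh.read(max_bytes)
    ext = os.path.splitext(path)[1].lower()
    reasons = []
    if ext.startswith(".php"):
        reasons.append("php extension")
    if PHP_TAG.search(data):
        reasons.append("contains <?php")
    if ENCODED.search(data):
        reasons.append("eval/base64_decode call")
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        reasons.append("header does not match extension")
    return reasons


def scan_uploads(root):
    """Walk root and map each suspicious relative path to its reasons."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = inspect_file(path)
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = reasons
    return findings


def build_sample_tree(root):
    """Create a constructed uploads tree with harmless stand-in contents."""
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 32
    samples = {
        "2015/12/photo.jpg": jpeg,                       # clean image header
        "2015/12/hello.php": b"<?php // stand-in\n",     # script among media
        "2015/12/banner.jpg": b"<?php echo base64_decode('aGk='); ?>",
        "2015/11/holiday.jpg": jpeg + b"<?php eval('return 1;'); ?>",
        "wp-content.old.tmp": b"<?php // stand-in\n",    # PHP without .php
    }
    for rel, content in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as uploads:
        build_sample_tree(uploads)
        for rel, reasons in sorted(scan_uploads(uploads).items()):
            print(rel, "->", "; ".join(reasons))
```

Note that holiday.jpg passes the header check and is caught only by its content, so the header comparison alone is not enough.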

Delete Inactive Themes

As mentioned above, often the inactive themes are targeted. The best thing to do is delete them (yup this includes the default and classic theme). But wait, we didn’t check to see if the backdoor was in there. If it was, then it is gone now. You just saved your time from looking, and you eliminated an extra point of attack.

.htaccess File

Sometimes the redirect codes are being added there. Just delete the file, and it will recreate itself. If it doesn’t, go to your WordPress admin panel. Settings » Permalinks. Click the save button there. It will recreate the .htaccess file.

wp-config.php File

Compare this file with the default wp-config-sample.php file. If you see something that is out of place, then get rid of it.

Database Scan for Exploits and SPAM

A smart hacker will never have just one safe spot. They create numerous ones. Targeting a database full of data is a very easy trick. They can store their bad PHP functions, new administrative accounts, SPAM links, etc in the database. Yup, sometimes you won’t see the admin user in your user’s page. You will see that there are 3 users, and you can only see 2. Chances are you are hacked.

If you don’t know what you are doing with SQL, then you probably want to let one of these scanners do the work for you. The Exploit Scanner plugin and Sucuri (paid version) both take care of that.

Prevention

Prevention or removal of backdoors is easier than detection. You can minimize the chances of backdoor attacks by limiting access to your website’s core files. Keep strong backups and start using a monitoring service.

Here are the recommended things to do:

  1. Use strong passwords – Force strong passwords on your users. Start using a password managing utility like 1Password.
  2. 2-Step authentication – If your password got compromised, the user would still need to have the verification code from your phone.
  3. Limit Login Attempts – This plugin allows you to lock the user out after X numbers of failed login attempts.
  4. Disable Theme and Plugin Editors – This prevents user escalation issues. Even if the user’s privileges were escalated, they couldn’t modify your theme or plugins using the WP-Admin.
  5. Password Protect WP-Admin – You can password protect the entire directory.
  6. Disable PHP Execution in Certain WordPress Directories – This disables PHP execution in the upload directories and other directories of your choice. Basically so even if someone was able to upload the file in your uploads folder, they wouldn’t be able to execute it.
  7. Stay UPDATED – Run the latest version of WordPress, and upgrade your plugins.

Introduction to HoneyPot and HoneyNet

December 7, 2015 | Article | No Comments

Honeypot: some people might be familiar with this term. Some people may even have implemented one in their network. But what exactly is a honeypot?

Literally, a honeypot is a pot / jar / other container used to store honey. But in this case, honeypot is a metaphor. A honeypot, or honeytrap as some people call it, in computer science terminology means a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of an information system.

A honeypot in general consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to an attacker.

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient.

Usually, honeypots and honeynets are implemented as parts of larger Network Intrusion Detection Systems.

So What are the Benefits to Us?

There are many. Here are some benefits we can get from honeypot:

Early Detection
A honeypot notifies and alerts us when attacks occur. At the very least, when an unauthorized access attempt is made against our system, it gives us more time to prepare countermeasures.
Analyze the Threat
An attacker trapped in a honeypot can be analyzed. From this, we can learn the newest threats and the newest attack vectors used by attackers in attempts at ‘privilege escalation’. This also gives us information about who the enemy is, what he did, and what methods he used.
Secure the System
This method traps the attacker and confines his break-in to the honeypot system, so the real server remains in good shape. The defense system gives better security as the attacker won’t attack the server directly. But there is no guarantee that our system will be absolutely secure.
Disrupting Attacker
A honeypot is a method to disrupt and confuse the attacker. With many alternative and virtual systems in the network, the attacker will at least have trouble distinguishing the real systems from the virtual ones.

HoneyPot Components

Network Devices Hardware
A honeypot acts as part of the network, so of course we need network devices.
Monitoring or Logging Tools
A set of tools or components to monitor and log activities inside the honeypot.
Alert Mechanism
A message system to notify us or give a warning if an attack is detected.
Keystroke Logger
Logs information about what the attacker does, including keystrokes originating from the attacker.
Packet Analyzer
Gives information about packets going in and out between the honeypot and the attacker.
Forensic Tools
Provide forensic information about what the attacker used against the system.

What are the Types of Honeypot?

By degree of interaction, we can split honeypots into two categories: High-Interaction and Low-Interaction.

A High-Interaction honeypot is a fake system which emulates all aspects of a machine (operating system). We have a system running a specific operating system and certain services such as a web server and some web apps. A high-interaction honeypot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks.

A Low-Interaction honeypot simulates only services that cannot be exploited to get complete access to the honeypot. This type of honeypot is more limited, but it is useful for gathering information at a higher level, e.g., learning about network probes or worm activity.

We can also divide honeypots into physical and virtual honeypots.

A physical honeypot is a real machine on the network. It is a dedicated machine with its own IP address.

A virtual honeypot is simulated by another machine that responds to network traffic sent to the virtual honeypot.

When gathering information about network attacks or probes, the number of deployed honeypots influences the amount and accuracy of the collected data. A good example is measuring the activity of HTTP based worms. We can identify these worms only after they complete a TCP handshake and send their payload. However, most of their connection requests will go unanswered because they contact randomly chosen IP addresses. A honeypot can capture the worm payload by configuring it to function as a web server. The more honeypots we deploy the more likely one of them is contacted by a worm.
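A low-interaction honeypot of the kind described above, as an added example that is not part of the original post: it completes the TCP handshake, records whatever payload the client sends, answers with a fixed page and executes nothing. Port 8080, the log file name, the canned response and the function names are assumptions.

```python
"""Low-interaction HTTP honeypot that records probe payloads (added example)."""
import json
import socket
import time

MAX_PAYLOAD = 8192  # upper bound on what one connection can make us store
BODY = b"<html><body>It works!</body></html>"
CANNED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    b"Content-Length: " + str(len(BODY)).encode() +
    b"\r\nConnection: close\r\n\r\n" + BODY
)


def handle_connection(conn, peer, log):
    """Read one request, append it to log as a JSON line, send a fixed reply.

    The payload is only stored; it is never interpreted or executed.
    """
    conn.settimeout(5)
    data = b""
    try:
        while b"\r\n\r\n" not in data and len(data) < MAX_PAYLOAD:
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
    except (socket.timeout, ConnectionError):
        pass  # slow or aborted client: keep whatever arrived
    data = data[:MAX_PAYLOAD]
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "peer": peer,
        "request_line": data.split(b"\r\n", 1)[0].decode("latin-1"),
        "payload_hex": data.hex(),
    }
    log.write(json.dumps(record) + "\n")
    log.flush()
    try:
        conn.sendall(CANNED_RESPONSE)
    except OSError:
        pass  # client went away before the reply; the probe is already logged
    finally:
        conn.close()
    return record


def serve(host="127.0.0.1", port=8080, log_path="honeypot.jsonl"):
    """Accept connections one at a time and log each probe (assumed defaults)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, \
            open(log_path, "a", encoding="utf-8") as log:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            handle_connection(conn, "%s:%d" % addr, log)


if __name__ == "__main__":
    serve()
```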

Physical honeypots are often high-interaction, allowing the system to be compromised completely, so they are expensive to install and maintain. For large address spaces, it is impractical or impossible to deploy a physical honeypot for each IP address. In that case, we need to deploy virtual honeypots.

Where Should a Honeypot Be Placed?

A honeypot can be placed in several places:

  1. Directly connected to the internet without a firewall
  2. Between the firewall and the internet connection
  3. In the DMZ
