Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-users] Anyone have problems with aanval?

from [Michael Scheidell] Network Security [Permanent Link]
Subject: [Snort-users] Anyone have problems with aanval?
Date: Thu, 26 Jan 2006 22:32:25 -0500 
Started to test 'aanval' for its better reporting that base.

Found some interesting things.  They insist you take php out of safe
mode (saying that they have secured aanval, and there is no need for
safe mode).

Also found something that may be a bug in aanval, or something worse.

We traced a very large data transfer from the host we had running aanval
to 82.165.229.52

(21GB of data)

Killall -9 httpd didn't stop it.
Killall -9 php didn't stop it.
(process starts itself again and again)

Had to null route 82.165.229.52 to block the traffic.

Processes involved in transfer:
root     php      26953    0 tcp4   204.89.241.133:1831
82.165.229.52:80

ps -p26953    -auxww
USER   PID %CPU %MEM   VSZ  RSS  TT  STAT STARTED      TIME COMMAND
root 26953  0.0  5.4 33328 27868  ??  S    10:12PM   0:14.14 php -q
/usr/local/www/hackertrap/aanval/apps/processorB.php

Tcpdump of traffic appears to be random (or encrypted) data.

Interesting thing about that ip address:
host www.aanval.com
www.aanval.com is a nickname for aanval.com
aanval.com has address 82.165.229.52
aanval.com mail is handled (pri=10) by mail.aanval.com

Anyone else use or try to use aanval? (ps, I didn't turn off safe mode.
It requires safe mode to install, but once installed, runs fine if you
re-enable it and HUP apache)

Needless to say, we will be taking aanval php source code apart to see
what is was doing.

If anyone has an answer, I would appreciate it.

-- 
Michael Scheidell, CTO
561-999-5000, ext 1131
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time
security alerts: http://www.secnap.com/news
 


-------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://sel.as-us.falkag.net/sel?cmd_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Black/Nyxem, Matthew Watchinski
Next by Date:  [Snort-users] On leave, Danny Li
Previous by Thread:  [Snort-users] Black/Nyxem, Ron Jenkins
Next by Thread:  Re: [Snort-users] Anyone have problems with aanval?, Nerijus Krukauskas
Indexes:  [Date] [Thread] [Top] [All Lists]