Sunday, 20 March 2016

Maybe someone is trying to open a backdoor: catch it using OSSEC alerts!

Recently I have been thinking about incident response, and asking myself these questions: How can you provide better incident response? How can you check your vulnerabilities? How do you catch attackers?

I came across this article while surfing the Internet: [ Server Security: Indicators of Compromised Behavior with OSSEC ]


Indicator of Compromised Behavior Definition!
Attackers are always evolving and changing their tactics, and security products are never 100% on their detection of malicious behavior.

However, there is an additional data point that can be monitored: your own users and servers, specifically how they interact with each other. Not looking for malicious behavior, but looking at their normal behavior and trying to find anomalies that may signal a compromise.

Over a period of time, the same person (or server) will start to display patterns that remain consistent and are measurable. This allows us to move beyond focusing on malicious behavior and allows us to measure and look at the patterns created to better understand what users are doing.

Just think of most security tools we employ on our servers. Traditionally, they would focus on failed login attempts, for example: on blocking brute force attempts, or blocking an IP after a possible abuse is detected. What if we stopped focusing on failed attempts and focused on successful ones? What if we ignored the 403 (forbidden) errors on HTTP and focused on the 200 (success) requests?


I went through the Indicators of Compromised Behavior with OSSEC article carefully. The comments at the end of the article describe a real shell-upload scenario and how it was caught using OSSEC alerts, so I am republishing that part here for educational and informational purposes only. If you want to read the full article, you should visit here! Thanks,

This alert is actually a real OSSEC alert that found a backdoor:
OSSEC HIDS Notification.
2013 Jun 16 23:48:29
Received From: hetzner->/var/www/logs/error.log
Rule: 31421 fired (level 5) -> "PHP internal error (missing file or function)."
Portion of the log(s):
2013/06/16 23:48:27 [error] 2252#0: *9980497 FastCGI sent in stderr: "PHP message: PHP Fatal error:
Call to undefined function includ_once()
in /var/www/docs/wp-content/themes/bluetheme/footer.php on line 1" while reading upstream, client: 5.9.164.69, server: hetzner, request: "GET /wp-content/themes/bluetheme/images/favico

Thanks for sharing, Jonas Lejon.
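As an added example (not from the original article, the comment above, or OSSEC itself), here is a small Python parser that applies the idea to nginx error.log entries of the shape shown in the alert: it pulls out the "call to undefined function" details that rule 31421 keys on and raises the severity when the file lives in a writable WordPress directory or the error is on line 1, which is where prepended code shows up. The two log entries are constructed (one modelled on the alert above, truncated as it is there; one benign warning), and the writable-directory list is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# nginx error.log entry carrying a PHP-FPM (FastCGI) stderr message, the same
# shape as the log portion in the OSSEC alert. re.S because the PHP message
# itself may span several lines, as it does in the alert.
NGINX_PHP_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'FastCGI sent in stderr: "PHP message: (?P<msg>.*?)" while reading upstream, '
    r'client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>\S+), request: "(?P<request>[^"]*)',
    re.S,
)
UNDEFINED_FN_RE = re.compile(
    r'Call to undefined function (?P<fn>\w+)\(\)\s+in (?P<file>\S+) on line (?P<line>\d+)'
)
# Assumption: directories a WordPress install lets the web server write to, so
# uploaded or injected PHP usually lands here rather than in core files.
WRITABLE_DIRS = ("/wp-content/uploads/", "/wp-content/themes/", "/wp-content/plugins/")

@dataclass
class Finding:
    ts: str
    client: str
    function: str
    file: str
    line: int
    request: str
    level: int  # OSSEC-style severity: 5 for the bare rule, higher with suspicious context

def analyze(entry: str) -> Optional[Finding]:
    """Return a Finding for an 'undefined function' PHP fatal error, else None."""
    m = NGINX_PHP_RE.search(entry)
    if not m:
        return None
    u = UNDEFINED_FN_RE.search(m.group("msg"))
    if not u:
        return None
    f = Finding(m.group("ts"), m.group("client"), u.group("fn"), u.group("file"),
                int(u.group("line")), m.group("request"), 5)
    if any(d in f.file for d in WRITABLE_DIRS):
        f.level += 3  # code in a writable tree: unlikely to be vendor-shipped
    if f.line == 1:
        f.level += 2  # error on line 1: something was prepended to an existing file
    return f

# Constructed samples: the first mirrors the alert above (request truncated as on the page).
SAMPLE_ALERT_ENTRY = (
    '2013/06/16 23:48:27 [error] 2252#0: *9980497 FastCGI sent in stderr: "PHP message: PHP Fatal error:\n'
    'Call to undefined function includ_once()\n'
    'in /var/www/docs/wp-content/themes/bluetheme/footer.php on line 1" while reading upstream, '
    'client: 5.9.164.69, server: hetzner, request: "GET /wp-content/themes/bluetheme/images/favico'
)
BENIGN_ENTRY = (
    '2013/06/16 23:50:01 [error] 2252#0: *9980500 FastCGI sent in stderr: "PHP message: PHP Warning:  '
    'Undefined variable $foo in /var/www/docs/wp-content/themes/bluetheme/header.php on line 12" '
    'while reading upstream, client: 203.0.113.7, server: hetzner, request: "GET / HTTP/1.1"'
)
```

Running `analyze(SAMPLE_ALERT_ENTRY)` yields a level-10 finding for client 5.9.164.69 calling `includ_once` on line 1 of footer.php, while the benign warning yields nothing.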
