PenrodCC

Security and Technology Ramblings…

1. Install and maintain a firewall configuration to protect cardholder data
2. Don’t use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

Topic: Using OSSEC to detect / block the XMLRPC.PHP attack.

The basis of this post came from this person's blog. A big thanks to him/her/it for the info!

Link: Void.GR

For my purposes however, I made a couple small changes.

First, for some reason, the Apache log was being tagged as a pureftp-transfer decode. Since I don't run PureFTP, I simply disabled this decoder and removed the PureFTP XML config file from ossec.conf.

I added the config below to the local rules file, but also included the group name to make sure it was added to web,accesslog.

<group name="web,accesslog,">
  <rule id="100167" level="1">
    <if_sid>31108</if_sid>
    <url>xmlrpc.php</url>
    <match>POST</match>
    <description>WordPress xmlrpc attempt.</description>
  </rule>

  <rule id="100168" level="10" frequency="2" timeframe="600">
    <if_matched_sid>100167</if_matched_sid>
    <same_source_ip />
    <description>WordPress xmlrpc attack.</description>
    <group>attack,</group>
  </rule>
</group> <!-- Web access log -->
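To see what the two rules actually do before deploying them, here is an added Python emulation (not OSSEC code and not from the original post) run over a few constructed Apache combined-log lines. Rule 100167 is modelled as "URL contains xmlrpc.php and the line contains POST"; rule 100168 as "two such matches from the same source IP within 600 seconds". The log lines, IP addresses and timestamps are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Apache combined-log lines (not taken from the page).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:12:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:12:00:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2015:12:00:05 +0000] "GET /xmlrpc.php HTTP/1.1" 405 0 "-" "curl/7.38"
198.51.100.4 - - [10/Mar/2015:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1024 "-" "curl/7.38"
192.0.2.9 - - [10/Mar/2015:12:00:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:12:20:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 422 "-" "Mozilla/5.0"
"""

# Minimal parser for the fields the rules look at: client IP, timestamp, method, URL.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def evaluate(log_text, frequency=2, timeframe=600):
    """Return (level1_hits, level10_alerts) as lists of (source_ip, timestamp).

    level1_hits mirrors rule 100167 (<url>xmlrpc.php</url> plus <match>POST</match>).
    level10_alerts mirrors rule 100168 (<if_matched_sid>100167 with
    <same_source_ip/>, frequency and timeframe). This emulation fires when the
    plain count of matches in the window reaches `frequency`; the OSSEC rule
    syntax documentation notes that the real engine needs two more matches
    than the configured frequency, so expect the daemon to be slightly slower.
    """
    level1, alerts = [], []
    recent = defaultdict(list)  # source ip -> timestamps of rule 100167 matches
    window = timedelta(seconds=timeframe)

    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Rule 100167: <url> is a substring test on the request URL and
        # <match> is a substring test on the whole log line.
        if "xmlrpc.php" not in m["url"] or "POST" not in line:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip = m["ip"]
        level1.append((ip, ts))

        # Rule 100168: keep only this IP's matches inside the timeframe.
        hits = [t for t in recent[ip] if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= frequency:
            alerts.append((ip, ts))
            recent[ip] = []  # start counting the next burst afresh
    return level1, alerts


if __name__ == "__main__":
    hits, alerts = evaluate(SAMPLE_LOG)
    for ip, ts in hits:
        print(f"level 1  100167 {ip} {ts.isoformat()}")
    for ip, ts in alerts:
        print(f"level 10 100168 {ip} {ts.isoformat()}")
```

On the sample, the GET to xmlrpc.php and the POST to wp-login.php are ignored, 203.0.113.7 trips the level 10 rule on its second POST, and 192.0.2.9 does not because its two POSTs are twenty minutes apart, outside the 600-second timeframe.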

There are a lot of IP security cameras out there today at really good deals.
Putting one in your house to keep an eye on things is a great idea and they are easy to set up.

But, do you trust them? What about the cheaper ones you can get from China? After all, you hear in the news all the time about some of the products being imported being prebuilt with Trojans or other malicious software.

I have several cameras by a popular Chinese-based manufacturer. I decided to check up and see what happens when it boots up and whom it tries to talk to while it's running.
Disclaimer: I run these in a dedicated / isolated VLAN and they normally have no ability to talk to the Internet or see the rest of my network. Essentially for my purposes, I really don’t care whom they try to talk to.
For my test, I tried to boot the camera two ways. First boot was with the firewall blocking the connection. Second test was with the firewall wide open allowing the camera to do whatever it felt like doing.

Firewall: Cisco ASA5505
Switch: Cisco 2960 (Camera port #13, traffic mirrored to #33)
Sniffer: Wireshark on my laptop, plugged into #33

My first test with the firewall blocking all connections resulted in the camera trying to establish a remote TCP connection to one of six different IP addresses; all of which are located in China. Destination ports 80, 443 and 8000 are attempted. All firewall blocked.

My second test resulted in the camera actually connecting to three separate IP addresses: 61.188.37.216 (China), 50.19.254.134 (Amazon EC2) and 114.215.137.159 (China). This can't be good, right?

After those connections were established, every three minutes or so, the camera then tried to talk to three more IP addresses: 50.7.235.90 (Czech Republic), 107.20.132.192 (Amazon EC2) and 114.215.179.104 (China).

I would call it highly suspicious that these cameras call home like they are doing and would suspect either malware or some other nefarious purpose.
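As an added example (not the author's setup or code), the check the test above performs by hand can be scripted: take flow records exported from a mirror-port capture, list every destination and port the camera reached outside its own VLAN or an allowlist, and flag destination/port pairs it contacts at a fixed period, like the every-three-minutes callbacks described. The camera address, VLAN, allowlist and flow records below are all constructed for the example; the thresholds are assumptions to tune.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

CAMERA_IP = "10.99.0.20"                  # constructed camera address
CAMERA_VLAN = ip_network("10.99.0.0/24")  # constructed isolated camera VLAN
ALLOWED = {("10.99.0.1", 123)}            # constructed allowlist: local NTP only

# Constructed flow records (seconds since capture start, src, dst, dport), the
# kind of summary Wireshark's Conversations view gives. Not the page's capture.
FLOWS = [
    (0,   "10.99.0.20", "10.99.0.1",     123),
    (2,   "10.99.0.20", "198.51.100.50", 80),
    (3,   "10.99.0.20", "198.51.100.50", 443),
    (5,   "10.99.0.20", "198.51.100.50", 8000),
    (185, "10.99.0.20", "198.51.100.50", 8000),
    (366, "10.99.0.20", "198.51.100.50", 8000),
    (544, "10.99.0.20", "198.51.100.50", 8000),
    (900, "10.99.0.20", "203.0.113.8",   443),
    (20,  "10.99.0.55", "203.0.113.9",   443),   # another host on the VLAN, ignored
]


def external_destinations(flows, camera_ip, allowed, vlan=CAMERA_VLAN):
    """Sorted (dst, dport) pairs the camera reached outside its VLAN and allowlist."""
    out = set()
    for _, src, dst, dport in flows:
        if src != camera_ip:
            continue
        if ip_address(dst) in vlan or (dst, dport) in allowed:
            continue
        out.add((dst, dport))
    return sorted(out)


def beacon_candidates(flows, camera_ip, min_count=3, max_jitter=0.2):
    """Map (dst, dport) -> average interval in seconds for destinations the
    camera contacts repeatedly at a regular period.

    A fixed-period call-home shows up as near-constant gaps between
    connections; `max_jitter` is the allowed ratio of standard deviation to
    mean gap (assumed threshold, tune on real captures).
    """
    times = defaultdict(list)
    for t, src, dst, dport in flows:
        if src == camera_ip:
            times[(dst, dport)].append(t)

    found = {}
    for key, ts in times.items():
        ts.sort()
        if len(ts) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg else 0.0
        if jitter <= max_jitter:
            found[key] = round(avg, 1)
    return found


if __name__ == "__main__":
    for dst, port in external_destinations(FLOWS, CAMERA_IP, ALLOWED):
        print(f"egress outside VLAN/allowlist: {dst}:{port}")
    for (dst, port), period in beacon_candidates(FLOWS, CAMERA_IP).items():
        print(f"periodic callback: {dst}:{port} every ~{period}s")
```

On the constructed flows the script reports four outside destinations (80, 443 and 8000 on one host, 443 on another) and flags the port 8000 connections as periodic at roughly 180 seconds; the NTP flow inside the VLAN and the other host's traffic are not reported. The same output on a real capture is what a firewall egress policy for the camera VLAN should be written from.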
