On a Saturday evening I spent some time upgrading my MacBook Pro with an SSD. The only SSD I had already had Security Onion installed on it, so I fired up the best NSM OS and tested it.
It was during this test that I found a compromised site – http://www.efendim.net. My Sguil console was up and straight away triggered the following signature:
– ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
– Heap spraying is a technique that assists exploitation by filling the heap with large strings; it facilitates arbitrary code execution. To be clear, a heap spray does not exploit a vulnerability by itself, but because it manipulates the heap layout it makes an existing vulnerability easier to exploit.
The attached screenshot shows the Sguil output.
The attached screenshot shows the payload.
As you can see in the payload, this one used JavaScript with the character "%41" (the percent-encoding of "A", byte 0x41) concatenated with itself over and over.
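To show how the pattern Sguil alerted on can also be spotted in captured response bodies outside the IDS, here is an added example (my own code, not from the original post, Security Onion or the Emerging Threats ruleset) that runs two simple heuristics: a run of percent-encoded 0x41 bytes, which is the literal the ET rule name refers to, and a JavaScript variable that is concatenated with itself. The two sample bodies are constructed for the demo, and the function name scan_for_heap_spray and the scoring thresholds are my own assumptions.

```python
import re

# Constructed sample HTTP response bodies for the demo (not the real payload
# from the compromised site). The second one mimics the "%41" doubling pattern.
BENIGN_BODY = """<html><body>
<script>var greeting = "Hello, world"; document.write(greeting);</script>
</body></html>"""

SUSPICIOUS_BODY = """<html><body>
<script>
var pad = unescape("%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41");
while (pad.length < 0x10000) { pad += pad; }
</script>
</body></html>"""

# A run of at least four consecutive percent-encoded 0x41 bytes: the same
# literal that the ET "Possible %41%41%41%41 Heap Spray Attempt" rule name refers to.
RUN_RE = re.compile(r"(?:%41){4,}", re.IGNORECASE)
# A variable appended to itself: "s += s" or "s = s + s" (string doubling loop).
DOUBLE_RE = re.compile(r"\b(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\b")
# unescape() is the usual way a percent-encoded string becomes a raw buffer in JS.
UNESCAPE_RE = re.compile(r"\bunescape\s*\(", re.IGNORECASE)


def scan_for_heap_spray(body: str, min_run_bytes: int = 4) -> dict:
    """Return heuristic indicators of a %41 heap-spray pattern in a response body.

    score counts how many independent indicators fired; alert is raised when at
    least two of them agree, so a lone "%41%41%41%41" in ordinary content is
    reported but not alerted on.
    """
    runs = RUN_RE.findall(body)
    # Each "%41" is three characters, so divide by 3 to get the byte count.
    longest_run = max((len(r) // 3 for r in runs), default=0)
    doubling = DOUBLE_RE.findall(body)
    uses_unescape = bool(UNESCAPE_RE.search(body))

    score = 0
    if longest_run >= min_run_bytes:
        score += 1
    if doubling:
        score += 1
    if uses_unescape:
        score += 1

    return {
        "longest_41_run": longest_run,
        "self_concat_vars": sorted(set(doubling)),
        "uses_unescape": uses_unescape,
        "score": score,
        "alert": score >= 2,
    }


if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("suspicious", SUSPICIOUS_BODY)):
        print(name, scan_for_heap_spray(body))
```

In practice you would feed this the HTTP bodies Security Onion already carves out (for example the transcript of the session behind the Sguil alert) and tune min_run_bytes upwards if ordinary pages on your network legitimately contain short "%41" sequences.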
The following IP address is where the site is hosted:
188.40.53.185 – http://www.ipvoid.com/scan/188.40.53.185/
The IP address has a bad reputation and is blacklisted.
I did not find any further communications suggesting that the website redirects to any other sort of malicious content yet.
From this analysis I can say that there are sites that are still being compromised with legacy techniques, which means that security for generic websites is still lacking and puts all kinds of users at risk.
These endpoints need to be secured, but how? How can we secure each and every site? The answer is that it is not feasible; however, as users we can always increase our understanding of security and how to apply it.
Happy Holidays !!!!!!!