ZeroAccess Trojan - Network Analysis Part I

A few days ago, I talked about How to detect ZeroAccess in your Network   Now, I want to show you how this trojan works. The goal of this trojan is to earn money through Click Fraud... It is a type of crime that abuses pay-per-click advertising to make money through fraudulent or fake clicks on advertisements. ZeroAccess makes money when it generate...

Read More

DNS Enumeration with Fierce in Backtrack and Kali Linux

Fierce is a great script written in Perl by RSnake . This tool will help you for the first steps of a pentesting: the reconnaissance. The idea is to gather as much interesting details as possible about your target before starting the attack. Fierce is used for DNS Enumeration and has been included in Backtrack and Kali Linux distributions. It...

Read More

Pentesting Web Servers with Nikto in Backtrack and Kali Linux

Nikto is one of the most popular web security application when you are beginning a web pentesting project. You can download Nikto from http://cirt.net/nikto2 This tool has been included in Backtrack and Kali Linux distributions. Nikto is an Open Source web server scanner. This tool performs test against web servers making requests for multiple items....

Read More

Detecting ZeroAccess in your Network with Fortigate and Ossim

ZeroAcces is a Trojan horse who use an advanced rootkit to hide itself and create a back door on the compromised host. The computers are infected  by "drive-by download" attacks: People who download and execute suspicious programs (ActiveX, Java applet...) without understanding the consequences. Downloads that happening without user authorization...

Read More

Anonymizing your attacks with Tor and Proxychains

Are you using some anomyzer? Anonymizing your connection is one the main requirements you need to do when you want to do bad things... For this purpose we are going to use TOR.  "Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy,...

Read More

Detecting web shells uploaded to compromised servers with Google

In this post we are going to search with Google, servers that have been compromised and they are hosting a webshell. The most common method to upload a webshell to a server is RFI (Remote File Inclusion). RFI is a vulnerability that allows an attacker to upload a remote file like a script or webshell. With a webshell, you can manage the server, read/create/remove...

Read More

Large increase in the traffic log after upgrading to FortiOS 4.0 MR3

If you recently have upgraded your Fortigate Firewall to FortiOS 4.0 MR3 perhaps you have noticed an increase in the traffic log. FortiOS 4.0 MR3 has the value of extended-traffic-log enabled by default instead of previous versions where this value was disabled by default. If you want to disabled this new default option, here you have the commands: config...

Read More

HA on Fortinet Fortigate Firewalls: Commands to keep in mind

When you build a Firewall in High Availability you need to be sure if the cluster's members are totally synchronized. I am going to give you some commands in order to change the CLI session between the members for checking your HA. First of all you need to watch how many members there are. If you have an active-pasive cluster, you need to know who...

Read More

Deleting old policy rules on Fortinet Fortigate Firewalls

Some times, firewall security administrators have told me... "I have a lot of policy rules on my firewall, how can I discover unused policy rules?" or "I just created a new policy rule, how can I know if this rule has been matching? With Fortinet Firewalls is really easy to do. First of all you need to add  a new column in Policy -> Policy...

Read More