Friday, January 28, 2011

Egypt Telecom AS isolation - does BGPlay show it?

January 31, 2011 – Update:
An interesting snapshot of Egyptian malware activity. ASN 20928 appears to be still active.

Egypt's malware activity post internet shutdown
http://www.unveillance.com/latest-news/egypts-malware-activity-post-internet-shutdown/

Why One Egyptian ISP is Still Online

http://newsgrange.com/why-one-egyptian-isp-is-still-online/

January 29, 2011 – Update:


I tried to make the following video to show what happened, the BGP isolation "frame by frame":

video

January 28, 2011:

Following the isolation of the Internet in Egypt, I tried to see whether something could be observed with a good tool: BGPlay. As input data I entered the AS8452 (Egypt Telecom) prefix labelled "all routers"; I obtained this information via robtex as follows: http://www.robtex.com/as/as8452.html#bgp. So the inserted data are the prefix 81.10.0.0/17 and a date/time range covering the latest 24 hours:



The result is interesting. For an animation it is better to enter the values in BGPlay directly (http://bgplay.routeviews.org/).

The BGP traffic situation on 27/01/2011:


After the sequence of BGP withdrawals, the situation now appears as follows:



RIPE has also released a tool to check BGP withdrawals and announcement requests:
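The check described above (how many route-collector peers still see the AS8452 prefix as the withdrawals arrive) can be reproduced on update records, as in this added example; it is not code from the post, BGPlay or RIPE. The input is a constructed sample in bgpdump -m style, and the timestamps and peers are invented.

```python
"""Track how many collector peers still see a prefix through a
sequence of BGP announcements (A) and withdrawals (W)."""
from datetime import datetime, timezone

PREFIX = "81.10.0.0/17"  # Egypt Telecom (AS8452) prefix from the post

# Constructed sample in bgpdump -m format (fields are '|'-separated):
# BGP4MP|unix_time|A|peer_ip|peer_as|prefix|as_path|origin|...
# BGP4MP|unix_time|W|peer_ip|peer_as|prefix
# Peers, paths and times are invented for the example.
SAMPLE = """\
BGP4MP|1296140000|A|192.0.2.1|64500|81.10.0.0/17|64500 6762 8452|IGP|
BGP4MP|1296140000|A|192.0.2.2|64501|81.10.0.0/17|64501 3356 8452|IGP|
BGP4MP|1296140000|A|192.0.2.3|64502|81.10.0.0/17|64502 8452|IGP|
BGP4MP|1296140000|A|192.0.2.3|64502|198.51.100.0/24|64502 64999|IGP|
BGP4MP|1296167400|W|192.0.2.3|64502|81.10.0.0/17
BGP4MP|1296167430|W|192.0.2.1|64500|81.10.0.0/17
BGP4MP|1296167460|W|192.0.2.2|64501|81.10.0.0/17
"""

def parse_line(line):
    """Return (timestamp, kind, peer_ip, prefix) from one bgpdump -m line."""
    f = line.split("|")
    return int(f[1]), f[2], f[3], f[5]

def visibility_timeline(text, prefix):
    """List of (timestamp, number_of_peers_seeing_prefix) after each event."""
    seen = set()        # peers currently holding a route for the prefix
    timeline = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, peer, pfx = parse_line(line)
        if pfx != prefix:
            continue    # ignore events for other prefixes
        if kind == "A":
            seen.add(peer)
        elif kind == "W":
            seen.discard(peer)
        timeline.append((ts, len(seen)))
    return timeline

def isolation_time(timeline):
    """First timestamp at which no peer sees the prefix any more (None if never)."""
    was_visible = False
    for ts, n in timeline:
        if n > 0:
            was_visible = True
        elif was_visible:
            return ts
    return None

if __name__ == "__main__":
    tl = visibility_timeline(SAMPLE, PREFIX)
    for ts, n in tl:
        print(datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(), n)
    print("isolated at:", isolation_time(tl))
```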

Saturday, January 22, 2011

The SourceForge entry point seems to be still active

February 3, 2011 - Update:

A discussion on the e107 official website: http://e107.org/comment.php?comment.news.878


February 2, 2011 - Update:

Just another piece of evidence of the SourceForge breach being used by a web bot. At least, from the following screenshot, it seems that the entry point was detected by a web vulnerability scanner bot. The following figure shows a well-known method used by web bots: posting the results of their work on some pastebin clone website.


This pastie was released at the end of 2010. The bad thing is that the OFF keyword tells the bots' admin that php_safe is OFF.


January 30, 2011 – Update:
SourceForge has formally admitted the problems that I notified in December 2010. My research and my message on the Full Disclosure mailing list about the possible exploitation of a not so new e107 bug, which could permit privilege escalation attempts, look confirmed. Here is the update:

Sourceforge Attack: Full Report
http://sourceforge.net/blog/sourceforge-attack-full-report/

January 28, 2011 - Update:

On Hacker News an update is reported, and it seems that the SourceForge server has been compromised:

Sourceforge servers compromised
http://news.ycombinator.com/item?id=2150639

The SourceForge response:
http://sourceforge.net/apps/wordpress/sourceforge/2011/01/27/sourceforge-net-attack-update/

January 22, 2011:

Just now I found a post from Imperva: http://blog.imperva.com/2011/01/major-websites-govmiledu-are-hacked-and-up-for-sale.html. Intrigued by their results, similar to those published in my previous post approximately one month ago (http://extraexploit.blogspot.com/2010/12/some-considerations-on-ettercap-source.html), I decided to do some checks. I noticed that the SourceForge entry point is still active. This is what seems possible from the error message that appears on this page. As you can see from this screenshot, the problem seems to reside in a project home page that includes a bugged e107 version:

sourceforge2

With further investigation it is possible to find the page where the vulnerable version of e107 (affected by a remote command execution issue) is placed. This entry point could be used by a remote script to send system commands to the server (http://php-security.org/2010/05/19/mops-2010-035-e107-bbcode-remote-php-code-execution-vulnerability/index.html). The following screenshot is the well-known form that exposes SourceForge to this vulnerability:

forme107

The problem is that this breach, if confirmed, can be exploited to modify source code and thus undermine the trust in applications maintained by this software repository.