Showing posts with label security.

Thursday, November 6, 2008

Using Google Alerts to Check your Web Sites

I recently found Google Alerts very useful as a quick way to detect whether any of our web sites are hosting spam.  (For those who do not know, Google Alerts gives you updates of the latest relevant Google results based on your choice of query or topic. They can be delivered by email or as a news feed.)

What I did was define several search terms such as the following in Google Alerts:
  • viagra site:yourdomain.com
  • mortgage site:yourdomain.com
I chose the comprehensive search type, delivered to my email address once a day, in the alert settings.

When Google found new entries, it would email me a summary once a day.  I could then glance through the summary to verify whether any of those entries could possibly be legitimate.  Otherwise, I would send it to the appropriate party to follow up.
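The "glance through the summary" step above can be partly automated. The script below is an added example, not code from the original post: it assumes the alert is delivered as an Atom feed (the news-feed delivery option), parses each hit, drops anything not under the monitored domain, and separates hits under paths where the keyword is known to appear legitimately (a hypothetical allowlist) from hits that need follow-up. The feed and the domain yourdomain.com are constructed placeholders.

```python
"""Triage Google Alerts hits for site-restricted spam-keyword queries.

Added example, not from the original post. Assumes Atom-feed delivery;
SAMPLE_FEED is a constructed sample and yourdomain.com is a placeholder.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ATOM = "{http://www.w3.org/2005/Atom}"

# Constructed sample feed: two hits on the monitored domain, one of which
# lives under a path we know carries legitimate content, plus one off-domain hit.
SAMPLE_FEED = """<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Google Alert - viagra site:yourdomain.com</title>
  <entry>
    <title>Buy cheap viagra online</title>
    <link href="http://www.yourdomain.com/forum/post.asp?id=9931"/>
  </entry>
  <entry>
    <title>Pharmacy policy on viagra prescriptions</title>
    <link href="http://www.yourdomain.com/health/policy.html"/>
  </entry>
  <entry>
    <title>viagra</title>
    <link href="http://example.net/not-ours"/>
  </entry>
</feed>
"""

# Hypothetical allowlist: paths where the keyword may legitimately appear.
LEGITIMATE_PATH_PREFIXES = ("/health/",)


def parse_alert_feed(feed_xml):
    """Return (title, url) pairs for every entry in an Atom alert feed."""
    root = ET.fromstring(feed_xml)
    results = []
    for entry in root.iter(ATOM + "entry"):
        title = entry.findtext(ATOM + "title", default="")
        link = entry.find(ATOM + "link")
        href = link.get("href", "") if link is not None else ""
        results.append((title, href))
    return results


def is_on_domain(url, domain):
    """True if the URL host is the domain itself or one of its subdomains."""
    host = urlparse(url).hostname or ""
    return host == domain or host.endswith("." + domain)


def triage(feed_xml, domain, allow_prefixes=LEGITIMATE_PATH_PREFIXES):
    """Split hits into (needs follow-up, presumed legitimate).

    Hits not on the monitored domain are dropped: the site: operator should
    already restrict results, so such a hit is a parsing surprise, not a finding.
    """
    follow_up, presumed_ok = [], []
    for _title, url in parse_alert_feed(feed_xml):
        if not is_on_domain(url, domain):
            continue
        path = urlparse(url).path
        if path.startswith(allow_prefixes):
            presumed_ok.append(url)
        else:
            follow_up.append(url)
    return follow_up, presumed_ok


if __name__ == "__main__":
    todo, ok = triage(SAMPLE_FEED, "yourdomain.com")
    print("needs follow-up:", todo)
    print("presumed legitimate:", ok)
```

The suffix check in is_on_domain deliberately requires a leading dot, so a look-alike host such as evilyourdomain.com is not mistaken for a subdomain of the monitored site.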

Wednesday, October 29, 2008

SQL Injection Attacks by Country of Origin

Here is a world map of SQL injection attacks by their country of origin from January to October this year. The darker the color, the higher the number of hits or percentage.



Here is a pie chart representation of the information.


Monday, October 13, 2008

Wrapper for Microsoft SQL Injection Source Code Analyzer Tool

Microsoft has released a SQL Injection Source Code Analyzer for ASP code. Refer to KB 954476 for more information about the tool. However, the analyzer can only check one ASP page at a time; it does not recursively scan all ASP files in a folder. Therefore I wrote a simple wrapper around it. Here is the source code:
@echo off
setlocal
REM UNC path of the application's ASP source tree and its include folder
set source=\\servername\applicationname
set include=%source%\include
set logfile=check_applicationname.log
REM Start with a fresh log on every run
IF EXIST %logfile% DEL %logfile%
REM dir /S /B lists every .asp file recursively, one full path per line;
REM delims=? keeps a path containing spaces as a single token
FOR /F "usebackq tokens=1 delims=?" %%i IN (`dir /S /B %source%\*.asp`) DO (
    msscasi_asp.exe /NoLogo /GlobalAsaPath=%source% /input="%%i" /IncludePaths=%include% >> %logfile%
)
endlocal

Wednesday, May 3, 2006

Signs That Your Machine May Be Compromised

Here are some of the signs to look for that may indicate your machine has been compromised.
  • Your web site is defaced, or has JavaScript inserted that sends users to another site.
  • Your machine is listening on new or unknown ports.
  • The logs suddenly become much larger than they usually are.
  • The logs are not logging anything.
  • Disk space utilization of your machine suddenly increases.
  • Network utilization of your machine suddenly increases.
  • Your machine runs unusually slowly.
  • Someone reports that your machine is attacking theirs, sending spam, hosting copyrighted movies, etc.
  • A Google search for "viagra site:yourwebsite.com" (or another spam keyword) returns results, but you did not post those pages.

Saturday, November 12, 2005

List of CDs with the Evil Sony BMG Rootkit

Details on which CDs, and how to identify them can be found on the Electronic Frontier Foundation's web site:
http://www.eff.org/deeplinks/archives/004144.php

After over a week of furor surrounding this issue, Sony BMG has finally said that they will stop manufacturing CDs with the rootkit.
http://blog.sonymusic.com/sonybmg/archives/xcp.html

But does Sony want you to uninstall the rootkit? Read Mark Russinovich's (Sysinternals) blog:
http://www.sysinternals.com/blog/2005/11/sony-you-dont-reeeeaaaally-want-to_09.html

Monday, June 13, 2005

Using Active Directory Group Policy to Make hosts File Read Only

According to SANS NewsBites, Nov 4, 2004, "New Phishing Tactic is Stealthy":
MessageLabs has reported seeing what could become a new twist in phishing scams. These emails contain a script that, once the email is opened, rewrites the hosts file to automatically redirect users to phishing sites when they attempt to visit legitimate banking sites.
The article advised protecting against this particular kind of attack by disabling Windows Scripting Host. However, if your users are technical people who require it for their day-to-day work, you don't have that luxury.

But you can make the hosts file read-only and enforce it via Group Policy. Here is how:
  • In Group Policy Management Console, create a new group policy.
  • Go to Computer Configuration | Windows Settings | Security Settings | File System.
  • Add the file:
    %SystemRoot%\system32\drivers\etc\hosts
  • Change the permissions of the file to:
    Type    Name                      Permission
    Allow   BUILTIN\Administrators    Read
    Allow   NT AUTHORITY\SYSTEM       Read
    Allow   BUILTIN\Users             Read
  • Save and link this group policy to the desired OU accordingly.
Don't forget to enable security policy enforcement. Best practice is to define this in your baseline policy.
  • In Group Policy Management Console again, create a new baseline group policy (or click on your baseline group policy if you already have one).
  • Go to Computer Configuration | Administrative Templates | System | Group Policy.
  • Click on Security policy processing.
  • Choose the Enabled radio button, and check "Process even if the Group Policy objects have not changed".
  • Save and link it to the desired OU accordingly.
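Making the file read-only stops the rewrite; it does not tell you whether a machine was already modified before the policy landed. The script below is an added example, not part of the original post: it parses hosts-file text (the sample is constructed) and flags every mapping that does not point at a loopback address, since a stock Windows hosts file only contains localhost entries. Entries for the domains in WATCHED_DOMAINS (a hypothetical list; examplebank.test is a placeholder) are rated high, everything else is marked for review because it may be a legitimate local override.

```python
"""Detect hosts-file tampering of the kind described in the SANS item.

Added example, not from the original post. SAMPLE_HOSTS is constructed and
WATCHED_DOMAINS is a hypothetical list of sites worth special attention.
"""
import ipaddress

# Constructed sample: normal loopback lines plus injected redirections.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.examplebank.test   # injected by the phishing script
192.0.2.44      online.examplebank.test
10.0.0.5        intranet.corp.test     # legitimate internal override
"""

# Hypothetical: domains whose redirection would be most damaging.
WATCHED_DOMAINS = ("examplebank.test",)


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: nothing is mapped
        ip, names = parts[0], parts[1:]
        for name in names:  # one line may carry several aliases
            yield ip, name.lower()


def is_loopback(ip):
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def matches_watched(name, watched=WATCHED_DOMAINS):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)


def find_suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (severity, ip, name) for every non-loopback mapping."""
    findings = []
    for ip, name in parse_hosts(text):
        if is_loopback(ip):
            continue
        severity = "high" if matches_watched(name, watched) else "review"
        findings.append((severity, ip, name))
    return findings


if __name__ == "__main__":
    for severity, ip, name in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"[{severity}] {name} -> {ip}")
```

On a Windows machine the text to check is the file at %SystemRoot%\system32\drivers\etc\hosts; the review category is where a deliberately configured intranet override will show up, so compare it against what your administrators actually deployed.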

Tuesday, May 10, 2005

Using Active Directory Group Policy to Protect Against SYN Flood DoS Attack

I have been seeing waves of SYN flood denial of service attacks against our applications every so often. During an attack, a huge volume of TCP SYN packets is sent to our web application until it exhausts all the resources on the corresponding server. It is pretty annoying because it affects the experience of our other legitimate users of the applications.

Our firewalls can keep track of the number of connections from a single source, and if that exceeds a certain threshold, they deny further connection attempts. This has done a pretty good job so far. But I am a little concerned about the growing number of those attacks, and eventually a distributed denial of service one.

It turns out that on Windows 2000/2003 Server there are several registry settings one can use to harden the TCP/IP stack, e.g. SynAttackProtect. By setting this registry value to 1, the server times out half-open connections more quickly during a SYN attack (detected by several thresholds), and can recover the resources sooner to serve legitimate users.

I wanted to enable it on all our servers. Can Active Directory Group Policy help? Yes! Here is how:
  • Create a custom Administrative Template as follows:

    CLASS MACHINE
    CATEGORY "Network"
    CATEGORY "TCP/IP Hardening"
    POLICY "SynAttackProtect"
    KEYNAME "SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
    EXPLAIN "This registry value causes Transmission Control Protocol (TCP) to adjust retransmission of SYN-ACKS. When you configure this value, the connection responses time out more quickly during a SYN attack (a type of denial of service attack). Set SynAttackProtect to Disabled (0 - default) for typical protection against SYN attacks. Set SynAttackProtect to Enabled (1) for better protection against SYN attacks. This parameter causes TCP to adjust the retransmission of SYN-ACKS. When you set SynAttackProtect to 1, connection responses time out more quickly if the system detects that a SYN attack is in progress. Refer to Microsoft KB 324270 for more information."
    VALUENAME "SynAttackProtect"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
    END POLICY
    END CATEGORY
    END CATEGORY

  • Save the file as SynAttackProtect.adm.
  • In the Group Policy Editor, go to View menu | Filtering, and uncheck the "Only show policy settings that can be fully managed" checkbox.
  • Then go to Computer Configuration | Administrative Templates, and use Add/Remove Templates to add the SynAttackProtect.adm custom administrative template.
  • Now, under Administrative Templates | Network, a TCP/IP Hardening category will appear.
  • Under this TCP/IP Hardening category, double-click on SynAttackProtect and change the status to Enabled.
  • Close the Group Policy Editor to finish.
  • Link this group policy to the right OU to apply it to all the servers under it. (Always try it on test servers first!)
  • Within 90 minutes (the default Active Directory Group Policy refresh interval), the servers will have the new registry setting.
  • You still have to reboot the servers to make the registry change effective.
One thing you have to know is that this kind of group policy is a tattooing policy: the registry setting will not be changed back to its original value if you later remove the group policy. To undo the change, you have to explicitly set the SynAttackProtect setting in this group policy to Disabled.

Refer to Microsoft KB 324270 article for complete detail on how to harden the TCP/IP stack against denial of service attacks in Windows Server 2003.
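Two of the items in this archive can be checked from the same data: the "listening on new or unknown ports" sign in the Signs That Your Machine May Be Compromised post, and the half-open connections a SYN flood leaves behind before SynAttackProtect or the firewall starts timing them out. The script below is an added example, not code from the original posts. It parses Windows-style netstat -an output (the sample is constructed), compares the listening ports against a baseline captured when the server was known-good (a hypothetical baseline), and counts SYN_RECEIVED connections per local port against an assumed threshold.

```python
"""Port inventory and half-open connection count from netstat -an output.

Added example, not from the original posts. SAMPLE_NETSTAT is constructed,
BASELINE_LISTENING is a hypothetical known-good inventory, and
HALF_OPEN_THRESHOLD is an assumed value, not one Windows uses internally.
"""
from collections import Counter

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    10.1.1.5:80            198.51.100.7:40321     SYN_RECEIVED
  TCP    10.1.1.5:80            198.51.100.8:40322     SYN_RECEIVED
  TCP    10.1.1.5:80            198.51.100.9:40323     SYN_RECEIVED
  TCP    10.1.1.5:443           203.0.113.10:51000     ESTABLISHED
  TCP    10.1.1.5:443           203.0.113.11:51001     SYN_RECEIVED
  UDP    0.0.0.0:53             *:*
"""

# Hypothetical baseline of (protocol, port) listeners on a known-good server.
BASELINE_LISTENING = {("TCP", 80), ("TCP", 443), ("UDP", 53)}

# Assumed alert threshold for half-open connections on a single port.
HALF_OPEN_THRESHOLD = 3


def parse_netstat(text):
    """Yield (proto, local_port, state) for each connection line.

    Header and banner lines are skipped. UDP lines carry no state column and
    are reported as LISTENING so they appear in the port inventory.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        # rsplit copes with IPv6 locals such as [::]:80 as well as 0.0.0.0:80
        port = int(parts[1].rsplit(":", 1)[1])
        state = parts[3] if len(parts) > 3 else "LISTENING"
        yield parts[0], port, state


def unexpected_listeners(text, baseline=BASELINE_LISTENING):
    """Listening (proto, port) pairs that are not in the baseline."""
    listening = {(p, port) for p, port, s in parse_netstat(text) if s == "LISTENING"}
    return sorted(listening - baseline)


def half_open_by_port(text):
    """Number of SYN_RECEIVED (half-open) connections per local port."""
    return Counter(port for _p, port, s in parse_netstat(text) if s == "SYN_RECEIVED")


def ports_under_syn_pressure(text, threshold=HALF_OPEN_THRESHOLD):
    """Local ports whose half-open count has reached the threshold."""
    return sorted(port for port, n in half_open_by_port(text).items() if n >= threshold)


if __name__ == "__main__":
    print("listeners not in baseline:", unexpected_listeners(SAMPLE_NETSTAT))
    print("half-open per port:", dict(half_open_by_port(SAMPLE_NETSTAT)))
    print("ports at/over threshold:", ports_under_syn_pressure(SAMPLE_NETSTAT))
```

Run against real output by piping netstat -an into the script's parser; a listener outside the baseline is something to account for before deciding whether the box is compromised, and a port whose half-open count keeps growing is the moment to confirm that SynAttackProtect has actually taken effect after the reboot.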

Monday, March 28, 2005

Using Active Directory Group Policy to Protect Against Adware/ Spyware Tracking Cookies

Continuing my journey to fully utilize Active Directory to streamline computer management, I found that we could use Group Policy to block adware and spyware tracking cookies.

More police powers for spyware

Here is how:
  • Start Group Policy Editor.
  • Under User Configuration | Windows Settings | Internet Explorer Maintenance | Security,
  • Right-click on Security Zones and Content Ratings.
  • Under Security Zones and Privacy, choose Import the current security zones and privacy settings.
  • Note: before you click on Modify Settings,
    it will import the Internet Explorer Security Zones and Privacy settings of the machine where you are running the Group Policy Editor. Be careful! Since Windows 2003 disables a lot of IE settings by default, you may not want to run the editor on a Windows 2003 machine to define an IE group policy for Windows XP machines.
  • Click Modify Settings.
  • Go to Privacy tab. Click Sites.
  • Add the advertisement sites/domains whose tracking cookies you want to block.
  • Click OK to finish.
This approach only works for Internet Explorer. Of course, it doesn't compare with real adware/spyware checking software, which can do other checks, such as the file system and registry. I call this a poor man's version. It doesn't cost you anything other than the time it takes to configure the group policy and link it to the right Organizational Unit (OU) for deployment.