Cisco Blogs


Cisco Blog > Security

Tools of the Trade: The Compressed Pcap Packet Indexing Program

Prologue
The Compressed Pcap Packet Indexing Program (cppip) is a tool to enable extremely fast extraction of packets from a compressed pcap file. This tool is intended for security and network folk who work with large pcap files. This article provides a complete discussion of the tool and is split into two parts. The first part, intended for end-users, will explain in detail how to build and use the tool. The second part, intended for C programmers, covers cppip’s inner workings.

Introduction
Cppip is a command line utility designed to make packet extraction from large pcap files extremely fast — without having to uncompress the entire file. It relies on pcap files that have been compressed using the freely available bgzip, a backward compatible gzip utility that boasts a special additive — the ability to quickly and cheaply uncompress specific regions of the file on the fly. You will find cppip quite useful if you work with large pcap files and have the need to extract one or more packets for subsequent inspection. As you’ll see, preparing your pcap files for use with cppip is a two step process of compressing the pcap file with bgzip and then indexing it with cppip. But before you can use cppip, you first have to install it. Read More »

Tags: , , ,

Possible Exploit Vector for DarkLeech Compromises

April 24, 2013 at 5:34 am PST

Often it is quite surprising how long old, well-known vulnerabilities continue to be exploited. Recently, a friend sent me an example of a malicious script used in an attempted attack against their server:

injection_attempt_1

The script attempted to exploit the Horde/IMP Plesk Webmail Exploit in vulnerable versions of the Plesk control panel. By injecting malicious PHP code in the username field, successful attackers are able to bypass authentication and upload files to the targeted server. These types of attacks could be one avenue used in the DarkLeech compromises. Although not as common as the Plesk remote access vulnerability (CVE-2012-1557) described in the report, it does appear that this vulnerability is being actively exploited.  Read More »

Tags: , , , , , ,

Latest Oracle Java Patches and Security Best Practices

Java exploits account for 87% of total web exploits - Cisco 2013 Annual Security Report

This month’s release of the Oracle Java SE Critical Patch Update includes patches for 42 vulnerabilities. Vulnerabilities in the Oracle Java SE Java Runtime Environment (JRE) component have received widespread attention as of late because of the potential for an attacker to bypass security restrictions, access sensitive information, execute arbitrary code, or cause a denial of service condition. To make matters worse, Java vulnerabilities are often harnessed by exploit packs with tremendous success.

Many in the industry, as well as Cisco analysts, advise against having Java installed unless absolutely necessary. And if you must have Java installed, they advise using only the Java plug-in and Java Web Start provided with the latest JDK or JRE 7 release. But is there more to it than that?  Read More »

Tags: , , , , ,

London Calling

The Infosec London Conference is coming up this week, running April 23-25 at the Earl’s Court Exhibition Center. Cisco will be there of course, in a booth showing the latest Cisco security innovations and presenting four papers on:

• “Securely Accelerate Access to Data Center Applications” (Tuesday, April 23, 10:30)
• “The Changing Landscape of Identity: Is 802.1X Enough?” (Tuesday, April 23, 16:00)
• “Outbound Content Security” (Wednesday, April 24, 10:30)
• “BYOD Demo—Onboarding the iPad With Cisco Identity Services Engine” (Thursday, April 25, 10:30)

While taking in Cisco content at the show is definitely a must do item, I have a little insider travel tip to impart. Show goers should also check out the small and emerging companies usually found next to the walls in the convention hall. Read More »

Tags: , , , , , ,

Customized WordPress, Joomla Brute Force Login Attempts

In recent weeks, the occurrence of brute force login attempts targeting WordPress and Joomla installations have significantly increased in volume, with some entities reporting triple the attempts seen in the past. The attack volume has been so severe that it has led some hosting providers to block all attempts to access wp-login.php, even for site owners or administrators. While blocking all access outright might seem a bit draconian, about 25% of websites globally include WordPress installations – a tremendous attack surface if left undefended.

During the course of its investigation, Cisco TRAC discovered a repository of data believed to potentially be feeding the brute force login attempts. The trove included user lists, site lists, and password lists. Additionally, there is a list that appears to be a compilation of usernames and passwords used in previous brute force login attempts, scrapings from phishing and cracking forums, as well as the Nmap password list of common passwords. The compiled list has over 25,000 entries, half of which were duplicates. After cleaning up the duplicates, we were left with 783 unique usernames and 11,001 unique passwords -- resulting in over 8.6 million possible combinations. However, it doesn’t appear the attackers are going to that extent; the total list of username/password pairs (with dupes removed) contained just over 13,000 combinations.

Examples of some of the more complex passwords discovered include:

  • 1numb2000core
  • 89525560336sasa
  • e10adc3949ba59abbe
  • 56e057f20f883e
  • 3l3c7rocard1ograph$
  • p1206n057ic47i0n
  • kaeLAA$3

Read More »

Tags: , , , ,