Personal blog of Alex Muratov

Python SUDS, WSDL, HTTPS proxy and SOAP authentication.

Today I would like to share a recipe for using a WSDL (SOAP) service from a Python SUDS script behind an HTTPS proxy. It may be useful for fetching commercial feeds on a server sitting behind a corporate firewall.

First of all, I found Python SUDS very convenient. You can download it here or just install it via yum (or apt-get):

yum install python-suds

It is compatible even with older Python 2.4 (too bad that it does not have ElementTree).

OK, but now the issue: SUDS ignores the environment proxy settings, and whenever you try to connect to a WSDL service it simply times out. Furthermore, all attempts to explicitly specify proxy settings fail:

Depending on how you specify the proxy settings, SUDS either times out or returns a really weird error about an EOF in the communication. The reason is simple: by default urllib2 is not compatible with an HTTPS proxy. It is able to use an HTTP proxy, but not an HTTPS proxy. Too bad!

Finally I found the following solution:

1. Implement an “opener” for the SSL proxy:

urllib2 opener for SSL proxy (CONNECT method) (Python recipe)

2. Use this opener properly:

3. Add credentials to the WSDL client object:

The last step depends on the particular WSDL service's specification for credentials; please consult the web API service documentation.
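Here is an added example of what such an opener does under the hood, written for Python 3 (it is my illustration, not the recipe linked above and not SUDS code): send CONNECT to the proxy, check the proxy's reply, and only then start certificate-verified TLS inside the tunnel. The proxy address and the target host are placeholders supplied by the caller.

```python
import base64
import socket
import ssl


def build_connect_request(host, port, proxy_user=None, proxy_pass=None):
    """Build the CONNECT request that an HTTPS-capable opener sends to the proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_user is not None:
        # Basic proxy credentials travel in clear text to the proxy, so this is
        # only acceptable on a trusted internal link to the proxy itself.
        token = base64.b64encode(f"{proxy_user}:{proxy_pass}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(raw):
    """Return (status_code, reason) from the proxy's reply to CONNECT."""
    head, sep, _rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response header")
    status_line = head.split(b"\r\n", 1)[0].decode("iso-8859-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1]), (parts[2] if len(parts) > 2 else "")


def open_https_tunnel(proxy_host, proxy_port, host, port=443, timeout=30):
    """Open a verified TLS connection to host:port through an HTTP CONNECT proxy."""
    sock = socket.create_connection((proxy_host, proxy_port), timeout=timeout)
    sock.sendall(build_connect_request(host, port))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            sock.close()
            raise ConnectionError("proxy closed the connection during CONNECT")
        buf += chunk
    # A non-2xx reply (e.g. 407) means there is no tunnel; handing that reply to
    # the TLS layer instead is what produces the confusing "EOF" errors above.
    status, reason = parse_connect_response(buf)
    if not 200 <= status < 300:
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {status} {reason}")
    # TLS is negotiated end to end with the target and the certificate is checked
    # against the system trust store; the proxy only relays the encrypted bytes.
    ctx = ssl.create_default_context()
    return ctx.wrap_socket(sock, server_hostname=host)
```

The socket returned by open_https_tunnel can be handed to any HTTP client that accepts a pre-connected socket, which is what a custom SUDS transport would do with it.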

Posted in Python

Logger and CIFS share on a Windows 2008 R2 Server

Here is a workaround for the issue with mounting a CIFS share (on a Windows 2008 R2 Server) on a Logger.
I followed the usual procedure to configure a remote file system on the Logger.
All required parameters for the CIFS share were specified:


Surprisingly it did not work:


I carefully checked the parameters and login credentials; everything was correct. Furthermore, the same share was successfully mounted from another Linux box.

The next step was getting access to the Logger (via SSH) and checking the logs:

Well, “logon failure”… That is weird, since the credentials are correct!

What I found later is that the CIFS kernel module has security settings located in the file /proc/fs/cifs/SecurityFlags.

By default the Logger has this flag set to 0x7:

This flag is the root cause of the problem: it is not compatible with Windows 2008 R2 Server. I had to change it to 0x81:

Now try again to mount the CIFS share:


Success!


Done.
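As an added helper (mine, not part of the Logger or of the kernel), here is how to read what 0x7 and 0x81 actually permit, using the bit values from the Linux kernel's cifs headers, and how to write a new value only after checking that it contains known bits. It also flags the weak LANMAN/plaintext bits, which should stay off while fixing this.

```python
# Bit values as defined in the Linux kernel's cifs headers (CIFSSEC_MAY_* and
# CIFSSEC_MUST_*): the low byte says which mechanisms may be used, and the
# matching bit shifted left by 12 says the mechanism must be used.
MAY_BITS = {
    0x0001: "sign",
    0x0002: "ntlm",
    0x0004: "ntlmv2",
    0x0008: "krb5",
    0x0010: "lanman",     # weak LANMAN password hash
    0x0020: "plaintext",  # plaintext password
    0x0040: "seal",
    0x0080: "ntlmssp",    # raw NTLMSSP (extended security), carrying NTLMv2
}
MUST_BITS = {bit << 12: name for bit, name in MAY_BITS.items()}
WEAK = {"lanman", "plaintext"}

def decode_secflags(value):
    """Return (may, must) lists of mechanism names for a SecurityFlags word."""
    known = sum(MAY_BITS) | sum(MUST_BITS)
    if value & ~known:
        raise ValueError(f"unknown SecurityFlags bits: {value & ~known:#x}")
    may = [name for bit, name in MAY_BITS.items() if value & bit]
    must = [name for bit, name in MUST_BITS.items() if value & bit]
    return may, must

def parse_secflags(text):
    """Parse the hex word read from /proc/fs/cifs/SecurityFlags, e.g. '0x7\\n'."""
    return int(text.strip(), 16)

def diff_secflags(old, new):
    """Describe what changing SecurityFlags from old to new enables and disables."""
    old_may, old_must = decode_secflags(old)
    new_may, new_must = decode_secflags(new)
    return {
        "enabled": sorted(set(new_may) - set(old_may)),
        "disabled": sorted(set(old_may) - set(new_may)),
        "now_required": sorted(set(new_must) - set(old_must)),
        "weak_allowed": sorted(WEAK & set(new_may)),
    }

def set_secflags(value, path="/proc/fs/cifs/SecurityFlags"):
    """Write a new flag word, refusing unknown bits; needs root on the Logger."""
    decode_secflags(value)
    with open(path, "w") as f:
        f.write(f"{value:#x}")
```

Note that the flag word is global to the kernel's CIFS client, so the change applies to every share the Logger mounts, not only this one.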

Posted in ArcSight, Linux

RedKit Java exploit – under the hood

Here I put some technical details about the RedKit Java exploit.
I will use a real sample of captured network traffic. The analysis was done using the following tools: CuckooBox 0.6, Java Decompiler GUI, Wireshark.

Don’t follow any URLs in this post! They may still contain the malware.

OK, now step 1: a victim visits an infected web page at simtek.cc.free.fr

The browser loads a pretty simple web page with a Flash video to entertain the victim while the malware is loading.

Here is the network capture:


It looks like nothing is wrong, but… it contains an injected iframe that redirects the browser to another host, qiqojahe.ru:

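As an added example (my own, not taken from the captured sample or the tools named above), here is a small check for the tell-tale shape of such an injection: an iframe pointing off-site that is also hidden or sized 1x1. The page_host argument and the hosts in the constructed sample are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.iframes = []  # one attribute dict per <iframe> start tag

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _px(value):
    # '1', '1px', ' 0 ' -> int; missing or non-numeric -> None
    try:
        v = value.strip().lower()
        return int(v[:-2] if v.endswith("px") else v)
    except (AttributeError, ValueError):
        return None

def suspicious_iframes(html, page_host):
    """Return (src, reasons) for iframes that look injected: off-site and/or hidden."""
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for a in parser.iframes:
        src = a.get("src", "")
        host = urlparse(src).hostname or page_host  # a relative src stays on this host
        reasons = []
        if host != page_host:
            reasons.append("off-site:" + host)
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w * h <= 4:
            reasons.append("tiny")
        if reasons:
            hits.append((src, reasons))
    return hits

# Constructed sample page: a legitimate same-site embed plus an injected 1x1 iframe.
SAMPLE_HTML = """<html><body>
<iframe src="/video-comments" width="600" height="300"></iframe>
<iframe src="http://redirector.example/in.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>"""
```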

Posted in Malware

Facebook hacked

Mauritania hacker (AnonGhost) hacked Facebook. Cool!

Posted in Uncategorized

ESM ArcSight plugin – correct device time

Recently I ran into a situation where some device puts time stamps in the GMT time zone. It could be easily fixed by changing the connector settings. But here is the problem again: the settings are global, so they will fix the time stamps for this device and break the time stamps for all other devices. The only solution that I found was to create a small plugin that looks for a particular deviceVendor value and fixes the time accordingly. See the code below:

Posted in ArcSight, SIEM

ESM ArcSight plugins – how to

Introduction

I attended many sessions at the “HP Protect 2012” conference last September, and one of them, “Plug it in!” by Doron Keller (HP/ArcSight), was very interesting for me. As a former software developer, I always like any possibility of enriching the features of an existing product by writing a few lines of code. Furthermore, I was looking for such a feature because sometimes ESM rules are not powerful enough to do some calculations over a set of fields. I remember that in ESM 4.x there was a possibility to put JavaScript code into a rule's variables, but I never figured out how to do it, since the documentation never explained it properly. But now it was demonstrated to me that it is relatively simple to create a piece of Java code and run it inside the ESM Manager. Performance!

The presentation explained a lot of details, and “Protect 724” also has a few threads about ESM plugins. Surprisingly, creating a simple “Hello World” took some effort to figure out all the required steps. So I decided to create this tutorial to simplify the first step in creating a new ESM ArcSight plugin.

Step 1 – setup the development environment

Download Eclipse from http://www.eclipse.org/downloads/ and choose a version that allows plug-in development, for example “Eclipse IDE for JEE Developers”. The version “Eclipse IDE for Java Developers” won't work.

One of the suggested steps is creating a target platform for plugin projects, though I found that it does not solve all issues.

Create a platform target.

Run the Eclipse IDE and open the menu item Window -> Preferences, then choose “Plug-in Development -> Target Platform”.

Press the “Add..” button and select a new target:

Choose a new name:

Now add “content” by pressing the “Add..” button:

Press “Next” and see the next dialog:

Press the “Browse…” button and locate the “arcsight-dm” folder in the ESM Manager folders structure:

See the updated dialog and press “Finish”:

Now the target is created:

Review it and press the “Finish” button; you will see the new target platform in the list:

Check the box next to “ESM 5.0.2” to make it active and press “OK” to close the dialog.

Posted in ArcSight, SIEM

ESM ArcSight – how to convert events for Replay (Test Alert) agent

The “Replay” (also known as Test Alert) agent in ESM ArcSight is a very powerful tool for developing and debugging rules. You don't need to wait until a real (and probably rare!) event is received by the ESM Manager only to find out that the rule produced an incorrect result.
Of course, a test ESM ArcSight server is required.

Steps:

1. Export events from the ESM Console:
   1. select events in an Active Channel, right click and press “Export”;
   2. choose a destination folder and click on the radio button “Selected rows only”, because the option “All in channel” takes forever!
2. Copy the CSV file to the ESM ArcSight connector server, into the folder <path to the connector>/current/replayagent
3. Make it writable: chmod 666 myevents.csv
4. Convert the CSV file to the EVENTS replay file. This is the most tricky part because of the way the script handles parameters:

../bin/arcsight agent csvconvert -S /usr/local/arcsight/Replay/current/replayagent/myevents.csv -D myevents.events

The command “arcsight agent csvconvert” expects at least two parameters:

-S full_path_to_source_file
-D local_path_to_destination_file

Now you see the difference. If everything is correct, the following output will be produced:

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

Using agent Component

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

ArcSight csvconvert starting…

[Fri Nov 02 15:05:12 EDT 2012] [INFO ] Initializing Agent Framework
Processing line 2
Processing line 3
Processing line 4
Processing line 5

Recorded in replayagent/myevents.events 5 messages out of 5
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework

Shutting down Agent Modules now...
Shutting down Connector System Health...done.
Shutting down Persistance [genericupgrade_.genericupgrade_]...done.
Shutting down Agent Stats...done.
Shutting down Command File Listener...done.
Shutting down M1 id manager...done.
Agent shutdown completed.
[Fri Nov 02 15:05:13 EDT 2012] [INFO ] Shutting Down Agent Framework

Now go to the folder “bin” and start the agent:

./arcsight agents

Assuming ARCSIGHT_HOME: /usr/local/arcsight/Replay/current
Assuming JAVA_HOME: /usr/local/arcsight/Replay/current/jre

ArcSight Connectors starting...
...
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] ArcSight Home: /usr/local/arcsight/Replay/current
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM name: Java HotSpot(TM) Server VM
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM path: /usr/local/arcsight/Replay/current/jre
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM vendor: Sun Microsystems Inc.
[Fri Nov 02 15:28:37 EDT 2012] [INFO ] JVM version: 20.1-b02
...
[Fri Nov 02 15:28:47 EDT 2012] [INFO ] Agent [TestAlert] started.

If everything is OK (including X11), you will see the agent window:

Then click the “Replay” tab; it will show the list of available “events” files:

Click on the check mark to enable it:

Select the desired speed and click the “Continue” button to start feeding the ESM Manager:

That’s it! Now you can locate the Replay connector in the list of connectors and create a live active channel to see that the ESM Manager receives the replayed events.

Posted in SIEM

BitCoin malware

Last weekend a friend of mine told me about an issue with her new laptop: suddenly IE's home page was set to Desjardins (https://accesd.desjardins.com/). Well, nothing wrong with that, it is a legitimate web site, except for one thing: she was not able to change it! I agreed to take a look and asked her to run “HijackThis”. Immediately I found something suspicious:

Running processes:
...
C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe
...
O1 - Hosts: 198.15.104.132 www.google-analytics.com.
O1 - Hosts: 198.15.104.132 ad-emea.doubleclick.net.
O1 - Hosts: 198.15.104.132 www.statcounter.com.
O1 - Hosts: 72.29.93.243 www.google-analytics.com.
O1 - Hosts: 72.29.93.243 ad-emea.doubleclick.net.
O1 - Hosts: 72.29.93.243 www.statcounter.com.
...
O4 - HKCU\..\Run: [Intel] C:\Users\...\AppData\Roaming\BF002E.exe
O4 - HKCU\..\Run: [HotKeysCmds] C:\Users\...\AppData\Local\Temp\CF4F.EXE
O4 - HKCU\..\Run: [xivwxuaggnirrpeecys] C:\Users\...\AppData\Roaming\xivwxuaggnirrpeecys.exe
O4 - HKCU\..\Run: [Emarco] C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe

First of all, I'm very suspicious of any EXEs residing in the “AppData” folder. It is also really suspicious when well-known web hosts like google-analytics.com and doubleclick.net are redirected to an unknown host, and it is very suspicious when the browser opens Google.com instead of virustotal.com.

I checked the “AppData/Roaming” folder; it contained the mentioned EXE files and also numerous copies of them. My next step was to remove the malicious registry keys and reboot the laptop. It did the magic: IE's home page could be changed easily and virustotal.com was no longer redirected to Google.com. The suspicious files were submitted to virustotal.com. No surprise: McAfee/Symantec did not detect the trojans (the laptop had an OEM version of McAfee), but some less popular antiviruses had heuristic hits. Results:

xivwxuaggnirrpeecys.exe
uwfo.exe
3FDE.exe

The last two files, “uwfo.exe” and “3FDE.exe”, have dynamic names: each time the malware starts, it re-creates the same files under different names.

I was curious and tested “xivwxuaggnirrpeecys.exe” in VMware (Windows XP). Wireshark quickly revealed that the trojan has yet another purpose: using the infected computer to mine BitCoins and sending the results to the host pool2.50btc.com.

Right, the trojan not only steals the user's passwords but also turns the victim into a cell of a virtual super-computer for BitCoin mining.
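The two patterns that gave this infection away (hosts-file redirects of well-known domains to unknown IPs, and Run keys pointing into user-writable folders) are easy to check mechanically. The following is an added example of my own, not a HijackThis feature; the sample lines are constructed from the log quoted above plus one benign HKLM entry.

```python
import re

# Constructed sample built from the HijackThis lines quoted above, plus one
# benign HKLM entry so the triage has something it should leave alone.
SAMPLE_LOG = [
    r"O1 - Hosts: 198.15.104.132 www.google-analytics.com.",
    r"O1 - Hosts: 72.29.93.243 www.statcounter.com.",
    r"O1 - Hosts: 127.0.0.1 ads.tracker.invalid",
    r"O4 - HKCU\..\Run: [Intel] C:\Users\...\AppData\Roaming\BF002E.exe",
    r"O4 - HKCU\..\Run: [HotKeysCmds] C:\Users\...\AppData\Local\Temp\CF4F.EXE",
    r"O4 - HKCU\..\Run: [Emarco] C:\Users\...\AppData\Roaming\Ehopty\uwfo.exe",
    r"O4 - HKLM\..\Run: [Vendor Updater] C:\Program Files\Vendor\updater.exe",
]

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (\S+?)\.?$")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
# Locations a standard user can write to; legitimate autoruns rarely live there.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
# Hosts entries pointing here block a name rather than redirect it.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def triage_hijackthis(lines):
    """Return (kind, subject, detail) findings for the two patterns seen above."""
    findings = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            if ip not in BLACKHOLE_IPS:
                findings.append(("hosts-redirect", host, ip))
            continue
        m = RUN_RE.match(line)
        if m:
            _hive, name, cmd = m.groups()
            if USER_WRITABLE.search(cmd):
                findings.append(("autorun-userdir", name, cmd))
    return findings


def redirect_targets(findings):
    """Group redirected hostnames by the IP they were sent to."""
    out = {}
    for kind, host, ip in findings:
        if kind == "hosts-redirect":
            out.setdefault(ip, []).append(host)
    return out
```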

Posted in Malware

Now I have a patent 8,001,082

Today I suddenly discovered that last year the USPTO approved a patent application that was filed a long time ago.

The patent “System and method of data security in synchronizing data with a wireless device” was filed when I used to work for the “PDA Defense” project. The company “Good Technology, Inc” is the current assignee. I don't know whether they were supposed to notify me about the approval or not, but anyway, now I am an official inventor 🙂


Here is the link: Patent 8,001,082


Update: here is another one, “Method and system for protecting data within portable electronic devices”, 7,159,120


Posted in Smartphones

Why it is important to choose strong passwords

Today I got an automatic email from Twitter:


Hi, alexvirt1

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account. You can select a new password at this link:

My first thought was about possible fraud, but it was a completely legitimate email. I quickly changed my password and immediately noticed that a few minutes earlier somebody had posted the following message on my Twitter:

Sadly it was the truth: somebody was able to hack my Twitter account and post a malicious link.

Google shows that the mentioned malicious domain name was injected into many web resources during the past two weeks. So the lesson learned: always use really complex passwords on publicly available resources (it was done a long time ago for email accounts) and change them at least from time to time.

Also I am very pleased to see that Twitter detected the compromise so quickly.


Posted in Uncategorized
