Verizon’s Report Outlines Time to Respond for Web Incidents

Web Incident Response Times

While it took days for 42% of respondents to contain a web incident, the following steps help prevent such incidents in the first place:

  • Move on from single-password authentication.
  • Set up automated patching for your CMS (WordPress, Joomla, Drupal).
  • Always validate user input.
  • Enforce account lockout policies.
  • Monitor outbound connections from your server.

To learn more, download the full report: http://www.verizonenterprise.com/DBIR/2014/?utm_source=earlyaccess&utm_medium=redirect&utm_campaign=DBIR

    How to Remove Leading Zeros in Excel

    I had the occasion to download a blacklist of IPs. The problem was that this machine-generated list padded each octet with leading zeros. For example, instead of 1.2.3.4 an address was listed as 001.002.003.004. I didn't relish having to manually edit all 10,000 IP addresses. So I did some research.

    This post gave a formula to do it (it assumes every octet is padded to exactly three digits, so the octets sit at fixed character offsets 1, 5, 9 and 13):
    =INT(MID(A1,1,3)) & "." &
    INT(MID(A1,5,3)) & "." &
    INT(MID(A1,9,3)) & "." &
    INT(MID(A1,13,3))

    Source: http://superuser.com/questions/931682/excel-remove-leading-0s-from-ip-address
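    The Excel formula only works when every octet is padded to exactly three digits. The following is an added example, not from the post or the linked answer, that does the same normalization for any padding width, rejects lines that are not valid IPv4 addresses, and forces base-10 parsing (some C-library parsers read a leading zero as octal, so a padded blocklist must be normalized before another tool consumes it). The function names and the sample list are constructed for this example.

```python
import ipaddress


def strip_leading_zeros(padded):
    """Normalize a zero-padded dotted quad such as '001.002.003.004' to '1.2.3.4'.

    Unlike the fixed-offset Excel formula, this accepts any padding width and
    rejects anything that is not a valid IPv4 address.
    """
    octets = padded.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"expected 4 octets: {padded!r}")
    cleaned = []
    for octet in octets:
        if not (octet.isascii() and octet.isdigit()):
            raise ValueError(f"non-numeric octet in {padded!r}")
        # Base 10 is forced explicitly: '010' must become 10, never octal 8.
        cleaned.append(str(int(octet, 10)))
    normalized = ".".join(cleaned)
    ipaddress.IPv4Address(normalized)  # raises ValueError if an octet is outside 0-255
    return normalized


def normalize_blocklist(lines):
    """Return (sorted unique valid addresses, rejected lines) for a blocklist.

    Blank lines and '#' comments are skipped; duplicates collapse to one entry.
    """
    good, bad = set(), []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            good.add(strip_leading_zeros(line))
        except ValueError:
            bad.append(line)
    ordered = sorted(good, key=lambda ip: int(ipaddress.IPv4Address(ip)))
    return ordered, bad


# Constructed sample list (hypothetical; not the list the post refers to).
SAMPLE_BLOCKLIST = """\
# constructed example blocklist
001.002.003.004
010.000.000.001
192.168.001.010
001.002.003.004
203.000.113.256
not-an-ip
"""

if __name__ == "__main__":
    ips, rejects = normalize_blocklist(SAMPLE_BLOCKLIST.splitlines())
    print("\n".join(ips))
    print("rejected:", rejects)
```

    Rejected lines are returned rather than silently dropped, so a malformed entry in a 10,000-line list is noticed instead of quietly shrinking the blocklist.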

    Splunk Notes: Main Index growing

    My Splunk Enterprise server showed that the main index was growing much faster than the squid-access-log index I send the Squid access logs to.
    On review, it turned out that when I set up the SplunkForwarder service I had added the entire c:\squid\var\logs folder as a directory to be 'monitored'.
    This directive was stored under the Splunk install directory in etc/apps/splunk_TA_Windows/local/inputs.conf.

    All I had to do was remove the entries there, then go to the Splunk server and run:
    ./splunk clean eventdata

    (Warning: this deletes all data in all indexes.)
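    The root cause above is a monitor stanza with no explicit index, which Splunk routes to main by default, and one that names a whole directory, which the forwarder reads recursively. The following is an added check, not from the post or from Splunk, that reads an inputs.conf and reports which enabled monitor stanzas will land in main. The two configuration snippets are constructed for this example: the first reproduces the mistake described in the post, the second scopes the input to one file and assigns the intended index.

```python
from configparser import ConfigParser

# Splunk sends events from a stanza with no 'index' key to this index.
DEFAULT_INDEX = "main"


def audit_inputs(conf_text):
    """Return {stanza: effective index} for every enabled monitor:// stanza.

    Splunk .conf files are ini-style, so the standard library parser is enough.
    """
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(conf_text)
    effective = {}
    for section in cp.sections():
        if not section.startswith("monitor://"):
            continue
        if cp.get(section, "disabled", fallback="0").lower() in ("1", "true"):
            continue
        effective[section] = cp.get(section, "index", fallback=DEFAULT_INDEX)
    return effective


def stanzas_hitting_main(conf_text):
    """Stanzas that will fill the main index, sorted for stable reporting."""
    return sorted(s for s, idx in audit_inputs(conf_text).items() if idx == DEFAULT_INDEX)


# Constructed 'before' configuration: the whole log folder, no index named.
BEFORE_CONF = r"""
[monitor://C:\squid\var\logs]
sourcetype = squid:access
"""

# Constructed 'after' configuration: one file, explicit index.
AFTER_CONF = r"""
[monitor://C:\squid\var\logs\access.log]
index = squid-access-log
sourcetype = squid:access
"""

if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(label, audit_inputs(conf), "-> main:", stanzas_hitting_main(conf))
```

    Running this against the forwarder's local inputs.conf before restarting it would have flagged the directory-wide stanza instead of waiting for the main index to grow.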

    Using Squid to block WordPress XMLRPC attacks

    Have you been hit with a lot of XML-RPC-based attacks on your WordPress installation?
    Are attackers trying to insert malware into your WordPress installation (SoakSoak)?

    I have a simple solution to share with you.

    Since this website uses the BNShosting web mirror service, I thought of using the Squid service to block the flood of WordPress XML-RPC attacks before they ever reach the origin server.

    In your Squid proxy configuration (squid.conf), add the following entries:

    # for Identifying WordPress xmlrpc attacks in URL
    acl wordpressAttackers url_regex xmlrpc
    acl wordpressAttackers1 url_regex wp-includes/template-loader.php

    # Block WordPress Xmlrpc Attackers
    http_access deny wordpressAttackers
    http_access deny wordpressAttackers1

    Save the file, then restart the Squid service.
    The next time an attacker tries to brute-force your password or insert malware via xmlrpc.php or /template-loader.php, Squid will deny the request and filter these attacks before they reach the origin server.
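    Two properties of Squid's url_regex matter when reading the ACLs above: the pattern is an unanchored search over the whole URL, and it is case-sensitive unless the acl line carries the -i flag. The following is an added example, not from the post or from Squid, that reproduces those semantics in Python so the two ACLs can be checked against sample requests before the change goes live. The request URLs and host name are constructed; the decision function models the deny lines sitting ahead of the site's http_access allow rule, which is where they have to be for the deny to take effect.

```python
import re

# ACLs from the squid.conf fragment above as (name, pattern, use -i flag).
ACLS = [
    ("wordpressAttackers", r"xmlrpc", False),
    ("wordpressAttackers1", r"wp-includes/template-loader.php", False),
]


def decide(url, acls=ACLS):
    """Return ('deny', acl_name) for the first matching ACL, else ('allow', None).

    url_regex is an unanchored re.search over the full URL; -i adds IGNORECASE.
    """
    for name, pattern, ignore_case in acls:
        rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
        if rx.search(url):
            return ("deny", name)
    return ("allow", None)


def audit(urls, acls=ACLS):
    """Map each URL to the verdict it would get from the deny rules."""
    return {url: decide(url, acls) for url in urls}


# Constructed request URLs: two attack-style requests, a legitimate article slug
# that happens to contain the substring, a mixed-case variant, and a login page.
SAMPLE_URLS = [
    "http://blog.example/xmlrpc.php",
    "http://blog.example/wp-includes/template-loader.php",
    "http://blog.example/2015/01/disabling-xmlrpc-in-wordpress/",
    "http://blog.example/XMLRPC.php",
    "http://blog.example/wp-login.php",
]

if __name__ == "__main__":
    for url, (verdict, acl) in audit(SAMPLE_URLS).items():
        print(f"{verdict:5} {acl or '-':20} {url}")
```

    The article slug is denied too, which shows the collateral effect of a bare substring pattern; the mixed-case request slips through without -i. Anchoring the pattern (for example on the file name) narrows the first problem, and -i closes the second. Keep in mind that legitimate clients such as Jetpack and the WordPress mobile apps also use xmlrpc.php, so a blanket deny takes those out along with the attack traffic.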

    How to Work on Large Log files in Windows

    I had to search through a 400+ GB Squid proxy log file. The problem is that you can't open such a large file in Notepad or WordPad; it won't open because of the size.
    Quick idea: use grep to filter the large file down to a smaller, workable one. The problem is that there is no grep command on a Windows server. Thankfully, Windows does have an equivalent: the findstr command.

    So I opened a command prompt and entered:

    findstr "string-to-be-searched" filename.ext > result.txt

    This gave me a smaller file that I could work with. Another idea is to find the UNIX date string at the start of each line and use it to filter the log down to the date range you want to work with.
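    The date-range idea above works because Squid's native access.log begins every line with a UNIX timestamp. The following is an added example, not from the post, that streams a log line by line (so a multi-hundred-GB file never has to fit in memory) and keeps only lines that contain a search string and fall inside a date range, which is the findstr extraction with the time filter added. The log lines, file paths and function names are constructed for this example.

```python
from datetime import datetime, timezone


def to_unix(day):
    """'YYYY-MM-DD' (taken as UTC) -> float UNIX time, matching Squid's first column."""
    return datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()


def squid_timestamp(line):
    """Parse the leading UNIX timestamp (e.g. 1420070400.123); None if absent."""
    try:
        return float(line.split(None, 1)[0])
    except (IndexError, ValueError):
        return None


def filter_log(lines, needle=None, start=None, end=None):
    """Yield lines containing `needle` whose timestamp lies in [start, end).

    Lines without a parseable timestamp are dropped when a range is requested.
    """
    for line in lines:
        if needle is not None and needle not in line:
            continue
        if start is not None or end is not None:
            ts = squid_timestamp(line)
            if ts is None:
                continue
            if start is not None and ts < start:
                continue
            if end is not None and ts >= end:
                continue
        yield line


def extract(src_path, dst_path, needle=None, start=None, end=None):
    """Stream src_path into dst_path keeping matching lines; return the count kept."""
    kept = 0
    with open(src_path, errors="replace") as src, open(dst_path, "w") as dst:
        for line in filter_log(src, needle, start, end):
            dst.write(line)
            kept += 1
    return kept


def filter_text(text, needle=None, start=None, end=None):
    """In-memory convenience wrapper used for the sample below."""
    return list(filter_log(text.splitlines(keepends=True), needle, start, end))


# Constructed sample in Squid's native log format (one line per day, 2015-01-01 to 01-04 UTC).
SAMPLE_LOG = """\
1420070400.101    120 10.0.0.5 TCP_MISS/200 1234 GET http://blog.example/ - HIER_DIRECT/198.51.100.7 text/html
1420156800.202     35 10.0.0.9 TCP_DENIED/403 0 POST http://blog.example/xmlrpc.php - HIER_NONE/- text/html
1420243200.303     40 10.0.0.9 TCP_DENIED/403 0 POST http://blog.example/xmlrpc.php - HIER_NONE/- text/html
1420329600.404     90 10.0.0.5 TCP_MISS/200 2048 GET http://blog.example/about/ - HIER_DIRECT/198.51.100.7 text/html
"""

if __name__ == "__main__":
    hits = filter_text(SAMPLE_LOG, "xmlrpc", to_unix("2015-01-02"), to_unix("2015-01-03"))
    print("".join(hits), end="")
```

    For a real file, call extract("access.log", "result.txt", "xmlrpc", to_unix("2015-01-02"), to_unix("2015-01-03")); only the matching lines are ever held in memory.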

    Hope this helps others.