Web Incident Response Times
While it took days for 42% of respondents to contain a web incident, you can take the following steps to prevent these incidents:
To learn more, download the full report http://www.verizonenterprise.com/DBIR/2014/?utm_source=earlyaccess&utm_medium=redirect&utm_campaign=DBIR
No Comments »
Filed under: Computing, Security
I had the occasion to download a blacklist of IPs. The problem was that this machine generated list padded zeros in front of it. For example, instead of 1.2.3.4 it was listed as 001.002.003.004. I didnt relish having to manually edit all 10,000 IP addresses. So I did research.
This post gave a formula to do it:
=INT(MID(A1,1,3)) & “.” &
INT(MID(A1,5,3)) & “.” &
INT(MID(A1,9,3)) & “.” &
INT(MID(A1,13,3))
Source: http://superuser.com/questions/931682/excel-remove-leading-0s-from-ip-address
No Comments »
Filed under: Computing, Security
My splunk enterprise shows that the main index is growing much faster than the squid access logs i sent to squid-access-log index.
Upon review, it seems that during setup of the splunkforwarder service, i added the entire c:\squid\var\logs folder as a directory to be ‘monitored’
This directive was stored in the default splunk directory/etc/app/splunk_TA_Windows/local/input.conf
All i had to do was to remove the entries there then go to the splunk server and enter:
./splunk clean eventdata
(Warning all data in the indexes will be lost)
No Comments »
Filed under: Big Data
Have you been hit with a lot of xmlrpc based attacks on your wordpress installation?
Are attackers planning to insert malware into your wordpress installation (soak-soak)?
I have a simple solution to share with you.
Since this website uses BNShosting web mirror service, i thought of using the squid service to block the tons of WordPress attacks using XMLRPC from ever getting to the origin server.
On your squid proxy configuration (squid.conf) add the following entries:
# for Identifying WordPress xmlrpc attacks in URL
acl wordpressAttackers url_regex xmlrpc
acl wordpressAttackers1 url_regex wp-includes/template-loader.php
# Block WordPress Xmlrpc Attackers
http_access deny wordpressAttackers
http_access deny wordpressAttackers1
Save the file, then restart the squid service.
The next time a hacker attempts to brute force your password or insert malware via the xmlrpc or /template-loader.php, the squid service will deny the attempt and filter these attacks before it even gets to the source server.
No Comments »
Filed under: Computing, Security
I had to search through a 400++ gb squid proxy log file. The problem here is that you can’t use Notepad or Wordpad on such a large file. It wont open due to the large size.
Quick idea: use GREP command to filter out the large file into a smaller workable file. The problem is that there is NO GREP command on the windows server. Thankfully, WINDOWS does have an equivalent though — Findstr command to the rescue.
So i opened a command prompt and entered:
findstr “string-to-be-search” filename.ext > result.txt
This gave me a smaller file that i could work with. Other ideas to try is to find the UNIX date string and use it to filter the log file into the date range you want to work with.
Hope this helps others.
No Comments »
Filed under: Computing
