
CVE-2019-19781 poor man's ktrace(1) driven analysis

Recently I had the chance to get my hands on a copy of a malicious httpd executable used by an unknown party while exploiting CVE-2019-19781. Even though I have nothing more than a layman's understanding of forensics, I still wanted to dig into it. This is my journal of a journey into looking at malware as a noob. While I hope to encourage others to also try to look behind the curtain, I also want to stress that this is all potentially dangerous and you should not do this from within a sensitive network.

unbound DNS rebind protection

While working on my DNS firewalling @home I was studying unbound.conf(5) and found something I had already forgotten about: unbound's DNS rebinding protection.

DNS rebinding is an attack where a malicious website uses your browser to reach internal addresses (e.g. RFC1918) in order to get its hands on internal resources, such as your router's admin interface. The attacker's domain first resolves to their own server and then, after a short TTL, to an internal address, so the browser's same-origin policy lets the page's script talk to the internal host. There have been attacks in the wild using that technique and I bet there still are. rebind.network is a site that actually tries to find internal resources on your network; the site needs JavaScript. Anyhow, and without further ado, here's the setting that I am running on my unbound, courtesy of unbound.conf(5):
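As an added example of what such a setting looks like (this is not the author's configuration, which is not shown on this page): unbound strips any answer record that falls into a private-address range unless the queried name lives under a private-domain. The local zone name home.example is an assumption, substitute your own.

```conf
server:
    # Answers carrying these addresses are dropped for public names.
    # RFC1918, loopback, link-local and their IPv6 counterparts.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 127.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10
    private-address: ::1/128

    # Names that legitimately resolve to private addresses (assumed
    # internal zone; without this, your own hostnames get stripped too).
    private-domain: "home.example"
```

Run unbound-checkconf(8) after editing, then verify with a name you control that is published with a 192.168.x.x address: with the protection active the address is stripped from the answer, while the same name under private-domain still resolves.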

Open Source Threat Intelligence And Makeshift RPZ with Unbound

Update: Added some remarks about what DNS RPZ actually is, what my objective is and what the outcome will be.

A friend of mine and I tried to play with RPZ and knot yesterday and failed badly. The fact that both knot and RPZ were new to us didn't help. Discussing the failure later that night I remembered that I already do something similar at home: ad blocking at the DNS level instead of in every application on every client. In a way this is also DNS RPZ.
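The makeshift RPZ idea, as an added example that is not the author's script: a hosts(5)-style blocklist is turned into unbound local-zone statements that answer NXDOMAIN for every client on the network. The feed below is constructed, and the include path mentioned in the comments is an assumption.

```sh
#!/bin/sh
# Added example: hosts-style blocklist -> unbound local-zone lines.
# Not the author's script; feed content and include path are assumptions.

# Constructed sample feed in the usual "0.0.0.0 name" format, with the
# comments, blank lines, duplicates and localhost noise such lists carry.
SAMPLE_FEED='# sample blocklist (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0   tracker.example.net   # trailing comment
0.0.0.0 ads.example.com
0.0.0.0 0.0.0.0

0.0.0.0 Bad.Example.ORG'

# hosts_to_unbound: read a hosts-style list on stdin, print unbound
# local-zone lines on stdout. Strips comments, keeps only entries pointing
# at 0.0.0.0/127.0.0.1, lowercases names, rejects anything that is not a
# plausible multi-label hostname (so a hostile feed cannot inject config
# syntax), drops localhost entries and deduplicates.
hosts_to_unbound() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' |
    awk 'NF >= 2 && ($1 == "0.0.0.0" || $1 == "127.0.0.1") { print tolower($2) }' |
    grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$' |
    grep -Ev '^(localhost\.localdomain|0\.0\.0\.0)$' |
    sort -u |
    awk '{ printf "local-zone: \"%s.\" always_nxdomain\n", $1 }'
}

# blocklist_zone_count: number of zones the sample feed yields.
blocklist_zone_count() {
    printf '%s\n' "$SAMPLE_FEED" | hosts_to_unbound | wc -l | tr -d ' '
}

# write_blocklist FILE: write the generated zones to FILE, which unbound
# picks up via  include: /var/unbound/etc/blocklist.conf  (assumed path,
# it must live inside unbound's chroot). Reload with unbound-control reload.
write_blocklist() {
    { printf '# generated %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"; hosts_to_unbound; } > "$1"
}

# Stand-alone run: print the zones for the constructed sample.
printf '%s\n' "$SAMPLE_FEED" | hosts_to_unbound
```

The hostname filter is the important part: a blocklist fetched from the internet is untrusted input that ends up in your resolver's configuration, so only clean names may pass, and sort -u keeps unbound from seeing the same zone twice.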

My take on a network manager

There's one thing I really miss under OpenBSD: a network manager that seamlessly handles carrying my laptop around. So the main itches I want to scratch are doing the magic at boot and on resume, so that I never have to fiddle with hostname.if(5) again.

Open Source Threat Intelligence and pf(4)

I came up with the idea of using open source threat feeds, or OSINT, on my private setup and quickly cooked up the shell script below as a rough first try. The funny thing is that I more or less instantly got hits from the 5346 IP addresses in the table:
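An added example of such a script (not the author's, whose script is not on this page): the feed is validated before it becomes a pf(4) table, because a feed is untrusted input and a single stray 0.0.0.0/0 or 192.168.0.0/16 line would cut off the LAN. The feed content is constructed; the table name, file path and the pf.conf lines are assumptions.

```sh
#!/bin/sh
# Added example (not the author's script): IP threat feed -> pf(4) table.
# Feed is constructed; in real use fetch it with ftp(1) or curl first.
TABLE=threats
TABLE_FILE=${TABLE_FILE:-/etc/pf/threats.txt}   # assumed path

# Constructed sample of what such feeds look like: comments, bare IPs,
# CIDR prefixes, junk lines and private ranges that must never be blocked.
SAMPLE_FEED='# Generated 2020-01-01 (constructed sample)
203.0.113.7
198.51.100.0/24
203.0.113.7
192.168.1.50
10.0.0.0/8
0.0.0.0/0
not-an-ip
192.0.2.300
192.0.2.44 ; comment
2001:db8::1'

# feed_to_table: stdin feed -> one validated IPv4 address or prefix per
# line, deduplicated. Rejects octets > 255, prefixes shorter than /8 or
# longer than /32, and RFC1918/loopback/link-local space, so a poisoned
# or sloppy feed cannot make pf block the LAN or the box itself.
feed_to_table() {
    sed -e 's/[#;].*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
    grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' |
    awk -F'[./]' '{
        for (i = 1; i <= 4; i++) if ($i > 255) next
        if (NF == 5 && ($5 > 32 || $5 < 8)) next
        if ($1 == 10 || $1 == 127 || ($1 == 192 && $2 == 168) ||
            ($1 == 172 && $2 >= 16 && $2 <= 31) || ($1 == 169 && $2 == 254)) next
        print
    }' |
    sort -u
}

# load_table [FILE]: write the cleaned list and swap it into the running
# table with "pfctl -T replace", which is atomic: no window where the
# table is empty. pfctl only runs when present and we are root.
load_table() {
    out=${1:-$TABLE_FILE}
    feed_to_table > "$out.tmp" && mv "$out.tmp" "$out"
    if [ "$(id -u)" -eq 0 ] && command -v pfctl >/dev/null 2>&1; then
        pfctl -t "$TABLE" -T replace -f "$out"
    fi
}

# Matching pf.conf(5) lines (assumed; "egress" is the default interface
# group for the default-route interface). "log" makes hits show up in
# pflog(4), which is how you see the feed matching traffic:
#   table <threats> persist file "/etc/pf/threats.txt"
#   block in  quick log on egress from <threats> to any
#   block out quick log on egress from any to <threats>

# Stand-alone run: print what the constructed feed turns into.
printf '%s\n' "$SAMPLE_FEED" | feed_to_table
```

Count the loaded entries with pfctl -t threats -T show | wc -l, and watch hits with tcpdump -n -e -ttt -i pflog0.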

OpenBSD on Hyper-V Primer

I am fed up with VMware Workstation and I'd like to check whether Hyper-V is a better alternative for me. This is not a tutorial but just a primer and scratchpad, mainly for myself, hence the very brief notes.

Settling in and some outlook

A night without sleep later, I am slowly getting a clearer picture of how the pieces fit together. Ricing my blog is getting smoother and smoother as my understanding of sblg, HTML and CSS grows, and I was able to declutter both my Makefile and the HTML. But there is a lot of additional chopping to be done.

rainloop and OpenBSD

Update: I have corrected chown www /var/www/data to chown www /var/www/rainloop/data in "getting rainloop ready to rock".

  • installing php and php-curl (and unzip)

      pkg_add -i php php-curl unzip
    
  • getting rainloop ready to rock

grav CMS on OpenBSD w/ chrooted fpm and nginx

Just in case somebody else gets the "cannot resolve getgrav.com" error: php-fpm runs chrooted in /var/www, so the resolver cannot see the host's /etc. Just copy /etc/resolv.conf into the chroot:

mkdir /var/www/etc
cp /etc/resolv.conf /var/www/etc/

And I had already feared that I would need to create /dev/random and shit like that. Damn it, that took too long to find out.
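The same fix as an added, reusable script (not the author's commands): besides resolv.conf it also carries hosts and the CA bundle into the chroot, since curl inside the chroot fails TLS verification without /etc/ssl/cert.pem once DNS works. The default paths match OpenBSD's /var/www layout; both are parameters so the script can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example (not the author's commands): make name resolution and TLS
# work for a php-fpm chrooted in /var/www on OpenBSD.

# chroot_prep [ROOT] [SRC_ETC]
# Copies resolv.conf and hosts (read by libc's resolver) and ssl/cert.pem
# (the CA bundle curl needs) from SRC_ETC into ROOT/etc. Mode 0644 keeps
# the files readable by the www user but writable only by their owner
# (root when run for real), so the chrooted code cannot redirect its own
# DNS queries.
chroot_prep() {
    root=${1:-/var/www}
    src=${2:-/etc}
    mkdir -p "$root/etc/ssl"
    for f in resolv.conf hosts; do
        if [ -f "$src/$f" ]; then
            cp "$src/$f" "$root/etc/$f"
            chmod 0644 "$root/etc/$f"
        fi
    done
    if [ -f "$src/ssl/cert.pem" ]; then
        cp "$src/ssl/cert.pem" "$root/etc/ssl/cert.pem"
        chmod 0644 "$root/etc/ssl/cert.pem"
    fi
}

# chroot_check [ROOT]: list which of the needed files are present in the
# chroot; the return value is the number of missing files (0 = all good).
chroot_check() {
    root=${1:-/var/www}
    missing=0
    for f in etc/resolv.conf etc/hosts etc/ssl/cert.pem; do
        if [ -f "$root/$f" ]; then
            echo "ok      $root/$f"
        else
            echo "missing $root/$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Stand-alone run: only touch the real chroot when explicitly asked to.
if [ -n "${PREP_CHROOT:-}" ]; then
    chroot_prep "$PREP_CHROOT" /etc
fi
chroot_check "${PREP_CHROOT:-/var/www}" || true
```

Note that the copy in the chroot is a snapshot: when /etc/resolv.conf changes (new DHCP lease, different network) the chrooted php-fpm keeps using the old nameservers until you run this again.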