Heap Spray attempts: Compromised site http://www.efendim.net

On a Saturday evening I spent some time upgrading my MacBook Pro with an SSD. The only SSD I had was the one with Security Onion built on it, so I fired up the best NSM OS and tested.

It was during the test that I found a compromised site: http://www.efendim.net. My Sguil was up and straight away triggered the following signature:
– ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
– Heap spraying is a technique that assists exploitation by sending large strings that fill the target's heap with attacker-controlled data; it facilitates arbitrary code execution. To be clear, a heap spray does not itself exploit a vulnerability; however, because it manipulates the heap layout, it makes a vulnerability easier to exploit.

Attached screenshot shows the Sguil output (IPS signature).

Attached screenshot shows the response payload.

As you can see in the payload, this one was using JavaScript with the character "%41" (URL-encoded "A") and concatenating it with itself over and over.
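The following is an added example, not part of the original post or the actual efendim.net payload: a small Python checker that applies the same idea as the ET signature (a run of %41 units) to an HTTP response body, and adds two related indicators, a self-concatenation loop in the script and a very long run of identical characters after URL-decoding. The sample bodies are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# ET-style check: a run of URL-encoded "A" bytes ("%41%41%41%41" = "AAAA").
PERCENT41_RUN = re.compile(r"(?:%41){4,}", re.IGNORECASE)
# %u-encoded 16-bit units (e.g. %u0c0c) are another common spray filler.
UNICODE_RUN = re.compile(r"(?:%u[0-9a-f]{4}){8,}", re.IGNORECASE)
# JavaScript that doubles a string by concatenating it with itself: s += s; or s = s + s;
SELF_CONCAT = re.compile(r"\b(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\s*;")
# 1000 or more identical consecutive characters once the body is decoded.
LONG_REPEAT = re.compile(r"(.)\1{999,}", re.DOTALL)


def heap_spray_indicators(body: str) -> dict:
    """Return the individual indicators and a simple score for one response body."""
    decoded = unquote(body)  # one level of %xx decoding, like the browser's unescape()
    longest = max((len(m.group(0)) for m in LONG_REPEAT.finditer(decoded)), default=0)
    indicators = {
        "percent41_run": bool(PERCENT41_RUN.search(body)),
        "unicode_run": bool(UNICODE_RUN.search(body)),
        "self_concat": bool(SELF_CONCAT.search(body)),
        "longest_repeat": longest,
    }
    indicators["score"] = sum([
        indicators["percent41_run"],
        indicators["unicode_run"],
        indicators["self_concat"],
        longest >= 1000,
    ])
    return indicators


def is_heap_spray_suspect(body: str, threshold: int = 2) -> bool:
    """Flag a body when at least `threshold` indicators fire (threshold is an assumption)."""
    return heap_spray_indicators(body)["score"] >= threshold


# Constructed samples; SUSPECT_BODY mimics the pattern described in the post.
SUSPECT_BODY = (
    "<script>var pad = unescape('" + "%41" * 1024 + "');"
    "for (var i = 0; i < 10; i++) { pad += pad; }"
    "var heap = []; for (var j = 0; j < 200; j++) { heap[j] = pad; }</script>"
)
BENIGN_BODY = "<script>var s = 'Hello'; s = s + ' world'; document.title = s;</script>"

if __name__ == "__main__":
    for name, body in (("suspect", SUSPECT_BODY), ("benign", BENIGN_BODY)):
        print(name, heap_spray_indicators(body))
```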

The following IP address is where the site is hosted: http://www.ipvoid.com/scan/

The IP address has a bad reputation and is blacklisted.

I did not find any further communications suggesting that the website redirects to any other malicious content yet.

From this analysis I can say that there are still sites being compromised with legacy techniques, which means that the security of generic websites is still lacking and puts all kinds of users at risk.

These endpoints need to be secured, but how? How can we secure each and every site? The answer is that it is not feasible; however, we as users can always increase our understanding of security and how to apply it.

Happy Holidays !!!!!!!