Heap Spray attempts : Compromised site http://www.efendim.net

On a Saturday evening I spent some time upgrading my MacBook Pro with an SSD. The only SSD I had was one with Security Onion installed on it, so I fired up the best NSM OS and tested it.

During the test I found a compromised site: http://www.efendim.net. My Sguil console was up and straight away triggered the following signature:
– ET SHELLCODE Possible %41%41%41%41 Heap Spray Attempt
– Heap spraying is a technique that assists exploitation (here, through a web page's JavaScript) by sending large strings that fill the target process's memory with predictable content, which makes arbitrary code execution easier to achieve. To be clear, a heap spray attempt does not exploit a vulnerability by itself; however, because of the way it manipulates the memory layout, it makes an existing vulnerability easier to exploit reliably.

Attached screenshot shows the Sguil output (IDS signature).

Attached screenshot shows the response payload.

As you can see in the payload, this one was using JavaScript with the character sequence "%41" (the URL-encoding of the letter A) and concatenating it with itself over and over, producing exactly the repeated-%41 pattern the signature looks for.
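As an added illustration (not code from this post or from the site in question), the following Python check applies the same idea as the signature to a page body: it decodes percent-encoded JavaScript string literals, measures how repetitive they are, and looks for the self-concatenation loop described above. The sample response, the benign control and the thresholds are constructed assumptions for the demonstration.

```python
import re

# Constructed sample of the kind of page source the post describes (not the
# actual content served by the site): a short percent-encoded literal grown
# by self-concatenation and copied into many blocks.
SAMPLE_RESPONSE = """<html><script>
var nop = unescape("%41%41%41%41");
while (nop.length < 0x100000) nop += nop;
var blocks = [];
for (var i = 0; i < 200; i++) blocks[i] = nop;
</script></html>"""
BENIGN_RESPONSE = '<script>var sep = "%20"; var q = a + b;</script>'

# Quoted JavaScript literals made only of %XX or %uXXXX escapes.
PCT_LITERAL = re.compile(r"""["']((?:%u?[0-9A-Fa-f]{2,4})+)["']""")
# Growth idiom: s += s  or  s = s + s (the same variable appended to itself).
SELF_CONCAT = re.compile(r"(\w+)\s*(?:\+=\s*\1|=\s*\1\s*\+\s*\1)\b")
SIGNATURE_RUN = 4    # the ET rule name matches four consecutive %41
LONG_RUN = 64        # a literal this repetitive is flagged on its own (assumed threshold)

def decode_literal(lit: str) -> bytes:
    """Decode %XX and JavaScript-style %uXXXX escapes (UTF-16LE, as unescape() stores them)."""
    out = bytearray()
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", lit):
        if m.group(1):
            out += int(m.group(1), 16).to_bytes(2, "little")
        else:
            out.append(int(m.group(2), 16))
    return bytes(out)

def longest_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte value."""
    best = cur = 0
    prev = None
    for b in data:
        cur = cur + 1 if b == prev else 1
        prev, best = b, max(best, cur)
    return best

def analyze(body: str) -> dict:
    """Heap-spray indicators in an HTTP response body: repetitive escaped
    literals plus a self-concatenation loop that inflates them at runtime."""
    runs = [longest_run(decode_literal(lit)) for lit in PCT_LITERAL.findall(body)]
    longest = max(runs, default=0)
    grown = sorted(set(SELF_CONCAT.findall(body)))
    suspicious = longest >= LONG_RUN or (longest >= SIGNATURE_RUN and bool(grown))
    return {"longest_run": longest, "self_concat_vars": grown, "suspicious": suspicious}

if __name__ == "__main__":
    for name, body in (("sample", SAMPLE_RESPONSE), ("benign", BENIGN_RESPONSE)):
        print(name, analyze(body))
```

The two heuristics are deliberately combined: a four-byte literal alone is common in legitimate code, so it is only flagged together with the loop that grows it, while a very long repetitive literal is flagged on its own.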

The site is hosted at the following IP address.

188.40.53.185 – http://www.ipvoid.com/scan/188.40.53.185/

The IP address has a bad reputation and is blacklisted.

I did not find any further communications suggesting that the website redirects to any other malicious content yet.

From this analysis I can say that there are still sites being compromised using legacy techniques, which means that security for generic websites is still lacking and puts all kinds of users at risk.

These endpoints need to be secured, but how? How can we secure each and every site? The answer is that it is not feasible; however, as users we can always increase our level of understanding of security and how to apply it.

Happy Holidays !!!!!!!
