Archive for the ‘ Security ’ Category

Got hacked, back up

It finally happened: my server was hacked. The attacker was on a path of destruction and simply destroyed all of my data and locked me out of the server. Fortunately, I keep good backups. Unfortunately, I’ve been busy with a new job, so I haven’t been able to restore any of it until today.

Notes:

I believe this attack was initiated by a former co-worker, as the timing of the intrusion lines up directly with my leaving my old position. This leads me to believe that the server/sites were not necessarily misconfigured or vulnerable; rather, a former manager or co-worker who knew some of my common passwords simply logged in and destroyed my data.

It also could have been a Steam phisher that I upset a few months back. He messaged me a link to his phishing page, saying that I would receive a free game for logging in. I immediately knew what was going on, started taunting the phisher, and then DDoSed his phishing page. The attacker very well could be related.

However, this is no excuse. I broke one of the basic first rules of web security: use different passwords for everything. Now all services and users have their own unique password… so far, so good.

Debian/Ubuntu Anti-Virus and Root Kit Scan Script

A customer requested this script, and once I started working on it I realized how useful it could be. I have it set up as a weekly cron task. The script is very simple: it updates ClamAV and RKHunter, then scans the server with both and mails the results to the specified email address. If you plan on adding this script to your server, you might want to ensure that you have the correct versions of ClamAV and RKHunter installed.

Click here to download the script

Click Here to see the full post with install instructions

Use NMAP To Detect Conficker

I found this gem of an Nmap command yesterday. I was unable to write about this nifty command because my site was offline. But I’m back now!

Important Notes:

You will need to download the latest version of nmap from insecure.org, or you can click here.

The command:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

Just remove [targetnetworks] and replace that value with the subnet you wish to scan. Since my gateway is 192.168.1.1, I altered the command to scan my network to look like the following:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 192.168.1.*

Analyze the output:

A clean machine should report at the bottom: “Conficker: Likely CLEAN”, while likely infected machines say: “Conficker: Likely INFECTED”. For more advice, see this nmap-dev post by Brandon Enright.
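As an added example (not code from the original post), here is a small Python parser for the scan's normal output that maps each host to its Conficker verdict and lists the likely infected ones. The sample output is constructed for this example and is not output from a real scan; hosts with closed or filtered SMB ports produce no verdict and are marked NO RESULT.

```python
import re

# Constructed sample of nmap normal output for the scan described above
# (three hosts, made up for this example; not output from a real scan).
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.1.10
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   Conficker: Likely CLEAN
|_  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for 192.168.1.23
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   Conficker: Likely INFECTED
|_  regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)

Nmap scan report for 192.168.1.40
445/tcp filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
# Script result lines start with "|" (or "|_" for the last line of a block).
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")

def parse_conficker_results(nmap_output):
    """Map each scanned host to its Conficker verdict; hosts whose ports
    were closed or filtered never get a verdict and are marked NO RESULT."""
    results, current = {}, None
    for line in nmap_output.splitlines():
        host = HOST_RE.match(line)
        if host:
            current = host.group(1)
            results[current] = "NO RESULT"
            continue
        verdict = CONFICKER_RE.match(line)
        if verdict and current:
            results[current] = verdict.group(1)
    return results

def infected_hosts(results):
    """Hosts whose verdict contains INFECTED, for follow-up."""
    return sorted(h for h, v in results.items() if "INFECTED" in v)

if __name__ == "__main__":
    for host in infected_hosts(parse_conficker_results(SAMPLE_NMAP_OUTPUT)):
        print("Likely infected:", host)
```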

Plesk Hack: Email and FTP Usernames and Passwords

I wrote this simple script for work. It allows us to gather all the username and password information on the server so we can troubleshoot faster. This is an early version of the script; I plan on adding more functionality to improve the speed of troubleshooting. This script was not intended for malicious purposes; please do not use it for such.

Edit: It looks like a few people out there have been publishing my code without attribution.  I really don’t mind if you post my code, but please give me credit.  The one I’ve found didn’t even change the header (with my full name in it) of the script or the “doneskies” at the end.  Have some class and give me proper attribution.

Click Here to see the script

Quick SSH Tunnel Script

I wrote this script for a friend who needs to get around a work firewall. The script uses Plink to create an SSH tunnel to a server of your choice.

I haven’t added any error handling to it, but I like how it integrates FTP in a batch script. For this script to work, you’ll need at least one server with both FTP and SSH enabled. Make sure to lock down both accounts that you use in the script, and make sure that plink.exe is accessible in the root of the FTP account.

Click Here to check it out

Auto Ban Brute Force Attempts

This script was just handed to me by a friend; every server with SSH access should have it installed. It automatically bans an IP address that fails to authenticate after 3 attempts. You can change the ban duration with a simple command-line option.

Click Here to check it out.