I just finished an article about "Remote log
injection" that shows some methods to inject data
into SSH and vsftpd logs that can cause log analysis
tools to parse them incorrectly.
This paper also exposes some vulnerabilities in
DenyHosts, Fail2ban and BlockHosts that can lead to
arbitrary injection of IP addresses into
/etc/hosts.deny. To make it more "interesting" (i.e.
worse), not only IP addresses can be added, but also
the wildcard "all", causing it to block the whole
Internet out of the box (bypassing white lists).
The following paper discusses these issues and contains
the available patches for them:
http://www.ossec.net/en/attacking-loganalysis.html
Snippet from the article:
"
This paper talks about remote log injection, where an
external attacker can modify a log, based on the input
it provides to an application (in our case OpenSSH and
vsftpd). By modifying the way the application logs, we
are able to attack these log analysis tools. We
are not talking about local log modification or
"syslog injection".
"
Link to the article:
http://www.ossec.net/en/attacking-loganalysis.html
Thanks,
--
Daniel B. Cid
dcid ( at ) ossec.net
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org
http://www.loganalysis.org/mailman/listinfo/loganalysis
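An added illustration of the parsing problem the post describes (this is not code from the article, from the OSSEC project, or from DenyHosts, Fail2ban or BlockHosts): a naive sshd log parser that takes the first "from <token>" it sees as the offending address, beside a hardened one that treats the user name as untrusted, anchors on the last token of the line, and validates it as an IP address before anything could be written to /etc/hosts.deny. The log lines are constructed, the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, the NAIVE_RE pattern is a simplified stand-in for a trusting parser rather than any named tool's actual pattern, and it is assumed, as the post describes, that the daemon writes the attacker-supplied user name into the log verbatim.

```python
"""Remote log injection against an sshd log parser: naive vs. hardened extraction.

Added illustration, not code from the linked paper or from DenyHosts,
Fail2ban or BlockHosts. NAIVE_RE is a simplified stand-in for a parser that
trusts the first "from <token>" it sees; it is not any of those tools'
actual patterns.
"""
import ipaddress
import re

# Constructed sshd-style lines (not captured from a real host). The attacker at
# 203.0.113.45 controls only the user name it sends; it is assumed the daemon
# logs it verbatim as "Invalid user <name> from <ip>", with the peer address last.
SAMPLE_LOGS = [
    "Jan 10 10:00:01 host sshd[1234]: Invalid user bob from 203.0.113.45",
    # user name crafted as "admin from 198.51.100.7" so a third party gets blocked
    "Jan 10 10:00:02 host sshd[1235]: Invalid user admin from 198.51.100.7 from 203.0.113.45",
    # user name crafted as "root from ALL" so the hosts.deny wildcard gets written
    "Jan 10 10:00:03 host sshd[1236]: Invalid user root from ALL from 203.0.113.45",
]

# Naive pattern: whatever follows the first " from " is taken as the source address.
NAIVE_RE = re.compile(r"Invalid user (\S+) from (\S+)")

# Hardened pattern: the user field is untrusted and may contain anything (greedy
# .*), the address is the last whitespace-free token on the line, and it is
# validated as an IP address afterwards instead of being copied blindly.
HARDENED_RE = re.compile(r"Invalid user (?P<user>.*) from (?P<ip>\S+)$")


def naive_extract(line):
    """Return the address a trusting parser would extract, or None."""
    m = NAIVE_RE.search(line)
    return m.group(2) if m else None


def hardened_extract(line):
    """Return the validated source address as a string, or None when the line
    does not end in a syntactically valid IPv4/IPv6 address."""
    m = HARDENED_RE.search(line)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        # "ALL", host names and other wildcards never reach hosts.deny
        return None


def deny_entry(value):
    """hosts.deny line a blocker would append; 'ALL' here blocks every client."""
    return f"sshd: {value}"


def compare(lines):
    """Run both parsers over the lines; returns (naive_entries, hardened_entries)."""
    naive = [deny_entry(v) for v in map(naive_extract, lines) if v]
    hardened = [deny_entry(v) for v in map(hardened_extract, lines) if v]
    return naive, hardened


if __name__ == "__main__":
    naive_entries, hardened_entries = compare(SAMPLE_LOGS)
    print("naive parser would write:   ", naive_entries)
    print("hardened parser would write:", hardened_entries)
```

Run directly to see both result lists: the naive path would append sshd: 198.51.100.7 (an innocent third party) and sshd: ALL (everyone), while the hardened path blocks only the real peer each time. The ipaddress check is what stops the wildcard; anchoring the address on a field the attacker cannot influence is what makes the fix hold, and for the real tools the patches in the linked paper are what should be applied.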