Pakistani Hacker's Website Hacked by Lucky..!!

Posted by Ganesh Murugaraju

Nov 2:

Indian Hacker Lucky Hacked The pakistani Hacker's Website "pakjanoon.com".
This hack is in response to the challenge made by CYBER_SWATI yesterday to ICA & All Indian Hackers.
but the Sadest part  was on the very first Day itself their website was hacked by Indian Hacker..! And also Lucky had left a message in that website for cyber_swati.
Indians Again Proved Themself.. Always They are a step Ahead of Pakistani Hackers..!!
Jai Ho..!!
Proud To Be an Indian.!!

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi210A9AffqXDguBavwfX3WFqp51vGZcfWYp5aoXWLaa3x_3e0tmThIUe9nBRG_YjC5nhhRVsLrAH738ecTcuVc2feVlwASeRW6_juBnBt8sztgShEq_4fj0nw0IhLRS6JLq43qfI7L26zw/s1600/Cyber+Swati+Hacked.JPG

Facebook Apps leaking personal Data

Posted by Ganesh Murugaraju


Facebook privacy has been in the news numerous times and it’s a subject we’ve also covered many times, with the sheer mass of users on the site the amount of data (especially personal data) is phenomenal.
The latest buzz is that many of the most popular 3rd party apps (mostly games like Farmville and Texas HoldEm Poker) are leaking the unique Facebook ID that enables tracking of an individual Facebook user.
A number of Facebook apps have been providing advertisers with information that make social networking users easily identifiable, according to an investigation by the Wall Street Journal.
All 10 of Facebook’s most popular apps, including Farmville and Texas HoldEm Poker, are among those leaking the unique ‘Facebook ID’ number to outside firms. Every Facebook number is individual and assigned to every profile. Searching for the number will provide access to the Facebook user’s profile and anyone can view the information a user has chosen to share with ‘everyone’. This can include their name, date of birth and even photos.
Farmville, which has 59 million users, also passes this information about a user’s friends. The WSJ said at least 25 firms were being sent the Facebook IDs, which they were using to build profiles of web users, and in some cases, even track their web browsing. It’s not known if the developers knew their apps were leaking data.
It’s become a big issue because WSJ reported on it – Facebook in Privacy Breach, it seems that with the data that the apps leak + some good old data mining advertising and marketing companies can build fairly comprehensive databases about individuals on the Internet.
Not that this is a new problem for anyone who has followed the issues Facebook has been dealing with and in part making worse themselves with lax default privacy settings. It’s a contradiction really because for a service like Facebook the more data they can collect the more valuable they are and on the flip-side everyone and his dog is so worried about privacy…but they still use Facebook.
Millions of Facebook users have been affected, even those that use the social network’s strongest privacy settings. It also breaks Facebook’s rules concerning privacy, which state app developers can not pass on users’ data to outside firms, even if the user has given permission.
Facebook admitted a user’s ID “may be inadvertently shared by a user’s internet browser or by an application” but it “does not permit access to anyone’s private information on Facebook”.
Third-party developers are usually responsible for developing the apps. Facebook stopped users accessing several apps thought to have been leaking personal data.
“We have taken immediate action to disable all applications that violate our terms,” Facebook said. The WSJ named RapLeaf as one of the developers using the Facebook IDs in its own database as well as passing them onto to several other firms.
Facebook claims that somehow they are going to address these issues (by introducing new technology), perhaps another use for a OTP or some kind of token access for the application which allows you to use the application without revealing ANY personal info – including the Facebook ID.
But then I’m not sure how games like Farmville would track your progress and link to your account if they can’t use your Facebook ID.

Source: Network World

Free Utilities download

Posted by Ganesh Murugaraju

Free Anti virus online scanners
BitDefender Online Scanner
BitDefender
Online Scanner is an on-demand virus scanner which incorporates the
award-winning BitDefender scanning engines. You can use it to scan your
system’s memory, all files and drives’ boot sectors, and to
automatically clean infected files.
Kaspersky Online Scanner
Welcome to Kaspersky Online Scanner 7.0! Use the program to check your computer for viruses and other malware for free.
HouseCall
This is a free Online Virus Scan from Trend Micro.
Symantec’s Scan for Viruses
Examine
your computer using Symantec’s award-winning virus detection technology
to determine if it is infected by any known virus or Trojan horse.
Panda ActiveScan
Panda
ActiveScan is Panda Software’s online antivirus, that works directly
over the Internet. With a simple click from your browser you can scan
all your files and e-mail for viruses.
  
Free Anti virus
AVG Free Edition
AVG
Free Edition is the well-known anti-virus protection tool. AVG Free is
available free-of-charge to home users for the life of the product!
Rapid virus database updates are available for the lifetime of the
product, thereby providing the high-level of detection capability that
millions of users around the world trust to protect their computers.
AVG Free is easy-to-use and will not slow your system down (low system
resource requirements).
Avira AntiVir Personal
Avira
AntiVir Personal – FREE Antivirus is a reliable free antivirus
solution, that constantly and rapidly scans your computer for malicious
programs such as viruses, Trojans, backdoor programs, hoaxes, worms,
dialers etc. Monitors every action executed by the user or the
operating system and reacts promptly when a malicious program is
detected. Avira AntiVir Personal is a comprehensive, easy to use
antivirus program, designed to offer reliable free of charge virus
protection to home-users, for personal use only, and is not for
business or commercial use. Available for Windows or UNIX.
avast! Antivirus Home Edition
avast!
antivirus Home Edition represents the best antivirus protection
available and is available free of charge for non-commercial, home use.
It is designed to protect your valuable data and programs, as well as
keep itself up-to-date. It also comes with the kind of built-in
features that many vendors charge for additionally, or don’t include at
all such as anti-spyware, anti-rootkit and strong self-protection.
Simply install and forget.
   Software Firewall for personal use.
Comodo Firewall (Free edition)
Unlike some other free firewalls, this is not a stripped down version, but is a fully functional product. Updates are also free.
  • Complete protection from Hackers, Spyware, Trojans and Identity theft
  • Host Intrusion Prevention System stops malware from being installed
  • Clean PC Mode registers your current applications then will allow only applications that you approve to be installed on your computer
  • Malware Scan Feature checks your computer for viruses, spyware and trojans before you install Comodo Firewall Pro
  • Free Download. No charges or license fees ever.
Install now for out-of-the-box protection against identity theft hackers, trojans, viruses, scripts and other unknown threats.
ZoneAlarm (Free edition)
Easy-to-use
firewall blocks hackers and other unknown threats. Stealth mode
automatically makes your PC invisible to anyone on the Internet. The Free version provides you with only the basic protection, but it is enough to keep you and your PC safe from intruders.


                                                               Virtualization tools
VMware Server
Begin
enjoying the benefits of server virtualization for free. VMware Server
is a hosted virtualization platform that installs like an application
on any existing server hardware and partitions a physical server into
multiple virtual machines.
Microsoft Virtual PC
With Microsoft
Virtual PC 2007, you can create and run one or more virtual machines,
each with its own operating system, on a single computer. This provides
you with the flexibility to use different operating systems on one
physical computer.
VirtualBox
VirtualBox
is a general-purpose full virtualizer for x86 hardware. Targeted at
server, desktop and embedded use, it is now the only
professional-quality virtualization solution that is also Open Source Software.

 Hard disk Backup and Restore tool
Double Driver
Double
Driver is a very simple and useful tool which not only allows you to
view all the drivers installed on your system but also allows you to
backup, restore, save and print all chosen drivers simply and reliably.
FBackup
FBackup
is a free backup software for both personal and commercial use. It
protects your important data by backing it up automatically to any
USB/Firewire device, local or network location. The backed up data can
be either compressed (using standard zip compression) or an exact copy
of the original files.
Areca Backup
Backup
solution for Linux and Windows. It basically allows you to select a set
of files / directories to back-up, choose where and how (as a simple
file copy, as a zip archive, …) they will be stored, and configure
post-backup actions (like sending backup reports by email or launching
custom shell scripts)
Cobian Backup
Cobian Backup is a multi-threaded program that can be used to schedule
and backup your files and directories from their original location to
other directories/drives in the same computer or other computer in your
network. FTP backup is also supported in both directions (download and
upload).
Many Other goodies coming soon happy visiting  !!!

How to get stored Passwords from Browsers

Posted by Ganesh Murugaraju

hi friends.. Here is the small tutorial to recover your Saved Passwords from your Browser, 

Google Chrome :

ENABLE PASSWORD SAVE OPTION
You can easily enable Chrome to save passwords for website you visit. Click the Tools menu > Select Options > Click the Minor Tweaks tab and then check option ‘Offer to save passwords’. Now Chrome will save username and passwords for you.


HOW TO VIEW STORED PASSWORDS?
Click the Tools menu > Select Options > Click the Minor Tweaks tab. In the ‘Passwords’ section, click the Show saved passwords button.

Firefox :

In Firefox, navigate to the Tools \ Options menu item. Select the Privacy button, the Passwords tab, and then click on View Saved Passwords. You’ll be presented with this screen:
Click the Show Passwords button, and navigate down to the website password you are looking for


Safari :

 
In Firefox world viewing the saved passwords is really easy . You just need to go to Firefox preferences in Mac ( and tools> options in Windows ) then to Security tab and click on the “Saved Passwords” then “Show Passwords” . Its not possible from Safari menu to see the Autofill passwords . In Mac there is something called “Keychain Access” which does this thing of saving and revealing the saved passwords from Safari as well as other Mac application . So basically to see the Safari saved password in Mac open Keychain Access navigate to the website or username whose password you forgot , right click the particular row and click ” Copy Password to Clipboard” . You can paste it to any text editor ( eg. Textedit ) and see the saved password. This way finally , i got my lost password :-) .
In Windows version of Safari its not possible to see the saved password as Windows version of Safari also doesn’t have show password option in its Preferences> Autofill . Note: not for Windows

Google's next project

Posted by Ganesh Murugaraju

Google has a penchant for making computers do all kinds of things. It’s latest project includes driving a car without the need of a person actually driving it. That basically means no driver is required. The logic for Google? Simple, they want to remove human errors which leads to accidents on the road.
Google announced that they have cars which drive themselves, using a on-board computer. They have completed over 160,000 miles quite safely.
google cars Google testing automated cars!

How the Google car works?

  • The car has a video camera which reads traffic lights and helps the car’s computer recognize traffic on the road.
  • A radars which help decide positions of faraway objects.
  • Another radar like device at the top which creates a 3D map of the car’s surroundings.
  • This information is crunched by computers on-board the car and help it navigate around on the roads without the need of a driver.

What is driving Google?

  • Genuine concerns of safety. Imagine cars which just did not allow people to drive rashly or over the speed limit. It will obviously make car travel safer. Most road safety research statistics show that rise in number of accidents are due to human errors.
  • The other thing that could be this is a great way for Google to showcase their technology (android, google maps).
According to NY Times, the earliest we can see such cars is 2018. What do you think about Google’s latest experiment? Are they losing focus or are they focusing on something truly visionary? Do drop in your comments and views.

Firebug script for your IE, chrome, safari etc..

Posted by Ganesh Murugaraju

Firebug Lite is a Java Script that enables us to use Firebug like features in other browsers. It gives the same look and feel like Firebug. If you wish to use Firebug Lite for IE6 or other browsers like Chrome,Safari then here’s the way how to do that.

Just add the following code at the top of the of your page inside script tag :

Stable Live Link:  "text/javascript"src="https://getfirebug.com/firebug-lite.js"
Stable Local Link:  "text/javascript" src="/local/path/to/firebug-lite.js"

Features
    * Compatible with all major browsers: IE6+, Firefox, Opera, Safari and Chrome.
    * It has the same look and feel as Firebug.
    * Inspect HTML and change style in real-time in different browsers.

200 evasion techniques are used by hackers

Posted by Ganesh Murugaraju

New cyber threats bypass most network security systems,


Cybercriminals are using new, advanced evasion techniques that can pose a serious threat to existing network security systems worldwide, says security firm Stonesoft.

Companies may suffer a significant data breach including the loss of confidential corporate information, the firm warned.

According to the Stonesoft's Helsinki research labs, the threats significantly extend what was previously known about evasion techniques.

The researchers found that the new techniques provide cybercriminals with a master key to any vulnerable system such as ERP by bypassing network security systems.

"It does not matter what intrusion prevention systems are in place, because these master keys can bypass most of them," said Ilkka Hiidenheimo, chief executive at Stonesoft.
200 evasion techniques

Cybercriminals are now using 200 different evasion techniques in combination to create an almost infinite number of different attack methods, he told Computer Weekly.

A range of content inspection technologies are affected, said researchers, which means cybercriminals can use them to evade many network security systems.

Field tests and experimental data show many of the existing network security solutions fail to detect these techniques and thus fail to block the attack inside.

The details of this discovery have been shared with CERT-FI in Finland for vulnerability co-ordination purposes and validated by ICSA Labs.

CERT-FI said it would work with Stonesoft and other network security suppliers to remediate the vulnerabilities exposed by the new evasion techniques.

ICSA Labs said the advanced evasion techniques could result in lost corporate assets with potentially serious consequences for breached organisations.

The dynamic and undetectable nature of these advanced evasion techniques could have a direct effect on the network security landscape, said Juha Kivikoski, chief operating officer at Stonesoft.

"The industry is facing a non-stop race against this type of advanced threats and we believe only dynamic solutions can address this vulnerability," he said.
Defence

The best defence against these evasion techniques is through flexible, software-based security systems with remote update and centralised management capabilities, said Ash Patel, country manager for UK and Ireland at Stonesoft

However, most organisations today use static hardware-based solutions, which can be difficult or even impossible to update against rapidly evolving and dynamic threats, he said.

"By working at different layers in the TCP/IP stack, cybercriminals can set up invisible communication channels in which they can embed attacks," he said.

According to Patel, 99% of network security systems are vulnerable to these techniques, and it is therefore important for all organisations to identify all their critical data assets and find out as much as they can about the threat to ensure they are protected.

Stonesoft has published detailed information and a video on the advanced evasion techniques, and called on the network security industry to collaborate on combating them.

how to clear computer's memory

Posted by Ganesh Murugaraju


It often happens our computer to operate its work very slowly.Most of people restart computer, but we have another simple method to proceed without restarting your OS.

1. Right-click on desktop and choose New-Shortcut
2. In the Type the location of the item write this code: %windir%\system32\rundll32.exe advapi32.dll,ProcessIdleTasks
3. Click Next
4. Name as Clear Memory
5. Click Finish.


Now whenever you see that your PC is working slowly go to this icon and click it, without restarting PC would clear your memory and speed up processes

5 individuals arrested on Cybercrime in Ukraine

Posted by Ganesh Murugaraju


Ukraine authorities have arrested five individuals who allegedly directed a global cybercrime scheme that used a version of the Zeus Trojan computer virus to steal $70 million from U.S. bank accounts, FBI officials said on Friday.

They told a news briefing that Ukraine authorities took the five individuals into custody and conducted searches under eight warrants on Thursday as part of an international crackdown that dismantled the operation this week.

The officials said the scheme targeted small and medium-sized U.S. businesses. It involved the use of malware, a software code that captures passwords, account numbers and other data used to log into online banking accounts.

The crackdown had previously been disclosed with some arrests announced in New York on Thursday and in London on Wednesday.

The FBI officials declined to identify any of the U.S. banks that had been victims or to say how many banks had suffered losses in the scheme.

They said the investigation began in May of last year after a complaint from a company in Omaha, Nebraska, and quickly spread to New York and New Jersey.

The U.S. cases involved more than 300 victims. In the United States, 92 people have been charged and 39 have been arrested, the officials said.

The scheme involved the use of foreigners who entered the United States on student visas and who were recruited as "mules" to open bank accounts under fake names. The accounts were then used to receive and transfer the stolen funds overseas.

"During this investigation, the FBI worked closely with our overseas counterparts to identify subjects who were instrumental in the development and control of the malicious software, those who facilitated the use of malware, and those who saw a means to make quick, easy money -- the mules," said Gordon Snow, assistant director of the FBI's Cyber Division. (Reporting by James Vicini, Editing by Gerald E. McCormick)

How to Remove Brontok Virus

Posted by Ganesh Murugaraju

Remove Brontok Virus Urself - It's easy!

its the most sticky virus ..
u can Remove it
be an ethical Hacker
It works~~!!

Start ur computer in safe mode with command prompt and type the followinf
command to enable registry editor:-

reg delete HKCU\software\microsoft\windows\currentversion\policies\system /v
"DisableRegistryTools"
and run HKLM\software\microsoft\windows\currentversion\policies\system /v
"DisableRegistryTools"

after this ur registry editor is enable
type explorer
go to run and type regedit
then follow the following path :-
HKLM\Software\Microsoft\Windows\Currentversion\Run

on the right side delete the entries which contain 'Brontok' and 'Tok-' words.

after that restart ur system
open registry editor and follow the path to enable folder option in tools menu

HKCU\Software\Microsoft\Windows\Currentversion\Policies\Explorer\
'NoFolderOption'
delete this entry and restart ur computer

and search *.exe files in all drives (search in hidden files also)
remove all files which are display likes as folder icon.

ur computer is completely free from virus brontok..!

Windows xp - Basic tricks

Posted by Ganesh Murugaraju

Windows XP- TRICKS :

Speed up your browsing of Windows 2000 & XP machines
Here's a great tip to speed up your browsing of Windows XP machines. Its actually a fix to a bug installed as default in Windows 2000 that scans shared files for Scheduled Tasks. And it turns out that you can experience a delay as long as 30 seconds when you try to view shared files across a network because Windows 2000 is using the extra time to search the remote computer for any Scheduled Tasks. Note that though the fix is originally intended for only those affected, Windows 2000 users will experience that the actual browsing speed of both the Internet & Windows Explorers improve significantly after applying it since it doesn't search for Scheduled Tasks anymore. Here's how :

Open up the Registry and go to :

HKEY_LOCAL_MACHINE/Software/Microsoft/Windows/Current Version/Explorer/RemoteComputer/NameSpace

Under that branch, select the key :
{D6277990-4C6A-11CF-8D87-00AA0060F5BF}
and delete it.
This is key that instructs Windows to search for Scheduled Tasks. If you like you may want to export the exact branch so that you can restore the key if necessary.

This fix is so effective that it doesn't require a reboot and you can almost immediately determine yourself how much it speeds up your browsing processes.
 

How to make your Desktop Icons Transparent

Go to ontrol Panel > System, > Advanced > Performance area > Settings button Visual Effects tab "Use drop shadows for icon labels on the Desktop"


Remove the Recycle Bin from the Desktop

If you don't use the Recycle Bin to store deleted files , you can get rid of its desktop icon all together.
Run Regedit and go to:

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/explorer/Desktop/NameSpace
Click on the "Recycle Bin" string in the right hand pane. Hit Del, click OK.

All About Trojan Horses (virus)

Posted by Ganesh Murugaraju

"Trojan Horses" (or Backdoors) have been in the news just recently, the term probably sounds familiar to you. But perhaps you’re not quite sure what a Trojan Horse is and what damage it is capable of doing to your system. Trojan Horses, of which there are now more than one thousand in circulation (including modifications and variants), are a relatively new and probably the most dangerous strain of viruses that have appeared in recent times.

The Meaning of its Name :

The name "Trojan Horse" derives itself from a page in Greek history when the Greeks had lain siege to the fortified city of Troy for over ten years. Their spy, a Greek called Sinon offered the Trojans a gift in the form of a wooden horse and convinced them that by accepting it, they would become invincible. The horse though was hollow and was occupied by a contingent of Greek soldiers. When they emerged in the dead of night and opened the city gates, the Greeks swarmed in, slaughtered its citizens and subsequently pillaged, burned and laid waste to the city.


How it Works :

In order to gain access to a user’s computer, the victim has to be induced to install the Trojan himself. The usual method is to offer a seemingly useful system enhancement or perhaps a free game that has the Trojan attached to it. By installing it, the user also installs the Trojan.
The most common sources of infection are as follows:
  • Executing any files from suspicious or unknown sources.
  • Opening an e-mail attachment from an unknown source.
  • Allowing a "friend" access to your computer while you are away.
  • By executing files received from any online activity client such as ICQ.
  • Virtually every Trojan virus is comprised of two main parts. These are the called the "server" and the other, the "client". It is the server part that infects a user’s system.
Once infected, the computer becomes accessible to any remote user, usually referred to as a "cracker" or "intruder", that has the client part of the Trojan. That person can perform any action that the user can. For example, if the user keeps his credit card details on the computer, the intruder can steal that information. He may not necessarily make use of the credit card himself, but he can certainly sell the information to a third party who can then go on a spending spree at the user’s expense. The intruder can also steal passwords in order to gain access to restricted information or to password protected web sites as well.
In addition, the intruder can cause the system to reboot without warning, shutdown without warning, eject the CDROM tray, delete files, add files, make use of the user’s e-mail client, etc. etc. The possibilities are endless.

Problems Caused by it :
Let's suppose that you have already been infected. How do intruders attack and get a full control of your computer?
Practically every Trojan virus has two functional parts called the server and the client. The server part is the part of the program that infects a victim's computer. The client part is the one that allows a hacker to manipulate data on the infected machine.
Intruders scan the Internet for an infected user (technically speaking, an attacker sends request packets to all users of a specific Internet provider) using the client part of the virus. Once an infected computer has been found (the server part of the virus that is located on infected machine replies to client part's request) the attacker connects to that user's computer and creates a "link" between the two just like the one in an ordinary telephone conversation. Once that has happened (this procedure may only take a few seconds), the intruder will be able to get unrestricted access to the user's computer and can do anything he likes with it. The intruder becomes the master and the user the slave because short of disconnecting from the Internet, the user is helpless and has no means at his disposal to ward off an attack.
Intruders can monitor, administer and perform any action on your machine just as if they were sitting right in front of it.
A Trojan Horse works a bit like the backdoor to your house. If you leave it unlocked, anybody can come in and take whatever they want while you're not looking. The main difference with a backdoor installed on your computer is that anybody can come in and steal your data, delete your files or format your hard drive even if you are looking. There are no visible outward signs that anything untoward is happening other than perhaps unusual hard disk activity for no apparent reason. 


Types of Trojans :
Each of the Trojan classes described next contains a variety of cracker's tools. Tauscan is capable of removing all of these classes if it detects them. To view the Trojans in each class, click on the Database button on the Tauscan toolbar.

Remote Access Trojans

These are the probably the most popular and very likely the most dangerous of the many Trojan classes currently available. It is these types that work in the server/client mode. The server part installs itself on the unsuspecting user's computer and the client remains on the attacker's system. Once an infected machine has been discovered, the intruder establishes a link between the two. He can subsequently perform any action the user can and more. For example, let's assume that the user has valuable data stored in a folder called "ABC" on his C: drive. In order to steal that data, all the intruder needs to do is to drag and drop the folder called ABC from the user's C: drive onto his own. It's as simple as that!

Mail Trojans

Another popular type of Trojan in hackers' circles is the mail Trojan. It works in server mode only and its main function is to record certain data such as the keystrokes the user enters when passwords are typed, the web sites he regularly visits and files in general. An infected machine will automatically send the information by e-mail to the attacker. These are very difficult to spot because the e-mail client is part of the Trojan itself.

FTP Trojans

This particular class of Trojan works in server mode only. It allows FTP access to an infected machine and can download or upload files at the intruder's whim.

Telnet Trojans

Telnet Trojans run in server mode only and allow an intruder to execute DOS commands on a remote machine.

Keylogger Trojans

These Trojans record the keystroke input on an infected machine and then stores the information in a special log file that the intruder can access in order to decipher passwords.

Fake Trojans

This type of Trojan uses fake dialog boxes and other bogus windows that purport to show that the user has attempted to perform an illegal operation. By displaying a dialog box, its sole purpose is to get the user to enter his user name and password. That information is then stored on file so that the intruder can use it at a later date.

Form Trojans

This is a Trojan that once installed ascertains the users personal data such as IP address, passwords and other personal data that he or she has stored on their system and then by connecting to the cracker's web page, submits the online form via HTTP. A cracker can then use the information gained whenever he wishes. The Trojan performs this function without any user intervention and without the user's knowledge. The user will not see any indication of the transmission such as pop-up windows that would indicate that this is taking place.

E.Book : Computer Security And Cryptography

Posted by Ganesh Murugaraju

E.Book : Computer Security And Cryptography




Image

Computer Security And Cryptography
Wiley-Interscience | 2007 | 544 pages | PDF | 8.4 MB

Gain the skills and knowledge needed to create effective data security systems. This book updates readers with all the tools, techniques, and concepts needed to understand and implement data security systems. It presents a wide range of topics for a thorough understanding of the factors that affect the efficiency of secrecy, authentication, and digital signature schema. Most importantly, readers gain hands-on experience in cryptanalysis and learn how to create effective cryptographic systems.

The author contributed to the design and analysis of the Data Encryption Standard (DES), a widely used symmetric-key encryption algorithm. His recommendations are based on firsthand experience of what does and does not work.

Thorough in its coverage, the book starts with a discussion of the history of cryptography, including a description of the basic encryption systems and many of the cipher systems used in the twentieth century. The author then discusses the theory of symmetric- and public-key cryptography. Readers not only discover what cryptography can do to protect sensitive data, but also learn the practical limitations of the technology. The book ends with two chapters that explore a wide range of cryptography applications.


Download:

Download with FileServe:
Code:
http://www.fileserve.com/file/WtA58bU/Comp.Sec.Crypto.rar

Inox Website is infected

Posted by Ganesh Murugaraju

Latest sources says that Inoxmovies.com was infected.
The source code for http://www.inoxmovies.com contains references to . A Google search for "" gives
jyothylaboratories.com as one of the results. Apparently making
detergents and showing movies doesn't involve securing corporate
websites.

Another search for intext:".info/ur.php>" shows a lot more
domains that have a similar naming convention (eg: http://google-stats45.info/ur.php)
and which are marked as suspicious by Google Safe Browsing.

A lookup on the URL gives the IP 77.78.239.63, which is presumably
located in the Republic of Moldova (which is is a landlocked country
in Eastern Europe, located between Romania to the west and Ukraine to
the north, east and south - src:Wikipedia.com) and is hosted with an
ISP called Maxhosting-services. Another IP Geo Location result puts it
in Bosnia And Herzegovina. The domain is registered as ruslan7777.com
by this dude called Avaris Pinofopoulos (src:
http://www.malwareurl.com/listing.php?ip=77.78.239.63). Another search
puts the registrant to be Vasea Petrovich, who stays (or works) in
Varlaam, Moscow, Postal Code 76549.

Google says the google-stats55.info site is clean (http://
www.google.com/safebrowsing/diagnostic?site=http://google-stats55.info).
It also says that the site acted as an intermediary for the infection
of 3 sites. Im not trusting them on this one.

Proceeding further on Inoxmovies.com takes you to a fake antivirus
software site that shows how it has scanned your computer and found
several infections in My Computer.

Thanks to Riyaz Ahamed for researching on this topic..!

Chinese Cyber-War against India

Posted by Ganesh Murugaraju

STUXNET Worm :

Stuxnet is a Windows-specific computer worm first discovered in June 2010 by VirusBlokAda, a security firm based in Belarus. It is the first discovered worm that spies on and reprograms industrial systems.  It was specifically written to attack Supervisory Control And Data Acquisition (SCADA) systems used to control and monitor industrial processes. Stuxnet includes the capability to reprogram the programmable logic controllers (PLCs) and hide the changes.

The idea that Israel might be waging cyberwar against Iran was first floated in a 2009 article by Dan Williams of Reuters. It is the first-ever computer worm to include a PLC rootkit. It is also the first known worm to target critical industrial infrastructure. Furthermore, the worm's probable target has been said to have been high value infrastructures in Iran using Siemens control systems. According to news reports the infestation by this worm might have damaged Iran's nuclear facilities in Natanz and eventually delayed the start up of Iran's Bushehr Nuclear Power Plant. Siemens has stated, however, that the worm has not in fact caused any damage.
Russian digital security company Kaspersky Labs released a statement that described Stuxnet as "a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world." Kevin Hogan, Senior Director of Security Response at Symantec, noted that 60 percent of the infected computers worldwide were in Iran, suggesting its industrial plants were the target. Kaspersky Labs concluded that the attacks could only have been conducted "with nation-state support", making Iran the first target of real cyber warfare.
https://doc-0k-88-docs.googleusercontent.com/docs/secure/pqateap3cr6amg8cf7h3e51he53i6rds/lk24t7qmd3u0topvdb3tbum15f9ld5ql/1286863200000/05265634174686640166/05265634174686640166/0By1CIvDEeQn3MjViOTkwOGEtNzUwZi00Y2M3LWJhYzgtYWUzNTEyZjhhMmFi?nonce=j6ht3i7p6tg1m&user=05265634174686640166&hash=g4eop0tqoe69en8p1gt8809v7cptf66b   

 MUMBAI: Isro has ruled out possibility of the deadly Stuxnet internet worm attacking Insat-4 B satellite on July 7, resulting in 12 of its 24 transponders shutting down.

Speaking to TOI from Bangalore on Monday, Isro officials, requesting anonymity, said that the worm only strikes a satellite’s programme logic controller (PLC).

“We can confirm that Insat-4 B doesn’t have a PLC. So the chances of the Stuxnet worm attacking it appear remote. In PLC’s place, Insat-4 B had its own indigenously-designed software which controlled the logic of the spacecraft,’’ said a source.

PLC’s main function is to control the entire “logic of the spacecraft’’. Other space experts described PLC as a digital computer used for automation of electro-mechanical processes.

Sources, however, said Isro is awaiting Jeffrey Carr’s presentation at Abu Dhabi next to know the full details of the Stuxnet internet worm. Carr in a blog published in Forbes recently suggested that the resumes of two former engineers at Isro’s Liquid Propulsion Systems Centre (LPSC) at Mahendra Giri in Tamil Nadu said that the Siemens S7-400 PLC was used in Insat-4 B, which can activate the Stuxnet worm.

An Isro announcement on July 9 said that “due to a power supply anomaly in one of its (Insat-4 B) two solar panels, there is a partial non-availability on India’s Insat-4 B communication satellite’’. It said that the satellite has been in operation since March 2007 and the power supply glitch had led to the switching off of 50% of the transponder capacity.

The worm infects only computers equipped with certain Siemens software systems. Isro, however, reiterated that the Siemens software wasn’t used in Insat-4 B. The Stuxnet worm was first discovered in June, a month before Insat-4 B was crippled by power failure.

Carr’s blog says, “China and India are competing with each other to see who will be the first to land another astronaut on the Moon.’’ 



Operation

Stuxnet attacks Windows systems using four zero-day attacks (including the CPLINK vulnerability and a vulnerability used by the Conficker worm) and targets systems using Siemens' WinCC/PCS 7 SCADA software. It is initially spread using infected USB flash drives and then uses other exploits to infect other WinCC computers in the network. Once inside the system it uses the default passwords to command the software. Siemens, however, advises against changing the default passwords because it "could impact plant operations."
The complexity of the software is very unusual for malware. The attack requires knowledge of industrial processes and an interest in attacking industrial infrastructure. The number of used zero-day Windows exploits is also unusual, as zero-day Windows exploits are valued, and hackers do not normally waste the use of four different ones in the same worm. Stuxnet is unusually large at half a megabyte in size, and written in different programming languages (including C and C++) which is also irregular for malware. It is digitally signed with two authentic certificates which were stolen from two certification authorities (JMicron and Realtek) which helped it remain undetected for a relatively long period of time. It also has the capability to upgrade via peer to peer, allowing it to be updated after the initial command and control server was disabled.  These capabilities would have required a team of people to program, as well as check that the malware would not crash the PLCs. Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not years.
A Siemens spokesperson said that the worm was found on 15 systems with five of the infected systems being process manufacturing plants in Germany. Siemens claims that no active infections have been found and there were no reports of damages caused by the worm. Jeffrey Carr raised the possibility that the Stuxnet took India’s INSAT-4B Satellite out of action, making it effectively dead. However, ISRO has provisionally ruled out the possibility of Stuxnet attack, and awaits further details from Carr's presentation on the topic.

Removal

Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing the Microsoft patch for vulnerabilities and disallowing the use of third-party USB sticks.
The worm's ability to reprogram external programmable logic controllers (PLCs) may complicate the removal procedure. Symantec's Liam O'Murchu warns that fixing Windows systems may not completely solve the infection; a thorough audit of PLCs is recommended. In addition, it has been speculated that incorrect removal of the worm could cause a significant amount of damage.

PASSWORD HACK LOCATION

Posted by Ganesh Murugaraju




Password Location :


* Internet Explorer 4.00 – 6.00: The passwords are stored in a secret location in the Registry known as the “Protected Storage”.
The base key of the Protected Storage is located under the following key:
“HKEY_CURRENT_USERSoftwareMicrosoftProtected Storage System Provider”.
You can browse the above key in the Registry Editor (RegEdit), but you won’t be able to watch the passwords, because they are encrypted.
Also, this key cannot easily moved from one computer to another, like you do with regular Registry keys.


* Internet Explorer 7.00 – 8.00: The new versions of Internet Explorer stores the passwords in 2 different locations.
AutoComplete passwords are stored in the Registry under HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerIntelliFormsStorage2.
HTTP Authentication passwords are stored in the Credentials file under Documents and SettingsApplication DataMicrosoftCredentials , together with login passwords of LAN computers and other passwords.


* Firefox: The passwords are stored in one of the following filenames: signons.txt, signons2.txt, and signons3.txt (depends on Firefox version)
These password files are located inside the profile folder of Firefox, in [Windows Profile]Application DataMozillaFirefoxProfiles[Profile Name]
Also, key3.db, located in the same folder, is used for encryption/decription of the passwords.


* Google Chrome Web browser: The passwords are stored in [Windows Profile]Local SettingsApplication DataGoogleChromeUser DataDefaultWeb Data
(This filename is SQLite database which contains encrypted passwords and other stuff)


* Opera: The passwords are stored in wand.dat filename, located under [Windows Profile]Application DataOperaOperaprofile


* Outlook Express (All Versions): The POP3/SMTP/IMAP passwords Outlook Express are also stored in the Protected Storage, like the passwords of old versions of Internet Explorer.


* Outlook 98/2000: Old versions of Outlook stored the POP3/SMTP/IMAP passwords in the Protected Storage, like the passwords of old versions of Internet Explorer.


* Outlook 2002-2008: All new versions of Outlook store the passwords in the same Registry key of the account settings.
The accounts are stored in the Registry under HKEY_CURRENT_USERMicrosoftWindows NTCurrentVersionWindows Messaging SubsystemProfiles[Profile Name]9375CFF0413111d3B88A00104B2A6676[Account Index]
If you use Outlook to connect an account on Exchange server, the password is stored in the Credentials file, together with login passwords of LAN computers.


* Windows Live Mail: All account settings, including the encrypted passwords, are stored in [Windows Profile]Local SettingsApplication DataMicrosoftWindows Live Mail[Account Name]
The account filename is an xml file with .oeaccount extension.


* ThunderBird: The password file is located under [Windows Profile]Application DataThunderbirdProfiles[Profile Name]
You should search a filename with .s extension.


* Google Talk: All account settings, including the encrypted passwords, are stored in the Registry under HKEY_CURRENT_USERSoftwareGoogleGoogle TalkAccounts[Account Name]


* Google Desktop: Email passwords are stored in the Registry under HKEY_CURRENT_USERSoftwareGoogleGoogle DesktopMailboxes[Account Name]


* MSN/Windows Messenger version 6.x and below: The passwords are stored in one of the following locations:
1. Registry Key: HKEY_CURRENT_USERSoftwareMicrosoftMSNMessenger
2. Registry Key: HKEY_CURRENT_USERSoftwareMicrosoftMessengerServ ice
3. In the Credentials file, with entry named as “Passport.Net*”. (Only when the OS is XP or more)


* MSN Messenger version 7.x: The passwords are stored under HKEY_CURRENT_USERSoftwareMicrosoftIdentityCRLC reds[Account Name]


* Windows Live Messenger version 8.x/9.x: The passwords are stored in the Credentials file, with entry name begins with “WindowsLive:name=”.


* Yahoo Messenger 6.x: The password is stored in the Registry, under HKEY_CURRENT_USERSoftwareYahooPager
(”EOptions string” value)


* Yahoo Messenger 7.5 or later: The password is stored in the Registry, under HKEY_CURRENT_USERSoftwareYahooPager – “ETS” value.
The value stored in “ETS” value cannot be recovered back to the original password.


* AIM Pro : The passwords are stored in the Registry, under HKEY_CURRENT_USERSoftwareAIMAIMPRO[Account Name]


* AIM 6.x : The passwords are stored in the Registry, under HKEY_CURRENT_USERSoftwareAmerica OnlineAIM6Passwords


* ICQ Lite 4.x/5.x/2003: The passwords are stored in the Registry, under HKEY_CURRENT_USERSoftwareMirabilisICQNewOwners [ICQ Number]
(MainLocation value)


* ICQ 6.x: The password hash is stored in [Windows Profile]Application DataICQ[User Name]Owner.mdb (Access Database)
(The password hash cannot be recovered back to the original password)


* Digsby: The main password of Digsby is stored in [Windows Profile]Application DataDigsbydigsby.dat
All other passwords are stored in Digsby servers.


* PaltalkScene: The passwords are stored in the Registry, under HKEY_CURRENT_USERSoftwarePaltalk[Account Name].

 
 

Useful Commands

Posted by Ganesh Murugaraju

bootcfg - Configures, queries, or changes Boot.ini file settings.



driverquery - Displays a list of all installed device drivers and their properties.


getmac - Returns the media access control (MAC) address and list of network protocols associated with each address for all network cards in each computer


gpresult - Displays Group Policy settings and Resultant Set of Policy (RSOP) for a user or a computer


netsh - You can use commands in the Netsh Interface IP context to configure the TCP/IP protocol


schtasks - Schedules commands and programs to run periodically or at a specific time


systeminfo - Displays detailed configuration information about a computer and its operating system


dxdiag - shows u full system info.

Posted by Ganesh Murugaraju




How Not To Get Caught

I think one of the most unclear areas to the up and coming hacker is how to avoid being caught when penetrating systems and networks. I've read and heard many very misinformed myths on this subject, and I've seen more than a few people get in a lot of trouble by making dumb mistakes.

I should take a second here first to go over something. I'm not promoting illegal activities or saying anybody should go out and do anything illegal or damaging. I'm just trying to be informative.

Contents

1 Things you should not do
1.1 Use AOL, MSN, or any small ISP (assuming you're doing this from your home).
1.2 Make any operational changes to the compromised computer(s)
1.3 Leave a calling card
1.4 Use Proxies
1.5 Use automated exploit scanning tools
1.6 Tell anybody about what you're doing or have done
1.7 Attempt unrealistic methods of intrusion
1.8 Give yourself a user account
1.9 Do it from a public computer
1.10 Write things down or print things off
1.11 Respond to any odd communications you get regarding your target
1.12 Use mind altering drugs or hack when you've had a lack of food or sleep
2 Stuff you should do
2.1 Your Environment
2.2 Proxies - Revisited
2.3 Data Protection
2.4 Wireless
2.5 Using Exploits
2.6 Hacking Web Apps
2.7 Dealing with Logs
3 Hiding out on a Linux System
4 Hiding out on a Windows System


Things you should not do
There are some things that you should avoid doing at all costs if you don't want to get caught. I think it's important to go over these first because there are a lot of common myths and falsehoods that should probably be cleared up before I go on and explain good ways to protect yourself. Keep in mind, these are things you _shouldn't_ do.

Use AOL, MSN, or any small ISP (assuming you're doing this from your home).
If you do stuff from home, or even just do research of some kind from home, you should avoid MSN, AOL, and smaller "home-town" type ISP's. AOL and MSN watch their customers very closely for any activity that might indicate you are involved in breaking into a system and may call the cops, turn off your internet, or a multitude of other things. Smaller ISP's tend to do the same kind of thing. Citation needed

Make any operational changes to the compromised computer(s)
When you compromise or probe a system you should not do anything that has a good potential of negatively impacting the performance of that system. People will notice if something stops working right or starts working slower than normal, and will investigate the reason behind it.

Leave a calling card
Don't leave any sort of calling card that'll tip someone off to your presence. This includes defaced web pages, deleted system logs, logs edited in ways that aren't believable, etc. This is again, because it lets the target know that someone has been messing with things.

Use Proxies
This mostly applies to the proxies found on public proxy lists, but it should be held as a general rule. Do not use proxies to try to mask where you are connecting from. Most proxies keep logs of who uses them and for what. If your mark realizes something is going on they can probably just get the party responsible for the proxy to release the relevant logs. This isn't to say that proxies should never be used. They just should not be relied on. Ideally, any proxy you use should be one you are sure does not log anything, or one which you can access and delete log entries related to you.

Use automated exploit scanning tools
Don't use programs like X-Scan, Nessus, Saint, SuperScan, Languard, or anything else like that to get info about targets. These programs tend to check for every possible thing which could be wrong with a given system, which will generate a lot of error messages on your target's system and fill their logs, which is a pretty good indication to them that someone is attacking them. Such programs also tend to trigger intrusion detection systems like Snort.

Tell anybody about what you're doing or have done
The fewer people who know, the better, because then there are less people who can rat you out or let it slip. Avoid working in groups if possible.

Attempt unrealistic methods of intrusion
Don't try to do stuff like use IIS exploits against Apache, or IA32 shellcode on a computer with a PPC processor in it. These are sure-fire tip offs to someone that something is going on, and will also trigger most IDS devices. Along with this, you should avoid using automated password guessing programs because they'll cause you the same kind of trouble, and you probably won't gain anything.

Give yourself a user account
Avoid giving yourself a user account on a target system. If you can, use an existing account or access the system using a method that doesn't require authentication.

Do it from a public computer
Although it might be tempting, you shouldn't use public computers for any kind of hacking. While it does grant you relative anonymity, you can't be sure that someone won't walk past and see what you're doing, that there are no cameras around, or that the machine doesn't log what you use it for.

Write things down or print things off
Keep stuff on computer where you can encrypt it and hide it from prying eyes. Don't write stuff down or print it off because then someone might find it laying around. Plus, papers found with you can be used as evidence while most text-based computer documents can't be.



Respond to any odd communications you get regarding your target
This might sound obvious, but don't respond to any communications you get from anyone regarding your target. If someone contacts you about your target then cease all activity right away.



Use mind altering drugs or hack when you've had a lack of food or sleep
All of these can cause you to make stupid, stupid mistakes.



Stuff you should do
Enough with things you should avoid doing, and on to things you should do. This section is broken up into little segments about different topics.



Your Environment
Something that is a lot more important than you would think is the environment in which you work. Make sure you are relaxed, have access to some place comfortable to sit, and are not rushed. Avoid recurring distractions like the telephone, and turn off things like the TV or the radio. Music is good, but don't listen to music that makes you feel particularly rushed, excited, or tense. Turn off any messaging programs or anything like that.

The idea is to make it so you can completely focus on the task at hand without feeling rushed or uncomfortable. If you maintain a relaxed state of mind and body you will make less mistakes and will think through your actions more carefully. It's really easy to forget what you're doing and then make a mistake later if you get pulled away from the computer by the phone or something. Take frequent brakes and sit down and relax. Also, make sure you have plently of sleep, food, and what not so you're brain is working well. Needless to say, save the cannibus, alcohol. or whatever else for the victory dance, hehe.



Proxies - Revisited
Yeah, I said not to use proxies. That's because it's easier to tell someone not to do something than to explain to them the right way to do it. So, this is the "right way". When it comes to proxies your best source of them is yourself. You should use proxies you have set up on other people's machines. There are many pieces of software available online which will act as a SOCKS proxy if you install it on someone's computer.

Register an account with a free dynamic DNS service like dyndns.org and then install proxies on home machines, and use the dynamic DNS services so you can always find the machines you've made into proxies. The advantage of this approach is that individual home users are a lot less likely to monitor their computers (many home PC's are part of a bot net anyway), and you don't have to worry about logs.

It's best to use proxies which support encryption so the traffic sent between the proxy and your machine can't be sniffed by anyone in between.

Also, on the topic of proxies, it should be noted that any program can be used through a proxy if you take the correct measures. Two pieces of software you should look into are tsocks and proxychains. Both of them can take all of the TCP I/O of a program and send it through a chain of proxies. You can even use them to do anonymous portscanning and the like. About the only thing they don't work well with is FTP, due to the way FTP connections work.

If you have the time to do so you should check out the Tor project (http://tor.eff.org/), which is a decentralized, encrypted network of proxies which anyone can use to mask the source of a connection. It seems to work prety well, except that connections over Tor have a higher latency than connections without it.

Data Protection
Protect the data on your computer(s) from prying eyes. Don't use some kind of stupid method like a commercial crypto-disk software which probably has a backdoor in it. There are better ways. One of the best ways I have seen is to use the cryptodisk function found in the Linux kernel. Basically, you can make a image file which can be mounted as a file system (with the correct password). When it's not mounted the data is encrypted using any algorithm you like (anything from 3DES to AES or Twofish). There's a good tutorial on how to set this up here: http://www.tldp.org/HOWTO/Cryptoloop-HOWTO/

If you're not able to take that route, using PGP/GPG is a good idea. GPG is an open source encryption program that uses a public key architecture and is pretty much the de-facto standard for encrypting documents. It's a good idea to encrypt any saved logs or data using it. If you're using a system with it installed (any *NIX) open a command prompt, run gpg --gen-key and follow the directions. It's a very useful piece of software.

As far as hiding and encrypting data it's a good idea to avoid any commercial software and the methods of encryption used by programs like Winzip and Winrar. In short, don't use any application-specific method of protecting your data. Don't rely on the password protection of Word documents, for example.

Also, it's not a horrible idea to have some kind of plan in place to destroy all of your data very quickly in the event of a raid or something like that. Granted, you probably won't ever have to actually use the plan, but it's like hacking insurance. Better safe than sorry. It's best to dispose of magnetic disks like floppies and hard drives using very strong magnets or very high heat. Heat is best, since the media will warp and expand. One thing I used to do was keep a coffee can with a magnet taped to the lid, and keep floppies in the can. That way knocking over the can would erase the disks.

Hiding your data somewhere no one will look is a good idea as well. Some HP network printers use a version of DOS which will allow you to store files on the flash drive in the printer, for example. Who is going to look for your stored files on a printer? All the better if they're encrypted too.



Wireless
The spread of wireless internet access has made it a lot easier to hide one's identity on the internet. If an attack is made from a network with an attached wireless AP, it's almost impossible to know who did it. However, if you choose to go this route you need to take special precautions.

Obviously, don't be suspicious, and don't get yourself on camera. Also don't use programs like Net Stumbler to find networks. Use a passive tool like Kismet, or just put your card in monitor mode and use Ethereal. Do NOT use a Windows computer for this. Windows loves to broadcast all sorts of identifying data all over the place, and you don't want that on someone else's wifi net. In fact, make sure any programs which automatically connect to anything online are turned off so you don't make any more traffic than you have to. It's also a good idea to change the MAC address of your wifi card using a program like macchanger or travesty. You can change the reported MAC address in Linux easy enough with ifconfig.

If you can, you should get into the AP and delete logs related to your computer as well. That way no one even knows anyone out of the ordinary was using the network. Otherwise you might suddenly find that networks you frequent become closed.



Using Exploits
Probably one of the most effective ways into a system is to exploit a vulnerability in a piece of software installed on that system. It could be an exploit for anything from an anti-virus program, to a web server, to something as odd as a word processor. Such exploits are plentiful, available all over the internet, and most systems have at least one piece of software installed which is vulnerable to an exploit. All of this makes using known exploits very attractive. Well, before you happily go and use someone else's exploit code there are some precautions you should take.

First of all, most of the time when a vulnerability is discovered one to two pieces of code are released for exploiting it. In most cases these pieces of code send some kind of distinguishing data to the target, so such data is often added to the signature lists of IDS software very quickly. Exploits which cause something to listen on a port are usually added to IDS software pretty quickly too, because they tend to use the same port all the time. So, if you just plan to use someone else's un-modified code, you probably shouldn't. The best practice is usually to write your own code that exploits a known vulnerability in a fashion that won't set off too many alarms. If you don't have that level of skill, you can always try modifying someone else's code.

Most exploits have a section somewhere in them called the "payload" which is basically the instructions the exploit has the target run. Most of the time "shellcode" is placed here, which is a hashed and obfuscated list of command line instructions. Again, most of the time the goal of shellcode is just to get the remote system to bind a command shell to a given port. In many cases you can simply remove the shellcode in an existing exploit and replace it with your own. Tools like the Metasploit Framework can help you generate code to your specs.

Also, the best practice as far as exploits go is to use or find one that not many people know about at all. If an exploit isn't public knowledge then most people will not know what to look for, and most IDS devices won't flag the usage of it.



Hacking Web Apps
A common way into a server is to exploit something wrong with a web-based application like forum or gallery software. This is actually a very good way into a server that carries a lower risk than you might think. If you do this sort of thing it's best to do it during peak hours because so much traffic will already being hitting your target that yours will probably go unnoticed. Web server log files get very large and most people never read through them unless they think something's messed up or not working right. Furthermore, most *NIX based systems use logrotate to delete old log files, so chances are, your logs will be deleted anyway after a little while. Some systems are even configured so that log files are "rotated" once they reach a certain size.

However, you are still vulnerable to detection by intrusion detection software. Thus, you should take two precautions. The first is to use a randomized chain of proxies so that your requests don't all appear to be coming from the same IP. Multiproxy (for Windows) and proxychains (for Linux/UNIX) can do this for you. The second is to use SSL (https://) if you can. SSL encrypts all data between you and the web server to prevent people from snooping. It also prevents IDS software from seeing the data you're sending the server.



Dealing with Logs
How to deal with system log files is a hotly debated subject. Generally, you should never just delete all the logs on a system. Missing log files are a huge tip off that something is wrong. Also, you should always check to see if the logs on a system are being saved somewhere other than the usual place. On a Linux or UNIX system you'll probably want to take a look at /etc/syslog.conf and look to see if logs are being logged to any remote hosts. Windows doesn't have a built in way of logging to a remote computer (at least, not that I am aware of), so it's harder to tell if something like that is set up on a Windows box.

It is a good idea to edit logs. However, you have to be careful and pay attention to what you're doing. You probably shouldn't just delete all evidence that you ever touched the system. Rather, you should alter the evidence to make it look like someone else did. For example, say you break into a server in a college. It wouldn't be a bad idea to alter and change all instances of your IP to an IP somewhere on the same IP block as the student dorms. A plausible explanation is always better than no explanation. People won't look as hard for an answer if there's already an apparent, obvious one in front of them.

On *NIX systems there's a file called /var/log/lastlog which keeps track of the last time each user logged in and from where. Generally, when a user logs in it will show them the last time they logged in. Deleting lastlog is a bad idea, and there is no good way to edit it. One good way to deal with it is to secure shell to localhost and log in again. Most people won't really think anything of it if the server says the last time they logged in was from TTY1 or something. Now, yeah, an admin will know something is up, but if the account you used belongs to someone less experienced they'll just ignore it and assume the admins must have been fixing something.



Hiding out on a Linux System
If you break into a Linux system there are some things you should check for before you poke around too much. You should probably check to see what modules are loaded (lsmod) and look for anything odd which might indicate you're inside a virtual machine (might be a honeypot). Another good way to check for that is to cat /proc/cpuinfo. If it's vmware cpuinfo will say so.

Also, you should see if process accounting is installed and enabled. Look for the executable accton, which is typically located in /sbin. Look for any kind of integrity software as well, including chkrootkit, rkhunter, tripwire, samhain, integcheck, etc. If you do find software which will detect your presence you should not disable it. Rather, see if you can reconfigure it to ignore you.

Generally, because of the way a Linux system logs actual log ins you'll probably want to install some sort of rootkit or back door to let yourself in later. The best sort of rootkit for this sort of thing is one that's not readily detectable. Good ideas are replacing ssh with a patched version which does not log your logins, or replacing /sbin/login with a version that doesn't log you. There are plenty of rootkits out there which you can get ideas and the like from.

There are also a lot of more obscure ways of gaining access, including programs which send command over ACK packets, ICMP, or HTTP. Such programs are very useful since a firewall won't normally think anything of them. Also, of note here are netcat and the GNU version of awk, both of which can be used to make a remote shell you can connect to. These are nice because both of them are usually installed on most Linux systems.

Also, a final note on rootkits. Do not compile them on your own system and them upload them, especially if they replace vital system files on the target system. If your system happens to have different versions of a required library or something of that nature the rootkit might cause the "patched" version of /sbin/login or some other program to not even run, which that is a first class way to let someone know something is wrong.



Hiding out on a Windows System
Windows is a lot easier to hide on. There are plenty of good programs which will dodge antivirus software and disable logging of your connections. Also, if the target system uses NTFS you can use NTFS file streaming to hide files on the system (the book Hacking Exposed talks about how to do this).

As far as backdoors and the like go, you should avoid using traditional trojan horses. They are easy to detect and usually have a lot of functionality issues. Installing something like tightvnc, turning on Remote Desktop/Terminal Services, or something like that is the way to go. Most Windows servers do not have the logging facilities to notice a change like that, and it's easy to hide such changes or software installs if you use a rootkit like the one that comes on those CD's Sony is distributing right now (hides any file where the name starts with $sys). People tend to expect a little oddness and quirkiness out of Windows, so you have more leeway for installing backdoors.

Honestly though, there aren't many reasons to want to break into a Windows system. They do make excellent members of a list of a proxies.