[Plug-security] Ongoing Forensics Projects

Lisa Kachold lisakachold at obnosis.com
Sun Nov 25 11:56:49 MST 2012


The PLUG Security Hackfest endeavor has had various ongoing forensic
projects, some supported, some unannounced, and yet others happily
gathering data at every event.

Since 2008, we have changed our focus from a DefCon CTF training team
approach to a Presentation Only fest (for lack of network facilities where
our endeavors were welcome), and full hackfest ONLY 4 times a year, to our
current 20 station lab with storage for our VMWare server. We have had
challenges with providing file sharing for our members' scripts and
presentation materials. Through the process of building our own online
resources (it-clowns.com), our best forensics data opportunities arose.
Since early on, we have had the honor of GoDaddy's Security Team
attendance and proactive support.

Here's a list of the more interesting surviving forensics:

ONLINE/ONGOING:

Project Clown HoneyPot:
Drupal 6/7, WordPress, MediaWiki, Joomla, XOOPs site Hack IPs
SSH Exploit attempts and successes IPs (cross referenced to other data in
some cases)
Apache misconfigured .htaccess, file permissions
File changes (ongoing shell code hacks for html file documents mysteriously
appearing)

HACKFEST FORENSICS:

Tap data kicked off during the hackfest hours on open "flat" networks
including ARP poisoning, scans, and all port access cross referenced, and
includes packet requests for access outside of the intranet gateway. NOTE:
This information has been obfuscated (or there wouldn't be any fun, how
would there?)

By far the most interesting information has come, not surprisingly, from
online pharmacy drug spammers, since the sheer number of exploited chained
sites and throwaway email addresses their automated signup (and
authenticate) bot process uses is daunting. Of course, Hackfest volunteers
limit reverse hacking, deep trapping, and retaliation to those IPs that we
can socially identify to fall under an unspoken "fair game" policy (never
bypassing escalation where written authorization is required). Sadly, we too
easily identify the source, or we quickly find it's not fun tripping
people as they depart the "short bus" with shiny "L33t" red stars.

Again, we have an open call for forensic volunteers and at some point, we
will publish the "house of shame" to teach that obtaining the flag only
wins a shirt (and bragging rights) in the real world - getting in, while
getting logged, can bring CONSEQUENCES!

-- 
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
it-clowns.com
Chief Clown