Comments on: Miracle workers – Remote include path http://blog.hazrulnz.net/116/miracle-workers-remote-include-path.html What's with the blog? Tue, 06 Dec 2011 17:11:44 +0000 hourly 1 http://wordpress.org/?v= By: ayoi http://blog.hazrulnz.net/116/miracle-workers-remote-include-path.html/comment-page-1#comment-51 ayoi Mon, 04 Dec 2006 15:40:19 +0000 http://blog.hazrulnz.net/116/miracle-workers-remote-include-path.html#comment-51 It's kinda difficult to hire a proper security analyst. Whut I mean is the one who knows (basics/little bit/aware) of security. To find a candidate who know or even aware of NSM, that's a miracle. :D I do really hope if anyone who think they can do the job, please come forward. Susah ini macem.. It’s kinda difficult to hire a proper security analyst. Whut I mean is the one who knows (basics/little bit/aware) of security. To find a candidate who know or even aware of NSM, that’s a miracle. :D I do really hope if anyone who think they can do the job, please come forward. Susah ini macem..

]]> By: JengKlen http://blog.hazrulnz.net/116/miracle-workers-remote-include-path.html/comment-page-1#comment-50 JengKlen Mon, 04 Dec 2006 05:01:26 +0000 http://blog.hazrulnz.net/116/miracle-workers-remote-include-path.html#comment-50 Yes...i agree with you geek00L....I think NSM is better than IDS.... Yes…i agree with you geek00L….I think NSM is better than IDS….

]]> By: geek00L http://blog.hazrulnz.net/116/miracle-workers-remote-include-path.html/comment-page-1#comment-48 geek00L Mon, 04 Dec 2006 01:47:24 +0000 http://blog.hazrulnz.net/116/miracle-workers-remote-include-path.html#comment-48 Looking for all world writtable directories, such as /tmp, /dev/shm and as well as user home directory, I usually run my own script of digging out all perl files that belong to user who runs the web server(nobody or _apache) on those three directories and you will most properly figure out which particular sites are exploited. Looking at web server log surely gives a clue and it is always good to correlate host services log with the network alert data. Since this is mostly done by the automated coded worms, some of them will perform deletion on the script once it is executed so that you won't be able to analyse their script, that's where session/flow data delivers its value because it definitely tells you where your server has connected to download the malicious script and so forth. Maybe in the future, hire the NSM analyst instead of IDS analyst :) Looking for all world writtable directories, such as /tmp, /dev/shm and as well as user home directory, I usually run my own script of digging out all perl files that belong to user who runs the web server(nobody or _apache) on those three directories and you will most properly figure out which particular sites are exploited.

Looking at web server log surely gives a clue and it is always good to correlate host services log with the network alert data.

Since this is mostly done by the automated coded worms, some of them will perform deletion on the script once it is executed so that you won’t be able to analyse their script, that’s where session/flow data delivers its value because it definitely tells you where your server has connected to download the malicious script and so forth.

Maybe in the future, hire the NSM analyst instead of IDS analyst :)

]]>