Penetration Testing mailing list archives
Re: Looking for help against Chinese Hacking Team
From: "David Glosser" <david.glosser () gmail com>
Date: Sat, 13 Dec 2008 07:17:39 -0500
1. Have you used a web application scanning tool against your web site which specifically tests for SQL injection and cross site scripting (not sure what "pen test product" means)?
2. Have you identified the SQL injection entry point? It should be in your IIS logs.
3. Have you identified the source IP networks? Can they be blocked at your firewall?
4. Can you place a web application firewall in front of your web servers? (URLScan is free for IIS, or you can run a Linux proxy server with mod_security in front of your IIS servers - the OS, Apache, and mod_security are free, there would only be hardware costs.)
5. Do you have an IDS or IPS in front of your servers as well as monitoring your database servers? Snort has a minimal cost.

On Fri, Dec 12, 2008 at 9:45 PM, Serg B <sergeslists () gmail com> wrote:
Few hundred dollars is not going to get you far...

Instead of blowing the cash on pen-testing, and one-size-fits-all (because vendor told me) security software; how about you get your systems administrator to audit your web server log files and trace the vulnerability that way.

Again: Get your awesome systems administrator to look through log files, to identify which files are vulnerable (something he or she should have been doing in the first place).

These links may help:
http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
http://isc.sans.org/diary.html?storyid=4844&rss

Also, this sounds like an SQL worm propagation, not a targeted attack which I understood from your email.

Cheers
Serg

On Sat, Dec 13, 2008 at 11:59 AM, harveyfrank <joet () ticadvisors com> wrote:

We've been battling the Chinese for several months now and have gone through several waves of US security experts who have failed to stop them. In their defense, we are not on an unlimited budget and they've gotten us to a point where it looks as though somewhere among the site's 400 scripts is a SQL injection vulnerability.

Automated testing by a few pen test products seems to think we're fine. We definitely are not.

Is it possible to hire a CEH to find the Chinese-discovered vulnerability for a few hundred dollars? (We aren't just being cheap, we've blown our wad on security that hasn't worked.)

Would someone with intimate knowledge of the latest wave of Chinese attacks be required for this job? Besides our first rate security team that's just been beat, I've tried the $200 pen test folks and they have all failed. Microsoft security help has also failed.

Advice (Besides porting to Linux)? Help?

--
View this message in context: http://www.nabble.com/Looking-for-help-against-Chinese-Hacking-Team-tp20986210p20986210.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
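The log audit suggested in the replies above (find the injection entry point in the IIS logs, then the source IPs) could look like the following. This is an added example, not part of any poster's message. It assumes W3C extended logs with a `#Fields:` header; the sample lines, script names and addresses are constructed, and the regex signatures are illustrative heuristics, not a complete detector.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (documentation IPs, made-up scripts).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2008-12-10 03:14:07 GET /products/view.asp id=17 198.51.100.23 200
2008-12-10 03:14:09 GET /news/item.asp id=5;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x00%20AS%20VARCHAR(4000));EXEC(@S);-- 203.0.113.77 200
2008-12-10 03:14:12 GET /news/item.asp id=5'%20OR%20'1'='1 203.0.113.77 500
2008-12-10 03:15:40 GET /search.asp q=union+station+hotels 198.51.100.23 200
2008-12-10 03:16:02 GET /catalog/list.asp cat=2%20UNION%20SELECT%20null,null 203.0.113.80 200
"""

# Heuristic signatures (assumptions, not exhaustive); matched after URL-decoding.
SQLI = re.compile(
    r"declare\s+@|cast\s*\(|exec\s*\(|xp_cmdshell|union\s+(all\s+)?select"
    r"|'\s*or\s+'?\w|;\s*(drop|insert|update|delete)\b|--\s*$",
    re.IGNORECASE)

def find_sqli_entry_points(log_text):
    """Return {uri_stem: {"hits": n, "ips": set, "statuses": set}} for suspicious requests."""
    fields = []
    findings = defaultdict(lambda: {"hits": 0, "ips": set(), "statuses": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        if query == "-":  # IIS writes "-" for an empty query string
            continue
        # Decode twice so double-encoded payloads are also inspected.
        decoded = unquote_plus(unquote_plus(query))
        if SQLI.search(decoded):
            hit = findings[row.get("cs-uri-stem", "?")]
            hit["hits"] += 1
            hit["ips"].add(row.get("c-ip", "?"))
            hit["statuses"].add(row.get("sc-status", "?"))
    return dict(findings)

if __name__ == "__main__":
    for stem, info in sorted(find_sqli_entry_points(SAMPLE_LOG).items()):
        print(stem, info["hits"], sorted(info["ips"]), sorted(info["statuses"]))
```

Scripts that appear in the output are the ones to review first; a 200 status on a flagged request only means the page rendered, so the database side still has to be checked.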
Current thread:
- Looking for help against Chinese Hacking Team harveyfrank (Dec 12)
- Re: Looking for help against Chinese Hacking Team Mike Hale (Dec 12)
- RE: Looking for help against Chinese Hacking Team Shenk, Jerry A (Dec 12)
- Message not available
- Re: Looking for help against Chinese Hacking Team Mike Hale (Dec 14)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- RE: Looking for help against Chinese Hacking Team Alex Eden (Dec 16)
- Re: Looking for help against Chinese Hacking Team Mike Hale (Dec 12)
- Re: Looking for help against Chinese Hacking Team David Glosser (Dec 13)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team Daniel Clemens (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 16)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 18)
- <Possible follow-ups>
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)
- Re: Looking for help against Chinese Hacking Team Adriel T. Desautels (Dec 15)
- Re: Looking for help against Chinese Hacking Team ArcSighter Elite (Dec 15)