Archive for the 'Security' Category

Making stuff undetectable

This has always been a hot topic on forums and will be one for a long time: how do I make X undetectable for virus scanner Y? This is actually quite simple.

There are two main ways a virus scanner "scans":

  1. Checks for a certain string in a file
  2. Checks for the behaviour of the file (e.g. specific location in registry or file system)

So, this means you need to protect your program in two ways, by:

  1. Change the bytes a signature matches on. For a compiled binary, adding even the slightest piece of code changes the compiled output; for scripts, wrap the source in an encoding such as base64, as many times as you want.
  2. Change its behaviour. This can be done in lots of ways: make the install location random, use different registry keys, bind it to another application, and so on.

Does this only apply to malware? Definitely not. Your application or script can end up on an antivirus blacklist much faster than you might think (RealPlayer, for example, though they really deserved it), and the process of getting off it again is long and will cost you a lot of users.

AV Arcade v3

I don't feel like writing an exploit, but I want to point out these lines in validate.php in the AV Arcade v3 script:

// both values come straight from the request, unescaped ...
$userid = $_REQUEST['id'];
$code = $_REQUEST['code'];

// ... and are interpolated directly into the query string
$sql = mysql_query("UPDATE ava_users SET activate='1' WHERE id='$userid' AND password='$code'");

So much for awesome security.
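To show what that query shape costs, here is an added example (Python against an in-memory SQLite table, not AV Arcade's code): the same UPDATE built by string interpolation next to the parameterised version. The table layout and rows are constructed; the post only shows the id, password and activate columns. Because AND binds tighter than OR, a code value of x' OR '1'='1 turns the WHERE clause into (id='2' AND password='x') OR true, so the interpolated query activates every account, while the bound version treats the same text as just a wrong password.

```python
import sqlite3

# Constructed stand-in for the ava_users table validate.php updates; the real
# schema is not shown in the post, only the id, password and activate columns.
SCHEMA = """
CREATE TABLE ava_users (
    id       INTEGER PRIMARY KEY,
    username TEXT,
    password TEXT,
    activate TEXT NOT NULL DEFAULT '0'
);
"""
# Constructed rows; the password column holds made-up md5-style strings.
ROWS = [
    (1, "alice", "0cc175b9c0f1b6a831c399e269772661", "0"),
    (2, "bob",   "92eb5ffee6ae2fec3ad71c777531578f", "0"),
    (3, "carol", "4a8a08f09d37b73795649038408b5f33", "0"),
]


def fresh_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO ava_users VALUES (?, ?, ?, ?)", ROWS)
    return db


def activated(db):
    """ids of every account currently marked active."""
    return sorted(r[0] for r in db.execute("SELECT id FROM ava_users WHERE activate='1'"))


def activate_unsafe(db, userid, code):
    """Same shape as validate.php: request values dropped straight into the SQL."""
    sql = f"UPDATE ava_users SET activate='1' WHERE id='{userid}' AND password='{code}'"
    db.execute(sql)
    return activated(db)


def activate_safe(db, userid, code):
    """The fix: bind the values as parameters so they can never become SQL."""
    db.execute("UPDATE ava_users SET activate='1' WHERE id=? AND password=?", (userid, code))
    return activated(db)


if __name__ == "__main__":
    # A code value that closes the string and ORs in a tautology.
    payload = "x' OR '1'='1"
    print("unsafe:", activate_unsafe(fresh_db(), "2", payload))
    print("safe:  ", activate_safe(fresh_db(), "2", payload))
    print("legit: ", activate_safe(fresh_db(), "2", ROWS[1][2]))
```

The parameterised form is the whole fix; escaping the two values by hand would also work here, but binding removes the class of bug rather than this one instance of it.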

SMF 1.1.5 Password Cracker

Hey, this isn't new! This is the exact same thing as my previous Simple Machines Forum 1.1.4 password hash cracker! Yes, it is. They didn't change the method this time; it's still a very basic SHA1 hash. The download can be found here. If you're interested in a more extensive explanation, head over to my old post.

Couple of exploit challenges

Everyone loves challenges (at least I do), so here are some for you. They all involve bypassing some sort of filter or doing something very basic, so don't expect anything hard here. It's all very obvious; maybe the admin password one will make you stare at your screen for a couple of minutes, not more if you're used to this kind of thing.

Feel free to contact me by commenting on this post about ideas, bugs, bad recognition or solutions you proudly found to the made up problems.

Hashing your data, twice

I'm writing too much junk apparently, so here is an idea I had that would prevent a lot of SQL injection damage.

Instead of hashing your passwords with md5($password), or the safer md5(md5($password)), or even md5(md5($password).md5($salt)), why not try md5(base64_encode($password))? It's not used enough! I'm talking about websites where the source code isn't open to the public (so that excludes any free PHP CMS that isn't modified in the password-storing part).

The scenario I'm talking about is the one where your website gets hacked, owned or roflz0rsyousuckpwned through a method that doesn't involve executing system commands, but rather stays at the level of the web application. The first two off the top of my head are SQL injection and XSS.

So, the hacker used SQL injection on index.php, like this:

/index.php?id=1' UNION SELECT password FROM userTable

Alright, he has just retrieved a password that is most likely hashed, with SHA1 or md5 in 90% of cases. If the attacker is dedicated to his job, he'll open up some sweet cracking tool and start reversing it. Now, if you had a weak password, or your co-administrator had one, the attacker will be able to log in. But since the attack didn't involve reading any source code, the attacker will not know how the password was hashed; md5 was an easy guess since the hash is 32 characters from a-f and 0-9. Double hashing would work well, but think at the level of a script kiddie: PasswordsPro cracks that too. So, here comes the fun: just hash your password like this (play with it, a base64_encode(rot13()) in the middle would be fun too :-) ):

md5(base64_encode($password))

Provided your attacker doesn't have your source code, try this method: even after an attack there is no obvious way to recover the password from the hash, since everything hinges on the transform staying secret.

Note: this method isn't new, just reminding.

PHP Source Auditor 4 released

All packed up and ready for your enjoyment: PHP Source Auditor 4! If you have (most likely) never heard of it, this is the deal:

PSA4 is a Perl script that connects to your local web host and scans all files (recursively) in the www root for vulnerabilities. It scans for:

  1. Remote File Inclusion
  2. Remote Command Execution
  3. Remote Code Execution
  4. Cross Site Scripting
  5. SQL injection (very weak scanning on this though)
  6. Local File Inclusion (results sometimes get buggy)

The difference from other scanners is that it can actually tell whether a script is vulnerable or not, since it exploits it on the fly by feeding odd data into the variables. You can download it right here and (for now) nowhere else :).

Just iron() it

No, I'm not talking about ironing clothes, but about my very own algorithm. It's not that special, seems to produce a lot of duplicates, and is quite reversible (credits to sraeG for reversing it in a challenge). I might write a completely new, maybe more advanced one. Source code is in PHP:

function iron($nr, $method = 'numeric')
{
    // Split the input into single characters.
    $chrs = preg_split('//', $nr, -1, PREG_SPLIT_NO_EMPTY);
    $d = '';
    foreach ($chrs as $c)
    {
        $half = round(ord($c) / 2);
        // If the last two digits already equal this value, append its square
        // instead, so a run of the same character does not just repeat digits.
        if (substr($d, -2, 2) == $half)
        {
            $d .= $half * $half;
        }
        else
        {
            $d .= $half;
        }
    }
    switch (strtolower($method)) // accept 'ASCII' as well as 'ascii'
    {
        case 'ascii':
            // Turn the digit string into characters, two digits at a time,
            // reading from the front (a leftover single digit ends up last).
            $char = '';
            for ($i = strlen($d); $i > 0; $i -= 2)
            {
                $char .= chr((int) substr($d, -$i, 2));
            }
            break;
        default:
            $char = $d;
            break;
    }
    return $char;
}

Usage is as simple as iron("string","ASCII") for ASCII output (recommended only if you hash the result with another algorithm afterwards) or iron("string","numeric") for the normal numeric output. Online hasher is here.

Spam has been stopped

Remember my post about stopping comment spammers with Javascript? It has proven to be a very reliable method, as long as you make sure to change the data that is generated with Javascript from site to site. A small example from today alone of "spam that didn't quite make it":

[root@rbox /]# cat /var/log/randombase.com.log|grep "POST /news"
87.255.64.233 - - [19/Apr/2008:01:18:31 -0500] "POST /news/33 HTTP/1.1" 200 8922 "-" "-"
87.255.64.233 - - [19/Apr/2008:01:18:35 -0500] "POST /news/33 HTTP/1.1" 200 8922 "-" "-"
83.247.31.93 - - [19/Apr/2008:02:12:29 -0500] "POST /news/33 HTTP/1.0" 200 8811 "-" "-"
83.247.31.93 - - [19/Apr/2008:02:12:31 -0500] "POST /news/33 HTTP/1.0" 200 8811 "-" "-"
85.232.230.225 - - [19/Apr/2008:03:10:46 -0500] "POST /news/33 HTTP/1.1" 200 8924 "-" "-"
85.232.230.225 - - [19/Apr/2008:03:10:48 -0500] "POST /news/33 HTTP/1.1" 200 8924 "-" "-"

In this case it is clear they tried to spam us: neither a User-Agent nor a Referer is set.
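The same check, turned into something you can run over a log file, as an added example (Python, not part of the original post). It parses Apache combined-format lines, flags POSTs that carry no Referer and/or no User-Agent, and lists the IPs that tripped the check more than once. The first six sample lines are the ones shown above; the last two are constructed to represent a real visitor and a plain page load, and the regex is a deliberately small combined-log parser rather than a full one.

```python
import re
from collections import Counter

# Apache "combined" log format:
# ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# First six lines: the ones from the post. Last two: constructed legitimate traffic.
SAMPLE_LOG = [
    '87.255.64.233 - - [19/Apr/2008:01:18:31 -0500] "POST /news/33 HTTP/1.1" 200 8922 "-" "-"',
    '87.255.64.233 - - [19/Apr/2008:01:18:35 -0500] "POST /news/33 HTTP/1.1" 200 8922 "-" "-"',
    '83.247.31.93 - - [19/Apr/2008:02:12:29 -0500] "POST /news/33 HTTP/1.0" 200 8811 "-" "-"',
    '83.247.31.93 - - [19/Apr/2008:02:12:31 -0500] "POST /news/33 HTTP/1.0" 200 8811 "-" "-"',
    '85.232.230.225 - - [19/Apr/2008:03:10:46 -0500] "POST /news/33 HTTP/1.1" 200 8924 "-" "-"',
    '85.232.230.225 - - [19/Apr/2008:03:10:48 -0500] "POST /news/33 HTTP/1.1" 200 8924 "-" "-"',
    '203.0.113.7 - - [19/Apr/2008:04:02:10 -0500] "POST /news/33 HTTP/1.1" 200 8930 "http://randombase.com/news/33" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [19/Apr/2008:04:01:55 -0500] "GET /news/33 HTTP/1.1" 200 8930 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_posts(lines):
    """Return (ip, path, reasons) for every POST that lacks a Referer and/or a
    User-Agent. A browser submitting a comment form normally sends both."""
    flagged = []
    for line in lines:
        rec = parse(line)
        if rec is None or rec["method"] != "POST":
            continue
        reasons = []
        if rec["referer"] == "-":
            reasons.append("no-referer")
        if rec["agent"] == "-":
            reasons.append("no-user-agent")
        if reasons:
            flagged.append((rec["ip"], rec["path"], reasons))
    return flagged


def repeat_offenders(flagged, min_hits=2):
    """IPs that tripped the check at least min_hits times; the doubled POSTs
    in the log above are a bot retrying the same form."""
    counts = Counter(ip for ip, _, _ in flagged)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    hits = suspicious_posts(SAMPLE_LOG)
    for ip, path, reasons in hits:
        print(ip, path, ",".join(reasons))
    print("repeat offenders:", repeat_offenders(hits))
```

Treat the missing headers as a signal, not proof: privacy extensions strip the Referer and command-line clients can omit the User-Agent, which is why this pairs with the Javascript check rather than replacing it.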

SMF 1.1.4 password hash cracker

I couldn't find any good hash cracker for SMF. This one isn't actually finished, but it has the most used/important function, which is the dictionary attack. The menu/usage is quite simple:

Menu..
1. Numeric attack
2. Alphabetic attack or whatever
3. Mix 'em up Johnny
4. Dictionary attack
< Choice >

Of course, this is not a hack tool of any kind. It just helps you recover passwords that are hashed in the database. You'll need a Perl interpreter though, and the Digest::SHA1 module, but this comes with most Perl distributions already. Download the source code here. A screenshot of the tool is included below.
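One added example serves this post and "Hashing your data, twice" together (Python rather than the post's Perl or PHP; none of this is the cracker's own code). It is a dictionary attack that tries several storage schemes against a hash: the md5 variants weighed in the hashing post, including the base64 and rot13 tricks, and the SMF 1.1.x scheme sha1(strtolower($username) . $password), which is stated here from knowledge of SMF 1.1 rather than spelled out on this page. The wordlist and the target hashes are constructed. The point it makes for the hashing post is that a secret transform only multiplies the attacker's work by the number of transforms worth guessing; for this post, that SMF's lowercased username acts as a per-user salt, so each account costs a separate run but no single guess is any slower.

```python
import base64
import codecs
import hashlib


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def sha1(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Candidate storage schemes, each taking (username, password). The md5 entries
# are the variants from "Hashing your data, twice"; "smf-1.1" is the SMF 1.1.x
# formula sha1(strtolower($username) . $password), an assumption from knowledge
# of SMF 1.1 and not something this page spells out.
SCHEMES = {
    "md5": lambda u, p: md5(p),
    "md5(md5)": lambda u, p: md5(md5(p)),
    "md5(base64)": lambda u, p: md5(b64(p)),
    "md5(base64(rot13))": lambda u, p: md5(b64(codecs.encode(p, "rot13"))),
    "smf-1.1": lambda u, p: sha1(u.lower() + p),
}

# Constructed wordlist; a real run would load a multi-megabyte dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "hunter2"]


def crack(target_hash: str, wordlist, username: str = ""):
    """Try every (scheme, word) pair and return (scheme, word) on the first
    match, or None. Schemes whose digest length cannot match are skipped, which
    is the same 32-vs-40-character guess the hashing post describes."""
    target = target_hash.strip().lower()
    for name, fn in SCHEMES.items():
        if len(fn(username, "probe")) != len(target):
            continue
        for word in wordlist:
            if fn(username, word) == target:
                return name, word
    return None


if __name__ == "__main__":
    # Constructed targets: a plain md5, an "obscured" md5(base64), and an SMF 1.1 hash.
    cases = [("md5", "", "letmein"), ("md5(base64)", "", "dragon"), ("smf-1.1", "Admin", "hunter2")]
    for label, user, pw in cases:
        target = SCHEMES[label](user, pw)
        print(label, target, "->", crack(target, WORDLIST, username=user))
```

Adding a scheme to SCHEMES is all it takes to cover a new transform, which is exactly why the obscured md5 holds up only until the attacker guesses or reads the transform.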


Because Anonymous did everything

Someone linked me to a news article on wired.com (Hackers Assault Epilepsy Patients via Computer). The article itself is quite shocking; this has nothing to do with hacking and everything to do with the most antisocial people you can imagine. But when you read this part:

 Circumstantial evidence suggests the attack was the work of members of Anonymous, an informal collective of griefers best known for their recent war on the Church of Scientology. The first flurry of posts on the epilepsy forum referenced the site EBaumsWorld, which is much hated by Anonymous. And forum members claim they found a message board thread -- since deleted -- planning the attack at 7chan.org, a group stronghold.

The article just lost its credibility. I understand it is useful to have an organisation to blame for everything that goes wrong on the internet, but this goes too far. The so-called "proof" is pure guessing: the thread has suddenly been deleted, and the claim comes from some forum members. I just can't believe big sites like Wired fall for this junk.
