Wednesday, November 05, 2008

Perl: Connecting to MSSQL with DBI

I need to provide statistics of the top 10 network status entries for the past 24 hours. All the data is stored in a database. Using the Perl module DBI, I came up with this script. How to talk to a database from Perl can be summarized by the picture below:



Using this script, I managed to query the top 10 statistic and dump the data into XML format to generate a graph with a Flash graphing tool.

#!/usr/bin/perl
use strict;
use warnings;

use DBI;
use POSIX 'strftime';

# Define yesterday's date (24 hours back from now)
my $yesterday = strftime "%Y-%m-%d", localtime(time - (24*60*60));
my $filename  = strftime "%Y%m%d",   localtime(time - (24*60*60));

# Creating XML file for Top 10 Ports
my $file = "attack$filename.xml";

open( my $FILE, ">>", $file ) or die "Cannot open file $file: $!";

# Colors Array for Graph
my @colors = ( "AFD8F8", "F6BD0F", "8BBA00", "FF8E46", "008E8E", "D64646", "8E468E", "588526", "B3AA00", "008ED6" );

# DBD::Sybase (over FreeTDS) is the usual way to reach MSSQL from Perl.
# Username and password must be quoted strings; better still, load them from a
# config file with restricted permissions rather than hard-coding them in the script.
my $dbh = DBI->connect( 'dbi:Sybase:192.168.200.6', 'myadmin', 'mypasswordisharewithu' );
die "Unable to connect: $DBI::errstr\n" unless defined $dbh;

# Querying the Top 10 Ports from the database (the real SELECT is left out, as in the original post)
my $sql = qq{ SELECT whatever yadayada };

my $sth = $dbh->prepare($sql)
  or die "Unable to prepare database query: " . $dbh->errstr . "\n";

$sth->execute
  or die "Unable to execute database query: " . $dbh->errstr . "\n";

# Print into file: one element per row, cycling through the colour list.
# The original post's XML element names did not survive extraction; <graph> and
# <set> below are assumed placeholders, adjust them to what your graphing tool expects.
my $value = 0;

print $FILE "<graph caption=\"Top 10 - $yesterday\">\n";

while ( my $aref = $sth->fetchrow_arrayref ) {
    my ( $name, $count ) = @$aref;          # assumes the query returns (label, count)
    my $color = $colors[ $value % @colors ];
    print $FILE "  <set name=\"$name\" value=\"$count\" color=\"$color\" />\n";
    $value++;
}

print $FILE "</graph>\n";
close $FILE or warn "Cannot close $file: $!";

$sth->finish;

$dbh->disconnect
  or warn "Unable to disconnect: " . $dbh->errstr . "\n";

Wednesday, October 08, 2008

Banner verification: nmap vs grabbb

A lot of verification has to be done before the escalation process can be carried out (this is not a good procedure according to CISSP) in network analysis. Let's say you received an "HTTPD v3.0 BOF shit" alert; you need to verify whether the victims of this alert are running HTTPD v3.0 or not. The best method is to contact the owner of the victim's server, because:

1) The owner is the person with the deepest knowledge of the server.

But the con is:

1) Time consuming

So the alternative is an intrusive method: banner grabbing. I have no interest in any banner grabber except Fyodor's Nmap and Teso's Grabbb*. Grabbb is a robust banner grabber compared to Nmap. What I did was:

Grabbb
C:\MyOS\$ time ./grab -i ../ip-TIME-smtp-overflowid.txt 25
Nmap
C:\MyOS\$ time nmap -sV -iL ../ip-TIME-smtp-overflowid.txt -p25

and the result is:

Grabbb -> real 0m30.570s
Nmap -> real 0m22.289s

To my surprise, nmap performed better than Grabbb. But bear in mind that this timing method is not a credible process, since a lot of factors need to be considered:

1) Grabbb was compiled on MyOS, which runs glibc version gazillion, but grabbb is a dinosaur program coming out of Jurassic World.
2) Network load during the process
3) Host load during the process
4) Nmap did not scan hosts that gave no ICMP echo reply, since -P0 was not used. ;)

* Disclaimer: I have not gone through the code for verification, and if you're backdoored because of your inability to read the code (which is equal to mine), please do not hesitate to bang your head against the door.

Saturday, October 04, 2008

Quest for a handphone

For me, be it iPhone, Nokia or whatever it is... the requirements are quite simple.

Must:

1) Rock hard solid Operating System
2) No or Less java based Application
3) With the ability to text and call.
4) Camera but not a fancy one.
5) With universal battery charger.
6) Wifi / Bluetooth enabled, meeting the IEEE standards.
7) An email client that supports OWA/POP3S/SMTPS.


Extra:

1) A mobile accounting package that can be synced back to a normal accounting application such as GnuCash.
2) Can export/import the phone book in CSV format.
3) Can be synced easily to a PC / MacBook.
4) Can run Karmetasploit. (Am I asking too much?)

Sunday, August 03, 2008

SSH, a handy tool!

I need to check some configurations on several servers located all over the net. I was thinking of using Perl, nahhh... better to use a shell script with ssh and an ssh key.

#!/bin/bash

# One IP per line in iplist; the ssh key means no password prompt per host.
# The remote command runs inside single quotes so the double-quoted SQL survives,
# and each host's output lands in <ip>.result.
# Note: -ppassword is visible in the remote process list and shell history;
# a [client] section in ~/.my.cnf on the remote host avoids that.
for x in $(grep ^ iplist); do
    ssh admin@"$x" 'cat /etc/snort.config; mysql -uusername -ppassword snortdb -e "select * from events where event_id = 9"' >> "$x.result"
done

That's it.

Wednesday, July 09, 2008

My Intrusion Prevention System is better than yours

"I have IPSs and I've seen some weird queries/logs during the testing. It was something like cmd.exe, net user mofo mofo123 /add and other commands being executed on our server."

Oh darling, if you have an IPS, it should be dropping those connections already. If not, give a kick to the nut-sack of the IPS vendors and tell them www.go.to.hell.org!! I myself would not mind giving them an uppercut kick just like Zohan.

It was an attack, wasn't it?

Sample
FWBongek, 1 July 2008, 08:32, 10.10.10.10:3124, 1.1.1.1:23, TCP
.
.
.
FWBongek, 2 July 2008, 10:00, 10.10.10.10:3124, 1.1.1.1:23, TCP


Using my super lazy skills (in the sample layout above the source address is the 4th comma-separated field, and uniq -c needs sorted input, so the count goes after the first sort):
cut -d ',' -f 4 firewall.log | cut -d ':' -f 1 | sort | uniq -c | sort -rn



I found out it is just normal internet behaviour, the kind of thing you will see once you're connected to the internet. The cause might be worms, botnets and mass scanning.
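The same firewall-log triage as a small set of POSIX sh functions, added here as an example and not part of the original post. The log lines are constructed in the FWBongek layout shown above (device, date, time, src_ip:port, dst_ip:port, proto); the function and variable names are my own. Beyond the top-talker count, it also flags sources that touched several distinct destination ports, which is what separates a scanner from a chatty but harmless host.

```shell
#!/bin/sh
# Constructed sample in the same layout as the FWBongek lines above:
#   device, date, time, src_ip:port, dst_ip:port, proto
sample_log() {
  cat <<'EOF'
FWBongek, 1 July 2008, 08:32, 10.10.10.10:3124, 1.1.1.1:23, TCP
FWBongek, 1 July 2008, 08:33, 10.10.10.10:3125, 1.1.1.1:23, TCP
FWBongek, 1 July 2008, 09:10, 192.0.2.7:40001, 1.1.1.1:445, TCP
FWBongek, 1 July 2008, 09:11, 192.0.2.7:40002, 1.1.1.1:139, TCP
FWBongek, 1 July 2008, 09:12, 192.0.2.7:40003, 1.1.1.1:23, TCP
FWBongek, 2 July 2008, 10:00, 10.10.10.10:3124, 1.1.1.1:23, TCP
FWBongek, 2 July 2008, 10:04, 10.10.10.10:3126, 1.1.1.1:23, TCP
FWBongek, 2 July 2008, 10:06, 198.51.100.3:5555, 1.1.1.1:23, TCP
EOF
}

# Pick one comma-separated field and drop the leading blank left by ", ".
field() { cut -d ',' -f "$1" | sed 's/^ *//'; }

# Lines per source address (field 4, before the ':' port), busiest first.
# Output is normalised to "count value" so it is easy to assert on.
top_sources() {
  field 4 | cut -d ':' -f 1 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Hits per destination port (field 5, after the ':'), busiest first.
top_dst_ports() {
  field 5 | cut -d ':' -f 2 | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Sources that reached more than $1 distinct destination ports: a cheap
# horizontal-scan indicator that the plain top-talker count hides.
scanners() {
  awk -F', ' '{ split($4, s, ":"); split($5, d, ":"); print s[1], d[2] }' \
    | sort -u \
    | awk -v n="$1" '{ c[$1]++ } END { for (ip in c) if (c[ip] > n) print ip }' \
    | sort
}

# Stand-alone run: top talkers, then anyone touching more than 2 ports.
sample_log | top_sources
sample_log | scanners 2
```

Point the functions at a real file with `top_sources < firewall.log`; the only assumption is that the field order matches the sample.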