Sophos: Patch your firewalls – zero day runs wild

Over the weekend, Sophos announced it had released a hotfix for Sophos XG firewalls. This hotfix patches an SQL injection vulnerability that attackers were using to download payloads onto the device.

It looks like hashed usernames and passwords have been stolen from the XG devices. This means all XG owners should reset the passwords for administration and for any local VPN users as well.

It appears the attack came in through either the admin portal (port 4444) or the user portal (port 443). Normally the administration portal is closed on the WAN; however, it is normal practice to have the user portal exposed on the WAN.

If your firewall has been compromised, Sophos recommends these steps:

  1. Reset device administrator accounts
  2. Reboot the XG device(s)
  3. Reset passwords for all local user accounts
  4. Although the passwords were hashed, it is recommended that passwords are reset for any accounts where the XG credentials might have been reused

We are awaiting further information from Sophos.

IIS6 Connections_Refused

I just had a call from a customer who said their IIS service is no longer accepting HTTP connections. They thought this might be related to network settings.

Upon logging in to the system, I looked at various services that might be listening on port 80 using:

netstat -aon | findstr 80

You will get something similar to the following:

TCP                 LISTENING       4

This is the System process (PID 4) listening on port 80, which is normally IIS.

Once I was certain IIS was actually working, I decided to go and have a look at the IIS log files. On Windows 2003 you will find these under C:\WINDOWS\system32\LogFiles

Looking in the HTTPErr folder, I found the following logged items:

#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2014-07-12 22:35:05 - - - - - - - - - 6_Connections_Refused -
2014-07-12 22:35:10 - - - - - - - - - 1_Connections_Refused -
2014-07-12 22:35:25 - - - - - - - - - 1_Connections_Refused -
2014-07-12 22:35:40 - - - - - - - - - 1_Connections_Refused -
2014-07-12 22:36:10 - - - - - - - - - 1_Connections_Refused -

A list of IIS errors can be found here. Within this page, you will find the error for connection refused.

The kernel NonPagedPool memory has dropped below 20MB and http.sys has stopped receiving new connections

Now we are getting somewhere.

This is caused by the system running out of available NPP (NonPagedPool) memory. A good article can be found here.

I recommend turning on aggressive memory in order to fix this issue. The article for this can be found here.
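As an added example (not code from the original post), the following Python script does the two checks described above offline: it finds which PID is listening on exactly port 80 in saved netstat -aon output (plain `findstr 80` also matches :8080 and any PID containing "80"), and it parses an HTTPERR log by its #Fields header and totals the Connections_Refused entries with their time window. The netstat excerpt, the #Software header and the BadRequest line are constructed; the Connections_Refused lines are the ones quoted above. Treating the numeric prefix on the reason (6_, 1_) as a tally of refused connections rolled into one entry is an assumption.

```python
import re
from collections import Counter

# Constructed netstat -aon excerpt (not the customer's real output). The :8080
# listener and PID 1800 are there to show why substring-matching "80" misleads.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       800
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1800
  TCP    10.0.0.1:80            10.0.0.5:51234         ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    580
"""

# HTTPERR excerpt: the Connections_Refused lines are the ones quoted in the
# post; the #Software line and the final BadRequest line are constructed to
# show that comment lines are skipped and other reasons are counted too.
SAMPLE_HTTPERR = """#Software: Microsoft HTTP API 1.0
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2014-07-12 22:35:05 - - - - - - - - - 6_Connections_Refused -
2014-07-12 22:35:10 - - - - - - - - - 1_Connections_Refused -
2014-07-12 22:35:25 - - - - - - - - - 1_Connections_Refused -
2014-07-12 22:35:40 - - - - - - - - - 1_Connections_Refused -
2014-07-12 22:36:10 - - - - - - - - - 1_Connections_Refused -
2014-07-12 22:36:12 10.0.0.5 51234 10.0.0.1 80 HTTP/1.1 GET /index.htm 400 - BadRequest -
"""


def listeners_on_port(netstat_text, port):
    """Return PIDs of TCP sockets in LISTENING state on exactly `port`."""
    pids = []
    for line in netstat_text.splitlines():
        parts = line.split()
        # TCP rows have 5 columns; UDP rows have 4 (no state) and are skipped.
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        local_port = parts[1].rsplit(":", 1)[-1]   # also handles [::]:80
        if local_port == str(port):
            pids.append(int(parts[4]))
    return pids


def parse_httperr(text):
    """Yield one dict per log entry, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before #Fields header: %r" % line)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


_REASON_RE = re.compile(r"^(?:(\d+)_)?(.+)$")


def split_reason(raw):
    """Split '6_Connections_Refused' into (6, 'Connections_Refused').

    Assumption: the numeric prefix is a tally of refused connections that
    http.sys rolled into one entry; reasons without a prefix count as 1."""
    m = _REASON_RE.match(raw)
    count = int(m.group(1)) if m.group(1) else 1
    return count, m.group(2)


def summarize_httperr(text):
    """Total entries per reason plus the time window of Connections_Refused."""
    by_reason = Counter()
    first = last = None
    for entry in parse_httperr(text):
        count, reason = split_reason(entry["s-reason"])
        by_reason[reason] += count
        if reason == "Connections_Refused":
            stamp = entry["date"] + " " + entry["time"]
            first = first or stamp
            last = stamp
    return {"by_reason": dict(by_reason),
            "refused": by_reason["Connections_Refused"],
            "first_refused": first, "last_refused": last}


if __name__ == "__main__":
    print("PIDs listening on :80 ->", listeners_on_port(SAMPLE_NETSTAT, 80))
    report = summarize_httperr(SAMPLE_HTTPERR)
    print("HTTPERR reasons ->", report["by_reason"])
    if report["refused"]:
        print("%d refused connections between %s and %s: NonPagedPool below "
              "20MB, http.sys stopped accepting connections" % (
                  report["refused"], report["first_refused"],
                  report["last_refused"]))
```

On a live box you would feed it the output of `netstat -aon` and the newest httperr*.log from the LogFiles\HTTPERR folder; a non-zero refused total with a recent last_refused stamp is the signal that http.sys, not the network, is turning clients away.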

Ubiquiti UniFi Cloud Controller on Ubuntu Part 1

Ubiquiti make great wireless access points and controllers for the enterprise. We have been looking to condense all our controllers into a single controller for all of our clients. This makes management far easier, as well as providing additional revenue streams.

This is a step-by-step guide on how to configure your own cloud controller for UniFi products on Ubuntu.

  1. Grab a VPS from somewhere like AWS or Rackspace, or download the free VMware ESXi and host it yourself
  2. Install Ubuntu
  3. Log in to Ubuntu and add the following line to your apt sources file (/etc/apt/sources.list)
    deb precise ubiquiti
  4. Type apt-get update
  5. Type apt-get install unifi-beta
  6. Once this has finished installing, browse to https://hostname:8443
  7. You should see the setup screen. Fill it in, then log in with your username and password
  8. Now you need to point your APs to your hostname and publish it externally. That’s a bit too hard to go into in this article, but leave a comment if you get stuck here. Follow this YouTube link on how to configure your APs to use an external address.
  9. In part two, I will show you how to connect the clients and create client groups.
  10. You’re done. Leave any comments below 🙂