Track your Java usage with my JavaUsageTracker

If you found this page, you probably know that Oracle decided to charge for Java updates. If you are using Java in a non-profit environment or for personal use, you don’t have to worry about it. On the other hand, if you are a for profit organization, you need to figure out what to do if you haven’t done so already.

Most organizations run Java, some cases Java is installed but forgotten because it was free to use and update, so no one cared. This has changed after Oracle’s announcement. Now the organizations are under pressure to figure out what to do. On the server side, things are a bit easier as the environment is much tightly controlled and OpenJDK can be leveraged.

How about the endpoints? Stale Java version at the endpoints is a security risk. So, we must patch these systems, but how many? Many organizations have inventory tools that show how many Java installations in the environment, but how many of those are actually used? You don’t want to pay for those installations that happened to be there but not used. Enter the JavaUsageTracker.

I developed this quick and dirty solution when my organization faced the same dilemma. This is an open source solution that configures the endpoints to report their usage to a simple UDP server. If your organization is facing the similar problem, go check the JavaUsageTracker. It helped my organization and I hope that it will help yours too.

JavaUsageTracker

Corrected Yara rule for the Wiper malware

Ars Technica has recently published an article about the “wiper” malware. In that article they published a Yara  rule provided by FBI. However, the rule does not work due to a syntax error. Following rule corrects the syntax error and can be used with Yara 3.2.0.
Happy hunting!

[php]
rule unknown_wiper_error_strings
{    
    meta:
        description = "unique custom error debug strings discovered in the wiper malware"

    strings:
        $IP1 = "203.131.222.102" fullword nocase
        $IP2 = "217.96.33.164" fullword nocase
        $IP3 = "88.53.215.64" fullword nocase
        $MZ = "MZ"

    condition:
        $MZ at 0 and all of them

}
[/php]

Massive WordPress attacks are in progress

I see a lot of brute-force attempts made to my site lately. In fact, the unsuccessful login attempts using the “admin” user id are increased by 300 fold. My preliminary investigation showed that all of the offending systems are running Linux. Compromised systems include online retailers, academic institutions, and individuals.

Upon investigating offending hosts, I realized that they ran Parallel’s Plesk, Mysql, nginx or Exim (or combination thereof). Not surprisingly, major security vulnerabilities found on all of these systems in 2014. This goes to show that the security is still not a priority for some hosting providers and organizations. I don’t know how badly these systems are compromised, but for now they are being used to attack WordPress sites.

You can protect yourself from this type of attacks by installing iThemes Security plug-in. This plug-in would guide you how to secure your site from brute-force attacks and among others.