Published on October 28, 2011 in Security.
Unless you are an expert in device driver development, I would not recommend attempting a file system filter driver yourself if you are on a tight deadline. Pick up a framework and build on that; it is easier and more reliable. I had one such requirement from a client, on-the-fly data modification (encryption and access control), and after some searching found the following:
- Very hard to write; avoid unless you know what you are doing.
- Hard to debug and develop.
- Very few experts, and project development costs are very high if outsourced.
- No real reference source code unless you are willing to invest a lot of time.
- OSR is where the experts hang out, and it is the best resource and forum if you plan to do it yourself.
After some research we decided to use a commercial framework for faster turnaround and more reliability, since I am not a device driver expert. Here are the ones I found which offer a file system filter driver with sources:
- Crypto Driver – A new entrant with a plug-and-play architecture which is easily extendable. Not much documentation or support options for now.
- Alfa Transparent File Encryptor – Well documented and complete in most ways. You cannot change the crypto unless you get the code.
- CallbackFilter – Very flexible, well documented and the easiest to use in my experience. They have very flexible pricing which is startup friendly.
- OSR DMK – Best in the league, but way out of our budget.
If you find more, let me know and I will add them to this list for reference.
Recently one of my sites was hacked. It was a closed-source web application. I found out the next day when I saw changes made to some settings of the web application. Here is how I tracked down what was wrong; it might help someone in the same mess I was in.
The first thing I noticed was that the administrator account passwords had been changed, so I instantly knew something was wrong.
Since I usually store the main settings in a file for faster access, I opened FTP to look at the timestamp on that file. Its last-modified date gave me an approximate time at which the attacker changed the settings.
The next step was to dig up the raw access logs from cPanel. After downloading the access logs for that site I opened them in PSPad (my favourite editor). Logs of busy sites are not small, so expect a very large amount of data.
But I knew the specific URL used to change the settings, so I did a Ctrl-F for that URL prefixed with POST, since a form has to be submitted to change settings. This gave me a few instances of POST requests to that URL.
Matching the timestamps against the file's modification time told me which request was the attacker's settings change, which meant I had the IP. Another Ctrl-F on that IP, using the "list" option, put all of the attacker's log entries in a separate window, making it easy to step through his efforts to crack the system.
Going through from the start, I noticed that after a certain URL he suddenly had access to the admin section. Once I requested that URL myself, I knew what the problem was.
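The same log search, as an added example in Python that is not part of the original post: it parses cPanel-style raw access log lines (Apache combined format), finds the POST requests to the settings URL, picks the one closest to the settings file's modification time, pulls every request from that IP in time order, and reports the request made just before the first successful (200) hit on the admin area. The log lines, the IP addresses, the paths /admin/settings.php and /placeholder.php and the modification time are all constructed for the example; the placeholder path only stands in for "the certain URL" above and says nothing about what the actual flaw was.

```python
import re
from datetime import datetime, timezone

# Apache "combined" format, which is what cPanel raw access logs use.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

# Constructed sample log (not from the original post). 203.0.113.7 plays the
# attacker, 198.51.100.x are ordinary visitors, and /placeholder.php stands in
# for whatever URL preceded the attacker's admin access.
SAMPLE_LOG = """\
198.51.100.4 - - [28/Oct/2011:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2011:09:40:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2011:09:40:25 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2011:09:41:02 +0000] "GET /login.php HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2011:09:41:30 +0000] "GET /placeholder.php?x=1 HTTP/1.1" 200 340 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2011:09:41:45 +0000] "GET /admin/ HTTP/1.1" 200 8870 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Oct/2011:09:43:12 +0000] "POST /admin/settings.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [28/Oct/2011:10:02:44 +0000] "POST /admin/settings.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

# Constructed stand-in for the settings file's mtime as seen in the FTP listing.
SETTINGS_MTIME = datetime(2011, 10, 28, 9, 43, 12, tzinfo=timezone.utc)
SETTINGS_URL = "/admin/settings.php"


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        entries.append(e)
    return entries


def posts_to(entries, path):
    """The Ctrl-F for 'POST <url>': every form submission to the given path."""
    return [e for e in entries
            if e["method"] == "POST" and e["path"].split("?", 1)[0] == path]


def closest_to(entries, when):
    """Pick the request nearest the file's modification time."""
    return min(entries, key=lambda e: abs(e["time"] - when))


def requests_from(entries, ip):
    """The Ctrl-F on the IP: that client's requests in time order."""
    return sorted((e for e in entries if e["ip"] == ip), key=lambda e: e["time"])


def first_admin_success(trail, admin_prefix="/admin/"):
    """Return (request before, admin request) for the first 200 on the admin area."""
    prev = None
    for e in trail:
        if e["path"].startswith(admin_prefix) and e["status"] == 200:
            return prev, e
        prev = e
    return None, None


def investigate(log_text, settings_url, mtime):
    """Run the whole procedure; returns None if nobody ever POSTed to the URL."""
    entries = parse_log(log_text)
    posts = posts_to(entries, settings_url)
    if not posts:
        return None
    change = closest_to(posts, mtime)
    trail = requests_from(entries, change["ip"])
    before, _admin = first_admin_success(trail)
    return {
        "ip": change["ip"],
        "change_time": change["time"].isoformat(),
        "trail": [(e["time"].strftime("%H:%M:%S"), e["method"], e["path"], e["status"])
                  for e in trail],
        "pivot": before["path"] if before else None,
    }


if __name__ == "__main__":
    result = investigate(SAMPLE_LOG, SETTINGS_URL, SETTINGS_MTIME)
    print("settings changed from", result["ip"], "at", result["change_time"])
    for row in result["trail"]:
        print(*row)
    print("request just before first admin 200:", result["pivot"])
```

Matching by closeness rather than equality is deliberate: the FTP listing and the access log can report times in different zones, and the log's own `+0000` offset is the one to trust. On shared hosting the client IP may also be a proxy, so the trail is a lead to follow, not proof of who was behind it.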
And so it was fixed.