[SecurityRatty] tag: extensive

Skype security flub leads to discovery of Chinese monitoring

Thu, 02 Oct 2008 22:00:10 +0000

Researchers have found evidence that Skype and Chinese partner TOM Online are monitoring text communications online for "sensitive" topics, and storing extensive logs on publicly-accessible servers. Not only is this a major security risk, it also raises questions as to what level Skype is complying with the requests of the Chinese government.

A Diverse Portfolio of Fake Security Software - Part Seven

Tue, 30 Sep 2008 12:35:15 +0000

In case you haven't heard - Microsoft and the Washington state are suing a U.S based -- naturally -- "scareware" vendor Branch Software :

"We won't tolerate the use of alarmist warnings or deceptive 'free scans' to trick consumers into buying software to fix a problem that doesn't even exist," Washington Attorney General Rob McKenna said. "We've repeatedly proven that Internet companies that prey on consumers' anxieties are within our reach."

Sadly, Branch Software is the tip of the iceberg on the top of the affiliates participating in different affiliation based programs, which similar to IBSOFTWARE CYPRUS and Interactivebrands, which I've been tracking down for a while, are the aggregators of scareware that popped up on the radars due to their extensive portfolios. These three companies offering software bundles or plain simple fake software, are somewhere in between the food chain of this ecosystem, with the real vendors paying out the commissions on a per installation basis slowly starting to issue invitation codes that they've distributed only across invite-only forums/sections of particular forums.

Behind these brands is everyone that is participating in the franchise and is putting personal efforts into monetizing the high payout rates that the fake security software vendor is paying for successful installation. These high payout rates -- with the financing naturally coming straight from other criminal activities online -- are in fact so high, that I can easily say that the last two quarters we've witnesses the largest increase of such domains ever, and they're only heating up since the typosquatting possibilities are countless and they seem to know that as well.

It's important to point out that their business model of acquiring traffic is outsourced to all the affiliates that do the blackhat SEO, SQL injections, web sessions hijacking of malware infected hosts in order to monetize, so basically, you have an affiliates network whose actions are directly driving the growth into all these areas. Throwing money into the underground marketplace as a "financial injection", is proving itself as a growth factor, and incentive for innovation on behalf of all the participants.

Here are some of the most recent fake security software domains, a "deja vu" moment with a known RBN domain from a "previous life" that is also parked at one of the servers, and evidence that typosquatting for fraudulent purposes is still pretty active with a dozen of Norton Antivirus related domains, some of which have already started issuing "fake security notices" by brandjacking the vendor for traffic acquisition purposes.

Antivirus-Alert .com (203.117.111.47) where pepato .org a domain that was used in the Wired.com and History.com IFRAME injections, which back in March was also hosted at Hostfresh (58.65.238.59).

softload2008name .com (78.157.143.250)
softload2008nm .com
softload2008n .com
softload2008jq .com

microantivir-2009 .com (91.208.0.223)
scanner.microantivir-2009 .com
microantivir2009 .com
microantivirus-2009 .com
microantivirus2009 .com

ms-scan .com (91.208.0.228)
msscanner .com
ms-scanner .com

Personalantispy .com (93.190.139.197)
freepcsecure .com
quickinstallpack .com
quickdownloadpro .com
advancedcleaner .com
performanceoptimizer .com
internetanonymizer .com

ieprogramming .com (92.62.101.83)
uptodatepage .com
fileliveupdate .com
qwertypages .com
sharedupdates .com
ierenewals .com

norton-antivirus-alert .com
norton-anti-virus-2007 .com
norton-antivirus-2007 .com
norton-antivirus2007 .com
nortonantivirus2007 .com
norton-antivirus-2008 .com
nortonantivirus2008 .com
nortonantivirus2008freedownload .com
norton-antivirus-2009 .com
nortonantivirus2009 .com
norton-antivirus-2010 .com
nortonantivirus2010 .com
nortonantivirus360 .com
nortonantivirus8 .com
nortonantivirusa .com
nortonantivirusactivation .com
norton-antivirus-alert .com
nortonantivirusalerts .com
norton--anti-virus .com
norton-anti-virus .com
norton-antivirus .com
nortonanti-virus .com
nortonantivirus.com
nortonantiviruscom .com
nortonantiviruscorporate .com
nortonantiviruscorporateedition .com
nortonantiviruscoupon .com
nortonantivirusdefinition .com
nortonantivirusdefinitions .com
nortonantivirusdirect .com

Fake Antivirus Inc. is not going away as long as the affiliate based model remains active. If the real vendors were greedy enough not to share the revenues with others, they would have been the one popping up on the radar, compared to the situation where it's the affiliate network's participations greed that's increasing their visibility online.

Related posts:
A Diverse Portfolio of Fake Security Software - Part Six
A Diverse Portfolio of Fake Security Software - Part Five
A Diverse Portfolio of Fake Security Software - Part Four
A Diverse Portfolio of Fake Security Software - Part Three
A Diverse Portfolio of Fake Security Software - Part Two
Diverse Portfolio of Fake Security Software
Cybersquatting Symantec's Norton AntiVirus
Cybersquatting Security Vendors for Fraudulent Purposes
Fake Porn Sites Serving Malware - Part Three
Fake Porn Sites Serving Malware - Part Two
Fake Porn Sites Serving Malware
EstDomains and Intercage VS Cybercrime
Fake Security Software Domains Serving Exploits
Localized Fake Security Software
Got Your XPShield Up and Running?
Fake PestPatrol Security Software
RBN's Fake Security Software
Lazy Summer Days at UkrTeleGroup Ltd
Geolocating Malicious ISPs
The Malicious ISPs You Rarely See in Any Report

Links List 9.29.08

Mon, 29 Sep 2008 23:00:14 +0000

Trade shows, trade shows and more trade shows. VMworld and Interop dominated the stage a couple of weeks ago and then there was the annual Oracle blowout in SF last week. Has anyone gotten any work done lately?? (image from cdye1)

Does Oracle run the world? I would have to say no but Raj (Larry Ellison is his idol) and the 40,000 Oracle customers that descended upon SF last week might beg to differ. What do James Carville and Mary Matalin have to do with enterprise software? Pretty much nothing, except for the fact that they delivered the opening keynote for Oracle OpenWorld. (And that’s the only and last politically-oriented thing you’ll hear from me as we run up to the election). For a surprisingly funny and extensive photo gallery of the eye-popping event, check out cdye1’s photostream on Flickr.

But UB40, Elvis Costello and Seal aside, Oracle OpenWorld did offer training, certifications, and always entertaining speeches by Ellison. Ben Worthen’s favorite – “Larry Ellison’s Brilliant Anti-Cloud Computing Rant” delivered to analysts on Thursday. From Ben’s slightly-edited excerpt:

“The interesting thing about cloud computing is that we’ve redefined cloud computing to include everything that we already do. I can’t think of anything that isn’t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women’s fashion. Maybe I’m an idiot, but I have no idea what anyone is talking about. What is it? It’s complete gibberish. It’s insane. When is this idiocy going to stop?

“We’ll make cloud computing announcements. I’m not going to fight this thing. But I don’t understand what we would do differently in the light of cloud computing other than change the wording of some of our ads. That’s my view.”

So did everyone catch that? Cloud computing is complete gibberish and idiocy, but apparently Oracle’s already been doing enough around it to advertise the fact. I will have my cake and eat it too!

We’ve been pumping out the posts from the shows we went to – let me tell you, live-blogging is hard when you’re trying to share apparently miniscule amounts of bandwidth with 14,000 other attendees – and we have even more to share as we step back, contemplate and describe how some of the announcements, info and especially roadmaps fit into our overall picture over here at ScienceLogic.

For example, we released the results of our annual industry IT survey last week. Twice a year – at FOSE (for Government IT) and at Interop NY (for enterprises) – we take advantage of the fact that we have a big beautiful booth at these shows and offer a fabulous ScienceLogic t-shirt in return for a couple of minutes time with attendees living the problems we try to solve. Instead of telling people what their problems and priorities are, we like to ask.
Interop NY Survey - Trends and Challenges
Detailed Reports on Trends and Comparison to Government IT

And I just had to share this one because it is so bizarre. Are VMware and Paul Maritz guilty of plagiarism? You have to check this out to get even part of the picture. Apparently this guy has posted his slides (we know they are from VMworld 2007 because it says so in the lower-right-hand corner…) which prove that the “virtual datacenter operating system” idea was his idea a year before it showed up on Maritz’s keynote this year. Hmmm. And then after posting all these slides and making all the connections between his presentation and Maritz’s, he says he’s just kidding about the plagiarism. Can anyone sort this out and let me know?

I’ll tell you who wasn’t kidding when I went by their booth at VMworld – a certain chargeback vendor and VMware “partner” who was quite shocked two months ago when they walked into a meeting with VMware about future roadmap. Apparently, the slides they saw (preview of VMware’s announcement re adding extended chargeback capability within vCenter management services) were mighty might similar to slides they had given in a presentation to VMware about their own roadmap. Coincidence? I’ll let you decide. And I’ll also say, their strategy to combat this – support for Hyper-V coming early in 2009.

Plan-based Complex Event Detection across Distributed Sources

Thu, 25 Sep 2008 12:49:02 +0000

Here is an interesting 2008 paper, Plan-based Complex Event Detection across Distributed Sources.

Abstract

Complex Event Detection (CED) is emerging as a key capability for many monitoring applications such as intrusion detection, sensorbased activity & phenomena tracking, and network monitoring. Existing CED solutions commonly assume centralized availability and processing of all relevant events, and thus incur significant overhead in distributed settings. In this paper, we present and evaluate communication efficient techniques that can efficiently perform CED across distributed event sources.

Our techniques are plan-based: we generate multi-step event acquisition and processing plans that leverage temporal relationships among events and event occurrence statistics to minimize event transmission costs, while meeting application-specific latency expectations. We present an optimal but exponential-time dynamic programming algorithm and two polynomial-time heuristic algorithms, as well as their extensions for detecting multiple complex events with common sub-expressions. We characterize the behavior and performance of our solutions via extensive experimentation on synthetic and real-world data sets using our prototype implementation.

More Details on McAfee's Artemis

Fri, 19 Sep 2008 07:25:41 +0000

I spoke with McAfee recently, following my column about its Artemis technology. I learned a few things. Artemis kicks in when the local anti-virus scanner sees, through behavioral methods, if the file is suspicious. Then it sends a fingerprint of the file up to the Artemis servers for further analysis. I had assumed that this fingerprint was a hash of some kind, but that was a simplistic assumption. The fingerprint includes characteristics of the file, including the ones that the scanner used to determine that the file was suspicious: Is it packed? Using certain packers in particular? Is it compressed (not the same thing)? Is it a certain size? In case I was unclear before, none of this involves signatures in the conventional sense. It occurs to me that this could lower false-positives, compared with conventional behavioral analysis, because it subjects suspicious threats to more extensive analysis in the cloud. It all depends on how aggressive McAfee is at that stage. Another thought I had is that since Artemis kicks in as a result of behavioral analysis, the threat has already hit the system by the time Artemis is invoked. Presumably the process is asynchronous and Artemis could return its analysis some time after the submission. If this is the case, it could be awhile during which malware is running rampant on your system.

Spam Campaign Abusing Yahoo's Services

Wed, 17 Sep 2008 05:25:24 +0000

Think spammers.Yahoo.com trusts Yahoo.com, consequently, a spam campaign that using bogus Yahoo.com email accounts, and spamming only Yahoo users with links to Yahoo's search engine using queries leading to the exact spammer's URLs, is almost 100% sure to make it through spam filters. That seems to be case with this spam campaign perfectly fitting into the "spam that made it through" category.

Sample search queries resulting in a single result with the spammer's URL :
- yahoo.com/////////////////////////////search/search;_ylt=?p=())))))))))))))callfold(((((((((((((((()))))))))))((((()))))))5000)))))))))))(((((((
- search.yahoo.com/search?p=(((((())))))))((((((((((((((housetear((((())))))(((((((())))))))(((((((((5000((((((())))))))))))))))))))
- yahoo.com/search/search;_ylt=?p=]]]]]]]]]]]][[[[[[galestay[[]]]]]]][[[[[[[[[[[[[[[[[[[[$229[[[[[[[[[[[[[[[[[[[]]]]
- yahoo.com/search/search;_ylt=?p=(((((())))))))))galestay((((((()((((((((((((((((($229)))))))))))(((()
- yahoo.com/////////////////////////////search/search;_ylt=?p=))))))))))))))(((((richorbit((((((((((((((())))))))))))((((((())))))$229)))))))))))(((((((
- yahoo.com/////////////////////////////search/search;_ylt=?p=))))))(((())))))))))richorbit((((((((((((())))))))((((((((((((((((((((((((((((($229))))))((((())

The search queries lead to galestay.com; housetear.com; callfold.com; richorbit.com with several hundred spam domains participating in the campaign parked at 218.61.7.21 and 220.248.185.64.

With CAPTCHA solving and automatic account registration getting easier to outsource next to the easily obtainable segmented email databases of a particular ISP or web based email service provider, launching such a campaign requires less efforts than it used to before. Interestingly, the spammed through Yahoo emails never leave Yahoo Mail since it's only spamming Yahoo users according to the extensive number of emails CC-ed.

What's to come in the long-term? With an entire spamming infrastructure build on the foundation of the hundreds of thousands of bogus accounts at legitimate services, spammers are already starting to embrace the "legitimate sender" mentality and are working on ways to integrate that infrastructure in their spam systems, evidence of which can be seen in several different managed spamming services.

Related posts:
Microsoft’s CAPTCHA successfully broken
Gmail, Yahoo and Hotmail’s CAPTCHA broken by spammers
Spam coming from free email providers increasing
Inside India’s CAPTCHA solving economy

EstDomains and Intercage VS Cybercrime

Tue, 16 Sep 2008 05:09:44 +0000

Surreal, especially when you get to read that EstDomains has "ruthlessly suspended over five thousand domains only for last week", and also, that it "has a reliable ally in its battle against malware in a face of Intercage, Inc".

Here's the press release :

"The EstDomains, Inc management does not deny the fact that no one is secured from having a customer who uses provided services for delinquent purposes. But it must be noted that the carefully planned infrastructure of EstDomains, Inc makes the special provision for the cases of malware distribution that may originate from the domain name registered under the company's name. Such domain names are suspended immediately along with domain holder's account if there is an evidence of malware presence on the web site. According to the most recent statistics over five thousand domain names were detected and ruthlessly suspended by EstDomains, Inc specialists only last week.

The company also has a reliable ally in its battle against malware in a face of Intercage, Inc which provides company with the hosting services of the highest quality. But the outstanding performance of hosting services is not the sole reason why EstDomains, Inc appreciates this partnership so greatly. Intercage, Inc generously provides EstDomains, Inc specialists with reports regarding discovered malware vehicles. As the main database for additional domain name management services is located in Intercage Data Center, EstDomains, Inc has the perfect opportunity to get notifications of the slightest mark of malware presence in the shortest time and take measures in advance. "

The press release reminds me of RBN's defacement of my blog posted on the 1st of April, and despite that EstDomains started "performing for the community" as of recently, thanks to the collective intelligence and persistence of everyone turning their research into actionable intelligence against them, this performance aiming to minimize the effect of the negative PR is more or less futile considering all the cybercrime activities that they've been tolerating or ignoring for the past couple of years. For future generations to see, this is how EstDomains "performs for the community" :

"We've suspended all the domains listed in this topic. But please don't make posting these domains on this forum a habit. We have a 24/7 online tech support which can be contacted at https://support.estdomains.com

Best regards,
EstDomains Team

EstMate says : Ihatemondayand.com and antispycheck.com - both suspended. If any of the suspended websites are still active to you it maybe be because of your computer's or ISP's DNS-cache, others won't be able to access these websites

googlescanners-360.com isn't registered with us. As for other domains, the ones, which were registered through us, have been suspended. Regarding our preventive measures, the fact that you don't see them doesn't mean there isn't any. Yes, we don't write about them but in most cases we suspend whole accounts with problematic domains and look for connections to other accounts etc. During the last week we've suspended over 15000 different domains."

What's more disturbing regarding this particular domain registrar is that it's a U.S based operation, namely, using the lack of international cybercrime cooperation as an excuse for not taking actions earlier doesn't fit into the picture. Moreover, this is just the tip of the iceberg, and taking into consideration a personal mentality that the cybercriminals you know are better than the cybercriminals you don't know, the RBN or any of its "leftovers" aren't fully taking advantage of the tactics they could be using in order to make it harder to shut them down, but how come? Simply, they don't have to put extra efforts and would once again remain online for years to come, which is perhaps more disturbing at the first place.

What in the world is the Russian Business Network, is it still alive and kicking, are the same people that used to maintain my favorite netblock ever, still the ones running it, and what tactics are they taking advantage of in order to make it harder for the community to establish direct links with a particular netblock and the RBN itself?

With RBN's "leftovers" -- InterCage, Inc., Softlayer Technologies, Layered Technologies, Inc., Ukrtelegroup Ltd, Turkey Abdallah Internet Hizmetleri, and Hostfresh -- making headlines just like the way it should be, what I've been researching for the past couple of months is how they've migrated from the centralized hosting provider to what appears to be a fully operational franchise. The business model is very simple, the RBN through its extensive underground networking skills supplies to customers to franchisers operating small anti-abuse netblocks across the globe, where they offer dedicated hosting and share revenue with the RBN. Anyone trusted enough and capable of supplying such netblocks starts running the RBN anti-abuse franchise. It's also worth pointing out that these franchises are in fact starting to cut the middle man, and disintermediate the RBN by actively advertising their services in order for them to create a self-sustainable business model without having to rely on the RBN connecting them with customers.

What used to be a centralized cybercrime powerhouse operating several highly visible anti-abuse netblocks, is today's decentralized infrastructure, with the profit margins for the anti-abuse services that it's logically capable to break-even and earn profits even with a few high profile dedicated hosting customers. Anyone can be the Russian Business Network, gain experience into the market segment, then disintermediate them by starting to advertise their own services. From a powerhouse to a franchise model, what the RBN had to offer can be easily duplicated by a countless number of local RBN's, and this is only starting to take place.

Related posts:
Lazy Summer Days at UkrTeleGroup Ltd.
The Malicious ISPs you Rarely See in Any Report
Geolocationg Malicious ISPs
The New Media Malware Gang - Part Four
The New Media Malware Gang - Part Three
The New Media Malware Gang - Part Two
The New Media Malware Gang
RBN's Fake Account Suspended Notices
HACKED BY THE RBN!
Rogue RBN Software Pushed Through Blackhat SEO
RBN's Phishing Activities
RBN's Puppets Need Their Master
RBN's Fake Account Suspended Notices
A Diverse Portfolio of Fake Security Software
Go to Sleep, Go to Sleep my Little RBN
Exposing the Russian Business Network
Detecting the Blocking the Russian Business Network
Over 100 Malwares Hosted on a Single RBN IP
RBN's Fake Security Software
The Russian Business Network

PCI V1.2, a good start but still not enough

Wed, 03 Sep 2008 12:56:31 +0000

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that’s due out in October. While many Analysts and Reporters have already written on the topic (I’ll be releasing an extensive update on Burton Group’s PCI coverage around the October release date), they really haven’t commented on what’s still not been addressed by the standard for enterprises still working on attaining compliance.

While I applaud the PCI Security Standards Council in further clarifying and adjusting the standard, a lot of work still needs to be done. I receive about one or two PCI questions a week from our clients and they seem to revolve around a couple of topics I’ve yet to see addressed:

Guidelines for selecting a Qualified Security Assessor (QSA) – while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can’t really recommend a particular QSA for an individual organization. This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
The role of the QSA – organizations are also still trying to understand the role of a QSA. Should they get a QSA involved in the gap and remediation process in advance of certification? If so, should it be the same QSA that will do their certification (knowing there’s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
Industry-specific best practices – while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform. So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
Virtualized environments – while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn’t provide guidelines for QSAs to evaluate and certify these environments.
Monitoring and audit – while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI as part of an overall security model – what are the best practices around merging PCI security requirements into an enterprise’s overall security model? Should it be maintained separately? Should some components be integrated with similar security mechanisms? Should PCI be at the top of the security model and other configurations be based upon its requirements? There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won’t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group’s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I’d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

PCI V1.2, a good start but still not enough

Wed, 03 Sep 2008 12:56:31 +0000

Blogger: Randall Gamby

Two weeks ago the PCI Security Standards Council released the preliminary details of the PCI Data Security Standard (DSS) V1.2 that???s due out in October. While many Analysts and Reporters have already written on the topic (I???ll be releasing an extensive update on Burton Group???s PCI coverage around the October release date), they really haven???t commented on what???s still not been addressed by the standard for enterprises still working on attaining compliance.

Guidelines for selecting a Qualified Security Assessor (QSA) ??? while there are a large number of QSA organizations listed on the PCI Security Standards Council web site; they can???t really recommend a particular QSA for an individual organization. This leads a lot of organizations to struggle with determining what criteria they should use in selecting a QSA for their certification.
The role of the QSA ??? organizations are also still trying to understand the role of a QSA. Should they get a QSA involved in the gap and remediation process in advance of certification? If so, should it be the same QSA that will do their certification (knowing there???s a risk that the QSA will be pre-disposed to only care about certain vulnerabilities)?
Industry-specific best practices ??? while each organization may have different infrastructures, in general, most industries try to be consistent with the major functions they perform. So are credit card transactions handled differently between say, a major retailer with 10,000 POS systems and an insurance company that has hundreds of independent agents receiving remittances? Probably, so what are best practices around these industry-specific configurations?
Virtualized environments ??? while the PCI Security Standards Council recognizes that some organizations have moved to virtual services for consolidation and management, the DSS really doesn???t provide guidelines for QSAs to evaluate and certify these environments.
Monitoring and audit ??? while the PCI DSS recommends minimum timeframes for scanning, doing pen tests, etc. what are the real levels of monitoring and audit needed for ensuring security? With the Hannaford and Okemo breaches that occurred (both where PCI compliant), neither discovered the problem until months after the breaches had happened. So identifying what should be scanned and tested and if some of this should be on a continuous basis still requires refinement.
PCI as part of an overall security model ??? what are the best practices around merging PCI security requirements into an enterprise???s overall security model? Should it be maintained separately? Should some components be integrated with similar security mechanisms? Should PCI be at the top of the security model and other configurations be based upon its requirements? There are really no answers coming forth on this topic and the other question is where will they come from? Surely enterprises won???t expect the PCI Security Standards Council to tell them how to run their security services.

I will be providing Burton Group???s perspective on most of these questions in my upcoming report, but rather than relying on third parties to resolve these, I???d hope that the PCI Security Standards Council will be able to continue to provide answers to the questions they can in future updates, and releases, of the PCI DSS.

Anton Security Tip of the Day #16: Virtually There - Journey Into VMWare ESX Log Analysis

Mon, 25 Aug 2008 08:11:00 +0000

Following the new "tradition" of posting a security tip of the week (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.

So, Anton Security Tip of the Day #16: Virtually Screwed - Journey Into VMWare ESX Log Analysis

CISecurty guide for VMWare (here) and DISA STIG for virtual machines (here) both mandate collection and analysis of VM platform logs; none goes into enough details on what to look for in logs. Let's try to shed some light on security-focused log analysis of VMWare ESX v. 3.x logs.

First, at least until ESXi becomes the default choice, one needs to keep in mind that ESX as "Linux-inside" and thus diving into /var/log will not reveal any "alien technology" (well, not much :-)). However, one of the most useful logs is /var/log/hostd.N which is not a descendant of Linux standard logs. Extensive VM event records are written into this file.

Let's focus on various types of logins to the ESX platform and identify logs that indicate a successful and failed attempts to log in. Here are a few useful examples to analyze:

Successful logins:

May 30 09:20:42 esx2 su(pam_unix)[9405]: session opened for user root by jhonny(uid=1626)

This is a classic Linux root login message; you can watch for these by searching VMWare ESX logs for "session AND opened AND user AND root." Notice the user name of the user who switched to root.

May 30 09:20:34 esx2 sshd(pam_unix)[9364]: session opened for user jhonny by (uid=0)

This is also a classic Linux message for a normal (non-root) user login.

[2008-05-25 06:57:48.774 'ha-eventmgr' 111639472 info] Event 40645 : User jhonny@1.1.1.1 logged in

This is a VMWare -specific application login to ESX. You can track such events by username, by event ID or by keywords "event AND logged AND user" (if you are using search)

Failed logins:

May 30 09:20:31 esx2 sshd[9356]: Failed password for jhonny from 1.1.1.1 port 54773 ssh2

Another classic Linux message from the ESX system; a failure to login due to incorrect password.

May 27 12:06:59 esx2 sshd[4756]: Failed password for illegal user jonny from 1.1.1.1 port 30594 ssh2

A message indicating a failure to login due to incorrect username (note a typo).

May 25 07:03:48 esx1 sudo: jhonny : 3 incorrect password attempts ; TTY=pts/0 ; PWD=/var/log ; USER=root ; COMMAND=/bin/bash

This ESX Linux platform message should also be familiar to Linux/Unix admins: it indicates multiple sudo password failures; look for such messages in the logs.

BTW, do you need to be reminded to track NOT only failed, but also successful login events?!

Overall, you must prepare for the future by learning to analyze VMWare logs, just like you handled "legacy OS", such as Linux/Unix and Windows.

As I said before, I am tagging all the tips on my del.icio.us feed; here is the link: All Security Tips of the Day.

Technorati tags: security, tips, logging, log management