Actually most scans are no longer forged, the level of "noise" from script kiddies/etc is amazing, you get broadband at home, you too can be a 'leet uber-cracker and scan a million hosts in <1 hour. Reporting rarely works, although if more people reported it might, something I am working on. Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/ ----- Original Message ----- From: "Douglas Trainor" To: Cc: Sent: Friday, January 04, 2002 1:38 PM Subject: Re: [suse-security] Somebody has tried to break in. What to do with him?

You may have a full-time job in the future doing just reporting!

It's somewhat likely that anyone scanning like that would forge the IP address...

douglas

alexeys@inventigo.com wrote:

...

Hello,

look at the log. Is the a way to report on that guy?

- Alexey.

139.130.148.203 - - [03/Jan/2002:11:45:17 -0800] "HEAD /....../etc/hosts HTTP/1.1" 404 0 "-" "Mozilla/5.0" 139.130.148.203 - - [03/Jan/2002:11:45:16 -0800] "HEAD /../../../../etc/hosts HTTP/1.1" 400 0 "-" "Mozilla/5.0" 139.130.148.203 - - [03/Jan/2002:11:36:02 -0800] "HEAD /cgi-bin/shop.cgi/page=../../../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0" 139.130.148.203 - - [03/Jan/2002:11:30:22 -0800] "HEAD /../../passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0" 139.130.148.203 - - [03/Jan/2002:11:30:19 -0800] "HEAD /../../passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0" 139.130.148.203 - - [03/Jan/2002:11:30:16 -0800] "HEAD /../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0" 139.130.148.203 - - [03/Jan/2002:11:30:13 -0800] "HEAD /../../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0" 139.130.148.203 - - [03/Jan/2002:11:30:10 -0800] "HEAD /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"

{ http://trelony.cjb.net/ } Alexey N. Solofnenko { http://www.inventigo.com/ } Inventigo LLC Pleasant Hill, CA (GMT-8 usually)

------------------------------------------------- This mail sent through IMP: https://mail.inventigo.com/horde/imp/

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

this is why shitty tcp-ip stacks (with guessable sequences/etc) are a problem. Plus let's say I have two boxes, I spoof connection from A (make it appear from B), if someone complains about B I go "I didn't do it, here, I can proove it, my isp now monitors that stuff outgoing!". Or let's say you have access to a bunch of computers on a hub network (sound familiar?) I can just spoof one of the other IP's, or using dsniff hijack arp/ip's/etc. TCP-IP doesn't even think about security. Kurt Seifried, kurt@seifried.org A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574 http://www.seifried.org/security/ ----- Original Message ----- From: To: Sent: Friday, January 04, 2002 2:07 PM Subject: Re: [suse-security] Somebody has tried to break in. What to do with him?

I did not know that it is possible to forge IP address in stream connections - it is required for handshake.

- Alexey.

{ http://trelony.cjb.net/ } Alexey N. Solofnenko { http://www.inventigo.com/ } Inventigo LLC Pleasant Hill, CA (GMT-8 usually)

------------------------------------------------- This mail sent through IMP: https://mail.inventigo.com/horde/imp/

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

Hi, just my 2 cents: Have you ever heard of Proxies ? Maybe Socks-Proxies ? There are lots of proxies out in the net which DO NOT protocol accesses or usage at all. So if someone is using such a proxy the under normal circumstances it would mean a lot of work to trace it back to him. When using a proxy you don't have to worry about sniffing packages because they come right back to you. Or should I be wrong ? Stephan -----Ursprüngliche Nachricht----- Von: Steffen Dettmer [mailto:steffen@dett.de] Gesendet: Freitag, 4. Januar 2002 22:58 An: suse-security@suse.de Betreff: Re: [suse-security] Somebody has tried to break in. What to do with him? Hi *! At first, I think the subject is wrong. I don't think that somebody really tried to break in; I would guess some scanner tool, and I cannot imagine that the http://../../etc/shadow attack has large chances for success... * Kurt Seifried wrote on Fri, Jan 04, 2002 at 14:20 -0700:

this is why shitty tcp-ip stacks (with guessable sequences/etc) are a problem.

This cannot be easily used, i.e. not by script kiddies, since you need to sniff the answer packets (at least in scans; in exploit not neccesarily if you guess the seqs). Those answer packets get routed to the faked IP and so you'd need control over a router in between...

Plus let's say I have two boxes, I spoof connection from A (make it appear from B),

Well, then you have either to guess seq no, which is in case of linux not trivial or to sniff the answer packets. Usually you have to do something to prevent B from sendet RST. So it's not that easy...

if someone complains about B I go "I didn't do it, here, I can proove it, my isp now monitors that stuff outgoing!". Or let's say you have access to a bunch of computers on a hub network (sound familiar?) I can just spoof one of the other IP's, or using dsniff hijack arp/ip's/etc.

Well, in the same subnet it's not a problem. Maybe you can fake a switch with ARP fakes, but it's more hard to spoof a router. In contrast to UDP (which is happily used by windows :-) SCNR) it's not trivial to spoof it.

TCP-IP doesn't even think about security.

Well, it's a networking protocol :) [...full quote cut...] Have a nice weekend, dear list. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel. -- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

* Kurt Seifried wrote on Fri, Jan 04, 2002 at 15:35 -0700:

...

This cannot be easily used, i.e. not by script kiddies, since you need to sniff the answer packets (at least in scans; in exploit not neccesarily if you guess the seqs). Those answer packets get routed to the faked IP and so you'd need control over a router in between...

no. you simply need a single box anywhere near the path that either directly sees the packets,

Well, I don't think that Script "The Kid" Averadge has access to such a box.

or can arp poison/etc to see them.

If that's possible. It's not possible behind ISDN or DSL lines, since they don't use ARP and I hope that most routers won't be so silly to accept ARP "reply" packets on the "wrong" interface; by that, you shouldn't be able ot modify it's routing decision. I would assume that most TCP scans with connect don't do any address spoofing; and I think that's not even neccesary, since most ISPs won't care about such issues...

Or an end host that will accept them (like someone's hacked home machine on adsl).

:) But in that case there is no address spoof taking place at all.

...

Well, then you have either to guess seq no, which is in case of linux not trivial or to sniff the answer packets. Usually you have to do something to prevent B from sendet RST. So it's not that easy...

I control B. end of story there =).

Yep, you control, not spoof :-)

You need to go take a look at dsniff, very user friendly.

IIRC I tried it, or some other tool, but it worked in the local subnet only. But I'm not sure here.

...

Well, it's a networking protocol :)

And that is the wrong attitude (why we are in this mess right now =).

Again I don't think so. You can use more secure protocols on IP like IPSec or use more secure protocols no top of TCP like SSL/TLS. Finally, applications may secure the traffic, which is the only way to have some kind of endpoint-endpoint security. I think after all security in general is not that bad, with some efford you can have servers online without beeing hacked :) And finally, we make our money with it :-). oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.