Somebody has tried to break in. What to do with him?
Hello,

look at the log. Is there a way to report on that guy?

- Alexey.

139.130.148.203 - - [03/Jan/2002:11:45:17 -0800] "HEAD /....../etc/hosts HTTP/1.1" 404 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:45:16 -0800] "HEAD /../../../../etc/hosts HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:36:02 -0800] "HEAD /cgi-bin/shop.cgi/page=../../../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:22 -0800] "HEAD /../../passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:19 -0800] "HEAD /../../passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:16 -0800] "HEAD /../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:13 -0800] "HEAD /../../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:10 -0800] "HEAD /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"

{ http://trelony.cjb.net/ } Alexey N. Solofnenko
{ http://www.inventigo.com/ } Inventigo LLC
Pleasant Hill, CA (GMT-8 usually)

-------------------------------------------------
This mail sent through IMP: https://mail.inventigo.com/horde/imp/
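Before deciding whom to report to, it helps to establish what the log actually shows: a burst of directory-traversal probes from one address, all of which the server answered with 400 or 404. The script below is an added example for this thread, not code posted by any participant. It parses Apache combined-format lines like the ones above, flags request paths that look like traversal probes (including the percent-encoded and repeated-dot variants), groups them by source address and records whether any probe was answered with a 2xx status, which is the case that would actually need attention. The input is the eight lines from the message above plus one constructed benign request from a different address; the reporting threshold and the list of sensitive target files are assumptions of the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Apache/NCSA "combined" format, the layout of the lines in the post above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Files a traversal probe usually aims at. This list is an assumption of the example.
SENSITIVE_TARGETS = ("/etc/passwd", "/etc/shadow", "/etc/hosts")

# The eight lines from the original message, plus one constructed benign request
# from a different address so the filter has something to leave alone.
SAMPLE_LOG = """\
139.130.148.203 - - [03/Jan/2002:11:45:17 -0800] "HEAD /....../etc/hosts HTTP/1.1" 404 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:45:16 -0800] "HEAD /../../../../etc/hosts HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:36:02 -0800] "HEAD /cgi-bin/shop.cgi/page=../../../../etc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:22 -0800] "HEAD /../../passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:19 -0800] "HEAD /../../passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:16 -0800] "HEAD /../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:13 -0800] "HEAD /../../../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
139.130.148.203 - - [03/Jan/2002:11:30:10 -0800] "HEAD /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Jan/2002:12:00:00 -0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one combined-format line into fields; return None for lines that
    do not match (truncated records, multi-line garbage)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_traversal(path):
    """True if the request path looks like a directory-traversal probe.

    Percent-encoding is decoded twice so %2e%2e/ and %252e%252e/ are caught,
    the bare ../ and ..\\ forms are matched, a run of three or more dots before
    a slash (the /....../etc/hosts variant in the log) is matched, and a direct
    reference to a sensitive file is flagged even without dot segments."""
    decoded = unquote(unquote(path))
    if "../" in decoded or "..\\" in decoded:
        return True
    if re.search(r"\.{3,}/", decoded):
        return True
    return any(target in decoded for target in SENSITIVE_TARGETS)


def summarize_probes(lines, threshold=3):
    """Group traversal probes per source IP. Returns {ip: summary} for every
    address with at least `threshold` probes (the default is an assumption).
    'succeeded' lists probes answered with a 2xx status; 4xx answers mean the
    server refused them, which is what the log above shows."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_traversal(rec["path"]):
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        if len(recs) < threshold:
            continue
        recs.sort(key=lambda r: r["ts"])
        report[ip] = {
            "count": len(recs),
            "first": recs[0]["ts"],
            "last": recs[-1]["ts"],
            "paths": [r["path"] for r in recs],
            "succeeded": [r["path"] for r in recs if 200 <= r["status"] < 300],
        }
    return report


if __name__ == "__main__":
    for ip, s in summarize_probes(SAMPLE_LOG.splitlines()).items():
        span = s["last"] - s["first"]
        print(f"{ip}: {s['count']} traversal probes within {span}, "
              f"{len(s['succeeded'])} answered 2xx")
        for p in s["paths"]:
            print("   ", p)
```

Run against the sample, it reports one address with eight probes spread over about fifteen minutes and none answered with 2xx, so the abuse report can state precisely what was attempted and that nothing was served.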
On Fri, Jan 04, 2002 at 09:12:20AM -0800, alexeys@inventigo.com wrote:
> Hello,
> look at the log. Is there a way to report on that guy?
> - Alexey.
> 139.130.148.203 - - [03/Jan/2002:11:45:17 -0800] "HEAD /....../etc/hosts HTTP/1.1" 404 0 "-" "Mozilla/5.0"
dsmith@holly:~ > whois 139.130.148.203
Telstra Corporation Limited (NET-TELSTRA-AU)
   Locked Bag 5744
   Canberra, ACT 2601
   AU

   Netname: TELSTRA-AU
   Netblock: 139.130.0.0 - 139.130.255.255

   Coordinator:
      Huston, Geoff  (GH105-ARIN)  gih@telstra.net
      +61 2 6208 1908 (FAX) +61 2 6248 6165

   Domain System inverse mapping provided by:

   NS.TELSTRA.NET               203.50.0.137
   NS1.TELSTRA.NET              139.130.4.5

telstra.net appears to be an Australian ISP. Try abuse@...
You may have a full-time job in the future doing just reporting!
It's somewhat likely that anyone scanning like that would forge the IP address...

douglas

alexeys@inventigo.com wrote:
> [...full quote cut...]
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Actually most scans are no longer forged, the level of "noise" from script
kiddies/etc is amazing, you get broadband at home, you too can be a 'leet
uber-cracker and scan a million hosts in <1 hour. Reporting rarely works,
although if more people reported it might, something I am working on.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
----- Original Message -----
From: "Douglas Trainor"
> You may have a full-time job in the future doing just reporting!
> It's somewhat likely that anyone scanning like that would forge the IP address...
>
> douglas
>
> alexeys@inventigo.com wrote:
> > [...full quote cut...]
I did not know that it is possible to forge an IP address in stream connections - it is required for the handshake.

- Alexey.

{ http://trelony.cjb.net/ } Alexey N. Solofnenko
{ http://www.inventigo.com/ } Inventigo LLC
Pleasant Hill, CA (GMT-8 usually)
this is why shitty tcp-ip stacks (with guessable sequences/etc) are a
problem. Plus let's say I have two boxes, I spoof connection from A (make it
appear from B), if someone complains about B I go "I didn't do it, here, I
can prove it, my isp now monitors that stuff outgoing!". Or let's say you
have access to a bunch of computers on a hub network (sound familiar?) I can
just spoof one of the other IP's, or using dsniff hijack arp/ip's/etc.
TCP-IP doesn't even think about security.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF
AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
----- Original Message -----
From:
> [...full quote cut...]
Hi *!

At first, I think the subject is wrong. I don't think that somebody really tried to break in; I would guess some scanner tool, and I cannot imagine that the http://../../etc/shadow attack has large chances for success...

* Kurt Seifried wrote on Fri, Jan 04, 2002 at 14:20 -0700:
> this is why shitty tcp-ip stacks (with guessable sequences/etc) are a problem.

This cannot be easily used, i.e. not by script kiddies, since you need to sniff the answer packets (at least in scans; in exploit not necessarily if you guess the seqs). Those answer packets get routed to the faked IP and so you'd need control over a router in between...

> Plus let's say I have two boxes, I spoof connection from A (make it appear from B),

Well, then you have either to guess seq no, which is in case of linux not trivial or to sniff the answer packets. Usually you have to do something to prevent B from sending RST. So it's not that easy...

> if someone complains about B I go "I didn't do it, here, I can prove it, my isp now monitors that stuff outgoing!". Or let's say you have access to a bunch of computers on a hub network (sound familiar?) I can just spoof one of the other IP's, or using dsniff hijack arp/ip's/etc.

Well, in the same subnet it's not a problem. Maybe you can fake a switch with ARP fakes, but it's harder to spoof a router. In contrast to UDP (which is happily used by windows :-) SCNR) it's not trivial to spoof it.

> TCP-IP doesn't even think about security.

Well, it's a networking protocol :)

[...full quote cut...]

Have a nice weekend, dear list.

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
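Steffen's two conditions above, that a blind spoofer has to see or predict the server's initial sequence number and has to stop the real owner of the spoofed address from answering with a RST, can be made concrete with a small in-memory model of the three-way handshake. The following is an added example for this thread, not code from any participant: it sends no packets, the "old-style" generator's fixed step of 64000 per connection is an illustrative assumption, and the random generator stands in for what current stacks do (RFC 6528 style). It counts how many spoofed handshakes reach the established state under each scheme, which is the quantity the argument turns on.

```python
import secrets

MOD = 2 ** 32
ISN_STEP = 64000   # per-connection increment of an old-style ISN generator (illustrative value)


class ToyTcpServer:
    """In-memory model of the server side of the TCP three-way handshake, reduced
    to the two facts the thread argues about: how the server picks its initial
    sequence number (ISN) and that the third segment must acknowledge ISN + 1.
    Constructed for this example; it sends no packets."""

    def __init__(self, random_isn=True):
        self.random_isn = random_isn
        self._last_isn = 0
        self.half_open = {}     # (claimed_ip, port) -> our ISN, waiting for the final ACK
        self.established = []   # peers whose handshake completed

    def _choose_isn(self):
        if self.random_isn:
            return secrets.randbelow(MOD)                       # unpredictable (RFC 6528 style)
        self._last_isn = (self._last_isn + ISN_STEP) % MOD      # predictable, fixed step
        return self._last_isn

    def syn(self, src):
        """A SYN claiming to come from `src`: remember the half-open connection and
        return the SYN-ACK. On a real network that reply is routed to the claimed
        address, whether or not that host actually sent the SYN."""
        isn = self._choose_isn()
        self.half_open[src] = isn
        return {"to": src, "seq": isn}

    def rst(self, src):
        """The real owner of `src` received a SYN-ACK it never asked for and answered
        with RST; the server drops the half-open connection."""
        self.half_open.pop(src, None)

    def ack(self, src, ack_number):
        """Third segment: completes only if it acknowledges our ISN + 1."""
        isn = self.half_open.get(src)
        if isn is None or ack_number != (isn + 1) % MOD:
            return False
        del self.half_open[src]
        self.established.append(src)
        return True


def blind_spoof_trials(server, trials, victim_b_silenced):
    """Model of the situation Steffen describes: a host A sends SYNs that claim to
    be B. The SYN-ACKs go to B, so A never sees the server's ISN and has to predict
    it. The strategy modelled is to open one legitimate connection from A first,
    read the ISN the server chose for it, and extrapolate by ISN_STEP. Returns how
    many of `trials` spoofed handshakes reached the established state."""
    wins = 0
    for i in range(trials):
        a = ("A", 1000 + i)
        b = ("B", 2000 + i)
        learned = server.syn(a)["seq"]          # addressed to A, so A sees it
        server.ack(a, (learned + 1) % MOD)      # ordinary handshake completes
        server.syn(b)                           # spoofed SYN; the reply goes to B, unseen by A
        if not victim_b_silenced:
            server.rst(b)                       # B is up and sent no SYN: it resets
        guess = (learned + ISN_STEP) % MOD      # correct only for the fixed-step generator
        if server.ack(b, (guess + 1) % MOD):
            wins += 1
    return wins


if __name__ == "__main__":
    scenarios = [
        ("fixed-step ISN, B silenced", ToyTcpServer(random_isn=False), True),
        ("fixed-step ISN, B answers RST", ToyTcpServer(random_isn=False), False),
        ("random ISN, B silenced", ToyTcpServer(random_isn=True), True),
    ]
    for label, srv, silenced in scenarios:
        done = blind_spoof_trials(srv, 100, silenced)
        print(f"{label}: {done}/100 spoofed handshakes completed")
```

With the fixed-step generator and a silent B every trial completes; as soon as B is up and resets, or the server randomizes its ISN, the count drops to zero. That is the whole reason sequence-number randomization became standard, and why a connect()-based scan such as the one in Alexey's log is far more likely to carry the scanner's real address than a spoofed one.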
Hi,

just my 2 cents: Have you ever heard of proxies? Maybe SOCKS proxies? There are lots of proxies out in the net which DO NOT log accesses or usage at all. So if someone is using such a proxy, then under normal circumstances it would mean a lot of work to trace it back to him. When using a proxy you don't have to worry about sniffing packets because they come right back to you.

Or should I be wrong?

Stephan

-----Original Message-----
From: Steffen Dettmer [mailto:steffen@dett.de]
Sent: Friday, 4 January 2002 22:58
To: suse-security@suse.de
Subject: Re: [suse-security] Somebody has tried to break in. What to do with him?

> [...full quote cut...]
> This cannot be easily used, i.e. not by script kiddies, since you need to sniff the answer packets (at least in scans; in exploit not necessarily if you guess the seqs). Those answer packets get routed to the faked IP and so you'd need control over a router in between...

no. you simply need a single box anywhere near the path that either directly sees the packets, or can arp poison/etc to see them. Or an end host that will accept them (like someone's hacked home machine on adsl).

> Well, then you have either to guess seq no, which is in case of linux not trivial or to sniff the answer packets. Usually you have to do something to prevent B from sending RST. So it's not that easy...

I control B. end of story there =).

> Well, in the same subnet it's not a problem. Maybe you can fake a switch with ARP fakes, but it's harder to spoof a router. In contrast to UDP (which is happily used by windows :-) SCNR) it's not trivial to spoof it.

You need to go take a look at dsniff, very user friendly.

> Well, it's a networking protocol :)

And that is the wrong attitude (why we are in this mess right now =).

> Steffen

-Kurt
* Kurt Seifried wrote on Fri, Jan 04, 2002 at 15:35 -0700:
> > This cannot be easily used, i.e. not by script kiddies, since you need to sniff the answer packets (at least in scans; in exploit not necessarily if you guess the seqs). Those answer packets get routed to the faked IP and so you'd need control over a router in between...
>
> no. you simply need a single box anywhere near the path that either directly sees the packets,

Well, I don't think that Script "The Kid" Average has access to such a box.

> or can arp poison/etc to see them.

If that's possible. It's not possible behind ISDN or DSL lines, since they don't use ARP, and I hope that most routers won't be so silly as to accept ARP "reply" packets on the "wrong" interface; by that, you shouldn't be able to modify its routing decision. I would assume that most TCP scans with connect don't do any address spoofing; and I think that's not even necessary, since most ISPs won't care about such issues...

> Or an end host that will accept them (like someone's hacked home machine on adsl).

:) But in that case there is no address spoof taking place at all.

> > Well, then you have either to guess seq no, which is in case of linux not trivial or to sniff the answer packets. Usually you have to do something to prevent B from sending RST. So it's not that easy...
>
> I control B. end of story there =).

Yep, you control, not spoof :-)

> You need to go take a look at dsniff, very user friendly.

IIRC I tried it, or some other tool, but it worked in the local subnet only. But I'm not sure here.

> > Well, it's a networking protocol :)
>
> And that is the wrong attitude (why we are in this mess right now =).

Again I don't think so. You can use more secure protocols on IP like IPSec or use more secure protocols on top of TCP like SSL/TLS. Finally, applications may secure the traffic, which is the only way to have some kind of endpoint-to-endpoint security. I think after all security in general is not that bad; with some effort you can have servers online without being hacked :) And finally, we make our money with it :-).

oki,

Steffen

--
This message was generated by machine and therefore bears neither signature nor seal.
Thanks to everyone who responded to my question about changing the default umask for FTP! There are a lot of smart people on this list. Now I will be quiet and learn from what you say.

Thanks again!

Mike

---
Outgoing mail has been certified as virus free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.311 / Virus Database: 172 - Release Date: 12/27/2001
participants (7)
- alexeys@inventigo.com
- David Smith
- Douglas Trainor
- Kurt Seifried
- Mike H.
- OKDesign oHG Security Administrator
- Steffen Dettmer