Darksat IT Security Forums
March 28, 2024, 04:14:02 am
  Show Posts
1  General / Gaming / Re: WoW Private Servers on: December 06, 2007, 05:41:54 pm
Haven't tried any.  I've seen some fun videos of people playing god on their own server. 

I'd actually start playing my own MUD again before playing a private WoW one, though.
2  Hardware, Software and Security / IT Security Forum / Re: Comcast packet spoofing on: December 06, 2007, 03:59:42 pm
Ok, I got 'em.  Here's me trying to do a simple wget from my server at work, and what I see on a packet sniffer on both ends.  On my work machine, I see 4 requests, then a reset, then my requests start retrying.

On my server, I only see the requests.  I'm sending responses that never get to my work computer..  Here are the packets going back and forth...to port 80, mind you.  Now, I'm using Wireshark at work (gui) and snort at home (console), so that is why the formatting is different.  But you can see not only the ID's, but the ports & sizes match when they hook up.

You can also see...the request gets through, my server sends a response which never arrives.  Then, after a few more tries and a pause, a mysterious reset packet shows up.  For completeness, a packet is shown after.

Code:
work:
388
2007-12-06 15:30:50.050948
YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX
TCP 33028 > http [SYN] Seq=0 Len=0 MSS=1460 TSV=97922341 TSER=0 WS=6

server:
12/06-15:30:50.062572 0:D:72:1E:10:F9 -> 0:1:3:69:44:AF type:0x800 len:0x4A
YYY.YYY.YYY.YYY:33028 -> XXX.XXX.XXX.XXX:80 TCP TTL:53 TOS:0x0 ID:23969 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF7467084  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1452 SackOK TS: 97922341 0 NOP WS: 6

12/06-15:30:50.062600 0:1:3:69:44:AF -> 0:D:72:1E:10:F9 type:0x800 len:0x4A
XXX.XXX.XXX.XXX:80 -> YYY.YYY.YYY.YYY:33028 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xE32982FD  Ack: 0xF7467085  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4071114589 97922341 NOP
TCP Options => WS: 7

work:
no such packet

------------

work:
900
2007-12-06 15:31:20.044749
XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
TCP http > 33028 [RST] Seq=0 Len=0

home server:
no such packet

------------

work:
1131
2007-12-06 15:31:35.050804
YYY.YYY.YYY.YYY XXX.XXX.XXX.XXX
TCP 33028 > http [SYN] Seq=0 Len=0 MSS=1460 TSV=97967341 TSER=0 WS=6

home server:
12/06-15:31:35.060509 0:D:72:1E:10:F9 -> 0:1:3:69:44:AF type:0x800 len:0x4A
YYY.YYY.YYY.YYY:33028 -> XXX.XXX.XXX.XXX:80 TCP TTL:53 TOS:0x0 ID:23973 IpLen:20 DgmLen:60 DF
******S* Seq: 0xF7467084  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (5) => MSS: 1452 SackOK TS: 97967341 0 NOP WS: 6

12/06-15:31:35.060540 0:1:3:69:44:AF -> 0:D:72:1E:10:F9 type:0x800 len:0x4A
XXX.XXX.XXX.XXX:80 -> YYY.YYY.YYY.YYY:33028 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0x5D3FB13D  Ack: 0xF7467085  Win: 0x16A0  TcpLen: 40
TCP Options (5) => MSS: 1460 SackOK TS: 4071159587 97967341 NOP
TCP Options => WS: 7

work:
no such packet

Now, up to this point, allegations have been that Comcast is sending resets on p2p traffic.  However, I'm seeing this on ALL requests to my server now...web, mail, you name it.  It's like they've blocked me for no good reason.
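Added example, not the poster's code: a script that automates the two-sided comparison done by hand above. It matches packets between the work-side and home-side captures by flow, flags and IP ID, then reports resets the server never sent and replies the client never received. The packet records are constructed from the dumps above; the client-side IP ID and TTL of the reset, and the TTL comparison itself, are assumptions, since the Wireshark summary lines do not show those fields.

```python
# Added example, not code from the post: correlate captures taken at both ends
# of a connection (as the post does by hand) to flag resets only one end saw.
# Packets are constructed from the dumps above; client-side ip_id and ttl are
# assumptions, since the Wireshark summary lines do not show them.
from collections import defaultdict

SERVER, CLIENT = "XXX.XXX.XXX.XXX", "YYY.YYY.YYY.YYY"

def pkt(t, src, dst, sport, dport, flags, ip_id, ttl):
    return dict(t=t, src=src, dst=dst, sport=sport, dport=dport,
                flags=flags, ip_id=ip_id, ttl=ttl)

# Work-side capture: SYNs go out, a RST comes back, the SYN/ACKs never arrive.
CLIENT_CAP = [pkt(0.050, CLIENT, SERVER, 33028, 80, "S", 23969, 64),
              pkt(29.994, SERVER, CLIENT, 80, 33028, "R", 0, 60),
              pkt(45.050, CLIENT, SERVER, 33028, 80, "S", 23973, 64)]
# Home-side capture: every SYN is answered and no RST is ever sent.
SERVER_CAP = [pkt(0.062, CLIENT, SERVER, 33028, 80, "S", 23969, 53),
              pkt(0.062, SERVER, CLIENT, 80, 33028, "SA", 0, 64),
              pkt(45.060, CLIENT, SERVER, 33028, 80, "S", 23973, 53),
              pkt(45.060, SERVER, CLIENT, 80, 33028, "SA", 0, 64)]

def flow_key(p):
    return (p["src"], p["dst"], p["sport"], p["dport"])

def find_match(p, other_cap, window=2.0):
    """Same flow, flags and IP ID within `window` seconds on the other capture."""
    for q in other_cap:
        if (flow_key(q) == flow_key(p) and q["flags"] == p["flags"]
                and q["ip_id"] == p["ip_id"] and abs(q["t"] - p["t"]) <= window):
            return q
    return None

def analyze(client_cap, server_cap):
    """Return RSTs the server never sent and replies the client never got."""
    # TTLs at which genuine (non-RST) packets from each host reach the client;
    # a RST forged by a middlebox usually arrives with a different TTL.
    ttl_seen = defaultdict(set)
    for p in client_cap:
        if "R" not in p["flags"]:
            ttl_seen[p["src"]].add(p["ttl"])
    injected = []
    for p in client_cap:
        if "R" in p["flags"] and find_match(p, server_cap) is None:
            note = "seen only at client"
            if ttl_seen[p["src"]] and p["ttl"] not in ttl_seen[p["src"]]:
                note += ", TTL %d unlike %s" % (p["ttl"], sorted(ttl_seen[p["src"]]))
            injected.append((p["t"], note))
    lost = [q["t"] for q in server_cap
            if q["src"] == SERVER and find_match(q, client_cap) is None]
    return {"injected_rst": injected, "lost_responses": lost}
```

In this sample no genuine server packet ever reaches the client, so only the correlation fires; once a real reply has been seen, the TTL note adds a second, independent signal.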
3  Hardware, Software and Security / IT Security Forum / Comcast packet spoofing on: December 06, 2007, 12:01:14 pm
Ok, so check this one out.  I started at a new job this week.  They use Comcast & a cable modem for their connection.  As I've mentioned before, I run my own box.  So, this morning, I'm ssh'ed in, when I notice that I can't get to my webmail.  Seems strange, but I figure maybe it's my server.  I IM a few people, and everyone can hit my web server just fine.  They can hit everything else just fine.

Me, however, different story.  Mail, web, even a new SSH connection: nopers.  Nada.  Everything just times out.

So, I fire up Wireshark and see what's happening.  Well, well...I'm getting reset packets.  Now, I have to see if I can run a command line version of Wireshark on the other end, but it looks like *all* traffic to my IP is being blocked by Comcast with their reset mode.  Now, I'm not running P2P thru them.  The only thing I can figure is that either a) by ssh'ing I triggered something, or b) they're trolling for P2P packets, because I've been sharing Fedora since it launched last month.

Any thoughts on other ways to prove that they're in fact blocking by IP as opposed to just certain traffic?
4  General / General / Support / Re: Weird request in my server log on: November 27, 2007, 11:28:33 pm
I'm running OSSEC, which is how I found out about the probes in the first place.  It's got logging, checksum'ing, the works.  It seems like it's very similar to Tripwire.  I'll check if I can run both.

The bigger thing that bothers me is that this seems to be a common Apache config on Fedora (at least).  I'm trying to suss out how the vulnerability got there.  The timing of the attack (day after Thanksgiving) coupled with the frequency (once every 25 minutes) shows that whoever did this is patient, clever, and trying their hardest not to be seen.  Not the usual behaviors for spammers.  Also, since you have to hack Apache to see what data was being sent with a POST, I have no idea what was being sent.

I'm sufficiently protected on the Apache side now, but I'm going to look into more sophisticated log analysis.  All my other ports are (and have been) secure.  If I hadn't been paranoid up to this point, I'd never have seen it.

I'll keep trying to poke at Apache/Fedora folk to find out why a blind POST to the webroot would allow this.  It's not like they were using a php/cgi that was lying around.  This is a default capability in Apache that seems to be enabled quite a bit.
5  General / General / Support / Re: Weird request in my server log on: November 26, 2007, 11:16:21 am
It stopped on Saturday some time after I finally shut its opening down.  Here's what was happening.

Apparently, there's a semi-known vulnerability in that apache, configured a certain way, will allow blind CONNECT and POST requests to the root of the server.  What happens then is that the request will basically use POST as a de facto relay for spam.   After looking into it more and more, I began checking my web logs.  I started to see things like this:

Code:
199.8.89.120 - - [23/Nov/2007:21:33:11 -0600] "POST http://lti-mail01.ltinetworks.com:25/ HTTP/1.0" 400 317
199.8.89.120 - - [23/Nov/2007:21:33:11 -0600] "CONNECT http://lti-mail01.ltinetworks.com:25 HTTP/1.0" 400 305

Those two were of a reject (you can tell by the 400 after).  The two numbers after the request are 1) the return code, and 2) the bytes transferred.  So, these were the last failed attempts.  From what I can gather, I relayed about 23 spam between Nov 1 (one of the first probes) and Friday when the attack started in earnest.  Most of them were on Friday before I figured out what was happening.

The spurious GET requests that led me to this were the bot looking for a web connection to try.  Since Ruby and other new servers are running on higher ports (I believe Ruby's default is 5000), the bots scan the higher ports looking for any webservers.  They fire off a GET.  If they get a response, they try the POST/CONNECT pair with the open mail relay (notice the request for port 25).

It's a NASTY exploit, because apache doesn't log the data in the POST usually, just the size.  And because POST is such a common request, unless you're watching your web logs with a fine toothed comb, you're not going to see the request coming in about every 25 minutes.  It's going to get hidden in the normal web log traffic.  The only reason I saw it was that they hit my SSH port, which was ABOVE port 80 (not normal at all).  If I hadn't seen it, I'd never have found this.  That original request I got was a probe, and they forwarded a message.  After I filtered through, I was added to the relay list, and the traffic started in full the day after Thanksgiving.

I verified this by telnet'ing into my server and manually adding a POST.  It happily sat there waiting for more data.  That's when I started looking into how to block it.  Anyway, I shut down the server, blocked some POST requests, and installed mod_security.  Not sure which did it, but after that, the POST requests were returning 400 instead of 200.  The bot kept trying for about 4 more hours (and came from 67.53.100.90 a few times, too...system is still up with ports open...rr.com DSL customer, I think), but finally gave up.  I haven't seen a peep since.

Funny thing...nothing changed on my server.  If this has been a vulnerability, I've had it for YEARS.  I dunno if it's a default install from Fedora or what.  I'm going to keep looking into what really causes it and see who I might let know about it.
6  General / General / Support / Re: Weird request in my server log on: November 23, 2007, 12:15:26 pm
Wow, it's really banging on my door.  I added its IP to hosts.deny after it kept trying, but that doesn't seem to be dissuading it.  I think there's NO coincidence to the fact that it's using a university machine over the Thanksgiving holiday here in the states.

  • Nov 23 07:52:12
  • Nov 23 08:17:54
  • Nov 23 08:44:44
  • Nov 23 09:09:52
  • Nov 23 09:33:42
  • Nov 23 09:56:53
  • Nov 23 10:19:43 *
  • Nov 23 10:43:25 *
  • Nov 23 11:06:58 *
  • Nov 23 11:30:23 *
  • Nov 23 11:52:29 *

* - connection blocked from hosts.deny

Stats so far:
# connection attempts: 11
Avg between attempts: 23:59
Min between attempts: 22:06
Max between attempts: 26:50
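Added example, not the poster's code, serving both the relay log lines in the November 26 post and the hand-tallied timing stats above: it parses Apache access-log lines in that format, flags forward-proxy probes (a CONNECT method or an absolute URL in the request line), separates relays the server accepted (2xx) from rejected ones (4xx), and computes the average/min/max gap between probes per source IP. The log lines are constructed with placeholder addresses and hostnames.

```python
# Added example, not code from the post: flag forward-proxy probes in Apache
# access-log lines and compute the cadence stats the post tallies by hand.
# Sample lines are constructed in the post's format with placeholder hosts.
import re
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)')
ABSOLUTE_URL = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def parse(line):
    """Common/combined log line -> dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return d

def is_proxy_probe(req):
    """CONNECT, or a target naming another host, only makes sense to a
    forward proxy; an origin server should answer it with 4xx, never 200."""
    return req["method"] == "CONNECT" or ABSOLUTE_URL.match(req["target"]) is not None

def cadence(times):
    """(avg, min, max) gap in seconds between consecutive timestamps."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return (sum(gaps) / len(gaps), min(gaps), max(gaps)) if gaps else None

def mmss(seconds):
    return "%d:%02d" % divmod(int(round(seconds)), 60)

def scan(lines):
    """Per source IP: probe count, how many the server actually relayed (2xx,
    the case the post describes before the fix) and the gap stats."""
    by_ip = {}
    for r in map(parse, lines):
        if r and is_proxy_probe(r):
            by_ip.setdefault(r["ip"], []).append(r)
    return {ip: {"probes": len(rs),
                 "relayed": sum(r["status"].startswith("2") for r in rs),
                 "cadence": cadence(r["ts"] for r in rs)} for ip, rs in by_ip.items()}

SAMPLE = [  # constructed; timestamps follow the hand-tallied list above
    '203.0.113.7 - - [23/Nov/2007:07:52:12 -0600] "POST http://mail.example.net:25/ HTTP/1.0" 200 0',
    '198.51.100.4 - - [23/Nov/2007:08:01:03 -0600] "GET /index.html HTTP/1.1" 200 3456',
    '203.0.113.7 - - [23/Nov/2007:08:17:54 -0600] "CONNECT mail.example.net:25 HTTP/1.0" 200 0',
    '203.0.113.7 - - [23/Nov/2007:08:44:44 -0600] "POST http://mail.example.net:25/ HTTP/1.0" 400 317',
]
```

Any non-empty "relayed" count means the server was an open relay for that period; a steady cadence of roughly 25 minutes from one address is the bot pattern the post describes, and is easy to miss in raw POST volume without this kind of filter.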
7  General / Gaming / Re: Uplink on: November 23, 2007, 09:03:47 am
Yeah, definitely not realistic, but it has that "gee, it's what Hollywood sees hacking as" feel.  The timer does give you a great rush.
8  General / General / Support / Re: Weird request in my server log on: November 23, 2007, 09:02:04 am
Got another one.  Three hits so far this morning, one at 7:52, one at 8:18, and one at 8:45.
Code:
Nov 23 08:44:44 redking sshd[17649]: Bad protocol version identification 'GET
http://www.microsoft.com/ HTTP/1.0' from 199.8.89.120

Nmap results:
Code:
Interesting ports on esther.huntington.edu (199.8.89.120):
25/tcp  open   smtp
53/tcp  open   domain  ISC Bind 8.4.4
80/tcp  open   http    Microsoft IIS webserver 6.0
443/tcp closed https

Web is passworded.  SMTP doesn't appear to accept standard commands.  Entering HELP or HELO gets me "503 Not Implement."  Then it disconnects.  Server appears to be secure other than whatever port scanning it is doing.  Since this one appears to be a secure university IIS machine, I'm not sure what's going on anymore.  I could see Chinese students aiming for the low hanging fruit of underutilized DNS machines, but this machine seems like it'd be more of a tough nut to crack.

After some more Googling, I've seen people trying to use a web request as a buffer overflow to get an SSH, but since I don't see why anyone would think I'd be running ssh on that port, I'm not sure that makes sense.  The other possibility is that this is some bot network, and once it found my port running ssh, it passed my IP/port on to the botnet, and now I'm going to be getting probed from all over.  If I see more machines start knocking, it may be time to shift ports.
9  General / Gaming / Uplink on: November 20, 2007, 10:47:38 am
It's old, but a) seeing as it's the spiritual successor to Activision's Hacker, and b) it runs on Linux, I figured it was worth a post.

Check out Uplink.  I've wasted more than a few nights playing.
10  General / General / Support / Re: Weird request in my server log on: November 19, 2007, 04:14:26 pm
You're right...most standard hacks hit the normal ports.  If they're attacking the web, you see it on port 80.  If they're attacking SSH, it's 22.  This is the first time I've seen anything other than an SSH request on that port.

That's what I don't get.  It seems like it would take too much time to comb all of those higher non-standard ports.  So, that leads me to believe a) it was a mistake in their code, b) it was a mistake in their data (like my IP was a typo or something), or c) something else nonstandard runs on that port.  I guess c is most likely...it's probably just luck, and they tried my machine to see if something was running there.  If it was a common thing, I'd expect to have seen more GET's on that port, so it's probably something custom and I just came up on a warprobe or something.
11  General / General / Support / Re: Username being used more and more on: November 19, 2007, 03:44:52 pm
Try thinking of one that's 7 letters...then you can see if it's available for your cell phone #/
12  General / General / Support / Re: What are you listening to now? on: November 19, 2007, 02:53:37 pm
Toes in the Sand on Proton right now.  Switching jobs in just over a week, so all my MP3's have been scrubbed from work computer.  It's 'net radio for me until the next place.
13  General / General / Support / Re: Weird request in my server log on: November 19, 2007, 02:45:14 pm
Just curious but was it the fact they were trying to get through an SSH tunnel they could not get access?

Yeah, that was a red flag.  I run my own server for giggles.  Nothing serious.  But I had a TON of brute force hack attempts on my server.  We even got hacked a few times at work (we're small, I help out doing sysadmin there as well) because of brute force attacks & a weak password.

Anyway, so one of the countermeasures I took was to move my SSH port WAY up into the nonstandard port range.  Since I've done that, my hack attempts (at least those...I still get a lot of web overflow attempts) have dropped off to almost 0.  I'd say I'm lucky if I get 3 unknown connections a year now.

So, the fact that a) it was a GET request on something nowhere NEAR a standard web port raised flag #1, and b) the fact that it was for www.google.com raised flag #2.

Oh, and this showed up on Slashdot today.  Made me wonder if it was something like this.

http://slashdot.org/article.pl?sid=07/11/18/1824230

14  General / General / Support / Re: Weird request in my server log on: November 15, 2007, 09:17:40 am
Well, if it's something that altruistic, there's no way I'm gonna do anything more.  Still confused as to how a web request got routed to a semi-random port on my machine.  Perhaps their tunneling software isn't quite beta.

Either way, that's interesting to think about.  Have you actually seen such exploits in the wild?
15  General / General / Support / Re: Username being used more and more on: November 14, 2007, 03:24:17 pm
Wow.  Neo is popular?  Next you're going to say that it's hard to get usernames like "Count Zero" and "Crash Override."

Hey, I've been using Flynn since 1985 on BBS's and such, and I had to change because there were a zillion of them.  Come up with something unique...it's easier that way.