Author Topic:   please
KONG
Member
posted January 27, 2002 11:29 AM            
This has nothing to do with TM, but it seems someone is adamant about trying to break into the computer that I am running my site on. I don't think it is anyone here, but if it doesn't stop soon I am going to contact their ISP with the info I have. It's been going on for days now.

And if that person is reading this, there is NOTHING on that machine except some web pages, so it's not worth the trouble.

[This message has been edited by KONG (edited January 27, 2002).]

Kevlar
Member
posted January 28, 2002 11:20 AM            
I have a couple of little utilities that might help you ID the person.

But first off, are you sure it's not Nimda/CodeRed? If your box is on the web you are getting hit all day, every day, by these. They attack Linux/Unix and Windows.

Check your web logs for blocks of code that look like the sample below. I just copied it from my web logs at work. I've removed any actual IP references, but today alone I have had 484 Nimda/CodeRed hits out of 691 hits on just one of the web servers. They came from 11 different IP addresses (11 infected computers).

This is what it looks like. Note: the sample below is several lines but one single attack, about 20 lines per attack. Notice the codes 404 (not found) and 500 (access denied). That's because I have the latest patches installed. If you ever see a code 200... you're infected!

You're thinking "I have a firewall so I'm OK." Wrong: a web server service creates a "peep-hole", so to speak, into your computer. Default port 80, bub, opened to all for unauthenticated inbound access or anonymous access.
http://www.tm-central.com/news/samplenimbda.txt

PS: I also have a utility to check your own IP to see if you are vulnerable to Nimda (a Nimda scanner and a CodeRed scanner).

------------------
TM-Central.com

guido 1
Member
posted January 28, 2002 07:11 PM         
Won't Black Ice Defender ID them??? Of course there are ways to surf anonymously. I don't, but a black hat would.

------------------
Trying is the first step towards failure ... Guido the mercy killer .

KONG
Member
posted January 28, 2002 07:54 PM            
Actually, I think the Code Red worm only infects NT running IIS. I have the IP and DNS information on the person. I also ran a trace so I know where they are (general area). I really would like to post it here, but it would probably be a bad idea. Just figured that maybe they would see it and get some smarts.

-DNX-Ni
Member
posted January 28, 2002 08:06 PM            
Actually, Black Ice is not a great firewall for protection... not alone!! It's good for detecting and preventing minor intrusions on your system, but for safety's sake, a fairly acceptable amount of good protection is 3 good firewalls!

The best way for someone to obtain your IP number is through browsing or communicating with someone using a messenger, especially ICQ.

There are good progs you can download which will help to trace the IP number, if you've caught it on your firewall, which will display the person's ISP and the address also.
Black Ice with ZoneAlarm is a good combo and, if you know where to look, both are free!

------------------
Feck it... Light Speed!!!!

-DNX-Ni
Member
posted January 28, 2002 08:10 PM            
BTW, Kong... Code Red affected NT and Windows 2000 as a conclusion to a few weeks' worth of Chinese hackers overloading Microsoft with massive amounts of traffic and leaving that virus dormant for 2 weeks!

What some people go to...!

------------------
Feck it... Light Speed!!!!

Kevlar
Member
posted January 28, 2002 09:28 PM            
Code Red does only ''infect'' NT-based systems. But Nimda crawls through open guest shares on all Windows versions and Unix. If you are running 9x or any non-NT-based system then make sure you have file and print sharing turned off. That's why I suggested the Nimda scanner. If I'm not mistaken, XP is NT-based.

But the point I was making is that it may only ''infect'' that system, but as it attempts to infect, it will show up as a hack attempt on *any* machine.

All I was showing above was that if the activity shows up as a scripted-type buffer overrun, then it may not be an individual trying to get in but an infected computer scanning IP addresses and trying each buffer overrun. But your firewall may not be set for detailed activity and it may only tell you someone attempted to get in at this address on this port.

So if that IS the case, a worm scan, then all you have is the IP and info on an infected machine. I have been there, and all you can do is notify them through their ARIN database web address (whois) that they are infected, or just block their IP address with a firewall rule. Then the next infected machine hits you, so after a while you just make sure your security vulnerabilities are patched. NT or not.

If it IS an individual trying to get in, send me the IP and more than likely I can give you more than just his domain. I am not a hacker by any means, but in my business I have to know what is being used against me.

You may be using a web server service that is not vulnerable to these worms, but that may be what's showing up in your logs or when your firewall goes off. A port attack is a port attack on any platform. We're all using the same type of protocols, just about, and that's the medium for the attack. It's not until after the scan is complete that the worm finds out if it's the right platform or not.

The only way to really stop that would be to get a firewall with stealth capability. And there is a way around that, but these mentioned worms don't get around it, yet. But it's only a matter of time.

[This message has been edited by Kevlar (edited January 28, 2002).]

KONG
Member
posted January 28, 2002 09:38 PM            
Yes, I hear ya. And I did have infected machines try to connect, but they were stopped (firewall can tell): Code Red, Sub Seven, whatever. Thanks for the info though. It seems very interesting that things have gotten quiet since my last post. Haven't gotten one attack since then.

Kevlar
Member
posted January 28, 2002 10:42 PM            
Kong, did your site get defaced or did you purposely put up a map thumbnail that says, "New Map DM Chigger.. IT STINKS!!!"?

Just wondering, it looked odd. http://kong.kicks-ass.org/

KONG
Member
posted January 28, 2002 10:44 PM            
No, I did it. And it does stink. LOL

Kevlar
Member
posted January 28, 2002 10:48 PM            
O... k...

Rex R
Member
posted January 29, 2002 03:05 AM            
Must be a new feature on some computers, smell-o-vision.

guido 1
Member
posted January 29, 2002 06:43 PM         
I tried Black Ice, but it was a 30-day trial, I think. I am using ZoneAlarm and it works well. BTW, on the last CD I got with Maximum PC is a program called Tweak-XP, which is for XP only and has some nice registry tweaks. I really like the interface.

------------------
Trying is the first step towards failure ... Guido the mercy killer .

The Weatherman
Member
posted January 29, 2002 06:51 PM         
I am the de facto administrator for my lab group and I have been trying to tighten up security. I have file and print shares on all of the machines, because we all share a printer and some files. I have ZoneAlarm running on all of them with the networked computers designated as "local", and the security setting at medium for local, high for internet. Am I safe? Ideas?

Kevlar
Member
posted January 29, 2002 10:16 PM            
Well, I have 3 dedicated web servers at work. And I was defaced a long time ago by the sysadmin worm, another Chinese care package. It found a new (at that time) vulnerability, and our brand new corporate firewall did not stop it. Because, as I was trying to stress, your firewall allows anonymous traffic in and out on your web port, usually 80. So your firewall in this scenario is beside the point; Black Ice, ZoneAlarm, it doesn't matter.

Because your firewall is not going to stop or warn you of an attacker on your web port. That's why I gave an example of the web logs above, because that's the only way to check for bad activity on your web port. Every couple of days you look over the logs for suspicious activity, and if you find it you first passively, then aggressively, scan that IP address to see what's up. And I don't mean just traceroute and ping. The good thing is that port 80 only accepts HTTP headers, so the best they can hope to do is commit a buffer overrun. If you have IIS, or even Apache or some other 3rd-party server, you need to keep the patches up to date and reapplied after a major system change.

As I was saying above, I was not trying to tell Kong he was vulnerable to a worm attack. Just that a worm attack might look like a real human is attacking when that may not be the case.

And since Kong's attacker stopped attacking him anyway, I did not even bring up that Nimda's port scan will not show up as a Trojan port alert because it hits the one port a firewall isn't blocking, usually 80. I am assuming that Kong's attacker used that port, or his current HTTP port, whatever that may be.

Because if his attacker used any other port besides that, then he really does not have a problem anyway, because if you're going to use a machine as a dedicated web server then the first rule is to block all unused ports. Then go into the registry and disable remote administration of that box, remote registry access, file system access, CD-ROM drive, floppy, etc. I'm assuming they teach you all that in college.

If you are running file and print sharing on a regular workstation or server, as long as you have a firewall set up correctly you're OK. If you have a non-password-protected share on that same computer, you're asking for it. People have it in their heads that only people behind their firewall can see their shares.

Click here to see more info, as seen remotely. I first did a passive IP range scan to find non-stealthed IPs, then an aggressive one to reveal more. Bear in mind it is sometimes tough to completely stealth a dedicated web server's IP, because it will return an HTTP header request by default, thus revealing itself. http://www.tm-central.com/news/ipscan.jpg
This looks to be a college or school computer. Notice the umpteen folders which I can browse at will from my computer. WM, you may want to check your lab's shares from outside your firewall. Just a suggestion.

Sorry... another book, I know.
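Kevlar's advice here and in his earlier post (check the web logs for worm probes, treat 404/500 as rejected hits and a 200 as the red flag, count the infected sources) as an added example that is not from the thread: a small Python scanner over constructed NCSA-format log lines. The log format, the sample records and the documentation-range IPs are assumptions; IIS W3C logs would need a different parser.

```python
import re
from collections import Counter

# Code Red / Nimda probe paths (published IDS signatures); a hit means an infected
# host scanned you, and only the HTTP status says whether the probe got anywhere.
WORM_PATTERNS = [
    re.compile(r"/default\.ida", re.I),   # Code Red / Code Red II
    re.compile(r"root\.exe", re.I),       # Nimda, via the Code Red II backdoor
    re.compile(r"cmd\.exe", re.I),        # Nimda directory-traversal probes
]

# Assumes NCSA/Apache common log format; IIS W3C logs need a different regex.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample using documentation IP ranges, not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Jan/2002:09:01:12 -0500] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 312
203.0.113.7 - - [28/Jan/2002:09:01:14 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 500 0
198.51.100.23 - - [28/Jan/2002:09:02:01 -0500] "GET /index.html HTTP/1.1" 200 4521
192.0.2.44 - - [28/Jan/2002:09:03:30 -0500] "GET /msadc/root.exe?/c+dir HTTP/1.0" 200 77
this line is not a valid log record
""".splitlines()

def parse_line(line):
    """Split one common-log line into ip, request and status; None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "request": m.group("req"), "status": int(m.group("status"))}

def classify(entry):
    """'worm' = rejected probe, 'worm-200' = probe answered 200 (check the box), else 'normal'."""
    if any(p.search(entry["request"]) for p in WORM_PATTERNS):
        return "worm-200" if entry["status"] == 200 else "worm"
    return "normal"

def summarize(lines):
    """Hit counts per class plus the distinct source IPs that sent worm probes."""
    counts, sources = Counter(), set()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        kind = classify(entry)
        counts[kind] += 1
        if kind != "normal":
            sources.add(entry["ip"])
    return {"counts": dict(counts), "infected_sources": sorted(sources)}
```

Any "worm-200" entry is the case Kevlar warns about: the host answered a worm probe with 200, so that server, not the scanning source, is the one to check.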

The Weatherman
Member
posted January 29, 2002 11:52 PM         
What external scanners do you recommend? I use Shields Up, DSL Reports, and the Symantec one, but they all seem to give less data than what you have shown. How dangerous are print shares? They are password protected by Win2k in that only users set up on the print server can see them (I think). Also, what do you recommend for FTP servers, remote controls (i.e., pcAnywhere), and game servers?

Kevlar
Member
posted January 30, 2002 12:17 AM            
Print shares under Win2k are actually secure in that you have to be set as a Power User to get access to them, unlike under NT where you only had to be a regular user. And if you have Win2k then your shared folders are password protected by default. It uses NT authentication to protect open shares.

There is a vulnerability with Win2k and the default IIS virtual printer folder, under IIS in the control panel, if you have IIS installed. It is installed on Win2k Server by default but not on Workstation. If so, I recommend removing the printer virtual directory along with the admin samples virtual folder and the IISHelp virtual directory. All of these have administrative VBScripts that, if access is gained by overrunning that virtual printer buffer, one could run as potentially harmful scripts.

As far as external scanners go, I use a corporate, mega-expensive one that is licensed per seat, but I will send you some info on some cheaper ones.

Paranor
Member
posted January 30, 2002 12:37 AM            
Kevlar, I would like to know what you use for scanners. I'm looking at some myself for work.

And what program did you use to get that list? I use NetScanTools Pro but your list looks more organized.

[This message has been edited by Paranor (edited January 30, 2002).]

guido 1
Member
posted January 30, 2002 12:43 AM         
Since there was no exploitation, the firewall must be doing the job. In XP make sure to disable Plug and Play, which is on by default; it's easy with Unplug n' Pray. I run ZoneAlarm in high security mode for internet, and came through port probes as full stealth, which simply means that my PC gave no response to any port probes, and was therefore not seen, as if there were no computer at the IP address being sniffed.

------------------
Trying is the first step towards failure ... Guido the mercy killer .

KONG
Member
posted February 10, 2002 10:14 PM            
bump

Kevlar
Member
posted February 11, 2002 11:24 PM            
In case some of you BlackIce firewall users haven't heard: a patch is available.

BLACKICE FIREWALL SECURITY FLAW:
http://www.pcworld.com/news/article/0,aid,83463,tk,dn021102X,00.asp

------------------
TM-Central.com

The Weatherman
Member
posted February 12, 2002 12:15 AM         
Are you still getting hit, K?

KONG
Member
posted February 17, 2002 08:29 PM            
Well, happy b-day to me.
Someone is sending me a lot of presents.
Hee hee.
As my firewall logs will show.

KONG
Member
posted February 17, 2002 08:44 PM            
Like lambs to the slaughter.

KONG
Member
posted February 17, 2002 10:45 PM            
Well, it seems our little hacker
has been quite busy today.
As you may have noticed, my site has been down for a while.

Not because he hacked it; I just shut it down to be safe.

Wonder who he is?

Quite the master hacker, broad scans, spoofing IPs left and right.

I don't have to turn him in, he is burying himself.

Since I have only been logging onto this board since it started, he must be getting my IP from here?

Wonder how?

Remember that post about my co-worker?
The FBI just showed up at his house one bright shiny morn?

Hee hee, who's gonna be formatting their hard drive now?
YOU IDIOT
