Nabble - Incidents

Replicating the Gonzalez Cyber Attacks through Penetration Testing

2009-11-20T16:07:11Z

--------------------------------------------------------------------------------
YOU'RE INVITED: IT SECURITY ON DEMAND WEBCAST

"Replicating the Gonzalez Cyber Attacks through Penetration Testing"
Register: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez
---------------------------------------------------------------------------------

Recently, we saw the indictment of cybercrime kingpin Albert Gonzalez, one of the accused masterminds behind high-profile data breaches at Heartland Payment Systems, Hannaford Bros. Supermarkets, 7-Eleven, and TJX. Next week, Core Security Technologies will present a hands-on look at the attacks Gonzalez and his co-conspirators are believed to have used in breaching these organizations.

Leveraging the actual indictment document as a guide, Core Security senior product manager Alex Horan will use CORE IMPACT Pro penetration testing software to demonstrate the techniques by which Gonzales allegedly stole millions of credit card numbers* - showing you how to identify IT exposures in your own environment before cybercriminals do.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

During the webcast, you'll see a step-by-step depiction of an attack similar to that described in the Gonzalez indictment, including the following critical stages:

* the initial web application compromise via SQL Injection
* the use of a well-known backend database command to make the attacks even
* more invasive
* the planting of malware on the backend database server
* the collection and transmission of credit card transactions to the
* attackers

Through the demonstration, you'll also learn how commercial-grade penetration testing software enables you to see your IT systems as an attacker would -- not only by determining if the kinds of issues that Gonzalez reportedly leveraged are present in your environment, but also by ...

* assessing how deployed defenses react to specific threats
* revealing what systems and data would be exposed by a breach
* depicting how chains of vulnerabilities open paths to mission-critical
* systems and information
* providing actionable data for immediately mitigating critical exposures
* repeating tests to ensure the effectiveness of remediation efforts

This webcast is ideal for anyone interested in proactively assessing their security posture against real-world cyber threats.

> Register here: http://www.coresecurity.com/Form/generic/campaign/SecurityFocusGonzalez

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

CanSecWest 2010 CALL FOR PAPERS (deadline Nov 30, conf. Mar22-26) and PacSec (Nov 4/5) Selections

2009-10-16T15:53:46Z

We extend our apologies if you are inconvenienced by multiple copies of this messages.

We would like to announce the PacSec 2009 Paper Selections, and
the opening of the 2010 CanSecWest Call For Papers. Given
the proximity of the Winter Olympics in Vancouver one month
before the conference, we would advise all planning to attend
to make travel preparations well in advance for next year...

PacSec 2009 Presentations

Keynote Presentation November 4: Mitsugu Okatani, National Information Security Center / Ministry of Defense / Japan Air Self-Defense Force
Keynote Presentation November 5: Hideaki Kobayashi, Information Technology Promotion Agency
Virtualisation security and the Intel privilege model - Tavis Ormandy & Julien Tinnes, Google
Silicon Chips: No More Secrets - Karsten Nohl
Filter Resistant Code Injection on ARM - Yves Younan, University of Leuven
iPhone SMS Fuzzing and Exploitation - Charlie Miller, Independent Security Evaluators
The Microsoft View of the 2008 Threat Landscape - Tony Lee, Microsoft
Cloud Defense in the Post-BotWar Era - Ikuo Takahashi
The Android Security Story: Challenges and Solutions for Secure Open Systems - Rich Cannings & Alex Stamos, Google, iSec Partners
Stealthy Rootkit : How malware fools live memory forensics - Tsukasa Ooi, Livegrid
Defending a Social Network - Alex Rice, Facebook
Museum of API Obfuscation on Win32 - Masaki Suenaga, Symantec
!exploitable and Effective Fuzzing Strategies as a Regular Part of Test - Jason Shirk, Microsoft
Analyzing Word and Excel Document Encryption - Eric Filiol, ESIEA - Operational cryptology and Virology Lab
English Dojo: Auditing Java Security, Marc Schoenefeld
Japanese Dojo: Assembler Programming and Reverse Engineering Malware, Yuji Ukai, fourteenforty

Pacsec will be held on November 4 and 5th, in Aoyama, Tokyo.

CanSecWest 2010 CALL FOR PAPERS

VANCOUVER, Canada -- The eleventh annual CanSecWest applied
technical security conference - where the eminent figures in
the international security industry will get together share
best practices and technology - will be held in downtown
Vancouver at the the Sheraton Wall Centre on March 22-26,
2010. The most significant new discoveries about computer
network hack attacks and defenses, commercial security
solutions, and pragmatic real world security experience will
be presented in a series of informative tutorials.

The CanSecWest meeting provides international researchers a
relaxed, comfortable environment to learn from informative
tutorials on key developments in security technology, and
collaborate and socialize with their peers in one of the
world's most scenic cities - a short drive away from one of
North America's top skiing areas.

The CanSecWest conference will also feature the availability
of the Security Masters Dojo expert network security sensei
instructors, and their advanced, and intermediate, hands-on
training courses - featuring small class sizes and practical
application excercises to maximize information transfer.

We would like to announce the opportunity to submit papers,
and/or lightning talk proposals for selection by the
CanSecWest technical review committee. This year we will be
doing one hour talks, and some shorter talk sessions.

Please make your paper proposal submissions before November
30th, 2009.

Some invited papers have been confirmed, but a limited number
of speaking slots are still available. The conference is
responsible for travel and accomodations for the speakers. If
you have a proposal for a tutorial session then please make
your submission using our new online form, available at
https://cansecwest.com/submissions/. If the on-line form is
not available you can alternatively email a synopsis of the
material and your biography, papers and, speaking background
to secwest09 [at] cansecwest.com . Only slides will be needed
for the March paper deadline, full text does not have to be
submitted - but will be accepted if available. This year we
will be opening up the presentation guidelines to include
talks not in English which we will offer to translate for
the speaker if they are not a native English speaker.

The CanSecWest 2010 conference consists of tutorials on
technical details about current issues, innovative techniques
and best practices in the information security realm. The
audiences are a multi-national mix of professionals involved
on a daily basis with security work: security product
vendors, programmers, security officers, and network
administrators. We give preference to technical details and
new education for a technical audience.

The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while educating
and highlighting advancements in security products and
techniques. The focus is on innovation, tutorials, and
education instead of product pitches. Some commercial content
is tolerated, but it needs to be backed up by a technical
presenter - either giving a valuable tutorial and best
practices instruction or detailing significant new technology
in the products.

Paper proposals should consist of the following information:

1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one paragraph
description.
6. Reason why this material is innovative or significant or
an important tutorial.
7. Optionally, any samples of prepared material or outlines
ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where
this material has been or will be published/submitted.
11. If you have multiple speakers, please outline why each
presenter is necessary and what each is presenting.

Please include the plain text version of this information in
your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest09 [at]
cansecwest.com or use our on-line submissions form at
https://cansecwest.com/submissions/ to be considered for
placement on the speaker roster, or have your lightning talk
scheduled. If you contact anyone else at our organization
please ensure you also cc the submission address with your
proposal or use the on-line submissions system or else it may
be omitted from the review process.

thanks,
--dr

P.S. please accept my apologies if your submission feedback
hasn't arrived yet from PacSec (but no news is good news for
a few which will be invited to Vancouver ;-).

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
Tokyo, Japan November 4/5 2009 http://pacsec.jp
Vancouver, Canada March 22-26 2010 http://cansecwest.com
Amsterdam, Netherlands, June 16/17 2010 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their application. By making use of an SSL certificate on your web server, you can securely collect sensitive information online, and increase business by giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194

Workshop on the Analysis of System Logs (WASL) 2009

2009-06-16T08:43:04Z

Workshop on the Analysis of System Logs (WASL) 2009
http://www.systemloganalysis.com Call for Papers

===============================
October 14, 2009
Big Sky, MT
(at SOSP)
===============================

FULL PAPER SUBMISSION: Monday, June 29th, 2009
AUTHOR NOTIFICATION: Monday, July 27, 2009
FINAL PAPERS DUE: Monday, September 14, 2009
--------------------------------------------------------------------------

System logs contain a wide variety of information about system status
and health,
including events from various applications, daemons and drivers, as well
as sampled
information such as resource utilization statistics. As such, these logs
represent a
rich source of information for the analysis and diagnosis of system
problems and
prediction of future system events. However, their lack of organization
and the general
lack of semantic consistency between information from various software
and hardware
vendors means that most of this information content is wasted. Indeed,
today's
most popular log analysis technique is to use regular expressions to
either detect
events of interest or to filter the log so that a human operator can
examine it manually.
Clearly, this captures only a fraction of the information available in
these logs and
does not scale to the large systems common in business and
supercomputing environments.

This workshop will focus on novel techniques for extracting
operationally useful
information from existing logs and methods to improve the information
content of future
logs. Topics include but are not limited to:
o Reports on publicly available sources of sample log data.
o Log anonymization
o Log feature detection and extraction
o Prediction of malfunction or misuse based on log data
o Statistical techniques to characterize log data
o Applications of Natural-Language Processing (NLP) to logs
o Scalable log compression
o Log comparison techniques
o Methods to enhance astandardize log semantics
o System diagnostic techniques
o Log visualization
o Analysis of services (problem ticket) logs
o Applications of log analysis to system administration

Papers limited to 6 2-column pages using >=10pt font.

Workshop Chair:
Greg Bronevetsky (Lawrence Livermore National Laboratory)
greg@...

Program Committee:
Jon Stearley, Sandia National Laboratory
Bianca Schroeder, University of Toronto
Sébastien Tricaud, INL
Sapan Bhatia, Princeton University
Risto Vaarandi, CCD CoE
Jim Jansen, Penn State University
Wei Xu, University of California, Berkeley
Anton Chuvakin, Qualys
Hugh Njemanze, ArcSight
Kara Nance, University of Alaska, Fairbanks
Raffael Marty, PixlCloud

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

increased Backdoor.Coreflood infections

2009-05-29T08:58:23Z

Is anyone else seeing an increasing in Backdoor.Coreflood
infections on their network? I have not yet been able to pinpoint
the infection vector. Has anyone seen coreflood being dropped by a
specific set of web pages?

Cheers,
Tim

--
Turn life into a beach with a new sandbox. Click now!
http://tagline.hushmail.com/fc/BLSrjkqcDkOyUKy80K9RrJYxpItdUWM6X1cJQkugbThiS5kVxVFxdk68zuQ/

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009

2009-05-06T15:37:17Z

EUSecWest 2009 Speakers

Efficient UAK Recovery attacks against DECT
- Ralf-Philipp Weinmann, University of Luxembourg
A year in the life of an Adobe Flash security researcher
- Peleus Uhley, Adobe
Pwning your grandmother's iPhone
- Charley Miller, Independent Security Evaluators
Post exploitation techniques on OSX and Iphone and other TBA matters.
- Vincent Iozzo,Zynamics
STOP!! Objective-C Run-TIME.
- nemo
Exploiting Delphi/Pascal
- Ilja Van Sprundel, IOActive
PCI bus based operating system attack and protections
- Christophe Devine & Guillaume Vissian, Thales
Thoughts about Trusted Computing
- Joanna Rutkowska, Invisible Things Lab
Nice NIC you got there... does it come with an SSH daemon?
- Arrigo Trulzi
Evolving Microsoft Exploit Mitigations
- Tim Burrell & Peter Beck, Microsoft
Malware Case Study: the ZeuS evolution
- Vicente Diaz, S21Sec
Writing better XSS payloads
- Alex Kouzemtchenko, SIFT
Exploiting Firefox Extensions
-Roberto Suggi Liverani & Nick Freeman, Security-Assessment.com
Stored Value Gift Cards, Magstripes Revisited
- Adrian Pastor, GEUSecWest 2009 (May27/28) London Agenda and PacSec 2009
(Nov 4/5) Tokyo CFP deadline: June 1 2009nucitizen, Corsaire
Advanced SQL Injection to operating system control
- Bernardo Damele Assumpcao Guimaraes, Portcullis
Cloning Mifare Classic
- Nicolas Courtois, University of London
Rootkits on Windows Mobile/Embedded
- Petr Matousek, Coseinc
EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5) Tokyo CFP
deadline: June 1 2009

PacSec 2009 CALL FOR PAPERS

World Security Pros To Converge on Japan

TOKYO, Japan -- To address the increasing importance of information
security in Japan, the best known figures in the international
security industry will get together with leading Japanese researchers
to share best practices EUSecWest 2009 (May27/28) London Agenda and PacSec
2009 (Nov 4/5) Tokyo CFP deadline: June 1 2009and technology. The most
significant new
discoveries about computer network hack attacks will be presented at
the seventh annual PacSec conference to be discussed.

The PacSec meeting provides an opportunity for foreign specialists to
be exposed to Japanese innovation and markets and collaborate on
practical solutions to computer security issues. In an informal
setting with a mixture of material bilingually translated in both
English and Japanese the eminent technologists can socialize and
attend training sessions.

Announcing the opportunity to submit papers for the PacSec 2009
network security training conference. The conference will be held
November 4/5th in Tokyo. The conference focuses on emerging
information security tutorials - it is a bridge between the
international and Japanese information security technology communities..

Please make your paper proposal submissions before June 1st, 2009.
Slides for the papers must be submitted for translation by October 1,
2009 (Which, oh so rarely, happens we are going to start asking for
them earlier :-P --dr).

Some invited papers have been confirmed, but a limited number of
speaking slots are still available. The conference is responsible for
travel and accomodations for the speakers. If you have a proposal for
a tutorial session then please email a synopsis of the material and
your biography, papers and, speaking background to . Tutorials are
one hour in length, but with simultaneous translation should be
approximately 45 minutes in English, or Japanese. Only slides will be
needed for the October paper deadline, full text does not have to be
submitted.EUSecWest 2009 (May27/28) London Agenda and PacSec 2009 (Nov 4/5)
Tokyo CFP deadline: June 1 2009

The PacSec conference consists of tutorials on technical details about
current issues, innovative techniques and best practices in the
information security realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security work: security
product vendors, programmers, security officers, and network
administrators. We give preference to technical details and education
for a technical audience.

The conference itself is a single track series of presentations in a
lecture theater environment. The presentations offer speakers the
opportunity to showcase on-going research and collaborate with peers
while educating and highlighting advancements in security products and
techniques. The focus is on innovation, tutorials, and education
instead of product pitches. Some commercial content is tolerated, but
it needs to be backed up by a technical presenter - either giving a
valuable tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following information:

1) Presenter, and geographical location (country of origin/passport)
and contact info (e-mail, postal address, phone, fax).
2) Employer and/or affiliations.
3) Brief biography, list of publications and papers.
4) Any significant presentation and educational experience/background.
5) Topic synopsis, Proposed paper title, and a one paragraph
description.
6) Reason why this material is innovative or significant or an
important tutorial.
7. Optionally, any samples of prepared material or outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences where this
material has been or will be published/submitted.

Please include the plain text version of this information in your
email as well as any file, pdf, sxw, ppt, or html attachments.

Please forward the above information to to be considered for
placement on the speaker roster.

cheers,
--dr

--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
Tokyo, Japan November 4/5 2009 http://pacsec.jp
Vancouver, Canada March 22-26 2010 http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

EUSecWest 2009 CFP (May 27/28, Deadline April 7 2009)

2009-04-01T14:39:35Z

Call For Papers

The EUSecWest 2009 CFP is now open.

Deadline is April 7th, 2009.

EUSecWest CALL FOR PAPERS

LONDON, U.K. -- The third annual EUSecWest applied
technical security conference - where the eminent figures
in the international security industry will get together
share best practices and technology - will be held in
downtown London at the Sound Club in Leicester Square
on May 27/28, 2009. The most significant new discoveries
about computer network hack attacks and defenses,
commercial security solutions, and pragmatic real world
security experience will be presented in a series of
informative tutorials.

The EUSecWest meeting provides international researchers
a relaxed, comfortable environment to learn from
informative tutorials on key developments in security
technology, and collaborate and socialize with their peers
in one of the world's most most important technology
hubs and scenic cities. The timing of the conference
allows international travelers to travel to Berlin for
FX's Ph-Neutral on the weekend, and Rennes the
following week for SSTIC.

We would like to announce the opportunity to submit
papers, and/or lightning talk proposals for selection by
the EUSecWest technical review committee. This year we
will be doing one hour talks, and some shorter talk
sessions.

Please make your paper proposal submissions before
April 7th, 2009.

Some invited papers have been confirmed, but a limited
number of speaking slots are still available. The
conference is responsible for travel and accommodations for
the speaker (one speaker airfare and one room). If you
have a proposal for a tutorial session then please email
a synopsis of the material and your biography, papers
and, speaking background to secwest09 [at] eusecwest.com .
Only slides will be needed for the paper deadline, full text
does not have to be submitted - but will be accepted if
available.

The EUSecWest 2009 conference consists of tutorials on
technical details about current issues, innovative
techniques and best practices in the information security
realm. The audiences are a multi-national mix of
professionals involved on a daily basis with security
work: security product vendors, programmers, security
officers, and network administrators. We give preference
to technical details and new education for a technical
audience.

The conference itself is a single track series of
presentations in a lecture theater environment. The
presentations offer speakers the opportunity to showcase
on-going research and collaborate with peers while
educating and highlighting advancements in security
products and techniques. The focus is on innovation,
tutorials, and education instead of product pitches. Some
commercial content is tolerated, but it needs to be backed
up by a technical presenter - either giving a valuable
tutorial and best practices instruction or detailing
significant new technology in the products.

Paper proposals should consist of the following
information:
1. Presenter, and geographical location (country of
origin/passport) and contact info (e-mail, postal
address, phone, fax).
2. Employer and/or affiliations.
3. Brief biography, list of publications and papers.
4. Any significant presentation and educational
experience/background.
5. Topic synopsis, Proposed paper title, and a one
paragraph description.
6. Reason why this material is innovative or significant
or an important tutorial.
7. Optionally, any samples of prepared material or
outlines ready.
8. Will you have full text available or only slides?
9. Language of preference for submission.
10. Please list any other publications or conferences
where this material has been or will be
published/submitted.

Please include the plain text version of this information
in your email as well as any file, pdf, sxw, ppt, or html
attachments.

Please forward the above information to secwest09 [at]
eusecwest.com to be considered for placement on the
speaker roster, or have your lightning talk scheduled. If
you contact anyone else at our organization please ensure
you also cc the submission address with your proposal or
it may be omitted from the review process.

cheers,
--dr
--
World Security Pros. Cutting Edge Training, Tools, and Techniques
London, U.K. May 27/28 2009 http://eusecwest.com
pgpkey http://dragos.com/ kyxpgp

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Re: incidents from history

2009-01-21T13:48:58Z

Flavio Silva wrote:
>
> I want to know if someone can name the greatest incident of the
> computer history, but not the Morris Worm.

As far as "greatest" reported incidents go, I regard this event to be
high caliber:

http://en.wikipedia.org/wiki/Greek_telephone_tapping_case_2004-2005

http://www.spectrum.ieee.org/jul07/5280

As well as this report:

http://www.dailymail.co.uk/news/article-509186/CIA-launches-hunt-international-hackers-threatening-hold-cities-ransom-shutting-power.html

--Jason

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Videos from HITBSecConf2008 - Malaysia released!

2009-01-20T14:16:04Z

The videos from HITBSecConf2008 - Malaysia are now available for download!

Day 1
=====

http://thepiratebay.org/torrent/4654588/HITBSecConf2008_-_Malaysia_Videos___Day_1

Keynote Address 1: The Art of Click-Jacking - Jeremiah Grossman
Keynote Address 2: Cyberwar is Bullshit - Marcus Ranum

Presentations:

- Delivering Identity Management 2.0 by Leveraging OPSS
- Bluepilling the Xen Hypervisor
- Pass the Hash Toolkit for Windows
- Internet Explorer 8 - Trustworthy Engineering and Browsing
- Full Process Reconsitution from Memory
- Hacking Internet Kiosks
- Analysis and Visualization of Common Packers
- A Fox in the Hen House - UPnP IGD
- MoocherHunting
- Browser Exploits: A New Model for Browser Security
- Time for a Free Hardware Foundation?
- Mac OS Xploitation
- Hacking a Bird in The Sky 2.0
- How the Leopard Hides His Spots - OS X Anti-Forensics Techniques

Day 2
=====

http://thepiratebay.org/torrent/4654974/HITBSecConf2008_-_Malaysia_Videos___Day_2

Keynote Address 3: Dissolving an Industry as a Hobby - THE PIRATE BAY

Presentations:

- Pushing the Camel Through the Eye of a Needle
- An Effective Methodology to Enable Security Evaluation at RTL Level
- Remote Code Execution Through Intel CPU Bugs
- Next Generation Reverse Shell
- Build Your Own Password Cracker with a Disassembler and VM Magic
- Decompilers and Beyond
- Cracking into Embedded Devices and Beyond!
- Client-side Security
- Top 10 Web 2.0 Attacks

===

On a related note, the registration for HITBSecConf2009 - Dubai (20th -
23rd April) is now open!

http://conference.hitb.org/hitbsecconf2009dubai/

The Call for Papers (CFP) for HITBSecConf2009 - Malaysia (October 5th -
8th) will open in March 2009.

A belated Happy New Year from all of us at Hack in The Box and may all
your exploits result in root shell! :)

The HITB Team.

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Re: incidents from history

2008-12-01T17:39:49Z

Hi,

> Another classic would be Mitnick vs Shimomura - http://www.gulker.com/ra/hack/tsattack.html

By the way, this Shimomura-san's father got the Norbel prize this
year. Congratulations!

moto kawasaki <moto@...>

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Re: incidents from history

2008-12-01T13:02:36Z

http://www.sans.org/resources/idfaq/solar_sunrise.php

You are probably referencing the "Solar Sunrise" case.

In February 1998, hackers launched an attack against the Pentagon and
MIT in what the Department of Defense called "the most organized and
systematic attack to date."

Tony Maupin

On Sat, Nov 29, 2008 at 12:48 PM, Flavio Silva <flavioabs@...> wrote:

> Hi all!
>
> I want to know if someone can name the greatest incident of the
> computer history, but not the Morris Worm. Some time ago I read
> something about an incident called The Rising Sun, but now I'm not
> sure about this name. It was a supposed intrusion in some MIT lab,
> Harvard University, and some military facilities. Probably it was
> executed by terrorists. I want to confirm all this.
>
> Regards
> --
> Flavio A. Braga da Silva
> Informatics Department
> State University of Maringá (UEM)
>
> ------------------------------------------------------------------------
> This list is sponsored by: Black Hat USA
>
> Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
> Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
> Network with 4,000 delegates from 50 nations.
> Visit product displays by 30 top sponsors in a relaxed setting.
>
> www.blackhat.com
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Re: incidents from history

2008-12-01T12:51:48Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Sat, 29 Nov 2008, Flavio Silva wrote:

> I want to know if someone can name the greatest incident of the computer
> history, but not the Morris Worm. Some time ago I read something about
> an incident called The Rising Sun, but now I'm not sure about this name.
> It was a supposed intrusion in some MIT lab, Harvard University, and
> some military facilities. Probably it was executed by terrorists. I want
> to confirm all this.

I'd have to say that, in terms of claimed monetary and operational losses,
Nimda and Code Red qualify, as do the Melissa, ILoveYou and Sircam
automated intrusion agents. However, no real connection to any terrorist
organization has been (nor can be) made with respect to these attacks.

As for any "Rising Sun" incident, I cannot recall anything remotely
approximating the scenario described. Of course, we're now seeing a
wholesale prohibition on thumb drives across the DoD and NASA, it seems
that serious enough incidents have occurred to warrant an update in
policies and procedures.

On the topic of "cyber-terrorists," I've spoken my mind on that issue over
six years ago in a keynote I gave at Toorcon[*].

- -Jay

* http://www.treachery.net/articles_papers/tutorials/the_myth_of_cyber-terrorism/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFJNE5lIu2Fkdy0GOwRAjjdAJsFP2050P7e8SIrwz+z3ru1c3l2MgCgmyNk
GDUH9RLlYVMXiuqmjK6bJG0=
=vl0g
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

RE: incidents from history

2008-12-01T12:36:36Z

Never heard of that one. Sounds great for a movie plot, though - it has computers, the MIT, the military, terrorists. You just need to add some romance, guns and a couple mentions to the economy and will touch on every issue that's on the front page of all papers in the world these days ;)

Another classic would be Mitnick vs Shimomura - http://www.gulker.com/ra/hack/tsattack.html

> -----Original Message-----
> From: Flavio Silva [mailto:flavioabs@...]
> Sent: Saturday, November 29, 2008 1:48 PM
> To: incidents@...
> Subject: incidents from history
>
> Hi all!
>
> I want to know if someone can name the greatest incident of the
> computer history, but not the Morris Worm. Some time ago I read
> something about an incident called The Rising Sun, but now I'm not
> sure about this name. It was a supposed intrusion in some MIT lab,
> Harvard University, and some military facilities. Probably it was
> executed by terrorists. I want to confirm all this.
>
> Regards
> --
> Flavio A. Braga da Silva
> Informatics Department
> State University of Maringá (UEM)
>
> --------------------------------------------------------------
> ----------
> This list is sponsored by: Black Hat USA
>
> Attend Black Hat USA, August 2-7 in Las Vegas, the world's
> premier technical event for ICT security experts.
> Featuring 40 hands-on training courses and 80 Briefings
> presentations with lots of new content and new tools.
> Network with 4,000 delegates from 50 nations.
> Visit product displays by 30 top sponsors in a relaxed setting.
>
> www.blackhat.com
> --------------------------------------------------------------
> ----------
>
>

Re: incidents from history

2008-12-01T12:34:21Z

How about Sarah palin's email being put up on display?

Note: someone had to bring this one up.

Sent from my iPhone

On Nov 29, 2008, at 10:48 AM, "Flavio Silva" <flavioabs@...>
wrote:

> Hi all!
>
> I want to know if someone can name the greatest incident of the
> computer history, but not the Morris Worm. Some time ago I read
> something about an incident called The Rising Sun, but now I'm not
> sure about this name. It was a supposed intrusion in some MIT lab,
> Harvard University, and some military facilities. Probably it was
> executed by terrorists. I want to confirm all this.
>
> Regards
> --
> Flavio A. Braga da Silva
> Informatics Department
> State University of Maringá (UEM)
>
> ---
> ---------------------------------------------------------------------
> This list is sponsored by: Black Hat USA
>
> Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier
> technical event for ICT security experts.
> Featuring 40 hands-on training courses and 80 Briefings
> presentations with lots of new content and new tools.
> Network with 4,000 delegates from 50 nations.
> Visit product displays by 30 top sponsors in a relaxed setting.
>
> www.blackhat.com
> ---
> ---------------------------------------------------------------------
>

Re: incidents Digest 1 Dec 2008 20:41:14 -0000 Issue 920

2008-12-01T12:28:07Z

On Mon, Dec 1, 2008 at 12:41 PM,
<incidents-digest-help@...> wrote:

> ---------- Forwarded message ----------
> From: "Flavio Silva" <flavioabs@...>
> To: incidents@...
> Date: Sat, 29 Nov 2008 16:48:22 -0200
> Subject: incidents from history
> Hi all!
>
> I want to know if someone can name the greatest incident of the
> computer history, but not the Morris Worm. Some time ago I read
> something about an incident called The Rising Sun, but now I'm not
> sure about this name. It was a supposed intrusion in some MIT lab,
> Harvard University, and some military facilities. Probably it was
> executed by terrorists. I want to confirm all this.
>
> Regards
> --
> Flavio A. Braga da Silva
> Informatics Department
> State University of Maringá (UEM)

Perhaps you are referring to "Solar Sunrise"...
--
Kristian Erik Hermansen
Shelley Winters - "Whenever you want to marry someone, go have lunch
with his ex-wife."

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

RE: incidents from history

2008-12-01T12:22:31Z

> I want to know if someone can name the greatest incident of the
> computer history, but not the Morris Worm.

this one gets my vote.

http://www.allbusiness.com/technology/software-services-applications-interne
t/6980002-1.html

Geo.

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

incidents from history

2008-11-29T10:48:22Z

Hi all!

I want to know if someone can name the greatest incident of the
computer history, but not the Morris Worm. Some time ago I read
something about an incident called The Rising Sun, but now I'm not
sure about this name. It was a supposed intrusion in some MIT lab,
Harvard University, and some military facilities. Probably it was
executed by terrorists. I want to confirm all this.

Regards
--
Flavio A. Braga da Silva
Informatics Department
State University of Maringá (UEM)

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Re: Ssh break that claims it was me?

2008-10-27T09:45:38Z

On Monday 27 October 2008 06:22:05 pm you wrote:
> Just for my enthusiasm, were you using a password or a key?
Thanks all for replies, i was using password. The info i got from client is
that he doesnt really have/understand logs to prove anything :) They just
guessed it could be me,because i'm the only person who can use command line
there :) They deleted my account from server so i cant check anything. I told
him to check the history and other things you told me. Let see what results
we will have ,it is very difficult to work with people who dont know anything
about their systems.

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

RE: Ssh break that claims it was me?

2008-10-27T08:21:28Z

Just as a matter of comment.
I absolutely agree with Kevin on this, especially as one may propose that the damage caused, may not necessarily be the "unknown hacker"'s deed, but a system administrator fault or error, and eventually a result of his/her "pushing the blame to someone else" attempt. In other words, "the butler" who deed this, may not necessarily be a stranger to this organization.

On the other hand, correct me if I am wrong, but as far as I know, it is quite hard to convince federal law enforcements to deal with cyber crimes even in United States. (not talking of other countries)
Usually theese investigations take a huge time to start, and enormous efforts to complete with anykind of result. No results guaranteed of course, especially in the light of law officials not being really keen on dealing with cyber crimes. (According to Larry from Spamhaus, 70% of FBI agents are on anti-terrorism cases after 9/11, so I guess you are left with 30% of them on other cases, including cyber crime)
This may be a contra argument to Kevin, but it is surely worth to try, you don't lose anything and of course by this you may show the client that you are also interested in investigating the case.

Regards and good luck!
Vik

-----Original Message-----
From: Kevin Wilcox [mailto:kevin.wilcox@...]
Sent: Monday, October 27, 2008 4:28 PM
To: viktor.larionov@...
Cc: makkalot@...; incidents@...
Subject: Re: Ssh break that claims it was me?

2008/10/27 Viktor Larionov <viktor.larionov@...>:

> And of course first of all check that it was really your user who did that. (if the .bash_history file under your home directory is valid, you can easily see all the commands your user has executed for the past time)

I would go the opposite route with regards to the .bash_history and
logging into the machine again. I would immediately go to a solicitor
and the authorities with the email from your client and have the
server seized - once it is in control of the authorities, and the
sooner the better, I would let their auditors and technicians do the
forensics work.

Why would I take that approach? Because if you log in to the machine
now to start providing log-based evidence then it can be shown that
you were on the machine previously, some stuff got deleted, you were
sent an email about it, you logged in again and could have been
modifying logs/timestamps/etc to cover your tracks. It's usually
better to get trusted law enforcement agencies involved very early so
that *they* can be the ones to do the audit on the machine, not the
accused party.

This is, of course, based off of my understanding of my local, state
and federal law, specific to the United States. You may be in an area
where the laws are completely different. In either event I would
consult a local legal expert.

My humble opinion.

kmw

--
Far better is it to dare mighty things, to win glorious triumphs, even
if checkered by failure, than to take rank with those poor spirits who
neither enjoy much nor suffer much, because they live in the gray
twilight that knows not victory or defeat.

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

RE: Ssh break that claims it was me?

2008-10-27T06:35:03Z

Hi!

Well I would start from simply talking to the client and checking the IP adresses from where the access was granted.
I'd bet my pants that the IP-adress is a chinese socks proxy or smth. like this.

And of course first of all check that it was really your user who did that. (if the .bash_history file under your home directory is valid, you can easily see all the commands your user has executed for the past time)

And of course logs, logs and once again logs, you will definetly find a way of prooving this by just carefully examining the auth logs, .bash_history file, cvs logs, etc.
If it's the CVS repo what was deleted, and a busy CVS repo then by means of CVS error logs you can definetly determine the time when it was done. Etc.

regards,
Vik

---
Viktor Larionov
snr. system administrator
R&D team
Salva Kindlustuse AS
Prnu mnt. 16
10141 Tallinn
ESTONIA
tel: (+372) 683 0636, (+372) 680 0500
fax: (+372) 680 0501
gsm: (+372) 5668 6811
viktor.larionov@...

------------
MOTD: Dream Big. Think the impossible. If you can dream it - you can create it.

-----Original Message-----
From: makkalot@... [mailto:makkalot@...]
Sent: Monday, October 27, 2008 1:20 PM
To: incidents@...
Subject: Ssh break that claims it was me?

Hi all i dont know if it is the right place to write that but didnt know what
to do...
The case is as follow :
I'm a freelancer programmer and work for other people from distance,therefore
they give me ssh access to their servers and i fix their stuff. After a few
days ago i was hired to fix some django/apache stuff in a server. I fixed all
the stuff and got my money.Ok that was the story part here is the message i
got from client today :
"
I know you deleted the svn repo and also trac...
I don't know why you chose to go in that route... very bad
if you were not happy about something you could have
asked for more money... we could have worked together
to resolve anything... in any case.. I will report this to RAC
form the system logs and we will go from there...
I still don't know why you did this!!!! "

Ok obviously i didnt do that, becaus i dont have any reason to do so. Is there
a way i can prove it wasnt me ? Some fingerprint ssh values? Please any help
is appreciated, thanks in advance ...

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Ssh break that claims it was me?

2008-10-27T04:19:50Z

Hi all i dont know if it is the right place to write that but didnt know what
to do...
The case is as follow :
I'm a freelancer programmer and work for other people from distance,therefore
they give me ssh access to their servers and i fix their stuff. After a few
days ago i was hired to fix some django/apache stuff in a server. I fixed all
the stuff and got my money.Ok that was the story part here is the message i
got from client today :
"
I know you deleted the svn repo and also trac...
I don't know why you chose to go in that route... very bad
if you were not happy about something you could have
asked for more money... we could have worked together
to resolve anything... in any case.. I will report this to RAC
form the system logs and we will go from there...
I still don't know why you did this!!!! "

Ok obviously i didnt do that, becaus i dont have any reason to do so. Is there
a way i can prove it wasnt me ? Some fingerprint ssh values? Please any help
is appreciated, thanks in advance ...

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Anyone has a sample of http://abc.verynx.cn/w.js ?

2008-08-01T13:37:56Z

Hi,

my website was attacked recently by the SQL injection worm, trying
to inject a reference to JS code into my pages. I did analyze it a bit
and today I'm writing a document for my friends and colleagues,
describing details of that. Unfortunately I have not saved a sample of
http://abc.verynx.cn/w.js. I do have all other files, but not the
first one that hits client's browser.

Taking a long shot here - does anyone have a copy of that JS in
their private collection?

Thank you

Jirka

------------------------------------------------------------------------
This list is sponsored by: Black Hat USA

Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in a relaxed setting.

www.blackhat.com
------------------------------------------------------------------------

Re: Unusual entry in Apache logs

2008-05-30T13:35:11Z

Rob Thomas <robt@...> wrote:

>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>
>This IP has been sending spam since at least 2008-04-24 15:34:38 UTC.
>It's also been scanning for the typical proxy ports lately (most
>recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128, TCP 1080,
>and TCP 80. I suspect this is what it was doing when it visited your
>server. Possibly it's a bot.

Thanks Rob, and to all the others -- not few in number -- who wrote on
and off the list with ideas and links.

I have seen some CONNECT attempts in my logs, trying to make contact
with remote mail servers, but had never made the connection myself
between them and the "\x05\x01" entries. It does seem that someone
is looking for open proxies, as all but all of you indicated.

Our website is a simple one, and I have *everything* turned off that
isn't being used. Proxies are completely disabled and I don't allow
the CONNECT verb, among others. It looks like my ( paranoid )
policies are paying off.

Thanks again to all.

Best regards,

Neil Dickey, Ph.D.
email: neil@...
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115

Re: Unusual entry in Apache logs

2008-05-30T13:21:05Z

On May 30, 2008, at 1:59 PM, Rob Thomas wrote:

> Hi, Neil.
>
>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501
>> 3100 "-" "-"
>
> This IP has been sending spam since at least 2008-04-24 15:34:38
> UTC. It's also been scanning for the typical proxy ports lately
> (most recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128,
> TCP 1080, and TCP 80. I suspect this is what it was doing when it
> visited your server. Possibly it's a bot.

It's almost definitely looking for a proxy server - a SOCKS 5 connect
attempt will start with the characters 0x05 0x01, followed by a 0x00
which I believe Apache interprets as the end of the request.

The SOCKS request is formed as follows:

+----+-----+-------+------+----------+----------+
|VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT |
+----+-----+-------+------+----------+----------+
| 1 | 1 | X'00' | 1 | Variable | 2 |
+----+-----+-------+------+----------+----------+

Where:

o VER protocol version: X'05'
o CMD
o CONNECT X'01'
-- Kevin

Re: Unusual entry in Apache logs

2008-05-30T11:59:35Z

Hi, Neil.

> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"

This IP has been sending spam since at least 2008-04-24 15:34:38 UTC.
It's also been scanning for the typical proxy ports lately (most
recently 2008-05-29 02:34:16 UTC), e.g. TCP 8080, TCP 3128, TCP 1080,
and TCP 80. I suspect this is what it was doing when it visited your
server. Possibly it's a bot.

Thanks,
Rob.
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/

Re: Unusual entry in Apache logs

2008-05-30T09:10:23Z

If you don't mind can you tell us your apache version. I once managed
to reproduced the same result with apache 2.0 but with 2.2 it's not
working.

Kosala

On Fri, May 30, 2008 at 12:54 AM, Neil Dickey <neil@...> wrote:

>
> I have of late seen a few entries such as this ...
>
> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>
> ... in my Apache webserver logs. They are the only entry in
> the log for the particular source IP; that is, they don't
> represent an anomaly in an otherwise normal session. Such
> entries record the only contact made by the source IP.
>
> GOOGLE hasn't told me anything interesting; does anyone know
> what this is?
>
> Many thanks for any ideas.
>
> Best regards,
>
> Neil Dickey, Ph.D.
> email: neil@...
> Research Associate/Sysop
> Geology Department
> Northern Illinois University
> DeKalb, Illinois, U.S.A.
> 60115
>

--
Kosala
--------------------------------------------
Disclaimer: Views expressed in this mail are my personal views and
they would not reflect views of the employer.
--------------------------------------------
blog.kosala.net
www.linux.lk/~kosala/
www.kosala.net

Re: Unusual entry in Apache logs

2008-05-30T06:46:42Z

Probably a socks proxy scan.

<- snip ->
I have of late seen a few entries such as this ...

125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"

... in my Apache webserver logs. They are the only entry in
the log for the particular source IP; that is, they don't
represent an anomaly in an otherwise normal session. Such
entries record the only contact made by the source IP.

GOOGLE hasn't told me anything interesting; does anyone know
what this is?

Many thanks for any ideas.

Best regards,

Neil Dickey, Ph.D.
email: neil (at) geol.niu (dot) edu [email concealed]
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115

Re: Unusual entry in Apache logs

2008-05-29T16:50:27Z

Also found this

http://lists.sans.org/pipermail/list/2003-March/007209.html

and this

http://www.derkeiler.com/Newsgroups/comp.os.linux.security/2003-04/0281.html

which led to this

http://www.kb.cert.org/vuls/id/150227

On Thu, May 29, 2008 at 7:45 PM, Jonathan Adams <keirre.adams@...> wrote:

> Neil,
>
> take a look at this:
>
> http://www.honeynet.org/scans/scan31/sol/
>
> On Thu, May 29, 2008 at 5:54 PM, Neil Dickey <neil@...> wrote:
>>
>> I have of late seen a few entries such as this ...
>>
>> 125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"
>>
>> ... in my Apache webserver logs. They are the only entry in
>> the log for the particular source IP; that is, they don't
>> represent an anomaly in an otherwise normal session. Such
>> entries record the only contact made by the source IP.
>>
>> GOOGLE hasn't told me anything interesting; does anyone know
>> what this is?
>>
>> Many thanks for any ideas.
>>
>> Best regards,
>>
>> Neil Dickey, Ph.D.
>> email: neil@...
>> Research Associate/Sysop
>> Geology Department
>> Northern Illinois University
>> DeKalb, Illinois, U.S.A.
>> 60115
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>

--
___________________________
Jon Adams

web: http://www.scis.nova.edu/~jonaadam
mail: keirre.adams@...
---------------------------------------------

"Strength does not come from physical capacity. It comes from an
indomitable will." -
Mohandas Gandhi

Re: Unusual entry in Apache logs

2008-05-29T16:45:38Z

Neil,

take a look at this:

http://www.honeynet.org/scans/scan31/sol/

On Thu, May 29, 2008 at 5:54 PM, Neil Dickey <neil@...> wrote:

Unusual entry in Apache logs

2008-05-29T14:54:40Z

I have of late seen a few entries such as this ...

125.224.192.192 - - [29/May/2008:09:15:34 -0500] "\x05\x01" 501 3100 "-" "-"

... in my Apache webserver logs. They are the only entry in
the log for the particular source IP; that is, they don't
represent an anomaly in an otherwise normal session. Such
entries record the only contact made by the source IP.

GOOGLE hasn't told me anything interesting; does anyone know
what this is?

Many thanks for any ideas.

Best regards,

Neil Dickey, Ph.D.
email: neil@...
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois, U.S.A.
60115

Re: [Pinguzilla] Weird Traffic

2008-05-29T04:52:27Z

Leon,

thx. Ill run the ntop when I get back home again. On the plus side,
the traffic is down today (I didnt get the automated threshold alert),
this happened the last time I added in FW rules, and by the next day I
had twice as much traffic as before I applied the new rules 1.3GB to
2.57 GB.

There is nothing in the syslog except the usual stuff

I did a find on the filesystem for files 5MB and over, came back
with nothing except a couple of log files and other expected stuff.

I still believe that some of the proxy requests are getting through,
the great majority of the real traffic in my tcpdump was HTTP... but I
think the data may be useless because that data was captured on a day
when I wasn't getting flooded. Will have to wait to see if/when the
problem returns and run another tcpdump session. Problem is compounded
by the fact that the server doesnt have X, so I'll need to copy off
the tcpdump output somewhere to analyze it - wasn't a problem
yesterday because it was only a couple of dozen MB.

I do need to run a rootkit detection tool on the box, it couldn't
hurt, Ill do that anyway, in the meantime I'll wait and see if the
traffic comes back up.

--J

On 5/29/08, Leon Ward <seclists@...> wrote:

> What was the result of ntop? protocol breakdowns, top IP SRC/DST etc.
> Does syslog point you to anything suspicious?
> chkrootkit ?
> What do you use to audit your Apache logs? Does that show up anything
> interesting (hosting a large file for download maybe).
>
> Without physical access, it's hard to trust the output of tools you install.
>
> -Leon
>
>
>
> On 28 May 2008, at 10:20, Jonathan Adams wrote:
>
> > John,
> >
> > I am running late for my real job :) but when i come back Ill run
> > some more test and post the results.
> >
> > BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> > or ftp traffic... something is proxying through my box...
> >
> > Im sure of it
> >
> > On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
> >
> > >
> > > Jonathan,
> > >
> > > I'd be curious to get a copy of the list of networks that you're seeing
> this
> > > traffic from. I work for a large managed security service provider and I
> > > could cross reference these networks against data that we're seeing from
> our
> > > corporate customers.
> > >
> > > Regards,
> > > -john
> > >
> > >
> > > On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
> > >
> > >
> > > > All,
> > > >
> > > > I have a leased server I use to host some websites and for the past
> > > > week I have been getting traffic warnings. The server has been
> > > > transferring > 1GB of data per day, which is unusually high,
> > > > especially since I moved my mail to Google Apps. I have noticed a
> > > > ridiculous amount of attempted proxying attemptes in my logs, but I do
> > > > not have mod proxy turned on. I suspect my server is on some list. I
> > > > firewalled off a large number of subnets from China and my traffic
> > > > dropped for a few days, then this morning, 2735MB transferred in 24
> > > > hrs.
> > > >
> > > > As of right now, I am planning to blackhole all China traffic, since
> > > > thats where most of this is comming from, along with the occasional
> > > > traffic from France and other places in Eur. Is this common? If so
> > > > are there any other remedies?
> > > >
> > > > --
> > > >
> > > > "Strength does not come from physical capacity. It comes from an
> > > > indomitable will." -
> > > > Mohandas Gandhi
> > > >
> > > > _______________________________________________
> > > > Pinguzilla mailing list
> > > > Pinguzilla@...
> > > > http://www.as220.org/mailman/listinfo/pinguzilla
> > > >
> > > >
> > >
> > >
> > >
> >
> >
> >
> > --
> > ___________________________
> > Jon Adams
> >
> > web: http://www.scis.nova.edu/~jonaadam
> > mail: keirre.adams@...
> > ---------------------------------------------
> >
> > "Strength does not come from physical capacity. It comes from an
> > indomitable will." -
> > Mohandas Gandhi
> >
> >
>
>

R: [Pinguzilla] Weird Traffic

2008-05-29T01:47:45Z

Definitely an outbound connection

value="52FC3B9C" showvalue="82.252.59.156" /> <field name="dst" longname="Destination address" size="4" pos="30"

On most firewall I know, applying a rule does not interrupt an active session.
I'd first reset all sessions, and then recheck firewall rules are correctly applied.
Next, change firewall/filtering tecnology.

Ivan Brunello

-----Messaggio originale-----
Da: Jonathan Adams [mailto:keirre.adams@...]
Inviato: mercoledì 28 maggio 2008 23.16
A: John Duksta
Cc: incidents@...
Oggetto: Re: [Pinguzilla] Weird Traffic

Well... I got the results of an 11hr TCPDUMP run.. and it shows...
NOTHING.. a couple of probes, lots of network traffic (router messages, ARP requests, Windows NETBIOS noise from my ISP's lan) only got a few probes today... apparently the FW rules shut down most of the traffic for now.

What is weird is this: my ipfw has this

07700 deny log ip from 82.0.0.0/8 to any 07800 deny log ip from any to 82.0.0.0/8

yet the TCP dump shows this:

<pdml>
<packet>
<proto name="geninfo" longname="General information" pos="0" size="66"> <field name="num" longname="Number" showvalue="117" value="117"
pos="0" size="66"/>
<field name="linklayer" longname="Link Layer" showvalue="1" value="1"
showmap="Ethernet" pos="0" size="66"/>
<field name="len" longname="Packet Length" showvalue="66" value="66"
pos="0" size="66"/>
<field name="caplen" longname="Captured Length" showvalue="66"
value="66" pos="0" size="66"/>
<field name="timestamp" longname="Captured Time"
showvalue="09:44:09.621223" value="1211982249.621223" pos="0"
size="66"/>
</proto>
<proto name="ethernet" longname="Ethernet 802.3" pos="0" size="14"> <field name="dst" longname="MAC Destination" size="6" pos="0"
value="000D6103491A" showvalue="000D61-03491A" showdtl="000D61-03491A (Unicast address, vendor code not available)" showmap="code not available" /> <field name="src" longname="MAC Source" size="6" pos="6"
value="00D00247B3FC" showvalue="00D002-47B3FC" showdtl="00D002-47B3FC (Unicast address, vendor code not available)" showmap="code not available" /> <field name="type" longname="Ethertype - Length" size="2" pos="12"
value="0800" showvalue="2048" showdtl="0x0800 (Ethertype)" /> </proto> <proto name="ip" longname="IPv4 (Internet Protocol version 4)"
pos="14" size="20">
<field name="ver" longname="Version" size="1" pos="14" value="45"
mask="f0" showvalue="4" />
<field name="hlen" longname="Header length" size="1" pos="14"
value="45" mask="0f" showvalue="5" showdtl="20 (field value = 5)" /> <field name="tos" longname="Type of service" size="1" pos="15"
value="00" showvalue="0x00" />
<field name="tlen" longname="Total length" size="2" pos="16"
value="0034" showvalue="52" />
<field name="identification" longname="Identification" size="2"
pos="18" value="3612" showvalue="13842" /> <field name="ffo" longname="Flags and Fragment offset" size="2" pos="20" > <field name="unused" longname="Unused" size="2" pos="20" value="4000"
mask="8000" showvalue="0b0..............." /> <field name="df" longname="Don't fragment" size="2" pos="20"
value="4000" mask="4000" showvalue="0b.1.............." /> <field name="mf" longname="More fragments" size="2" pos="20"
value="4000" mask="2000" showvalue="0b..0............." /> <field name="foffset" longname="Fragment offset" size="2" pos="20"
value="4000" mask="1fff" showvalue="0" showdtl="0 (field value = 0)"
/>
</field>
<field name="ttl" longname="Time to live" size="1" pos="22" value="38"
showvalue="56" />
<field name="nextp" longname="Next protocol" size="1" pos="23"
value="06" showvalue="6" />
<field name="hchecksum" longname="Header Checksum" size="2" pos="24"
value="452F" showvalue="0x452F" />
<field name="src" longname="Source address" size="4" pos="26"
value="52FC3B9C" showvalue="82.252.59.156" /> <field name="dst" longname="Destination address" size="4" pos="30"
value="4224F6C6" showvalue="66.36.246.198" /> </proto> <proto name="tcp" longname="TCP (Transmission Control Protocol)"
pos="34" size="32">
<field name="sport" longname="Source port" size="2" pos="34"
value="0D7D" showvalue="3453" />
<field name="dport" longname="Destination port" size="2" pos="36"
value="0050" showvalue="80" />
<field name="seq" longname="Sequence number" size="4" pos="38"
value="B20A5764" showvalue="2987022180" /> <field name="ack" longname="Acknowledgement Number" size="4" pos="42"
value="00000000" showvalue="0" />
<field name="hlen" longname="Header length" size="2" pos="46"
value="8002" mask="f000" showvalue="8" showdtl="32 (field value = 8)"
/>
<field name="res" longname="Reserved (must be zero)" size="2" pos="46"
value="8002" mask="0fc0" showvalue="0x0000" /> <field name="flags" longname="Flags" size="2" pos="46" value="8002"
mask="003f" showvalue="0x0002" >
<field name="urg" longname="Urgent pointer" size="2" pos="46"
value="8002" mask="0020" showvalue="0b..........0....." /> <field name="ackf" longname="Ack valid" size="2" pos="46" value="8002"
mask="0010" showvalue="0b...........0...." /> <field name="push" longname="Push requested" size="2" pos="46"
value="8002" mask="0008" showvalue="0b............0..." /> <field name="rst" longname="Reset requested" size="2" pos="46"
value="8002" mask="0004" showvalue="0b.............0.." /> <field name="syn" longname="Syn requested" size="2" pos="46"
value="8002" mask="0002" showvalue="0b..............1." /> <field name="fin" longname="Fin requested" size="2" pos="46"
value="8002" mask="0001" showvalue="0b...............0" /> </field> <field name="win" longname="Window size" size="2" pos="48"
value="FFFF" showvalue="65535" />
<field name="crc" longname="Checksum" size="2" pos="50" value="9085"
showvalue="0x9085" />
<field name="urg" longname="Urgent Pointer" size="2" pos="52"
value="0000" showvalue="0x0000" />
<field name="options" longname="TCP Options" size="12" pos="54" > <field name="mss" longname="Maximum Segment Size" size="4" pos="54" > <field name="type" longname="Type" size="1" pos="54" value="02" showvalue="2" /> <field name="length" longname="Option length" size="1" pos="55"
value="04" showvalue="4" />
<field name="maxssize" longname="Maximum Segment Size" size="2"
pos="56" value="0584" showvalue="1412" /> </field> <field name="noperation" longname="No Operation" size="1" pos="58" > <field name="type" longname="Type" size="1" pos="58" value="01" showvalue="1" /> </field> <field name="winscale" longname="TCP Windows Scale Option" size="3" pos="59" > <field name="type" longname="Type" size="1" pos="59" value="03" showvalue="3" /> <field name="length" longname="Option Length" size="1" pos="60"
value="03" showvalue="3" />
<field name="shift.cnt" longname="Shift Count" size="1" pos="61"
value="04" showvalue="4" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="62" > <field name="type" longname="Type" size="1" pos="62" value="01" showvalue="1" /> </field> <field name="noperation" longname="No Operation" size="1" pos="63" > <field name="type" longname="Type" size="1" pos="63" value="01" showvalue="1" /> </field> <field name="sackpermitted" longname="Sack-Permitted Option" size="2" pos="64" > <field name="type" longname="Type" size="1" pos="64" value="04" showvalue="4" /> <field name="length" longname="Option Length" size="1" pos="65"
value="02" showvalue="2" />
</field>
</field>
</proto>
</packet></pdml>

On Wed, May 28, 2008 at 5:20 AM, Jonathan Adams <keirre.adams@...> wrote:

> John,
>
> I am running late for my real job :) but when i come back Ill run
> some more test and post the results.
>
> BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> or ftp traffic... something is proxying through my box...
>
> Im sure of it
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're
>> seeing this traffic from. I work for a large managed security service
>> provider and I could cross reference these networks against data that
>> we're seeing from our corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attemptes in my logs, but I
>>> do not have mod proxy turned on. I suspect my server is on some
>>> list. I firewalled off a large number of subnets from China and my
>>> traffic dropped for a few days, then this morning, 2735MB
>>> transferred in 24 hrs.
>>>
>>> As of right now, I am planning to blackhole all China traffic,
>>> since thats where most of this is comming from, along with the
>>> occasional traffic from France and other places in Eur. Is this
>>> common? If so are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." - Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla@...
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." - Mohandas Gandhi
>

Re: [Pinguzilla] Weird Traffic

2008-05-29T01:15:25Z

What was the result of ntop? protocol breakdowns, top IP SRC/DST etc.
Does syslog point you to anything suspicious?
chkrootkit ?
What do you use to audit your Apache logs? Does that show up anything
interesting (hosting a large file for download maybe).

Without physical access, it's hard to trust the output of tools you
install.

-Leon

On 28 May 2008, at 10:20, Jonathan Adams wrote:

> John,
>
> I am running late for my real job :) but when i come back Ill run
> some more test and post the results.
>
> BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> or ftp traffic... something is proxying through my box...
>
> Im sure of it
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're
>> seeing this
>> traffic from. I work for a large managed security service provider
>> and I
>> could cross reference these networks against data that we're seeing
>> from our
>> corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attemptes in my logs, but
>>> I do
>>> not have mod proxy turned on. I suspect my server is on some
>>> list. I
>>> firewalled off a large number of subnets from China and my traffic
>>> dropped for a few days, then this morning, 2735MB transferred in 24
>>> hrs.
>>>
>>> As of right now, I am planning to blackhole all China traffic, since
>>> thats where most of this is comming from, along with the occasional
>>> traffic from France and other places in Eur. Is this common? If so
>>> are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." -
>>> Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla@...
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>

Re: [Pinguzilla] Weird Traffic

2008-05-28T14:16:15Z

Well... I got the results of an 11hr TCPDUMP run.. and it shows...
NOTHING.. a couple of probes, lots of network traffic (router
messages, ARP requests, Windows NETBIOS noise from my ISP's lan) only
got a few probes today... apparently the FW rules shut down most of
the traffic for now.

What is weird is this: my ipfw has this

07700 deny log ip from 82.0.0.0/8 to any
07800 deny log ip from any to 82.0.0.0/8

yet the TCP dump shows this:

<pdml>
<packet>
<proto name="geninfo" longname="General information" pos="0" size="66">
<field name="num" longname="Number" showvalue="117" value="117"
pos="0" size="66"/>
<field name="linklayer" longname="Link Layer" showvalue="1" value="1"
showmap="Ethernet" pos="0" size="66"/>
<field name="len" longname="Packet Length" showvalue="66" value="66"
pos="0" size="66"/>
<field name="caplen" longname="Captured Length" showvalue="66"
value="66" pos="0" size="66"/>
<field name="timestamp" longname="Captured Time"
showvalue="09:44:09.621223" value="1211982249.621223" pos="0"
size="66"/>
</proto>
<proto name="ethernet" longname="Ethernet 802.3" pos="0" size="14">
<field name="dst" longname="MAC Destination" size="6" pos="0"
value="000D6103491A" showvalue="000D61-03491A" showdtl="000D61-03491A
(Unicast address, vendor code not available)" showmap="code not
available" />
<field name="src" longname="MAC Source" size="6" pos="6"
value="00D00247B3FC" showvalue="00D002-47B3FC" showdtl="00D002-47B3FC
(Unicast address, vendor code not available)" showmap="code not
available" />
<field name="type" longname="Ethertype - Length" size="2" pos="12"
value="0800" showvalue="2048" showdtl="0x0800 (Ethertype)" />
</proto>
<proto name="ip" longname="IPv4 (Internet Protocol version 4)"
pos="14" size="20">
<field name="ver" longname="Version" size="1" pos="14" value="45"
mask="f0" showvalue="4" />
<field name="hlen" longname="Header length" size="1" pos="14"
value="45" mask="0f" showvalue="5" showdtl="20 (field value = 5)" />
<field name="tos" longname="Type of service" size="1" pos="15"
value="00" showvalue="0x00" />
<field name="tlen" longname="Total length" size="2" pos="16"
value="0034" showvalue="52" />
<field name="identification" longname="Identification" size="2"
pos="18" value="3612" showvalue="13842" />
<field name="ffo" longname="Flags and Fragment offset" size="2" pos="20" >
<field name="unused" longname="Unused" size="2" pos="20" value="4000"
mask="8000" showvalue="0b0..............." />
<field name="df" longname="Don't fragment" size="2" pos="20"
value="4000" mask="4000" showvalue="0b.1.............." />
<field name="mf" longname="More fragments" size="2" pos="20"
value="4000" mask="2000" showvalue="0b..0............." />
<field name="foffset" longname="Fragment offset" size="2" pos="20"
value="4000" mask="1fff" showvalue="0" showdtl="0 (field value = 0)"
/>
</field>
<field name="ttl" longname="Time to live" size="1" pos="22" value="38"
showvalue="56" />
<field name="nextp" longname="Next protocol" size="1" pos="23"
value="06" showvalue="6" />
<field name="hchecksum" longname="Header Checksum" size="2" pos="24"
value="452F" showvalue="0x452F" />
<field name="src" longname="Source address" size="4" pos="26"
value="52FC3B9C" showvalue="82.252.59.156" />
<field name="dst" longname="Destination address" size="4" pos="30"
value="4224F6C6" showvalue="66.36.246.198" />
</proto>
<proto name="tcp" longname="TCP (Transmission Control Protocol)"
pos="34" size="32">
<field name="sport" longname="Source port" size="2" pos="34"
value="0D7D" showvalue="3453" />
<field name="dport" longname="Destination port" size="2" pos="36"
value="0050" showvalue="80" />
<field name="seq" longname="Sequence number" size="4" pos="38"
value="B20A5764" showvalue="2987022180" />
<field name="ack" longname="Acknowledgement Number" size="4" pos="42"
value="00000000" showvalue="0" />
<field name="hlen" longname="Header length" size="2" pos="46"
value="8002" mask="f000" showvalue="8" showdtl="32 (field value = 8)"
/>
<field name="res" longname="Reserved (must be zero)" size="2" pos="46"
value="8002" mask="0fc0" showvalue="0x0000" />
<field name="flags" longname="Flags" size="2" pos="46" value="8002"
mask="003f" showvalue="0x0002" >
<field name="urg" longname="Urgent pointer" size="2" pos="46"
value="8002" mask="0020" showvalue="0b..........0....." />
<field name="ackf" longname="Ack valid" size="2" pos="46" value="8002"
mask="0010" showvalue="0b...........0...." />
<field name="push" longname="Push requested" size="2" pos="46"
value="8002" mask="0008" showvalue="0b............0..." />
<field name="rst" longname="Reset requested" size="2" pos="46"
value="8002" mask="0004" showvalue="0b.............0.." />
<field name="syn" longname="Syn requested" size="2" pos="46"
value="8002" mask="0002" showvalue="0b..............1." />
<field name="fin" longname="Fin requested" size="2" pos="46"
value="8002" mask="0001" showvalue="0b...............0" />
</field>
<field name="win" longname="Window size" size="2" pos="48"
value="FFFF" showvalue="65535" />
<field name="crc" longname="Checksum" size="2" pos="50" value="9085"
showvalue="0x9085" />
<field name="urg" longname="Urgent Pointer" size="2" pos="52"
value="0000" showvalue="0x0000" />
<field name="options" longname="TCP Options" size="12" pos="54" >
<field name="mss" longname="Maximum Segment Size" size="4" pos="54" >
<field name="type" longname="Type" size="1" pos="54" value="02" showvalue="2" />
<field name="length" longname="Option length" size="1" pos="55"
value="04" showvalue="4" />
<field name="maxssize" longname="Maximum Segment Size" size="2"
pos="56" value="0584" showvalue="1412" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="58" >
<field name="type" longname="Type" size="1" pos="58" value="01" showvalue="1" />
</field>
<field name="winscale" longname="TCP Windows Scale Option" size="3" pos="59" >
<field name="type" longname="Type" size="1" pos="59" value="03" showvalue="3" />
<field name="length" longname="Option Length" size="1" pos="60"
value="03" showvalue="3" />
<field name="shift.cnt" longname="Shift Count" size="1" pos="61"
value="04" showvalue="4" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="62" >
<field name="type" longname="Type" size="1" pos="62" value="01" showvalue="1" />
</field>
<field name="noperation" longname="No Operation" size="1" pos="63" >
<field name="type" longname="Type" size="1" pos="63" value="01" showvalue="1" />
</field>
<field name="sackpermitted" longname="Sack-Permitted Option" size="2" pos="64" >
<field name="type" longname="Type" size="1" pos="64" value="04" showvalue="4" />
<field name="length" longname="Option Length" size="1" pos="65"
value="02" showvalue="2" />
</field>
</field>
</proto>
</packet></pdml>

On Wed, May 28, 2008 at 5:20 AM, Jonathan Adams <keirre.adams@...> wrote:

> John,
>
> I am running late for my real job :) but when i come back Ill run
> some more test and post the results.
>
> BTW, 1.5 GB transferred yesterday. there is no way this is valid web
> or ftp traffic... something is proxying through my box...
>
> Im sure of it
>
> On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:
>>
>> Jonathan,
>>
>> I'd be curious to get a copy of the list of networks that you're seeing this
>> traffic from. I work for a large managed security service provider and I
>> could cross reference these networks against data that we're seeing from our
>> corporate customers.
>>
>> Regards,
>> -john
>>
>>
>> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>>
>>> All,
>>>
>>> I have a leased server I use to host some websites and for the past
>>> week I have been getting traffic warnings. The server has been
>>> transferring > 1GB of data per day, which is unusually high,
>>> especially since I moved my mail to Google Apps. I have noticed a
>>> ridiculous amount of attempted proxying attemptes in my logs, but I do
>>> not have mod proxy turned on. I suspect my server is on some list. I
>>> firewalled off a large number of subnets from China and my traffic
>>> dropped for a few days, then this morning, 2735MB transferred in 24
>>> hrs.
>>>
>>> As of right now, I am planning to blackhole all China traffic, since
>>> thats where most of this is comming from, along with the occasional
>>> traffic from France and other places in Eur. Is this common? If so
>>> are there any other remedies?
>>>
>>> --
>>>
>>> "Strength does not come from physical capacity. It comes from an
>>> indomitable will." -
>>> Mohandas Gandhi
>>>
>>> _______________________________________________
>>> Pinguzilla mailing list
>>> Pinguzilla@...
>>> http://www.as220.org/mailman/listinfo/pinguzilla
>>>
>>
>>
>
>
>
> --
> ___________________________
> Jon Adams
>
> web: http://www.scis.nova.edu/~jonaadam
> mail: keirre.adams@...
> ---------------------------------------------
>
> "Strength does not come from physical capacity. It comes from an
> indomitable will." -
> Mohandas Gandhi
>

Re: [Pinguzilla] Weird Traffic

2008-05-28T02:20:46Z

John,

I am running late for my real job :) but when i come back Ill run
some more test and post the results.

BTW, 1.5 GB transferred yesterday. there is no way this is valid web
or ftp traffic... something is proxying through my box...

Im sure of it

On Tue, May 27, 2008 at 11:06 PM, John Duksta <john@...> wrote:

>
> Jonathan,
>
> I'd be curious to get a copy of the list of networks that you're seeing this
> traffic from. I work for a large managed security service provider and I
> could cross reference these networks against data that we're seeing from our
> corporate customers.
>
> Regards,
> -john
>
>
> On May 27, 2008, at 7:59 AM, Jonathan Adams wrote:
>
>> All,
>>
>> I have a leased server I use to host some websites and for the past
>> week I have been getting traffic warnings. The server has been
>> transferring > 1GB of data per day, which is unusually high,
>> especially since I moved my mail to Google Apps. I have noticed a
>> ridiculous amount of attempted proxying attemptes in my logs, but I do
>> not have mod proxy turned on. I suspect my server is on some list. I
>> firewalled off a large number of subnets from China and my traffic
>> dropped for a few days, then this morning, 2735MB transferred in 24
>> hrs.
>>
>> As of right now, I am planning to blackhole all China traffic, since
>> thats where most of this is comming from, along with the occasional
>> traffic from France and other places in Eur. Is this common? If so
>> are there any other remedies?
>>
>> --
>>
>> "Strength does not come from physical capacity. It comes from an
>> indomitable will." -
>> Mohandas Gandhi
>>
>> _______________________________________________
>> Pinguzilla mailing list
>> Pinguzilla@...
>> http://www.as220.org/mailman/listinfo/pinguzilla
>>
>
>

Re: Weird Traffic

2008-05-28T02:18:44Z

Im on freeBSD, netstat doesnt like the -p without a parameter [protocol]

im familiar with pstree and lsof.. there's still no smoking guns

On Tue, May 27, 2008 at 5:31 PM, Michael Loftis <mloftis@...> wrote:

> if on linux -- the latter requires psmisc (or your dists equivalent)
> installed....
> netstat -anlp
> pstree -cuap
>
> lsof is another very useful utility.
>
> nmap can only look for open listening and *responding* ports. netstat -anlp
> will show you whats open in the kernel, assuming you've not been rooted.
>
> --On May 27, 2008 2:48:00 PM -0400 Jonathan Adams <keirre.adams@...>
> wrote:
>
>> I've not found the source of the majority of the data, but I have
>> found a huge amount of weird requests in my apache log, and I'm fairly
>> certain its http traffic... I may cron of a protocol analysis tool
>> tonite to see if I can find more. I've run nmap scans, but stupidly
>> have not used the udp scan as someone else posted... nothing amiss in
>> the process list...
>>
>> Theres no changes to my httpd.conf, and I dont see a big hit in my
>> disk space... dunno... it is a mystery. I'll do some more analysis
>> and if I find anything Ill post it to the list
>>
>> On 5/27/08, Pope <elpope@...> wrote:
>>>
>>> Hey Jonathan,
>>>
>>> It might sound obvious, but exactly WHAT KIND OF TRAFFIC is being moved?
>>>
>>> I mean, if it's just HTTP traffic, and you've transferred 2.7 GB in one
>>> day, you should start thinking about what you are hosting. Sounds to me
>>> like someone planted a file server in there without you noticing; could
>>> be?
>>>
>>> Find the content being transferred (warez, movies, porn... you can bet)
>>> and remove it. End of the problem.
>>>
>>> Regards
>>>
>>>
>>> On Tue, May 27, 2008 at 1:59 PM, Jonathan Adams <keirre.adams@...>
>>> wrote:
>>> > All,
>>> >
>>> > I have a leased server I use to host some websites and for the past
>>> > week I have been getting traffic warnings. The server has been
>>> > transferring > 1GB of data per day, which is unusually high,
>>> > especially since I moved my mail to Google Apps. I have noticed a
>>> > ridiculous amount of attempted proxying attemptes in my logs, but I do
>>> > not have mod proxy turned on. I suspect my server is on some list. I
>>> > firewalled off a large number of subnets from China and my traffic
>>> > dropped for a few days, then this morning, 2735MB transferred in 24
>>> > hrs.
>>> >
>>> > As of right now, I am planning to blackhole all China traffic, since
>>> > thats where most of this is comming from, along with the occasional
>>> > traffic from France and other places in Eur. Is this common? If so
>>> > are there any other remedies?
>>> >
>>> > --
>>> >
>>> > "Strength does not come from physical capacity. It comes from an
>>> > indomitable will." -
>>> > Mohandas Gandhi
>>> >
>>>
>>>
>>>
>>> --
>>> Pope
>>> elpope # gmail · com
>>>
>>> "You have been down there, Neo. You know that road. You know exactly
>>> where it ends. And I know that's not where you want to be." [Trinity @
>>> Matrix]
>
>
>
> --
> "Genius might be described as a supreme capacity for getting its possessors
> into trouble of all kinds."
> -- Samuel Butler
>