
Thread: 1 kiddiot down - several hundred thousand to go!

  1. #1
    Senior Member
    Join Date
    Apr 2002
    Posts
    324

    Network Intrusions

    This is an impromptu tutorial on tracing skiddiots - because I just found one in our logs:

    ClientHost LogTime Service Machine
    -------------------------------------------------------------------------------
    199.111.104.201 2002-06-15 17:49:30.000 W3SVC1 NTSA-SERV

    ServerIP Target Parameters
    ----------------------------------------------------------------------------
    xxx.xxx.xxx.xxx /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir

    I'm sure we all recognise the cook-book directory traversal exploit attempted here (which failed btw). So it's a kiddiot. Let's take a quick trip to www.samspade.org :

    Trying whois -h whois.arin.net 199.111.104.201
    VERnet (NETBLK-VERNET-CIDR1)
    University of Virginia
    Academic Computing Center
    Gilmer Hall
    Charlottesville, VA 22901
    US

    Netname: NETBLK-VERNET-CIDR1
    Netblock: 199.111.0.0 - 199.111.255.255
    Maintainer: VER

    Coordinator:
    Jokl, James A. (JAJ17-ARIN) jaj@VIRGINIA.EDU
    (804) 924-0616

    Domain System inverse mapping provided by:

    UVAARPA.VIRGINIA.EDU 128.143.2.7
    JUNO.ACC.VIRGINIA.EDU 128.143.22.119

    Record last updated on 05-Apr-1994.
    Database last updated on 14-Jun-2002 20:01:02 EDT.

    So the kiddiot is (probably) a student at University of Virginia. A nasty letter to the Netblock administrator will mean that's one kiddiot who's in for a nasty shock Monday morning. Word Up - and the word was 'busted'.

    Hi --

    You are listed as the admin contact for the Netblock: 199.111.0.0 - 199.111.255.255

    University of Virginia
    Academic Computing Center
    Gilmer Hall
    Charlottesville, VA 22901


    We monitored an attempted network intrusion from an address in your IP range today (2002-06-15). The attack (which failed) came from IP address 199.111.104.201 at 17:49:30 (GMT). The actual attack attempted was a simple directory traversal exploit against a command line.

    I would be grateful if you could take appropriate sanctions against the student involved. Someone obviously considers themselves to be 'l33t' - perhaps you could explain to them that under new US legislation such exploits are classed as terrorism.

    Regards,
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
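The log check and whois hand-off described in this post, as an added Python example that is not part of the original thread; the sample log lines and the 203.0.113.x addresses are constructed, and the column order follows the post's log excerpt.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the column order the post's log uses:
# ClientHost LogTime Service Machine ServerIP Target Parameters
SAMPLE_LOG = """\
199.111.104.201 2002-06-15 17:49:30 W3SVC1 NTSA-SERV xxx.xxx.xxx.xxx /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir
203.0.113.55 2002-06-15 17:50:02 W3SVC1 NTSA-SERV xxx.xxx.xxx.xxx /index.html -
203.0.113.77 2002-06-15 17:51:10 W3SVC1 NTSA-SERV xxx.xxx.xxx.xxx /scripts/..%255c../winnt/system32/cmd.exe /c+dir
"""

TRAVERSAL = re.compile(r"(^|/)\.\.(?=/)")          # ".." between separators after decoding
CMD_EXE = re.compile(r"winnt/system32/cmd\.exe", re.IGNORECASE)  # the cook-book target

def normalise(target: str) -> str:
    """Decode twice (so %255c -> %5c -> backslash) and fold backslashes to '/'."""
    return unquote(unquote(target)).replace("\\", "/")

def parse_line(line: str):
    """Split one log line into named columns; None for lines too short to be a request."""
    fields = line.split(maxsplit=7)
    if len(fields) < 7:
        return None
    fields += ["-"] * (8 - len(fields))  # pad a missing Parameters column
    ip, date, time, _service, _machine, _server_ip, target, params = fields
    return {"ip": ip, "when": f"{date} {time}", "target": target, "params": params}

def scan(log_text: str):
    """Return entries whose decoded target is a traversal attempt and/or reaches cmd.exe."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        decoded = normalise(entry["target"])
        reasons = [name for name, rx in (("directory traversal", TRAVERSAL),
                                         ("cmd.exe reached", CMD_EXE)) if rx.search(decoded)]
        if reasons:
            hits.append({**entry, "decoded": decoded, "reasons": reasons})
    return hits

def suspects(log_text: str):
    """Unique source addresses to take to whois, the post's next step via samspade."""
    return sorted({h["ip"] for h in scan(log_text)})

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["when"], hit["decoded"], "|", ", ".join(hit["reasons"]))
    print("whois:", suspects(SAMPLE_LOG))
```

Decoding twice matters because the `%255c` form only becomes a backslash after the second pass, so a single-decode check misses it while the web server may still honour it.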

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    lol, good work. This is exactly what all of you should do when something like this happens: don't retaliate with DoS or something, just turn them in. It does so much more damage, hehe.

  3. #3
    Senior Member
    Join Date
    Dec 2001
    Posts
    119
    Nice post ntsa. You can also view this approach as keeping the arcane knowledge to the select few smart enough, who already know it, or, who are more intelligent than to do crap like this.

  4. #4
    Senior Member
    Join Date
    May 2002
    Posts
    168
    i'm gonna try that, sounds like fun =) I get attempted "hack-ins" all the time so it should be fun to get them back in a legal way. lol
    "Why is the bomb always gettin' the last word?" - Will Smith - Lost & Found (2005)

  5. #5
    Junior Member
    Join Date
    Dec 2001
    Posts
    29
    I was just wondering if you had got a response the netblock admin about this and what they had to say about it?

  6. #6
    Junior Member
    Join Date
    May 2002
    Posts
    15
    so let me get this straight...
    every time my zone alarm/visualzone report alerts me to someone trying to scan my box or something like that i can report them....??
    i would be a busy guy i think..

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Location
    Ireland
    Posts
    734
    Cool tutorial ntsa!

  8. #8
    turning someone in is good but how do you get them kicked if they are just some pre-pubescent sub7 user sitting behind his comp and DoS-ing random sites? can you screw them just because they tried to ping flood you?

  9. #9
    Senior Member
    Join Date
    May 2002
    Posts
    450
    Isn't this an attack from some Nimda/Code Red infected MS server ??? I get hundreds of these a month .... sorted the problem with mod_antihak for Apache .... adds the infected server's IP to iptables and blocks them at the first attempt .... saves filling the logs with this stuff.

    Check it out at ..

    http://apantihak.sourceforge.net/

    this Apache module actually came rolled up in the latest Mandrake Linux release.

  10. #10
    Senior Member
    Join Date
    Apr 2002
    Posts
    324
    Another gem from my log file --

    Has anyone seen any advisory relating to an attack against ADSAdClient31.dll? I don't have this .dll (I wrote my own banner software) and I have never seen it in the wild. Parameters of the GET request passed to the (non-existent) .dll were:
    GetAd?PG=HOTBOS?SC=LG?HM=04514b47584b101e551e3b4719110440696909163a4513244c125b515f5244194149616d?LOC=I?TF=adframe?PUID=00014C60E6AC87BE?UC=1
    Does this look like an attempted buffer-overflow to anyone? Am I now dealing with someone a bit more serious or is this another cook-book exploit that I'm unaware of? Opinions? Only one hit in the log so I guess this attempt wasn't up close and personal - so it was probably some sort of vulnerability scanner iterating through an IP range.

    IP originates in Germany - Any ideas before I turn him in?
    "I may not agree with what you say, but I will defend to the death your right to say it."
    Sir Winston Churchill.
