-
June 15th, 2002, 07:10 PM
#1
Network Intrusions
This is an impromptu tutorial on tracing skiddiots - because I just found one in our logs:
ClientHost LogTime Service Machine
-------------------------------------------------------------------------------
199.111.104.201 2002-06-15 17:49:30.000 W3SVC1 NTSA-SERV
ServerIP Target Parameters
----------------------------------------------------------------------------
xxx.xxx.xxx.xxx /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir
I'm sure we all recognise the cook-book directory traversal exploit attempted here (which failed, btw). So it's a kiddiot. Let's take a quick trip to www.samspade.org :
Trying whois -h whois.arin.net 199.111.104.201
VERnet (NETBLK-VERNET-CIDR1)
University of Virginia
Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901
US
Netname: NETBLK-VERNET-CIDR1
Netblock: 199.111.0.0 - 199.111.255.255
Maintainer: VER
Coordinator:
Jokl, James A. (JAJ17-ARIN) jaj@VIRGINIA.EDU
(804) 924-0616
Domain System inverse mapping provided by:
UVAARPA.VIRGINIA.EDU 128.143.2.7
JUNO.ACC.VIRGINIA.EDU 128.143.22.119
Record last updated on 05-Apr-1994.
Database last updated on 14-Jun-2002 20:01:02 EDT.
So the kiddiot is (probably) a student at the University of Virginia. A nasty letter to the Netblock administrator will mean that's one kiddiot who's in for a nasty shock Monday morning. Word Up - and the word was 'busted'.
Hi --
You are listed as the admin contact for the Netblock: 199.111.0.0 - 199.111.255.255
University of Virginia
Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901
We monitored an attempted network intrusion from an address in your IP range today (2002-06-15). The attack (which failed) came from IP address 199.111.104.201 at 17:49:30 (GMT). The actual attack attempted was a simple directory traversal exploit against a command line.
I would be grateful if you could take appropriate sanctions against the student involved. Someone obviously considers themselves to be 'l33t' - perhaps you could explain to them that under new US legislation that such exploits are classed as terrorism.
Regards,
\"I may not agree with what you say, but I will defend to the death your right to say it.\"
Sir Winston Churchill.
-
June 15th, 2002, 07:15 PM
#2
lol, good work. This is exactly what all of you should do when something like this happens: don't retaliate with DoS or something, just turn them in. It does so much more damage, hehe.
-
June 15th, 2002, 07:21 PM
#3
Senior Member
Nice post ntsa. You can also view this approach as keeping the arcane knowledge to the select few smart enough, who already know it, or, who are more intelligent than to do crap like this.
-
June 15th, 2002, 08:37 PM
#4
Senior Member
I'm gonna try that, sounds like fun =) I get attempted "hack-ins" all the time, so it should be fun to get them back in a legal way. lol
\"Why is the bomb always gettin\' the last word?\" - Will Smith - Lost & Found (2005)
-
June 15th, 2002, 08:40 PM
#5
Junior Member
I was just wondering if you had got a response from the netblock admin about this and what they had to say about it?
-
June 15th, 2002, 09:00 PM
#6
Junior Member
So let me get this straight...
Every time my ZoneAlarm/VisualZone report alerts me to someone trying to scan my box or something like that, I can report them...??
I would be a busy guy, I think..
-
June 15th, 2002, 09:12 PM
#7
Cool tutorial ntsa!
-
June 15th, 2002, 09:15 PM
#8
Turning someone in is good, but how do you get them kicked if they are just some pre-pubescent Sub7 user sitting behind his comp and DoS-ing random sites? Can you screw them just because they tried to ping flood you?
-
June 15th, 2002, 10:31 PM
#9
Isn't this an attack from some Nimda/Code Red infected MS server ??? I get hundreds of these a month .... sorted the problem with mod_antihak for Apache .... adds the infected server's IP to iptables and blocks them at the first attempt .... saves filling the logs with this stuff.
Check it out at ..
http://apantihak.sourceforge.net/
This Apache module actually came rolled up in the latest Mandrake Linux release.
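As an added example for posts #1 and #9 (this is not code from the thread, nor from mod_antihak), here is a small Python scanner that runs the check both posts describe over log lines in the column layout shown in the first post: it percent-decodes the request path repeatedly (so %255c double encoding is caught as well as %5c), folds the two overlong UTF-8 encodings of '/' and '\' that the IIS Unicode bug accepted, flags traversal to cmd.exe (and the root.exe copy of it that Code Red II left behind and Nimda probed for), counts hits per client and formats the evidence lines for a mail to the netblock contact. The sample log is constructed; its first line mirrors the request in post #1 with the x'd-out server IP replaced by 203.0.113.5, and the other client addresses and all function names are my own assumptions.

```python
"""Added example for this thread: spot the encoded directory-traversal /
cmd.exe requests from posts #1 and #9 in IIS-style log lines.
Not code from the original posts or from mod_antihak; sample data is
constructed, except the first line, which mirrors the request in post #1."""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote_to_bytes

# Constructed log lines in the column order shown in post #1:
# ClientHost LogTime Service Machine ServerIP Target Parameters
# (ServerIP 203.0.113.5 and the 192.0.2.x / 10.x clients are assumed values.)
SAMPLE_LOG = """\
199.111.104.201 2002-06-15 17:49:30.000 W3SVC1 NTSA-SERV 203.0.113.5 /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir
10.1.2.3 2002-06-15 17:50:01.000 W3SVC1 NTSA-SERV 203.0.113.5 /index.html -
192.0.2.7 2002-06-15 17:51:12.000 W3SVC1 NTSA-SERV 203.0.113.5 /scripts/..%255c../winnt/system32/cmd.exe /c+dir
192.0.2.9 2002-06-15 17:52:40.000 W3SVC1 NTSA-SERV 203.0.113.5 /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+dir
192.0.2.7 2002-06-15 17:53:05.000 W3SVC1 NTSA-SERV 203.0.113.5 /scripts/root.exe /c+dir
"""

# Overlong UTF-8 forms of '/' and '\' that unpatched IIS decoded only after
# its path check (the "Unicode" traversal bug).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# root.exe is the copy of cmd.exe that Code Red II dropped in /scripts and
# /MSADC; Nimda probed for it.
SHELL_NAMES = ("cmd.exe", "root.exe")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Decode a request path the way a lenient server would: percent-decode
    repeatedly (so %255c -> %5c -> backslash), map the overlong sequences,
    fold backslashes to '/' and lower-case, so '..%5c', '..%255c' and
    '..%c0%af' all compare equal to '../'."""
    current = raw
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(current)
        for overlong, plain in OVERLONG.items():
            decoded = decoded.replace(overlong, plain)
        text = decoded.decode("utf-8", errors="replace")
        if text == current:
            break
        current = text
    return current.replace("\\", "/").lower()


def classify(target: str) -> Optional[str]:
    """Label a request path, or return None if it looks benign."""
    path = normalize_path(target)
    traversal = bool(TRAVERSAL.search(path))
    shell = path.rsplit("/", 1)[-1] in SHELL_NAMES
    if traversal and shell:
        return "traversal-to-shell"
    if shell:
        return "direct-shell"
    if traversal:
        return "traversal"
    return None


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into the columns used in post #1."""
    parts = line.split()
    if len(parts) < 7:
        return None
    return {
        "client": parts[0], "date": parts[1], "time": parts[2],
        "service": parts[3], "machine": parts[4], "server": parts[5],
        "target": parts[6], "params": parts[7] if len(parts) > 7 else "-",
    }


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return the entries that match, each with its verdict and decoded path."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify(entry["target"])
        if verdict:
            entry["verdict"] = verdict
            entry["normalized"] = normalize_path(entry["target"])
            findings.append(entry)
    return findings


def offenders(findings: List[Dict[str, str]]) -> Counter:
    """Hits per client address: one probe from a scanner iterating a range
    reads differently from a sustained attempt by one host."""
    return Counter(f["client"] for f in findings)


def abuse_evidence(finding: Dict[str, str]) -> str:
    """Evidence lines for a mail to the netblock contact: the raw request
    and its decoded form, so the recipient can verify it in their own logs."""
    return "\n".join([
        f"Source IP:         {finding['client']}",
        f"Time (server log): {finding['date']} {finding['time']}",
        f"Request as logged: {finding['target']} {finding['params']}",
        f"Request decoded:   {finding['normalized']} {finding['params']}",
        f"Classification:    {finding['verdict']}",
    ])


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(abuse_evidence(hit), end="\n\n")
    print("hits per client:", dict(offenders(hits)))
```

The decode loop is capped at three rounds on purpose: a single unquote misses %255c, but decoding without a limit turns any literal percent sign in a benign path into a false positive generator. Run it over a real IIS log by feeding the file contents to scan_log instead of SAMPLE_LOG; the overlong map only covers the two sequences this thread's traversal depends on, so extend it if your logs show other forms.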
-
June 16th, 2002, 04:10 AM
#10
Another gem from my log file --
Has anyone seen any advisory relating to an attack against ADSAdClient31.dll? I don't have this .dll (I wrote my own banner software) and I have never seen it in the wild. Parameters of the GET request passed to the (non-existent) .dll were:
GetAd?PG=HOTBOS?SC=LG?HM=04514b47584b101e551e3b4719110440696909163a4513244c125b515f5244194149616d?LOC=I?TF=adframe?PUID=00014C60E6AC87BE?UC=1
Does this look like an attempted buffer overflow to anyone? Am I now dealing with someone a bit more serious, or is this another cook-book exploit that I'm unaware of? Opinions? Only one hit in the log, so I guess this attempt wasn't up close and personal - so it was probably some sort of vulnerability scanner iterating through an IP range.
IP originates in Germany - any ideas before I turn him in?
\"I may not agree with what you say, but I will defend to the death your right to say it.\"
Sir Winston Churchill.