-
March 8th, 2005, 04:03 PM
#1
Junior Member
Linux Server Break-In Challenge
Saw this one on Slashdot and thought some on here might be interested. Linux Break-In Challenge
Am I the only one that is too paranoid (or ethical) to do any of these? I'm always afraid that if I'm successful men in sunglasses and black suits will show up at my house...
\"I would like to electrocute everyone who uses the word \"fair\" in connection with income tax policies.\"
- William F. Buckley Jr.
-
March 8th, 2005, 09:43 PM
#2
There's nothing unethical about it, as far as I can see. But IMHO what self-respecting hacker is going to give away his best kept secrets to root a box that has nothing on it, and then gets to receive nothing for his troubles. I mean really, why would I go to the trouble of breaking in to a house that was built expressly for that purpose to get a handshake when I can break in to the house next door that has a big plasma TV still inside the box?
Duh, george. Some people.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
March 8th, 2005, 10:29 PM
#3
Because a TV is too hard to move out of the house without getting caught.
Any good thief knows that when you get in you go right for the silver, the jewelry, any computers, paintings, and if it's me, the medicine drawer.
And if you're a real dick like my friend, you steal the batteries out of the remote controls of everything in the house so they all have to get up to change the channel. You'd be shocked how long people go without batteries because they are too lazy to go to the store.
-
March 9th, 2005, 12:29 AM
#4
Hrmm.. this was brought up in my CISSP class by one of the students so while they were doing their quiz I decided to do some poking. Visit here for the details. These are my results so far:
Linuxense.com whois
Registrant:
Linuxense Information Systems (Pvt) Ltd (SIFADMOEFD)
TC 16/1623, Lalitha Mandir
Thycaud P.O.
Trivandrum, Kerala 695014
IN
Domain Name: LINUXENSE.COM
Administrative Contact:
Linuxense Information Systems (Pvt) Ltd (QYUWMZODBO) akz@linuxense.com
TC 16/1623, Lalitha Mandir
Thycaud P.O.
Trivandrum, Kerala 695014
IN
+91 471 23 24341
Technical Contact:
Network Solutions, LLC. (HOST-ORG) customerservice@networksolutions.com
13200 Woodland Park Drive
Herndon, VA 20171-3025
US
1-888-642-9675 fax: 571-434-4620
Record expires on 19-Feb-2006.
Record created on 19-Feb-2002.
Bulk whois optout: Y
Database last updated on 8-Mar-2005 18:28:24 EST.
Domain servers in listed order:
NS03.LINUXENSE.COM 69.44.61.248
NS02.LINUXENSE.COM 69.44.156.16
Off of their website the IP is listed as http://202.88.234.250/ . The WHOIS below shows the server as being in India. The placeholder page suggests they are using a default install of Debian with Apache 1.3.31 (the 404 error page shows this). Navigating into the icons directory (http://202.88.234.250/icons) shows the various icons, but navigating beyond the root of the web server isn't possible at this point. Telnet to 25, 23, 21 proved useless but 22 brought up some details: SSH-2.0-OpenSSH_3.8.1p1 Debian 1:3.8.1p1-4.1
inetnum: 202.88.224.0 - 202.88.239.255
netname: ASIANET
descr: Asianet is a ISP providing access through Cable.
country: IN
admin-c: PS104-AP
tech-c: PS104-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-IN-ASIANET
changed: hm-changed@apnic.net 20020710
status: ALLOCATED PORTABLE
source: APNIC
person: Praveen Shrikhande
address: Karimpanal Arcade, 3rd Floor
address: East Fort
address: Thiruvananthapuram - 695023
address: Kerala, India
country: IN
phone: +91-471-575353
fax-no: +91-471-575454
e-mail: praveen@asianetindia.com
nic-hdl: PS104-AP
mnt-by: MAINT-NEW
changed: sysadmin@asianetindia.com 20020704
source: APNIC
-
March 9th, 2005, 12:41 AM
#5
I think KorpDeath said it all.
ZT3000
Beta tester of "0"s and "1"s"
-
March 9th, 2005, 05:44 AM
#6
Junior Member
scan results
I ran nmap just for the hell of it. One surprising thing is the sheer amount of ports apparently open. My first instinct was that these aren't even real services running but some kind of decoy. Thoughts?
Also, the webpage says there is no firewall in front of the box, but something appears to be catching the scan (due to all the timing corrections done by nmap)... or am I way off about that?
----
Host 202.88.234.250 appears to be up ... good.
Interesting ports on 202.88.234.250:
(The 1559 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
7/tcp open echo?
9/tcp open discard?
13/tcp open daytime
18/tcp filtered msp
19/tcp filtered chargen
22/tcp open ssh?
25/tcp open smtp?
27/tcp filtered nsw-fe
33/tcp filtered dsp
37/tcp open time
80/tcp open http?
111/tcp open rpcbind?
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
162/tcp filtered snmptrap
175/tcp filtered vmnet
176/tcp filtered genrad-mux
184/tcp filtered ocserver
197/tcp filtered dls
198/tcp filtered dls-mon
206/tcp filtered at-zis
227/tcp filtered unknown
246/tcp filtered dsp3270
262/tcp filtered arcisdms
265/tcp filtered maybeFW1
305/tcp filtered unknown
314/tcp filtered opalis-robot
359/tcp filtered tenebris_nts
380/tcp filtered is99s
385/tcp filtered ibm-app
392/tcp filtered synotics-broker
396/tcp filtered netware-ip
437/tcp filtered comscm
445/tcp filtered microsoft-ds
477/tcp filtered ss7ns
488/tcp filtered gss-http
494/tcp filtered pov-ray
504/tcp filtered citadel
511/tcp filtered passgo
520/tcp filtered efs
553/tcp filtered pirp
566/tcp filtered streettalk
581/tcp filtered bdp
609/tcp filtered npmp-trap
626/tcp filtered unknown
653/tcp filtered unknown
654/tcp filtered unknown
660/tcp filtered mac-srvr-admin
697/tcp filtered unknown
704/tcp filtered elcsd
731/tcp filtered netviewdm3
735/tcp filtered unknown
740/tcp filtered netcp
743/tcp filtered unknown
756/tcp filtered unknown
789/tcp filtered unknown
806/tcp filtered unknown
822/tcp filtered unknown
847/tcp filtered unknown
856/tcp filtered unknown
879/tcp filtered unknown
905/tcp filtered unknown
935/tcp filtered unknown
941/tcp filtered unknown
976/tcp filtered unknown
977/tcp filtered unknown
990/tcp filtered ftps
1003/tcp filtered unknown
1027/tcp filtered IIS
1040/tcp filtered netsaint
1080/tcp filtered socks
1214/tcp filtered fasttrack
1351/tcp filtered equationbuilder
1363/tcp filtered ndm-requester
1371/tcp filtered fc-cli
1405/tcp filtered ibm-res
1422/tcp filtered autodesk-lm
1430/tcp filtered tpdu
1435/tcp filtered ibm-cics
1457/tcp filtered valisys-lm
1464/tcp filtered msl_lmd
1496/tcp filtered liberty-lm
1542/tcp filtered gridgen-elmd
1544/tcp filtered aspeclmd
1651/tcp filtered shiva_confsrvr
1720/tcp filtered H.323/Q.931
2011/tcp filtered raid-cc
2105/tcp filtered eklogin
3128/tcp filtered squid-http
3264/tcp filtered ccmail
4480/tcp filtered proxy-plus
5301/tcp filtered hacl-gs
5432/tcp open postgres?
5801/tcp filtered vnc-http-1
6007/tcp filtered X11:7
6588/tcp filtered analogx
8081/tcp filtered blackice-icecap
13706/tcp filtered VeritasNetbackup
32770/tcp filtered sometimes-rpc3
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port5432-TCP:V=3.70%D=3/8%Time=422E6E97%P=powerpc-apple-darwin7.5.0%r(S
SF:MBProgNeg,85,"E\0\0\0\x84SFATAL\0C0A000\0Munsupported\x20frontend\x20pr
SFtocol\x2065363\.19778:\x20server\x20supports\x201\.0\x20to\x203\.0\0Fp
SFstmaster\.c\0L1293\0RProcessStartupPacket\0\0");
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=3.70%P=powerpc-apple-darwin7.5.0%D=3/8%Time=422E6F3D%O=7%C=1)
T1(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=0%ACK=O%Flags=AR%Ops=)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up) scanned in 3961.847 seconds
-
March 9th, 2005, 06:36 AM
#7
I wonder if your nmap scan is reporting stuff from their network equipment in front of the box...that would explain all those 'ports' or 'services', depending on the scan flags used, etc.
"Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
"...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
-
March 9th, 2005, 08:17 AM
#8
Junior Member
I believe all I did was, nmap -sS -v -O -sV. TCP SYN, TCP/ICMP pings, with version and OS detection...
-
March 9th, 2005, 11:02 AM
#9
I wonder if your nmap scan is reporting stuff from their network equipment in front of the box...that would explain all those 'ports' or 'services', depending on the scan flags used, etc.
One way to find out is to telnet to each of those services. I know I can connect to and get a response from all the open ports above except 25. That one closes connections (probably to avoid SMTP open relay issues, but may mean Sendmail is still running).
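To make the open-versus-filtered distinction from posts #6 and #9 concrete, here is an added example (not from any poster in this thread) that parses a few lines copied from the nmap output above and separates ports that actually answered from ones that were silently dropped. The sample lines and the port set used for the ISP-block check are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines taken from the nmap output quoted in post #6.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
7/tcp open echo?
22/tcp open ssh?
25/tcp open smtp?
80/tcp open http?
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
1080/tcp filtered socks
5432/tcp open postgres?
"""

# nmap "normal" output: <port>/<proto> <state> <service> [version...]
PORT_LINE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)")

# Windows networking ports that many ISPs drop upstream of the customer (assumed set).
ISP_BLOCKED_COMMON = {135, 137, 138, 139, 445}

def parse_ports(text):
    """Return (port, proto, state, service, confirmed) tuples.

    nmap appends '?' to a service name when the -sV probe got no recognizable
    banner, so the name is only a guess from the port number, not a confirmed
    service. A host answering on 'open' is real; 'filtered' means no SYN/ACK
    or RST came back at all, which is what a packet filter in the path produces."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue
        service = m.group("service")
        rows.append((int(m.group("port")), m.group("proto"), m.group("state"),
                     service.rstrip("?"), not service.endswith("?")))
    return rows

def summarize(rows):
    """Count states and say what the mix suggests about filtering in front of the host."""
    states = Counter(r[2] for r in rows)
    filtered = {r[0] for r in rows if r[2] == "filtered"}
    return {
        "states": dict(states),
        # open ports whose service name is still just a port-number guess
        "unconfirmed_open": [r[0] for r in rows if r[2] == "open" and not r[4]],
        # an unfirewalled host replies RST to closed ports; silence points upstream
        "likely_upstream_filter": bool(filtered),
        "filtered_isp_style": sorted(filtered & ISP_BLOCKED_COMMON),
    }
```

Run over the full scan in post #6 the same way, the large count of "filtered" entries is the signal that something between the scanner and the host is dropping packets, whatever the challenge page says about a firewall.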
-
March 10th, 2005, 02:38 AM
#10
Well! ... I've got a password prompt when I tried an rlogin to the address. We too share the same ISP, Asianet! Maybe give them a call and try out some social engineering.
Cheers
PaCketThirst