Security Basics mailing list archives
RE: Company Firewall's IP Address
From: "Michael S Hines" <mshines () purdue edu>
Date: Tue, 12 Nov 2002 19:32:09 -0500
A little digging with our friend Sam Spade shows us the following ----
The Domain registration shows the following:
Registrant:
BONZI Software (BONZI-DOM)
P.O. Box 1222
San Luis Obispo
CA,93406
US
Domain Name: BONZI.COM
Administrative Contact, Technical Contact:
Administrator (ADM649-ORG) admin () BONZI COM
BONZI Software
P.O. Box 1222
San Luis Obispo, CA 93406
US
(805) 546-1955
Fax- (805) 546-1956
Record expires on 15-Sep-2009.
Record created on 14-Sep-1995.
Database last updated on 12-Nov-2002 19:08:29 EST.
Domain servers in listed order:
AUTH00.NS.UU.NET 198.6.1.65
AUTH61.NS.UU.NET 198.6.1.182
-----------
it returns an IP address of 63.68.55.189
-----------
pings to it this evening at 7:10 pm are failing... it may have been taken
down.
-----------
Bonzi owns a block of addresses - a subset of UUNET's addresses, as noted
11/12/02 19:11:27 IP block www.bonzi.com
Trying 63.68.55.189 at ARIN
Trying 63.68.55 at ARIN
UUNET Technologies, Inc. UUNET63 (NET-63-64-0-0-1)
63.64.0.0 - 63.127.255.255
Bonzi Software UU-63-68-54 (NET-63-68-54-0-1)
63.68.54.0 - 63.68.55.255
----------
a web inquiry shows the following:
11/12/02 19:14:18 Browsing http://www.bonzi.com/
Fetching http://www.bonzi.com/ ...
GET / HTTP/1.1
Host: www.bonzi.com
Connection: close
User-Agent: Sam Spade 1.14

HTTP/1.1 302 Object Moved
Location: http://www.bonzi.com/bonziportal/index.asp
Server: Microsoft-IIS/5.0
Content-Type: text/html
Connection: close
Content-Length: 165

<head><title>Document Moved</title></head>
----------
Sam Spade can be your friend - check it out at
http://samspade.org/ssw/dl.html
You'll have to draw your own conclusions.
If you're on the Internet (and not behind a proxy) then you ARE advertising
your IP addresses. Sounds like yours may have been found by a random
scanner. The good news is that it appears your firewall worked, your
internal address was not disclosed. And you wisely posted using a public
e-mail service (not your internal network id). Only problem was Yahoo
displayed the IP address of the Webmail poster in the message header - it
was posted by the host IP 63.163.99.130. The lookup on that is left as an
exercise for the reader...
All of the above information is in the public domain and readily available
using one or more of the tools that should be in an auditor's toolbox.
msh
---------------------------------------------------------
Michael S Hines | Phone 765-494-5875
Purdue University | FAX 765-496-1380
Information Technology@Purdue | Email mshines () purdue edu
OS/390 Systems Programmer | Certifications:
401 S Grant St | CIA, CISA, CFE, CDP
West Lafayette, IN 47907-2024 |
-----Original Message-----
From: owner-cisaca-l () purdue edu [mailto:owner-cisaca-l () purdue edu] On Behalf Of tony tony
Sent: Tuesday, November 12, 2002 5:09 PM
To: security-basics () securityfocus com; Cisaca
Subject: Company Firewall's IP Address
I was doing security research on the internet at work yesterday....when all
of a sudden I got a pop up advertisement that stated that I was broadcasting
my IP address to the entire internet. It then showed a screen with my IP
address which was the external IP interface of one of our company's
firewalls. It just bothers me that someone would be able to determine the IP
address of our firewall that easily. It seems to me that our firewall should
operate in a more stealth mode. Our firewall administrator said it is not
technically possible to do this. What is your take? I am not a checkpoint
firewall guru so I do not know. All I know is that if I was a hacker, I would
love to hammer away on an ip address that represented a firewall.
Click on the following to learn more about this pop up site.
http://www.bonzi.com/internetalert/ia99m.asp
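Added example, not part of the original thread: a short Python audit of which IPv4 addresses a message's trace headers disclose, the leak the reply points out in the webmail post. The sample message is constructed; the `X-Originating-IP` line and its 10.x address are assumptions added to show the internal-address case, and `disclosed_addresses` is a hypothetical helper name.

```python
import email
import ipaddress
import re

# Constructed sample (not the real headers of the post). The Received line
# mimics a webmail hop that records the poster's address.
SAMPLE = """\
Received: from [63.163.99.130] by web.example.net via HTTP;
\tTue, 12 Nov 2002 14:09:31 PST
X-Originating-IP: [10.20.30.40]
From: poster@example.net
Subject: Company Firewall's IP Address

body text
"""

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
TRACE_HEADERS = ("Received", "X-Originating-IP")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def disclosed_addresses(raw_message):
    """Return [(header, ip, scope)] for each IPv4 address in trace headers."""
    msg = email.message_from_string(raw_message)
    found = []
    for name in TRACE_HEADERS:
        for value in msg.get_all(name, []):
            for text in IP_RE.findall(value):
                try:
                    ip = ipaddress.ip_address(text)
                except ValueError:
                    continue  # dotted digits that are not a valid address
                internal = any(ip in net for net in RFC1918)
                found.append((name, str(ip), "rfc1918" if internal else "public"))
    return found


if __name__ == "__main__":
    for header, ip, scope in disclosed_addresses(SAMPLE):
        print(f"{header}: {ip} ({scope})")
```

An `rfc1918` result means the mail path is exposing internal addressing; a `public` result is the NAT or firewall address that any remote server sees anyway.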
