Security Incidents mailing list archives
No Idea
From: cn-liu () USA NET (CN)
Date: Tue, 25 Jan 2000 08:54:57 CST
Hello! Gurus, I have been visiting a web site (a BBS?) where people can post messages discussing topics. A hacker did not agree with another poster's point of view. He threatened that poster that he would destroy his machine if he did not stop posting. But that poster ignored the warning. One day, that hacker posted a message saying that he had sent "something" to that victim, and he should be able to see an icon on his Windows 95/98 and his disk would be formatted within 10 minutes. Whether or not that victim's disk was formatted by that virus, I have not seen any more postings from that victim since then. Later I posted a message to that site showing people how to protect from that hacker's attack as follows:

* The web master should adjust his server software and stop displaying every poster's IP address, because the hacker saw it and took it as a path of attack.
* For dialup Internet users, just disconnect the line from the Internet immediately after posting, and then re-connect the line. Then the poster's IP address would differ from the one he had when he was posting.
* For non-Microsoft OS users, just ignore that hacker's threats.
* If a PC is attacked, at worst, resetting the EPROM can still rescue it. There is no need to throw it away as told by that hacker.
* If the victim wanted, he could present the hacker's IP address shown on the site to the court and he would be put behind bars.

The next day, the hacker posted another message to the site in response to my "recipe":

* He actually, in contrast to the way I thought, does not acquire posters' IP addresses by viewing the posted messages displayed by the web server. He has special channel(s)! Besides, the IP addresses shown along with his messages on the web site were fake.
* He can virtually break any OS, and the tricks he uses do not differ much.
* His virus can reside in "virtual memory" and can still survive with the disk replaced, and he has knowledge of backdoor viruses such as trojans.
Here are my questions:

* How did the hacker acquire posters' IP addresses without viewing the pages sent by the web server?
* How can a host with a spoofed IP address post messages to web sites? I thought the pages sent by httpd could not reach the hacker's host at all. The effect would be that the hacker could not see any web page in the first place, because the packets sent from any httpd would lose their way when they start their journey from the web site. This was because, I thought, routers between the two hosts would forward the packets to the wrong places, since the "destination IP address" in the to-be-sent packets was incorrect (spoofed).
* Is it possible to trace a spoofed IP address and acquire its real one?
* How did the hacker aggressively send a virus to victims without the victim's involvement, only by knowing the victim's IP address? This trick has a great deal of difference from those patterns of activity such as victims downloading files!
* Because the victim had been explicitly threatened before vanishing, I would assume that the victim was not so stupid as to launch the virus when he saw any suspicious program sent to his Windows. So what confuses me is: how did the attacker launch (i.e. activate, run, or execute) the virus residing in a victim's Windows, only by knowing the victim's IP address?
* The hacker claimed that he can do the same to Mac or Unix as he had just done to Windows, and all he needs is a few efforts. Is that true?

Regards,
LCN