Security Incidents mailing list archives
Re: No Idea
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 25 Jan 2000 17:56:16 -0800
* The web master should adjust his server software and stop displaying every poster's IP address because the hacker saw and took it as a path of attack.
This is indeed a privacy risk; however, it is so common, I'm not sure what you'd do about it. For example, if you examine the headers of this e-mail, you could use that to discover roughly what IP address I'm coming from. (Though, I do forge part of the information).
* For dialup Internet users, just disconnect the line from Internet immediately after postings. And then re-connect the line back. Then, the poster's IP address would differ from the one when he was posting.
This doesn't quite solve the problem, especially for DSL or cable-modem users. When you dial up, you'll usually get an IP address close to the one you had before.
* For non-Microsoft OS users, just ignore that hacker's threats.
I'm not quite sure why you'd say that. Win9x comes with a pitiful amount of network services, whereas the average Linux box I find on the net has everything turned on, and is vulnerable to some sort of hack against Linuxconf, IMAP, POP, etc. Heck, a large enough number of machines allow me to connect to X Windows and spy on keystrokes. True, Win9x users are more ignorant of security concerns, but there is a reason why port 111 (RPC), port 21 (Telnet), etc. probes are so common. The only systems on which you can safely ignore such threats are Windows CE, PalmPilots, and Macintoshes.
* If a PC is attacked, at worst, resetting EPROM can still rescue it back. There is no need to throw it away as told by that hacker.
You are confused between the BIOS settings held in NVRAM and the BIOS itself held in the EEPROM. Recovering from a corrupted EEPROM can be tricky and probably is beyond the capability of most users.
* If the victim wanted, he could present the hacker's IP address shown on the site to the court and he would be put behind the bar.
Not really. The easiest defense is for the hacker to install SOCKS on his/her machine and claim complete innocence (no officer, some hacker was just using my machine; I'm a victim too).
The next day, the hacker posted another message to the site in response to my "recipe":
* He can virtually break any OS, and the tricks he uses do not differ much.
This is, of course, simple boasting. What it means is simply that he is a script kiddy who has learned how to use lots of scripts. Trust me: anybody who actually figures out how computers really work spends their energy making $$$ rather than responding to primate dominance games on BBSs/chatrooms.
* His virus can reside in "virtual memory" and can still survive with disk replaced and he has knowledge of backdoor viruses such as trojan.
This is not true. What he really means is that he can reset some of the CMOS NVRAM (non-volatile RAM) settings.
* How did the hacker acquire posters' IP addresses without viewing the pages sent by web server?
Lots of ways, but it really depends upon the nature of the BBS. A classic way is to post HTML with a tag like <img src="http://mysite.example.com/foo.gif"> that points back to your site. Lots of BBSs cleanse HTML tags for this purpose.
* How can a host with spoofed IP address post messages to web sites?
The word "spoof" has a specialized meaning: the person in question isn't "spoofing" his IP address, but has instead hijacked somebody else's machine to post from. For more info on spoofing, check out: http://www.robertgraham.com/pubs/hacking-dict.html#spoof
* Is it possible to trace a spoofed IP address and acquire its real one?
No. You can act like a private eye and track him down (i.e. contact the victim with the hijacked machine in order to monitor where the hacker really comes from), but there is no easy way to do it.
* How did the hacker aggressively send virus to victims without the victim's involvement - only by knowing the victim's IP address? This trick has a great deal of differences from those patterns of activities such as victims' downloading files!
The standard way is that people have "File and Print Sharing" enabled. This will allow me to connect to the victim and install a trojan horse in that person's startup folder. The next time the victim reboots, poof, they're infected. In other words, the victim unknowingly had converted his machine into a file server that allows anybody in the world access. However, my bet is that this clueless person had accidentally compromised himself with a remote access trojan a long time ago and that the hacker had simply scanned the machine and found the existing trojan.
* Because the victim had been explicitly threatened before vanishing, I would assume that the victim was not so stupid as to launch the virus when he saw any suspicious program sent to his Windows. So what confuses me is: how did the attacker launch (i.e. activate, run, or execute) the virus residing in a victim's Windows - only by knowing the victim's IP address?
Same question as above. BTW, you have a misconception as to the difference between a "virus" and a "trojan". You may want to check out the references:
http://www.robertgraham.com/pubs/hacking-dict.html#virus
http://www.robertgraham.com/pubs/hacking-dict.html#trojan
http://www.robertgraham.com/pubs/hacking-dict.html#rat
* The hacker claimed that he can do the same to Mac or Unix as he had just done to Windows and all what he needs are a few efforts. Is that true?
yes/no, it doesn't matter. Imagine that the hacker is some kid who has learned a couple of magic tricks. You, another kid, do not know how the tricks are done and are very impressed by them. This "hacker" you are talking about is not some wizard, but is instead some script kiddy who knows barely more than you do.
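The reply above notes that a poster can embed an image tag pointing at a host he controls so that every reader's browser fetches it (and logs the reader's IP), and that many BBSs cleanse HTML for that reason. The following sanitizer is an added example of that server-side check, not code from the original message or from any BBS software; the BBS hostname, the sample post and the class name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes that make a reader's browser fetch a resource automatically,
# which is how a posted <img src="http://attacker/foo.gif"> harvests readers'
# IP addresses. Plain <a href> links are left alone: following one is voluntary.
REMOTE_FETCH_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                      "embed": "src", "object": "data", "link": "href"}


class PostSanitizer(HTMLParser):
    """Hypothetical helper: copies a post through, dropping any tag that would
    make the reader's browser contact a host other than the BBS itself.
    HTML comments are discarded (no handle_comment), entities pass through."""

    def __init__(self, own_host):
        super().__init__(convert_charrefs=False)  # re-emit &amp; etc. unchanged
        self.own_host = own_host.lower()
        self.out = []
        self.dropped = []  # (tag, url) pairs removed from the post

    def _foreign_url(self, tag, attrs):
        wanted = REMOTE_FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                host = urlparse(value.strip()).hostname
                # relative URLs have no host and stay on the BBS: keep them
                if host and host.lower() != self.own_host:
                    return value
        return None

    def handle_starttag(self, tag, attrs):
        url = self._foreign_url(tag, attrs)
        if url is not None:
            self.dropped.append((tag, url))
            return
        self.out.append(self.get_starttag_text())  # original text, e.g. <br/>

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def sanitize_post(html_text, own_host):
    """Return (cleaned_html, dropped) for one user-submitted post."""
    p = PostSanitizer(own_host)
    p.feed(html_text)
    p.close()
    return "".join(p.out), p.dropped
```

Logging the `dropped` list gives the web master a record of which posts tried to pull images from outside hosts, which is the signal the original poster would have wanted before the threats started.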