Security Incidents mailing list archives

Re: No Idea


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Tue, 25 Jan 2000 17:56:16 -0800


* The web master should adjust his server software and stop displaying every
poster's IP address because the hacker saw and took it as a path of attack.

This is indeed a privacy risk; however, it is so common, I'm not sure what
you'd do about it. For example, if you examine the headers of this e-mail,
you could use that to discover roughly what IP address I'm coming from.
(Though, I do forge part of the information).

* For dialup Internet users, just disconnect the line from Internet
immediately after postings. And then re-connect the line back. Then, the
poster's IP address would differ from the one when he was posting.

This doesn't quite solve the problem, especially for DSL or cable-modem
users. When you dial up, you'll usually get an IP address close to the one
you had before.

* For non-Microsoft OS users, just ignore that hacker's threats.

I'm not quite sure why you'd say that. Win9x comes with a pitiful amount of
network services, whereas the average Linux box I find on the net has
everything turned on, and is vulnerable to some sort of hack against
Linuxconf, IMAP, POP, etc. Heck, a large enough number of machines allow me
to connect to X Windows and spy on keystrokes. True, Win9x users are more
ignorant of security concerns, but there is a reason why port 111 (RPC),
port 21 (Telnet), etc. probes are so common. The only systems on which you
can safely ignore such threats are Windows CE, PalmPilots, and Macintoshes.

* If a PC is attacked, at worst, resetting EPROM can still rescue it back.
There is no need to throw it away as told by that hacker.

You are confusing the BIOS settings held in NVRAM with the BIOS itself held
in the EEPROM. Recovering from a corrupted EEPROM can be tricky and probably
is beyond the capability of most users.

* If the victim wanted, he could present the hacker's IP address shown on the
site to the court and he would be put behind the bar.

Not really. The easiest defense is for the hacker to install SOCKS on
his/her machine and claim complete innocence (no officer, some hacker was
just using my machine; I'm a victim too).

The next day, the hacker posted another message to the site in response to my
"recipe":
* He can virtually break any OS, and the tricks he uses do not differ much.

This is, of course, simple boasting. What it means is simply that he is a
script kiddy who has learned how to use lots of scripts. Trust me: anybody
who actually figures out how computers really work spends their energy making
$$$ rather than responding to primate dominance games on BBSs/chatrooms.

* His virus can reside in "virtual memory" and can still survive with disk
replaced and he has knowledge of backdoor viruses such as trojan.

This is not true. What he really means is that he can reset some of the CMOS
NVRAM (non-volatile RAM) settings.

* How did the hacker acquire posters' IP addresses without viewing the pages
sent by web server?

Lots of ways, but it really depends upon the nature of the BBS. A classic
way is to post HTML with a tag like <img src="http://mysite.example.com/foo.gif">
that points back to your site. Lots of BBSs cleanse HTML tags for this
purpose.

* How can a host with spoofed IP address post messages to web sites?

The word "spoof" has a specialized meaning: the person in question isn't
"spoofing" his IP address, but has instead hijacked somebody else's machine
to post from. For more info on spoofing, check out:
http://www.robertgraham.com/pubs/hacking-dict.html#spoof

* Is it possible to trace a spoofed IP address and acquire its real one?

No. You can act like a private eye and track him down (i.e. contact the
victim with the hijacked machine in order to monitor where the hacker really
comes from), but there is no easy way to do it.

* How did the hacker aggressively send virus to victims without the victim's
involvement - only by knowing the victim's IP address? This trick has a great
deal of differences from those patterns of activities such as victims'
downloading files!

The standard way is that people have "File and Print Sharing" enabled. This
will allow me to connect to the victim and install a trojan horse in that
person's startup folder. The next time the victim reboots, poof, they're
infected. In other words, the victim unknowingly had converted his machine
into a file server that allows anybody in the world access. However, my bet
is that this clueless person had accidentally compromised himself with a
remote access trojan a long time ago and that the hacker had simply scanned
the machine and found the existing trojan.

* Because the victim had been explicitly threatened before vanishing, I would
assume that the victim was not so stupid as to launch the virus when he saw
any suspicious program sent to his Windows. So what confuses me is: how did
the attacker launch (i.e. activate, run, or execute) the virus residing in a
victim's Windows - only by knowing the victim's IP address?

Same question as above. BTW, you have a misconception as to the difference
between a "virus" and a "trojan". You may want to check out the reference:
http://www.robertgraham.com/pubs/hacking-dict.html#virus
http://www.robertgraham.com/pubs/hacking-dict.html#trojan
http://www.robertgraham.com/pubs/hacking-dict.html#rat

* The hacker claimed that he can do the same to Mac or Unix as he had just
done to Windows and all what he needs are a few efforts. Is that true?

Yes/no, it doesn't matter. Imagine that the hacker is some kid who has
learned a couple of magic tricks. You, another kid, do not know how the
tricks are done and are very impressed by them. This "hacker" you are
talking about is not some wizard, but is instead some script kiddy who knows
barely more than you do.
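The post mentions that "lots of BBSs cleanse HTML tags" so that a posted <img> tag pointing at a poster's own server cannot make every reader's browser fetch it and reveal their IP addresses. The following is an added illustration of such a cleanser (not code from the post or from any BBS product); the allowed-tag list, the hypothetical host bbs.example.org, and the sample post are all constructed for the example.

```python
"""Allow-list HTML cleanser for BBS posts: keeps a few harmless tags, drops
remote <img> beacons (and every other tag), and escapes all text."""
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

ALLOWED_TAGS = {"b", "i", "u", "p", "br", "blockquote"}  # no img/a/script
# Hypothetical host the BBS itself serves images from; any other image host
# would let the poster log readers' IP addresses, so it is rejected.
LOCAL_IMAGE_HOSTS = {"bbs.example.org"}


class BBSCleaner(HTMLParser):
    """Rebuild the post from scratch; only recognised markup survives."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, src) pairs a moderator might want to see

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes discarded on purpose
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            if urlparse(src).hostname in LOCAL_IMAGE_HOSTS:
                self.out.append(f'<img src="{escape(src, quote=True)}">')
            else:
                self.dropped.append(("img", src))  # remote beacon removed
        else:
            self.dropped.append((tag, None))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text can never turn into markup


def clean_post(html):
    """Return (cleaned_html, dropped_tags) for one submitted post."""
    parser = BBSCleaner()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed sample post using the beacon pattern described in the thread.
    sample = ('See <b>this</b> <img src="http://mysite.example.com/foo.gif">'
              ' <img src="http://bbs.example.org/smile.gif"> 1 < 2')
    print(clean_post(sample))
```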
