Security Incidents mailing list archives
Re: No Idea
From: pauls () UTDALLAS EDU (Paul L Schmehl)
Date: Tue, 25 Jan 2000 16:57:53 -0600
Good grief! --On 1/25/00, 8:54 AM +0000 CN <cn-liu () USA NET> wrote:
> Hello! Gurus, I have been visiting a web site (a BBS?) where people can post messages discussing topics. A hacker did not agree with another poster's point of view. He threatened that poster that he would destroy his machine if he did not stop posting. But that poster ignored the warning. One day, that hacker posted a message saying that he had sent a "something" to that victim, and he should be able to see an icon on his Windows 95/98 and his disk would be formatted within 10 minutes. Whether or not that victim's disk was formatted by that virus, I have not seen any more postings from that victim since then.
Which could merely mean he got spooked, or he's on vacation, or he quit the BBS in fear, or a million things other than the hacker's threat coming true. And BTW, he's not a hacker, he's a script kiddie. [snip]
> The next day, the hacker posted another message to the site in response to my "recipe":
> * He actually, in contrast to the way I thought, does not acquire posters' IP addresses by viewing the posted messages displayed by the web server. He has special channel(s)!
Yeah, the boogie man gives him the IP address.
> Besides, the IP addresses shown along with his messages on the web site were fake.
So he says.
> * He can virtually break any OS, and the tricks he uses do not differ much.
So he says.
> * His virus can reside in "virtual memory" and can still survive with the disk replaced, and he has knowledge of backdoor viruses such as trojans.
OH BULL! NOTHING survives in virtual memory when you shut down a machine. This alone makes *everything* he said suspect.
> Here are my questions:
> * How did the hacker acquire posters' IP addresses without viewing the pages sent by the web server?
He could have broken into the site that hosts the bb and he's reading their logs. I've seen plenty of sites where this is possible simply by using a web browser to view pages that should not be world-readable, but are.
> * How can a host with a spoofed IP address post messages to web sites? I thought the pages sent by httpd could not reach the hacker's host at all. The effect would be that the hacker could not see any web page in the first place, because the packets sent from any httpd would lose their way when they start their journey from the web site. This was because, I thought, routers between the two hosts would forward the packets to the wrong places, since the "destination IP address" in the to-be-sent packets was incorrect (spoofed).
He would have to be very good, and this guy doesn't sound like he is.
> * Is it possible to trace a spoofed IP address and acquire its real one?
> * How did the hacker aggressively send a virus to victims without the victim's involvement, only by knowing the victim's IP address? This trick has a great deal of differences from those patterns of activity such as victims downloading files!
He couldn't. He would have to make some assumptions about the victim's username and domain and send it by email.
> * Because the victim had been explicitly threatened before vanishing, I would assume that the victim was not so stupid as to launch the virus when he saw any suspicious program sent to his Windows. So what confuses me is: how did the attacker launch (i.e. activate, run, or execute) the virus residing in a victim's Windows, only by knowing the victim's IP address?
Can't be done.
> * The hacker claimed that he can do the same to Mac or Unix as he had just done to Windows, and all that he needs are a few efforts. Is that true?
Yeah, right!
> Regards, LCN
> ____________________________________________________________________
> Get free email and a permanent address at http://www.netaddress.com/?N=1
Paul L. Schmehl, pauls () utdallas edu
Technical Support Services Manager
The University of Texas at Dallas
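A small simulation of the two points made above: the question's reasoning that a host using a spoofed source address never receives the server's replies, and the reply's observation that the web server's own logs record posters' addresses. This is added example code, not part of the original thread and not anything the list posters wrote. It models a TCP three-way handshake over a toy network in which the router delivers each packet to whichever host owns its destination address; the documentation-range addresses, the toy router, and the `post_message` / `run_demo` helpers are all assumed for the illustration.

```python
"""Why an HTTP post cannot arrive from a spoofed source IP.

Added example, not part of the original mailing-list thread. Toy model of
a TCP three-way handshake: every host owns one IP, the router delivers each
packet to the host that owns its destination address, and the web server
only accepts request data on a connection that reached ESTABLISHED. The
server's access log therefore records the address of the established
connection, which is the only client address it ever sees.
"""
import random
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "DATA"
    seq: int = 0
    ack: int = 0
    payload: str = ""


class Network:
    """Stateless router: hands each packet to whoever owns the destination IP."""

    def __init__(self):
        self.hosts = {}

    def attach(self, host):
        self.hosts[host.ip] = host

    def send(self, pkt):
        target = self.hosts.get(pkt.dst)
        if target is not None:          # packets to an unowned IP are dropped
            target.receive(pkt)


class Host:
    def __init__(self, ip, net):
        self.ip, self.net, self.inbox = ip, net, []
        net.attach(self)

    def receive(self, pkt):
        self.inbox.append(pkt)


class WebServer(Host):
    def __init__(self, ip, net):
        super().__init__(ip, net)
        self.isn = {}               # our initial sequence number per client IP
        self.established = set()
        self.access_log = []

    def receive(self, pkt):
        if pkt.flags == "SYN":
            isn = random.randrange(1 << 32)
            self.isn[pkt.src] = isn
            # The SYN-ACK goes to the source address of the SYN, whoever owns it.
            self.net.send(Packet(self.ip, pkt.src, "SYN-ACK", seq=isn, ack=pkt.seq + 1))
        elif pkt.flags == "ACK" and pkt.src in self.isn and pkt.ack == self.isn[pkt.src] + 1:
            self.established.add(pkt.src)
        elif pkt.flags == "DATA" and pkt.src in self.established:
            self.access_log.append(f'{pkt.src} "POST /bbs HTTP/1.0" {pkt.payload!r}')
        # Data on an unestablished connection, or an ACK with a wrong number, is dropped.


def post_message(net, attacker, server, claimed_src, body):
    """Try to post `body` to `server` with `claimed_src` as the source IP.

    The attacker can only finish the handshake if the server's SYN-ACK lands
    in its own inbox; it does not try to guess the 32-bit sequence number.
    Returns a copy of the server's access log after the attempt.
    """
    attacker.inbox.clear()
    client_isn = random.randrange(1 << 32)
    net.send(Packet(claimed_src, server.ip, "SYN", seq=client_isn))
    synack = next((p for p in attacker.inbox if p.flags == "SYN-ACK"), None)
    if synack is None:
        return list(server.access_log)      # reply went elsewhere; no connection
    net.send(Packet(claimed_src, server.ip, "ACK", seq=client_isn + 1, ack=synack.seq + 1))
    net.send(Packet(claimed_src, server.ip, "DATA", seq=client_isn + 1, payload=body))
    return list(server.access_log)


def run_demo():
    """Honest post, then a post claiming a victim's address. The addresses are
    constructed from the documentation ranges (hypothetical)."""
    net = Network()
    server = WebServer("203.0.113.10", net)
    attacker = Host("198.51.100.7", net)
    victim = Host("192.0.2.55", net)        # owns the address the attacker will spoof
    honest = post_message(net, attacker, server, attacker.ip, "first post")
    spoofed = post_message(net, attacker, server, victim.ip, "I am someone else")
    return honest, spoofed, [p.flags for p in victim.inbox]


if __name__ == "__main__":
    honest, spoofed, victim_saw = run_demo()
    print("after honest post: ", honest)
    print("after spoofed post:", spoofed)
    print("victim received:   ", victim_saw)
```

Running it shows one access-log entry after the honest post, carrying the attacker's real address, and an unchanged log after the spoofed attempt: the SYN-ACK was routed to the host that actually owns 192.0.2.55, so the attacker never learns the server's sequence number and the connection never reaches the state in which the server will accept request data. A "blind" spoofer can still try to finish the handshake by predicting the server's 32-bit initial sequence number without ever seeing the SYN-ACK, which is the part that requires the attacker to be very good and which this simulation deliberately does not attempt.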