Security Incidents mailing list archives

Re: No Idea


From: pauls () UTDALLAS EDU (Paul L Schmehl)
Date: Tue, 25 Jan 2000 16:57:53 -0600


Good grief!

--On 1/25/00, 8:54 AM +0000 CN <cn-liu () USA NET> wrote:

Hello! Gurus,

I have been visiting a web site(a BBS?) where people can post messages
discussing topics.

A hacker did not agree with another poster's point of view. He threatened
that poster that he would destroy his machine if he did not stop posting.
But that poster ignored the warning.

One day, that hacker posted a message saying that he had sent a
"something" to that victim, and he should be able to see an icon on his
Windows95/98 and his disk would be formatted within 10 minutes. Whether
or not that victim's disk was formatted by that virus, I have not seen
any more posting from that victim since then.

Which could merely mean he got spooked or he's on vacation or he quit the
BBS in fear or a million things other than the hacker's threat came true.

And BTW, he's not a hacker, he's a script kiddie.

[snip]

The next day, the hacker posted another message to the site in response
to my "recipe":

* He actually, in contrast to the way I thought, does not acquire
posters' IP addresses by viewing the posted messages displayed by the web
server. He has special channel(s)!

Yeah, the boogie man gives him the IP address.

Besides, the IP addresses shown along
with his messages on the web site were fake.

So he says.

* He can virtually break any OS, and the tricks he uses do not differ
much.

So he says.

* His virus can reside in "virtual memory" and can still survive with disk
replaced and he has knowledge of backdoor viruses such as trojan.

OH BULL!  NOTHING survives in virtual memory when you shut down a machine.
This alone makes *everything* he said suspect.

Here are my questions:

* How did the hacker acquire posters' IP addresses without viewing the
pages sent by web server?

He could have broken in to the site that hosts the bb and he's reading
their logs.  I've seen plenty of sites where this is possible simply by
using a web browser to view pages that should not be world-readable, but
are.

* How can a host with spoofed IP address post messages to web sites? I
thought the pages sent by httpd can not reach the hacker's host at all.
The effect would be that the hacker could not see any web page in the
first place because the packets sent from any httpd would lose their way
when they start their journey from the web site. This was because, I
thought, routers between the two hosts would forward the packets to wrong
places since "destination IP address" in the to-be-sent packets were
incorrect (spoofed).

He would have to be very good, and this guy doesn't sound like he is.

* Is it possible to trace a spoofed IP address and acquire its real one?

* How did the hacker aggressively send virus to victims without the
victim's involvement - only by knowing the victim's IP address? This
trick has a great deal of differences from those patterns of activities
such as victims' downloading files!

He couldn't.  He would have to make some assumptions about the victim's
username and domain and send it by email.

* Because the victim had been explicitly threatened before vanishing, I
would assume that the victim was not so stupid as to launch the virus when
he saw any suspicious program sent to his Windows. So what confuses me is:
how did the attacker launch (i.e. activate, run, or execute) the virus
residing in a victim's Windows - only by knowing the victim's IP address?

Can't be done.

* The hacker claimed that he can do the same to Mac or Unix as he had just
done to Windows and all what he needs are a few efforts. Is that true?

Yeah, right!

Regards,

LCN


Paul L. Schmehl, pauls () utdallas edu
Technical Support Services Manager
The University of Texas at Dallas
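As an added illustration of the routing point raised in this exchange (this is not code from the original post or the list): a toy model in which the network delivers packets purely by destination address, so a client that forges its source address never receives the server's SYN-ACK, cannot complete the handshake, and cannot submit a post, while a client using its real address completes the handshake and is logged under that real address. All hosts, addresses and the simplified handshake (no sequence numbers) are constructed for the example.

```python
# Added example, not code from the thread: a toy network that routes by
# destination only, so a spoofed source never sees the server's replies.
from dataclasses import dataclass, field

@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "DATA"
    payload: str = ""

@dataclass
class Host:
    ip: str
    inbox: list = field(default_factory=list)
    established: set = field(default_factory=set)   # peers that completed the handshake
    access_log: list = field(default_factory=list)  # what a web server would log

class Network:
    """Delivers each packet purely by its destination address, as routers do."""
    def __init__(self, *hosts):
        self.hosts = {h.ip: h for h in hosts}
    def send(self, pkt):
        if pkt.dst in self.hosts:          # unknown destinations are silently dropped
            self.hosts[pkt.dst].inbox.append(pkt)

def server_step(server, net):
    """Web server: answer SYNs, record ACKs, log POSTs only from established peers."""
    while server.inbox:
        pkt = server.inbox.pop(0)
        if pkt.flags == "SYN":
            net.send(Packet(server.ip, pkt.src, "SYN-ACK"))   # reply goes to the claimed source
        elif pkt.flags == "ACK":
            server.established.add(pkt.src)
        elif pkt.flags == "DATA" and pkt.src in server.established:
            server.access_log.append(f"{pkt.src} POST {pkt.payload}")

def try_post(client, claimed_src, server, net, body):
    """Client handshakes using claimed_src as its source address, then posts body."""
    net.send(Packet(claimed_src, server.ip, "SYN"))
    server_step(server, net)
    got_synack = any(p.flags == "SYN-ACK" for p in client.inbox)  # only arrives at the real address
    client.inbox.clear()
    if not got_synack:
        return False          # no SYN-ACK, no session, nothing posted
    net.send(Packet(claimed_src, server.ip, "ACK"))
    net.send(Packet(claimed_src, server.ip, "DATA", body))
    server_step(server, net)
    return True
```

Spoofing a source address that belongs to some other live host does not help either: the SYN-ACK lands in that host's inbox, not the spoofer's.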

