Security Incidents mailing list archives

Re: SOCKs Hack? and not the ones you put onto your feet.


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 20 Sep 2000 15:07:33 -0700

On Tue, 19 Sep 2000, Robert Wright wrote:

> forget) anyhow on SOCK we had an external connection. My network
> administrator noticed this, and didn't think it was a good thing and started
> up a network monitoring program, he captured all the packets involved with
> this server. We tried to stop the service however it wouldn't let us. My
> network administrator tried to check the logs however there weren't any! This
> however we think might have been due to the prior network admin's poor
> configuration. He configured the table as there is no external NIC. Our
> external NIC is in the lan table. I.e. no packet filtering. We examined the
> packets (best we could) and all we really saw was TCP http requests, and DNS
> requests. There were a few NetBios requests however they were denied. We do
> have this guy's IP and such however if there's nothing really wrong I'm not
> going to email his provider. I hope this will provide information enough
> that someone can help me out. I am currently browsing all of the security
> newsgroups and websites.


You don't actually ask a question that I can see in there... let me make
up a couple.  Did you get hacked?  Quite possibly... if you did indeed get
a packet capture of it, someone can probably tell you for sure.  Can you
put the capture file up on a web server somewhere, and send the list the
URL?  Were you hackable?  If I'm reading you correctly, that your external
interface had no filtering, then yes, you were probably easily
hackable.  What service pack are you running?  Also note that an attacker
can essentially have a command prompt via HTTP by using things like the
RDS hole.  We'd have to see the packet logs to know for sure.

                                        Ryan

