So hold on.. the person who did this was an ex-employee who already had access to their systems?
On Sun, Apr 17, 2011 at 2:28 PM, Benji <m...@b3nji.com> wrote:
> Interesting, as @reversemode on twitter has pointed out
>
> 74.50.135.51 is the ip for the scada system as pointed out, and found by
> SHODAN
>
> http://www.shodanhq.com/?q=Ft.+Sumner+SCADA
>
> Not the 160.x.x.x IP as indicated in the original email.
>
> On Sun, Apr 17, 2011 at 12:41 PM, Benji <m...@b3nji.com> wrote:
>
>> so wait? Let me humor you..
>>
>> SSH was running and publicly accessible so it was actually legal for me
>> to login to <something>.gov, as if they didn't want me to connect it wouldn't
>> be a publicly accessible service?
>>
>> On Sun, Apr 17, 2011 at 12:39 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>>
>>> > so how long do you give yourself before you're in prison?
>>> lol....
>>>
>>> To play devil's advocate here: FPL placed those hosts on a public
>>> internet. In addition, FPL also configured the hosts to advertise services.
>>> If FPL did not want the services accessed, the company would have removed
>>> the hosts from the public internet, shut down the services, or used leased
>>> [private] lines. Where's the leap to a criminal offense?
>>>
>>> Jeff
>>>
>>> On Sun, Apr 17, 2011 at 6:29 AM, Benji <m...@b3nji.com> wrote:
>>>
>>>> so how long do you give yourself before you're in prison?
>>>>
>>>> On Sat, Apr 16, 2011 at 4:22 PM, Bgr R <bgr_24...@yahoo.com> wrote:
>>>>
>>>>> Here comes my revenge for illegitimate firing from Florida Power &
>>>>> Light Company (FPL)
>>>>> ... ain't nothing you can do with it, since your electricity is
>>>>> turned off !!!
>>>>>
>>>>> Secure your SCADA better! Leaked files are attached ...
>>>>>
>>>>> 1) http://img838.imageshack.us/i/49986845.png/
>>>>> 2) http://img718.imageshack.us/i/24380855.png/
>>>>> 3) http://img24.imageshack.us/i/58868342.png/
>>>>> 4) http://img228.imageshack.us/i/85258364.png/
>>>>> 5) http://img163.imageshack.us/i/90736853.png/
>>>>> 6) http://img217.imageshack.us/i/55439027.png/
>>>>> 7) http://img40.imageshack.us/i/87526089.png/
>>>>> 8) http://img864.imageshack.us/i/94061747.png/
>>>>> ------------------------------------------------------------
>>>>>
>>>>> 161.154.232.65
>>>>>
>>>>> HTTP/1.0 401 Unauthorized
>>>>> Date: Sat, 05 Feb 2011 23:43:13 GMT
>>>>> Server: VTS 9.0.05
>>>>> Content-Type: text/html
>>>>> Content-Length: 622
>>>>> Cache-Control: no-cache
>>>>> WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
>>>>> Cache-control: no-cache="set-cookie"
>>>>> Cache-control: private
>>>>> Set-Cookie: VTS=9.0005;Version=1;Path=/
>>>>> Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner
>>>>> SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
>>>>> Set-Cookie:
>>>>> SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..
>>>>>
>>>>> NetRange: 161.154.0.0 - 161.154.255.255
>>>>> CIDR: 161.154.0.0/16
>>>>> OriginAS:
>>>>> NetName: FPL2
>>>>> NetHandle: NET-161-154-0-0-1
>>>>> Parent: NET-161-0-0-0-0
>>>>> NetType: Direct Assignment
>>>>> RegDate: 1992-12-17
>>>>> Updated: 2008-10-10
>>>>> Ref: http://whois.arin.net/rest/net/NET-161-154-0-0-1
>>>>>
>>>>> OrgName: Florida Power & Light Company
>>>>> OrgId: FFPL-1
>>>>> Address: 700 Universe Blvd
>>>>> Address: P.O. Box 14000
>>>>> City: Juno Beach
>>>>> StateProv: FL
>>>>> PostalCode: 33408-0420
>>>>> Country: US
>>>>> RegDate: 1997-06-03
>>>>> Updated: 2007-06-29
>>>>> Ref: http://whois.arin.net/rest/org/FFPL-1
>>>>>
>>>>> OrgAbuseHandle: INFOR40-ARIN
>>>>> OrgAbuseName: Information Security
>>>>> OrgAbusePhone: +1-305-552-3727
>>>>> OrgAbuseEmail: information_secur...@fpl.com
>>>>> OrgAbuseRef: http://whois.arin.net/rest/poc/INFOR40-ARIN
>>>>>
>>>>> OrgTechHandle: DHE37-ARIN
>>>>> OrgTechName: Hertzog, Dean
>>>>> OrgTechPhone: +1-305-552-4080
>>>>> OrgTechEmail: fpl...@fpl.com
>>>>> OrgTechRef: http://whois.arin.net/rest/poc/DHE37-ARIN
>>>>>
>>>>> OrgNOCHandle: DHE37-ARIN
>>>>> OrgNOCName: Hertzog, Dean
>>>>> OrgNOCPhone: +1-305-552-4080
>>>>> OrgNOCEmail: fpl...@fpl.com
>>>>> OrgNOCRef: http://whois.arin.net/rest/poc/DHE37-ARIN
>>>>>
>>>>>
>>>>> -------------------------------------------------------------------------------
>>>>> Configuration file from the central Cisco Router and Security Device
>>>>> Manager: 161.154.232.2 (FPL - FFPL-1)
>>>>>
>>>>> Building configuration...
>>>>>
>>>>> Current configuration : 8467 bytes
>>>>> !
>>>>> ! Last configuration change at 18:01:57 UTC Mon Oct 25 2010 by ro5810
>>>>> ! NVRAM config last updated at 18:01:59 UTC Mon Oct 25 2010 by ro5810
>>>>> !
>>>>> version 12.2
>>>>> no service pad
>>>>> service timestamps debug datetime localtime
>>>>> service timestamps log datetime localtime
>>>>> service password-encryption
>>>>> service udp-small-servers
>>>>> service tcp-small-servers
>>>>> !
>>>>> hostname cpr622i00bct
>>>>> !
>>>>> logging buffered 65000 debugging
>>>>> logging rate-limit all 10 except critical
>>>>> enable secret 5 $1$7uN5$Ok9fYku/HC/KNqWQkHoWP.
>>>>> !
>>>>> aaa new-model
>>>>> aaa authentication login default group tacacs+ enable
>>>>> aaa authentication enable default group tacacs+ enable
>>>>> aaa authorization exec default group tacacs+ none
>>>>> aaa accounting exec default start-stop group tacacs+
>>>>> aaa accounting commands 15 default start-stop group tacacs+
>>>>> !
>>>>> aaa session-id common
>>>>> ip subnet-zero
>>>>> no ip source-route
>>>>> ip routing
>>>>> !
>>>>> no ip domain-lookup
>>>>> ip host cs00noc 172.16.0.132
>>>>> ip host cs01noc 172.16.0.133
>>>>> ip host cs00noc-pub 209.215.34.12
>>>>> ip host cs01noc-pub 209.215.34.11
>>>>> ip name-server 205.152.132.23
>>>>> ip name-server 205.152.144.23
>>>>> vtp domain Core
>>>>> vtp mode transparent
>>>>> !
>>>>> mls qos
>>>>> no mpls traffic-eng auto-bw timers frequency 0
>>>>> !
>>>>> !
>>>>> no file verify auto
>>>>> spanning-tree mode pvst
>>>>> spanning-tree extend system-id
>>>>> !
>>>>> !
>>>>> !
>>>>> vlan internal allocation policy ascending
>>>>> !
>>>>> vlan 1578
>>>>>  name FPL
>>>>> !
>>>>> policy-map SHAPER1
>>>>>  class class-default
>>>>>   shape average 250000000
>>>>> !
>>>>> !
>>>>> !
>>>>> interface FastEthernet1/0/1
>>>>> !
>>>>> interface FastEthernet1/0/2
>>>>> !
>>>>> interface FastEthernet1/0/3
>>>>> !
>>>>> interface FastEthernet1/0/4
>>>>> !
>>>>> interface FastEthernet1/0/5
>>>>> !
>>>>> interface FastEthernet1/0/6
>>>>> !
>>>>> interface FastEthernet1/0/7
>>>>> !
>>>>> interface FastEthernet1/0/8
>>>>> !
>>>>> interface FastEthernet1/0/9
>>>>> !
>>>>> interface FastEthernet1/0/10
>>>>> !
>>>>> interface FastEthernet1/0/11
>>>>> !
>>>>> interface FastEthernet1/0/12
>>>>> !
>>>>> interface FastEthernet1/0/13
>>>>> !
>>>>> interface FastEthernet1/0/14
>>>>> !
>>>>> interface FastEthernet1/0/15
>>>>> !
>>>>> interface FastEthernet1/0/16
>>>>> !
>>>>> interface FastEthernet1/0/17
>>>>> !
>>>>> interface FastEthernet1/0/18
>>>>> !
>>>>> interface FastEthernet1/0/19
>>>>> !
>>>>> interface FastEthernet1/0/20
>>>>> !
>>>>> interface FastEthernet1/0/21
>>>>> !
>>>>> interface FastEthernet1/0/22
>>>>> !
>>>>> interface FastEthernet1/0/23
>>>>> !
>>>>> interface FastEthernet1/0/24
>>>>> !
>>>>> interface GigabitEthernet1/0/1
>>>>> !
>>>>> interface GigabitEthernet1/0/2
>>>>> !
>>>>> interface GigabitEthernet1/1/1
>>>>>  switchport trunk allowed vlan 1578
>>>>>  switchport mode trunk
>>>>>  switchport nonegotiate
>>>>>  ip access-group 112 in
>>>>>  service-policy output SHAPER1
>>>>>  load-interval 30
>>>>>  speed nonegotiate
>>>>> !
>>>>> interface GigabitEthernet1/1/2
>>>>>  no switchport
>>>>>  ip address 161.154.232.2 255.255.255.0
>>>>>  ip access-group 115 in
>>>>>  load-interval 30
>>>>>  keepalive 10
>>>>>  speed nonegotiate
>>>>>  mls qos trust dscp
>>>>>  no cdp enable
>>>>>  no clns route-cache
>>>>>  hold-queue 100 in
>>>>>  hold-queue 100 out
>>>>> !
>>>>> interface Vlan1
>>>>>  no ip address
>>>>>  shutdown
>>>>> !
>>>>> interface Vlan1578
>>>>>  ip address 65.14.117.30 255.255.255.252
>>>>>  load-interval 30
>>>>>  no clns route-cache
>>>>> !
>>>>> ip classless
>>>>> ip route 0.0.0.0 0.0.0.0 65.14.117.29
>>>>> ip route 155.109.5.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.19.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.29.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.29.204 255.255.255.255 65.14.117.29
>>>>> ip route 155.109.29.214 255.255.255.255 65.14.117.29
>>>>> ip route 155.109.66.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.88.0 255.255.255.0 161.154.232.1
>>>>> ip route 155.109.95.0 255.255.255.0 161.154.232.1
>>>>> ip route 161.154.0.0 255.255.0.0 161.154.232.1
>>>>> ip route 170.55.0.0 255.255.0.0 161.154.232.1
>>>>> ip route 204.238.236.0 255.255.255.0 161.154.232.1
>>>>> no ip http server
>>>>> ip http secure-server
>>>>> !
>>>>> !
>>>>> !
>>>>> access-list 98 permit 205.152.144.226
>>>>> access-list 98 permit 205.152.132.250
>>>>> access-list 98 permit 205.152.132.226
>>>>> access-list 98 permit 205.152.144.250
>>>>> access-list 98 permit 205.152.144.165
>>>>> access-list 98 permit 205.152.37.19
>>>>> access-list 98 permit 205.152.37.20
>>>>> access-list 98 permit 205.152.144.163
>>>>> access-list 98 permit 205.152.37.26
>>>>> access-list 98 permit 205.152.37.27
>>>>> access-list 98 permit 205.152.132.163
>>>>> access-list 98 permit 205.152.132.165
>>>>> access-list 98 permit 205.152.37.250
>>>>> access-list 98 permit 205.152.37.226
>>>>> access-list 98 permit 205.152.132.27
>>>>> access-list 98 permit 205.152.132.26
>>>>> access-list 98 permit 205.152.144.20
>>>>> access-list 98 permit 205.152.37.163
>>>>> access-list 98 permit 205.152.37.165
>>>>> access-list 98 permit 205.152.144.19
>>>>> access-list 98 permit 205.152.144.27
>>>>> access-list 98 permit 205.152.144.26
>>>>> access-list 98 permit 139.76.53.0 0.0.0.255
>>>>> access-list 98 permit 139.76.68.0 0.0.3.255
>>>>> access-list 98 permit 139.76.88.0 0.0.1.255
>>>>> access-list 98 permit 139.76.228.0 0.0.3.255
>>>>> access-list 98 permit 139.76.240.0 0.0.1.255
>>>>> access-list 98 permit 172.16.0.0 0.0.1.255
>>>>> access-list 98 permit 205.152.6.0 0.0.0.255
>>>>> access-list 98 permit 205.152.66.0 0.0.0.255
>>>>> access-list 98 permit 205.152.204.0 0.0.0.255
>>>>> access-list 99 permit 68.153.6.0 0.0.1.255
>>>>> access-list 99 permit 172.16.0.0 0.0.1.255
>>>>> access-list 99 permit 139.76.53.0 0.0.0.255
>>>>> access-list 99 permit 139.76.68.0 0.0.3.255
>>>>> access-list 99 permit 139.76.88.0 0.0.1.255
>>>>> access-list 99 permit 139.76.228.0 0.0.3.255
>>>>> access-list 99 permit 139.76.240.0 0.0.1.255
>>>>> access-list 99 permit 205.152.6.0 0.0.0.255
>>>>> access-list 111 permit ip 65.14.117.28 0.0.0.3 any
>>>>> access-list 111 permit ip 74.175.105.64 0.0.0.31 any
>>>>> access-list 111 permit ip 205.152.17.0 0.0.0.255 any
>>>>> access-list 111 permit ip 155.109.0.0 0.0.255.255 any
>>>>> access-list 111 permit ip 161.154.0.0 0.0.255.255 any
>>>>> access-list 111 permit ip 205.152.161.0 0.0.0.255 any
>>>>> access-list 111 permit ip 204.238.236.0 0.0.0.255 any
>>>>> access-list 111 permit ip 170.55.0.0 0.0.255.255 any
>>>>> access-list 112 deny ip 204.0.0.0 0.0.255.255 any
>>>>> access-list 112 deny ip 204.1.0.0 0.0.255.255 any
>>>>> access-list 112 deny ip 204.3.0.0 0.0.255.255 any
>>>>> access-list 112 deny ip 69.22.0.0 0.0.192.255 any
>>>>> access-list 112 permit ip any any
>>>>> access-list 115 deny 53 any any
>>>>> access-list 115 deny 55 any any
>>>>> access-list 115 deny 77 any any
>>>>> access-list 115 deny pim any any
>>>>> access-list 115 permit ip any any
>>>>> no cdp run
>>>>> snmp-server community Ty#Qr53b RO 98
>>>>> snmp-server community R5t3bF5c RW 98
>>>>> tacacs-server host 172.16.0.132
>>>>> tacacs-server host 209.215.34.12
>>>>> tacacs-server host 172.16.0.133
>>>>> tacacs-server host 209.215.34.11
>>>>> tacacs-server timeout 10
>>>>> tacacs-server directed-request
>>>>> tacacs-server key 7 010703174F
>>>>> !
>>>>> radius-server source-ports 1645-1646
>>>>> !
>>>>> control-plane
>>>>> !
>>>>> banner motd ^CC
>>>>> ######################################################################
>>>>> #                                                                    #
>>>>> #                    ***PRIVATE/PROPRIETARY***                       #
>>>>> #                                                                    #
>>>>> #    ANY UNAUTHORIZED ACCESS TO, OR MISUSE OF BELLSOUTH              #
>>>>> #    SYSTEMS OR DATA MAY RESULT IN CIVIL AND/OR CRIMINAL             #
>>>>> #    PROSECUTION, EMPLOYEE DISCIPLINE UP TO AND INCLUDING            #
>>>>> #    DISCHARGE, OR THE TERMINATION OF VENDOR/SERVICE CONTRACTS.      #
>>>>> #                                                                    #
>>>>> #    BELLSOUTH MAY PERIODICALLY MONITOR AND/OR AUDIT SYSTEM          #
>>>>> #    ACCESS/USAGE.                                                   #
>>>>> #                                                                    #
>>>>> #                                                                    #
>>>>> ######################################################################
>>>>> #                                                                    #
>>>>> #                    <VERSION TEMPLATE DATE@TIME>                    #
>>>>> ######################################################################
>>>>> ^C
>>>>> privilege exec level 1 traceroute
>>>>> privilege exec level 1 ping
>>>>> privilege exec level 1 terminal monitor
>>>>> privilege exec level 1 terminal
>>>>> privilege exec level 1 show line
>>>>> privilege exec level 1 show snmp
>>>>> privilege exec level 1 show arp
>>>>> privilege exec level 1 show accounting
>>>>> privilege exec level 1 show service-module
>>>>> privilege exec level 1 show version
>>>>> privilege exec level 1 show reload
>>>>> privilege exec level 1 show debugging
>>>>> privilege exec level 1 show controllers
>>>>> privilege exec level 1 show users
>>>>> privilege exec level 1 show sessions
>>>>> privilege exec level 1 show access-lists
>>>>> privilege exec level 1 show privilege
>>>>> privilege exec level 1 show interfaces
>>>>> privilege exec level 1 show startup-config
>>>>> privilege exec level 1 show
>>>>> privilege exec level 1 clear line
>>>>> privilege exec level 1 clear counters
>>>>> privilege exec level 1 clear
>>>>> !
>>>>> line con 0
>>>>>  exec-timeout 5 30
>>>>>  password 7 070C285F4D06
>>>>> line vty 0 4
>>>>>  access-class 99 in
>>>>>  exec-timeout 30 0
>>>>>  password 7 03075218050061
>>>>> line vty 5 15
>>>>>  access-class 99 in
>>>>>  exec-timeout 30 0
>>>>>  password 7 03075218050061
>>>>> !
>>>>> end
>>>>>
>>>>> ----------------------------------------------------
>>>>> Fort Sumner wind turbines:
>>>>> http://www.flickr.com/photos/30325073@N02/4113855086/
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/
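Added example, not part of the thread above: a small audit script that flags the categories of weak IOS settings visible in the quoted configuration (small-servers enabled, an RW SNMP community, a type 5 enable secret, HTTPS management with no access-class, reversible type 7 line passwords, vty lines that still accept telnet) and names the hardening each one calls for. It runs on a constructed sample config with placeholder values; the hostnames, hashes and community strings in the sample are made up and are not the ones from the leak. The checks are a defender's baseline, not an exhaustive IOS benchmark.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    check: str   # short identifier for the weak setting
    line: str    # the config line that triggered it
    fix: str     # the hardening a reviewer would ask for


# Constructed sample in the style of a leaked IOS config (placeholder values only).
SAMPLE_CONFIG = """\
version 12.2
service password-encryption
service udp-small-servers
service tcp-small-servers
hostname EXAMPLE-ROUTER
enable secret 5 $1$xxxx$PLACEHOLDERHASH
aaa new-model
ip http secure-server
snmp-server community EXAMPLE_RO RO 98
snmp-server community EXAMPLE_RW RW 98
line con 0
 exec-timeout 5 30
 password 7 0123456789ABCDEF
line vty 0 4
 access-class 99 in
 exec-timeout 30 0
 password 7 0123456789ABCDEF
end
"""


def parse_blocks(text):
    """Split an IOS config into (header, [child lines]) blocks.

    IOS indents sub-mode commands by one space, so a line that starts with
    whitespace belongs to the most recent top-level line. Comments ('!')
    and blank lines are skipped.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of Finding objects for the weak settings we recognise."""
    findings = []
    blocks = parse_blocks(text)
    top_level = [header for header, _ in blocks]

    for header, children in blocks:
        # Legacy echo/chargen/discard services: no reason to run these on a router.
        if header in ("service tcp-small-servers", "service udp-small-servers"):
            findings.append(Finding("small-servers", header, "no " + header))

        # A read-write community string is full configuration access over SNMPv1/v2c.
        if re.match(r"snmp-server community \S+ RW", header):
            findings.append(Finding(
                "snmp-rw-community", header,
                "remove the RW community; use SNMPv3 authPriv, or RO with a tight ACL"))

        # Type 5 is salted MD5; newer IOS offers type 8 (PBKDF2) / type 9 (scrypt).
        if header.startswith("enable secret 5 "):
            findings.append(Finding(
                "enable-secret-md5", header,
                "re-set the enable secret with a type 8/9 algorithm where supported"))

        # HTTPS management reachable from anywhere the interface ACLs allow.
        if header == "ip http secure-server" and not any(
                t.startswith("ip http access-class") for t in top_level):
            findings.append(Finding(
                "http-no-acl", header,
                "ip http access-class <acl>, or disable the server if unused"))

        if header.startswith("line "):
            # 'password 7' is reversible obfuscation, not a hash.
            for child in children:
                if child.startswith("password 7 "):
                    findings.append(Finding(
                        "type7-line-password", f"{header}: {child}",
                        "authenticate via AAA/local users with 'secret'; drop line passwords"))
            # Without 'transport input ssh' the vty lines also accept telnet.
            if header.startswith("line vty") and not any(
                    child.startswith("transport input ssh") for child in children):
                findings.append(Finding("vty-telnet-allowed", header, "transport input ssh"))

    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.check}] {f.line}\n    fix: {f.fix}")
```

The parser deliberately keys on indentation rather than on keywords, which is why a config whose whitespace has been collapsed in transit (as the quoted one was) would need its sub-mode lines re-indented before auditing; the `access-class` on the vty lines is noted but not treated as a substitute for SSH-only transport, since it only narrows who can reach the telnet service, not that the credentials cross the wire in clear.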