Re: Server IDS?
Well, first of all you need to know that Tripwire, AFAIK, is only a binary verification tool, not an IDS. Something like Snort is a Network Intrusion Detection System... and I think that Snort does have a release for NT/2k.

HTH
Craig

On Mon, Feb 04, 2002 at 12:05:06PM -0500, jason wrote:
> Does anyone know of any server level IDS products, such as tripwire, that
> exist for NT/2000?
>
> Thanks,
> Jason
Re: spam
Actually, I am running an email server.. just not the "normal" email server. I run Postfix.. and you are right about the scanning.. I would have thought that my school's "security" team would stop that on their subnets.. but then they do not really care about the student computers. And my logs do show a connection.. just that they lost connection after the DATA command was issued.. and my logs show nothing being sent out.. my guess is someone trolling with a "sploiter" or, like you said, a spammer trying to get a new relay.

Thanks for your 0.02
Craig

On Wed, Feb 06, 2002 at 12:24:17PM -0500, Mike Gilles wrote:
> A lot of times "spammers" will just do some wholesale scanning for email
> servers vulnerable to mail relaying. And then take the results to bounce
> their porn spam or vinyl siding advertisement off those unsuspecting hosts..
> which if traced back leads to the relayed mail server not the spammer.
> Anyway, I'm probably not telling you anything new... Just thought it might
> be a relaying test as part of a scan (any other hosts hit as a scan would do?),
> since you're not running a mail server the communication was rejected. Thus
> no worries. The blocking of the IP could have limited effectiveness, who
> knows if the IP was the spammer or a compromised host. Oh well, just my 2
> cents!
>
> -MG
>
> Some Security Guy
>
> -----Original Message-----
> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 06, 2002 2:30 AM
> To: [EMAIL PROTECTED]
> Cc: security-basics
> Subject: Re: spam
>
> Well, the only firewall I have is the IPFilter that comes with FreeBSD.
> And I don't use sendmail.. so I'm not worried about that.. I thought that was
> what someone was doing.. I just went ahead and denied them in my firewall.
>
> Any other suggestions?
> Thanks
> Craig
>
> On Wed, Feb 06, 2002 at 07:27:11AM +, [EMAIL PROTECTED] wrote:
> > Hi Craig
> >
> > It looks like someone has telnet'ed to port 25 on your mail-server. What
> > firewall do you use?
> >
> > Kind regards
> >
> > Jude Naidoo
> > Internet Analyst
> > GSK Internet/Intranet Operations
> > x784 6740
> > +44 1279 64 6740
> >
> > "Craig Van Tassle" <[EMAIL PROTECTED]>
> > 05-Feb-2002 06:57
> >
> > To: security-basics
> > cc:
> > Subject: spam
> >
> > I was wondering if anyone knows if people (spammers) watch the security
> > focus mailing lists to get people's email addys? Over the last couple of
> > months I have been getting sporadic spam emails..
> > and I also noticed some funny things in my mail logs..
> >
> > Feb 3 23:16:53 postfix/smtpd[33997]: lost connection after DATA from
> > unknown[209.149.145.250]
> > Feb 3 23:16:53 postfix/smtpd[33997]: disconnect from
> > unknown[209.149.145.250]
> > Feb 3 23:16:53 postfix/cleanup[33998]: 846CD3F1A:
> > message-id=<[EMAIL PROTECTED]>
> >
> > Does that mean that someone has been trying to get in through my email
> > server, or are they just using me as a remailer?
> >
> > thanks
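The triage Craig and Mike are doing by eye (a client that walked the SMTP dialogue up to DATA and then hung up, versus one that was refused as a relay, versus a real delivery) can be done over the whole smtpd log. The following is an added example in Python, not code from the list or from Postfix; the first three log lines are the ones Craig posted, the remaining lines are constructed (addresses, queue ID and the `Relay access denied` reject are sample values, and the `(N bytes)` suffix that newer Postfix versions add after `DATA` is tolerated by the pattern).

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first three lines are the ones from the list post,
# the rest are made up to show a refused relay attempt and a normal delivery.
SAMPLE_LOG = """\
Feb 3 23:16:53 postfix/smtpd[33997]: lost connection after DATA from unknown[209.149.145.250]
Feb 3 23:16:53 postfix/smtpd[33997]: disconnect from unknown[209.149.145.250]
Feb 3 23:16:53 postfix/cleanup[33998]: 846CD3F1A: message-id=<[EMAIL PROTECTED]>
Feb 4 01:02:10 postfix/smtpd[34010]: connect from unknown[198.51.100.7]
Feb 4 01:02:11 postfix/smtpd[34010]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 554 5.7.1 <victim@example.net>: Relay access denied; from=<probe@example.org> to=<victim@example.net> proto=ESMTP helo=<probe>
Feb 4 01:02:11 postfix/smtpd[34010]: disconnect from unknown[198.51.100.7]
Feb 4 08:15:00 postfix/smtpd[34100]: connect from mx.example.com[203.0.113.5]
Feb 4 08:15:01 postfix/smtpd[34100]: 1A2B3C4D5E: client=mx.example.com[203.0.113.5]
Feb 4 08:15:02 postfix/smtpd[34100]: disconnect from mx.example.com[203.0.113.5]
"""

SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (?P<msg>.*)$")
CLIENT_IP = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")

# Order matters: the DATA-specific pattern is tried before the generic "lost connection" one.
EVENT_PATTERNS = [
    ("connect", re.compile(r"^connect from (?P<client>\S+)")),
    ("lost_after_DATA", re.compile(r"^lost connection after DATA(?: \([^)]*\))? from (?P<client>\S+)")),
    ("lost_other", re.compile(r"^lost connection after \w+(?: \([^)]*\))? from (?P<client>\S+)")),
    ("relay_denied", re.compile(r"^NOQUEUE: reject: RCPT from (?P<client>\S+?): \d{3} .*Relay access denied")),
    ("accepted", re.compile(r"^[0-9A-F]+: client=(?P<client>\S+)")),
    ("disconnect", re.compile(r"^disconnect from (?P<client>\S+)")),
]


def parse_smtpd_events(lines):
    """Map each client IP to a Counter of smtpd session events."""
    events = defaultdict(Counter)
    for line in lines:
        m = SMTPD.search(line)
        if not m:
            continue  # cleanup/qmgr lines carry no client address
        msg = m.group("msg")
        for name, pattern in EVENT_PATTERNS:
            hit = pattern.match(msg)
            if hit:
                ipm = CLIENT_IP.search(hit.group("client"))
                ip = ipm.group("ip") if ipm else hit.group("client")
                events[ip][name] += 1
                break
    return events


def classify(events):
    """Label each client from the mix of events it produced."""
    verdicts = {}
    for ip, c in events.items():
        if c["relay_denied"]:
            verdicts[ip] = "relay_probe"          # asked us to relay and was refused
        elif c["lost_after_DATA"] and not c["accepted"]:
            verdicts[ip] = "aborted_after_DATA"   # reached DATA, then dropped the connection
        elif c["accepted"]:
            verdicts[ip] = "delivered"
        else:
            verdicts[ip] = "other"
    return verdicts


if __name__ == "__main__":
    ev = parse_smtpd_events(SAMPLE_LOG.splitlines())
    for ip, verdict in sorted(classify(ev).items()):
        print(f"{ip:16} {verdict:19} {dict(ev[ip])}")
```

A client that repeatedly lands in `relay_probe` or `aborted_after_DATA` with no `delivered` sessions is the pattern Mike describes; a host that also delivers real mail is more likely a legitimate peer having connection trouble, which is why the verdict looks at the whole session mix rather than one line.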
Re: spam
Well, the only firewall I have is the IPFilter that comes with FreeBSD. And I don't use sendmail.. so I'm not worried about that.. I thought that was what someone was doing.. I just went ahead and denied them in my firewall.

Any other suggestions?
Thanks
Craig

On Wed, Feb 06, 2002 at 07:27:11AM +, [EMAIL PROTECTED] wrote:
> Hi Craig
>
> It looks like someone has telnet'ed to port 25 on your mail-server. What
> firewall do you use?
>
> Kind regards
>
> Jude Naidoo
> Internet Analyst
> GSK Internet/Intranet Operations
> x784 6740
> +44 1279 64 6740
>
> "Craig Van Tassle" <[EMAIL PROTECTED]>
> 05-Feb-2002 06:57
>
> To: security-basics
> cc:
> Subject: spam
>
> I was wondering if anyone knows if people (spammers) watch the security
> focus mailing lists to get people's email addys? Over the last couple of
> months I have been getting sporadic spam emails..
> and I also noticed some funny things in my mail logs..
>
> Feb 3 23:16:53 postfix/smtpd[33997]: lost connection after DATA from
> unknown[209.149.145.250]
> Feb 3 23:16:53 postfix/smtpd[33997]: disconnect from
> unknown[209.149.145.250]
> Feb 3 23:16:53 postfix/cleanup[33998]: 846CD3F1A:
> message-id=<[EMAIL PROTECTED]>
>
> Does that mean that someone has been trying to get in through my email
> server, or are they just using me as a remailer?
>
> thanks
spam
I was wondering if anyone knows if people (spammers) watch the security focus mailing lists to get people's email addys? Over the last couple of months I have been getting sporadic spam emails.. and I also noticed some funny things in my mail logs..

Feb 3 23:16:53 postfix/smtpd[33997]: lost connection after DATA from unknown[209.149.145.250]
Feb 3 23:16:53 postfix/smtpd[33997]: disconnect from unknown[209.149.145.250]
Feb 3 23:16:53 postfix/cleanup[33998]: 846CD3F1A: message-id=<[EMAIL PROTECTED]>

Does that mean that someone has been trying to get in through my email server, or are they just using me as a remailer?

thanks
Re: a few basic simple questions
Well, one way to find out if your computer has a trojan is to get a known good clean copy of netstat and use it to show ALL internet connections and listening ports. One way you can protect yourself is to make sure you don't open up any attachments from anywhere without at the very least knowing that the person sent the attachment to you and making sure that it's been scanned by a good AV program.. Most of the AV programs will detect and remove most well known trojans.

From what you are saying about ZA and the updates it could be a virus or a trojan or just a plain old hack or someone playing with you via NetBIOS... or.. or.. or.. get the idea. ;)

One way I have found to avoid a lot of hack attempts is to use non-standard software that is not out there all over the place like Outlook. I used Eudora.. and I never used IE (I would have deleted it totally if I could, but too bad it's part of the heart of Windows) and various other things..

If you can't get auto-updater to work you can go to the MS web-site and download them manually and install them manually.. but if you know you have been hacked I would recommend that you save only TEXT files (not even *.doc files as they have formatting stuff in there that could be used to attack your system) and do a fresh install.

HTH
Craig

On Tue, Jan 29, 2002 at 09:03:41PM -, Enquiries wrote:
> Dear Group
>
> How do you know when you are infected by a trojan or someone has control of
> your pc from a backdoor?
>
> Is it when your windows updates always continuously refuse to update from
> the microsoft site, including the ever popular critical updates to patch
> security holes?
> When trying to update IE from microsoft it does not work?
> When you discover every so often that the hard drive when wiped clean
> suddenly becomes a 1gb hard drive instead of a 20 gb hard drive - has
> happened several times to me?
> When the firewall (zonealarm) every so often is disabled while surfing?
> Other strange happenings...
>
> How does one detect what the problem is and cure it, especially when you are
> a beginner? If using a trojan to fight a trojan to cure the problem how
> do you know which ones to trust, as I have found there seems to be a lot
> of programmes out there saying they can find this that and the other but
> what if it is something really specialised?
>
> Thaque
Re: loopback device
I found out that the -p is not the port. And I agree with the thought on giving advice on this list; that is why I mostly stay quiet until I know something or I have a question that I'm not sure of.

Thanks for both of your responses Leon. You have been very helpful in my endeavors to secure my box.
Craig

On Mon, Jan 21, 2002 at 01:08:13PM -0500, leon wrote:
> That is not true. P stands for proto not port.
>
> -p proto      Shows connections for the protocol specified by proto;
>               proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used
>               with the -s option to display per-protocol statistics,
>               proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6,
>               UDP, or UDPv6.
>
> It has nothing to do with ports. Please DO NOT GIVE ADVICE ON THE
> LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.
>
> Cheers,
>
> Leon
>
> -----Original Message-----
> From: shawn merdinger [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 18, 2002 8:45 PM
> Cc: Craig Van Tassle; secuirty-basics
> Subject: Re: loopback device
>
> Also, try the following:
>
> netstat -anp
>
> The p option displays the program bound to that socket/port.
>
> From the looks of your snort log, it did not *appear* to be a loopback
> address.
>
> -scm
>
> > On 15-Jan-2002 Craig Van Tassle wrote:
> > > My loopback is supposed to be 127.0.0.1.. at least that is what
> > > my ifconfig shows me.. and I have no idea what program is
> > > running on that port. Do you think that I could have a possible
> > > intrusion?
> > >
> > > Thanks
> > > Craig
> > >
> > > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> > >> No, you can't bypass the firewall using the loopback interface.
> > >> What's interesting though is the IP address they're using...
> > >> usually loopback is 127.0.0.1 and the port number, 5460 isn't
> > >> assigned to anyone so what program is running?
> > >>
> > >> -----Original Message-----
> > >> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> > >> Sent: Monday, January 14, 2002 8:48 AM
> > >> To: secuirty-basics
> > >> Subject: loopback device
> > >>
> > >> Is it possible for someone over a network to use my loopback to
> > >> bypass my firewall? If so what can I do to mitigate the
> > >> problem and how damaging can it be?
> > >>
> > >> The reason I'm asking is my Snort system is showing bad loopback
> > >> traffic.. thanks
> > >>
> > >> here is a snippet from my snort logs.
> > >>
> > >> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> > >> [Classification: Potentially Bad Traffic] [Priority: 2]
> > >> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
> > >> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
> > >> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
> > >>
> > >> Thanks
> > >> Craig
> >
> > --
> > Phillip O'Donnell
> > Software Engineer, Esphion Limited
> > [EMAIL PROTECTED]
Re: loopback device
Ahh, that was the problem.. Linux and BSD use different versions of netstat and I didn't think of that when I was posting to the list. BTW I'm using FreeBSD, just thought you should know. Sorry for all the confusion. This just goes to show how similar yet different versions of OS's use slightly different things.

Craig

On Mon, Jan 21, 2002 at 01:51:05PM -0600, shawn merdinger wrote:
> Some of the confusion may be coming from the OSs. I was assuming Linux.
>
> version:
>
> cartago:/home/shawn# netstat -V
> net-tools 1.60
> netstat 1.42 (2001-04-15)
> Fred Baumgarten, Alan Cox, Bernd Eckenfels, Phil Blundell, Tuan Hoang and others
> +NEW_ADDRT +RTF_IRTT +RTF_REJECT +FW_MASQUERADE +I18N
> AF: (inet) +UNIX +INET +INET6 +IPX +AX25 +NETROM +X25 +ATALK +ECONET +ROSE
> HW: +ETHER +ARC +SLIP +PPP +TUNNEL +TR +AX25 +NETROM +X25 +FR +ROSE +ASH +SIT +FDDI +HIPPI +HDLC/LAPB
>
> Windows netstat -p is for the protocol.
>
> heh heh...I'm sure we'll get through this one way or another. :)
>
> -scm
>
> On Mon, 21 Jan 2002, Craig Van Tassle wrote:
> > Scm I have looked up the netstat man page.
> >
> > -f address_family, -p protocol
> >    Limit display to those records of the specified address_family or a
> >    single protocol. The following address families and protocols are
> >    recognized:
> >
> > If that is what it says on your system then we are using 2 different versions of
> > netstat. The -p option as you can see is the protocol, not the program bound to the socket.
> > I have found that the lsof program actually was much better for tracking down what
> > (as it turned out to be nothing, just grabbed by my firewall and snort system)
> > was using that port and addy on my computer.
> >
> > Thanks for the information.
> >
> > Craig
> >
> > On Mon, Jan 21, 2002 at 01:34:02PM -0600, shawn merdinger wrote:
> > > Without resorting to a flame, the "p" option stands for the following:
> > >
> > > -p, --programs display PID/Program name for sockets
> > >
> > > So, it's the program that is bound to the socket.
> > >
> > > -scm
> > >
> > > On Mon, 21 Jan 2002, leon wrote:
> > > > That is not true. P stands for proto not port.
> > > >
> > > > -p proto      Shows connections for the protocol specified by proto;
> > > >               proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used
> > > >               with the -s option to display per-protocol statistics,
> > > >               proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6,
> > > >               UDP, or UDPv6.
> > > >
> > > > It has nothing to do with ports. Please DO NOT GIVE ADVICE ON THE
> > > > LIST IF YOU ARE NOT SURE OF WHAT YOU ARE SAYING.
> > > >
> > > > Cheers,
> > > >
> > > > Leon
> > > >
> > > > -----Original Message-----
> > > > From: shawn merdinger [mailto:[EMAIL PROTECTED]]
> > > > Sent: Friday, January 18, 2002 8:45 PM
> > > > Cc: Craig Van Tassle; secuirty-basics
> > > > Subject: Re: loopback device
> > > >
> > > > Also, try the following:
> > > >
> > > > netstat -anp
> > > >
> > > > The p option displays the program bound to that socket/port.
> > > >
> > > > From the looks of your snort log, it did not *appear* to be a loopback
> > > > address.
> > > >
> > > > -scm
> > > >
> > > > > On 15-Jan-2002 Craig Van Tassle wrote:
> > > > > > My loopback is supposed to be 127.0.0.1.. at least that is what
> > > > > > my ifconfig shows me.. and I have no idea what program is
> > > > > > running on that port. Do you think that I could have a possible
> > > > > > intrusion?
> > > > > >
> > > > > > Thanks
> > > > > > Craig
> > > > > >
> > > > > > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> > > > > >> No, you can't bypass the firewall using the loopback interface.
> > > > > >> What's interesting though is the IP address they're using...
> > > > > >> us
weird snort logs
I'm getting some alerts from an IP that we all know and love: Security Focus. Has anyone gotten the same results or has any ideas on why this would be happening?

Thanks
Craig

P.S. here is the output from my snort logs

[**] ATTACK RESPONSES id check returned root [**]
01/18-04:21:58.569692 66.38.151.27:53886 -> x.x.x.x:25
TCP TTL:42 TOS:0x0 ID:57084 IpLen:20 DgmLen:1500 DF
***A Seq: 0x8F3CCC0C Ack: 0xA7DB1015 Win: 0x16D0 TcpLen: 32
TCP Options (3) => NOP NOP TS: 669129608 27111348
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Re: loopback device
Ok, the port was a typo. But do you think that my computer could be compromised, or could this just be a misconfiguration on my computer or an attempt at a hack? How is it that my computer is catching this loopback traffic? Could someone be bouncing off my computer or what?

Thanks
Craig

On Thu, Jan 17, 2002 at 02:11:15PM -0500, leon wrote:
> What do you mean by what program is running on this port? I am not
> sure if you consider the loop back address a port as much as what it
> is (ie; a loopback address). I don't know if you can bind running
> process to the loopback addy. Even if you possibly could, an
> attacker never would because you would be unable to route traffic to
> it.
>
> HTH,
>
> Leon
>
> -----Original Message-----
> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, January 15, 2002 2:35 PM
> To: secuirty-basics
> Subject: Re: loopback device
>
> My loopback is supposed to be 127.0.0.1.. at least that is what my
> ifconfig shows me.. and I have no idea what program is running on
> that port.
> Do you think that I could have a possible intrusion?
>
> Thanks
> Craig
>
> On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> > No, you can't bypass the firewall using the loopback interface.
> > What's interesting though is the IP address they're using... usually
> > loopback is 127.0.0.1 and the port number, 5460 isn't assigned to
> > anyone so what program is running?
> >
> > -----Original Message-----
> > From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> > Sent: Monday, January 14, 2002 8:48 AM
> > To: secuirty-basics
> > Subject: loopback device
> >
> > Is it possible for someone over a network to use my loopback to
> > bypass my firewall? If so what can I do to mitigate the problem and
> > how damaging can it be?
> >
> > The reason I'm asking is my Snort system is showing bad loopback
> > traffic.. thanks
> >
> > here is a snippet from my snort logs.
> >
> > [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> > [Classification: Potentially Bad Traffic] [Priority: 2]
> > 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
> > TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
> > **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
> >
> > Thanks
> > Craig
Re: loopback device
I know the IP of my comp is totally different; that is part of the reason I was wondering about the loopback traffic. I do have lsof and I will look into that to see what is going on.. And yesterday I saw a lot of traffic going in to and out of my DSL modem (physically separate from my box) and I didn't show any new usage of the internet via netstat and my firewall monitoring utilities.. Do you think this could be a break-in attempt or could I have already been broken into?

Thanks
Craig

On Thu, Jan 17, 2002 at 09:09:19AM +1300, [EMAIL PROTECTED] wrote:
> Actually, most loopback devices respond to any IP within the 127/8 IP range,
> because the entire /8 block is reserved for loopback purposes.
>
> The fact that a program is using it isn't a ''bad'' thing, although it is
> extremely odd.
>
> I do have a few concerns though. Is 45.253.14.97 an IP address on the system?
> If not, you may want to investigate as to why traffic to the loopback subnet is
> being routed there.
>
> Also, if you're running a *NIX variant (Being snort, I guess so)... See if
> there is a version of a utility called 'lsof' available for your system. What
> that does is list information about open file descriptors, including sockets
> (tcp, udp, unix, etc), pipes, fifos, normal files, and more.
>
> The output from that may be able to give you some insight as to what is binding
> to that port on your system, if indeed anything is.
>
> On 15-Jan-2002 Craig Van Tassle wrote:
> > My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig
> > shows me.. and I have no idea what program is running on that port.
> > Do you think that I could have a possible intrusion?
> >
> > Thanks
> > Craig
> >
> > On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> >> No, you can't bypass the firewall using the loopback interface. What's
> >> interesting though is the IP address they're using... usually loopback is
> >> 127.0.0.1 and the port number, 5460 isn't assigned to anyone so what program
> >> is running?
> >>
> >> -----Original Message-----
> >> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> >> Sent: Monday, January 14, 2002 8:48 AM
> >> To: secuirty-basics
> >> Subject: loopback device
> >>
> >> Is it possible for someone over a network to use my loopback to bypass my
> >> firewall? If so what can I do to mitigate the problem and how damaging can
> >> it be?
> >>
> >> The reason I'm asking is my Snort system is showing bad loopback traffic..
> >> thanks
> >>
> >> here is a snippet from my snort logs.
> >>
> >> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> >> [Classification: Potentially Bad Traffic] [Priority: 2]
> >> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
> >> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
> >> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
> >>
> >> Thanks
> >> Craig
>
> --
> Phillip O'Donnell
> Software Engineer, Esphion Limited
> [EMAIL PROTECTED]
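Phillip's two checks (is the address in 127/8 at all, and is the source one of the host's own addresses) can be applied mechanically to Snort's full-format alert output. The following is an added example in Python, not code from the list or from Snort; the first alert is the one Craig posted, the second is a constructed one (a local-rule SID in the 1000000 range and sample addresses) to show ordinary inbound traffic producing no findings. The host's own addresses are passed in by hand, as `ifconfig` would show them.

```python
import ipaddress
import re

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# Snort "full" alert format as in the post: a [**] header line, a classification
# line, the flow line and the IP header line.
HEADER = re.compile(r"^\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]$")
FLOW = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")
PROTO = re.compile(r"^(?P<proto>TCP|UDP|ICMP) TTL:(?P<ttl>\d+)")

# Constructed sample: the first alert is the one from the post, the second is made up.
SAMPLE_ALERTS = """\
[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
**S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20

[**] [1:1000001:1] LOCAL constructed example inbound SYN [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/12-14:12:00.000000 198.51.100.9:40000 -> 192.0.2.10:3128
TCP TTL:50 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
**S* Seq: 0x1 Ack: 0x0 Win: 0x4000 TcpLen: 40
"""


def parse_alerts(text):
    """One dict per alert: sid, msg, timestamp, src/dst addresses and ports, proto."""
    alerts, cur = [], None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            cur = {"sid": int(h["sid"]), "msg": h["msg"]}
            alerts.append(cur)
            continue
        if cur is None:
            continue
        f = FLOW.match(line)
        if f:
            cur.update(ts=f["ts"], src=f["src"], sport=int(f["sport"]),
                       dst=f["dst"], dport=int(f["dport"]))
            continue
        p = PROTO.match(line)
        if p:
            cur["proto"] = p["proto"]
    return alerts


def triage_loopback(alert, local_ips):
    """Findings for a packet seen on a real interface that touches 127.0.0.0/8.

    local_ips: the addresses configured on this host (what ifconfig shows)."""
    src = ipaddress.ip_address(alert["src"])
    dst = ipaddress.ip_address(alert["dst"])
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    findings = []
    if dst in LOOPBACK and src not in LOOPBACK:
        findings.append("destination is in 127.0.0.0/8 but the packet came from outside loopback")
    if src in LOOPBACK and dst not in LOOPBACK:
        findings.append("source claims 127.0.0.0/8 on a non-loopback interface (spoofed)")
    if findings and src not in local:
        findings.append(f"source {src} is not an address of this host; "
                        f"check with lsof what, if anything, listens on port {alert['dport']}")
    return findings


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(a["sid"], a["msg"])
        for finding in triage_loopback(a, local_ips=["192.0.2.10"]):
            print("  -", finding)
```

Nothing legitimate carries a 127/8 address on the wire, so any finding means either spoofed packets or a misconfigured host; the `lsof` step from Phillip's reply is the follow-up that tells you whether anything on the box actually answers on that port.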
Re: loopback device
My loopback is supposed to be 127.0.0.1.. at least that is what my ifconfig shows me.. and I have no idea what program is running on that port. Do you think that I could have a possible intrusion?

Thanks
Craig

On Tue, Jan 15, 2002 at 10:44:48AM -0800, Glenn Pitcher wrote:
> No, you can't bypass the firewall using the loopback interface. What's
> interesting though is the IP address they're using... usually loopback is
> 127.0.0.1 and the port number, 5460 isn't assigned to anyone so what program
> is running?
>
> -----Original Message-----
> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 14, 2002 8:48 AM
> To: secuirty-basics
> Subject: loopback device
>
> Is it possible for someone over a network to use my loopback to bypass my
> firewall? If so what can I do to mitigate the problem and how damaging can
> it be?
>
> The reason I'm asking is my Snort system is showing bad loopback traffic..
> thanks
>
> here is a snippet from my snort logs.
>
> [**] [1:528:2] BAD TRAFFIC loopback traffic [**]
> [Classification: Potentially Bad Traffic] [Priority: 2]
> 01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
> TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
> **S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20
>
> Thanks
> Craig
loopback device
Is it possible for someone over a network to use my loopback to bypass my firewall? If so what can I do to mitigate the problem and how damaging can it be?

The reason I'm asking is my Snort system is showing bad loopback traffic.. thanks

here is a snippet from my snort logs.

[**] [1:528:2] BAD TRAFFIC loopback traffic [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
01/12-14:10:11.568007 45.253.14.97:49847 -> 127.167.228.85:5460
TCP TTL:64 TOS:0x0 ID:37583 IpLen:20 DgmLen:40
**S* Seq: 0x3F4BB00A Ack: 0x0 Win: 0x200 TcpLen: 20

Thanks
Craig
Re: How can I detect someone sniffing my network?
I would look at the Security Focus article.. It says how to detect promiscuous mode on NICs and that is about all you can do.. Some programs put the NIC in promiscuous mode just to work. Snort does because it was designed to work over a network and not for only one host.

HTH
Craig

On Mon, Jan 14, 2002 at 11:12:20AM -0500, [EMAIL PROTECTED] wrote:
> How would you go about detecting what NICs are in promiscuous mode? Is
> there some sort of mass ping to find such a thing out?
>
> -----Original Message-----
> From: Craig Van Tassle [mailto:[EMAIL PROTECTED]]
> Sent: Friday, January 11, 2002 3:09 AM
> To: secuirty-basics
> Subject: Re: How can I detect someone sniffing my network?
>
> If you are on the same sub-net the only way would be to find out who has
> their NIC in promiscuous mode. If it's out on the web AFAIK it's not possible.
>
> Sniffing is a passive "attack" and is very hard to detect. If you are worried
> about someone sniffing your passwords then I would recommend implementing some
> form of encryption to prevent this.
> That is the best way to stop someone from watching what you send.
>
> HTH
> Craig
>
> On Wed, Jan 09, 2002 at 12:13:20AM -0200, Mario Camara wrote:
> > Can someone help me with that?
> >
> > Mário Câmara
> > [EMAIL PROTECTED]
> > [EMAIL PROTECTED]
> > ICQ: 331 335
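Detecting promiscuous mode from across the wire is what the article Craig points to covers; on a host you administer yourself, the interface flags and the kernel log answer the question directly, and Craig's point that Snort sets the mode on purpose means a hit has to be matched against the sensors you know about. The following is an added example in Python, not code from the list; it assumes Linux (the `IFF_PROMISC` bit value 0x100 from `<linux/if.h>`, the per-interface `flags` file under `/sys/class/net`, and the kernel's `device X entered/left promiscuous mode` message), and the log lines are constructed samples.

```python
import os
import re

IFF_PROMISC = 0x100          # interface flag bit, from the Linux <linux/if.h> header
SYS_NET = "/sys/class/net"   # Linux sysfs; each interface has a "flags" file holding a hex word


def is_promisc(flags_word):
    """True if an interface flags word (e.g. the string '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_word, 16) & IFF_PROMISC)


def promiscuous_interfaces(sys_net=SYS_NET):
    """Names of local interfaces currently in promiscuous mode (Linux only; [] elsewhere)."""
    found = []
    if not os.path.isdir(sys_net):
        return found
    for iface in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, iface, "flags")) as fh:
                if is_promisc(fh.read().strip()):
                    found.append(iface)
        except (OSError, ValueError):
            continue                # virtual entries without a readable flags file
    return found


# The kernel logs every transition, so syslog/dmesg tells you when it happened
# and lets you line it up with the process that started at the same time.
PROMISC_EVENT = re.compile(r"device (?P<iface>\S+) (?P<action>entered|left) promiscuous mode")


def promisc_history(log_lines):
    """(iface, action) pairs, in order, from kernel log lines."""
    history = []
    for line in log_lines:
        m = PROMISC_EVENT.search(line)
        if m:
            history.append((m["iface"], m["action"]))
    return history


# Constructed sample lines in the format the Linux kernel uses.
SAMPLE_KERNEL_LOG = [
    "Jan 11 03:05:12 host kernel: device eth0 entered promiscuous mode",
    "Jan 11 03:05:12 host kernel: eth0: link is up",
    "Jan 11 03:40:01 host kernel: device eth0 left promiscuous mode",
]

if __name__ == "__main__":
    print("promiscuous now:", promiscuous_interfaces())
    print("history:", promisc_history(SAMPLE_KERNEL_LOG))
```

An `entered` event with no matching sensor (Snort, tcpdump, a bridge) running at that time is the thing to chase; an interface that is promiscuous because your own Snort box sniffs on it is expected and should be on an allow-list.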
Re: Security Update Software
My personal recommendation is doing it yourself or with scripts. I have seen where an autoupdater like up2date has introduced new security holes instead of fixing them. That was mostly because the default install was insecure, but nonetheless you still had a sec hole (ie a problem).

just my 0.02
Craig

On Tue, Jan 08, 2002 at 12:12:01PM +0530, Devdas Bhagat wrote:
> On 07/01/02 10:51 +0200, Udi dahan wrote:
> > I'm working as a security manager for a big ISP and I'm looking for a
> > GOOD security update software.
> This would depend on which OS you are looking for. IF you have RH Linux, then
> RH has up2date, MS has hfnetchk (IIRC) for Windows NT/2K,
> http://windowsupdate.microsoft.com for the rest. I suggest monitoring
> bugtraq and using a few good scripts to do this for you (I suggest
> wget+sh).
>
> More details on what you are looking for would of course help a lot
> more.
>
> Devdas Bhagat
Re: How can I detect someone sniffing my network?
If you are on the same sub-net the only way would be to find out who has their NIC in promiscuous mode. If it's out on the web AFAIK it's not possible.

Sniffing is a passive "attack" and is very hard to detect. If you are worried about someone sniffing your passwords then I would recommend implementing some form of encryption to prevent this. That is the best way to stop someone from watching what you send.

HTH
Craig

On Wed, Jan 09, 2002 at 12:13:20AM -0200, Mario Camara wrote:
> Can someone help me with that?
>
> Mário Câmara
> [EMAIL PROTECTED]
> [EMAIL PROTECTED]
> ICQ: 331 335
re: Squid Proxy
Ok, I thought that could be a possibility. I have seen a few portscans after the snort warning but I've verified where they were coming from and alerted the proper ISP (PS there were a few connection attempts to ports like 31337 and 6000-60036). Ok, thanks for the info. You just confirmed what I was thinking was going on.

Ok, later and thanks again
Craig

On Wed, Dec 12, 2001 at 06:23:55PM +, Edilson Osorio Junior wrote:
> Hi Craig,
> The scan could be started by someone on the Inet, whether you have or not a
> static IP. It always happens.
> The default port of Squid is 3128. It's interesting to put your firewall to
> log these not allowed connections, so you'll see from where these
> connections are generated.
> The portscanning is the first action to a possible attack... Portscanning
> lets the intruder know something more about your system... If you have some
> dangerous process running on any port, the portscan will show that, unless
> it's blocked by your firewall. So the intruder has the capability to DoS or
> penetrate your system.
>
> []'s
> Edilson
>
> ----- Original message follows -----
>
> Hello Everyone. I've been noticing in my snort logs a lot of Squid Proxy
> attempts. My box is set up as a firewall/gateway for one of my friends but I
> don't think that he's causing them (unless he's capable of spoofing what NIC
> they come in on). I was wondering what could be causing the scans? And what
> port Squid proxy uses? And also what kind of danger do these scans present
> to the security of my computer?
> Thanks
> Craig
>
> ___
> Edilson Osorio Junior
> 4Solutions Informática
> NetHawk Division - Network Consulting and Security
Re: please help with SSL
With most of the standard libs you can't reorder the packets manually. What I was talking about was the actual stack for the TCP/IP networking code that is usually in the kernels. I'm not totally sure if the NIC programmers have put the reordering code in there. But if you manually create the packet I'm pretty sure that you could set how it reorders the packet, but then why? That would be too much work!

Craig

On Tue, Dec 11, 2001 at 11:29:06AM -0500, vertigo wrote:
> I don't, never have, and didn't even know it was possible to
> to manipulate the packet order with the libraries I have used
> (JSSE and RSA BSAFE SSL-C/J). As a "code guru" (well, not quite
> a guru yet), I don't think about that stuff. If I have to,
> then the API is broken from my perspective.
>
> vertigo
>
> On Tue, 11 Dec 2001, Craig Van Tassle wrote:
> > Ok, here are the basics of the OSI model for networking.
> > layer 1 - physical (the actual wire)
> > layer 2 - data link (transmits the frames and receives the frames
> >           and verifies the delivery)
> > layer 3 - network (communications between the machines, ie the sub-net
> >           and routes from 192.168.0.0 to 192.168.1.0)
> > layer 4 - transport (end to end integrity of transmissions)
> > layer 5 - session (flow control)
> > layer 6 - presentation (translates between the different encoding schemes,
> >           ie ASCII to EBCDIC)
> > layer 7 - application (the actual app that is using the stack,
> >           anything from ftp to web browsing for porn (j/k))
> >
> > As you can see the application layer would be the SSL tunnel that you are using
> > and the transport layer is what will reorder the packets. You don't want to have a
> > program like your email getting out of order, or your stream from your local web-cast
> > radio station. The packet reordering is done even before SSL comes into play. The
> > data in the payload of the datagram will be encrypted, split up as it encounters
> > pipes that can't handle the frame at its "true" size. As it goes about the internet
> > and gets fragmented it's reordered as it comes in to your NIC/modem/cable/whatever, then
> > the header information is stripped and sent to the program using the SSL. And it
> > may be a little slow but TCP (transmission control protocol) is what's used to make
> > sure that everything goes to and from the web server to your box.
> >
> > To answer the original question in a strict sense the answer is no.
> > The information is reordered by the transport layer.
> > If you need more information look up the TCP RFCs.
> >
> > HTH
> > Craig
> >
> > On Sat, Dec 08, 2001 at 06:05:47PM -0800, Pradeep Kumar wrote:
> > > Packet reordering has nothing to do with SSL. Packet reordering can be
> > > implemented as an additional check. Check with the code gurus how they
> > > implement it. If your device has to do a packet reordering, then it won't be
> > > most efficient. When the traffic is voice, you don't want this feature( bug
> > > !! )
> > >
> > > -Pradeep
> > >
> > > -----Original Message-----
> > > From: 'ken'@FTU [mailto:[EMAIL PROTECTED]]
> > > Sent: Thursday, November 29, 2001 1:09 PM
> > > To: Tarek Koudsi
> > > Cc: [EMAIL PROTECTED]
> > > Subject: Re: please help with SSL
> > >
> > > SSL occurs at the layer above TCP. Therefore the reordering of packets
> > > happens before the block is decrypted.
> > >
> > > 'ken'
> > >
> > > Tarek Koudsi wrote:
> > >
> > > > Mailer: SecurityFocus
> > > >
> > > > I would highly appreciate it if someone could answer
> > > > this question? Is it possible in SSL for the receiver to
> > > > reorder SSL record blocks
> > > > that arrive out of order? If yes how? If not, why not?
Re: Squid Proxy
Ok, here is a snippet from my snort logs.

[Classification: Attempted Information Leak] [Priority: 2]
12/09-04:29:03.758283 x.x.x.x:SNORT -> x.x.x.x:x
TCP TTL:64 TOS:0x0 ID:10629 IpLen:20 DgmLen:60 DF
**S* Seq: 0xD62DA19F Ack: 0x0 Win: 0x TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 36535395 0

On Wed, Dec 12, 2001 at 08:38:20AM +0900, Min Lee wrote:
> I do not understand your meaning.
>
> Could you show us more detailed information on the security issue that occurred?
>
> ----- Original Message -----
> From: "Craig Van Tassle" <[EMAIL PROTECTED]>
> To: "secuirty-basics" <[EMAIL PROTECTED]>
> Sent: Tuesday, December 11, 2001 3:49 AM
> Subject: Squid Proxy
Re: please help with SSL
Ok, here are the basics of the OSI model for networking.

layer 1 - physical (the actual wire)
layer 2 - data link (transmits the frames, receives the frames, and verifies the delivery)
layer 3 - network (communications between the machines, i.e. the sub-net, and routes from 192.168.0.0 to 192.168.1.0)
layer 4 - transport (end to end integrity of transmissions)
layer 5 - session (flow control)
layer 6 - presentation (translates between the different encoding schemes, i.e. ASCII to EBCDIC)
layer 7 - application (the actual app that is using the stack, anything from ftp to web browsing for porn (j/k))

As you can see the application layer would be the SSL tunnel that you are using, and the transport layer is what will reorder the packets. You don't want to have a program like your email getting out of order, or your stream from your local web-cast radio station. The packet reordering is done even before SSL comes into play. The data in the pay-load of the datagram will be encrypted, split up as it encounters pipes that can't handle the frame at its "true" size. As it goes about the internet and gets fragmented it's reordered as it comes in to your NIC/modem/cable/whatever, then the header information is stripped and sent to the program using the SSL. And it may be a little slow, but TCP (Transmission Control Protocol) is what's used to make sure that everything goes to and from the web server to your box.

To answer the original question, in a strict sense the answer is no.

The information is reordered by the transport layer.

If you need more information look up the TCP RFCs.

HTH
Craig

On Sat, Dec 08, 2001 at 06:05:47PM -0800, Pradeep Kumar wrote:
> Packet reordering has nothing to do with SSL. Packet reordering can be
> implemented as an additional check. Check with the code gurus how they
> implement it. If your device has to do packet reordering, then it won't be
> most efficient. When the traffic is voice, you don't want this feature (bug!!)
>
> -Pradeep
>
> -----Original Message-----
> From: 'ken'@FTU [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, November 29, 2001 1:09 PM
> To: Tarek Koudsi
> Cc: [EMAIL PROTECTED]
> Subject: Re: please help with SSL
>
> SSL occurs at the layer above TCP. Therefore the reordering of packets
> happens before the block is decrypted.
>
> 'ken'
>
> Tarek Koudsi wrote:
>
> > I would highly appreciate it if someone could answer
> > this question: is it possible in SSL for the receiver to
> > reorder SSL record blocks
> > that arrive out of order? If yes, how? If not, why not?
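The point of the thread, that the record layer only ever sees the byte stream TCP has already put back in order, as an added worked example (not code from any of the posts above). The 5-byte header layout (content type, version, length) is the real SSL/TLS record header; the three records, the segment size of 10 bytes, the initial sequence number 1000 and the arrival order are constructed sample data, and the reassembly buffer is a deliberately minimal model of the receiving TCP, not a real stack.

```python
import struct

RECORD_HDR = struct.Struct("!BHH")   # content type (1 byte), version (2), payload length (2)
TLS1_0 = 0x0301


def build_record(ctype, version, payload):
    """Frame one SSL/TLS-style record: 5-byte header followed by the payload."""
    return RECORD_HDR.pack(ctype, version, len(payload)) + payload


# constructed sample: a handshake record, a change-cipher-spec record and one
# application-data record, back to back as they would sit in the byte stream
RECORDS = [
    build_record(22, TLS1_0, b"client-hello"),
    build_record(20, TLS1_0, b"\x01"),
    build_record(23, TLS1_0, b"GET / HTTP/1.0\r\n"),
]
STREAM = b"".join(RECORDS)


def split_into_segments(stream, mss, isn):
    """Chop a byte stream into (seq, data) pairs the way TCP would, numbering
    bytes from the initial sequence number `isn` with segments of at most `mss` bytes."""
    return [(isn + off, stream[off:off + mss]) for off in range(0, len(stream), mss)]


class ReassemblyBuffer:
    """Receiver side of TCP, reduced to the one job that matters here: segments
    arrive in any order, but only contiguous in-sequence bytes are released to
    the application (the record layer)."""

    def __init__(self, isn):
        self.next_seq = isn   # sequence number of the next byte the application may see
        self.pending = {}     # seq -> data, segments that arrived early

    def receive(self, seq, data):
        """Accept one segment and return every byte that is now deliverable in order."""
        self.pending[seq] = data
        delivered = bytearray()
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            delivered += chunk
            self.next_seq += len(chunk)
        return bytes(delivered)


def parse_records(stream):
    """Walk an in-order byte stream and return (type, version, payload) tuples.
    The record layer has no sequence numbers of its own: if the bytes are not in
    order it simply finds a nonsensical header and fails (ValueError)."""
    records = []
    off = 0
    while off < len(stream):
        if len(stream) - off < RECORD_HDR.size:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, version, length = RECORD_HDR.unpack_from(stream, off)
        if ctype not in (20, 21, 22, 23) or length > 16384:
            raise ValueError("bad record header at offset %d" % off)
        off += RECORD_HDR.size
        if off + length > len(stream):
            raise ValueError("truncated record body at offset %d" % off)
        records.append((ctype, version, stream[off:off + length]))
        off += length
    return records


def parse_records_safely(stream):
    """parse_records, but returns None instead of raising, for comparisons."""
    try:
        return parse_records(stream)
    except ValueError:
        return None


def deliver_in_order(segments, isn):
    """Feed segments in arrival order through the reassembly buffer and parse
    what it releases, which is exactly what an SSL library reading a socket sees."""
    buf = ReassemblyBuffer(isn)
    stream = b"".join(buf.receive(seq, data) for seq, data in segments)
    return parse_records(stream)


def demo():
    """Deliver the sample stream with segments arriving out of order."""
    isn = 1000
    segments = split_into_segments(STREAM, mss=10, isn=isn)
    arrival = [segments[i] for i in (3, 0, 4, 1, 2)]   # constructed arrival order
    via_tcp = deliver_in_order(arrival, isn)
    naive = parse_records_safely(b"".join(data for _, data in arrival))
    return via_tcp, naive


if __name__ == "__main__":
    ordered, naive = demo()
    print("after TCP reassembly:", ordered)
    print("record layer fed the raw arrival order:", naive)
```

Run as a script it prints the three intact records after reassembly and `None` for the raw arrival order: the record layer cannot reorder anything because a record header carries a type, a version and a length but no position in the stream, so the only thing it can do with misordered bytes is reject them.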
Re: Squid Proxy
Well I checked out all the irc servers I've been at and the ip does not resolve to any of the servers I've been using.. so I was just wondering if it's possible that someone else could be trying to crash against my port 3128?

Thanks
Craig

On Mon, Dec 10, 2001 at 07:28:53PM -0600, dewt wrote:
> On Monday 10 December 2001 12:49 pm, Craig Van Tassle wrote:
> > Hello Everyone. I've been noticing in my snort logs a lot of Squid Proxy
> > attempts. My box is setup as a firewall/gateway for one of my friends but I
> > don't think that he's causing them (unless he's capable of spoofing what NIC
> > they come in on). I was wondering what could be causing the scans? And what
> > port Squid proxy uses? And also what kind of danger do these scans present
> > to the security of my computer? Thanks
> > Craig
> squid uses port 3128 by default, many irc networks now scan a connecting
> machine for running proxies, this could be causing the alert
Re: Unix Security Standards, books, tools...
On Wed, Nov 28, 2001 at 06:08:37PM -0800, tony toni wrote:
> Folks,
>
> I recently was assigned the project of developing security standards for our
> Unix environment. We have about 400 unix boxes (HP-UX, Sun Solaris, AIX,
> etc) and the admins do their *own thing* with these boxes.

Well that is what some sys-admins do.. what kind of security do they have set up? Do all the unix boxes have individual firewalls? Do you use Kerberos or S/Key authentication? (sorry about my spelling). What about the routers between all the Unix boxes, are they locked down or a nice wide open door?

> This is not a project I exactly like...I am buried with 20 other
> projects...and I am not a Unix guru. For each Unix *flavor*, I need to develop
> Unix security standards that will cover areas like configuration settings,
> defaults, permissions, admin. account, password file, shells, trusts, root,
> patches, logging, etc.
>
> These are my questions:
>
> (1) Does anyone know where I can quickly get my hands on some high quality,
> concise security standards/templates/checklists for each Unix *flavor*?

There are many web-pages with this information on locking down unix. Search google for some ideas. Check out this web site.. I find it pretty good: http://www.deter.com/unix/ Also check out www.secureroot.com and www.securityfocus.com; they have a lot of information on computer security and good links to other sources.

> (2) What about good books/sites on Unix Security?

Maximum Security: a hacker's guide to protecting your internet site and network
Practical UNIX & Internet Security
Essential System Administration
Firewalls and Internet Security: Repelling the Wily Hacker
Building Internet Firewalls
Hacking Exposed

They are all good books available at almost any local book store. I know Borders has a section about computer security. Look there, they have a lot of good information.

> (3) What about user friendly software tool(s) that I can periodically use
> to audit the Unix boxes for compliance to the new security standards I
> developed?

If you want user friendly tools, I don't know of many for unix.. I would recommend using something like snort for IDS, and set up scripts to watch for weird activity. And remember the basic rule of security: what is not needed is not installed.

> Thanks
>
> Tony
> IT Security Manager
> Major Telecommunications Company
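The kind of "script to watch for weird activity" the answer above has in mind, for two of the areas in Tony's list (password file and permissions), as an added example that is not code from the posts. The passwd content is a constructed sample; the mode checks run over a throwaway directory the script builds itself, so nothing here touches the real system unless you point `audit_tree` at a real path.

```python
import os
import stat
import tempfile

# constructed sample passwd content: "toor" has an empty password field and is
# a second UID-0 account, "svc" is a third UID-0 account posing as a service user
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
toor::0:0:Bourne-again Superuser:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
craig:x:1001:1001:Craig:/home/craig:/bin/sh
svc:x:0:1003:service account:/home/svc:/bin/sh
"""


def audit_passwd(text):
    """Return (account, finding) pairs for common passwd-file defects:
    malformed lines, an empty password field, and UID-0 accounts other than root."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((name, "empty password field"))
        if uid == "0" and name != "root":
            findings.append((name, "extra UID 0 account"))
    return findings


def audit_modes(paths):
    """Return (path, finding) pairs for world-writable entries (sticky directories
    excepted) and for setuid/setgid files among `paths`; symlinks are skipped."""
    findings = []
    for path in paths:
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            continue
        if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
            findings.append((path, "world-writable"))
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((path, "setuid/setgid"))
    return findings


def audit_tree(root):
    """Walk a directory tree and run audit_modes over every file in it."""
    paths = []
    for dirpath, _dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, name) for name in filenames)
    return audit_modes(paths)


def demo():
    """Build a throwaway directory with one world-writable file and one setuid
    file, audit it, and return (basename, finding) pairs."""
    with tempfile.TemporaryDirectory() as d:
        for name, mode in (("notes.txt", 0o644), ("dropbox", 0o666), ("helper", 0o4755)):
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        return sorted((os.path.basename(p), f) for p, f in audit_tree(d))


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print("passwd: %s: %s" % (account, finding))
    for name, finding in demo():
        print("mode:   %s: %s" % (name, finding))
```

Each check is a function that returns its findings rather than printing them, so the same script can be run from cron on every box and its output diffed against a baseline, which is what "compliance to the standard" comes down to in practice.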
Re: relaying in exchange 2000
On Tue, Nov 27, 2001 at 06:16:39PM -0500, Eugene Chai wrote:
> > Hello.
> >
> > Here's my deal.
> >
> > I got about thirty employees outside the office that access our
> > exchange server through IMAP to get their email. Relaying was left
> > open so that it is possible for them to send out through our email
> > server regardless of how they are connected through the internet.
> > Well, seems someone is using my email server for spamming purposes.
> > Ummm... So I did everything I'm supposed to do in the virtual SMTP
> > properties. I tried to deny relay access from the hotmail.com and
> > yahoo.com domains. That doesn't work. I tried to disable anonymous
> > authentication in the access tabs, but this prevents anyone from
> > sending. Support tells me I should enable a password authentication
> > on the outgoing server. Did that, and it rejects the password. Tried
> > only basic authentication, nope. Tried every combination of basic,
> > integrated, and anonymous authentication. Nope. It either allows
> > everyone to relay or no one to send. On the relay tab, I tried grant
> > relay to only the list below and left the list empty but checked
> > "Allow all computers who authenticate to relay, regardless of list
> > above". This doesn't work - no one can send.
> >
> > Am I making sense here? Please ask me to be more specific if I am not
> > making any sense because I do not wanna call micro$oft.
> >
> > sorry and thanks so much.
> >
> > Eugene

Well did you try setting it to only relay for your domain? I know Sendmail, postfix and qmail can all be set to do that. I don't know exchange, but these abilities should be in every email server. If I'm correct it's in an RFC for it. But then when have M$ ever followed the RFCs when they didn't want to?

Good luck and let me know how it goes
Craig
Re: Microsoft EFS Question?
I think you can set up EFS to use the certificate that you want it to use.. (I only used one on my old win2k box). If you are looking to encrypt just a couple of files I recommend gpg or pgp.

Hope this helps

On Tue, Nov 27, 2001 at 03:26:48PM -0500, Randall Laura wrote:
>
> Does anyone have or know where I can get information about using multiple
> certificates with EFS?
>
> I have two certificates in my certificate store (an imported corporate PKI
> certificate, and the certificate generated solely for EFS use). When
> encrypting files, there is not an option to choose a certificate for
> encryption. Is it possible to do this or does EFS only use the auto
> generated certificate?
>
> Also does anyone know of any good file encryption software. Your assistance
> is appreciated.
>
> Thank You,
>
> Laura Randall
> Security Consultant
> Booz | Allen | Hamilton
Re: Xmas and null scans
Well I know what a port scan is and how it works.. I was asking about the Xmas and NULL type scans. What flags do they set? I was just asking about these specific types of scans, not port scanning in general. I'll look up the Phrack mag article to see if it has the info I'm looking for.

thanks
Craig

On Fri, Nov 23, 2001 at 05:12:40PM +0100, Jeremie Werner wrote:
> Hello,
>
> I'm not sure I have clearly understood all the questions, but this may help
> you (I hope :).
>
> The ports that are marked as open are ports from your box, so the only ports
> that could be open are services you are running on your box. It may be httpd,
> or even X server ...
>
> To detect the scan, you can use a NIDS (like snort), or even a specific
> program that detects portscans (like scanlogd from openwall.com). To block
> portscans you should install a firewall, to filter the incoming packets.
>
> In order to understand the way of portscanning, you should read the paper
> from Fyodor published in Phrack 51 (phrack.org) called 'The art of port
> scanning'.
>
> For more help, just try google.com :)
>
> Have fun ...
>
> > Hello everyone.
> > I'm running FreeBSD 4.4 and I was doing a port scan of myself (from a remote
> > box that I have legal access to) and I was getting a log of open ports from
> > nmap -sN and nmap -sX. I was wondering why I was getting all of these "open
> > ports" and does anyone know how to stop these scans from getting through?
> > And how do these scans work?
> > Thanks
> > Craig
Xmas and null scans
Hello everyone.

I'm running FreeBSD 4.4 and I was doing a port scan of myself (from a remote box that I have legal access to) and I was getting a log of open ports from nmap -sN and nmap -sX. I was wondering why I was getting all of these "open ports" and does anyone know how to stop these scans from getting through? And how do these scans work?

Thanks
Craig
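For the two snort threads above (the Squid-proxy probes on port 3128, and the question of what flags the Xmas and NULL scans set), an added detection example that is not code from any of the posts: a parser for snort's full alert format that reads the flag field of each TCP alert, names the probe the way nmap does, and summarises which sources touched port 3128. The alert lines are constructed samples in the layout shown in the Squid thread (with the RFC 5737 documentation addresses 203.0.113.7, 198.51.100.9 and 192.0.2.10); snort's eight-character flag field, one slot each for the two reserved bits and U, A, P, R, S, F with `*` for a clear bit, is assumed from the snort alert format. The flag combinations themselves are the standard ones: nmap's `-sN` sends a segment with no flags at all and `-sX` sends FIN+PSH+URG. Neither combination occurs in a legitimate TCP exchange, which is why they are worth alerting on; on a host that follows RFC 793 a closed port answers them with RST and an open port stays silent, and that silence is what an older nmap reported as "open".

```python
import re
from collections import Counter

# constructed sample alerts: the classification line, the flow line and the
# TCP lines of four snort full-format alerts
SAMPLE_ALERTS = """\
[Classification: Attempted Information Leak] [Priority: 2]
12/09-04:29:03.758283 203.0.113.7:40233 -> 192.0.2.10:3128
TCP TTL:64 TOS:0x0 ID:10629 IpLen:20 DgmLen:60 DF
******S* Seq: 0xD62DA19F  Ack: 0x0  Win: 0x16D0  TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 36535395 0
[Classification: Attempted Information Leak] [Priority: 2]
12/09-04:29:03.758912 203.0.113.7:40234 -> 192.0.2.10:8080
TCP TTL:64 TOS:0x0 ID:10630 IpLen:20 DgmLen:60 DF
******S* Seq: 0xD62DA1A0  Ack: 0x0  Win: 0x16D0  TcpLen: 40
[Classification: Attempted Information Leak] [Priority: 2]
12/10-11:02:17.100001 198.51.100.9:55000 -> 192.0.2.10:22
TCP TTL:48 TOS:0x0 ID:4 IpLen:20 DgmLen:40
******** Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20
[Classification: Attempted Information Leak] [Priority: 2]
12/10-11:02:17.100500 198.51.100.9:55001 -> 192.0.2.10:80
TCP TTL:48 TOS:0x0 ID:5 IpLen:20 DgmLen:40
**U*P**F Seq: 0x0  Ack: 0x0  Win: 0x400  TcpLen: 20
"""

# "MM/DD-HH:MM:SS.usec src:sport -> dst:dport"
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)")
# eight flag slots (reserved 1, reserved 2, U, A, P, R, S, F), '*' when clear
FLAGS_RE = re.compile(r"^([12*][12*][U*][A*][P*][R*][S*][F*])\s+Seq:")


def flags_set(field):
    """Turn snort's flag field into the set of flag letters that are set."""
    return frozenset(ch for ch in field if ch != "*")


def classify(flags):
    """Name the probe by its flag combination, in nmap's terms."""
    if not flags:
        return "NULL"            # nmap -sN: no flags at all
    if flags == frozenset("UPF"):
        return "Xmas"            # nmap -sX: FIN, PSH and URG "lit up"
    if flags == frozenset("F"):
        return "FIN"
    if flags == frozenset("S"):
        return "SYN"             # ordinary connection attempt or half-open scan
    if "S" in flags and "A" in flags:
        return "SYN-ACK"
    return "other"


def parse_alerts(text):
    """Pair each flow line with the flag line that follows it; return event dicts."""
    events = []
    current = None
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            ts, src, sport, dst, dport = m.groups()
            current = {"time": ts, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)}
            continue
        m = FLAGS_RE.match(line)
        if m and current is not None:
            current["scan"] = classify(flags_set(m.group(1)))
            events.append(current)
            current = None
    return events


def summarize(events):
    """Count (source, probe type) pairs and list sources that touched port 3128."""
    by_source = Counter((e["src"], e["scan"]) for e in events)
    proxy_probes = sorted({e["src"] for e in events if e["dport"] == 3128})
    return by_source, proxy_probes


if __name__ == "__main__":
    by_source, proxy_probes = summarize(parse_alerts(SAMPLE_ALERTS))
    for (src, kind), n in sorted(by_source.items()):
        print("%-16s %-8s %d" % (src, kind, n))
    print("sources probing 3128:", ", ".join(proxy_probes))
```

On the sample it reports two SYN probes from 203.0.113.7 (one of them to 3128, consistent with the IRC-network proxy check dewt describes) and a NULL and an Xmas probe from 198.51.100.9. The flag field is the one thing in the alert that tells the two scan types apart, which is why it is worth parsing rather than just counting alerts.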
Re: Using Nmap to send Spoofed packets
IMHO if your firewall is set up properly you will be able to block all the scanning packets. I know for a fact that FreeBSD's IPF is capable of blocking the packets. And how to do it... well, RTFMP. Look under decoy.

Hope this helps

On Tue, Nov 20, 2001 at 02:35:08PM +0800, [EMAIL PROTECTED] wrote:
> Hey people,
>
> I read an article at http://www.sans.org/top20.htm that said that on top of
> the portscanning abilities of nmap, it also has the functionality to "send
> decoy packets or spoofed packets to test for" spoofed IP filtering (at the
> routers and firewall).
>
> Although I have used Nmap for the obvious, I am interested in how to
> execute this functionality to test for, or if the anti-spoofing ACL/FW
> drop filters are in place for internal, reserved, multicast, and RFC1918
> addresses.
>
> Any help appreciated... :)
>
> Regards,
> Nick
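What the anti-spoofing filter Nick wants to verify actually has to decide, as an added example (not code from the post, from nmap or from ipf): a classifier that says, for a source address arriving on a given interface, whether the packet can possibly be legitimate, plus the corresponding block list in ipf's rule form. The interface names `ext0`/`int0`, the "own" prefix 192.0.2.0/24 and the packet list are constructed; the rule lines follow ipf's `block in quick on IFACE from NET to any` form, assumed from memory of ipf.conf syntax, so check them against the ipf man page before using them.

```python
import ipaddress

# our own address space (constructed; 192.0.2.0/24 is a documentation prefix)
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# source ranges that can never legitimately arrive on an Internet-facing interface
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # RFC 1918 private
    "172.16.0.0/12",    # RFC 1918 private
    "192.168.0.0/16",   # RFC 1918 private
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved, includes the limited broadcast address
)]

EXT_IFACE = "ext0"   # constructed interface names


def spoof_reason(iface, src):
    """Return why a packet with source `src` seen on `iface` should be dropped,
    or None when the source is plausible for that interface."""
    addr = ipaddress.ip_address(src)
    if iface == EXT_IFACE:
        # ingress side: nothing private, reserved or multicast, and nothing
        # claiming to be us, may come in from the outside
        for net in BOGON_SOURCES:
            if addr in net:
                return "bogon source %s" % net
        for net in INTERNAL_NETS:
            if addr in net:
                return "our own prefix %s arriving from outside" % net
    else:
        # egress side: only our own addresses may originate on an inside interface
        if not any(addr in net for net in INTERNAL_NETS):
            return "source %s is not ours but left via inside interface" % src
    return None


def ipf_rules(ext_iface=EXT_IFACE):
    """Emit the ingress half of the policy as ipf rules for the external interface."""
    nets = BOGON_SOURCES + INTERNAL_NETS
    return ["block in quick on %s from %s to any" % (ext_iface, net) for net in nets]


# constructed sample packets: (interface seen on, source address)
SAMPLE_PACKETS = [
    (EXT_IFACE, "10.1.2.3"),        # RFC 1918 source from the Internet
    (EXT_IFACE, "192.0.2.77"),      # our own address arriving from outside
    (EXT_IFACE, "198.51.100.4"),    # ordinary remote host
    (EXT_IFACE, "224.0.0.9"),       # multicast as a source address
    ("int0", "192.0.2.5"),          # normal inside host
    ("int0", "203.0.113.8"),        # inside host sending with a foreign source
]


def evaluate(packets):
    """Classify every packet; None in the last column means 'pass'."""
    return [(iface, src, spoof_reason(iface, src)) for iface, src in packets]


if __name__ == "__main__":
    for iface, src, reason in evaluate(SAMPLE_PACKETS):
        print("%-5s %-14s %s" % (iface, src, reason or "pass"))
    print("\n".join(ipf_rules()))
```

The useful property for a test like Nick's is that the classifier is the oracle: feed it the source addresses a decoy run would use and it tells you which ones the firewall must have dropped, so you can compare against what snort or the firewall log actually shows. Both directions matter; the inside-interface check is what keeps your own box from being the source of the spoofed traffic somebody else gets to trace back.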