Mailing List Archive: 49091 messages

Network Guru...

 [1/16] from: pwoodward::cncdsl::com at: 14-Dec-2001 10:54


Hi - I'm trying to track down a persistent series of probes against systems at my home. I'm an XO DSL subscriber (tho not for long with the way things are going) - and have a 24/7 connection. I run ZoneAlarm on my Windows systems - and that's what has alerted me to a series of probes, coming from XO's own network. Essentially I see a probe from their news server on port 1080 every 30 - 60 minutes. 1080 is commonly used as a proxy port under Windows for Internet Connection Sharing via Proxy. Naturally this port is not open on my system - and ZA lets me know that something just tried to talk to me. I also periodically see probes from old Code-Red (I'm sometimes running a web-server, not IIS, so I can tell by looking at the logs).

Here's my problem - I've taken the proxy server from the scripts section of rebol.com, and told it to listen to port 1080 - and I get hits on it. But - they aren't looking for a URL, or contacting me to use it as a proxy. So - it's not real clear what they are trying to send out. I did create a stripped down server, and used 'copy to print out the probe - but that was singularly unrevealing. Has anyone got a better way to set up a server port to just listen to the inbound packets and record them?

- Porter Woodward

PS: I've contacted XO's security team twice about this, and the probes are still going strong 2 months later! I just want to find out what is coming in. It could be a curious little security breach that would be good to know about.

 [2/16] from: ryanc:iesco-dms at: 14-Dec-2001 9:41


I might have just what you're looking for. It is a scan detection utility I made when I was researching hackers. It doesn't listen to many ports under windows 98--10 I think. Runs fine under linux though. Probably would run fine under NT/2000 too.

My experience with these guys is that if they detect an open port, they come back and try it again. So using this program attracts hackers. Worse yet, sometimes they mistake this program for a real service, and they may flood you with futile attacks. It was a worthwhile risk for me, as it gave me all kinds of information about hackers. Interestingly, I found during my three months of testing, it seemed almost all attackers knew only one hack, obviously script kiddies. Only a few knew two or three. It seems real hackers are hard to find. Another interesting thing is that only a few of the 30 or so admins I contacted about their hacked machines ever replied to my emails. Most of those machines had all the signs of a default install. Most of those machines were run by US and oriental companies, and US universities. Could make for some fascinating investigative reporting.

Here is a link to my program: http://www.sonic.net/~gaia/misc/scan-det/scan-det.r

You might try this using this ini file, it is setup to listen on the most commonly hacked ports. http://www.sonic.net/~gaia/misc/scan-det/scan-det.ini

USE AT YOUR OWN RISK!!!

--Ryan

Porter Woodward wrote:
> Hi -
> I'm trying to track down a persistent series of probes against systems at my
<<quoted lines omitted: 24>>
> [rebol-request--rebol--com] with "unsubscribe" in the
> subject, without the quotes.
-- Ryan Cole Programmer Analyst www.iesco-dms.com 707-468-5400

The contradiction so puzzling to the ordinary way of thinking comes from the fact that we have to use language to communicate our inner experience which in its very nature transcends linguistics. -D.T. Suzuki

 [3/16] from: louisaturk:coxinet at: 14-Dec-2001 13:53


Ryan, At 09:41 AM 12/14/2001 -0800, you wrote:
>My experience with these guys is that if they detect an open port, they come
>back and try it again.
I'm running Windows 2000 and a cable modem (always on), and I've also been noticing that people are trying to access my computer. I'm not sure if they have been successful or not, but I really need to make sure that my programs and data are secure. I am using the following script to run another script (which sends files to a remote web server) every 50 minutes.

    forever [
        do %sendfiles.r    ; rebol script to do.
        wait 00:50:00      ; wait hours:minutes:seconds.
    ]

In between runs, is a port open for invasion? If so, how can the script be changed so as to open the port, run the program, then close and secure the port until the next run? Also, how can I know if an invasion has happened?

Louis

 [4/16] from: mtiefert:mindspring at: 16-Dec-2001 8:27


Louis -- At 01:53 PM 12/14/01 -0600, you wrote:
>Also, how can I know if an invasion has happened?
You can get ZoneAlarm (a firewall) free for personal use from http://www.zonelabs.com/ I've been satisfied with it. cheers, Marj * * * Marj Tiefert Technical Writer, Website Manager -- and more! http://www.mindspring.com/~mtiefert/resume/MTiefert.html

 [5/16] from: brett:codeconscious at: 17-Dec-2001 11:45


> In between runs, is a port open for invasion? If so, how can the script be
> changed so as to open the port, run the program, then close and secure the
> port until the next run?
>
> Also, how can I know if an invasion has happened?
I doubt that your Rebol script is accepting connections, only opening a connection to your target machine when required. So on that basis there would be no ports open due to Rebol. Unless you were running an FTP server script or something. However I think you have bigger concerns than Rebol if your machine is full time connected (actually same problem for dial up) to the internet. There are constant network port scans occurring across the internet. I suggest you go to http://grc.com and read the "Shields Up" information provided there. Also look for the information about denial of service.

Brett.

 [6/16] from: pwoodward:cncdsl at: 17-Dec-2001 17:04


Marj - I agree, ZoneAlarm on my home PC has been a boon. At work, I've got a firewall to protect me, but my Home PC really didn't have much, and since I run Win2K, I've never had too much faith that my system was secured. In my original posting, I indicated that I was running ZA, and that's what tipped me off to these constant probes against my system. And, then I noticed that my ISP's news server was probing against my port 1080... So I posted looking for something to help me analyze the probes a little bit better than the rather simplistic messages ZA records.

After running a script to set up a "server" on port 1080, I've caught some traffic, but it's just pings really. All the attempted intrusion seems to be doing is "pinging" to see if the port is open (1080 is commonly used as a Windows proxy port for HTTP) - nothing more. It's strange to see it coming from the news server of my ISP though. I assume they've been compromised, and mailed them about it twice.

- Porter

----- Original Message -----
From: "M. A. Tiefert" <[mtiefert--mindspring--com]>
To: <[rebol-list--rebol--com]>
Cc: <[louisaturk--coxinet--net]@mta0x15.coxmail.com>
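A minimal logging listener for the probes Porter describes in his first message and in this follow-up, as an added example in Python (not code from the thread, whose scripts are REBOL). It accepts a connection on port 1080, waits a few seconds for whatever the peer sends, and appends timestamp, peer, size, a hex dump and a protocol guess to a log; the SOCKS/HTTP classification is my assumption about what a port-1080 probe may carry, and an empty read is the bare connect-and-close "ping" Porter observed.

```python
import socket
import datetime

def classify(data: bytes) -> str:
    """Guess the protocol from the opening bytes; unrecognised data is 'unknown'.
    The SOCKS/HTTP patterns are assumptions about what port-1080 probes carry."""
    if not data:
        return "bare connect (no payload)"      # the "ping" seen in the thread
    if data[0] == 0x05 and len(data) >= 2 and len(data) >= 2 + data[1]:
        return "SOCKS5 greeting"                # ver=5, nmethods, methods...
    if data[0] == 0x04 and len(data) >= 9 and data[1] in (1, 2):
        return "SOCKS4 request"                 # ver=4, cmd, port, ip, userid
    if data[:4] in (b"GET ", b"POST", b"HEAD", b"CONN"):
        return "HTTP request"
    return "unknown"

def hexdump(data: bytes, width: int = 16) -> list:
    """Offset / hex / printable-ASCII rows, one per `width` bytes."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return rows

def record(peer, data: bytes, when=None) -> str:
    """One log entry: a header line, then the hex dump of the payload."""
    when = when or datetime.datetime.now(datetime.timezone.utc)
    head = f"{when.isoformat()} {peer[0]}:{peer[1]} {len(data)} bytes {classify(data)}"
    return "\n".join([head, *hexdump(data)])

def serve(port: int = 1080, logfile: str = "probes.log", timeout: float = 3.0):
    """Accept connections on `port`, read one chunk from each, append an entry."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            with conn:
                conn.settimeout(timeout)        # bare probes send nothing
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    data = b""
            with open(logfile, "a") as fh:
                fh.write(record(peer, data) + "\n\n")
if __name__ == "__main__":
    serve()
```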

 [7/16] from: louisaturk:eudoramail at: 17-Dec-2001 16:38


Marj and Brett, I took your advice---read the articles and installed zonealert. Nothing seems to be trying to access the internet from my computer, so I suppose that is good news. However, zonealert shows that rebol is constantly running, even when my scripts are not running. Since I must manually relax security (both read and write) for my script to run, and the security seems to stay relaxed after my script runs, I am still concerned. Is there some way the script itself can set security---open the door, do its work, then shut and lock the door? Louis At 11:45 AM 12/17/2001 +1100, you wrote:

 [8/16] from: louisaturk:eudoramail at: 17-Dec-2001 16:50


Marj and Brett, I took your advice---read the articles and installed zonealert. Nothing seems to be trying to access the internet from my computer, so I suppose that is good news. However, zonealert shows that rebol is constantly running, even when my scripts are not running. Since I must manually relax security (both read and write) for my script to run, and the security seems to stay relaxed after my script runs, I am still concerned. Is there some way the script itself can set security---open the door, do its work, then shut and lock the door? Louis At 11:45 AM 12/17/2001 +1100, you wrote:
>I doubt that your Rebol script is accepting connections only opening a
>connection to your target machine when required.
<<quoted lines omitted: 8>>
>denial of service.
>Brett.

 [9/16] from: brett:codeconscious at: 18-Dec-2001 15:10


Hi Louis,
> I took your advice---read the articles and installed zonealert. Nothing
> seems to be trying to access the internet from my computer, so I suppose
> that is good news.
> However, zonealert shows that rebol is constantly
> running, even when my scripts are not running.
Your script example earlier showed this:

    forever [
        do %sendfiles.r    ; rebol script to do.
        wait 00:50:00      ; wait hours:minutes:seconds.
    ]

ZoneAlarm probably *would* indicate Rebol was running but not producing network activity during the 50 minute period for this bit of code. If you were sure that this code or any other Rebol script were not running and yet ZoneAlarm shows Rebol running - then not so good. But I really doubt this. Recheck your setup. Perhaps you are automatically running Rebol on boot up of your machine.
> Since I must manually relax
> security (both read and write) for my script to run, and the security seems
> to stay relaxed after my script runs, I am still concerned.
Security is relaxed for the lifetime of the Rebol interpreter instance you started - unless you set it back. Your wording makes me think that you believe %sendfiles.r is the script that you are applying the security setting to. This is not the case. You are applying the security setting to the Rebol interpreter instance that is evaluating the script that has the "forever" loop in it, or whatever calls it.
> Is there some
> way the script itself can set security---open the door, do its work, then
> shut and lock the door?
I'm not sure you need that because I'm presuming you know exactly what your scripts are doing, probably because you wrote them yourself and so you trust them. If you run your trusted scripts in a relaxed security setting and are confident that those trusted scripts have no possibility of calling or evaluating untrusted scripts or code then I don't think you have a problem. Just let them do their work. If you are using someone else's scripts and you are not confident it is trustworthy in regards to security, then consider asking about the suspect code on the Rebol mailing list. Security in relation to Rebol hasn't been discussed too much yet. I suggest you read the security section of the Core manual and create some dummy test scripts to see what happens in various situations.

Brett

 [10/16] from: louisaturk:eudoramail at: 18-Dec-2001 2:01


Hold on! I have just started a back up using the NT Tape Backup Utility, and ZoneAlarm is telling me that the backup utility wants to access the internet? Why would the NT Tape Backup Utility need to access the internet? Louis

 [11/16] from: al:bri:xtra at: 18-Dec-2001 21:34


> I have just started a back up using the NT Tape Backup Utility, and
> ZoneAlarm is telling me that the backup utility wants to access the
> internet? Why would the NT Tape Backup Utility need to access the
> internet?
Perhaps you should do a full virus scan? You just might have a virus on your computer.

Andrew Martin ICQ: 26227169 http://valley.150m.com/

 [12/16] from: pwoodward:cncdsl at: 18-Dec-2001 7:49


Or it could just be that since the Tape Backup is a service - it may have some remote administration hooks in it... Thus it may open itself as a network "server" in order to be accessed via a domain controller, or however it is that one does remote admin on NT.

- Porter

 [13/16] from: louisaturk:coxinet at: 18-Dec-2001 1:30


Hi Brett, I really appreciate your help. At 03:10 PM 12/18/2001 +1100, you wrote:
>Security is relaxed for the lifetime of the Rebol interpreter instance you
>started - unless you set it back. You wording makes me think that you
<<quoted lines omitted: 17>>
>I suggest you read the security section of the Core manual and create some
>dummy test scripts to see what happens in various situations.
Are you saying that when security is relaxed to run a script, it is relaxed only for that script? I wrote my own scripts, and trust them. What is concerning me is that, while security is relaxed, a hacker might enter my computer and do mischief. But you are saying that while the script with the forever loop is running, it alone has control of any port it (or the script it calls) opens. Is that correct? I did read the documentation, but it did not seem to directly answer my questions, and I would like direct answers just for peace of mind. Louis

 [14/16] from: louisaturk:eudoramail at: 18-Dec-2001 11:22


Andrew and Porter, A virus scan did not find any virus. After looking at the error messages generated by the back up utility, it appears that the ZoneAlarm alert was a result of the backup utility trying to back up rebol and eudora, both of which were online at the time. I think I was just being overly cautious due to having some nightmare data losses in the past. Thanks for responding.

Louis

At 07:49 AM 12/18/2001 -0500, you wrote:

 [15/16] from: brett:codeconscious at: 19-Dec-2001 13:22


> Are you saying that when security is relaxed to run a script, it is relaxed
> only for that script? I wrote my own scripts, and trust them.
It is relaxed for the Rebol session the script runs in. It is not something that is associated with the script. Conceptually there is a minimum set of permissions that your script needs in order to complete successfully. If the Rebol session your script runs in has a higher level of security than what your script can run in you will get the dialogue box popping up. Or if you are running the session in quiet mode, then the session is terminated because it is treated as a failure.
> What is
> concerning me is that, while security is relaxed, a hacker might enter my
> computer and do mischief. But you are saying that while the script with
> the forever loop is running, it alone has control of any port it (or the
> script it calls) opens. Is that correct?
I believe so.
> I did read the documentation, but it did not seem to directly answer my
> questions, and I would like direct answers just for peace of mind.
Fair enough. The points should be made clear. Keep asking :) Brett.

 [16/16] from: louisaturk:eudoramail at: 18-Dec-2001 21:28


Brett, At 01:22 PM 12/19/2001 +1100, you wrote:
> > What is
> > concerning me is that, while security is relaxed, a hacker might enter my
> > computer and do mischief. But you are saying that while the script with
> > the forever loop is running, it alone has control of any port it (or the
> > script it calls) opens. Is that correct?
>
>I believe so.
Great! That is the answer I was hoping to hear. I appreciate your time in answering.

Thanks, Louis
