Network Guru...
[1/16] from: pwoodward::cncdsl::com at: 14-Dec-2001 10:54
Hi -
I'm trying to track down a persistent series of probes against systems at my
home. I'm an XO DSL subscriber (tho not for long with the way things are
going) - and have a 24/7 connection. I run ZoneAlarm on my Windows
systems - and that's what has alerted me to a series of probes, coming from
XO's own network.
Essentially I see a probe from their news server on port 1080 every 30 - 60
minutes. 1080 is commonly used as a proxy port under Windows for Internet
Connection Sharing via Proxy. Naturally this port is not open on my
system - and ZA lets me know that something just tried to talk to me. I
also periodically see probes from old Code-Red (I'm sometimes running a
web-server, not IIS, so I can tell by looking at the logs).
Here's my problem - I've taken the proxy server from the scripts section of
rebol.com, and told it to listen to port 1080 - and I get hits on it. But -
they aren't looking for a URL, or contacting me to use it as a proxy. So -
it's not real clear what they are trying to send out. I did create a
stripped down server, and used 'copy to print out the probe - but that was
singularly unrevealing. Has anyone got a better way to set up a server port
to just listen to the inbound packets and record them?
- Porter Woodward
PS: I've contacted XO's security team twice about this, and the probes are
still going strong 2 months later! I just want to find out what is coming
in. It could be a curious little security breach that would be good to know
about.
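A listener of the kind asked for above, added here as an example in Python rather than Rebol; it is not code from this thread, from rebol.com's proxy script, or from scan-det. It accepts connections on a port, waits a few seconds for the peer to send something, and writes one line per connection with the remote address, the byte count and a hex dump of whatever arrived, so a bare connect-and-close probe can be told apart from one that carries a payload. The port (1080, as in the thread), the timeouts and the log file name are assumptions.

```python
"""Connection recorder: accept TCP connections, log who connected and what
they sent, then drop the connection.  Added example, not code from the thread."""
import socket
import datetime

READ_TIMEOUT = 3.0     # seconds to wait for the peer to send something (assumed)
MAX_BYTES = 1024       # never buffer more than this per connection (assumed)


def handle_connection(conn, peer):
    """Read up to MAX_BYTES from an accepted socket, giving up after READ_TIMEOUT,
    and return a record describing the connection.  `peer` is (ip, port)."""
    conn.settimeout(READ_TIMEOUT)
    chunks = []
    total = 0
    timed_out = False
    try:
        while total < MAX_BYTES:
            data = conn.recv(MAX_BYTES - total)
            if not data:            # peer closed: a bare connect-and-close probe
                break
            chunks.append(data)
            total += len(data)
    except socket.timeout:
        timed_out = True            # peer connected but stayed silent
    finally:
        conn.close()
    payload = b"".join(chunks)
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "remote_ip": peer[0],
        "remote_port": peer[1],
        "bytes": len(payload),
        "payload_hex": payload.hex(),
        "printable": payload.decode("ascii", errors="replace"),
        "timed_out": timed_out,
    }


def format_record(rec):
    """One log line per connection, readable in any text editor."""
    kind = "silent-connect" if rec["bytes"] == 0 else f"{rec['bytes']}-byte-payload"
    return (f"{rec['time']} {rec['remote_ip']}:{rec['remote_port']} {kind}"
            f" timeout={rec['timed_out']} hex={rec['payload_hex']}"
            f" text={rec['printable']!r}")


def serve(port, logfile, stop_after=None):
    """Listen on `port` and append one line per connection to `logfile`.
    `stop_after` bounds the number of connections handled; None runs forever."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("0.0.0.0", port))
    listener.listen(5)
    handled = 0
    with open(logfile, "a") as log:
        while stop_after is None or handled < stop_after:
            conn, peer = listener.accept()
            log.write(format_record(handle_connection(conn, peer)) + "\n")
            log.flush()
            handled += 1
    listener.close()


if __name__ == "__main__":
    # Port and file name are assumptions; 1080 matches the port probed in the thread.
    serve(1080, "probes.log")
```

Each connection is handled in turn and closed immediately after logging, so the port looks open to a scanner but nothing is ever answered; a probe that only checks whether the port is open shows up as `silent-connect`, while one that sends a proxy request shows up with its bytes in hex and as text.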
[2/16] from: ryanc:iesco-dms at: 14-Dec-2001 9:41
I might have just what you're looking for. It is a scan detection utility I made
when I was researching hackers. It doesn't listen to many ports under Windows
98--10 I think. Runs fine under Linux though. Probably would run fine under
NT/2000 too.
My experience with these guys is that if they detect an open port, they come
back and try it again. So using this program attracts hackers. Worse yet,
sometimes they mistake this program for a real service, and they may flood you
with futile attacks. It was a worthwhile risk for me, as it gave me all kinds of
information about hackers.
Interestingly, I found during my three months of testing, it seemed almost all
attackers knew only one hack, obviously script kiddies. Only a few knew two or
three. It seems real hackers are hard to find.
Another interesting thing is that only a few of the 30 or so admins I contacted
about their hacked machines ever replied to my emails. Most of those machines
had all the signs of a default install. Most of those machines were run by US and
oriental companies, and US universities. Could make for some fascinating
investigative reporting.
Here is a link to my program:
http://www.sonic.net/~gaia/misc/scan-det/scan-det.r
You might try it using this ini file, it is set up to listen on the most
commonly hacked ports.
http://www.sonic.net/~gaia/misc/scan-det/scan-det.ini
USE AT YOUR OWN RISK!!!
--Ryan
Porter Woodward wrote:
> Hi -
> I trying to track down a persistent series of probes against systems at my
<<quoted lines omitted: 24>>
> [rebol-request--rebol--com] with "unsubscribe" in the
> subject, without the quotes.
--
Ryan Cole
Programmer Analyst
www.iesco-dms.com
707-468-5400
The contradiction so puzzling to the ordinary way
of thinking comes from the fact that we have to use
language to communicate our inner experience
which in its very nature transcends linguistics.
-D.T. Suzuki
[3/16] from: louisaturk:coxinet at: 14-Dec-2001 13:53
Ryan,
At 09:41 AM 12/14/2001 -0800, you wrote:
>My experience with these guys is that if they detect an open port, they come
>back and try it again.
I'm running Windows 2000 and a cable modem (always on), and I've also been
noticing that people are trying to access my computer. I'm not sure if
they have been successful or not, but I really need to make sure that my
programs and data are secure.
I am using the following script to run another script (which sends files to a
remote web server) every 50 minutes.
forever [
    do %sendfiles.r    ; rebol script to do.
    wait 00:50:00      ; wait hours:minutes:seconds.
]
In between runs, is a port open for invasion? If so, how can the script be
changed so as to open the port, run the program, then close and secure the
port until the next run?
Also, how can I know if an invasion has happened?
Louis
[4/16] from: mtiefert:mindspring at: 16-Dec-2001 8:27
Louis --
At 01:53 PM 12/14/01 -0600, you wrote:
>Also, how can I know if an invasion has happened?
You can get ZoneAlarm (a firewall) free for personal use from
http://www.zonelabs.com/
I've been satisfied with it.
cheers,
Marj
* * *
Marj Tiefert
Technical Writer, Website Manager -- and more!
http://www.mindspring.com/~mtiefert/resume/MTiefert.html
[5/16] from: brett:codeconscious at: 17-Dec-2001 11:45
> In between runs, is a port open for invasion? If so, how can the script
be
> changed so as to open the port, run the program, then close and secure the
> port until the next run?
>
> Also, how can I know if an invasion has happened?
I doubt that your Rebol script is accepting connections, only opening a
connection to your target machine when required.
So on that basis there would be no ports open due to Rebol. Unless you were
running an FTP server script or something.
However I think you have bigger concerns than Rebol if your machine is full
time connected (actually the same problem for dial up) to the internet. There
are constant network port scans occurring across the internet.
I suggest you go to http://grc.com and read the "Shields Up" information
provided there. Also look for the information about denial of service.
Brett.
[6/16] from: pwoodward:cncdsl at: 17-Dec-2001 17:04
Marj -
I agree, ZoneAlarm, on my home PC has been a boon. At work, I've got a
firewall to protect me, but my Home PC really didn't have much, and since I
run Win2K, I've never had too much faith that my system was secured.
In my original posting, I indicated that I was running ZA, and that's what
tipped me off to these constant probes against my system. And, then I
noticed that my ISP's news server was probing against my port 1080... So I
posted looking for something to help me analyze the probes a little bit
better than the rather simplistic messages ZA records.
After running a script to setup a "server" on port 1080, I've caught some
traffic, but it's just pings really. All the attempted intrusion seems to
be doing is "pinging" to see if the port is open (1080 is commonly used as a
Windows proxy port for HTTP) - nothing more. It's strange to see it coming
from the news server of my ISP though. I assume they've been compromised,
and mailed them about it twice.
- Porter
----- Original Message -----
From: "M. A. Tiefert" <[mtiefert--mindspring--com]>
To: <[rebol-list--rebol--com]>
Cc: <[louisaturk--coxinet--net]@mta0x15.coxmail.com>
[7/16] from: louisaturk:eudoramail at: 17-Dec-2001 16:38
Marj and Brett,
I took your advice---read the articles and installed zonealert. Nothing
seems to be trying to access the internet from my computer, so I suppose
that is good news. However, zonealert shows that rebol is constantly
running, even when my scripts are not running. Since I must manually relax
security (both read and write) for my script to run, and the security seems
to stay relaxed after my script runs, I am still concerned. Is there some
way the script itself can set security---open the door, do its work, then
shut and lock the door?
Louis
At 11:45 AM 12/17/2001 +1100, you wrote:
[8/16] from: louisaturk:eudoramail at: 17-Dec-2001 16:50
Marj and Brett,
I took your advice---read the articles and installed zonealert. Nothing
seems to be trying to access the internet from my computer, so I suppose
that is good news. However, zonealert shows that rebol is constantly
running, even when my scripts are not running. Since I must manually relax
security (both read and write) for my script to run, and the security seems
to stay relaxed after my script runs, I am still concerned. Is there some
way the script itself can set security---open the door, do its work, then
shut and lock the door?
Louis
At 11:45 AM 12/17/2001 +1100, you wrote:
>I doubt that your Rebol script is accepting connections only opening a
>connection to your target machine when required.
<<quoted lines omitted: 8>>
>denial of service.
>Brett.
[9/16] from: brett:codeconscious at: 18-Dec-2001 15:10
Hi Louis,
> I took your advice---read the articles and installed zonealert. Nothing
> seems to be trying to access the internet from my computer, so I suppose
> that is good news.
> However, zonealert shows that rebol is constantly
> running, even when my scripts are not running.
Your script example earlier showed this:
forever [
    do %sendfiles.r    ; rebol script to do.
    wait 00:50:00      ; wait hours:minutes:seconds.
]
ZoneAlarm probably *would* indicate Rebol was running but not producing
network activity during the 50 minute period for this bit of code. If you were
sure that this code or any other Rebol script were not running and yet
ZoneAlarm shows Rebol running - then not so good. But I really doubt this.
Recheck your setup. Perhaps you are automatically running Rebol on boot up of
your machine.
> Since I must manually relax
> security (both read and write) for my script to run, and the security
seems
> to stay relaxed after my script runs, I am still concerned.
Security is relaxed for the lifetime of the Rebol interpreter instance you
started - unless you set it back. Your wording makes me think that you
believe %sendfiles.r is the script that you are applying the security setting
to. This is not the case. You are applying the security setting to the Rebol
interpreter instance that is evaluating the script that has the "forever"
loop in it, or whatever calls it.
> Is there some
> way the script itself can set security---open the door, do its work, then
> shut and lock the door?
I'm not sure you need that because I'm presuming you know exactly what your
scripts are doing, probably because you wrote them yourself and so you trust
them. If you run your trusted scripts in a relaxed security setting and are
confident that those trusted scripts have no possibility of calling or
evaluating untrusted scripts or code then I don't think you have a problem.
Just let them do their work.
If you are using someone else's scripts and you are not confident it is
trustworthy in regards to security, then consider asking about the suspect
code on the Rebol mailing list. Security in relation to Rebol hasn't been
discussed too much yet.
I suggest you read the security section of the Core manual and create some
dummy test scripts to see what happens in various situations.
Brett
[10/16] from: louisaturk:eudoramail at: 18-Dec-2001 2:01
Hold on!
I have just started a back up using the NT Tape Backup Utility, and
ZoneAlarm is telling me that the backup utility wants to access the
internet? Why would the NT Tape Backup Utility need to access the internet?
Louis
[11/16] from: al:bri:xtra at: 18-Dec-2001 21:34
> I have just started a back up using the NT Tape Backup Utility, and
> ZoneAlarm is telling me that the backup utility wants to access the
> internet? Why would the NT Tape Backup Utility need to access the
internet?
Perhaps you should do a full virus scan? You just might have a virus on your
computer.
Andrew Martin
ICQ: 26227169 http://valley.150m.com/
[12/16] from: pwoodward:cncdsl at: 18-Dec-2001 7:49
Or it could just be that since the Tape Backup is a service - it may have
some remote administration hooks in it... Thus it may open itself as a
network "server" in order to be accessed via a domain controller, or however it
is that one does remote admin on NT.
- Porter
[13/16] from: louisaturk:coxinet at: 18-Dec-2001 1:30
Hi Brett,
I really appreciate your help.
At 03:10 PM 12/18/2001 +1100, you wrote:
>Security is relaxed for the lifetime of the Rebol interpreter instance you
>started - unless you set it back. You wording makes me think that you
<<quoted lines omitted: 17>>
>I suggest you read the security section of the Core manual and create some
>dummy test scripts to see what happens in various situations.
Are you saying that when security is relaxed to run a script, it is relaxed
only for that script? I wrote my own scripts, and trust them. What is
concerning me is that, while security is relaxed, a hacker might enter my
computer and do mischief. But you are saying that while the script with
the forever loop is running, it alone has control of any port it (or the
script it calls) opens. Is that correct?
I did read the documentation, but it did not seem to directly answer my
questions, and I would like direct answers just for peace of mind.
Louis
[14/16] from: louisaturk:eudoramail at: 18-Dec-2001 11:22
Andrew and Porter,
A virus scan did not find any virus. After looking at the error messages
generated by the back up utility, it appears that the ZoneAlarm alert was a
result of the backup utility trying to back up rebol and eudora, both of
which were online at the time.
I think I'm just being overly cautious due to having some nightmare data
losses in the past.
Thanks for responding.
Louis
At 07:49 AM 12/18/2001 -0500, you wrote:
[15/16] from: brett:codeconscious at: 19-Dec-2001 13:22
> Are you saying that when security is relaxed to run a script, it is
relaxed
> only for that script? I wrote my own scripts, and trust them.
It is relaxed for the Rebol session the script runs in. It is not something
that is associated with the script.
Conceptually there is a minimum set of permissions that your script needs in
order to complete successfully.
If the Rebol session your script runs in has a higher level of security than
what your script can run in you will get the dialogue box popping up. Or if you
are running the session in quiet mode, then the session is terminated because
it is treated as a failure.
> What is
> concerning me is that, while security is relaxed, a hacker might enter my
> computer and do mischief. But you are saying that while the script with
> the forever loop is running, it alone has control of any port it (or the
> script it calls) opens. Is that correct?
I believe so.
> I did read the documentation, but it did not seem to directly answer my
> questions, and I would like direct answers just for peace of mind.
Fair enough. The points should be made clear. Keep asking :)
Brett.
[16/16] from: louisaturk:eudoramail at: 18-Dec-2001 21:28
Brett,
At 01:22 PM 12/19/2001 +1100, you wrote:
> > What is
> > concerning me is that, while security is relaxed, a hacker might enter my
> > computer and do mischief. But you are saying that while the script with
> > the forever loop is running, it alone has control of any port it (or the
> > script it calls) opens. Is that correct?
>
>I believe so.
Great! That is the answer I was hoping to hear. I appreciate your time in
answering.
Thanks,
Louis
Notes
- Quoted lines have been omitted from some messages.