ISP(s): Don't Do It! :-)

GeneratriX
Posts: 4250
Joined: Tue Oct 21, 2003 2:07 am
Location: Rosario / Santa Fe / República Argentina

ISP(s): Don't Do It! :-)

Post by GeneratriX » Tue Sep 19, 2006 1:36 am

In reply to some requests to reveal more info about a recent security gap in my system:

I'm pretty sure the problem was a service that I temporarily asked my ISP to enable on my account on their server, for easier use of a specific network programme. I want to add that the mentioned programme has no particular failure or problem at all, but if you ask your ISP (as I did many months ago) to change some particular settings at their server node to speed up your link, then you could end up having some problems like mine a few hours ago.

I requested this extra service to allow me to try this app for a few days, many months ago, just when I changed my ISP for the current one. In those days I was slightly interested in the above mentioned app to allow me to transfer some big files to/from a few selected boxes.

I did not enjoy using it (really), since it was very resource hungry, and after a couple of days with a few tests I definitively uninstalled the whole thing from my disk; but I forgot to call my ISP to ask them to remove this optional service previously requested for my trials.

So, what I'm saying is, the real problem was not actually some service running locally on my IRIX box, but instead a process running on the ISP's server node which would allow a back door to your local boxes.

I know I'm not telling you much with this, but I can't add too many details in a public fashion; still, I'm sure enough that such a kind of service could end up creating a security failure by making some important network settings publicly available through your nearest ISP node on the chain. I'm also sure that many people more capable in the network area will quickly know which service I'm talking about.

If it serves for something, don't try to enhance the use of the mentioned app by using some commonly available means from your ISP. Or even better: if you have some valuable stuff on your boxes, don't use this app at all! ;)

...I'm really sure I'll not hear their charming anymore, no matter what! ;)

I hope it helps.
Diego

jan-jaap
Donor
Posts: 4881
Joined: Thu Jun 17, 2004 11:35 am
Location: Wijchen, The Netherlands
Contact:

Post by jan-jaap » Tue Sep 19, 2006 5:05 am

I'm assuming you have a proper firewall in place? As a rule of thumb, you should never trust any machine that you don't have control over, and that includes your ISP and the rest of the internet.

I guess you mean you had your ISP open/forward a port so you could run the donkey on your system. And then someone exploited mldonkey.

Most interesting is the fact that a non-x86 system was exploited. I ran an old DEC alpha as a firewall for many years. It was full of exploitable bugs, but nobody succeeded because it didn't grok the x86 assembly they were injecting :lol: :lol: :lol:

If you want to be a little safer you should run any service that is open to the world in a readonly sandbox/vserver/xenbox/whatever. That way the amount of damage anyone can do is limited and easily undone by restarting the sandbox.
To accentuate the special identity of the IRIS 4D/70, Silicon Graphics' designers selected a new color palette. The machine's coating blends dark grey, raspberry and beige colors into a pleasing harmony. (IRIS 4D/70 Superworkstation Technical Report)

GeneratriX
Posts: 4250
Joined: Tue Oct 21, 2003 2:07 am
Location: Rosario / Santa Fe / República Argentina

That's All!

Post by GeneratriX » Tue Sep 19, 2006 12:13 pm

jan-jaap wrote:I'm assuming you have a proper firewall in place? As a rule of thumb, you should never trust any machine that you don't have control over, and that includes your ISP and the rest of the internet.

I guess you mean you had your ISP open/forward a port so you could run the donkey on your system. And then someone exploited mldonkey.


Don't make it so difficult! :P ...actually the problem was a lot easier. Yeah, I opened some ports at some point, but this was not the problem; and in fact, the mentioned programme was removed from my hard disk about six months ago. So, it was not any kind of exploit for this programme.

jan-jaap wrote:Most interesting is the fact that a non-x86 system was exploited. I ran an old DEC alpha as a firewall for many years. It was full of exploitable bugs, but nobody succeeded because it didn't grok the x86 assembly they were injecting :lol: :lol: :lol:

If you want to be a little safer you should run any service that is open to the world in a readonly sandbox/vserver/xenbox/whatever. That way the amount of damage anyone can do is limited and easily undone by restarting the sandbox.


Again, don't call it an exploit! :) ...It was not a classic exploit; just some curious guy using a file which mimics, on the ISP node, many of the necessary network settings from my box, and which was actually almost publicly available through my ISP's node. He used it to find a straight path to my box; and now I realize it was a relatively easy task for him; weird that it never happened to me before.

And that's all I can add! ;)

SAQ
Posts: 5871
Joined: Wed Jul 19, 2006 8:37 am
Location: Renton, WA

clarification

Post by SAQ » Sat Sep 23, 2006 11:34 am

So, did the ISP hack provide the necessary login information in some way, or did it merely forward the malevolent party to an IRIX hole?

That's what I'm concerned about: the information from the ISP would have had to have been used against your machine somehow. It sounds like you weren't running anything known to be exploitable (P2P programs), so the file must have either contained user login information or somehow given away a hole.

Sorry if this seems pedantic, but I imagine some of us are worried.

unixmuseum
Posts: 2783
Joined: Mon Apr 19, 2004 4:25 pm
Location: Los Angeles, CA

Post by unixmuseum » Sat Sep 23, 2006 11:43 am

Just got an "interesting" case yesterday: I received an obviously fake paypal e-mail asking me to click on a redirected paypal login link... Pretty simple, no big deal, just ignore it... Now, the amazing thing though is that somehow (I'm guessing using java), even though I didn't click on the link, my firefox profile got altered and paypal's login page was now triggering firefox's anti-phishing tools... I obviously didn't log into paypal, didn't load anything; just the simple fact that I had firefox open when I received the e-mail in thunderbird did the trick... I simply nuked my firefox profile and everything went back to normal, but it's a pretty darn good scam... Oh, and BTW, it was on Solaris 10 SPARC, no x86, no Winblows, nothing... Just plain old UNIX... DARN!

hamei
Posts: 10433
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Post by hamei » Sat Sep 23, 2006 11:55 am

unixmuseum wrote:Just got an "interesting" case yesterday: I receive an obviously fake paypal e-mail asking me to click on a redirected paypal login link...... Oh, and BTW, it was on Solaris 10 SPARC, no x86, no Winblows, nothing... Just plain old UNIX... DARN!

You have your firefox and t-bird successfully talking to each other? Mail-to links in firefox open t-bird and all that? All that help-you stuff seems to lead to this :-(

unixmuseum
Posts: 2783
Joined: Mon Apr 19, 2004 4:25 pm
Location: Los Angeles, CA

Post by unixmuseum » Sat Sep 23, 2006 11:59 am

hamei wrote:You have your firefox and t-bird successfully talking to each other? Mail-to links in firefox open t-bird and all that? All that help-you stuff seems to lead to this :-(

Yeah... It's built into the Sun versions of thunderbird/firefox... Coincidentally, the Solaris SPARC ports of these applications are made by Sun Beijing; I blame the commies for that (especially because the fake e-mail came from a .ru address)! :-D

recondas
Moderator
Posts: 5440
Joined: Sun Jun 06, 2004 5:55 pm
Location: NC - USA

Post by recondas » Sat Sep 23, 2006 2:40 pm

hamei wrote:You have your firefox and t-bird successfully talking to each other? Mail-to links in firefox open t-bird and all that?


I may have completely mis-read this, but if you're asking if it's possible with FF 1.5.x and TB 1.5.x under IRIX, it is <last post>.

hamei
Posts: 10433
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Post by hamei » Sat Sep 23, 2006 4:55 pm

recondas wrote:
hamei wrote:You have your firefox and t-bird successfully talking to each other? Mail-to links in firefox open t-bird and all that?


I may have completely mis-read this, but if you're asking if it's possible with FF 1.5.x and TB 1.5.x under IRIX, it is <last post>.

Yes, but it sounds as if this opens you to a new type of exploit :-(

GeneratriX
Posts: 4250
Joined: Tue Oct 21, 2003 2:07 am
Location: Rosario / Santa Fe / República Argentina

Negative-Feedbackers!

Post by GeneratriX » Sat Sep 23, 2006 6:06 pm

Hey guys! ...Well, you're not tuned in to the latest scream of "blaming technology"! :P

Some idiot is spending money just to be able to leave negative feedback by buying products from my auctions at some online shop... yeah, you would not believe such a degree of stupidity, but it seems that somebody is VERY angry with me... angry enough to spend money buying about four products at a good price (including one time an offer greater than the auction price just to be able to get the item packaged and sent faster!)

Many of them even insist a lot on having the product, fighting with other users to buy it, no matter if they have to pay a lot more!

...In fact one of them paid in advance for the product to be shipped, and once I shipped the item, the courier returned the package as address-nonexistent! :shock: ...Then he just called me everything except "nice", and proceeded to leave his negative feedback. What a jerk! :P

All of them are users with nicks without feedback, they don't have any product published for sale, and all of them are EXTREMELY FRIENDLY, to succeed in having me leave positive feedback... then they always seem to do the same: they show their poor spirit by leaving negative feedback for me, blaming me a lot! :lol:

Yeah, I know... I should not make fun of it, but for some weird reason I really find it funny that they are spending money just to blame me! :P

Oh, well... I can't say I'm not enjoying this extra money in my pocket! ;) ...But I can't believe that one or more folks can be SO ANGRY with me as to spend money just to blame me at will...

...What do you think about this bunch of jerks? :roll: ...Now that I know the truth, I don't know too well what to do with them... of course they are trying to ruin me (and they are really trying hard), and they really don't care if they have to invest some money to do it... it seems that they are happy buying my worst stuff at higher prices than any other sane person would buy it... :shock:

unixmuseum
Posts: 2783
Joined: Mon Apr 19, 2004 4:25 pm
Location: Los Angeles, CA

Post by unixmuseum » Sun Oct 01, 2006 1:53 pm

unixmuseum wrote:Just got an "interesting" case yesterday: I received an obviously fake paypal e-mail asking me to click on a redirected paypal login link... Pretty simple, no big deal, just ignore it... Now, the amazing thing though is that somehow (I'm guessing using java), even though I didn't click on the link, my firefox profile got altered and paypal's login page was now triggering firefox's anti-phishing tools... I obviously didn't log into paypal, didn't load anything; just the simple fact that I had firefox open when I received the e-mail in thunderbird did the trick... I simply nuked my firefox profile and everything went back to normal, but it's a pretty darn good scam... Oh, and BTW, it was on Solaris 10 SPARC, no x86, no Winblows, nothing... Just plain old UNIX... DARN!

Looks like this could be what happened to me: http://news.com.com/2100-1002_3-6121608 ... &subj=news

SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon.

An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi said in a presentation at the ToorCon hacker conference here. The flaw affects Firefox on Windows, Apple Computer's Mac OS X and Linux, they said.
