[Intrusions] Are Internet Cafes safe ?
TILLEY, Alex
Alex.TILLEY at suncorp.com.au
Thu Jun 23 22:14:37 GMT 2005
(self-promotion time)
In my GSEC paper oh so many (2) years ago now I covered how the owner/IT
staff can make them safer for clients. It's a bit dated and not exactly what
you're after, but it might give you some ideas of the problems around from a
basic perspective.
http://www.giac.org/certified_professionals/practicals/gsec/4062.php
Alex
-----Original Message-----
From: intrusions-request at lists.sans.org
[mailto:intrusions-request at lists.sans.org]
Sent: Thursday, 23 June 2005 10:00 PM
To: intrusions at lists.sans.org
Subject: Intrusions Digest, Vol 15, Issue 15
Today's Topics:
1. Re: `tattle`, now with goodness (Rick.Wanner at sasktel.sk.ca)
2. Tattle WHOIS potential problem (security.alerts at dynamicnet.net)
3. Re: UDP traffic on port 48864 (Andrew Daviel)
4. Are Internet Cafes safe ? (Andrew Daviel)
----------------------------------------------------------------------
Message: 1
Date: Thu, 16 Jun 2005 13:49:40 -0600
From: Rick.Wanner at sasktel.sk.ca
Subject: Re: [Intrusions] `tattle`, now with goodness
To: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
Cc: "'Intrusions List \(GCIA Practicals\)'"
<intrusions at lists.sans.org>, intrusions-bounces at lists.sans.org
Message-ID:
<OFA2C1CD18.2361153D-ON06257022.006CC8C9-06257022.006CEB85 at sasktel.sk.ca>
Content-Type: text/plain; charset="US-ASCII"
> Oh yes; I didn't check, but you certainly want to make sure
> you don't report addresses more than once every few days ....
>
y??
if they brute force me 13 days in a row
I should only send one or two messages?
isn't 1 every 24 hour period an acceptable frequency
to underscore the urgency of the action required on
the ISP's part?
RW> Speaking as someone who has had to deal with these sorts of things...
These things do take time. I would expect that once a week would be
adequate.
Rick
------------------------------
Message: 2
Date: Fri, 17 Jun 2005 06:16:03 -0400
From: "security.alerts at dynamicnet.net"
<security.alerts at dynamicnet.net>
Subject: [Intrusions] Tattle WHOIS potential problem
To: intrusions at lists.sans.org
Message-ID: <6.2.1.2.2.20050617061205.0c0b5e30 at mail.dynamicnet.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed
Greetings CJ:
Jun 14 16:46:36 webnew sshd(pam_unix)[10076]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser=
rhost=211-23-176-222.hinet-ip.hinet.net
Jun 14 16:46:36 webnew sshd(pam_unix)[10103]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser=
rhost=211-23-176-222.hinet-ip.hinet.net
Was found by tattle.pl to email spam at ms1.hinet.net
Yet the APNIC WHOIS for 211.23.0.0 - 211.23.255.255 is CHTD, Chunghwa
Telecom Co., Ltd., whose abuse email addresses are as follows:
network-adm at hinet.net
fkchung at ms1.hinet.net
hostmaster at twnic.net
See http://www.apnic.net/apnic-bin/whois.pl
Please look at this issue for resolution.
Thank you.
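The two tattle points raised in Messages 1 and 2 (how often to report the same host, and pulling the offending rhost out of the sshd(pam_unix) line) as one added worked example in Python. This is not tattle.pl and not code from any post in the digest; the log lines are constructed with documentation-range addresses, the year is assumed (syslog lines carry none), and the abuse-contact lookup that CJ's WHOIS complaint is about is deliberately left out.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the sshd(pam_unix) format quoted in Message 2;
# the rhost values are documentation-range placeholders, not real hosts.
SAMPLE_LOG = """\
Jun 14 16:46:36 webnew sshd(pam_unix)[10076]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7
Jun 14 16:46:36 webnew sshd(pam_unix)[10103]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7
Jun 15 02:11:09 webnew sshd(pam_unix)[10881]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=203.0.113.7
Jun 15 03:40:51 webnew sshd(pam_unix)[11020]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\(pam_unix\)\[\d+\]: "
    r"authentication failure;.*\brhost=(?P<rhost>\S+)"
)

def parse_failures(text, year=2005):
    """Return (timestamp, rhost) for every pam_unix authentication failure.
    rhost is whatever sshd logged (an address or a reverse-resolved name);
    lines with an empty rhost or any other format are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            found.append((ts, m["rhost"]))
    return found

def plan_reports(failures, min_interval_hours=24.0):
    """Decide which failures trigger an abuse report (the throttling Rick
    and CJ discuss). Each rhost is reported at most once per interval; the
    report carries the number of failures from that host since the previous
    report, so throttling does not hide a sustained brute force."""
    interval = timedelta(hours=min_interval_hours)
    last_sent, pending, reports = {}, {}, []
    for ts, host in sorted(failures):
        pending[host] = pending.get(host, 0) + 1
        prev = last_sent.get(host)
        if prev is None or ts - prev >= interval:
            reports.append((ts, host, pending[host]))
            last_sent[host] = ts
            pending[host] = 0
    return reports
```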
------------------------------
Message: 3
Date: Mon, 20 Jun 2005 18:19:43 -0700 (PDT)
From: Andrew Daviel <andrew at andrew.triumf.ca>
Subject: Re: [Intrusions] UDP traffic on port 48864
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Message-ID: <Pine.LNX.4.53.0506201808390.13651 at andrew.triumf.ca>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 14 Jun 2005, James C Slora Jr wrote:
> Andrew Daviel wrote Monday, June 13, 2005 6:42 PM
>
> > I've been seeing UDP traffic sent to a host here on port 48864; it seems
> > to be all (or mostly) targeted at one particular host, which does not seem
> > to respond (apart from maybe ICMP unreachable). It's from random places on
> > the net (including residential, like P2P), but the packets are quite small
> > (15-500 bytes) and don't seem to have any ASCII content.
>
> Packets would be nice.
17:00:07.923609 195.205.132.226.24432 > 142.x.y.z.48864: udp 123
17:00:07.924007 142.x.y.z.48864 > 195.205.132.226.24432: udp 21
17:00:09.276406 201.24.74.50.4674 > 142.x.y.z.48864: tcp 0 (DF)
17:00:09.276557 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:12.225555 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:16.692418 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
17:00:16.692571 142.x.y.z.48864 > 69.166.222.155.65351: tcp 0 (DF)
17:00:16.808173 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
17:00:18.362210 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:40.624674 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
17:00:40.625105 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
17:00:44.110763 65.94.161.239.25409 > 142.x.y.z.48864: udp 97
17:00:44.111089 142.x.y.z.48864 > 65.94.161.239.25409: udp 43
17:00:44.541082 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
17:00:44.541422 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
17:00:56.322058 154.20.232.86.16800 > 142.x.y.z.48864: udp 103
There are also occasional tcp packets - remote sends SYN, local sends
SYN, ACK, remote either doesn't respond or sends RST. No data.
I don't see that our local machine is a worthy recipient of a DDoS attack
- it's basically a Windows desktop
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
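An added way to triage a capture like the one Andrew posts (example code written for this reply, not from the original message or any tool it mentions): it parses tcpdump summary lines, tallies traffic per remote peer, and lists the peers the local host actually answered, since any reply on 48864 means a service is listening on the desktop and netstat there is the next check. The sample lines are constructed; the local host is masked as 142.x.y.z as in the message and the remote addresses are documentation-range placeholders.

```python
import re
from collections import defaultdict

# Constructed sample in the tcpdump summary format quoted above; remote
# addresses are documentation-range placeholders, not the original peers.
LOCAL, LOCAL_PORT = "142.x.y.z", 48864
CAPTURE = """\
17:00:07.923609 203.0.113.5.24432 > 142.x.y.z.48864: udp 123
17:00:07.924007 142.x.y.z.48864 > 203.0.113.5.24432: udp 21
17:00:09.276406 198.51.100.7.4674 > 142.x.y.z.48864: tcp 0 (DF)
17:00:09.276557 142.x.y.z.48864 > 198.51.100.7.4674: tcp 0 (DF)
17:00:40.624674 192.0.2.33.2087 > 142.x.y.z.48864: udp 102
17:00:40.625105 142.x.y.z.48864 > 192.0.2.33.2087: udp 43
17:00:56.322058 192.0.2.44.16800 > 142.x.y.z.48864: udp 103
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): (?P<proto>udp|tcp) (?P<len>\d+)"
)

def parse_capture(text):
    """Parse tcpdump one-liners into dicts; any other line format is ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            p = m.groupdict()
            for k in ("sport", "dport", "len"):
                p[k] = int(p[k])
            pkts.append(p)
    return pkts

def summarize_peers(pkts, local=LOCAL, port=LOCAL_PORT):
    """Per remote (host, port): protocol, packet and byte counts each way."""
    peers = defaultdict(lambda: {"proto": None, "in_pkts": 0, "in": 0,
                                 "out_pkts": 0, "out": 0})
    for p in pkts:
        if p["dst"] == local and p["dport"] == port:      # inbound to the desktop
            st = peers[(p["src"], p["sport"])]
            st["in_pkts"] += 1; st["in"] += p["len"]
        elif p["src"] == local and p["sport"] == port:    # the desktop's reply
            st = peers[(p["dst"], p["dport"])]
            st["out_pkts"] += 1; st["out"] += p["len"]
        else:
            continue
        st["proto"] = p["proto"]
    return dict(peers)

def answered(summary):
    """Peers that got a reply: evidence that something listens on the port."""
    return sorted(k for k, st in summary.items() if st["out_pkts"] > 0)
```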
------------------------------
Message: 4
Date: Mon, 20 Jun 2005 18:26:47 -0700 (PDT)
From: Andrew Daviel <andrew at andrew.triumf.ca>
Subject: [Intrusions] Are Internet Cafes safe ?
To: intrusions at incidents.org
Message-ID: <Pine.LNX.4.53.0506201822510.13651 at andrew.triumf.ca>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Let me rephrase that.
Is it possible to safely use a PC at an Internet Cafe to login to
somewhere ? Millions of travellers want to know (or they ought to!)
(We are tracking an incident where we suspect a trojaned PuTTY SSH
client, or a keystroke logger, was used to capture passwords in a cafe).
So the question is, if you aren't allowed to boot your own system off a
CD or memory stick, or read in long keys off media, how can you use a
system where you can't trust the keyboard ?
One-time-pad tokens would work, but only to protect the initial login,
not the text or any further logins made from the shell account.
Ideas ? What are other people doing ?
(I tried to post this on Bugtraq but I guess it was considered off-topic
and went in the bit bucket. I thought they used to at least send a
rejection message ... it's probably off-topic here, but I can't think
of a more appropriate forum offhand)
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
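The one-time-password point in Andrew's question, as an added illustration that is not from the original post: an S/KEY-style hash-chain login where the server keeps only the next expected value, so a password typed on a cafe keyboard and captured by a keylogger cannot be reused, while nothing here protects what is typed into the session afterwards, which is exactly the limitation he notes. SHA-256 as the chain function and a shared random seed on both sides are simplifying assumptions of this example.

```python
import hashlib
import secrets

def chain(seed: bytes, n: int) -> list:
    """Return [H^0(seed), H^1(seed), ..., H^n(seed)] for H = SHA-256."""
    out = [seed]
    for _ in range(n):
        out.append(hashlib.sha256(out[-1]).digest())
    return out

class OtpServer:
    """Holds only the last chain value; a login must present its preimage."""
    def __init__(self, seed: bytes, n: int):
        self.stored = chain(seed, n)[-1]
        self.remaining = n

    def login(self, otp: bytes) -> bool:
        if self.remaining == 0 or hashlib.sha256(otp).digest() != self.stored:
            return False
        self.stored = otp          # accepted value becomes the new anchor,
        self.remaining -= 1        # so a keylogged copy fails from now on
        return True

class OtpClient:
    """The traveller's list/token: hands out chain values in reverse order."""
    def __init__(self, seed: bytes, n: int):
        self.values = chain(seed, n)
        self.next_index = n - 1

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol a new seed")
        v = self.values[self.next_index]
        self.next_index -= 1
        return v

def demo(n: int = 3):
    """Fresh login succeeds, replay of the same value fails, next value works."""
    seed = secrets.token_bytes(16)   # constructed: in S/KEY this comes from a passphrase
    server, client = OtpServer(seed, n), OtpClient(seed, n)
    first = client.next_otp()
    fresh = server.login(first)                 # True
    replay = server.login(first)                # False: captured value is dead
    second = server.login(client.next_otp())    # True
    return fresh, replay, second
```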
------------------------------