[Intrusions] EXPLOIT ISAKMP Attack
John Mulkerin
jmulkerin at keypointcu.com
Sun Jun 26 00:34:07 GMT 2005
All of a sudden, I'm seeing regular Port 500 attacks This is an older
Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload
Buffer Overflow attempt. Any one know of any trojans, or viruses that
might be trying this. I'm seeing it from several
IPs:71.109.123.242:500 , 206.72.72.29:500, & 24.23.161.111:500
Here is an example: Sorry no payloads, yet.:
[**] [1:2376:3] EXPLOIT ISAKMP first payload certificate request length
overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
06/24-16:46:06.359154 206.72.72.29:500 -> Mygateway.IP.address::500 UDP
TTL:109 TOS:0x0 ID:22593 IpLen:20 DgmLen:128
Len: 100
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0040][Xref
=> http://www.securityfocus.com/bid/9582]
John Mulkerin
CTO
KeyPoint Credit Union
408-731-4324
---------------------------------------------------------------
This e-mail is the property of KeyPoint Credit Union. It is intended
only for the addressee(s) and may contain information that is
privileged, confidential, or otherwise protected from disclosure. If you
are not the intended recipient(s), you are prohibited from copying,
distributing, or disclosing this e-mail or its contents to any other
person or entity. If you have received this e-mail in error, please
immediately notify the sender at the e-mail address identified above and
delete and destroy any and all copies of this e-mail.
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of
intrusions-request at lists.sans.org
Sent: Saturday, June 25, 2005 3:10 PM
To: intrusions at lists.sans.org
Subject: Intrusions Digest, Vol 15, Issue 16
Send Intrusions mailing list submissions to
intrusions at lists.sans.org
To subscribe or unsubscribe via the World Wide Web, visit
http://www.dshield.org/mailman/listinfo/intrusions
or, via email, send a message with subject or body 'help' to
intrusions-request at lists.sans.org
You can reach the person managing the list at
intrusions-owner at lists.sans.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Intrusions digest..."
Today's Topics:
1. Re: Are Internet Cafes safe ? (TILLEY, Alex)
2. Re: Are Internet Cafes safe ? (Jon Hedlund)
3. Re: Are Internet Cafes safe ? (James C Slora Jr)
4. TCP 445 is Safe (James C Slora Jr)
5. Re: Are Internet Cafes safe ? (Mike Chandler)
6. Re: Are Internet Cafes safe ? (Matt Kirchhoff)
7. Re: Are Internet Cafes safe ? (Hazel, Scott A.)
----------------------------------------------------------------------
Message: 1
Date: Fri, 24 Jun 2005 08:14:37 +1000
From: "TILLEY, Alex" <Alex.TILLEY at suncorp.com.au>
Subject: Re: [Intrusions] Are Internet Cafes safe ?
To: intrusions at lists.sans.org
Message-ID:
<C13B3B68F2E19A4CB2556642EEE8F22E0722D63F at MMSX008.suncorpmetway.net>
Content-Type: text/plain; charset="us-ascii"
(self promotion time)
In my GSEC paper oh so many (2) years ago now I covered how the owner/IT
staff can make them safer for clients, it's a bit dated and not exactly
what you're after but it might give you some idea's of the problems
around from a basic perspective.
http://www.giac.org/certified_professionals/practicals/gsec/4062.php
Alex
-----Original Message-----
From: intrusions-request at lists.sans.org
[mailto:intrusions-request at lists.sans.org]
Sent: Thursday, 23 June 2005 10:00 PM
To: intrusions at lists.sans.org
Subject: Intrusions Digest, Vol 15, Issue 15
Send Intrusions mailing list submissions to
intrusions at lists.sans.org
To subscribe or unsubscribe via the World Wide Web, visit
http://www.dshield.org/mailman/listinfo/intrusions
or, via email, send a message with subject or body 'help' to
intrusions-request at lists.sans.org
You can reach the person managing the list at
intrusions-owner at lists.sans.org
When replying, please edit your Subject line so it is more specific than
"Re: Contents of Intrusions digest..."
Today's Topics:
1. Re: `tattle`, now with goodness (Rick.Wanner at sasktel.sk.ca)
2. Tattle WHOIS protential problem (security.alerts at dynamicnet.net)
3. Re: UDP traffic on port 48864 (Andrew Daviel)
4. Are Internet Cafes safe ? (Andrew Daviel)
----------------------------------------------------------------------
Message: 1
Date: Thu, 16 Jun 2005 13:49:40 -0600
From: Rick.Wanner at sasktel.sk.ca
Subject: Re: [Intrusions] `tattle`, now with goodness
To: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
Cc: "'Intrusions List \(GCIA Practicals\)'"
<intrusions at lists.sans.org>,
intrusions-bounces at lists.sans.org
Message-ID:
<OFA2C1CD18.2361153D-ON06257022.006CC8C9-06257022.006CEB85 at sasktel.sk.ca
>
Content-Type: text/plain; charset="US-ASCII"
> Oh yes; I didn't check, but you certainly want to make sure you don't
> report addresses more than once every few days ....
>
y??
if they brute force me 13 days in a row
I should only send one or two messages?
isnt 1 every 24 hour period an acceptable frequency to underscore the
urgency of the action required on the isp's part?
RW> Speaking as someone who has had to deal with these sorts of
things...
These things do take time. I would expect that once a week would be
adequate.
Rick
NOTICE: This confidential e-mail message is only for the intended
recipient(s). If you are not the intended recipient, be advised that
disclosing, copying, distributing, or any other use of this message, is
strictly prohibited. In such case, please destroy this message and
notify the sender.
------------------------------
Message: 2
Date: Fri, 17 Jun 2005 06:16:03 -0400
From: "security.alerts at dynamicnet.net"
<security.alerts at dynamicnet.net>
Subject: [Intrusions] Tattle WHOIS protential problem
To: intrusions at lists.sans.org
Message-ID: <6.2.1.2.2.20050617061205.0c0b5e30 at mail.dynamicnet.net>
Content-Type: text/plain; charset="us-ascii"; format=flowed
Greetings CJ:
Jun 14 16:46:36 webnew sshd(pam_unix)[10076]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser=
rhost=211-23-176-222.hinet-ip.hinet.net
Jun 14 16:46:36 webnew sshd(pam_unix)[10103]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser=
rhost=211-23-176-222.hinet-ip.hinet.net
Was found by tattle.pl to email spam at ms1.hinet.net
Yet the APIC WHOIS for 211.23.0.0 - 211.23.255.255 is CHTD, Chunghwa
Telecom Co.,Ltd. whose abuse email addresses are as follows:
network-adm at hinet.net
fkchung at ms1.hinet.net
hostmaster at twnic.net
See http://www.apnic.net/apnic-bin/whois.pl
Please look at this issue for resolution.
Thank you.
------------------------------
Message: 3
Date: Mon, 20 Jun 2005 18:19:43 -0700 (PDT)
From: Andrew Daviel <andrew at andrew.triumf.ca>
Subject: Re: [Intrusions] UDP traffic on port 48864
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Message-ID: <Pine.LNX.4.53.0506201808390.13651 at andrew.triumf.ca>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Tue, 14 Jun 2005, James C Slora Jr wrote:
> Andrew Daviel wrote Monday, June 13, 2005 6:42 PM
>
> > I've been seeing UDP traffic sent to a host here on port 48864; it
seems
> to all (or mostly) targetted at one particular host, which does not
> seem
to
> respond (apart from maybe ICMP unreachable). It's from random places
> on
the
> net (including residential, like P2P), but the packets are quite small
> (15-500 bytes) and don't seem to have any ASCII content.
>
> Packets would be nice.
17:00:07.923609 195.205.132.226.24432 > 142.x.y.z.48864: udp 123
17:00:07.924007 142.x.y.z.48864 > 195.205.132.226.24432: udp 21
17:00:09.276406 201.24.74.50.4674 > 142.x.y.z.48864: tcp 0 (DF)
17:00:09.276557 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:12.225555 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:16.692418 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
17:00:16.692571 142.x.y.z.48864 > 69.166.222.155.65351: tcp 0 (DF)
17:00:16.808173 69.166.222.155.65351 > 142.x.y.z.48864: tcp 0 (DF)
17:00:18.362210 142.x.y.z.48864 > 201.24.74.50.4674: tcp 0 (DF)
17:00:40.624674 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
17:00:40.625105 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
17:00:44.110763 65.94.161.239.25409 > 142.x.y.z.48864: udp 97
17:00:44.111089 142.x.y.z.48864 > 65.94.161.239.25409: udp 43
17:00:44.541082 128.195.4.205.2087 > 142.x.y.z.48864: udp 102
17:00:44.541422 142.x.y.z.48864 > 128.195.4.205.2087: udp 43
17:00:56.322058 154.20.232.86.16800 > 142.x.y.z.48864: udp 103
User Datagram Protocol, Src Port: 24432 (24432), Dst Port: 48864 (48864)
Data (123 bytes)
0000 40 b8 02 82 8f e2 0c 77 b9 71 df 3a 5b 45 f5 23 @......w.q.:[E.#
0010 e0 f8 6a 3b 7e 46 68 95 08 52 94 fc f5 42 5b 67 ..j;~Fh..R...B[g
0020 ae ca 1a 7f d9 c6 50 1f ab f1 4c 23 0e 01 67 03 ......P...L#..g.
0030 63 b1 51 50 fc 08 76 d8 3e 6d 35 22 13 3f 54 3e c.QP..v.>m5".?T>
0040 56 23 ef 06 e0 a2 a3 68 49 e5 47 d9 7f 77 90 dd V#.....hI.G..w..
0050 66 a6 ca 6e 40 86 e5 0b 8e 4c 11 58 fa 70 4f 93 f..n at ....L.X.pO.
0060 49 7f 5d 73 d9 18 61 8c 3a ee ed 5d 4f c0 79 0e I.]s..a.:..]O.y.
0070 9c ec b4 f1 0c df 94 8f 22 e7 78 ........".x
User Datagram Protocol, Src Port: 48864 (48864), Dst Port: 24432 (24432)
Data (21 bytes)
0000 00 16 02 c6 7e ea 95 50 77 c1 5f 42 8f e9 b6 ea ....~..Pw._B....
0010 9a 52 e4 fd 02 .R...
User Datagram Protocol, Src Port: 2087 (2087), Dst Port: 48864 (48864)
Data (102 bytes)
0000 9d 8a 02 98 21 b8 a6 00 59 d3 8d 9a a5 8b 95 c5 ....!...Y.......
0010 09 54 c9 79 2c 7e ea f0 13 7f 2c 89 71 80 74 fd .T.y,~....,.q.t.
0020 3d d4 67 aa 93 08 30 b9 a8 a3 87 da 16 73 9d 34 =.g...0......s.4
0030 01 05 c6 9a 73 76 99 c5 71 d7 c3 f1 d6 96 7f 7e ....sv..q......~
0040 48 a0 ba de f9 c4 22 65 f8 be 32 63 31 9f 97 df H....."e..2c1...
0050 d9 25 24 df 30 fa 67 e0 ad 54 9a 49 b9 4b af 53 .%$.0.g..T.I.K.S
0060 1d 35 ee 5c 2a 24 .5.\*$
etc.
There are also occasional tcp packets - remote sends SYN, local sends
SYN, ACK, remote either doesn't respond or sends RST. No data.
I don't see that our local machine is a worthy recipient of a DDoS
attack
- it's basically a Windows desktop
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
------------------------------
Message: 4
Date: Mon, 20 Jun 2005 18:26:47 -0700 (PDT)
From: Andrew Daviel <andrew at andrew.triumf.ca>
Subject: [Intrusions] Are Internet Cafes safe ?
To: intrusions at incidents.org
Message-ID: <Pine.LNX.4.53.0506201822510.13651 at andrew.triumf.ca>
Content-Type: TEXT/PLAIN; charset=US-ASCII
Let me rephrase that.
Is it possible to safely use a PC at an Internet Cafe to login to
somewhere ? Millions of travellers want to know (or they ought to!)
(We are tracking an incident where we suspect a trojaned PuTTY SSH
client, or a keystroke logger, was used to capture passwords in a cafe).
So the question is, if you aren't allowed to boot your own system off a
CD or memory stick, or read in long keys off media, how can you use a
system where you can't trust the keyboard ?
One-time-pad tokens would work, but only to protect the initial login,
not the text or any further logins made from the shell account.
Ideas ? What are other people doing ?
(I tried to post this on Bugtraq but I guess it was considered off-topic
and went in the bit bucket. I thought they used to at least send a
rejection message ... it's probably off-topic here, but I can't think
of a more appropriate forum offhand)
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
------------------------------
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
End of Intrusions Digest, Vol 15, Issue 15
******************************************
------------------------------------------------------------------------
-----------
This e-mail is sent by Suncorp-Metway Limited ABN 66 010 831 722 or one
of its related entities "Suncorp".
Suncorp may be contacted at Level 18, 36 Wickham Terrace, Brisbane or on
13 11 55 or at suncorp.com.au.
The content of this e-mail is the view of the sender or stated author
and does not necessarily reflect the view of Suncorp. The content,
including attachments, is a confidential communication between Suncorp
and the intended recipient. If you are not the intended recipient, any
use, interference with, disclosure or copying of this e-mail, including
attachments, is unauthorised and expressly prohibited. If you have
received this e-mail in error please contact the sender immediately and
delete the e-mail and any attachments from your system.
If this e-mail constitutes a commercial message of a type that you no
longer wish to receive please reply to this e-mail by typing Unsubscribe
in the subject line.
------------------------------
Message: 2
Date: Wed, 22 Jun 2005 20:23:36 -0500
From: Jon Hedlund <JH_ML at invtools.com>
Subject: Re: [Intrusions] Are Internet Cafes safe ?
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Message-ID: <42BA0F18.10901 at invtools.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
With the easy availability of hardware and software keystroke loggers
I'd say you should treat any public PC like a postcard and assume
anything you enter can be seen by the world. For some situations, using
one-time passwords or disposable web-mail accounts can lower the threat
this presents to an acceptable level. But for many remote access
purposes, the only safe access method is with your own hardware over an
encrypted/authenticated channel, or arranging for someone you trust to
do whatever it is that needs to be done from a secure PC.
Myself, I always lug a laptop around along with whatever devices I may
need for a network connection - cellphone adapter, acoustical modem,
wireless NIC, satellite link, etc. Plus SSH/SSL/VPN clients to secure
the link.
There was a discussion about this on Slashdot recently that you might
want to check out for other opinions.
JonH
Andrew Daviel wrote:
>Let me rephrase that.
>
>Is it possible to safely use a PC at an Internet Cafe to login to
>somewhere ? Millions of travellers want to know (or they ought to!)
>
>(We are tracking an incident where we suspect a trojaned PuTTY SSH
>client, or a keystroke logger, was used to capture passwords in a
cafe).
>
>So the question is, if you aren't allowed to boot your own system off a
>CD or memory stick, or read in long keys off media, how can you use a
>system where you can't trust the keyboard ?
>
>One-time-pad tokens would work, but only to protect the initial login,
>not the text or any further logins made from the shell account.
>
>Ideas ? What are other people doing ?
>
>(I tried to post this on Bugtraq but I guess it was considered
off-topic
>and went in the bit bucket. I thought they used to at least send a
>rejection message ... it's probably off-topic here, but I can't think
>of a more appropriate forum offhand)
>
>
>
------------------------------
Message: 3
Date: Thu, 23 Jun 2005 11:59:09 -0400
From: "James C Slora Jr" <Jim.Slora at phra.com>
Subject: Re: [Intrusions] Are Internet Cafes safe ?
To: "'Intrusions List \(GCIA Practicals\)'"
<intrusions at lists.sans.org>
Message-ID: <20050623160212.069AD31B196 at mail29-haw.bigfish.com>
Content-Type: text/plain; charset="iso-8859-1"
My thoughts. YMMV.
Anything that is trusted needs to be encrypted in a non-replayable form
when
travelling through untrusted networks or devices.
The Internet Caf? computer is an untrustable device on an untrustable
network, so unless the input is encrypted before typing, and the output
is
decrypted after being displayed on the screen, then no usage of that
device
is trustable.
If you assume that every keystroke you type, every click of your mouse,
and
everything you send or receive on the computer have all been captured by
someone else - and if you are OK with that - then it is perfectly safe.
Tools like SecureID can greatly reduce the risk of login credential
misuse
if that is all you are worried about, but they do little to prevent
real-time shenanigans or session capture.
------------------------------
Message: 4
Date: Fri, 24 Jun 2005 11:56:58 -0400
From: "James C Slora Jr" <Jim.Slora at phra.com>
Subject: [Intrusions] TCP 445 is Safe
To: "'Intrusions List \(GCIA Practicals\)'"
<intrusions at lists.sans.org>
Message-ID: <20050624160007.32CB630731E at mail25-ash.bigfish.com>
Content-Type: text/plain; charset="us-ascii"
I found this humorous in a laugh-instead-of-cry kind of way.
"Microsoft is not aware of any active attempts to exploit any Microsoft
vulnerabilities via TCP Port 445"
From
http://news.zdnet.com/2100-1009_22-5759667.html?tag=nl.e589
<sarcasm>
Is anyone else aware of any TCP 445 exploits agains MS operating system
flaws?
If not, I guess it is safe to stop filtering it.
</sarcasm>
------------------------------
Message: 5
Date: Sat, 25 Jun 2005 11:55:31 -0700
From: "Mike Chandler" <mchandl1 at san.rr.com>
Subject: Re: [Intrusions] Are Internet Cafes safe ?
To: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
Message-ID: <AGEMJOIFBMCHOENPDIMBIEKECGAA.mchandl1 at san.rr.com>
Content-Type: text/plain; charset="us-ascii"
How can you trust someone else's system to protect your data? You
can't!
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org]On Behalf Of Andrew Daviel
Sent: Monday, June 20, 2005 6:27 PM
To: intrusions at incidents.org
Subject: [Intrusions] Are Internet Cafes safe ?
Let me rephrase that.
Is it possible to safely use a PC at an Internet Cafe to login to
somewhere ? Millions of travellers want to know (or they ought to!)
(We are tracking an incident where we suspect a trojaned PuTTY SSH
client, or a keystroke logger, was used to capture passwords in a cafe).
So the question is, if you aren't allowed to boot your own system off a
CD or memory stick, or read in long keys off media, how can you use a
system where you can't trust the keyboard ?
One-time-pad tokens would work, but only to protect the initial login,
not the text or any further logins made from the shell account.
Ideas ? What are other people doing ?
(I tried to post this on Bugtraq but I guess it was considered off-topic
and went in the bit bucket. I thought they used to at least send a
rejection message ... it's probably off-topic here, but I can't think
of a more appropriate forum offhand)
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
------------------------------
Message: 6
Date: Thu, 23 Jun 2005 08:42:10 -0700
From: Matt Kirchhoff <mek at pdx.edu>
Subject: Re: [Intrusions] Are Internet Cafes safe ?
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Message-ID: <42BAD852.4080009 at pdx.edu>
Content-Type: text/plain; charset=ISO-8859-1
Quoth Andrew Daviel on 6/20/2005 6:26 PM:
> Let me rephrase that.
>
> Is it possible to safely use a PC at an Internet Cafe to login to
> somewhere ?
In short, no. If you didn't configure the system, you can't trust it.
Even if you *could* boot your own OS from external media, you *still*
can't trust the system. Consider the case of a sealed kiosk where a
hardware keylogger has been inserted between the keyboard and PC.
The definition of "safe," however, is debateable. Safe to browse news
sites, weather reports, movie times? Probably. Safe to check email, bank
accounts, or other authenticated sites? Probably not.
--
mek at pdx.edu
------------------------------
Message: 7
Date: Fri, 24 Jun 2005 08:44:27 -0400
From: "Hazel, Scott A." <Scott.Hazel at unisys.com>
Subject: Re: [Intrusions] Are Internet Cafes safe ?
To: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>,
<intrusions at incidents.org>
Message-ID:
<CD37228E9BE22B41B53208CE8A8AEC0B06283F6A at USBB-EXCH2.na.uis.unisys.com>
Content-Type: text/plain; charset="iso-8859-1"
Howdy Andrew.
My gut reaction is no. Public access terminals like this are not safe.
However, it may all depend on who's watching the hen house. If the
location has a professional managed services provider monitoring the
systems with appropriate 24x7 Host/Network IDS/Firewall then its
probably a safer option (or the lesser of two evils). Even with these
precautions, if someone has slipped a hardware based keystroke logger
into the mix, all bets are off.
A better option would be a caf? or hotspot that allows you to bring in
your own system (aka notebook PC, etc.). You may not control the network
but you can control your own host security. Encrypted communications
should thwart 3rd party sniffers but you also can't ignore a possible
man-in-the-middle.
There are probably other more experienced security folk that can expand
or debunk my statements above so YMMV. Hope this is helpful.
Scott Hazel
Security Operations Center
Unisys
scott.hazel at unisys.com
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Andrew Daviel
Sent: Monday, June 20, 2005 9:27 PM
To: intrusions at incidents.org
Subject: [Intrusions] Are Internet Cafes safe ?
Let me rephrase that.
Is it possible to safely use a PC at an Internet Cafe to login to
somewhere ? Millions of travellers want to know (or they ought to!)
(We are tracking an incident where we suspect a trojaned PuTTY SSH
client, or a keystroke logger, was used to capture passwords in a cafe).
So the question is, if you aren't allowed to boot your own system off a
CD or memory stick, or read in long keys off media, how can you use a
system where you can't trust the keyboard ?
One-time-pad tokens would work, but only to protect the initial login,
not the text or any further logins made from the shell account.
Ideas ? What are other people doing ?
(I tried to post this on Bugtraq but I guess it was considered off-topic
and went in the bit bucket. I thought they used to at least send a
rejection message ... it's probably off-topic here, but I can't think of
a more appropriate forum offhand)
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
------------------------------
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
End of Intrusions Digest, Vol 15, Issue 16
******************************************
More information about the Intrusions
mailing list