People snooping on the net

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,931
Location
USA
Last night I left my port 80 open so a friend could download a file from my home machine. Figuring not many people would see my machine for a few hours, I wasn't very concerned (plus my home page is blank).

I found one person who must have been scanning addresses and in my logs I see the following line:

61.77.50.51 - - [09/Sep/2004:22:45:26 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 425

I looked up "fp30reg.dll" and there is a buffer overflow exploit with this file, so this person was trying to get in (so it seems).

1.) I'm running Apache without FrontPage extensions, so they got a 404 error.
2.) I ran tracert on this address and the IP is still alive.
3.) I visited the IP address and it's an actual website.

So, either this person is using their server to scan for exploits, or they have some virus doing it for them. I can't read the site because it's in Chinese (I think?). Can anyone read their website and tell me their contact info?
hxxp://61.77.50.51
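As an added example that is not from the thread, here is a small Python script that parses Apache common-format log lines like the one above and counts, per source IP, requests for FrontPage extension paths that this server never serves; the posted log line is used as-is, the other sample lines are constructed, and the probe-path list is an assumption for illustration.

```python
import re
from collections import defaultdict

# Apache "common" log format, matching the line posted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# FrontPage extension paths: this server runs Apache without the
# extensions, so any request for them can only be a probe (assumed list).
PROBE_PATHS = (
    "/_vti_bin/_vti_aut/fp30reg.dll",
    "/_vti_bin/",
)

def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def is_probe(entry):
    # Lower-case compare: Windows targets are case-insensitive, scanners vary case.
    path = entry["path"].lower()
    return any(path.startswith(p.lower()) for p in PROBE_PATHS)

def summarize_probes(lines):
    """Map source IP -> number of probe requests, skipping unparseable lines."""
    counts = defaultdict(int)
    for line in lines:
        entry = parse_line(line)
        if entry and is_probe(entry):
            counts[entry["ip"]] += 1
    return dict(counts)

# Constructed sample log: first line is the one from the thread.
SAMPLE_LOG = [
    '61.77.50.51 - - [09/Sep/2004:22:45:26 -0400] "POST /_vti_bin/_vti_aut/fp30reg.dll HTTP/1.1" 404 425',
    '192.0.2.10 - - [09/Sep/2004:22:50:01 -0400] "GET /file.zip HTTP/1.1" 200 1048576',
    '61.77.50.51 - - [09/Sep/2004:22:45:27 -0400] "GET /_VTI_BIN/_vti_aut/author.dll HTTP/1.1" 404 300',
    'not a log line',
]

if __name__ == "__main__":
    for ip, n in summarize_probes(SAMPLE_LOG).items():
        print(f"{ip}: {n} probe request(s)")
```

The IP it reports is where the TCP handshake was completed, which is what to hand to the abuse contact from whois; it says nothing about whether that host is the scanner's own machine or a compromised one.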
 

blakerwry

Storage? I am Storage!
Joined
Oct 12, 2002
Messages
4,203
Location
Kansas City, USA
Website
justblake.com
Code:
[blake@localhost root]# whois 61.77.50.51
[Querying whois.apnic.net]
[Redirected to whois.nic.or.kr]
[Querying whois.nic.or.kr]
[whois.nic.or.kr]

query: 61.77.50.51

# ENGLISH

KRNIC is not a ISP but a National Internet Registry similar to APNIC.
The IPv4 address is allocated and still held by the following ISP, or
its Whois information is not updated after assigned to end-users.

Please see the following ISP contacts for further information
or network abuse.

[ ISP Organization Information ]
Org Name      : Korea Telecom
Service Name  : KORNET
Org Address   : 206 Jungja-dong, Bundang-gu, Sungnam city, Gyunggi-do, Korea, 463-711

[ ISP IP Admin Contact Information ]
Name          : IP Administrator
Phone         : +82-2-3674-5708
Fax           : +82-2-747-8701
E-Mail        : ip@ns.kornet.net

[ ISP IP Tech Contact Information ]
Name          : IP Manager
Phone         : +82-2-3674-5708
Fax           : +82-2-747-8701
E-mail        : ip@ns.kornet.net

[ ISP Network Abuse Contact Information ]
Name          : Network Abuse
Phone         : +82-2-3675-1499
Fax           : +82-2-747-8701
E-mail        : abuse@kornet.net

- KRNIC Whois Service -
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
I read about two weeks ago that currently the time taken to compromise an unprotected machine on the internet is twenty minutes. 20 minutes. 20 whole friggin minutes. I'm not at all surprised by your experience. These days, Andy Grove's words have become my mantra - Only the paranoid survive.
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
I'm not surprised either. Several years ago I had an MS Proxy server directly exposed to the internet through a cable modem with only its internal firewall operating. Please note that I actually had several internal protections for my internal network so that even if the proxy server was penetrated everything was entirely safe: in actuality I was very paranoid. I then told it to log all unauthorized accesses. After a significant time period (a year?) I then tried to look at the log and failed: it was well over 2 GB in size. I was amazed, so I then went to some effort and broke the file into chunks that could be read by a normal editor and analyzed the results.

I was averaging over 50,000 attempted accesses per day. Now when I started excluding everything that was a total non-event, like router queries, broadcasting game servers, DHCP requests, ... I was still left with an approximate average of 4 real invasion attempts per day. That was six years ago and I'm sure it has only gotten far worse with time.

Note, I did find out that my cable company was actively examining for FTP servers and web servers (not allowed per signed agreement).
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,931
Location
USA
Is it easy to spoof the IP so that Apache logs something incorrectly? I'd like to know why they felt the need to try and exploit something on my machine, but I suspect it didn't come from them, or is masked by something.

Mark, that's a crazy amount of traffic to your proxy. Was this on your home network, or a business?
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
That was on a Home/Business network. I had no servers or anything running externally that would attract any attention whatsoever.
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
Things that I learned -

1. Quality firewalls are a necessity and not optional for anyone that accesses the internet. Four attacks per day was four too many. I do note that the vast majority of computers don't have anything of value on them, but that is really irrelevant because once inside, bad things can be made to happen, or even worse, someone could theoretically take control and use that machine as a base for other unacceptable activity that would make the original hacker untraceable.

2. The logging that current firewalls generate doesn't really tell everything that is going on, i.e. they lie big-time as to what is actually querying your ports. On the other hand, it takes a lot of effort to filter out all the junk by hand, and if they actually listed everything only the most paranoid would bother logging anything. So maybe there is a point to autofiltering rather than logging everything.
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
Handruin said:
Is it easy to spoof the IP so that Apache logs something incorrectly? I'd like to know why they felt the need to try and exploit something on my machine, but I suspect it didn't come from them, or is masked by something.

Mark, that's a crazy amount of traffic to your proxy. Was this on your home network, or a business?

Yes, theoretically you can spoof the IP, but don't forget that when the packets get returned, routers will direct them to the spoofed IP address, so the real location won't ever see anything. Now if the spoofing is occurring on the local loop (between you and the nearest router) then the IP address doesn't matter; rather, the MAC address is used for returning packets. Also, if the spoofed IP address is close enough to the actual IP address that it gets to the same ending switch, then again it is the MAC address that determines the final destination.
 

Clocker

Storage? I am Storage!
Joined
Jan 14, 2002
Messages
3,554
Location
USA
So, are routers like some people are using at home (i.e. Linksys, Netgear) an adequate defense? Or should I be doing more than that? I've stopped using ZoneAlarm in favor of WinXP SP2's firewall. My thought right now is that I'm pretty safe with the hardware wall as well as the (rather soft) software firewall. Any other recommendations? I have several family members who I'm sure could also benefit. Right now, they're using some type of router with M$'s software firewall too.

File/Print sharing is disabled as well as NetBIOS over TCP/IP and Client for M$ Networks.

Thanks,
Clocker
 

P5-133XL

Xmas '97
Joined
Jan 15, 2002
Messages
3,173
Location
Salem, Or
I'd say for the vast majority of people that a HW router/firewall (especially if they are using NAT with interior private, non-routable IP addresses such as 192.168.x.x) is adequate as long as they have quality anti-virus and anti-spyware. They really do a good job blocking out the outside world as long as you don't invite the outside world in by running a DMZ or some server like a web server. If you need accountability (logging), or if you invite the outside world inside, require the common ports open (80 HTTP, 21 FTP, 139 NetBIOS...), or you have something valuable enough to justify someone attacking your system, then you need more.

Getting rid of File/Print sharing, NetBIOS, and Client for M$ Networks is excellent too as long as you don't need those services.
 

Handruin

Administrator
Joined
Jan 13, 2002
Messages
13,931
Location
USA
In this case it was my own fault/risk, but fortunately nothing happened. I forwarded port 80 to my main PC just overnight and someone else noticed. If I had more machines I'd look into setting up a Smoothwall.
 