Message-ID: <200303100914.h2A9E6xN000923@mailserver1.hushmail.com>
From: netw3_security at hushmail.com (Curt Wilson)
Subject: Bypassing Black Ice PC protection?

-----BEGIN PGP SIGNED MESSAGE-----


Recently seen: what appears to be an attacker bypassing Black Ice PC protection through unknown methods.

Windows 2000 pro, all service packs/hotfixes, legit install of Serv-U FTP server.

Black Ice PC Protection,
Product version 3.6.cbd
blackice.exe version 3.6.32
blackd.exe version 3.6.32
blackdll.dll version 3.6.28
BlackDrv.sys version 3.6.28
iss-pam1.dll version 3.6.06

From Serv-U FTP log file:

[5] Sat 08Mar03 19:09:07 - (000008) Connected to 80.117.235.141 (Local address 192.xxx.x.x)
[5] Sat 08Mar03 19:09:07 - Connection denied to IP-number 80.117.235.141

host141-235.pool80117.interbusiness.it

Black Ice is set to PARANOID and set to block all FTP access except specified IP ranges. This IP 80.117.235.141 is NOT included.

Black Ice did generate an alert to indicate a block, 4 seconds earlier:

Time, Event, Intruder, Count
3/8/2003 7:09:03 PM, TCP_Probe_Ftp, 80.117.235.141, 1

From attack-list.csv:

Severity  timestamp (GMT)  issueId  issueName  intruderIp  victimIp  parameters  count  responseLevel  intruderPort  victimPort  packetFlags

4  2003-03-09 01:09:03  2003004  TCP_Probe_Ftp  80.117.235.141  192.168.x.x  port=21&reason=Firewalled  1  A  3392  21  0x22d06

What did the attacker do 4 seconds later to bypass Black Ice? I don't see how Serv-U should have known about this person's IP if Black Ice was doing its job. I see these FTP probes all the time, but this is the first one that's actually appeared in my FTP server log. Unfortunately, I don't have the log*.enc file for more in-depth analysis.

Any ideas, or inside information about a Black Ice bypass technique?

Curt R. Wilson
GSEC, GCFW, GEEK(!)
Netw3 Security
www.netw3.com
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmMEARECACMFAj5sVo0cHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
aRH3KyBUAKCvs/rNMD/tz3ADUjoj3lEBovjLpwCcDalmOhw+ZC592NE2C0KjHR5QMyg=
=UUnM
-----END PGP SIGNATURE-----
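The check behind the question above, scripted: correlate the BlackICE attack-list.csv export with the Serv-U log and flag any source that BlackICE reported as Firewalled but that still completed a TCP connection to the FTP server shortly afterwards. This is an added example, not code from the post or from either product. It assumes the attack-list.csv fields are whitespace-separated as rendered in the post (a real export may be comma-separated, so adjust the split), that BlackICE timestamps are GMT, and that Serv-U logs local time at UTC-6, which is the offset that makes the two quoted timestamps agree. The sample input is constructed from the two records in the post plus one extra blocked host that never reaches Serv-U, as a control.

```python
"""Correlate BlackICE 'Firewalled' blocks with Serv-U 'Connected to' lines.

A hit means the IDS claimed to firewall a host, yet Serv-U's accept() still
saw a connection from it within the window, which is exactly the anomaly
the post describes. Added example; all field positions and the UTC-6 local
zone are assumptions stated in the lead-in.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input: the two records quoted in the post, plus one
# extra BlackICE block (10.9.8.7) that never appears in the Serv-U log.
ATTACK_LIST = """\
4 2003-03-09 01:09:03 2003004 TCP_Probe_Ftp 80.117.235.141 192.168.x.x port=21&reason=Firewalled 1 A 3392 21 0x22d06
4 2003-03-09 01:10:30 2003004 TCP_Probe_Ftp 10.9.8.7 192.168.x.x port=21&reason=Firewalled 1 A 4001 21 0x22d06
"""

SERVU_LOG = """\
[5] Sat 08Mar03 19:09:07 - (000008) Connected to 80.117.235.141 (Local address 192.xxx.x.x)
[5] Sat 08Mar03 19:09:07 - Connection denied to IP-number 80.117.235.141
"""

# Assumed local zone of the Serv-U host; BlackICE timestamps are GMT.
SERVU_LOCAL_OFFSET = timedelta(hours=-6)

# Matches only the "(nnnnnn) Connected to <ip>" lines, i.e. completed TCP
# connections; "Connection denied" lines carry no session id and are skipped.
SERVU_CONNECT = re.compile(
    r"^\[\d+\] \w{3} (\d{2}\w{3}\d{2} \d{2}:\d{2}:\d{2}) - \(\d+\) Connected to ([\d.]+)"
)


def parse_attack_list(text):
    """Return one dict per BlackICE event; timestamps are naive UTC datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split()  # assumed layout: severity date time issueId issueName intruderIp victimIp params ...
        ts = datetime.strptime(f[1] + " " + f[2], "%Y-%m-%d %H:%M:%S")
        params = dict(p.split("=", 1) for p in f[7].split("&"))
        events.append({
            "ts_utc": ts,
            "issue": f[4],
            "intruder": f[5],
            "intruder_port": int(f[10]),
            "victim_port": int(f[11]),
            "params": params,
        })
    return events


def parse_servu_connections(text):
    """Return (utc_datetime, client_ip) for each completed Serv-U connection."""
    conns = []
    for line in text.splitlines():
        m = SERVU_CONNECT.match(line)
        if not m:
            continue
        local = datetime.strptime(m.group(1), "%d%b%y %H:%M:%S")
        conns.append((local - SERVU_LOCAL_OFFSET, m.group(2)))
    return conns


def find_bypasses(attack_text, servu_text, window=timedelta(minutes=5)):
    """Firewalled blocks whose source IP still reached Serv-U within `window`."""
    conns = parse_servu_connections(servu_text)
    hits = []
    for ev in parse_attack_list(attack_text):
        if ev["params"].get("reason") != "Firewalled":
            continue
        for ts, ip in conns:
            delta = ts - ev["ts_utc"]
            if ip == ev["intruder"] and timedelta(0) <= delta <= window:
                hits.append({
                    "intruder": ip,
                    "blocked_utc": ev["ts_utc"],
                    "connected_utc": ts,
                    "delta_seconds": int(delta.total_seconds()),
                })
    return hits


if __name__ == "__main__":
    for h in find_bypasses(ATTACK_LIST, SERVU_LOG):
        print(f"{h['intruder']} firewalled at {h['blocked_utc']}Z, "
              f"reached Serv-U {h['delta_seconds']}s later")
```

Run against the sample input it reports the single 80.117.235.141 case, 4 seconds after the block, and nothing for the control host. Note what a hit does and does not establish: Serv-U only writes "Connected to" once the TCP handshake has completed, so the later connection was not dropped by the firewall; whether it was a second connection that BlackICE never classified as a probe, or the original one, cannot be decided from these two logs alone.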

