Message-ID: <Law11-OE69TGpaoG1VR00036762@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: "the badhat saga" a sad but true tale...
For those interested, this is an excerpt of a conversation with a well-meaning, but very misguided, "professional".
Note: there is no flaming here, just some mild shock in my reactions and expressions.
*** lamehat (~me@...241.xxx.xxx) has joined #0sec
<@morning_wood> hi
<lamehat> Why would I be getting port scans originating from this server?
<@MrWood> you shouldnt
<@MrWood> i have scanning off
<lamehat> Care to see the logs?
<@MrWood> yea...
<lamehat> Where do you want me to send them?
------------- start snippy --------------------
Hack attempts by this intruder:
Date & Time: 2003-06-04 01:28:20 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_Gnutella (port=6346)
Victim IP: 12.241.xxx.xxx
Attempts: 2
Date & Time: 2003-06-06 00:33:53 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_HTTP (port=80)
Victim IP: 12.241.xxx.xxx
Attempts: 32
-------------- end snippy -----------
<@MrWood> thats from my gnutella client
<lamehat> 68 attempts to different ports
<@MrWood> thats a standard connect for gnutella based clients
<@MrWood> i dont get it
<@MrWood> yea y tf would i scan 68 times
<@MrWood> i used a new client last night called Nova
<lamehat> well abuse report has already been sent to ATT...the box it is hitting is a SNORT IDS box
<@MrWood> as in they make repeated attempts
<lamehat> I have never been here before or to your site
<@MrWood> excellent i suggest getting p2p off your wire then
<@MrWood> a abuse report?
<lamehat> there isn't any P2P on this box. It is an intrusion detection box
<@MrWood> are you nuts?
<@MrWood> then your being picked up
<@MrWood> on your wire
<@MrWood> as a open client
<@MrWood> if your ports are in receive ( server mode) its gunna connect
<lamehat> I'll let att sort it out
<@MrWood> ya geee thanks
<@MrWood> lame man
<lamehat> The box is locked down, there is nothing but listening going on here
<@MrWood> I NEVER SCANNED ANYONE 32 F*CKING TIMES IN MY LIFE
<@MrWood> its a fscing p2p connect
<@MrWood> wtf you send abuse for?
<@MrWood> how long have you been in the security field?
<lamehat> 15 years CISSP certified
<@MrWood> 32 times is bullsh*t
<@MrWood> i got no reason to scan you more than once
<@MrWood> if i even did that
<@MrWood> port scanning is not against any law
<lamehat> True, but it is against ATT's acceptable use policy, as is running this server and your web server
<@MrWood> i just read the doj guidelines
<@MrWood> the hell it is
<@MrWood> they ( ATT ) knows not only i run a httpd
<@MrWood> but a router as well
<@MrWood> they also know im in the security arena
<@MrWood> its in their notes because i work close with them
<@MrWood> you realy should confer before sending out lame abuse reports
<@MrWood> esp when your on p2p
<@MrWood> and what state am i in?
<lamehat> item xiv...toward the bottom of the page
<@MrWood> your in mesquite texas?
<lamehat> BTW, I am connected to you via port 6667 with an IRC client
<lamehat> yep
<@MrWood> yes obviously
<lamehat> Examples of prohibited programs and equipment include, but are not limited to, mail, ftp, http, file sharing, game, newsgroup, proxy, IRC servers, multi-user interactive forums and Wi-Fi devices;
<@MrWood> so
<lamehat> from att's acceptable use policy
<@MrWood> i told you
<@MrWood> its in their notes
<@MrWood> for the last year
<@MrWood> man you are the worst kind of security person
<@MrWood> take your white hat off for a few sometime
<@MrWood> sending abuse for a suspected scan
<@MrWood> lame bro
<lamehat> With my certification comes the obligation to assist
in protecting the network from abuse..port scanning is an abuse
<@MrWood> uhh huu i see
<@MrWood> i cant tell you how to conduct your internet experience .... so
<@MrWood> in 3 years you are the second person to send abuse
<@MrWood> obviously im not doing anything severe here now am i
<@MrWood> ?
<@MrWood> take yer cert and shove it, it gives you no obligation
<@MrWood> i suggest reading up on what I do here
<@MrWood> im not malicious, you got scanned because you're giving out false p2p packets
<@MrWood> and running a honeypot
<@MrWood> wtf you run a honeypot for?
<@MrWood> thats like waiting for a vic
<lamehat> It's not a honeypot, it is an intrusion detection system
<@MrWood> yours are the worst kind, certified, think they own sec
<lamehat> big difference
<@MrWood> ROFL no its not, tell me how
<@MrWood> snort is a honeypot pure and simple
<lamehat> IDS simply looks for patterns and reports them...honeypot
imitates an insecure system to entice/re-direct hack attempts
<@MrWood> and my pissant port scans have got you more worried than some Chinese scan cuz you can send abuse to my isp
<lamehat> how is logging and examining packets a honey pot?
<@MrWood> i sure the f*ck dont send out lame ass portscan as a abuse
<@MrWood> get off yer high horse and catch a real internet criminal
<lamehat> Your choice
<@MrWood> tell it to Full Disclosure.. you do subscribe?
<@MrWood> i got better things to do than discuss some ids port scan
<lamehat> actually I prefer bugtraq to full disclosure
<@MrWood> i bet
<@MrWood> i use both
<@MrWood> for all my reports
<@MrWood> try searching on Mourning Woode
<@MrWood> you should find about 7 or 8
<lamehat> Then you should be able to secure your system to prevent scans from it to any of my systems
<lamehat> BTW, you may want to pop out to dshield.org...your IP is listed there as being reported numerous times
<@MrWood> funny i was there last week
<@MrWood> it was clean then
<lamehat> on 5/9....multiple ports
<@MrWood> until i commit a real crime, im not real worried
<lamehat> Apparently my system isn't the first that has been scanned from your system
<@MrWood> run along back to your whitehat brethren, and tell them to leave me alone
<@MrWood> i guess i can go to dshield and report you
<@MrWood> very lame guy
<@MrWood> i mean really
------------ snip ---------------------
http://www.dshield.org/ipinfo.php?ip=12.229.234.100&Submit=Submit
------------ snip ---------------------
This is a near verbatim discussion I had this morning.
Yes, there's a few "reported" scans, nothing more than paranoid wannabe security pros and a small selection of ports, gimme a break.
Interesting: one day weird ports, looks like a p2p client trying to NAT, and I am now some "evil hacker" scanning like wildfire. A very sad day.
Well, there you have it, an egotistical "professional" reporting abuse for nothing. :(
I was trying different setups with various p2p clients, with a NAT router, on the day and time of his logs. Please, reports to abuse of this type are flat out unjustified.
Here he is sniffing the wire, arping p2p signals that will attract requests from p2p; p2p sees a "known" port for a certain client and tries to connect, I try various ports and techniques in my setup testing ( i dont p2p as a rule ). And now I'm abused? :((
my 2 bits
wood
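The dispute above turns on whether "68 attempts to different ports" is a port scan or a P2P client retrying a couple of well-known service ports. As an added example that is not part of the original post, here is a small triage script that parses an export in the layout of the pasted IDS log and separates the two patterns by comparing the number of distinct destination ports against the attempts per port. POSTED_LOG reproduces the excerpt from the post; SCAN_SAMPLE, the SERVICE_PORTS set (Gnutella's default 6346/6347 plus HTTP) and the thresholds are constructed assumptions for illustration, not any IDS's built-in rule.

```python
"""Triage an IDS "attempts" export like the one pasted in the post above and
decide whether the source looks like a port sweep or like a client retrying a
few service ports (what a Gnutella peer repeatedly connecting looks like).

Added example, not code from the original post. POSTED_LOG copies the record
layout of the excerpt; SCAN_SAMPLE and the thresholds are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Gnutella's default listening port (6346) and its alternate (6347), plus
# HTTP, the two services named in the posted log. Treated here as ordinary
# service ports rather than scan targets (assumption for this triage).
SERVICE_PORTS = {6346, 6347, 80}

# One record = five consecutive lines, in the order the posted export uses.
RECORD_RE = re.compile(
    r"Date & Time: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \([^)]*\)\s+"
    r"Time Zone: [^\n]*\s+"
    r"(?P<sig>\w+) \(port=(?P<port>\d+)\)\s+"
    r"Victim IP: (?P<victim>[\w.]+)\s+"
    r"Attempts: (?P<attempts>\d+)"
)

POSTED_LOG = """Hack attempts by this intruder:
Date & Time: 2003-06-04 01:28:20 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_Gnutella (port=6346)
Victim IP: 12.241.xxx.xxx
Attempts: 2
Date & Time: 2003-06-06 00:33:53 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_HTTP (port=80)
Victim IP: 12.241.xxx.xxx
Attempts: 32
"""


@dataclass
class Event:
    ts: str
    signature: str
    port: int
    victim: str
    attempts: int


def parse_events(text):
    """Parse every five-line record in the export into an Event."""
    return [
        Event(m["ts"], m["sig"], int(m["port"]), m["victim"], int(m["attempts"]))
        for m in RECORD_RE.finditer(text)
    ]


def make_record(ts, signature, port, victim, attempts):
    """Emit one record in the same layout; used to build the constructed sample."""
    return (f"Date & Time: {ts} (-5:00 GMT)\nTime Zone: Central Daylight Time\n"
            f"{signature} (port={port})\nVictim IP: {victim}\nAttempts: {attempts}\n")


# Constructed sweep: ten distinct ports, one attempt each, within a minute.
SCAN_SAMPLE = "".join(
    make_record(f"2003-06-06 00:40:{i:02d}", "TCP_Probe_Other", port, "12.241.xxx.xxx", 1)
    for i, port in enumerate([21, 22, 23, 25, 53, 110, 135, 139, 443, 445])
)


def triage(events, sweep_min_ports=8, sweep_max_per_port=2.0):
    """Classify one source's events.

    A sweep spreads few attempts over many distinct ports; a client retrying a
    peer piles many attempts onto one or two service ports. The thresholds
    are assumptions for this example, not an IDS's built-in rule.
    """
    if not events:
        return "no-events", {}
    per_port = Counter()
    for e in events:
        per_port[e.port] += e.attempts
    distinct = len(per_port)
    total = sum(per_port.values())
    summary = {
        "distinct_ports": distinct,
        "total_attempts": total,
        "attempts_per_port": total / distinct,
    }
    if distinct >= sweep_min_ports and summary["attempts_per_port"] <= sweep_max_per_port:
        return "port-sweep", summary
    if all(p in SERVICE_PORTS for p in per_port):
        return "service-retries", summary
    return "ambiguous", summary


if __name__ == "__main__":
    for label, text in (("posted log", POSTED_LOG), ("constructed sweep", SCAN_SAMPLE)):
        verdict, summary = triage(parse_events(text))
        print(f"{label}: {verdict} {summary}")
```

On the posted excerpt the script reports two distinct ports carrying 34 attempts between them, which is the retry signature rather than a sweep; the constructed sample, ten ports at one attempt each, lands in the sweep bucket. The point for an abuse desk is that "attempts" alone says nothing until it is split by destination port.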