lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <Law11-OE69TGpaoG1VR00036762@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: "the badhat saga" a sad but true tale...

For those interested, this is an excerpt of a conversation with a well-meaning but very misguided "professional".
Note: there is no flaming here, just some mild shock in my reactions and expressions.

*** lamehat (~me@...241.xxx.xxx) has joined #0sec
<@morning_wood> hi
<lamehat> Why would I be getting port scans originating from this server?
<@MrWood> you shouldnt
<@MrWood> i have scanning off
<lamehat> Care to see the logs?
<@MrWood> yea...
<lamehat> Where do you want me to send them?
------------- start snippy --------------------
Hack attempts by this intruder:
  Date & Time: 2003-06-04 01:28:20 (-5:00 GMT)
  Time Zone: Central Daylight Time
  TCP_Probe_Gnutella (port=6346)
  Victim IP: 12.241.xxx.xxx
  Attempts: 2

  Date & Time: 2003-06-06 00:33:53 (-5:00 GMT)
  Time Zone: Central Daylight Time
  TCP_Probe_HTTP (port=80)
  Victim IP: 12.241.xxx.xxx
  Attempts: 32
-------------- end snippy -----------

<@MrWood> thats from my gnutella client
<lamehat> 68 attempts to different ports
<@MrWood> thats a standard connect for gnutella based clients
<@MrWood> i dont get it
<@MrWood> yea y tf would i scan 68 times
<@MrWood> i used a new client last night called Nova
<lamehat> well abuse report has already been sent to ATT...the box it is hitting is a SNORT IDS box
<@MrWood> as in they make repeated attempts
<lamehat> I have never been here before or to your site
<@MrWood> excellent i suggest getting p2p off your wire then
<@MrWood> a abuse report?
<lamehat> there isn't any P2P on this box. It is an intrusion detection box
<@MrWood> are you nuts?
<@MrWood> then your being picked up
<@MrWood> on your wire
<@MrWood> as a open client
<@MrWood> if your ports are in receive ( server mode) its gunna connect
<lamehat> I'll let att sort it out
<@MrWood> ya geee thanks
<@MrWood> lame man
<lamehat> The box is locked down, there is nothing but listening going on here
<@MrWood> I NEVER SCANNED ANYONE 32 F*CKING TIMES IN MY LIFE
<@MrWood> its a fscing p2p connect
<@MrWood> wtf you  send abuse for?
<@MrWood> how long have you been in the security field?
<lamehat> 15 years CISSP certified
<@MrWood> 32 times is bullsh*t
<@MrWood> i got no reason to scan you more than once
<@MrWood> if i even did that
<@MrWood> port scanning is not against any law
<lamehat> True, but it is against ATT's acceptable use policy, as is running this server and your web server
<@MrWood> i just read the doj guidelines
<@MrWood> the hell it is
<@MrWood> they ( ATT ) knows not only i run a httpd
<@MrWood> but a router as well
<@MrWood> they also know im in the security arena
<@MrWood> its in their notes because i work close with them
<@MrWood> you really should confer before sending out lame abuse reports
<@MrWood> esp when your on p2p
<@MrWood> and what state am i in?
<lamehat> item xiv...toward the bottom of the page
<@MrWood> your in mesquite texas?
<lamehat> BTW, I am connected to you via port 6667 with an IRC client
<lamehat> yep
<@MrWood> yes obviously
<lamehat> Examples of prohibited programs and equipment include, but are not limited to, mail, ftp, http, file sharing, game, newsgroup, proxy, IRC servers, multi-user interactive forums and Wi-Fi devices;
<@MrWood> so
<lamehat> from att's acceptable use policy
<@MrWood> i told you
<@MrWood> its in their notes
<@MrWood> for the last year
<@MrWood> man you are the worst kind of security person
<@MrWood> take your white hat off for a few sometime
<@MrWood> sending abuse for a suspected scan
<@MrWood> lame bro
<lamehat> With my certification comes the obligation to assist in protecting the network from abuse..port scanning is an abuse
<@MrWood> uhh huu i see
<@MrWood> i cant tell you how to conduct your internet experience .... so
<@MrWood> in 3 years  you are the second person to send abuse
<@MrWood> obviously im not doing anything severe here now am i
<@MrWood> ?
<@MrWood> take yer cert and shove it, it gives you no obligation
<@MrWood> i suggest reading up on what I do here
<@MrWood> im not malicious, you got scanned because your giving out false p2p packets
<@MrWood>  and running a honeypot
<@MrWood> wtf you run a honeypot for?
<@MrWood> thats like waiting for a vic
<lamehat> It's not a honeypot, it is an intrusion detection system
<@MrWood> yours are the worst kind, certified, think they own sec
<lamehat> big difference
<@MrWood> ROFL  no its not, tell me how
<@MrWood> snort is a honeypot pure and simple
<lamehat> IDS simply looks for patterns and reports them...honeypot imitates an insecure system to entice/re-direct hack attempts
<@MrWood> and my pissant port scans have got you more worried than some Chinese scan cuz you can send abuse to my isp
<lamehat> how is logging and examining packets a honey pot?
<@MrWood> i sure the f*ck dont send out lame ass portscan as a abuse
<@MrWood> get off yer high horse and catch a real internet criminal
<lamehat> Your choice
<@MrWood> tell it to Full Disclosure..  you do subscribe?
<@MrWood> i got better things to do than discuss some ids port scan
<lamehat> actually I prefer bugtraq to full disclosure
<@MrWood> i bet
<@MrWood> i use both
<@MrWood> for all my reports
<@MrWood> try searching on Mourning Woode
<@MrWood> you should find about 7 or 8
<lamehat> Then you should be able to secure your system to prevent scans from it to any of my systems
<lamehat> BTW, you may want to pop out to dshield.org...your IP is listed there as being reported numerous times
<@MrWood> funny i was there last week
<@MrWood> it was clean then
<lamehat> on 5/9....multiple ports
<@MrWood> until i commit a real crime, im not real worried
<lamehat> Apparently my system isn't the first that has been scanned from your system
<@MrWood> run along back to your whitehat brethren, and tell them to leave me alone
<@MrWood> i guess i can go to dshield and report you
<@MrWood> very lame guy
<@MrWood> i mean really

------------ snip ---------------------
http://www.dshield.org/ipinfo.php?ip=12.229.234.100&Submit=Submit
------------ snip ---------------------

This is a near verbatim discussion I had this morning.

Yes, there are a few "reported" scans, nothing more than paranoid wannabe security pros and a small selection of ports, gimme a break.

Interesting: one day weird ports, looks like a p2p client trying to NAT, and I am now some "evil hacker" scanning like wildfire. A very sad day.

Well there you have it, an egotistical "professional" reporting abuse for nothing. :(

I was trying different setups with various p2p clients, with a NAT router, on the day and time of his logs. Please, reports to abuse of this type are flat out unjustified. Here he is sniffing the wire, arping p2p signals that will attract requests from p2p; p2p sees a "known" port for a certain client and tries to connect; I try various ports and techniques in my setups testing ( i dont p2p as a rule ). And now I'm abused? :((

my 2 bits

wood
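As an added example (mine, not part of the original post or of any IDS product): a small triage script that parses the "Hack attempts by this intruder" summary format quoted above and separates a many-port sweep from repeated connection attempts against one or two ports, which is the pattern a P2P peer produces when it keeps retrying a host that answered on a well-known port. The P2P port table, the thresholds, the `make_record` helper and the sweep sample are assumptions made up for the example; the post's own two log entries are embedded as constructed sample text, with the victim IP masked exactly as the post gives it.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two entries quoted in the post, in the same text
# format (the victim IP is masked with x's exactly as the post gives it).
SAMPLE_LOG = """Hack attempts by this intruder:
  Date & Time: 2003-06-04 01:28:20 (-5:00 GMT)
  Time Zone: Central Daylight Time
  TCP_Probe_Gnutella (port=6346)
  Victim IP: 12.241.xxx.xxx
  Attempts: 2

Date & Time: 2003-06-06 00:33:53 (-5:00 GMT)
  Time Zone: Central Daylight Time
  TCP_Probe_HTTP (port=80)
  Victim IP: 12.241.xxx.xxx
  Attempts: 32
"""

# Assumption: a small illustrative table of well-known P2P listening ports,
# not an exhaustive list. 6346 is the Gnutella port named in the post's log.
P2P_PORTS = {6346: "gnutella", 6347: "gnutella", 4662: "edonkey", 6881: "bittorrent"}

# One record in the summary format: timestamp, zone, signature(port), victim, count.
ENTRY_RE = re.compile(
    r"Date & Time: (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \((?P<off>[^)]*)\)\n"
    r"\s*Time Zone: (?P<zone>[^\n]+)\n"
    r"\s*(?P<sig>\w+) \(port=(?P<port>\d+)\)\n"
    r"\s*Victim IP: (?P<victim>[^\n]+)\n"
    r"\s*Attempts: (?P<attempts>\d+)"
)


@dataclass
class Entry:
    timestamp: str
    signature: str
    port: int
    victim: str
    attempts: int


def parse_entries(text):
    """Parse every 'Date & Time ... Attempts' record in the IDS summary text."""
    return [
        Entry(m["ts"], m["sig"], int(m["port"]), m["victim"].strip(), int(m["attempts"]))
        for m in ENTRY_RE.finditer(text)
    ]


def triage(entries, sweep_threshold=8):
    """Score one source host's records before anyone files an abuse report.

    Heuristic (an assumption of this example, not an IDS rule):
      - many distinct destination ports -> 'sweep': someone walked the port space;
      - one or two ports hit repeatedly -> 'repeated-connect': a client retrying
        a host it believes is listening, which is what a P2P peer does against
        a box that answers on a well-known port;
      - anything in between -> 'review' by a human.
    Returns (verdict, list_of_reasons).
    """
    if not entries:
        return "no-data", ["no records parsed"]
    ports = sorted({e.port for e in entries})
    total = sum(e.attempts for e in entries)
    reasons = []
    if len(ports) >= sweep_threshold:
        verdict = "sweep"
        reasons.append(f"{len(ports)} distinct ports touched with {total} attempts")
    elif len(ports) <= 2:
        verdict = "repeated-connect"
        reasons.append(f"{total} attempts concentrated on {len(ports)} port(s): {ports}")
    else:
        verdict = "review"
        reasons.append(f"{len(ports)} ports, {total} attempts; no clear pattern")
    for p in ports:
        if p in P2P_PORTS:
            reasons.append(f"port {p} is a well-known {P2P_PORTS[p]} port; "
                           "a peer that learned this address will keep retrying it")
    return verdict, reasons


def make_record(ts, port, attempts, victim="192.0.2.10"):
    """Build one record in the post's format (hypothetical helper for constructing samples)."""
    return (f"Date & Time: {ts} (-5:00 GMT)\n  Time Zone: Central Daylight Time\n"
            f"  TCP_Probe_Generic (port={port})\n  Victim IP: {victim}\n"
            f"  Attempts: {attempts}\n\n")


# Constructed contrast case: ten different ports, one attempt each, within a minute.
SWEEP_LOG = "".join(
    make_record(f"2003-06-06 00:40:{i:02d}", port, 1)
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 139, 443, 445])
)

if __name__ == "__main__":
    for name, log in (("post excerpt", SAMPLE_LOG), ("constructed sweep", SWEEP_LOG)):
        verdict, reasons = triage(parse_entries(log))
        print(f"{name}: {verdict}")
        for r in reasons:
            print("  -", r)
```

Run stand-alone it prints "repeated-connect" for the post's two entries (34 attempts spread over only ports 80 and 6346, with 6346 flagged as a Gnutella port) and "sweep" for the constructed ten-port sample; the thresholds are deliberately crude, the point being that distinct-port spread, not raw attempt count, is what distinguishes a scan from a retrying client.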
