Message-ID: <d43c8d1b05012906587f4e5358@mail.gmail.com>
From: michael4447 at gmail.com (Michael Rutledge)
Subject: Transamericana.org

Actually, I forgot about this discussion going on (message thread
"[Full-Disclosure] ICMP Covert channels question")

It seems cyberpixl is doing research creating a covert channel using
icmp packets. Since ping uses ICMP, maybe he is playing on your box.
:)

-Michael

On Fri, 28 Jan 2005 23:45:00 +0100, cyberpixl <cyberpixl@...il.com> wrote:
> I've been doing some research on creating covert channels using icmp
> packets and a bounce server and so far everything worked fine. I can
> contact my web server through a bounce server outside of my network
> (like www.google.com or whatever). In my current setup both client and
> target are located in the same network and communicate through the
> bounce server using icmp packets.
>
> Now, would it be possible to access a server behind a firewall, that
> normally isn't accessible, using this technique, if I'm outside of the
> target network?
>
> Assume there is a local machine (our target) with ip 192.168.0.2 that
> is connected to the internet using a router 192.168.0.1/88.88.88.88
> (that is not blocking icmp packets) and my machine is say,
> 33.33.33.33. If I then send an icmp packet to the 88.88.88.88 router
> with source ip set to 192.168.0.2, would it forward that packet to the
> host in its local network, or will it discard it? Is there any way to
> deliver my packet to that local machine?
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

On Sat, 29 Jan 2005 08:53:31 -0600, Michael Rutledge <michael4447@...il.com> wrote:
> This may be a stretch (a large stretch), but someone could have
> planted something on your Windows box that is using pings as a covert
> channel (given that person has also taken control of the webserver
> that hosts transamericana.org and can watch the connection logs). Do
> you have a capture of the pings for someone to do a frequency analysis
> on?
>
> Also, you may want to post a list of your currently running processes
> in hopes someone may spot something that looks wrong.
>
> -Michael
>
> On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
> <tat@...tmark.net> wrote:
> > Gregh wrote:
> > > ----- Original Message -----
> > > From: "Antonio Henrique Oliveira" <tat@...tmark.net>
> > > To: <full-disclosure@...ts.netsys.com>
> > > Sent: Saturday, January 29, 2005 9:46 PM
> > > Subject: [Full-Disclosure] Transamericana.org
> > >
> > >
> > >
> > >>Dear all,
> > >>
> > >>Please excuse me if this is a bit off-topic, but since this is the only
> > >>IT related mailing list I subscribe (apart from Secunia's) I decided to
> > >>post here.
> > >>
> > >>From sometime ago (I cannot determine exactly when this started to
> > >>happen), my workstation (WinXP SP2 PT, fully patched) has been sending
> > >>out ping requests to www.transamericana.org when I login to the machine
> > >>(right at the beginning of the login process, and only at that time).
> > >>
> > >
> > >
> > > Perchance is your DNS hosted there? Eg, your ISP's DNS servers?
> > >
> > > Greg.
> > No. The Linux box runs bind for the internal (and external) networks and
> > does direct queries to the root servers, not using our ISP's DNS. The
> > internal network is configured with DHCP and the DNS server for all
> > hosts is set to the linux box internal address. Also, my workstation
> > (and there are 5 more) is the only one doing this.
> >
> > Regards,
> > --
> > Anto'nio Henrique A. Proenca de Oliveira
> >
> > "Although we can never go back, like an old sweet song with a strong
> > refrain, memories remain" - (Someone)
> >
> > Please avoid sending me Word or PowerPoint attachments.
> > See http://www.fsf.org/philosophy/no-word-attachments.html
> > $Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $
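
One way to run the analysis of a ping capture that the quoted reply asks for, as an added example that is not part of the original messages: it validates ICMP echo requests, flags payloads that differ from the 32-byte pattern the stock Windows ping.exe sends, and measures byte-frequency entropy. Reading "frequency analysis" as byte frequency is an assumption, the function names are hypothetical, and the sample messages are constructed.

```python
import math
import struct
from collections import Counter

# Payload the stock Windows ping.exe places in every echo request (32 bytes).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an echo request; used only to construct the sample capture."""
    csum = icmp_checksum(struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload

def parse_echo(message: bytes):
    """Return (ident, seq, payload) for a valid echo request, else None."""
    if len(message) < 8:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", message[:8])
    if icmp_type != 8 or code != 0 or icmp_checksum(message) != 0:
        return None  # not an echo request, or checksum does not verify
    return ident, seq, message[8:]

def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the byte-frequency distribution."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values()) or 0.0

def analyze(messages):
    """Summarise echo requests: count, non-default payloads, pooled entropy."""
    parsed = [p for p in map(parse_echo, messages) if p]
    odd = [(seq, payload) for _, seq, payload in parsed if payload != WINDOWS_PING_PAYLOAD]
    pooled = b"".join(payload for _, _, payload in parsed)
    return {"echo_requests": len(parsed), "non_default": odd, "entropy_bits": byte_entropy(pooled)}

# Constructed sample capture: two stock pings, one odd payload, one corrupted message.
SAMPLE = [
    build_echo(0x0200, 1, WINDOWS_PING_PAYLOAD),
    build_echo(0x0200, 2, WINDOWS_PING_PAYLOAD),
    build_echo(0x0200, 3, b"constructed-nonstandard-payload!"),
    build_echo(0x0200, 4, WINDOWS_PING_PAYLOAD)[:-1] + b"X",  # checksum now invalid
]
```

Pings that carry only the default payload convey nothing in their data bytes, which leaves timing and packet counts as the remaining things to examine in a capture.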