Lachlan passed away in January 2010.  As a memorial, this site remains as he left it.
Therefore the information on this site may not be current or accurate and should not be relied upon.
For more information follow this link



Welcome to Lachlan Cranswick's Personal Homepage in Melbourne, Australia

Software, Computer Security, Intrusion Detections and Stuff - Links

Lachlan's Homepage is at http://lachlan.bluehaze.com.au


Stuff

Books to try out as well


To: Exploit-Dev
Subject: Re: ssh-1.2.27 remote buffer overflow - exploitable
Date: Mon Nov 08 1999 21:24:17
Author: Daniel Jacobowitz
Message-ID: [19991109112417.A30046@drow.res.cmu.edu]


On Tue, Nov 09, 1999 at 01:48:53AM -0000, Frank wrote:
> This is submitted to the Freebsd bug tracking system, although there
> are doubtless other vendors who leave this package, despite the
> existence of the ssh-2.X.  While Debian appears to be immune, I was
> able to crash my ssh daemon (much to my dismay), and there appears
> the potential to execute arbitrary code, as long as you encrypt it
> first...
>
> Here is the freebsd report.. it describes the method to crash a
> remote Ssh daemon (let's hope you ran sshd from your xinetd, etc).
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=14749
>

And here's a patch.  Not tested, as I don't use the rsaref glue on any
machine here.

Dan

/--------------------------------\  /--------------------------------\
|       Daniel Jacobowitz        |__|        SCS Class of 2002       |
|   Debian GNU/Linux Developer    __    Carnegie Mellon University   |
|         dan@debian.org         |  |       dmj+@andrew.cmu.edu      |
\--------------------------------/  \--------------------------------/

--- rsaglue.c.orig      Tue Nov  9 11:12:32 1999
+++ rsaglue.c   Tue Nov  9 11:17:58 1999
@@ -139,6 +139,10 @@

   input_bits = mpz_sizeinbase(input, 2);
   input_len = (input_bits + 7) / 8;
+  if(input_bits > MAX_RSA_MODULUS_BITS)
+    fatal("Attempted to encrypt a block too large (%d bits, %d max) (malicious?).",
+       input_bits, MAX_RSA_MODULUS_BITS);
+
   gmp_to_rsaref(input_data, input_len, input);

   rsaref_public_key(&public_key, key);
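Review bot: input_bits comes from mpz_sizeinbase(), which returns size_t, yet the fatal() format prints it with %d (and MAX_RSA_MODULUS_BITS alongside it); cast to int or use %lu so the message is correct on 64-bit hosts. The check is placed correctly: input_len is derived from input_bits, so bounding the bits before gmp_to_rsaref() copies into input_data also bounds the bytes copied, provided input_data is sized for MAX_RSA_MODULUS_BITS; a one-line comment stating that relationship would make the invariant explicit for the next reader.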
@@ -172,6 +176,10 @@

   input_bits = mpz_sizeinbase(input, 2);
   input_len = (input_bits + 7) / 8;
+  if(input_bits > MAX_RSA_MODULUS_BITS)
+    fatal("Received session key too long (%d bits, %d max) (malicious?).",
+       input_bits, MAX_RSA_MODULUS_BITS);
+
   gmp_to_rsaref(input_data, input_len, input);

   rsaref_private_key(&private_key, key);
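Review bot: this is the remotely reachable path (the session key is sent by the peer), so this hunk is the one that addresses the FreeBSD report, and rejecting before gmp_to_rsaref() copies into input_data is the right place. Two points: fatal() terminates on peer-supplied input, which is acceptable when sshd forks per connection but worth a comment; and the same %d-for-size_t mismatch as in the first hunk applies to input_bits here. Consider also comparing input_bits against the bit length of the server's own modulus rather than only the global maximum, since a session key longer than the modulus cannot be a valid RSA ciphertext for that key.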





    5.6. Can I use ssh to protect services like FTP or POP?

    If you want to avoid sending FTP passwords in cleartext over the net, you can use ssh to encrypt your command channel. This will still leave your data channel open to all attacks on TCP, and will not work through a firewall.

    You can either use ftpsshd by Per-Erik Martin at http://www.docs.uu.se/~pem/hacks/ for SSH1, or you can do this by hand.

    SSH1: Suppose you are on a host called myhost and want to initiate an ftp connection to ftphost. On myhost, you do

    myhost$ ssh -L 1234:ftphost.example.com:21 ssh-server

    This logs you on to the ssh server (typically ftphost itself) and also forwards connections to port 1234 on myhost, through that ssh session, to port 21 on ftphost.

    Note: You need to use -g if you're forwarding to localhost (SSH1 only).

    Then, in another window, you do

    myhost$ ftp localhost 1234
    220 ftphost FTP server (Foonix 08/15) ready.
    Name: (myhost:yourname):
    331 Password required for yourname
    Password:
    230 User yourname logged in.

    This works if the remote ftp daemon accepts PORT commands which specify a different host from the one the command channel appears to come from, and if the ftp client always uses PORT. This is true for the vanilla UNIX ftp client and ftpd servers; it may not work for more advanced ftpds, such as wu-ftpd.

    For servers which do not accept this, check whether your ftp client supports passive mode and whether the ftp server accepts PASV.

    Note, however, that unencrypted ftp data connections are still vulnerable to session hijacking and snooping.
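The PORT/PASV behaviour described above, modelled as an added example (not part of the FAQ): a strict server compares the host named in PORT against the control-connection peer, which is what breaks active-mode FTP through the tunnel, while a PASV reply sends the client straight to ftphost outside the tunnel. Host addresses are constructed; the `strict` flag stands in for the behaviour the FAQ attributes to daemons such as wu-ftpd.

```python
"""Why an FTP command channel tunnelled with ssh -L works with some ftpds and
not others.  Added example, not part of the original FAQ; addresses constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}(?:,\d{1,3}){5})\)")


def decode_hostport(six: str) -> tuple[str, int]:
    """Decode the h1,h2,h3,h4,p1,p2 form used by PORT and PASV (RFC 959)."""
    parts = [int(x) for x in six.split(",")]
    if len(parts) != 6 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("malformed host/port tuple: %r" % six)
    host = ".".join(str(p) for p in parts[:4])
    port = parts[4] * 256 + parts[5]
    return host, port


def encode_hostport(host: str, port: int) -> str:
    """Inverse of decode_hostport, as an ftp client builds its PORT argument."""
    return ",".join(host.split(".") + [str(port // 256), str(port % 256)])


@dataclass
class PortDecision:
    data_host: str
    data_port: int
    accepted: bool
    reason: str


def server_checks_port(cmd: str, control_peer: str, strict: bool) -> PortDecision:
    """Model an ftpd receiving PORT.  A vanilla ftpd connects wherever PORT says;
    a strict one refuses a data host that differs from the control connection's
    peer (the classic FTP-bounce defence), which is exactly what a tunnelled
    command channel looks like from the server's side."""
    m = PORT_RE.match(cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    host, port = decode_hostport(m.group(1))
    if strict and host != control_peer:
        return PortDecision(host, port, False,
                            "425 data host %s differs from control peer %s" % (host, control_peer))
    return PortDecision(host, port, True, "200 PORT command successful")


def client_pasv_target(reply: str) -> tuple[str, int]:
    """With PASV the client opens the data connection itself, to the address
    the server returns: a direct, unencrypted path to ftphost, not the tunnel."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply: %r" % reply)
    return decode_hostport(m.group(1))


if __name__ == "__main__":
    # Constructed scenario: myhost runs "ssh -L 1234:ftphost:21 ssh-server".
    MYHOST, SSH_SERVER = "192.0.2.10", "198.51.100.5"
    # The ftp client on myhost builds PORT from its own address...
    port_cmd = "PORT " + encode_hostport(MYHOST, 20000)
    # ...but ftphost sees the command channel arriving from ssh-server.
    for strict in (False, True):
        d = server_checks_port(port_cmd, control_peer=SSH_SERVER, strict=strict)
        print("strict=%-5s -> %s" % (strict, d.reason))
    host, port = client_pasv_target("227 Entering Passive Mode (203,0,113,7,195,80)")
    print("PASV: client connects directly to %s:%d, outside the tunnel" % (host, port))
```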

    SSH2: Just use sftp instead. :-)

    For POP, Stephane Bortzmeyer (bortzmeyer@pasteur.fr) has written a script which protects the mail transfer and passwords using ssh. It requires no modification to existing POP servers or clients, and is available from ftp://ftp.internatif.org/pub/unix/gwpop/ .

    Or, you can use similar means for secure POP:

    myhost$ ssh -L 1234:popserver.example.com:110 ssh-server

    Other services could be secured by similar means.

    5.7. Can I use ssh across a Socks firewall?

    Socks 4 and 5 support should work in 1.2.16 or later. Socks support in version 2.0.11 and later should work.


  • Newsgroups: comp.security.unix
    Subject: Re: secure pop from sniffing
    From: [bglbv@my-deja.com]
    X-Newsreader: Gnus v5.7/Emacs 20.6
    Date: 06 Jun 2000 20:29:54 +0100
    
    
    "Bernd Dürrer" [duerrer@ika.ruhr-uni-bochum.de] writes:
    
    > "kukulkan" [isman@fsksm.utm.my] schrieb im Newsbeitrag
    > news:393C65B2.5A676C14@fsksm.utm.my...
    > > any software/methods to secure pop(esp. Eudora users) from being sniff?I
    > > have ssh  here to protect remote login and file transfer, but still it
    > > has no meaning If I cannot have the pop to be secure ..
    
    > You want to use the port forwarding capabilities of SSH: Have a look at
    > http://www.employees.org/~satch/ssh/faq/ssh-faq-5.html#ss5.6
    > 
    > If this doesn't help you, please post what SSH implementation on what OS
    > your pop users are using.
    
    I don't think Eudora supports the SSH protocol at all.
    What it might support is:
    
    (a) APOP (Authenticated POP), which involves transmitting a (non-replayable)
    hash of the POP password and of a challenge sent by the POP server.
    The POP password is distinct from the password used for interactive logins.
    
    (b) POP over an SSL tunnel (to port 995 rather than 110).
    
    If I remember correctly, Eudora can do (a) but not (b), while Netscape
    Messenger can do (b) [but not (a)?]. It's probably wise to support both.
    And to make the POP passwords different from the login passwords in
    any case.
    
    Also make sure your POP server has no known security holes. (Some
    versions of Qpopper are to be avoided, for example.)


    From: eitz@weh.rwth-aachen.de (Holger Eitzenberger)
    Newsgroups: comp.security.unix
    Subject: Re: secure pop from sniffing
    Date: 7 Jun 2000 09:22:00 GMT
    Organization: RWTH Aachen
    Lines: 16
    
    On Tue, 06 Jun 2000 10:45:06 +0800, isman@fsksm.utm.my (kukulkan) wrote:
    
    >any software/methods to secure pop(esp. Eudora users) from being sniff?I
    >have ssh  here to protect remote login and file transfer, but still it
    >has no meaning If I cannot have the pop to be secure ..
    
    You may want to use APOP (authenticated POP3), which i use also.  Both
    QPopper (on server side) and fetchmail (on client side) support it.
    APOP uses an encrypted one-time key to get mail.
    
    Holger
    
    
    -- 
    + GnuPG Public Key -> finger eitz@jonathan.weh.rwth-aachen.de +

    Using APOP at NCSA - What is APOP?

    • "APOP is a challenge-response authentication scheme built on top of the standard POP protocol. It's designed in a way that protects your password from ever being sent across the network.

      To keep your password safe, the server actually stores your password in a file on local disk. Whenever your mail client connects to the APOP server a magic string is sent back. That string contains a unique identifier for this session based upon the process id (PID) and current time. Here's a sample string (the special part is enclosed within angle brackets):

      +OK QPOP (version 2.53) at mx1.ncsa.uiuc.edu starting. <14156.916910505@mx1.ncsa.uiuc.edu>

      Your email program uses the text within those angle brackets to perform a mathematical calculation upon your password. The server also performs the same calculation on the password that it has stored locally. When your email program is finished with its calculations it sends a 128-bit "fingerprint" to the APOP server, which then compares that value with the one that was calculated locally. If both fingerprints match, then it knows that the same password was used to perform the calculation in both places.

      Since the string that the server sends is based on the current time and PID it's impossible for anyone to reuse it; each connection to the server results in a new challenge/response and calculation. "

    • At http://www.ncsa.uiuc.edu/General/CC/email/apop.html#whatis
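The challenge-response described in the two posts above and in the NCSA text, as an added example (not code from either source): APOP per RFC 1939 returns MD5 over the `<timestamp>` banner concatenated with the shared secret, and the server, which must hold the cleartext secret, recomputes it. The mailbox secret and the random-suffix banner are constructed; the QPOP greeting is the one quoted above and the known-answer vector is RFC 1939's own.

```python
"""APOP challenge-response (RFC 1939).  Added example, not from the quoted
posts or the NCSA page; mailbox secret and second banner are constructed."""
from __future__ import annotations
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional

# RFC 1939: the challenge is the <...> token from the greeting, angle brackets
# included, and must be unique for every connection.
BANNER_RE = re.compile(r"(<[^<>]+>)")


def extract_timestamp(greeting: str) -> str:
    """Pull the challenge out of a +OK greeting such as the QPOP one above."""
    if not greeting.startswith("+OK"):
        raise ValueError("not a +OK greeting")
    m = BANNER_RE.search(greeting)
    if not m:
        raise ValueError("server does not offer APOP (no <timestamp> in greeting)")
    return m.group(1)


def apop_digest(timestamp: str, secret: str) -> str:
    """Client side: the 128-bit 'fingerprint', as 32 lowercase hex digits."""
    return hashlib.md5((timestamp + secret).encode("utf-8")).hexdigest()


def make_timestamp(host: str, pid: int, now: Optional[int] = None) -> str:
    """Server side: PID.time@host as in <14156.916910505@mx1.ncsa.uiuc.edu>.
    PID and clock alone are predictable, so random bits are appended (constructed
    variation on the QPOP format)."""
    now = int(time.time()) if now is None else now
    return "<%d.%d.%s@%s>" % (pid, now, secrets.token_hex(8), host)


class ApopServer:
    """Verifies APOP responses.  The server needs the cleartext secret, which is
    why the posts recommend a POP secret distinct from the login password."""

    def __init__(self, secrets_db: dict):
        self._secrets = secrets_db          # user -> cleartext POP secret

    def verify(self, timestamp: str, user: str, digest: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None or not re.fullmatch(r"[0-9a-f]{32}", digest):
            return False
        # Constant-time compare so a wrong digest leaks nothing by timing.
        return hmac.compare_digest(apop_digest(timestamp, secret), digest)


def exchange(server: ApopServer, greeting: str, user: str, secret: str) -> bool:
    """One APOP login: greeting -> client digest -> server verdict."""
    ts = extract_timestamp(greeting)
    return server.verify(ts, user, apop_digest(ts, secret))


if __name__ == "__main__":
    # RFC 1939's own worked example, a handy known-answer test.
    print(apop_digest("<1896.697170952@dbc.mtview.ca.us>", "tanstaaf"))
    # -> c4c9334bac560ecc979e58001b3e22fb
    srv = ApopServer({"yourname": "constructed-pop-secret"})   # constructed
    g1 = "+OK QPOP (version 2.53) at mx1.ncsa.uiuc.edu starting. <14156.916910505@mx1.ncsa.uiuc.edu>"
    print("login:", exchange(srv, g1, "yourname", "constructed-pop-secret"))
    # Replay: a digest captured from the g1 session fails against a fresh banner.
    old = apop_digest(extract_timestamp(g1), "constructed-pop-secret")
    g2 = "+OK ready " + make_timestamp("mx1.ncsa.uiuc.edu", 14156)
    print("replayed digest accepted:", srv.verify(extract_timestamp(g2), "yourname", old))
```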





  • Restricting a user to a home directory



  • BT bills go open source

  • Mobiles more dangerous than wild elephants

  • Microwindows and NanoGUI Projects

  • ACM (Association for Computing Machinery) - founded in 1947

  • SIGOPS is the ACM Special Interest Group on Operating Systems

  • Wine Development HQ

  • Plex86

  • The FreeDOS Project (A free version of DOS)

  • Net_Stat for Windows 95 - Graphic Netstat with logging and update - shareware

  • NetScanTools for Windows 95 - Graphic Netstat with logging and update - shareware

  • Syslog Daemon for Windows - freeware

  • syslog-ng for UNIX

  • Any Speed - shareware

  • The Eternity Service - Distributed Storage of Provocative Material

  • C Benson - Welcome to my Internet Security Page

  • SGI/IRIX Security Frequently Asked Questions (FAQ)

  • SGI/IRIX FAQ Frequently Asked Questions (FAQ)

  • Guide for making an IndyCam 'picture' in a WWW page (by Christopher Spry)

  • Guide for configuring an SGI Indy with IRIX 6.5 (by Christopher Spry)

  • A script that sets the shutter speed on an Indycam (by A. Kooijman a.kooijman@io.tudelft.nl)

  • Scanlogd (a port scan detection tool)

  • Sam Spade

  • Win32s, WinG for Windows 3.1

  • Network Calculators

  • L2TP

  • NADS

  • Cheops

  • CheopsNG

  • npadmin

  • Lubbock

  • Tom's Root Boot

  • Linuxcare Bootable Business Card

  • Scanlogd for linux - Port Scan detection and "John the Ripper" password breaker

  • Basic information on passwords and how they are compromised

  • Funny Photos - Anti Microsoft - humour / humor

  • Abacus Sentry for UNIX

  • Know Your Enemy:III, by Lance Spitzner

  • Analysis of the T0rn rootkit

  • chkrootkit - locally checks for signs of a rootkit on a UNIX system

  • Wietse Venema's TCP Wrapper (tcpwrapper) and other tools, COPs, Tiger, etc

  • Wietse Venema's RPC Bind - rpcbind/portmapper

  • Restricting Root Access to a Linux box to console login
  • Restricting Access to rpcbind in IRIX 6.5.x
  • ipfw and ipfilter firewall software as relating to FreeBSD
  • Restricting Access to NFS/Mountd/Portmapper in IRIX 6.5.x

  • IP NETWORK INDEX

  • Getting an SGI O2 running 100 Mb/s full duplex / Setting ethernet speed.
  • Use nvram to see the settings; the nvram command can also set a PROM setting from a normal shell if the variable is held in non-volatile RAM.
  • The help page refers to the file /var/sysgen/master.d/if_ecf, where the line int ecf_spdpx= sets the speed.
  • SGI O2 can support 10Mbps, full duplex
  • autoconfig to rebuild the kernel
  • init 6 to reboot from a root-shell.
  • To see what speed and mode the SGI O2 Network card is in:
    ifconfig ec0 debug
    Unplug/replug network cable, and check console and SYSLOG. 
    ifconfig ec0 -debug
    
    Alexis Cousein                  al@brussels.sgi.com     
    Systems Engineer                SGI Belgium

  • Adding a domain name on an SGI IRIX machine.

  • Finding out swap settings on an SGI O2, reserved, etc.

  • Finding out what bus and ID a device is on with an SGI

  • Klaxon for UNIX

  • Tcplogd

  • Syslog for Win 95

  • Downloading LPD software for Win 95

  • Mocha W32 LPD version 1.3 for Win95 and Win98

  • Remote Print Manager LPD for Win95

  • LPD32 for Win95

  • Networking Servers for Windows 95

  • Rootkit

  • Pedestal Software

  • Detect-Scans

  • Synlog

  • iplog for Linux

  • Logit for UNIX

  • ippl for UNIX

  • Dictionary lists for Password Cracking

  • Guide for setting up Samba v 2.0.* on an Indy running IRIX 6.5.*

  • This document outlines steps to compile a recent version of Sendmail for IRIX 6.2 without resorting to SGI's native cc compiler.

  • SGI IRIX and Internet Applications including Proftpd, Secure Shell and Apache 1.3.x Web Server - getting lots of 255.255.255.255 in the server logs and related program failures due to not logging the correct IP address

  • SRP (The Stanford SRP Authentication Project)

  • Unix tools for NT, this includes a NIS password synchronization tool

  • Moneky - a commercial enhanced OPIE - OneTime Password in Everything

  • OPIE Information - OneTime Password in Everything

  • Audio CD Database - creating custom CD-ROMs

  • Articles/resources about Software Patents / Windows NT Patents

  • DOE Web-enables scientific research (Searching of scientific journals)

  • Watcher Intrusion Detector - detecting various type of Intrusion

  • Windows NT crashed.
    I am the Blue Screen of Death
    No one hears your screams.

  • Tips for recovering from the 'Blue Screen of Death'.

  • What information is shown in the Blue Screen of Death (BSOD)?

  • Blue Screen of Death n.

  • C2 Net Software Inc

  • Matt's UNIX Security Page

  • Commands to Mount ISO9660 based CD-ROMs in UNIX and have HTML browsable/upper case characters.

  • Steven Wozniak Website

  • Obtaining Device Drivers

  • Windrivers.com

  • the-ctrl-alt-del.com (Why did you crash today?)

  • Accumulated DEC Material - VAXstation, Q-bus, DCL, Software

  • Tektronix Postscript Colour Printer Drivers for Win95

  • List of Sources for Software Drivers

  • Microsoft, the NSA, and You

  • CDROM God/CD-ROM God - Device Drivers for CD-ROM

  • Geek Pride

  • Superman's Burning 101 (CD-ROMs FAQ)

  • Bin-X - convert Bin files into ISO

  • Explaining ISO9660 CD-ROM Format

  • [comp.publish.cdrom] CD-Recordable FAQ, Part 2/4 - [3-5-1] ISO-9660/ISO9660

  • [comp.publish.cdrom] [3-35] How do I make my CD-ROM work on the Mac, WinNT, and UNIX?

  • Another short Explanation of ISO-9660

  • Defcon4

  • Private IP Address Spaces

  • Linux Distributions

  • Red Hat Linux

  • Security-Enhanced Linux - from the National Security Agency, US Government

  • NSA secures Win-2K / Win2000 - from the National Security Agency, US Government

  • IPO = Initial Public Offering (for a company)

  • Introduction to Linux training manual - including installing Redhat Linux

  • Erik's Linux links and questions/answers - backspace not working in X, etc. compiling the linux kernel, etc

  • Linux stuff: questions/answers - config on X

  • autoRPM - keeping an installation of Linux (such as Redhat Linux up to date)

  • reading linux ext2fs partitions with DOS/Windows

  • Winux

  • RawWrite 0.3 for windows (NT & 95)

  • Using Samba and automount to support removable media

  • Network Disk-copy for Linux using faucet and hose

  • Booting Linux from the NT boot loader

  • Linux Filesystems HOWTO (not just Linux)

  • Linux configuration and compiling up a kernel HOWTO

  • 2003 And Beyond

  • Debian Linux

  • Getting security patches/updates for Debian Linux using "apt"

  • APT User's Guide (package manager/install manager used in Debian Linux)

  • apt

  • dpkg-multicd (package manager/install manager used in Linux - Debian)

  • @dopt/Adopt an MP - anti UK Electronic Commerce Bill site with demo

  • Xrpm - a graphical interface to RedHat's rpm software.

  • An overview of Linux installation and configuration tools

  • Linuxconf Project Web site

  • Linux Documentation Project: Linux Links

  • Linux Documentation Project: System Administration

  • Josh's Linux Guide -- Using RPM

  • Josh's Linux Guide -- Installing Software Packages

  • Forcing Linux on a crap Presario laptop - Linux and Winmodem, Linux and ADSL

  • Face recognition technology a proven farce

  • Salford Software (make Fortran and C compilers)

  • Fortran Market

  • ftnchek - GPL static Fortran 77 analyzer

  • fortran program not running when increasing Array size
  • MiniVend free GPL ecommerce shopping cart system

  • Commercial eCommerce software

  • TheStoreMaker.com - travel - Ecommerce creation site

  • www.rpm.org RPM (Redhat Package Manager homesite)

  • Using RPM

  • Welcome to the RPM repository on rpmfind.net

  • Freshrpms is on the RedHat contrib

  • Linux Enterprise Computing

  • DosLinux

  • Converting from HTML

  • DEMORONISER (Correct Moronic Microsoft HTML)

  • Redirex (Redirect HTTP Requests to New Web Server)

  • WatchFull (Unix Tools for Monitoring File System Capacity and Averting Crises )

  • base64: encode and decode base64 files

  • BLITZ: Blast Listserver Idiot Turkey Zombies

  • flashback: Instant Directory Backup for Unix

  • TeX to GIF converter for Web documents

  • logtail -- Monitor multiple log files on multiple machines

  • The Ten Commandments for C Programmers (Annotated Edition) by Henry Spencer

  • HTML to text converter Version 1.01 (perl script) (very good and solid!! - Lachlan)

  • Markup Remover v1.1 (for Windows)

  • DOS ASCII/UNIX ASCII and MAC ASCII Nuances

  • HTML to ASCII Converters (links to Windows programs)

  • html2txt - HTML to text converter (Linux binaries and Pascal source?)

  • HTML Markdown (for Mac)

  • Web2Text by Damien Burke (for Windows)

  • Free HTML to ASCII converter Information

  • HTMLCHEK: Free HTML to ASCII converter Information

  • HTML Parser

  • HTMLess (The fastest HTML to TXT converter on the Web)

  • html2ascii/htmltoascii html to ascii converter (PS/DOS/Windows)

  • HTML converters

  • txt2HTML Converter

  • Linux Virtual Server Project

  • "more evil than satan himself": More Evil Than Dr. Evil?: search on Google.com

  • "What ......... is greater than God, more evil than Satan, poor people have it, rich people need it, if you eat it you will die"

  • about:mozilla

  • Misc software packages

  • Linuxinfo

  • STAMOS for Linux

  • Real-time Linux

  • Hackers Defense Foundation

  • Hacker Crackdown - Law and Disorder on the Electronic Frontier by Bruce Sterling

  • How To Use HTML Meta Tags

  • DSL Reports - Review your ISP

  • iPrint.com - Business Printing, Stamps, logos, etc via the web

  • Bungling and out sourcing/out-sourcing Government IT in Australia

  • Meta Tag Lawsuits

  • qmail - sendmail alternative

  • A D. J. Bernstein Homepage

  • The Academic Directory: Search The UK Academic Internet

  • Index Data

  • The qmail Security Challenge

  • Anti-spam patch filter to qmail

  • SPAM Blocking at Deep Eddy

  • Protecting Your Webserver From Spam Harvesters

  • Spambot Beware

  • The Web Robots Database

  • MS-Windows Tricks categories

  • Micro Charging / Micro Chargine / Micro Payment / Micropaymet companies

  • Part II. - CRASHING (not about computers it turns out - but the journey of Dogstar)

  • Windows NT users see 'screen of death' (March 4, 1998 article)

  • The Apple Mac Collection

  • New! Windoze 98 Flamed Here!

  • Open mail relay test
  • ftpcheck/relaycheck
  • Postfix - sendmail alternative
  • ELM Email and tutorials

  • Pine Email - latest is no longer free software

  • ISP Review - UK Internet Service Provider Info

  • The Mutt E-Mail Client

  • Sigaba Software Seeks to Ease Paranoia About E-Mail

  • Sigaba (alternative to PGP)

  • SecureDelivery.com (alternative to PGP)

  • tkPGP

  • GnuPGP

  • GnuPGP (secure shell ssh replacement)

  • The SLRN Newsreader

  • Fetchmail

  • Arena web browser for UNIX/SGI

  • List of web based Email clients.

  • List of Netscape mirror sites and Netscape FTP Download

  • iCab for MacOS- Internet Web Browser (Recommended)

  • Power Browser web browser (Highly Recommended - 5 cows Award at Tucows)

  • List of web browsers for Windows via Tucows

  • Putting GUIs/menus on old legacy code/fortran code for MS-Windows

  • IMP Webmail Client

  • Eudora Email

  • Eudora e-mail hole discovered

  • IMAP Mail Server Protocol

  • Secure IMAP Mail and POP Servers - SSL wrap your popd daemons

  • Willow -- the Washington Information Looker-upper Layered Over Windows

  • MKS - UNIX Tools for Windows

  • WGET - FTP and HTTP Mirroring

  • PAVUK - FTP and HTTP Mirroring

  • LFTP

  • Mirror - Perl based FTP mirroring

  • MirrorDir

  • Running FTP via Secure Shell ssh

  • scp (secure copy) for Windows

  • List Javascript based menu/navigation systems

  • Free Javascripts

  • Javascript based menu/navigation - Tutorial on Relational Menus (by Nick Heinle)

  • Webcoder.com - the scriptorium

  • Javascript based menu/navigation systems

  • Javascript Mailing List

  • Plexel

  • JavaScript Coolness Centre

  • Javascript based menu/navigation systems

  • Javascript based menu/navigation systems - Pulldown Menu (Double)

  • Portable menu/navigation - stays with the Window

  • PowBall DeluXe - Pong/Arkanoid like game

  • GameLan - huge number of java and javascript applets.

  • Stoned - A Curling Simulation - the 3D curling simulation that fits into 32K!

  • Grand Theft Auto Released For Free

  • BATTLEFIELD 1942 POSTERS

  • Unison file synchronizer GPL'd (can use the rsync protocol)

  • On-line web language translator (Spanish to English, etc)

  • Xdelta

  • VMS Clusters’ Trial By Fire - multi-site clustering and real time offsite backups.

  • Scansoft Omnipage pro

  • UMAX Scanners - updated software drivers:

  • cfengine

  • pikt

  • REBOL

  • rdist - rival to rsync - high efficiency mirroring

  • Backing up via Secure Shell

  • BRU Backup Software

  • Haskell Programming Language (far better than c)

  • Rexx Language Association (RexxLA)

  • C Tutorials

  • The Association of C & C++ Users

  • Some recommended books

  • LISP/Scheme

  • The UIUC Smalltalk Archive

  • The Icon Programming Language

  • Sather - object oriented programming language

  • Eiffel Programming Language

  • DVD to VCV Conversion software

  • Canon Livescope viewer software Webcams

  • Webcams that work on FreeBSD

  • Decompiling Windows programs into MASM compatible files (MASM = Microsoft Assembler)

  • Reverse Engineering Technology (Decompilers and File Formats)

  • CookieCrK =- Tools Debuggers Disassemblers Decompilers

  • DEBUG VIEW 4.02 / COOL DEBUGGER 2.0 / BORG 2.21- DISASSEMBLERS/DEBUGGERS/DECOMPILERS

  • Programmer's Tools

  • Sudden Discharge - programmer tools, decompilers, etc

  • EXETools

  • CODA - advanced file system with server replication - possible rival to rsync

  • Netload - Shareware

  • Perl Services Upload Helper

  • Re: HOW to UPLOAD files to http server?

  • Linux backup options

  • Free Linux backup options

  • KBackup - KBackup is a backup program for UNIX machines.

  • Midnight Backup

  • Make CD-ROM Recovery

  • Mindi Linux

  • Mondo Backup / Mondo Rescue for Linux and Windows


    From: phr@netcom.com (Paul Rubin)
    Newsgroups: comp.infosystems.www.servers.unix,comp.infosystems.www.servers.misc
    Subject: Re: PROXY-ABUSE PROXY ABUSE (Apache/Linux) - HELP and INFO wanted
    Date: 10 Jun 2000 20:06:05 GMT
    Organization: NETCOM / MindSpring Enterprises, Inc.
    Lines: 53
    X-Newsreader: trn 4.0-test72-NUGLOPS (19 April 1999)
    
    
    In article <39429960.5C67DCBD@uc.net>, Marc Moeller  <mm@uc.net> wrote:
    >hi,
    >
    >> > I started rejecting IP-addresses, but my real question is:
    >> > WHERE/WHY DO THESE REQUEST COME FROM ?
    >> > any clues/help appreciated.
    >> 
    >> Turn off your proxy for outside addresses. Someone is using your machine
    >> to relay click-thru's and is probably being paid for each hit.
    >
    >I refuse all proxy-access to any IP, but WHY does this happen ?
    >From where do 'they' get my IP-addresses ? Or does this happen to all 
    >(many) other webservers, too ?
    >Beside the traffic (which doesn't have any affect on my machine(s),
    >there
    >is also CPU-waste in sending 403-replies. 
    >:-(
    >
    >do YOU know about such abuse - the requests are more than every minute!
    
    I've never heard of that exact scam being done before, but it's similar
    to the usual spammer trick of finding open SMTP relays and hijacking them.
    
    What's happened is somebody has sold banner ads on his web site.  He
    has a web page containing, say, porno pictures, along with a banner
    ad at the top.  The banner company gives the site operator a piece of
    HTML to put at the top of his page, which typically looks like this:
    
        <img src=http://ad.bannercompany.com/banner.gif?id=12345>
    
    The banner ad is supposed to get served by bannercompany.com's server
    and they use the ID number to know which site the banner appeared in.
    They pay the site operator a certain amount for every hit.
    
    If the HTML instead looks like
    
       <img src=http://yourproxy.youraddress.at/http://ad.bannercompany... >
    
    guess what?  You're now paying for the bandwidth to serve the banner
    to the final viewer, instead of the ad company paying for it.  If the
    ad company is there in .at with you, and most of the users are in North
    America and it's more expensive to send IP traffic across the ocean than
    within Austria, the banner operator is ripping you off for a lot of money.
    
    You might log the incoming referer headers to see what site is
    including those ads.  If you want to creatively get back at them a
    little, instead of sending 403 responses, you could set up your server
    to send good 200 responses, but send your own version of the banner ad
    for the customer to see instead of the ad company's, heh heh heh.
    It's probably not worth your time though.
    
    http://cache.jp.apan.net/proxy-checker has a proxy security checker
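Detecting the abuse described in this post from the server's own logs, as an added example (not from the post or from Apache): parse combined-format access log lines, flag proxy-style request lines (an absolute URL for someone else's host, or the `/http://...` path form quoted above), and group them by Referer host and served status. The log lines, client addresses and hostnames are constructed.

```python
"""Spot open-proxy abuse of the kind described in the post: request lines that
carry another host's absolute URL, from many clients, sharing a Referer.
Added example, not from the post; log lines are constructed (combined format)."""
from __future__ import annotations
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

OUR_HOSTS = {"www.example.at", "proxy.example.at"}   # constructed: our own names


def parse(line: str) -> dict | None:
    """Return the named fields of one combined-format line, or None if unparsable."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_proxy_request(rec: dict) -> bool:
    """A request line naming a host that is not ours is a proxy request; so is
    CONNECT, and the path-prefixed form quoted in the post (/http://ad....)."""
    target = rec["target"]
    if rec["method"] == "CONNECT":
        return True
    if target.startswith("/http://") or target.startswith("/https://"):
        return True
    parts = urlsplit(target)
    return parts.scheme in ("http", "https") and parts.hostname not in OUR_HOSTS


def summarize(lines: list[str]) -> dict:
    """Group proxy requests by Referer host and status.  A 200 means the relay
    worked and we paid for the bandwidth; a 403 means the server refused it."""
    by_referer: dict = defaultdict(Counter)
    targets: Counter = Counter()
    clients: set = set()
    for line in lines:
        rec = parse(line)
        if rec is None or not is_proxy_request(rec):
            continue
        ref_host = urlsplit(rec["referer"]).hostname or "(none)"
        by_referer[ref_host][rec["status"]] += 1
        targets[urlsplit(rec["target"].lstrip("/")).hostname or rec["target"]] += 1
        clients.add(rec["client"])
    return {"by_referer": {k: dict(v) for k, v in by_referer.items()},
            "targets": dict(targets), "distinct_clients": len(clients)}


# Constructed sample: two relay patterns (refused and served) and two normal hits.
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Jun/2000:19:58:01 +0000] "GET http://ad.bannercompany.example/banner.gif?id=12345 HTTP/1.0" 403 212 "http://pics.example.net/page1.html" "Mozilla/4.7"',
    '198.51.100.23 - - [10/Jun/2000:19:58:03 +0000] "GET http://ad.bannercompany.example/banner.gif?id=12345 HTTP/1.0" 200 9812 "http://pics.example.net/page2.html" "Mozilla/4.7"',
    '198.51.100.77 - - [10/Jun/2000:19:58:07 +0000] "GET /http://ad.bannercompany.example/banner.gif?id=12345 HTTP/1.0" 403 212 "http://pics.example.net/page1.html" "Mozilla/4.5"',
    '192.0.2.4 - - [10/Jun/2000:19:58:09 +0000] "GET /index.html HTTP/1.0" 200 3021 "-" "Lynx/2.8"',
    '192.0.2.5 - - [10/Jun/2000:19:58:11 +0000] "GET http://www.example.at/index.html HTTP/1.1" 200 3021 "-" "Mozilla/4.7"',
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for ref, statuses in report["by_referer"].items():
        print("referer %-22s %s" % (ref, statuses))
    print("relayed targets:", report["targets"])
    print("distinct relaying clients:", report["distinct_clients"])
```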
    



    Misc WAP (Wireless Application Protocol) Stuff and Links

    Summary: WAP is CRAP (but can be made to work)




    New Domains being registered at a rate of around one a second

    Domain name speculation seems to have increased considerably this year, as the advent of multiple registrars for .com|.net|.org has led to cheaper prices and greater promotion. In a 10 day period during March around three quarters of a million new domains were registered. What is startling is how quickly the new registrars have been able to build awareness and take market share from NSI. On a sample of new domain registrations in the same period, register.com was taking almost 17%.

    Resonate load balances 2% of web sites

    Resonate, which recently received an investment from Sun and filed to go public, has a load balancing product which slightly perturbs the tcp/ip characteristics of the systems behind it. It is possible to use this to determine Resonate installations, and the current survey has found 222 of these, which broadly matches Resonate's claim of more than 250 customers worldwide. These systems load balance slightly over 2% of the hosts found in the current survey. Resonate may have additional product versions which do not have the same effect on tcp/ip characteristics, and so their actual installed base may be bigger than we report here, but the numbers seem impressive in any case.

    Wap content pouring on to the web

    With wap enabled phones such as the Nokia 7110 now fairly widely available, there has been a surge of wap content onto the web, with the leading cellular providers developing mini-portals of wap content, and sites such as yahoo.co.uk and iii.co.uk already delivering information via WAP. However, one other early content provider has already commented that the tiny screens and limited bandwidth make for a frustrating user experience.

    Credit card theft rife, chronic ecommerce site security

    MSNBC reported on 17th March, and again on 24th March, cases in which large numbers of credit card numbers and associated information had been stolen from sites, while theregister.co.uk recently headlined an article "Hacking credit cards is preposterously easy". Certainly, it is clear that large numbers of valid credit cards are now in the wild, and being used to fraudulently buy goods and services around the web. Another Microsoft associate, Expedia, reported that it had discovered that up to 18% of its revenue for the last quarter had been fraudulent. 18% of revenue is a massive hit in a low margin business such as selling airline tickets. Visa had earlier announced that around half its disputes concern internet based credit card transactions, despite these only making up 2% of its total revenue.

    These incidents make plain that, however much encryption is used to protect information in transit (as SSL does), data is still not protected if the systems at the end points are insecure. The amount of disruption caused for credit card fulfilment has led to a small resurgence of interest in the use of the SET protocol instead of SSL to alleviate the problems of weak merchant security. SET uses trusted centralised servers, typically run by financial institutions, and digitally signed information to avoid the need for the merchant to receive and store the credit card number itself. The customer has software which signs the payment authorisation using their private signature key.

    SET therefore might seem attractive: merchant systems would not accumulate large amounts of credit card data, so introduce less vulnerability into the system. However customers have to store private signature keys on their own systems, the theft of which would allow someone else to assume their identity as far as the SET protocol is concerned. It is an interesting judgement which is worse and more difficult to fix; 100,000 insecure merchant databases, or 100 million personal computers containing secret signature keys, superficially protected by the typical user's weak choice of password, and open to being extracted by any combination of trojan code, network insecurity or physical access, to which typical PCs might be vulnerable.





    Hacker/Security Pages


    Example of Searching for Relevant Drivers for a new Windows 95 Installation

    • Setting up Win95/98 but ignoring SCANDISK: setup /is (The /IS means IGNORE SCANDISK) (from the CD-ROM GOD site)

    Peripherals


    From: Viral [sbviral@giasbma.vsnl.net.in] 
    To: nmap-hackers@insecure.org 
    Subject: Re: Nmap Users Favourite Tools 
    
    
    Hi,
    I've compiled a summary of a few package names by flicking them from the
    Debian Package descriptions.
    Here's a summary of 25 or so tools that I could extract automatically.
    I hope it's useful.
    
    
    Viral.
    
    
    Tool Name           : Nessus 
    URL                 : http://www.nessus.org 
    Debian Package Name : nessus 
    
    Description: Remote network security auditor, the client
     The Nessus Security Scanner is a security auditing tool. It makes it
     possible to test security modules in an attempt to find vulnerable
     spots that should be fixed.
     .
     It is made up of two parts: a server, and a client. The server/daemon,
     nessusd, is in charge of the attacks, whereas the client, nessus,
     interfaces with the user through a nice X11/GTK+ interface.
     .
     This package contains the GTK+ 1.2 client, which exists in other
     forms and on other platforms, too.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Netcat 
    URL                 : http://www.l0pht.com/~weld/netcat/ (unofficial site) 
    Debian Package Name : netcat 
    
    Description: TCP/IP swiss army knife
     A simple Unix utility which reads and writes data across network
     connections using TCP or UDP protocol.  It is designed to be a reliable
     "back-end" tool that can be used directly or easily driven by other
     programs and scripts. At the same time it is a feature-rich network
     debugging and exploration tool, since it can create almost any kind of
     connection you would need and has several interesting built-in
     capabilities.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Tcpdump 
    URL                 : http://www.tcpdump.org 
    Debian Package Name : tcpdump 
    
    Description: A powerful tool for network monitoring and data acquisition
     This program allows you to dump the traffic on a network. It can
     be used to print out the headers of packets on a network interface
     that matches a given expression. You can use this tool to track down
     network problems, to detect "ping attacks" or to monitor the network
     activities.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Snort 
    URL                 : http://www.snort.org 
    Debian Package Name : snort 
    
    Description: flexible packet sniffer/logger that detects attacks
     Snort is a libpcap-based packet sniffer/logger which can be used as a
     lightweight network intrusion detection system. It features rules
     based logging and can perform content searching/matching in addition
     to being used to detect a variety of other attacks and probes, such
     as buffer overflows, stealth port scans, CGI attacks, SMB probes, and
     much more. Snort has a real-time alerting capability, with alerts being
     sent to syslog, a separate "alert" file, or even to a Windows computer
     via Samba.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Ethereal 
    URL                 : http://ethereal.zing.org/ 
    Debian Package Name : ethereal 
    
    Description: Network traffic analyzer
     Ethereal is a network traffic analyzer, or "sniffer", for Unix and
     Unix-like operating systems.  It uses GTK+, a graphical user interface
     library, and libpcap, a packet capture and filtering library.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Abacus Portsentry 
    URL                 : http://www.psionic.com/abacus/portsentry/ 
    Debian Package Name : portsentry 
    
    Description: Portscan detection daemon
     PortSentry has the ability to detect portscans (including stealth scans) on
     the network interfaces of your machine. Upon alarm it can block the attacker
     via hosts.deny, dropped route or firewall rule. It is part of the Abacus
     program suite.
     .
     Note: If you have no idea what a port/stealth scan is, I'd recommend having
     a look at http://www.psionic.com/abacus/portsentry/ before installing this
     package. Otherwise you might easily block hosts you'd better not (e.g. your
     NFS-server, name-server, ...).
    
    -------------------------------------------------------------------------
    
    Tool Name           : Tripwire 
    URL                 : http://www.tripwire.com/ (COMMERCIAL) 
    Debian Package Name : tripwire 
    
    Description: A file and directory integrity checker.
     Tripwire is a tool that aids system administrators and users in
     monitoring a designated set of files for any changes.  Used with
     system files on a regular (e.g., daily) basis, Tripwire can notify
     system administrators of corrupted or tampered files, so damage
     control measures can be taken in a timely manner.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Sniffit 
    URL                 : http://reptile.rug.ac.be/~coder/sniffit/sniffit.html 
    Debian Package Name : sniffit 
    
    Description: packet sniffer and monitoring tool
     sniffit is a packet sniffer for TCP/UDP/ICMP packets.
     sniffit is able to give you very detailed technical info
     on these packets (SEC, ACK, TTL, Window, ...) but also
     packet contents in different formats (hex or plain text,
     etc. ).
    
    -------------------------------------------------------------------------
    
    Tool Name           : SATAN 
    URL                 : http://www.fish.com/satan/ 
    Debian Package Name : satan 
    
    Description: Security Auditing Tool for Analysing Networks
     This is a powerful tool for analyzing networks for vulnerabilities
     created for sysadmins that cannot keep a constant look at bugtraq,
     rootshell and the like.
    
    -------------------------------------------------------------------------
    
    Tool Name           : iptables 
    URL                 : http://netfilter.kernelnotes.org/ 
    Debian Package Name : iptables
    
    Description: IP packet filter administration for 2.4.X kernels
      Iptables  is  used  to  set  up, maintain, and inspect the
      tables of IP packet filter  rules  in  the  Linux  kernel.
      The iptables tool also supports configuration of dynamic and static
      network address translation.
    
    -------------------------------------------------------------------------
    
    Tool Name           : John The Ripper 
    URL                 : http://www.openwall.com/john/ 
    Debian Package Name : john
    
    Description: An active password cracking tool
     john, normally called john the ripper, is a tool to find
     weak passwords of your users.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Hunt 
    URL                 : http://www.cri.cz/kra/index.html#HUNT 
    Debian Package Name : hunt 
    
    Description: Advanced packet sniffer and connection intrusion.
     Hunt is a program for intruding into a connection, watching it and
     resetting it.
     .
     Note that hunt operates on Ethernet and is best used for connections
     which can be watched through it. However, it is possible to do something
     even for hosts on other segments or hosts that are on switched ports.
    
    -------------------------------------------------------------------------
    
    Tool Name           : SSH 
    URL                 : http://www.ssh.com/commerce/index.html (some versions COMMERCIAL) 
    Debian Package Name : ssh 
    
    Description: Secure rlogin/rsh/rcp replacement (OpenSSH)
     OpenSSH is derived from OpenBSD's version of ssh, which was in turn
     derived from ssh code from before the time when ssh's license was
     changed to be non-free.
     Ssh (Secure Shell) is a program for logging into a remote machine
     and for executing commands on a remote machine.
     It provides secure encrypted communications between two untrusted
     hosts over an insecure network.  X11 connections and arbitrary TCP/IP
     ports can also be forwarded over the secure channel.
     It is intended as a replacement for rlogin, rsh and rcp, and can be
     used to provide rdist, and rsync with a secure communication channel.
    
     This software may be freely imported into the United States; however,
     the United States Government may consider re-exporting it a criminal
     offense.  Thus, if you are outside the US, please retrieve this
     software from outside the US.
     In some countries, particularly Russia, Iraq, Pakistan, and France, it
     may be illegal to use any encryption at all without a special permit.
    
    -------------------------------------------------------------------------
    
    Tool Name           : tcp wrappers 
    URL                 : ftp://ftp.porcupine.org/pub/security/index.html 
    Debian Package Name : libwrap0
    
    Description: Wietse Venema's TCP wrappers library
     Wietse Venema's network logger, also known as TCPD or LOG_TCP.
     .
     These programs log the client host name of incoming telnet,
     ftp, rsh, rlogin, finger etc. requests. Security options are:
     access control per host, domain and/or service; detection of
     host name spoofing or host address spoofing; booby traps to
     implement an early-warning system.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Ntop 
    URL                 : http://www.ntop.org 
    Debian Package Name : ntop 
    
    Description: display network usage in top-like format
     ntop is a Network Top program. It displays a summary of network usage by
     machines on your network in a format reminiscent of the unix top utility.
     .
     It can also be run in web mode, which allows the display to be browsed with
     a web browser.
    
    -------------------------------------------------------------------------
    
    Tool Name           : traceroute 
    URL                 : http://www.linux.com (or most other UNIX) 
    Debian Package Name : traceroute
    
    Description: Traces the route taken by packets over a TCP/IP network.
     The traceroute utility displays the route used by IP packets on their way to a
     specified network (or Internet) host.  Traceroute displays the IP number and
     host name (if possible) of the machines along the route taken by the packets.
     Traceroute is used as a network debugging tool.  If you're having network
     connectivity problems, traceroute will show you where the trouble is coming
     from along the route.
     .
     Install traceroute if you need a tool for diagnosing network connectivity
     problems.
    
    -------------------------------------------------------------------------
    
    Tool Name           : telnet 
    URL                 : http://www.linux.com (or most other UNIX) 
    Debian Package Name : telnet
    
    Description: The telnet client.
     The telnet command is used for interactive communication with another host
     using the TELNET protocol.
    
    -------------------------------------------------------------------------
    
    Tool Name           : scanlogd 
    URL                 : http://www.openwall.com/scanlogd/ 
    Debian Package Name : scanlogd 
    
    Description: A portscan detecting tool
     Scanlogd is a daemon written by Solar Designer
     to detect portscan attacks on your machine.
    
    -------------------------------------------------------------------------
    
    Tool Name           : logcheck 
    URL                 : http://www.psionic.com/abacus/logcheck/ 
    Debian Package Name : logcheck 
    
    Description: Mails anomalies in the system logfiles to the administrator
     Logcheck is part of the Abacus Project of security tools. It is a program
     created to help in the processing of UNIX system logfiles generated by the
     various Abacus Project tools, system daemons, Wietse Venema's TCP Wrapper
     and Log Daemon packages, and the Firewall Toolkit© by Trusted Information
     Systems Inc.(TIS).
     .
     Logcheck helps spot problems and security violations in your logfiles
     automatically and will send the results to you in e-mail. This program is
     free to use at any site. Please read the disclaimer before you use any of
     this software.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Perl 
    URL                 : http://www.perl.org 
    Debian Package Name : perl 
    
    Description: Fake package used for a smooth upgrade
     This package depends on perl-5.004. Perl-5.005 will conflict
     with perl so that all dependencies on perl will have to have
     vanished before perl-5.005 will be installed. The scripts and
     non-binary modules have to depend on perl5 and the
     binary modules on perl-5.005 (or whatever is the latest version
     of perl available in Debian).
     .
     It does also contain the io provides/replaces/conflicts. This
     has been removed from the perl-5.00X since io has disappeared
     a long time ago.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Ngrep 
    URL                 : http://www.packetfactory.net/Projects/ngrep/ 
    Debian Package Name : ngrep 
    
    Description: grep for network traffic
     ngrep strives to provide most of GNU grep's common features,
     applying them to the network layer.  ngrep is a pcap-aware tool that
     will allow you to specify extended regular expressions to match
     against data payloads of packets.  It currently recognizes TCP, UDP
     and ICMP across Ethernet, PPP, SLIP and null interfaces, and
     understands bpf filter logic in the same fashion as more common
     packet sniffing tools, such as tcpdump and snoop.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Cheops 
    URL                 : http://www.marko.net/cheops/ 
    Debian Package Name : cheops 
    
    Description: A GTK based network "swiss-army-knife"
     Cheops gives a simple interface to most network utilities, maps local or
     remote networks and can show OS types of the machines on the network.
    
    -------------------------------------------------------------------------
    
    Tool Name           : Libnet 
    URL                 : http://www.packetfactory.net/libnet/ 
    Debian Package Name : libnet0-dev
    
    Description: Routines for the construction and handling of network packets.
     libnet provides a portable framework for low-level network packet writing and
     handling.
     .
     Libnet features portable packet creation interfaces at the IP layer and link
     layer, as well as a host of supplementary functionality.  Still in its
     infancy however, the library is evolving quite a bit. Additional functionality
     and stability are added with each release.
     .
     Using libnet, quick and simple packet assembly applications can be whipped up
     with little effort. With a bit more time, more complex programs can be written
     (Traceroute and ping were easily rewritten using libnet and libpcap).
    
    -------------------------------------------------------------------------
    
    Tool Name           : LSOF 
    URL                 : ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/ 
    Debian Package Name : lsof-2.2
    
    Description: List open files.
     Lsof is a Unix-specific diagnostic tool.  Its name stands
     for LiSt Open Files, and it does just that.  It lists
     information about any files that are open by processes
     currently running on the system.
     The binary is specific to kernel version 2.2
    
    -------------------------------------------------------------------------
    
    Tool Name           : IPTraf 
    URL                 : http://cebu.mozcom.com/riker/iptraf/ 
    Debian Package Name : iptraf 
    
    Description: Interactive Colorful IP LAN Monitor
     IPTraf is an ncurses-based IP LAN monitor that generates
     various network statistics including TCP info, UDP counts,
     ICMP and OSPF information, Ethernet load info, node stats,
     IP checksum errors, and others.
     .
     Note that since 2.0.0 IPTraf requires a kernel >= 2.2
    
    -------------------------------------------------------------------------
    
    Tool Name           : Queso 
    URL                 : http://www.apostols.org/projectz/queso/ 
    Debian Package Name : queso 
    
    Description: Guess the operating system of a remote machine
     by looking in the TCP replies.
    
    -------------------------------------------------------------------------
    


    Taken from Greg Lindahl homepage at: http://www.pbm.com/~lindahl/



    If you are feeling sociable, my new E-mail address is [address now invalid] (replace the *at* with an @). Old E-mail addresses might be giving forwarding or reliability problems. Please use clear titles in any Email - otherwise messages might accidentally get put in the SPAM list due to the large amount of junk Email being received. So, if you don't get an expected reply to any messages, please try again.