How do I know if I am being hacked[violated]?

Discussion in 'Linux Networking' started by root-n-toot-n, Sep 3, 2003.

  1. What to look for in /var/log/messages?
    Box is PII 400Mhz RH8.0, rhn'd up2date'd.
     
    root-n-toot-n, Sep 3, 2003
    #1
    1. Advertisements

  2. root-n-toot-n

    Bit Twister Guest

    Ha, ha, ha. A good crack would not show anything.

    Look here
    http://groups.google.com/advanced_group_search

    google_tag_cracked_4_next_time in the first box
    alt.os.linux in the Newsgroup box, pick English
     
    Bit Twister, Sep 3, 2003
    #2
    1. Advertisements

  3. [ snort ]

    Thanx NJ BT, I'm clean...
     
    root-n-toot-n, Sep 4, 2003
    #3
  4. root-n-toot-n

    Alan Connor Guest


    If you run a packet sniffer on the interface and run a grep loop on the
    output to notify you of unusual packets, then you can catch them.

    I've caught several, and immediately did a harsh nmap on the IP they were
    using (got it scripted) and they ran like dogs with a 500 pound cat on
    their tails....

    ALWAYS run a packet sniffer when you are on the Internet.


    Alan C
     
    Alan Connor, Sep 4, 2003
    #4
  5. root-n-toot-n

    Bit Twister Guest

    Yeah that is real smart.

    Cracker uses a zombie machine, you hit him with nmap. Cracker shoots
    the logs to isp cleans out his tracks and you loose.

    Just a few state selections.

    http://www.capitol.state.tx.us/statutes/pe/pe0003300.html#pe001.33.01
    Read 33.01. Definition (1) "Access"
    33.02. Breach of Computer Security (a)

    http://www.umpqua.cc.or.us/policy/oregon-law.htm
    Read 1 (a) then (4)
     
    Bit Twister, Sep 4, 2003
    #5
  6. root-n-toot-n

    Alan Connor Guest

    I don't see why you call that "losing".

    To ME winning is protecting my machine. I'm not into tracking anyone
    down and punishing them.

    My approach IS real smart.

    And I will keep using it because it WORKS.



    I don't give a **** about any statutes anywhere.


    I do what I need to do to protect my machine.


    And no, I do not run the nmap from a machine that is even on this continent.

    You have heard, I trust, of shell accounts run by email sent via a series
    of anonymous forwarders with the initial mail being sent via a telnet
    connection to an open smtp server?


    Oh yes, you certainly have. Or am I 'mixed' up? :)



    Alan C
     
    Alan Connor, Sep 4, 2003
    #6
  7. Alan Connor graced us by uttering:
    With all due respect, this law has "adversely affected" someone
    clpm is quite familiar with.

    http://www.lightlink.com/spacenka/fors/jeffrey/ovs/

    It's especially worth noting that the Oregon Computer Crime Law
    *does not require evidence* and that it is a *felony*. See below
    for why this still should matter to you.
    "This" as opposed to "that", but what is your reference
    continent? Or do all linux users live on one continent? ;)

    More importantly, though, is where *YOU* are and where the
    *VICTIM* is.
    Whatever derivative method you use, be careful that (a) you
    are not violating laws in the victim's jurisdiction, (b) that
    you are not violating any laws in YOUR jurisdiction (where you
    are), and (c) you are not violating any laws in the jurisdiction
    in which the above machine operates. Laws in any jurisdictions
    through which the nmap scan pass may also apply.

    You're free to talk as big as you like on Usenet, but I'd really
    rather not hear about another acquaintance being convicted of a
    felony. Intel made an example of Randal with Oregon's help. If
    crackers compromise a high-profile server and twist it to their
    ends, as they did <http://www.gnu.org/>, there's no telling who's
    machine you might assault, thinking it's the crackers'.

    Tim Hammerquist
     
    Tim Hammerquist, Sep 4, 2003
    #7
  8. root-n-toot-n

    Alan Connor Guest


    Well Tim, I think it's pretty funny that you refer to someone who is
    trying to crack my machine as a victim.

    And trying to blame ME for sloppy security on some other machine.
    No one uses MY network for anything like that, and it is MY responsibility
    to see that it doesn't happen.

    And you seem to think that nmapping harms a computer, which it doesn't.


    I am not "talking big" at all. This is all very simple and practical.


    And if someone tries to bust my box they get hammered.

    Period. And the program I use is not actually nmap, but a much more
    serious cousin of its.

    (Note that I do run a whois on the IP, first, to make sure there isn't
    some legitimate activity going on, say, on the part of one of my ISPs.)

    Your opinion in this matter means nothing to me at all.


    Run your own machine. *I* run mine.

    I do wonder where all these egomaniacs come from that think they have
    a right to tell a person how to live.


    They are a source of never-ending amusement to me.


    As are most fools.


    Alan C
     
    Alan Connor, Sep 4, 2003
    #8
  9. root-n-toot-n

    Alan Connor Guest

    Just a note here for the benefit of any newbies that might have taken
    Tim's absurd article seriously:

    nmap is a port MAPPER. It maps ports. It doesn't hurt anything.

    I have verified this numerous times on my own box, and those belonging to
    friends.


    If some cracker was using someone else's server to do his/her dastardly
    work from, then a blatant nmapping would do nothing but alert the owners
    of that server that something was wrong.

    You would be doing them a FAVOR.


    Alan C
     
    Alan Connor, Sep 4, 2003
    #9
  10. root-n-toot-n

    jbuchana Guest

    Alan is, of course, right.

    But in these paranoid times, you might get someone at your ISP paying
    attention to you if you get a complaint. I never have, despite using
    it when curious about people I find scanning me in my firewall logs.

    If you have nmap at work though, get permission to use it first. Your
    first indication that it's not welcome might be when your networking
    team shuts of your ethernet jack! :)

    In the factory I work at, many of the automated testers and some of
    the junkier printers that are 'net aware freeze up when they are
    port-scanned. When the automated testers freeze up, it shuts down
    production lines and costs lots of money.

    Port scanning is forbidden by anyone outside of IT, and we never scan
    entire network segments, just single machines, because of this.

    They may also forbid it out of general paranoia.
     
    jbuchana, Sep 4, 2003
    #10
  11. root-n-toot-n

    Bit Twister Guest

    I am not going to argue with you. I have see you argue about
    testing pppd link connectivity. :(

    You need to read your Terms Of Service (TOS) and/or Acceptable Use
    Policy (AUP). Your nmap activity violates one or both and they can
    terminate your account.

    The two laws I indicated can get you into deep doo doo with the legal
    system with your nmap DOS.

    If the cracker uses a zombie aircraft control tower or a water lock or
    dam control system, you may get free lodging at the barbed wire hotel.
     
    Bit Twister, Sep 4, 2003
    #11
  12. root-n-toot-n

    Bit Twister Guest

    Alan is of course, not right in the eyes of the law.
    The two laws shown can be used to put a person in jail and that hurts.
    Alan even said it made the targetn machine run slow; that is denial of
    service (DOS).

    Some people pay connection fees charged by the byte. If I were one of
    those I would use the law to "teach that idiot to nmap my box".
     
    Bit Twister, Sep 4, 2003
    #12
  13. root-n-toot-n

    /dev/rob0 Guest

    And now a note for those (newbies or otherwise) who did not.

    Yes, the laws are absurd. Tim's article is not.
    Alan knows that. Tim knows that. I know that. You do too. But go out and
    ask someone who has absolutely no understanding of computers nor
    networking. Chances are, without detailed explanation, this person will
    think it sounds like an attack.

    The people who make and enforce laws generally come from this category,
    and you won't get a chance to explain it all to them. Most judicial
    processes are not designed to get at the truth. I would not take a
    chance. I do not expect courts to uphold justice.

    Alan, in his typical zeal, is not listening. Laws are not about right
    and wrong.
    As long as the friends remain friends, or at least remain honourable and
    dignified, this is safe. Intel gave up honour and dignity in their
    successful quest to harm a former friend, Randal Schwartz.

    We recently discussed this in c.o.l.security. Yes, some people believe
    that port scanning is legal, or at least that they can trust the police
    and/or the courts to listen to reason and to do what's right. What it
    boils down to IMHO is that choice: do you trust the law and those who
    enforce it?

    For those who do, I have some questions, and I would appreciate sincere
    answers.
    1. Is this trust based on real-life firsthand or secondhand
    experience? Do you know someone personally who was wrongly
    accused of a crime, for whom the police or courts upheld justice?
    2. Do you know someone who was wrongly convicted?
    3. Is your trust influenced by portrayals of police or courts in the
    mass media (entertainment industry)?
    4. Is your trust influenced by what you learned in public schools?
    5. How do you think the other people you know who believe as you
    (which incidentally includes most people I know IRL) would answer
    the previous 4 questions?

    It is a terrible ordeal to face criminal charges, regardless of the
    facts. Police and prosecutors have far more resources to fight than do
    most (all?) individuals. Those who are involved in a prosecution are
    generally advised, if not forced, to keep silent about the case, and
    thus we are less likely to hear their side of the story. The
    prosecutors' side, OTOH, is likely to be heard in the mass media
    ("information" industry). IME with newsworthy events in which I have
    been personally involved, I have never known the news media's report to
    have been accurate nor unbiased.

    Because of his many posts which come across as rude and vicious, some
    people might like to see Alan learn the "error of his ways" (well, no
    one is saying he's wrong, just that the law says he's wrong) the hard
    way. But that's not right. This is really a matter of "us" (computer
    geeks, either hobbyist or professional) v. "them" (everyone else.) I
    hope it does NOT happen to Alan, nor to any of us.
     
    /dev/rob0, Sep 4, 2003
    #13
  14. root-n-toot-n

    /dev/rob0 Guest

    I wouldn't. Some day those very laws could come around to "teach" you.
    And to knowingly participate in an injustice is in my eyes a violation
    of the laws of nature ... "what goes around, comes around".
     
    /dev/rob0, Sep 4, 2003
    #14
  15. root-n-toot-n

    Bill Unruh Guest

    ]>
    ]>
    ]> On Thu, 04 Sep 2003 03:38:44 GMT, Alan Connor wrote:
    ]>
    ]>> I've caught several, and immediately did a harsh nmap on the IP they were
    ]>> using (got it scripted) and they ran like dogs with a 500 pound cat on
    ]>> their tails....
    ]>
    ]> Yeah that is real smart.
    ]>
    ]> Cracker uses a zombie machine, you hit him with nmap. Cracker shoots
    ]> the logs to isp cleans out his tracks and you loose.
    ]>

    ]I don't see why you call that "losing".

    ]To ME winning is protecting my machine. I'm not into tracking anyone
    ]down and punishing them.

    Losing means that you spend a few thousand dollars of your money and a few
    months of your time defending yourself against prosecution.


    ]My approach IS real smart.

    ]And I will keep using it because it WORKS.



    ]> Just a few state selections.
    ]>
    ]> http://www.capitol.state.tx.us/statutes/pe/pe0003300.html#pe001.33.01
    ]> Read 33.01. Definition (1) "Access"
    ]> 33.02. Breach of Computer Security (a)
    ]>
    ]> http://www.umpqua.cc.or.us/policy/oregon-law.htm
    ]> Read 1 (a) then (4)


    ]I don't give a **** about any statutes anywhere.

    Well, they have ways of making you care.
     
    Bill Unruh, Sep 4, 2003
    #15
  16. [ snip ]

    OK,
    So I run Firestarter with all incoming denied...
    And I run a looping tail last 50 lines of /var/log/messages...
    And I notice in the Firestarter log some KarpetKisser from
    Egypt is hitting me on port 137 (whois'd the IP address.)

    I do a fin stealth (~1 minute with no responses) figure its
    an BillyBox.
    Then I do a syn stealh and the report shows all open and filtered
    ports and says it _is_ a BillyBox. Thats it. I'm done. No more
    scans against AllahJeersYa.
    No harm done.
     
    root-n-toot-n, Sep 5, 2003
    #16
  17. tail -f does a much better job of what (I think) you are trying to do.
    --
    -johann koenig
    Now Playing: Boy Sets Fire - Our Time Honored Tradition Of Cannibalism :
    After The Eulogy
    Today is Boomtime, the 28th day of Bureaucracy in the YOLD 3169
    My public pgp key: http://mental-graffiti.com/pgp/johannkoenig.pgp

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.3 (GNU/Linux)

    iD8DBQE/V+CRFk4duwOzQpURAlCbAJwIss85lPAG5CywCkZs1rl+Ew5QGQCfV73l
    INQ7aqIqFGHPpSoOTCPaKik=
    =sYrc
    -----END PGP SIGNATURE-----
     
    Johann Koenig, Sep 5, 2003
    #17
  18. root-n-toot-n

    Bit Twister Guest

    Just for the 20,000 ft view look at
    http://www.dshield.org/
    when you get around to it.
     
    Bit Twister, Sep 5, 2003
    #18
  19. Alan Connor graced us by uttering:
    We do not live under Hammurabi's Code, no matter what continent
    you live on. Some other host's abuse of your box, whether
    malicious intent by the other of said host or not, does not
    constitute a right or privilege to reciprocate.
    Yes. Protection is your responsibility. Retaliation is not.
    No, it (and its cousins) harms bandwidth. It consumes an
    enormous amount of bandwidth.

    In addition, nmap and friends are considered tools for
    discovering a remote host's configuration and, as such,
    unauthorized use is forbidden by most ISPs and corporate
    networks, including my own employer, whether outside or within
    the corporate firewall. As such, your own ISP shutting off your
    access or, worse, a remote host prosecuting you, are very real
    risks.
    I'm disappointed. We've conversed quite civilly in other
    newsgroups, you and I, and I didn't think I'd done so much to
    deserve this kind of vicious attitude. I sincerely don't wish to
    see more prosecution of undeserving users, but your thoughts on
    the matter are, indeed, quite clear.

    Farewell, then.

    Tim Hammerquist
     
    Tim Hammerquist, Sep 5, 2003
    #19
  20. root-n-toot-n

    Alan Connor Guest


    Would you like to put a little money where your glib mouth is?


    I will bet you $10000 that one year from now I have not even had to
    *talk* to any law enforcement officials of any kind.

    (I will be happy to hire a lawyer in your town to handle the signing
    of the documents involved.)


    How about it?


    Talk's cheap.


    And those people are more than aware of this fact, particularly talk on
    the Usenet.


    In order for you to get them to take even ONE step towards even looking into
    my behaviour on the Internet, you are going to have to provide them with
    some concrete evidence that what I posted isn't just hot air.


    And attempting to obtain that evidence would require you to break even
    more serious laws, which *I* would be documenting as the attempts unfolded.



    <chuckle>



    Alan C
     
    Alan Connor, Sep 5, 2003
    #20
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.