ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE
Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post. We do not sell, publish, transmit, or have the right to give permission for such. TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.
This excellent tutorial is the work of NTSA, who has very kindly consented to the TAZ hosting it.
Enjoy!
This is an impromptu tutorial on tracing skiddiots – because I just found one in our logs:
ClientHost        LogTime                  Service  Machine
-----------------------------------------------------------
199.111.104.201   2002-06-15 17:49:30.000  W3SVC1   NTSA-SERV

ServerIP          Target                                      Parameters
-----------------------------------------------------------
xxx.xxx.xxx.xxx   /scripts/..%5c%5c../winnt/system32/cmd.exe  /c+dir
I’m sure we all recognise the cook-book directory traversal exploit attempted here (which failed, btw). So it’s a kiddiot. Let’s take a quick trip to www.samspade.org:
Trying whois -h whois.arin.net 199.111.104.201

VERnet (NETBLK-VERNET-CIDR1)
   University of Virginia
   Academic Computing Center
   Gilmer Hall
   Charlottesville, VA 22901
   US

   Netname: NETBLK-VERNET-CIDR1
   Netblock: 199.111.0.0 - 199.111.255.255
   Maintainer: VER

   Coordinator:
      Jokl, James A. (JAJ17-ARIN) jaj@VIRGINIA.EDU
      (804) 924-0616

   Domain System inverse mapping provided by:

   UVAARPA.VIRGINIA.EDU     128.143.2.7
   JUNO.ACC.VIRGINIA.EDU    128.143.22.119

   Record last updated on 05-Apr-1994.
   Database last updated on 14-Jun-2002 20:01:02 EDT.
So the kiddiot is (probably) a student at the University of Virginia. A nasty letter to the Netblock administrator will mean that’s one kiddiot who’s in for a nasty shock Monday morning. Word Up – and the word was ‘busted’.
Hi –

You are listed as the admin contact for the Netblock: 199.111.0.0 - 199.111.255.255
University of Virginia
Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901

We monitored an attempted network intrusion from an address in your IP range today (2002-06-15). The attack (which failed) came from IP address 199.111.104.201 at 17:49:30 (GMT). The actual attack attempted was a simple directory traversal exploit against a command line.

I would be grateful if you could take appropriate sanctions against the student involved. Someone obviously considers themselves to be ‘l33t’ – perhaps you could explain to them that under new US legislation such exploits are classed as terrorism.
Regards,