TheTAZZone - Internet Chaos

Tutorial – Network Intrusions

ORIGINALLY POSTED BY NOKIA FOR THETAZZONE/TAZFORUM HERE

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post…we do not sell, publish, transmit, or have the right to give permission for such…TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network

This excellent tutorial is the work of NTSA, who has very kindly consented to the TAZ hosting it. Enjoy!

This is an impromptu tutorial on tracing skiddiots – because I just found one in our logs:

ClientHost       LogTime                  Service  Machine
---------------------------------------------------------------
199.111.104.201  2002-06-15 17:49:30.000  W3SVC1   NTSA-SERV

ServerIP         Target                                       Parameters
------------------------------------------------------------------------
xxx.xxx.xxx.xxx  /scripts/..%5c%5c../winnt/system32/cmd.exe  /c+dir

I’m sure we all recognise the cook-book directory traversal exploit attempted here (which failed btw). So it’s a kiddiot. Let’s take a quick trip to www.samspade.org:
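Spotting this by eye works for one line; for a whole log the decoding has to be done for you, since the traversal is hidden behind percent-encoded backslashes (%5c) and can be double-encoded. The following is an added example, not part of NTSA's tutorial: it parses lines laid out like the log excerpt above (the column order and the sample lines, including the private server address, are constructed assumptions) and flags requests whose decoded path climbs out of the web root.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in the column order of the excerpt above:
# ClientHost, LogTime, Service, Machine, ServerIP, Target, Parameters
# (the server address and the lines other than the first are made up).
SAMPLE_LOG = """\
199.111.104.201 2002-06-15 17:49:30.000 W3SVC1 NTSA-SERV 10.0.0.5 /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir
10.0.0.23 2002-06-15 17:50:02.000 W3SVC1 NTSA-SERV 10.0.0.5 /index.htm -
10.0.0.24 2002-06-15 17:51:10.000 W3SVC1 NTSA-SERV 10.0.0.5 /scripts/..%255c../winnt/system32/cmd.exe /c+dir
10.0.0.25 2002-06-15 17:52:44.000 W3SVC1 NTSA-SERV 10.0.0.5 /images/..%2f..%2fetc/passwd -
"""

# A ".." path component bounded by slashes (or the ends of the path).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalise_path(target: str) -> str:
    """Percent-decode repeatedly (catches %255c -> %5c -> '\\') and fold '\\' to '/'."""
    decoded = target
    for _ in range(3):  # bounded so a malformed value cannot loop forever
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def is_traversal(target: str) -> bool:
    """True when the decoded request path contains a '..' directory step."""
    return TRAVERSAL.search(normalise_path(target)) is not None


def parse_line(line: str):
    """Split one whitespace-separated log line; LogTime is two tokens (date, time)."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"client": f[0], "time": f"{f[1]} {f[2]}", "service": f[3],
            "machine": f[4], "server_ip": f[5], "target": f[6],
            "params": " ".join(f[7:]) or "-"}


def find_traversal_attempts(log_text: str) -> list:
    """Return the parsed records whose target decodes to a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_traversal(rec["target"]):
            rec["decoded"] = normalise_path(rec["target"])
            hits.append(rec)
    return hits
```

Each hit carries the client address, which is what the whois lookup in the next step works from.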

Trying whois -h whois.arin.net 199.111.104.201
VERnet (NETBLK-VERNET-CIDR1)
University of Virginia
Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901
US

Netname: NETBLK-VERNET-CIDR1
Netblock: 199.111.0.0 – 199.111.255.255
Maintainer: VER

Coordinator:
Jokl, James A. (JAJ17-ARIN) jaj@VIRGINIA.EDU
(804) 924-0616

Domain System inverse mapping provided by:

UVAARPA.VIRGINIA.EDU 128.143.2.7
JUNO.ACC.VIRGINIA.EDU 128.143.22.119

Record last updated on 05-Apr-1994.
Database last updated on 14-Jun-2002 20:01:02 EDT.

So the kiddiot is (probably) a student at University of Virginia. A nasty letter to the Netblock administrator will mean that’s one kiddiot who’s in for a nasty shock Monday morning. Word Up – and the word was ‘busted’.

Hi – You are listed as the admin contact for the Netblock: 199.111.0.0 – 199.111.255.255

University of Virginia
Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901

We monitored an attempted network intrusion from an address in your IP range today (2002-06-15). The attack (which failed) came from IP address 199.111.104.201 at 17:49:30 (GMT). The actual attack attempted was a simple directory traversal exploit against a command line.

I would be grateful if you could take appropriate sanctions against the student involved. Someone obviously considers themselves to be ‘l33t’ – perhaps you could explain to them that under new US legislation such exploits are classed as terrorism.

Regards,
