(J)ack (O)f (A)ll (T)rades
Mostly Security, Some
Blogging, Misc. Admin,
and Bits of My Life.









Mon, 28 Feb 2005

VoIPong 28 Feb
To go along with the SIP.edu post of earlier this morning, VoIPong is able to (supposedly) detect and capture SIP, H.323, Skinny, RTP and RTCP-based conversations. According to the home page, this thing worked properly when stuck into a 45MB/sec feed.

joat: 14:00:00 28 Feb 2005


SIP.edu 28 Feb
My first impression is that this (SIP.edu on Internet2) cannot be secure. Has anyone had any experience with it?

joat: 13:00:00 28 Feb 2005


Sun, 27 Feb 2005

Asterisk 27 Feb
It appears that I'm going to be setting up Asterisk in the near future. I've got it installed on the laptop so that I can play around with the configuration and poke at the software.

Take a look at the feature list (here) and see if you have the same response that I had: OMFG! (heh) I only need about two of those features for what I want to do but I'll probably stand up a full-blown install at a later date.

joat: 21:30:00 27 Feb 2005


IA & Digital Evidence 27 Feb
Here's an interesting research paper, on the FBI site, entitled "Information Assurance Applied to Authentication of Digital Evidence". It's further divided into sub-topics including:
  • Authentication of Evidence
  • Information Assurance Services
  • Information Assurance Applied to Digital Evidence
  • Digital Video Evidence System
  • Generalized Information Assurance Solution
  • Daubert Compliance

joat: 13:00:00 27 Feb 2005


Sat, 26 Feb 2005

Sarb-Ox 26 Feb
Here's a link page of Sarbanes-Oxley-related info.

joat: 22:50:00 26 Feb 2005


Convergence or just more trouble? 26 Feb
What's-her-face (I hate the show) just had her sidekick hacked and numerous "stars" were inconvenienced or lost part of their "privacy". The local news show did the usual sensationalist "what can hackers get from your cell phone" bit.

I just wanted to make a comment that things are only going to get worse as we buy personal video players with wireless capabilities and camera cell phones with Internet capability. The politics are only going to get worse also.

As an example, there's a group in DC called "Enough is Enough" that is upset that Congress has not prevented Playboy from making their content available via WAP. Seems that parents are concerned what their teenagers can download with their Internet-enabled cell phones.

Ten points to anyone who can come up with what parents should do if they're actually concerned what their children do with cell phones.

joat: 21:30:00 26 Feb 2005


Fri, 25 Feb 2005

Tux 25 Feb
Tux hypes itself as "The First and Only Magazine for the New Linux User". Subscriptions are free. Format is PDF, no hardcopy. Issue #1 is out.

joat: 21:40:00 25 Feb 2005


IPSec Links 25 Feb
Here's a medium-sized link list of IPSec-related items.

joat: 21:30:00 25 Feb 2005


Bloat 25 Feb
In response to FurryGoat's post, I'd like to suggest the term "bloat" for the condition described. We all suffer from it from time to time (on a regular basis?).

joat: 13:00:00 25 Feb 2005


Thu, 24 Feb 2005

IPv6 Cookbook 24 Feb
If you're planning on experimenting with IPv6, the IPv6 Cookbook will probably come in handy.

joat: 13:00:00 24 Feb 2005


Wed, 23 Feb 2005

AODV 23 Feb
This is going to sound like I'm riding the dying horse yet another mile but, what the heck, I like tweaking the wireless box.

In any case, here's the page for the Ad hoc On-demand Distance Vector (AODV) kernel module for reactive routing. In other words, I want to try mesh networking. I'll keep you posted.

joat: 13:00:00 23 Feb 2005


Tue, 22 Feb 2005

Under construction 22 Feb
I'm going to be tweaking the back end of the blog over the coming weeks so please bear with me if things disappear or move around.

joat: 11:52:14 22 Feb 2005


What did I learn today? 22 Feb
I learned that you should point a browser at your Tivo (or port scan it) once Tivo upgrades the OS for the box.

joat: 11:49:55 22 Feb 2005


Thumb drive security 22 Feb
HNS has an article which discusses the basics of thumb drive security.

joat: 11:45:04 22 Feb 2005


Mon, 21 Feb 2005

IPv6 sites 21 Feb
I've also added an IPv6 category to the wiki and a list of sites to visit in IPv6 space.

joat: 13:45:00 21 Feb 2005


OpenWRT 21 Feb
I finally have the house network switched over from LinkSys's firmware to OpenWRT's. So far, it has far fewer load issues (less junk running on it) and I'm able to separate the wired from the wireless in-house networks. Things I learned in getting the system up and running:
  • RTFM - it helps to read the docs and the stuff available on the website (especially the part about what happens if you hold in the reset button while power cycling)
  • most of your custom changes go in S99done, NOT S10boot!
  • trying to stand up an additional AP is harder than replacing the original AP
  • keep notes on everything, draw a basic network diagram and label the interfaces
  • have a backup copy of a working firmware before you make any changes
  • extra cables come in handy
  • installing the tcpdump package as early as possible helps immensely
  • and, again, RTFM!

I have a request to all the other OpenWRT users --> document how you did it so the rest of us can benefit (I'll post mine shortly).

joat: 13:30:00 21 Feb 2005


w00t! IPv6! 21 Feb
"RTFM" is definitely something that should have been screamed in my ear today. I was using the wrong prefix in my radvd.conf file which was causing my return traffic to go to someone else's network. At one point, I had a nasty routing loop which spiked the traffic level.

I did get it corrected and I'm now able to ping6 sites. In any case, I've got a basic write-up of it here.

Props to Sysmin and Quigon (The Hacker Pimps) for reminding me about IPv6 and turning me on to OpenWRT. Try to find the PDF of their presentation for a little extra help in playing with the 54G.

joat: 13:30:00 21 Feb 2005


Sun, 20 Feb 2005

Arrg!! 20 Feb
Setting an IPv6-over-IPv4 tunnel up and running via OpenWRT on a WRT54G can be a frustrating experience. I know I have the tunnel part up and running as I can "ping6 www.kame.net" from the 54G. Tcpdump shows the packets going out and coming back. The ping6 output looks okay.

The problem is when I "ping6 www.kame.net" from the computer. Tcpdump shows the packets going out but not coming back. I suspect the problem is in the radvd configuration (i.e., the wrong prefix is being assigned??).

Maybe someone reading this can tell me what I'm doing wrong, so I'll post the data here. I use Hurricane Electric's tunnel broker (http://www.tunnelbroker.net).

Tunnel Information:
Server IPv4 address: 64.71.128.82
Server IPv6 address: 2001:470:1F00:FFFF::656/127
Client IPv4 address: My IP Address
Client IPv6 address: 2001:470:1F00:FFFF::657/127
Assigned /64: none
ASN: none
Last Ping6: Sun, Feb 20 3:07 pm PST
Last Inbound Packet: none
Registration Date: Sun, Feb 20, 2005

Update: You have to click on the "Submit" button on the "/64 Allocation" page, whether or not you fill in the DNS entries. Otherwise, you don't get the /64 allocation. So, "Assigned /64:" in the table above should read: 2001:470:1F00:911::/64

From /etc/init.d/S99done:

# load the IPv6 stack and the ip6tables filter modules, then enable forwarding
insmod ipv6
insmod ip6_tables
insmod ip6table_filter
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding

From /etc/init.d/rcS:

# set up the IPv6 tunnel (sit = IPv6-in-IPv4) to the broker's endpoint
ip tunnel add he.net mode sit remote 64.71.128.82 local MYIPADDRESS ttl 255
ip link set he.net up
# our end of the /127 point-to-point link
ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
# default IPv6 route via the tunnel
ip route add ::/0 dev he.net
# show the IPv6 addresses (diagnostic only)
ip -f inet6 addr
# LAN prefix on the wired interface; radvd advertises it to the LAN
ip -6 addr add 2001:470:1F00:CAFE::1/64 dev eth1
radvd

Am I missing something?

joat: 22:30:00 20 Feb 2005
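The follow-up post ("w00t! IPv6!") says the cause was a wrong prefix in radvd.conf, which sent return traffic to someone else's network. The check below is an added example, not code from the post or from OpenWRT: it parses the broker's tunnel-information table and the address lines from rcS, plus a radvd.conf fragment I constructed to show the same mistake, and reports whether each LAN prefix is actually inside the /64 the broker routes to you. The tunnel values and the CAFE prefix are taken from the post; the radvd.conf text, the function names and the verdict labels are my own.

```python
"""Check an IPv6-over-IPv4 tunnel setup against the broker's allocation.

Added example; not code from the post.  The LAN prefix you advertise with
radvd must lie inside the /64 the broker routes to you, and must not be the
/127 point-to-point tunnel link; anything else means return traffic is
delivered to whoever really holds that prefix.
"""
import ipaddress
import re

# Transcribed from the post's tunnel-information table, with the /64 from the update
TUNNEL_INFO = """\
Server IPv4 address:64.71.128.82
Server IPv6 address:2001:470:1F00:FFFF::656/127
Client IPv4 address:My IP Address
Client IPv6 address:2001:470:1F00:FFFF::657/127
Assigned /64:2001:470:1F00:911::/64
"""

# The address lines from the post's /etc/init.d/rcS fragment
RCS = """\
ip addr add 2001:470:1F00:FFFF::657/127 dev he.net
ip route add ::/0 dev he.net
ip -6 addr add 2001:470:1F00:CAFE::1/64 dev eth1
"""

# Constructed radvd.conf fragment advertising the same (wrong) prefix on the LAN
RADVD_CONF = """\
interface eth1
{
    AdvSendAdvert on;
    prefix 2001:470:1F00:CAFE::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
    };
};
"""

ADDR_RE = re.compile(r"^ip (?:-6 )?addr add (\S+) dev (\S+)", re.M)
PREFIX_RE = re.compile(r"^\s*prefix\s+(\S+)", re.M)


def parse_tunnel_info(text):
    """'Key:value' lines -> dict; only the first ':' separates key from value."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def verdict(net, assigned, tunnel_link):
    """Classify a configured prefix relative to what the broker routes to us."""
    if net.overlaps(tunnel_link):
        return "tunnel-link"        # the /127 point-to-point link itself
    if assigned is None:
        return "no-allocation"      # nothing routed yet (the post's "Submit" gotcha)
    if net.subnet_of(assigned):
        return "ok"
    return "not-routed-to-you"      # return traffic goes to whoever holds that prefix


def audit(tunnel_text, rcs_text, radvd_text):
    """Return {label: verdict} for every prefix configured in rcS and radvd.conf."""
    info = parse_tunnel_info(tunnel_text)
    tunnel_link = ipaddress.ip_interface(info["Client IPv6 address"]).network
    raw = info.get("Assigned /64", "none")
    assigned = None if raw.lower() == "none" else ipaddress.ip_network(raw)
    results = {}
    for m in ADDR_RE.finditer(rcs_text):
        addr, dev = m.groups()
        results[dev] = verdict(ipaddress.ip_interface(addr).network, assigned, tunnel_link)
    for m in PREFIX_RE.finditer(radvd_text):
        net = ipaddress.ip_network(m.group(1))
        results["radvd:" + str(net)] = verdict(net, assigned, tunnel_link)
    return results


if __name__ == "__main__":
    for label, result in audit(TUNNEL_INFO, RCS, RADVD_CONF).items():
        print(f"{label:40} {result}")
```

Run as-is it flags both eth1 and the radvd prefix as "not-routed-to-you"; swapping CAFE for the allocated 911 prefix in both files turns them to "ok", and leaving "Assigned /64" at "none" reports "no-allocation", which is the state the post's update describes before the Submit button was clicked.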


GooglePot? 20 Feb
Okay, I don't get this one. To quote the site: Google Hack Honeypot is the reaction to a new type of malicious web traffic: search engine hackers.

Here's my take on it (please correct me if I'm wrong):

  • It's not a new type of malicious web traffic. Google's spider generates the traffic (it's legitimate traffic). At that point, exposure is your (the owner's) problem.
  • It's not a new type of malicious web traffic. It's a reconnaissance technique and is not necessarily malicious as the tools/techniques are available to all.
  • I think it slightly misses the definition of a honeypot in that attackers are researching known exploits via Google and are getting pointed towards GHH. At best, you might get a list of IPs attempting to exploit a vulnerability.
  • As GHH relies on Google entries to point to the honeypot, it lessens Google's accuracy just a bit more (little though it may be).

That said, I'd still like to try it out as it IS an interesting approach.

Comments, thoughts, beatings?

joat: 13:00:00 20 Feb 2005


GoogleMaps XML 20 Feb
According to this and this, GoogleMaps output can be switched to XML by adding "output=xml" to the URL.

The feature probably won't last that long if it gets abused (now that it's known) but it'll be interesting to see what happens with it...

joat: 13:00:00 20 Feb 2005


Sat, 19 Feb 2005

Huh? 19 Feb
Let me see if I can get this straight...

Two amateurs performed a make-believe (the article says "hypothetical") study of that old horse called "mine-is-more-secure-than-yours" and announced a winner, but then said that they couldn't afford to include any other OS's other than the two worst to begin with? Does anyone else smell sensationalism? Or stinky feet (sock puppets)? Why don't they just say that your kids are in danger or that old people will die?

Anyone else in 757 want to help do a study on these studies? It might get us into a Con or two...

joat: 23:30:00 19 Feb 2005


Why Johnny Can't Encrypt 19 Feb
Alma Whitten's paper "Why Johnny Can't Encrypt" is referenced often when discussing cryptography and crypto tools. Basically, it's a study of the shortcomings in the PGP interface. Some of it may be OBE as the paper is over five years old and external interfaces (e.g. mail clients) have matured somewhat.

joat: 13:00:00 19 Feb 2005


Fri, 18 Feb 2005

Security Links 18 Feb
It says it hasn't been updated in almost a year but here's a quite large page of security-related links.

joat: 13:00:00 18 Feb 2005


Thu, 17 Feb 2005

Wireless 17 Feb
Finally took the time to get OpenWRT installed on one of my WRT54G's. Now to figure out how to get an IPv6 connection up and running. I've added various applicable links in the Wireless section of the wiki.

joat: 13:00:00 17 Feb 2005


Not a solution 17 Feb
I don't like Paul Hoffman's solution any better than he likes "turn IDN off" or "make the problem so obnoxious that you cannot fail to notice it". His solution is based on the assumption that people pay attention to things.

Quick quiz: without looking, what color is the lock in the corner of your browser? Okay, how about in its other state?

joat: 02:24:48 17 Feb 2005


Wed, 16 Feb 2005

Spammer profile 16 Feb
Here's yet another spammer analysis. This one is incomplete but will hopefully help someone else in their searches.

The following URLs show up in unending attempts to post comment spam to the blog:

  • 888.ronnieazza.com
  • buy-phentermine.ronnieazza.com
  • buy-viagra.future-2000.net
  • buy-xanax.ronnieazza.com
  • carisoprodol.future-2000.net
  • cialis.future-2000.net
  • credit-cards.ronnieazza.com
  • didrex.future-2000.net
  • diet-pills.ronnieazza.com
  • free-poker.future-2000.net
  • generic-viagra.ronnieazza.com
  • loans.future-2000.net
  • online-pharmacy.future-2000.net
  • online-poker.future-2000.net
  • party-poker.ronnieazza.com
  • payday-loan.future-2000.net
  • pay-day-loan.ronnieazza.com
  • payday-loans.ronnieazza.com
  • phentermine.future-2000.net
  • poker-games.future-2000.net
  • poker-online.ronnieazza.com
  • poker.ronnieazza.com
  • private-mortgage.future-2000.net
  • prozac.future-2000.net
  • reductil.ronnieazza.com
  • soma.ronnieazza.com
  • student-loans.ronnieazza.com
  • texas-hold-em.future-2000.net
  • texas-holdem.ronnieazza.com
  • tramadol.ronnieazza.com
  • valium.ronnieazza.com
  • viagra.future-2000.net
  • www.future-2000.net
  • www.ronnieazza.com

All of the above translate to IP address 219.150.118.16.

A WHOIS lookup of 219.150.118.16 results in:

% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inetnum:      219.150.112.0 - 219.150.255.255
netname:      CHINATELECOM-ha
descr:        CHINANET henan province network
descr:        China Telecom
descr:        No.31,jingrong street
descr:        Beijing 100032
country:      CN
admin-c:      CH93-AP
tech-c:       HZ149-AP
mnt-by:       MAINT-CHINANET
mnt-lower:    MAINT-CHINATELECOM-ha
changed:      hostmaster@ns.chinanet.cn.net 20030820
status:       ALLOCATED NON-PORTABLE
source:       APNIC

person:       Chinanet Hostmaster
address:      No.31 ,jingrong street,beijing
address:      100032
country:      CN
phone:        +86-10-66027112
fax-no:       +86-10-58501144
e-mail:       hostmaster@ns.chinanet.cn.net
e-mail:       anti-spam@ns.chinanet.cn.net
nic-hdl:      CH93-AP
mnt-by:       MAINT-CHINANET
changed:      hostmaster@ns.chinanet.cn.net 20021016
remarks:      hostmaster is not for spam complaint,please 
send spam complaint to anti-spam@ns.chinanet.cn.net
source:       APNIC

person:       Hongbiao Zhang
nic-hdl:      HZ149-AP
e-mail:       ip@hntele.com
address:      97# Zhongyuan Street, Zhengzhou,Chinese
phone:        +86-371-5310007
fax-no:       +86-371-5310044
country:      CN
changed:      zhb@hntele.com 20030813
mnt-by:       MAINT-CHINATELECOM-HA
source:       APNIC

A WHOIS lookup of future-2000.net results in:

Domain Name: FUTURE-2000.NET

Registrant:
        Jim Fox
        122 W 90 Street
        NYC
        NY
        US
        10024

Administrative Contact:
        Leonel, Morgan (NIC-21487) mail29@support-2000.net
        Morgan Leonel
        Horseshoe Trail
        65
        Tabor
        Alaska,  US
        90471
        Phone: 9454141824

Billing Contact:
        Leonel, Morgan (NIC-21487) mail29@support-2000.net
        Morgan Leonel
        Horseshoe Trail
        65
        Tabor
        Alaska,  US
        90471
        Phone: 9454141824

Technical Contact:
        Leonel, Morgan (NIC-21487) mail29@support-2000.net
        Morgan Leonel
        Horseshoe Trail
        65
        Tabor
        Alaska,  US
        90471
        Phone: 9454141824

Domain servers in listed order:

        NS0.DNS2005.NET
        NS1.DNS2005.NET

        Record created on 2001-12-23 12:42:00.0
        Database last updated on 2005-02-10 12:30:04.967
        Domain Expires on 2007-12-23 12:42:00.0

A WHOIS lookup of ronnieazza.com results in:

   Domain Name: RONNIEAZZA.COM
   Registrar: MONIKER ONLINE SERVICES, INC.
   Whois Server: whois.moniker.com
   Referral URL: http://www.moniker.com/whois.html
   Name Server: NS0.MANAGE-DNS.NET
   Name Server: NS1.MANAGE-DNS.NET
   Status: REGISTRAR-LOCK
   Updated Date: 05-feb-2005
   Creation Date: 24-mar-2002
   Expiration Date: 24-mar-2007


Registrant:
        Susan Lee
        112 W 77 Street
        NYC
        NY
        US
        10020

Administrative Contact:
        Evelin, Porter (NIC-14080) contact56@support-24x7.biz
        Porter Evelin
        Woodmere Ct
        56
        Saint Ansgar
        Kansas,  US
        46318
        Phone: 8183780401

Billing Contact:
        Erika, Alicia (NIC-14090) contact66@support-24x7.biz
        Alicia Erika
        Devon State Rd
        66
        Sanborn
        Montana,  US
        43848
        Phone: 8193680401

Technical Contact:
        Evelin, Porter (NIC-14080) contact56@support-24x7.biz
        Porter Evelin
        Woodmere Ct
        56
        Saint Ansgar
        Kansas,  US
        46318
        Phone: 8183780401

Domain servers in listed order:

        NS0.MANAGE-DNS.NET
        NS1.MANAGE-DNS.NET

        Record created on 2002-03-24 09:04:00.0
        Database last updated on 2005-02-05 01:56:13.25
        Domain Expires on 2007-03-24 09:04:00.0

As both registrants are in the middle of Manhattan Island at addresses that do not correspond to any mailing address known to Google or Yahoo, I'm willing to bet that they're fake. Let's take a look at the mailing addresses for the technical and administrative contacts.

A WHOIS lookup for support-2000.net returns:

domain:         SUPPORT-2000.NET
owner-address:  Chen
owner-address:  282 Shibuya-ku
owner-address:  100-0005
owner-address:  Tokyo
owner-address:  Japan
admin-c:        CY187-GANDI
tech-c:         AR41-GANDI
bill-c:         CY187-GANDI
nserver:        full1.gandi.net 217.70.177.42
nserver:        full2.gandi.net 217.70.179.34
reg_created:    2004-12-08 04:30:26
expires:        2005-12-08 04:30:26
created:        2004-12-08 10:30:27
changed:        2004-12-08 10:30:27

person:         Chen Young
nic-hdl:        CY187-GANDI
address:        282 Shibuya-ku
address:        100-0005
address:        Tokyo
address:        Japan
phone:          +81.332146532
e-mail:         contact@support-2000.net
lastupdated:    2004-12-08 10:34:09

person:         GANDI Auto Register 4.1
nic-hdl:        AR41-GANDI
address:        GANDI
address:        38 rue Notre-Dame de Nazareth
address:        F-75003
address:        Paris
address:        France
phone:          N/A
e-mail:         support@gandi.net

Ah, it's that nice Registrar in France: Gandi. How about the other? A WHOIS lookup for support-24x7.biz returns:

support-24x7.biz = [ 217.70.180.17 ] 
 Domain Name:                                 SUPPORT-24X7.BIZ 
  Domain ID:                                   D7437648-BIZ 
  Sponsoring Registrar:                        GANDI SARL 
  Sponsoring Registrar IANA ID:                81 
  Domain Status:                               ok 
  Registrant ID:                               O-854424-GANDI 
  Registrant Name:                             Ron Miles 
  Registrant Organization:                     Phentermine Deals 
  Registrant Address1:                         P.O.box 710 
  Registrant City:                             St John's  English Harbour 
  Registrant Postal Code:                      2003 
  Registrant Country:                          Antigua and Barbuda 
  Registrant Country Code:                     AG 
  Registrant Phone Number:                     268.4606129 
  Registrant Email:                            
99f8210a45bbd8f39062cf022ba867b7-856213@owner.gandi.net
 
  Administrative Contact ID:                   RM957-GANDI 
  Administrative Contact Name:                 Ron Miles 
  Administrative Contact Organization:         Phentermine Deals 
  Administrative Contact Address1:             P.O.box 713 
  Administrative Contact City:                 St John's  English Harbour 
  Administrative Contact Postal Code:          2003 
  Administrative Contact Country:              Antigua and Barbuda 
  Administrative Contact Country Code:         AG 
  Administrative Contact Phone Number:         268.4606129 
  Administrative Contact Email:                
dea8e5907adc69b07c4df20c207e1894-rm957@contact.gandi.net
 
  Billing Contact ID:                          AR41-GANDI 
  Billing Contact Name:                        CONTACT NOT AUTHORITATIVE see 
http://www.gandi.net/whois 
  Billing Contact Organization:                Gandi SARL 
  Billing Contact Address1:                    38 rue Notre-Dame de Nazareth 
  Billing Contact City:                        Paris 
  Billing Contact Postal Code:                 75003 
  Billing Contact Country:                     France 
  Billing Contact Country Code:                FR 
  Billing Contact Email:                       support@gandi.net
 
  Technical Contact ID:                        AR41-GANDI 
  Technical Contact Name:                      CONTACT NOT AUTHORITATIVE see 
http://www.gandi.net/whois 
  Technical Contact Organization:              Gandi SARL 
  Technical Contact Address1:                  38 rue Notre-Dame de Nazareth 
  Technical Contact City:                      Paris 
  Technical Contact Postal Code:               75003 
  Technical Contact Country:                   France 
  Technical Contact Country Code:              FR 
  Technical Contact Email:                     support@gandi.net
 
  Name Server:                                 FULL1.GANDI.NET 
  Name Server:                                 FULL2.GANDI.NET 
  Created by Registrar:                        GANDI SARL 
  Last Updated by Registrar:                   GANDI SARL 
  Domain Registration Date:                    Tue Jul 27 06: 48: 49 GMT 2004 
  Domain Expiration Date:                      Tue Jul 26 23: 59: 59 GMT 2005 
  Domain Last Updated Date:                    Thu Aug 26 15: 05: 55 GMT 2004 
  >>> Whois database was last updated on: Sat Feb 12 23: 43: 13 GMT 2005 <<< 
  NOTE: FAILURE TO LOCATE A RECORD IN THE WHOIS DATABASE IS NOT INDICATIVE 
  OF THE AVAILABILITY OF A DOMAIN NAME. 

Yep, the nice Registrar again. Let's look at mail servers...

The mail server for future-2000.net is:

Non-authoritative answer:
*** Can't find future-2000.net: No answer

Authoritative answers can be found from:
future-2000.net
        origin = ns0.future-2000.net
        mail addr = hostmaster.future-2000.net
        serial = 200308131
        refresh = 1800
        retry = 900
        expire = 604810
        minimum = 1200

Hmm... Doesn't exist. If we ask ns0.future-2000.net we get:

Server:  ns0.future-2000.net
Address:  219.150.118.16

Authoritative answers can be found from:
(root)  nameserver = F.ROOT-SERVERS.net
(root)  nameserver = G.ROOT-SERVERS.net
(root)  nameserver = H.ROOT-SERVERS.net
(root)  nameserver = I.ROOT-SERVERS.net
(root)  nameserver = J.ROOT-SERVERS.net
(root)  nameserver = K.ROOT-SERVERS.net
(root)  nameserver = L.ROOT-SERVERS.net
(root)  nameserver = M.ROOT-SERVERS.net
(root)  nameserver = A.ROOT-SERVERS.net
(root)  nameserver = B.ROOT-SERVERS.net
(root)  nameserver = C.ROOT-SERVERS.net
(root)  nameserver = D.ROOT-SERVERS.net
(root)  nameserver = E.ROOT-SERVERS.net

So it doesn't exist. An "A" query for future-2000.net (just in case it's an explicit name rather than an MX) yields similar results. Actually, any query to ns0.future-2000.net returns only pointers to the root servers. This might be valuable later in complaining about the domain.

Also, please note that the root servers indicate that the domain is served by ns0.future-2000.net and that it is at 219.150.118.16. This most definitely is valuable when we look at server headers below.

The mail server for support-24x7.biz is:

Server:  full1.gandi.net
Address:  217.70.177.42

support-24x7.biz        preference = 10, mail exchanger = 
			redir-mailav-telehouse1.gandi.net
support-24x7.biz        preference = 10, mail exchanger = 
			redir-mailav-telehouse2.gandi.net
support-24x7.biz        nameserver = full1.gandi.net
support-24x7.biz        nameserver = full2.gandi.net

Let's see if we can grab web server headers:

> wget -S http://www.support-24x7.biz
--19:05:00--  http://www.support-24x7.biz/
           => `index.html.7'
Resolving www.support-24x7.biz... done.
Connecting to www.support-24x7.biz[217.70.180.17]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 302 Found
 2 Date: Sun, 13 Feb 2005 00:05:03 GMT
 3 Server: Apache/1.3.28 (Unix)
 4 Location: http://redir-error.gandi.net
 5 Connection: close
 6 Content-Type: text/html; charset=iso-8859-1
Location: http://redir-error.gandi.net [following]
--19:05:03--  http://redir-error.gandi.net/
           => `index.html.7'
Resolving redir-error.gandi.net... done.
Connecting to redir-error.gandi.net[217.70.178.17]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 00:05:03 GMT
 3 Server: Apache/1.3.23 (Unix) Debian GNU/Linux
 4 Last-Modified: Thu, 23 Dec 2004 15:30:56 GMT
 5 ETag: "2fe87-275-41cae4b0"
 6 Accept-Ranges: bytes
 7 Content-Length: 629
 8 Connection: close
 9 Content-Type: text/html; charset=iso-8859-1

100%[====================================>] 629          614.26K/s    ETA 00:00

19:05:03 (614.26 KB/s) - `index.html.7' saved [629/629]

This could be the standard redirect that some of the registrars have started doing. (Yeah, even Network Solutions uses this unethical practice.)

> wget -S http://www.future-2000.net
--19:14:15--  http://www.future-2000.net/
           => `index.html.9'
Resolving www.future-2000.net... done.
Connecting to www.future-2000.net[219.150.118.16]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 13:17:15 GMT
 3 Server: Apache
 4 Accept-Ranges: bytes
 5 X-Powered-By: PHP/4.2.2
 6 Content-Length: 2121
 7 Connection: close
 8 Content-Type: text/html; charset=UTF-8

100%[====================================>] 2,121          4.86K/s    ETA 00:00

19:14:17 (4.86 KB/s) - `index.html.9' saved [2121/2121]

Ah! Not a redirect! Grabbing www.future-2000.net returns a page that looks like:

This former info is currently under investigation - Due to mis-proper use of the hosting account

Service Unavailable!

Take a step to eliminate service agreement breaches. Please fill the form so we can take action.
Issue:
Your site/URL:
Additional Information:
Verification Code:

The publisher of this web site expressly denies liability and undertakes no responsibility for the reliance on information or services found herein. We and/or our respective suppliers may make improvements and/or changes in the sites/services at any time. This website is for your personal and non-commercial use.


In the above, I disabled the following two lines:

<form name=frm method='post' action=' http://64.234.220.141/submitAbuse.php' onsubmit='return checkSubmit()'>

<img align=middle src="http://64.234.220.141/captcha.php" width=70 height=20>  

Somehow, I'm still not convinced. Let's take a look at that IP address. A reverse lookup of 64.234.220.141 returns:

Name:    shetef.com
Address:  64.234.220.141

A Google lookup on "shetef.com" leads to a slew of bloggers who've gotten this far and have complained about a spammer and are looking for someone to pound.

A WHOIS lookup on the 64.234.220.141 returns:

OrgName:    WebStream, Inc.
OrgID:      WEBSTR
Address:    2200 West Commercial Blvd
Address:    Suite 204
City:       Fort Lauderdale
StateProv:  FL
PostalCode: 33309
Country:    US

NetRange:   64.234.192.0 - 64.234.223.255
CIDR:       64.234.192.0/19
NetName:    WEBSTREAM-1
NetHandle:  NET-64-234-192-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: WEB.WEBSTREAM.NET
NameServer: WW2.WEBSTREAM.NET
Comment:
RegDate:    2002-09-09
Updated:    2003-10-10

OrgAbuseHandle: ABUSE39-ARIN
OrgAbuseName:   Abuse Investigations
OrgAbusePhone:  +1-954-730-7405
OrgAbuseEmail:  abuse@webstream.net

OrgTechHandle: HOSTM11-ARIN
OrgTechName:   Hostmaster
OrgTechPhone:  +1-954-730-7405
OrgTechEmail:  hostmaster@webstream.net

# ARIN WHOIS database, last updated 2005-02-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Just to play it safe, let's look at WebStream also. A WHOIS returns:

Registrant:
 WebStream, Inc.
 2200 W Commercial Blvd
 Suite 204
 Fort Lauderdale, FL 33309
 US

 Domain name: WEBSTREAM.NET

 Administrative Contact:
    Master, Host  hostmaster@WEBSTREAM.NET
    2200 W Commercial Blvd
    Suite 204
    Fort Lauderdale, FL 33309
    US
    954-730-7405    Fax: 954-733-7067

 Technical Contact:
    Master, Host  hostmaster@WEBSTREAM.NET
    2200 W Commercial Blvd
    Suite 204
    Fort Lauderdale, FL 33309
    US
    954-730-7405    Fax: 954-733-7067



 Registration Service Provider:
    Webstream, Inc.
    954-730-7405
    954-733-7067 (fax)
    http://www.webstream.net



 Registrar of Record: TUCOWS, INC.
 Record last updated on 03-Feb-2004.
 Record expires on 26-Jun-2005.
 Record created on 27-Jun-1997.

 Domain servers in listed order:
    WEB.WEBSTREAM.NET   64.234.192.5
    WW2.WEBSTREAM.NET   64.234.192.6
    NS2.WEBSTREAM.NET   64.234.192.6
    NS1.WEBSTREAM.NET   64.234.192.5

A DNS MX lookup on shetef.com returns:

Non-authoritative answer:
shetef.com      preference = 10, mail exchanger = mail.shetef.com

Authoritative answers can be found from:
shetef.com      nameserver = ns2.dnsmadeeasy.com
shetef.com      nameserver = ns3.dnsmadeeasy.com
shetef.com      nameserver = ns4.dnsmadeeasy.com
shetef.com      nameserver = ns0.dnsmadeeasy.com
shetef.com      nameserver = ns1.dnsmadeeasy.com
mail.shetef.com internet address = 67.18.52.66
ns2.dnsmadeeasy.com     internet address = 66.117.40.198
ns3.dnsmadeeasy.com     internet address = 64.246.42.123
ns4.dnsmadeeasy.com     internet address = 205.177.124.51
ns0.dnsmadeeasy.com     internet address = 63.219.151.3
ns1.dnsmadeeasy.com     internet address = 69.10.137.166

The mail server for shetef.com is in yet another IP range? A WHOIS lookup on 67.18.52.66 returns:

OrgName:    ThePlanet.com Internet Services, Inc.
OrgID:      TPCM
Address:    1333 North Stemmons Freeway
Address:    Suite 110
City:       Dallas
StateProv:  TX
PostalCode: 75207
Country:    US

ReferralServer: rwhois://rwhois.theplanet.com:4321

NetRange:   67.18.0.0 - 67.19.255.255
CIDR:       67.18.0.0/15
NetName:    NETBLK-THEPLANET-BLK-11
NetHandle:  NET-67-18-0-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
Comment:
RegDate:    2004-03-15
Updated:    2004-07-29

TechHandle: PP46-ARIN
TechName:   Pathos, Peter
TechPhone:  +1-214-782-7800
TechEmail:  abuse@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-214-782-7802
OrgAbuseEmail:  abuse@theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName:   Technical Support
OrgNOCPhone:  +1-214-782-7800
OrgNOCEmail:  admins@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName:   Technical Support
OrgTechPhone:  +1-214-782-7800
OrgTechEmail:  admins@theplanet.com

# ARIN WHOIS database, last updated 2005-02-11 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

A DNS reverse lookup on 67.18.52.66 returns:

Name:    escape.websitewelcome.com
Address:  67.18.52.66

Remember the WHOIS lookup for future-2000.net? It had the following DNS servers:

        NS0.DNS2005.NET
        NS1.DNS2005.NET

A WHOIS lookup on dns2005.net returns:

domain:         DNS2005.NET
owner-address:  Phentermine Deals
owner-address:  P.O.box 710
owner-address:  2003
owner-address:  St John's, English Harbour
owner-address:  Antigua and Barbuda
admin-c:        RM957-GANDI
tech-c:         AR41-GANDI
bill-c:         RM957-GANDI
nserver:        ns0.dns2005.net 64.234.220.141
nserver:        ns1.dns2005.net 64.234.220.141
reg_created:    2004-10-12 10:20:26
expires:        2005-10-12 10:20:26
created:        2004-10-12 16:20:24
changed:        2004-10-12 16:42:24

person:         Ron Miles
nic-hdl:        RM957-GANDI
address:        Phentermine Deals
address:        P.O.box 713
address:        2003
address:        St John's, English Harbour
address:        Antigua and Barbuda
phone:          +268.4606129
e-mail:         dea8e5907adc69b07c4df20c207e1894-rm957@contact.gandi.net
lastupdated:    2004-11-29 01:08:27

person:         GANDI Auto Register 4.1
nic-hdl:        AR41-GANDI
address:        GANDI
address:        38 rue Notre-Dame de Nazareth
address:        F-75003
address:        Paris
address:        France
phone:          N/A
e-mail:         support@gandi.net

Again, Gandi.net. Also note the IP addresses for the DNS servers: 64.234.220.141. We've seen that one. It's our friend shetef.com again!

How about the DNS servers for ronnieazza.com? A WHOIS lookup on manage-dns.net returns:

domain:         MANAGE-DNS.NET
owner-address:  Betina
owner-address:  Alameda Santos, 2233
owner-address:  4461
owner-address:  Sao Paulo
owner-address:  Brazil
admin-c:        BR701-GANDI
tech-c:         AR41-GANDI
bill-c:         BR701-GANDI
nserver:        ns0.manage-dns.net 64.234.220.141
nserver:        ns1.manage-dns.net 64.234.220.141
reg_created:    2004-11-10 13:29:50
expires:        2005-11-10 13:29:50
created:        2004-11-10 19:29:51
changed:        2004-11-10 19:42:10

person:         Betina Raul
nic-hdl:        BR701-GANDI
address:        Alameda Santos, 2263
address:        4461
address:        Sao Paulo
address:        Brazil
phone:          +55.1130692263
e-mail:         contact@top-support.net
lastupdated:    2005-02-03 14:10:46

person:         GANDI Auto Register 4.1
nic-hdl:        AR41-GANDI
address:        GANDI
address:        38 rue Notre-Dame de Nazareth
address:        F-75003
address:        Paris
address:        France
phone:          N/A
e-mail:         support@gandi.net

Again, the Gandi registrar and the shetef.com DNS server. How about MX records for those two?

A DNS MX lookup on dns2005.net returns:

Authoritative answers can be found from:
dns2005.net
        origin = ns0.dns2005.net
        mail addr = hostmaster.dns2005.net
        serial = 200308131
        refresh = 1800 (30M)
        retry   = 900 (15M)
        expire  = 604810 (1w10s)
        minimum ttl = 1200 (20M)

A familiar failure. A DNS MX lookup on manage-dns.net returns:

** server can't find manage-dns.net: SERVFAIL

So MX records for manage-dns.net aren't configured. Remember that the WHOIS lookup for manage-dns.net points back to 64.234.220.141. Let's take a closer look at that IP. Remember the reverse lookup on 64.234.220.141 returned:

Name:    shetef.com
Address:  64.234.220.141

and that the MX record for shetef.com returned:

Non-authoritative answer:
shetef.com      preference = 10, mail exchanger = mail.shetef.com

Authoritative answers can be found from:
shetef.com      nameserver = ns2.dnsmadeeasy.com
shetef.com      nameserver = ns3.dnsmadeeasy.com
shetef.com      nameserver = ns4.dnsmadeeasy.com
shetef.com      nameserver = ns0.dnsmadeeasy.com
shetef.com      nameserver = ns1.dnsmadeeasy.com
mail.shetef.com internet address = 67.18.52.66
ns2.dnsmadeeasy.com     internet address = 66.117.40.198
ns3.dnsmadeeasy.com     internet address = 64.246.42.123
ns4.dnsmadeeasy.com     internet address = 205.177.124.51
ns0.dnsmadeeasy.com     internet address = 63.219.151.3
ns1.dnsmadeeasy.com     internet address = 69.10.137.166

Connecting to port 25 on the mail server returns:

> telnet 67.18.52.66 25
Trying 67.18.52.66...
Connected to escape.websitewelcome.com.
Escape character is '^]'.
220-escape.websitewelcome.com ESMTP Exim 4.44 #1 Sat, 12 Feb 2005 20:00:14 -0600
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
quit
221 escape.websitewelcome.com closing connection
Connection closed by foreign host.

Pointing a browser at http://shetef.com indicates that shetef.com is an Israeli software seller with the following info:

A fax number of +972-8-9389070
A business number of +972-8-930-0519
A mailing address of:
     Shetef Solutions & Consulting Ltd.
     P.O. Box 637
     Ness-Ziona 704000
     ISRAEL

Grabbing the server headers for shetef.com returns:

> wget -S http://shetef.com
--21:08:31--  http://shetef.com/
           => `index.html.11'
Resolving shetef.com... done.
Connecting to shetef.com[67.18.52.66]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 02:08:35 GMT
 3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_auth_passthrough/1.8 
mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 
mod_ssl/2.8.22 OpenSSL/0.9.7a
 4 Last-Modified: Fri, 06 Aug 2004 17:08:39 GMT
 5 ETag: "db843b-75f-4113bb17"
 6 Accept-Ranges: bytes
 7 Content-Length: 1887
 8 Keep-Alive: timeout=15
 9 Connection: Keep-Alive
10 Content-Type: text/html

100%[====================================>] 1,887        263.25K/s    ETA 00:00

21:08:31 (263.25 KB/s) - `index.html.11' saved [1887/1887]

The domain websitewelcome.com is registered via Enom, Inc., which does not give out its customers' domain info.

Grabbing the web server headers for http://escape.websitewelcome.com returns:

> wget -S http://escape.websitewelcome.com
--21:17:48--  http://escape.websitewelcome.com/
           => `index.html.12'
Resolving escape.websitewelcome.com... done.
Connecting to escape.websitewelcome.com[67.18.52.66]:80... connected.
HTTP request sent, awaiting response...
 1 HTTP/1.1 200 OK
 2 Date: Sun, 13 Feb 2005 02:17:52 GMT
 3 Server: Apache/1.3.33 (Unix) PHP/4.3.10 mod_auth_passthrough/1.8 
mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635 
mod_ssl/2.8.22 OpenSSL/0.9.7a
 4 Last-Modified: Mon, 17 May 2004 00:18:11 GMT
 5 ETag: "1fe5b-b9d-40a804c3"
 6 Accept-Ranges: bytes
 7 Content-Length: 2973
 8 Keep-Alive: timeout=15
 9 Connection: Keep-Alive
10 Content-Type: text/html

100%[====================================>] 2,973         31.90K/s    ETA 00:00

21:17:48 (31.90 KB/s) - `index.html.12' saved [2973/2973]

Pointing a browser at http://escape.websitewelcome.com brings up the standard cPanel default page. So does pointing the browser at the IP address.

Performing a Google lookup on websitewelcome.com reveals that the domain appears to be a reseller client of hostgator.com. Suspiciously, it appears to be their only reseller client. One of HostGator's features is that reseller clients are allowed to host unlimited sites.

Pointing a browser at http://www.websitewelcome.com returns a directory listing.

Going back to shetef.com, a Google search reveals that CodyTheFreak is quite unhappy with shetef.com. He also points out a few extra domains. It appears that CodyTheFreak and I are the only ones who have traced the spammer back that far and complained about it. All other Google entries appear to be spam for the shareware/software available on shetef's site.

I've probably missed a bunch of stuff associated with this spammer, but as I've spent the better part of a Saturday afternoon working on this, I'm going to drop it here.
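The pivots above (a shared nameserver IP, a shared contact handle, an MX host that resolves to the same box) are the kind of thing that is easy to lose track of by hand after the fourth WHOIS lookup. The following is an added example, not part of the original post: a small correlator that indexes Gandi-style WHOIS output and DNS answers by the artefact they expose, then walks from one domain to every other name reachable through a shared artefact. The WHOIS and DNS values are constructed from the lookups quoted above; the treatment of AR41-GANDI as a registrar-generic handle is an assumption based on the record calling it "GANDI Auto Register 4.1", since sharing the registrar's own automated contact only proves that two domains used the same registrar.

```python
"""Correlate WHOIS contact handles, nameserver IPs and DNS answers across
domains so that a cluster of throwaway domains can be seen as one operation.
Added example; values below are constructed from the write-up's lookups."""
import re
from collections import defaultdict, deque

# Constructed sample input: trimmed Gandi-style "key: value" WHOIS records.
WHOIS_RECORDS = {
    "dns2005.net": """\
domain:         DNS2005.NET
admin-c:        RM957-GANDI
tech-c:         AR41-GANDI
bill-c:         RM957-GANDI
nserver:        ns0.dns2005.net 64.234.220.141
nserver:        ns1.dns2005.net 64.234.220.141
""",
    "manage-dns.net": """\
domain:         MANAGE-DNS.NET
admin-c:        BR701-GANDI
tech-c:         AR41-GANDI
bill-c:         BR701-GANDI
nserver:        ns0.manage-dns.net 64.234.220.141
nserver:        ns1.manage-dns.net 64.234.220.141
""",
}

# Constructed sample DNS facts as (name, type, value) triples.
DNS_FACTS = [
    ("64.234.220.141", "PTR", "shetef.com"),           # reverse lookup
    ("shetef.com", "A", "67.18.52.66"),                # where wget connected
    ("mail.shetef.com", "A", "67.18.52.66"),           # the MX host for shetef.com
    ("67.18.52.66", "PTR", "escape.websitewelcome.com"),
]

# Assumption: handles owned by the registrar's automation rather than a
# customer. Sharing one only says "same registrar", so it is a weak link.
GENERIC_HANDLES = {"AR41-GANDI"}

WHOIS_LINE = re.compile(r"^(?P<key>[\w-]+):\s*(?P<value>.+?)\s*$")


def parse_whois(text):
    """Return (contact handles, nameserver IPs) found in one WHOIS record."""
    handles, ns_ips = set(), set()
    for line in text.splitlines():
        m = WHOIS_LINE.match(line)
        if not m:
            continue
        key, value = m.group("key"), m.group("value")
        if key in ("admin-c", "tech-c", "bill-c"):
            handles.add(value)
        elif key == "nserver":
            parts = value.split()
            if len(parts) == 2:          # "ns0.example.net 192.0.2.1" glue form
                ns_ips.add(parts[1])
    return handles, ns_ips


def build_index(whois_records, dns_facts):
    """Map each artefact ("ip:..." or "handle:...") to the names that use it."""
    index = defaultdict(set)
    for domain, text in whois_records.items():
        handles, ns_ips = parse_whois(text)
        for h in handles:
            index["handle:" + h].add(domain)
        for ip in ns_ips:
            index["ip:" + ip].add(domain)
    for name, rtype, value in dns_facts:
        if rtype == "A":                 # name resolves to the IP in value
            index["ip:" + value].add(name)
        elif rtype == "PTR":             # name is the IP, value the host it maps to
            index["ip:" + name].add(value)
    return index


def shared_artifacts(index, strong_only=False):
    """Artefacts that tie two or more names together, optionally dropping
    registrar-generic handles."""
    out = {}
    for art, names in index.items():
        if len(names) < 2:
            continue
        if strong_only and art.startswith("handle:") and art[7:] in GENERIC_HANDLES:
            continue
        out[art] = set(names)
    return out


def linked_names(start, index, strong_only=True):
    """Breadth-first walk from one name across shared artefacts.
    Returns {name: artefact it was first reached through}; start maps to None."""
    links = shared_artifacts(index, strong_only)
    seen = {start: None}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for art, names in links.items():
            if current not in names:
                continue
            for other in names:
                if other not in seen:
                    seen[other] = art
                    queue.append(other)
    return seen


if __name__ == "__main__":
    idx = build_index(WHOIS_RECORDS, DNS_FACTS)
    for art, names in sorted(shared_artifacts(idx).items()):
        print(f"{art:25s} -> {', '.join(sorted(names))}")
    for name, via in linked_names("dns2005.net", idx).items():
        print(f"{name:30s} via {via}")
```

Run as-is it prints the artefact clusters and the chain from dns2005.net through 64.234.220.141 to shetef.com and on through 67.18.52.66 to escape.websitewelcome.com, which is the same path the post walks by hand. Keeping the weak and strong links separate matters: a reseller box or a registrar's auto-contact ties unrelated customers together, so a hit on a generic handle should lower confidence rather than extend the chain.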

joat: 13:00:00 16 Feb 2005


Tue, 15 Feb 2005

ARP-SK 15 Feb
Here's the homepage for ARP-SK which also has a good discussion of ARP basics and theory.

joat: 13:00:00 15 Feb 2005


Mon, 14 Feb 2005

Fighting Spammers 14 Feb
Security Focus has a two-part series entitled "Fighting Spammers With Honeypots". (Part 1) (Part 2)

joat: 13:00:00 14 Feb 2005


Sun, 13 Feb 2005

Kostya Kortchinsky 13 Feb
In doing a bit of research on IPv6, I came across Kostya Kortchinsky who seems to be very prolific in the IPv6, honeypots, and security areas.

joat: 13:00:00 13 Feb 2005


Sat, 12 Feb 2005

Tivo Upgrade 12 Feb
This is worse than being five and having to live through that time between Thanksgiving and Christmas. I read in Tivo's support forums that it's been taking about a month to get the 7.x upgrade. For me, it's going on five weeks so it's supposedly going to happen any day now.

Tivo! Save my wife's sanity! She can't stand to hear my continuous kvetching about waiting for the upgrade. (heh)

joat: 19:00:00 12 Feb 2005


Anti-419 12 Feb
Artists Against 419 is a site devoted to DoS'ing the scam artists' fake bank sites. I don't know that I'd recommend this approach as you can be prosecuted in most places for DoS'ing someone.

It is interesting to watch though.

joat: 13:30:00 12 Feb 2005


Blogging 12 Feb
Added Oddbob/Dipnet to ports page. Added Anonymity, Cryptography and Steganography pages to the wiki (links at the top-center of this page).

joat: 13:00:00 12 Feb 2005


More ShmooCon 12 Feb
amk has further commentary about the ShmooCon that hasn't been posted here (i.e., he attended many of the presentations that I didn't). Read his comments here.

joat: 13:00:00 12 Feb 2005


Fri, 11 Feb 2005

PodCasting 11 Feb
CNN has an article about podcasting. It's not technical but does cover some of the "why" and the "who".

I recently started listening to various people's podcasts on the way into work (a 1-hour drive).

joat: 13:00:00 11 Feb 2005


Thu, 10 Feb 2005

IPSec Pentesting 10 Feb
Security Focus has a good article on pentesting IPSec VPNs.

joat: 22:30:00 10 Feb 2005


Wed, 09 Feb 2005

Ask Jeeves 09 Feb
"Ask Jeeves" has acquired Bloglines (the aggregator that I use).

joat: 13:00:00 9 Feb 2005


ShmooCon end 09 Feb
Richard Bejtlich described it much better (hint: 3 links) than I could.

To add to what Richard has said:

  • Brian was pressed for time towards the end so he started talking faster (syllables and inflections intact). So much so that only those of us from NY could understand him.
  • There were some shenanigans at the conference but not enough to involve evictions or law enforcement. (Those involved will have to incriminate themselves.)
  • Richard's picture of Renderman wearing his warpack doesn't do it justice. In the picture, it's disassembled, missing the two antennas that stick up about two feet higher than that hat, missing the cables, and missing the other hand-held antenna (that's only one he's holding). Someone out there has a better picture.
  • Here's a version of the story about the vulnerability that the Shmoo Group demo'd during the closing of the Con.

On behalf of the entire conference, I'd like to apologize to the religious group(s) occupying the two floors (of conference rooms) above us. We're not evil, we're just drawn that way. (At least three older women ignored my attempted Jedi warning of "you don't want to go down there" and rounded the corner just in time to see the word "fuck" displayed on a large plasma screen display.) Someone in hotel booking had a sense of humor, booking the hacker convention on the bottom floor and filling in with church groups above.

Lastly, I propose a game for next year. DefCon has "Spot the Fed". Given the location and the size of the conference, spotting a Fed would have been too easy. How about we run "Spot the Author" as an east coast game? I was able to meet/talk to/drink beer with Jason Scott and Richard Thieme. I molested Johnny Long for an autograph and would have liked to meet Richard Bejtlich and a few others. Rather than throwing a party at a club across town, have the authors hold court in the lobby bar and pay their tab. (Rumor has it that the mostly non-author liquor sponges went through $6K of free booze at the club in less than an hour.) (For the math-challenged, that's a bit over $100 of alcohol per minute.)

Oh, and thanks to the GrayArea.info bunch for fronting for those of us that were avoiding the dress code and the DC cab ride.

joat: 02:41:53 9 Feb 2005


Tue, 08 Feb 2005

Shmoo Presentations 08 Feb
I'm getting help in making the ShmooCon presentations loaded. (I don't want to anger the quota gods here.)

joat: 13:00:00 8 Feb 2005


Mon, 07 Feb 2005

Caezar 07 Feb
One memorable meme from Riley "Caezar" Eller's Keynote speech from Saturday: "Life sucks." However, he wasn't talking about his own life. He was justifying why we, as security professionals, should make things simple and safe enough for the inbred yokel to use.

None of that is a direct quote but you get the idea...

joat: 21:30:00 7 Feb 2005


Target-based IDS 07 Feb
Sat in on the Target-based IDS (Snort) brief on Sunday. A lot of interesting stuff is coming for Snort: new data acquisition modules (you'll be able to take the packets rejected by your IPFW/IPTables/etc. and feed them into Snort for analysis), new stream reassembly modules, IPv6, and new defrag modules.

Based on the presentation and depending on how it's implemented, Snort could get very complicated for production environments.

joat: 21:00:00 7 Feb 2005


Sun, 06 Feb 2005

Module 7 06 Feb
About.com reports that Search Security's free CISSP training is up to domain 7.

joat: 13:00:00 6 Feb 2005


WRT54G 06 Feb
Sysmin and Quigon did an interesting talk on non-standard uses for the Linksys WRT54G. Hint: keep an eye on their site (www.hackerpimps.com) over the next few days for a new 54G-based tool. You'll snicker when you see it.

To be fair, I won't name it/talk about it until they post it.

joat: 01:34:00 6 Feb 2005


Sat, 05 Feb 2005

Friday night 05 Feb
Got here safe and sound, after getting lost in downtown DC twice (why didn't anyone tell me that you can't make any turns off of K street!) (you have to get in the service lane).

In any case, the con started nicely. Bruce Potter gave the opening speech, embarrassing both his wife and his mother. (If Heidi blushed any harder, she'd probably fall over.) Bruce needs more hecklers (he can handle 'em). He introduced the rest of the Shmoo Group (that were present). Anyone missing was declared "at the liquor store" by those plants in the audience.

Although Brian Caswell's (AKA Cazz) talk on autoloading Snort rules amounted to watching someone show off a script, it was entertaining and evoked some thought. Brian needs fewer hecklers but the argument over crypto was funny.

It was a bit scary seeing Tina Bird wander through the audience with her CAT-5 of nine tails. The guys in the front row were having a good time with the Guinness and shots. Rodney needs to get over the little things.

Sightings include: the Shmoo Group (of course), various of the Ghetto Hackers, Dark Tangent (who autographed at least one book at the Culture Junkie stand), various acronym'd people and 757. I haven't seen so much leather, hair (or lack of), and body piercings since the Friday night when I was stranded in Port Authority (NYC).

Immediately after the scheduled talks, Tina was seen with a group in tow, headed into town. People that were interested in the whip? Where were they going?

joat: 20:30:00 5 Feb 2005


Shmoo VPN info 05 Feb
Here's the Shmoo Group's VPN info page.

joat: 13:00:00 5 Feb 2005


Fri, 04 Feb 2005

IPSec Howto 04 Feb
From last night's TWUUG meeting, here's a site that's a good help in getting IPSec up and running. It's Linux-oriented but helpful in any case.

joat: 15:15:17 4 Feb 2005


On the road 04 Feb
I'm on the road to Shmoo. I'm an hour late getting out the door. Hope there are no traffic problems (I can wish, can't I?).

joat: 15:13:29 4 Feb 2005


SecurityGeeks 04 Feb
Here's the Shmoo Group's SecurityGeeks blog. Mebbe we can ask them to "unstick" the blog at the con?

joat: 13:10:00 4 Feb 2005


TEMPEST 04 Feb
Here's The Shmoo Group's TEMPEST page.

joat: 13:00:00 4 Feb 2005


Thu, 03 Feb 2005

Forensic discovery with MACtimes