NETWORK INTRUSIONS
This excellent tutorial is the work of NTSA, who has very kindly consented to the TAZ hosting it.
You can find the original post here:
http://www.antionline.com/showthread.php?s=&threadid=230396
Enjoy!
This is an impromptu tutorial on tracing skiddiots - because I just found one in our logs:

Quote:
ClientHost       LogTime                  Service  Machine
-------------------------------------------------------------------------------
199.111.104.201  2002-06-15 17:49:30.000  W3SVC1   NTSA-SERV

ServerIP         Target                                       Parameters
-------------------------------------------------------------------------------
xxx.xxx.xxx.xxx  /scripts/..%5c%5c../winnt/system32/cmd.exe   /c+dir
I'm sure we all recognise the cook-book directory traversal exploit attempted here (which failed btw). So it's a kiddiot. Let's take a quick trip to www.samspade.org :
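To show how an entry like the one above can be picked out of an IIS log automatically, here is an added Python example (not part of NTSA's tutorial) that percent-decodes each record's Target field, folds backslashes to forward slashes and flags directory traversal aimed at sensitive files. The log sample is constructed: the first record mirrors the entry quoted above, the others are made up for contrast.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Constructed sample in the page's column order (ClientHost, LogTime, Service,
# Machine, Target, Parameters); only the first record comes from the tutorial.
SAMPLE_LOG = """\
199.111.104.201 2002-06-15 17:49:30.000 W3SVC1 NTSA-SERV /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir
10.0.0.7 2002-06-15 17:50:02.000 W3SVC1 NTSA-SERV /index.htm -
10.0.0.9 2002-06-15 17:51:10.000 W3SVC1 NTSA-SERV /scripts/..%255c../winnt/system32/cmd.exe /c+dir
10.0.0.12 2002-06-15 17:52:44.000 W3SVC1 NTSA-SERV /images/..%2f..%2fetc/passwd -
"""

# ".." bounded by slashes (or path start/end) after normalisation.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
# Markers that turn a generic traversal into a high-priority finding.
SENSITIVE = ("cmd.exe", "/winnt/system32/", "/etc/passwd")


def normalise_path(raw: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), since some servers decoded a
    request more than once; then fold '\\' to '/' and lower-case."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify(target: str) -> Optional[str]:
    """Return a reason string if the Target is a traversal attempt, else None."""
    path = normalise_path(target)
    if not TRAVERSAL.search(path):
        return None
    for marker in SENSITIVE:
        if marker in path:
            return f"traversal to {marker}"
    return "traversal"


def scan_iis_log(text: str) -> list:
    """One finding dict per record whose Target looks like a traversal."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or truncated record
        client, date, time_, _service, _machine, target = fields[:6]
        reason = classify(target)
        if reason:
            findings.append({"client": client, "time": f"{date} {time_}",
                             "target": target, "params": " ".join(fields[6:]) or "-",
                             "reason": reason})
    return findings
```

The finding records carry the client address and timestamp, which is exactly what the whois lookup and abuse letter below need.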
Quote:
Trying whois -h whois.arin.net 199.111.104.201
VERnet (NETBLK-VERNET-CIDR1)
   University of Virginia Academic Computing Center
   Gilmer Hall
   Charlottesville, VA 22901
   US

   Netname: NETBLK-VERNET-CIDR1
   Netblock: 199.111.0.0 - 199.111.255.255
   Maintainer: VER

   Coordinator:
      Jokl, James A. (JAJ17-ARIN) jaj@VIRGINIA.EDU
      (804) 924-0616

   Domain System inverse mapping provided by:

   UVAARPA.VIRGINIA.EDU 128.143.2.7
   JUNO.ACC.VIRGINIA.EDU 128.143.22.119

   Record last updated on 05-Apr-1994.
   Database last updated on 14-Jun-2002 20:01:02 EDT.
So the kiddiot is (probably) a student at University of Virginia. A nasty letter to the Netblock administrator will mean that's one kiddiot who's in for a nasty shock Monday morning. Word Up - and the word was 'busted'.
Quote:
Hi --

You are listed as the admin contact for the Netblock: 199.111.0.0 - 199.111.255.255
University of Virginia Academic Computing Center
Gilmer Hall
Charlottesville, VA 22901

We monitored an attempted network intrusion from an address in your IP range today (2002-06-15). The attack (which failed) came from IP address 199.111.104.201 at 17:49:30 (GMT).

The actual attack attempted was a simple directory traversal exploit against a command line.

I would be grateful if you could take appropriate sanctions against the student involved. Someone obviously considers themselves to be 'l33t' - perhaps you could explain to them that under new US legislation such exploits are classed as terrorism.

Regards,
Original Tutorial
Submitted by Nokia for TheTAZZone-TAZForum
Originally posted on March 7th, 2006 here

Do not use, republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post...we do not sell, publish, transmit, or have the right to give permission for such...TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.

