Browse the Internet As Localhost

Status
Not open for further replies.

Goons

Technical User
Mar 15, 2006
9
GB
Hey guys,

Have a bit of a strange one here. Hopefully I have put this topic in the correct forum as I didn't really know how to classify it. Anyway - on with the problem:

We have a website and forum (IPB 2 fully patched) and unfortunately, some troublemaking visitors. Obviously we can block the IP addresses, then they switch to using proxies so we put countermeasures in place to prevent users connecting through a proxy. However - we now have a couple of users who have started to browse the website and make forum posts which show up as coming from 127.0.0.1. I'd say I know a little about computer security and networking, but anyone have any idea how it is possible to browse the internet with your IP address showing up as 127.0.0.1?

I'm not looking for an intricate explanation or a 'HowTo', it's just that I have no idea how it is even possible and curiosity is getting the better of me.

Thanks for any ideas or suggestions,

Allan.
 
It would seem likely that these "troublemakers" have now compromised your webserver and are connecting through your host as a proxy.

If you have a Linux server, it would be worthwhile to run an 'lsof -i' and look for any ports open that you cannot explain. This may be a long list since this is a web server and it is likely that there are many http threads active at any given time.

If this is a Windows host, you can run 'netstat' to see a similar listing (you can do this as well on Linux, but lsof supposedly uses lower level primitives and is harder to spoof).

Of course you could also configure the web server not to listen on 127.0.0.1. That should only affect browsing the web site from the server itself.

In Linux, stunnel would provide the tunneling service that would make this type of browsing possible. So would a VPN and ssh (using tunneling) which are both available on Windows as well.

Frankly though, with programs like The Onion Router (tor) and Privoxy it is highly unlikely that you will be able to block anyone permanently.


pansophic
 
It's very nice pansophic, very nice.
Of course you could also configure the web server not to listen on 127.0.0.1. That should only affect browsing the web site from the server itself.
If his webserver is at risk, isn't it too shallow just blocking the webserver from listening on 127.0.0.1? Besides the webserver he's gonna have lots of other problems too, right? After all a port is open...

I'm not asking for any special program, but theoretically how could you find which ports are open on a machine? Should you write a script that sends a request to all the 65,536 (whatever number!) ports on both TCP and UDP towers?! Is this practical?
 
Checking the open ports is not only practical, it is trivial. A simple netstat will show all open ports that haven't been masked through a rootkit. If you are running *nix, then lsof -i will show all open ports and usually can't be masked by a rootkit. But I would still run nmap (runs on *nix and Windows) from another machine to definitively identify any open ports. Run it from inside and outside the firewall to get a good picture not only of what is open, but what is accessible from the net as well.

If I thought that I had a rootkit (yes I have found them on my own and others' systems) I would rebuild the machine without question. There is no foolproof way to remove a rootkit. Some of the remote control programs will open an ephemeral port (1025 or higher) back to a server that is under the control of the hacker because outbound connections are rarely controlled through firewalls. This connection is the tunnel under which they control the system. An Intrusion Detection System (maybe host-based, definitely network-based) would be high on my list of technologies to implement. It may not stop a compromise, but it will let you know when one has likely happened.

And yes, making the webserver refuse connections from 127.0.0.1 is just a band-aid at best. If they already have that level of access to the system, they can easily undo whatever countermeasures you put into place.


pansophic
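Pansophic's two replies suggest listing the host's sockets with netstat or lsof -i, comparing that against what the box is supposed to run, and watching for outbound connections from ephemeral ports (1025 and up) back to a machine the attacker controls. The script below is an added example, not code from this thread or from the Tek-Tips posters: it parses netstat-style output with awk, reports listeners whose port is not on an allowlist, and reports established connections from ephemeral local ports. The sample output, the allowlist of ports (22, 80, 123, 3306) and the process names in it are all constructed for the example; on a real server you would feed it the output of `netstat -tunap` (run as root so the program column is filled in) and your own list of expected services.

```shell
#!/bin/sh
# Constructed sample in the layout of Linux `netstat -tunap` output.
# It is NOT a real capture; the process "4321/unknownd" and the 8888
# listener are made up to show what an unexpected socket looks like.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1234/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      900/mysqld
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN      4321/unknownd
tcp        0      0 10.0.0.5:80             203.0.113.9:51234       ESTABLISHED 1234/apache2
tcp        0      0 10.0.0.5:49152          198.51.100.7:6667       ESTABLISHED 4321/unknownd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           700/ntpd'

# Ports this host is expected to listen on (assumed allowlist for the example:
# ssh, http, ntp and a loopback-only MySQL).
EXPECTED_PORTS="22 80 123 3306"

# unexpected_listeners NETSTAT_TEXT ALLOWLIST
# Prints one line per listening socket whose port is not in ALLOWLIST:
#   "<proto> <port> <pid/program>"
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allow="$2" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^(tcp|udp)/ {
      # TCP listeners carry the LISTEN state; UDP sockets have no state column,
      # so a wildcard foreign address marks them as bound/listening.
      listening = ($1 ~ /^tcp/ && $6 == "LISTEN") || ($1 ~ /^udp/ && $5 == "0.0.0.0:*")
      if (!listening) next
      port = $4; sub(/.*:/, "", port)          # strip the address, keep the port
      if (!(port in ok)) {
        prog = ($1 ~ /^tcp/) ? $7 : $6         # program column shifts for UDP
        print $1, port, prog
      }
    }'
}

# outbound_connections NETSTAT_TEXT
# Prints established TCP connections whose LOCAL port is ephemeral (>= 1025),
# i.e. connections this host initiated rather than served:
#   "<local> -> <remote> <pid/program>"
outbound_connections() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
      lport = $4; sub(/.*:/, "", lport)
      if (lport + 0 >= 1025) print $4, "->", $5, $7
    }'
}

# Demo on the constructed sample; pass --live to check the real host instead.
if [ "${1:-}" = "--live" ] && command -v netstat >/dev/null 2>&1; then
  INPUT=$(netstat -tunap 2>/dev/null)
else
  INPUT=$SAMPLE_NETSTAT
fi
echo "Listeners not on the allowlist:"
unexpected_listeners "$INPUT" "$EXPECTED_PORTS"
echo "Outbound connections from ephemeral ports:"
outbound_connections "$INPUT"
```

Everything the script reports is a starting point for investigation, not a verdict: a legitimate backup agent or update client also makes outbound connections from ephemeral ports, so the value is in knowing your baseline and noticing what is new. As the second reply says, netstat on a rootkitted host can lie, which is why the same check from another machine with nmap (inside and outside the firewall) is the one to trust.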
 