
Network Administrator Etiquette? Opinion?

Status
Not open for further replies.

quell
Guess this is the best place to post this. I'm just wanting to get some opinions here. It is obvious that if a network administrator wanted to find a vulnerable PC, they could simply look through the IIS logs. I guess my question would be what should an admin do if they discover that an IP (that is not theirs) is vulnerable to an attack or is used for a bounce?

The reason I ask is because, after going through my logs, I find certain IPs that ask for strings such as:

x.x.x.x - - [20/Apr/2003:05:25:57 -0600] "GET /robots.txt HTTP/1.1" 401 4617 (IRC hack)
x.x.x.x - - [20/Apr/2003:14:39:10 -0600] "GET /<Rejected-By-UrlScan>?~/default.ida HTTP/1.0" 401 4598 (nimda virus)
x.x.x.x - - [20/Apr/2003:02:11:48 -0600] "GET /<Rejected-By-UrlScan>?~/scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0" 401 4804

After looking up on arin.net to see who the IP belongs to, I did a port scan and found multiple ports open (21, 25, 53, 139, just to name a few). I also tried the net use command, telnet, ftp, XP Remote Desktop Connection and others for the heck of it. Am I wrong for doing this despite the results? Should I let the owner of this IP know that they are vulnerable to certain attacks? After all, we are all in this together; we should help each other out as much as possible. If it were me, I would greatly appreciate someone letting me know that my servers were vulnerable, but that's just me. Let me know what you think about this.
Thanks
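An added example, not code from the thread: a small Python script that reads lines in the combined-log shape quell posted, labels the Code Red (default.ida) and Nimda (double-encoded traversal to cmd.exe) request patterns after decoding the path, groups the hits by source IP, and drafts the plain-text notice garwain describes later in the thread. The sample log lines and source IPs are constructed; everything it does runs against the local log only, with no connection back to the remote host.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample in the combined-log shape of the thread's excerpt; the
# source IPs are made up, the request paths are the ones quoted in the post.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Apr/2003:05:25:57 -0600] "GET /robots.txt HTTP/1.1" 401 4617
10.0.0.9 - - [20/Apr/2003:14:39:10 -0600] "GET /<Rejected-By-UrlScan>?~/default.ida HTTP/1.0" 401 4598
10.0.0.9 - - [20/Apr/2003:02:11:48 -0600] "GET /<Rejected-By-UrlScan>?~/scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0" 401 4804
10.0.0.7 - - [21/Apr/2003:09:00:01 -0600] "GET /index.html HTTP/1.1" 200 1234
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Worm request patterns from the thread, checked after two rounds of URL
# decoding so the %255c double encoding (which slipped past early IIS path
# checks) resolves to the backslash it stands for.
SIGNATURES = [
    ("default.ida", "Code Red probe (.ida overflow)"),
    ("cmd.exe", "Nimda / directory traversal to cmd.exe"),
]

def classify(path):
    """Label a request path, or return None if it is not worm-like."""
    decoded = unquote(unquote(path)).lower()
    for needle, label in SIGNATURES:
        if needle in decoded:
            return label
    if "<rejected-by-urlscan>" in decoded:
        return "rejected by UrlScan (unclassified)"
    return None

def summarize(log_text):
    """Group worm-like requests by source IP: {ip: [(timestamp, label, path), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-log line; skip rather than guess
        ip, ts, _method, path, _status, _size = m.groups()
        label = classify(path)
        if label:
            hits[ip].append((ts, label, path))
    return dict(hits)

def draft_notice(ip, hits):
    """Plain-text notice in the wording garwain used, with the evidence appended."""
    body = [f"My server logs are reporting intrusion attempts from {ip}, one of",
            "your IP addresses. Could you please look into it?", ""]
    body += [f"[{ts}] {label}: {path}" for ts, label, path in hits]
    return "\n".join(body)

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE_LOG).items():
        print(draft_notice(ip, hits), end="\n\n")
```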

 
quell - definitely tell the owner in some way.

Firstly, be very careful what action you take - you don't want to be hauled up for hacking!

My flatmate's apache server keeps getting "hit" by an IP based in a nearby business park - it keeps trying various scripts (which, alas, only work on MS IIS :)). The logs make interesting reading!

My guess is that the business knows nothing about these attacks; their PC has been hacked and is just being used as a launch board for cyber assaults.

I'm sure (given the ongoing nature of these attacks) they will, sooner or later, be 'successful' against someone's PC.

One of these days I may get round to tracking down the co near me and notifying them!

<marc> i wonder what will happen if i press this... please give feedback on what works / what doesn't; need some help? how to get a better answer: faq581-3339
 
Hi,
Your post made me smile.

What are the consequences for an Administrator if they are "caught" and reported for "hacking" another system?

How many cars have you seen parked in dubious places and thought, "they're risking a smashed window parking there," and how many times have you gone over and smashed a window of such a car, to see if you were right?

As I said your post made me smile.

It's your pickle, I think you should be brave enough to make a decision ~ after all, you've already made the decision to "broddle" with someone's system.

All the best.
 
quell,

Though I disagree with PCLine's analogy, he's got a point. I feel the analogy is more like walking into a house that left its door open to tell them that someone can break in.

I would see nothing ethically wrong with you writing a text file on his desktop saying:

"Your computer has been hacked by such and such a worm. The person sending you this text file did not snoop, destroy or compromise your computer but wanted to warn you that your computer is infected with a worm that allows anyone to access your computer with ease. The worm also attempts to randomly infect other computers. Maybe you should do something about it. Try looking at the following links (Symantec or Norton URLs)."

In many countries this wouldn't even be a fraudulent act, but in the US you could be punished by the law for trying to be a good samaritan. And the worst thing is that people caught hacking tend to get worse jail time than people with other minor offences get. So I don't recommend you do anything about it. Let the person figure it out on his own. If there is a way for you to find out who that person is without hacking their computer, then do it. But don't get in trouble with the law, whatever you do.

Gary Haran
==========================
 
xutopia,

Yes, your analogy is more appropriate.

I also think that your post hits the nail on the head.

Kind regards.
 
quell:
xutopia's advice on how you should react is clouded by his politics. Despite what he wants to believe, you will not be punished in the United States for reporting to a server owner that a worm on his machine has tried to infect yours.

Whether you report it is a matter of ethics only, not law.

Want the best answers? Ask the best questions: TANSTAAFL!
 
xutopia's advice on how you should react is clouded by his politics. Despite what he wants to believe, you will not be punished in the United States for reporting to a server owner that a worm on his machine has tried to infect yours.

Au contraire, you can indeed be sued for this (happened to someone on Slashdot last year).

Best bet would be to use the phone to call them up and tell them. I wouldn't send an email, or (horrors!) put a text file on their desktop. Just say something like "Hey, I'm getting attacked by a machine that looks to belong to you. Could you please check the computer at this IP address?"

If they're worth their pay, they'll check it out and clean the PC of the robot(s). Of course, the reality would be that they'll just ignore you. :-(

Chip H.
 
If you do as xutopia advises -- just reporting the problem, no probes, no port scans -- you cannot be sued.

Got a link to that Slashdot thread? I'll bet the guy got sued not because he reported the worm activity, but because he attempted some kind of action against the offending server -- maybe something as innocuous as a port scan against the wrong target.

Want the best answers? Ask the best questions: TANSTAAFL!
 
When I first started running my server I was getting a couple dozen hits a day from NIMDA and CODERED, and possibly other such things, and was taking the time to track down the owner of the IP and send them an email. Now, 2 years later, after tracking down probably a hundred systems and sending a hundred emails to the administrators, I've given up. I never got a single thank you for the task, but did get several messages telling me to mind my own business, or to that effect, and one person told me to stop sending $%^&*() spam, he didn't want to know about whatever antivirus I was trying to sell him.

My message was always the following:
I would just like to notify you that my server logs are reporting intrusion attempts from one of your IP addresses. Could you please look into it?

Then I would paste a sample from my log file.
 
garwain:
I did the same thing for about the same amount of time with the same results, although I actually did get one "thank you" reply. It used to be that when I got the "leave me alone" replies, I would, where possible, find the next higher authority over his IP address range and let them in on the problem, too. That actually got some results once or twice.

And I've pretty much given up, too. It just doesn't seem to do any good.


Want the best answers? Ask the best questions: TANSTAAFL!
 
sleipnir,

I'm offended by your remarks. I just happen to be an informed individual and in the face of facts it is easy to "jump" to my conclusion. I believe if you read this article you might change your mind. My opinion in this matter has nothing to do with my political point of view but the laws in many countries including both of ours.

"On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card.

[...]

"Puffer, who was employed briefly by the county's technology department in 1999, could get five years in jail and faces a $250,000 fine[...]"

So I stand behind my first affirmation. Though it would be IMHO ethical to tell the guy that his computer is compromised, you would need to hack into his computer to tell him and that would be illegal.

Gary Haran
==========================
 
xutopia,
as you mention, he "demonstrated ... how easy it was" rather than just inform them. Telling them is doing nothing wrong. The demonstration is where he erred. You can send an email to tell him without admitting to the hack.
 
xutopia:
You're right. I shouldn't have agreed with you, even partially -- I misread the part of your post which states, "I would see nothing ethically wrong with you writing a text file on his desktop saying :". It never occurred to me that anyone in Tek-Tips would recommend such an asinine plan of action.

Hacking a system without permission, for whatever the reason, is and should be actionable. To continue the analogy you started, if you enter a house without permission, whether in France, the U.S., or the U.K., you are trespassing. The crime does not require the door's being locked.

But it is not necessary to hack the system to notify an authority. A simple ARIN whois query (or its counterparts RIPE, etc.) can give you enough information to find a person to whom to email a log excerpt.

Want the best answers? Ask the best questions: TANSTAAFL!
 
Korngeek,

I never said I agreed with this guy's actions. He certainly could have sent an email and been more silent about it. Unfortunately he wanted to gain from publicizing his feat with the media and that is what was really wrong with his actions (from an ethical point of view anyways).

All,

Hacking into systems you do not own is illegal regardless of the intent. The reason why it is illegal is because 99.999999999999% of the time hacking is malicious. Like I said originally, "If there is a way for you to find out who that person is without hacking their computer" then do tell the person of his computer's state.

sleipnir,

ARIN or RIPE could get information from the system but I was unaware of that until you mentioned it. If using such a tool could get the name of the owner then it would be my recommended course of action.

Hacking isn't always actionable, and for good reasons. Hacking is like taking a walk: we should be free to do it so long as it doesn't infringe on other people's rights. This means not walking into people's houses uninvited, not walking in the middle of the highway for no particular reason, etc.

Sometimes hacking is a necessity and should remain that way:

Gary Haran
==========================
 
xutopia - I think there may be some confusion with respect to how the message is conveyed. In the case referenced by your link, the culprit DID hack the other system. Back to the previous analogy, that means the person did go over and break the window on the parked car. Why you hacked into the other system, or why you broke the window does not change the fact that you broke the law by your actions. And if you choose to report your findings that way, such as by placing a file on their desktop, then you most certainly can be sued, because you have hacked their system. You have walked into their house uninvited.

Commission of a crime for the purposes of proving that it can be done, does not grant you immunity from prosecution for committing the crime.

The reporting of the problem is not the reason you'd be sued. It's the method of reporting that can get you into trouble.

If you follow sleipnir214's and chiph's advice and report the problem with a phone call, or face to face, or (my preference) invite the other administrator over for a cup of coffee and show him/her your logs, then you've still gotten the same message across, but have not committed a crime by doing so.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
CajunCenturion: "or my preference would be to invite the other administrator over for a cup of coffee and show him/her your logs"

:) I may just use that...

Bet it works wonders for asking future favours!

<marc> i wonder what will happen if i press this... please give feedback on what works / what doesn't; need some help? how to get a better answer: faq581-3339
 
Thanks everyone for your opinions. For the record, everything I tried (telnet, net use etc.) led me to a password prompt. This is where I stopped. (Bad passwords sometimes create logs.) If someone really wanted to get in, all they would need is a password cracker prog. I have contacted the proper owners (with no reply of course) via e-mail. If the same IP keeps hitting my server with bad strings then it's going to be a phone call to the owners of the IP from a disgruntled administrator hehe

Just out of curiosity for this thread, is it legal to connect but not guess passwords, or to do a port scan without authorization from the owner? I'm going to look this up and post what I find.
 
I don't know if it's legal or not to connect but not guess passwords.

But I have to ask, why are you connecting in the first place? Why run that risk. Regardless of your intention, the perception of your actions may very well put you in an unenviable position.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein
 
Cajun,

I have the feeling once again I am misunderstood. I'm not saying what the guy did was legal. He never asked for permission to hack into that place but a county official was invited and present there so he wasn't doing it in secret hoping he could gain access or destroy sensitive information. All he did was tell the county official and the media that it was easy to hack.

"On March 18, Puffer demonstrated to a county official and a Chronicle reporter how easy it was to gain access to the court's system using only a laptop computer and a wireless LAN card."

If we go back to the parked car analogy, it's as if I told you I could circumvent your car security system and open your car door using just a remote control. If I invite you to the parking lot as well as a reporter to show you and the world how easily it can be done, I'm not really breaking any windows, am I?

I agree wholeheartedly that if there is a way, using ARIN for example, to contact the guy and tell him his computer is at risk, it is not only a good thing to do (the guy could be harmed from not closing his ports and could harm others) but an ethical one.

At first I did not know that we could find out the information without hacking into the person's computer. I used the example of dropping a text file on the person's desktop because it didn't read information (some could be sensitive and I believe in the right to anonymity) but didn't say that it was an intelligent thing to do at all given the current laws. Taking the analogy of the parked car further it would be like opening the car door and gluing a yellow post-it on the steering wheel.

I'm glad the person in question was contacted by email.

Gary Haran
==========================
 
Absolutely, CajunCenturion

quell:
You have no reason to be probing the foreign system at all. To stay in the bounds of ethical behavior, you have three possible actions available to you:
1. Ignore the worms.
2. Block the offending IP at your firewall or border router.
3. Inform the manager of the foreign system or the manager of a higher network.

You can pick more than one from the list, if appropriate.

However, do not port scan, do not probe, do not IP fingerprint, do not meddle.

Want the best answers? Ask the best questions: TANSTAAFL!
 