Network Administrator Edicate? Opinion? 8

[quell]

Guess this is the best place to post this. I'm just wanting to get some opinions here. It is obvious that if a network administrator wanted to find a vulnerable pc simply look through the IIS logs. I guess my question would be what should an admin do if they discover that an IP (that is not theirs) is vulnerable to an attack or it is used for a bounce?

The reason I ask is cause, after going through my logs I find certain IP's that ask for a strings such as:

x.x.x.x - - [20/Apr/2003:05:25:57 -0600] "GET /robots.txt HTTP/1.1" 401 4617 (IRC hack)
x.x.x.x - - [20/Apr/2003:14:39:10 -0600] &quot;GET /<Rejected-By-UrlScan>?~/default.ida HTTP/1.0&quot; 401 4598 (nimda virus)
x.x.x.x - - [20/Apr/2003:02:11:48 -0600] &quot;GET /<Rejected-By-UrlScan>?~/scripts/..%255c%255c../winnt/system32/cmd.exe HTTP/1.0&quot; 401 4804

After looking up on arin.net to see who the IP belongs to I did a port scan and found multiple ports open 21,25,53,139 just to name a few. Also tried the net use cmd, telnet, ftp, XP Remote Desktop Connection and others for the heck of it . Am I wrong for doing this despite the results? Should I let the owner of this IP know that they are vulnerable to certain attacks? After all we are all in this together, we should help each other out as much as possible. If it was me I would greatly appreciate someone letting me know that my servers were vulnerable, but that's just me. Let me know what you think about this.
Thanks

 

[quell]

Here is some interesting reading on the issue.

http://www.usdoj.gov/criminal/cybercrime/cclaws.html

From what I gather from the above link and others is that port scanning is legal, unless you have malicious intent or your ISP has a policy against it. I could not find anything in black and white stating that port scanning is illegal or defining the terms of access. Unauthorized access is illegal but what defines access?

Technically during a telnet session you do access a pc, but if you do not enter a password then...Is that considered unauthorized access? Isn't this the same thing as accessing port 80 and getting a 401 error? (unless the script showed malicious intent. Then you would have to define malicious intent) What if that telnet server didn't require a password and after a port scan you tried it and got in...that's unauthorized access. This area is kind of shady and I think it would basically boil down to the judges interpretation.

As for me and my lesson learned here is leave it at the port scan. Cause bottom line is that if the port is open you can access the pc one way or another. My curiosity is not worth the prosecution.

 

[sleipnir214]

Exactly the reason for my advice.

Let's face it, all you're doing is exercising monkey curiosity. You're not going to solve the problem with a port scan or any other kind of probe.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[PCLine]

Well guys, having read all the posts above, I come back to
xutopia's comment in &quot;his&quot; first post;

&quot; Let the person figure it out on his own. If there is a way for you to find out who that person is without hacking their computer then do it. But don't get in trouble with the law whatever you do.&quot;

sleipnir214 took up the &quot;least&quot; important aspect of the post and turned it into the pivotal point, which it clearly wasn't.


As quell subsequently writes,

&quot;I have contacted the proper owners (with no reply of course) via e-mail. If the same IP keeps hitting my server with bad strings then its going to be a phone call to the owners of the IP from a disgruntled administrator hehe&quot;


clearly the action quell took corresponds to the advice (and others) gave.

Also, as quell further writes;

&quot;As for me and my lesson learned here is leave it at the port scan. Cause bottom line is that if the port is open you can access the pc one way or another. My curiosity is not worth the prosecution.&quot;

he is clearly not wanting to risk &quot;getting in trouble with the law&quot;. Another piece of advice suggested by xutopia.

sleipnir214 apparently provided the detail that enabled quell to gather the necessary info to send an e-mail. Well done. But if you had been looking favourably at xutopia's post rather than wanting to &quot;dismiss his politics&quot; you might have provided that detail sooner.

Just a passing observation that some people will agree with and other won't.



All the best.

 

[PCLine]

*clearly the action quell took corresponds to the advice xutopia (and others) gave.

 

[xutopia]

Thank you PCLine. It takes patience to make sense of everyone's post like that.

A star to you.

Gary

http://www.xutopia.com

Haran
==========================

 

[Tarwn]

I must be misunderstanding something here...

Sleipners major comment was only that contacting the owner would not be illegal. This was mixed with his opinion that since such an act would not be illegal, there was no reason to bring politics to the table.

Xutopia originally gave his advice as &quot;So I don't recommend you do anything about it. Let the person figure it out on his own. If there is a way for you to find out who that person is without hacking their computer then do it.&quot;
Note, the content of this is do nothing, and though there is the possibility he was inferring you contact the person with his last line, this is only an argument if you read the rest of the posts.

PCLine: Actually the first person to mention sending this guy an email was not xutopia. It was sleipner who mistakenly believed xutopia had posted that suggestion earlier (I assume he missed the whole putting a text file on the desktop and only saw the content). Which explains his later post mentioneing he had mis-read that part...



Personally I think the whole Puffer discussion was a complete waste of time unless someone wanted to start another thread on it. It did not apply in this case, only showed an example of why not to hack the remote computer.

-Tarwn

[sub]01010100 01101001 01100101 01110010 01101110 01101111 01101011 00101110 01100011 01101111 01101101 [/sub]
[sup]29 3K 10 3D 3L 3J 3K 10 32 35 10 3E 39 33 35 10 3K 3F 10 38 31 3M 35 10 36 3I 35 35 10 3K 39 3D 35 10 1Q 19[/sup]
Get better results for your questions: faq333-2924
Frequently Asked ASP Questions: faq333-3048

 

[CajunCenturion]

PCLine - I understand what you're saying, but when I read the 4th para of xutopia first post, his recommendation to &quot;Let the person figure it out on his own ...&quot; sounds like a conclusion based on the premise described in the first couple of sentences of that same paragraph. And although I respect your opinion that you feel that it's the &quot;least&quot; important aspect, when someone bases a conclusion upon a flawed premise (which in this case is politically based), then its quite appropriate to expose the flaws in the premise, especially when taking into account the comments concerning the ethical behavor espoused in the 2nd and 3th paragraphs of the same post.

You are unfortunately expressing yourself by flaming sleipnir214 for not looking favorably on the original post in question, and you can add me to the flame as well because I am very much against the notion that it's ethical to hack into and write a file to someone's desktop. The only thing I can find favorable in that post is at best a non sequitur conclusion to do nothing.

Good Luck
--------------
As a circle of light increases so does the circumference of darkness around it. - Albert Einstein

 

[manarth]

xutopia said:
&quot;I would see nothing ethically wrong with you writing a text file on his desktop&quot;
&quot;In many countries this wouldn't even be a fraudulent act but in the US you could be punished by the law for trying to be a good samaritan. And the worst thing is that people cought hacking tend to get worse jail time than people with other minor offence get. So I don't recommend you do anything about it.&quot;

CajunCenturion said to PCLine:
&quot;You are unfortunately expressing yourself by flaming sleipnir214 for not looking favorably on the original post in question, and you can add me to the flame as well because I am very much against the notion that it's ethical to hack into and write a file to someone's desktop...&quot;

Xutopia: you hit the nail on the head - nothing ethically wrong, but you could be busted. Dropping a txt file on someone's desktop (especially with such good intention) is IMO fine. Just don't put yourself at legal risk.

CajunCenturion: PCLine was suggesting Sleipnir214's views were clouded by political differences. Your views are a seperate matter - your stance (seems to be) it's unethical to write a file to someone else's desktop. Whilst you both have views apposite to Xutopia's, you hold these views for different reasons.

PCLine's perspective is that Sleipnir214's response derives from his political orientation, rather than from a constructed ethical argument.
Your argument, on the other hand, is based on a genuine ethical premise: to what extent can you ethically hack into someone else's system?

Please don't group the debates together, as these are completely different issues.

PCLine's point is his valid opinion, but don't lump his opinion about you in with someone elses; at least, not until he's lumped you in with all the rest

Perhaps a new thread is in order: the ethics of &quot;hacking&quot;?
I'm sure it's been done before


<marc> i wonder what will happen if i press this...[ul][li]please give feedback on what works / what doesn't[/li][li]need some help? how to get a better answer: faq581-3339[/li][/ul]

 

[PCLine]

CajunCenturion,
Am I right in reading your comment, &quot;...and you can add me to the flame as well...&quot; to mean that you are asserting that my opinion of sleipnir214's first posting was also a &quot;critical&quot; remark aimed at all people who thought in a like manner to sleipnir214 ro just yourself and sleipnir214. Where we would end up following that line of reasoning...

Oh, isn't life just tickety-boo when people look at people's posts to &quot;pull them up&quot; on totally pointless aspects. If I was to take issue with your &quot;claim&quot; to be affected by my alledged flaming, I would point out that my claim to having first been flamed by sleipnir214 is stronger than your claim to having been flamed by me ~ read the posts for the evidence.

As for xutopia's post: Firstly, he highlights that my analogy is synonymous with causing damage to the other persons property; that tresspassing is a more apt scenario.

Secondly, he states an opinion;

blah-de-blah-de-blah

I could look at each paragraph of uxtopia's post in such a matter but to what end? How you arrive at, &quot;...non sequitur conclusion to do nothing.&quot; is pretty amazing.

I will (read)listen to any reasoned argument and I reserve my right to express my arguments and counter-arguments when I have the opportunity and inclination to do so. But I do take issue with people that claim to have been flamed by myself when clearly that is a blatant misrepresentation of the truth.

If I have mis-read your statement, &quot;...and you can add me to the flame as well...&quot; and you actually wished to &quot;join with me&quot; in flaming sleipnir214, then I would also have to take issue with you again. I did not flame sleipnir214: for if my tame comment could actually be construed as &quot;flaming&quot; what would would sleipnir214's comment,

&quot; It never occurred to me that anyone in Tek-Tips would recommend such an asinine plan of action.&quot;

...be regarded as. Or indeed your own comment,

&quot;The only thing I can find favorable in that post is at best a non sequitur conclusion to do nothing.&quot;

If we are unable to point to the apparent failings in someone else's posting then how are we to achieve any sort of debate around issues such as these.

Please, in future, leave accusations of flaming to those justifable and warranted situations that deserve the &quot;labelling&quot; of such.

Kind regards.

 

[PCLine]

manarth,
An excellent critique.

Your post was published whilst I was constructing my previous one. Had I seen it I would probably not have posted the above comments.

all the best.

 

[sleipnir214]

manarth:
You have said that dropping a .txt file on another's desktop is, in your opinion, fine. I would very much would like the hear the set of inferences that led to you conclude that hacking any system for any reason without permission is an ethical act.

Hacking my system is a violation of the permissions I give you on my system. If I'm running a public web site, I give any and all users implicit permission to access the portions of my system that I select. But if I password-protect a subset of the content, you are not behaving ethically if you throw a password cracker at it, because you are trying to access my system beyond my implicit permissions. xutopia posted a link that illustrates this:

http://zdnet.com.com/2100-1105-934839.html

. In the case described, the hackers were given explicit permission to attempt to crack the password on the database -- they behaved ethically.

And if you hack a system to leave a nastigram on the desktop, you are way beyond any permission, implicit or explicit, that you might have been granted. As such, you are no longer behaving ethically. xutopia, again, has given another link which demonstrates the concept:

http://www.theregister.co.uk/content/55/26397.html

. Stefan Puffer demonstrated the insecurity of the system to a reporter and an unspecifed &quot;county official&quot;. It sounds to me like that county official did not have the authority to grant permission for Mr. Puffer to force entry to the system.

By extension, I think that a system administrator is ethically obligated to insure that his system does no damage to systems owned by others on the internet, because the system administrator doesn't have permission to damage those other machines. If keeping your system from attacking other systems is ethical, then to extend the concept further a deliberate attack against other systems without permission cannot be ethical.

There is no way of knowing how much damage you would do to that system just to put your nastigram on the desktop of that server. xutopia's second link reports a declaration by the court that Mr. Puffer did $5000 of damage to the court's computer system. Now I am sceptical of that figure, but even $5 of damage is $5 more than he has the right to do to the system.


Here's a metaphor: I drive a clunker of a car that has bad rings and smokes badly in traffic. You've been stuck behind me, sucking up my smog, for half an hour. You see me pull into a parking lot and park, and you follow me into the lot to give me a piece of your mind. By the time you park and find my clunker again, I'm out of sight, so you decide to leave a handwritten nastigram.

If you leave the nastigram taped to my windshield, then you are well within the extent of ethical behavior. But it's about to rain, and you don't want your note to bleed to unreadability, so you decide to leave it taped to my steering wheel. The instant you open my car door without my permission, whether it was locked or not, and even with the best of intentions, you have crossed the line and are no longer behaving ethically.


Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[greyted]

A question for you guys, if you use Gibson's Shields Up programme to scan your ports he has a disclaimer notice. Does he use this notice to prevent any legal come back on him or his company or does he have to ask your permission to scan your ports?
I offer no insight into this question but I did wonder if it is illegal to scan other people's computers then if Quell was caught scanning the said computer could the company sue him for infecting their machine?
An interesting thread.

sleipnir214,
On a lighter note, good to see you doing the donkey work with the dictionary, again.

Ted

 

[Tarwn]

Heh, funny...
Oh, isn't life just tickety-boo when people look at people's posts to &quot;pull them up&quot; on totally pointless aspects

I started reading the above posts and thought someone was attempting to make a valid point...until they spent a page doing exactly what they were accusing others of doing.

The difference between debate and argument is the ability of those involved to change their opinions.

I could spend the rest of the evening doing a critical analysis on people's posts and we would be no closer to changing our opinions.

The point is that we do agree that the ethical and legal response should be to simply contact the administrator of the remote machine and explain that it has been acting in a suspicious manner. If they choose not to follow it up that is their concern. If it is harming you, press charges.

I don't see anything useful coming out of the rest of the conversation beyond the usual arguments of selective portions of posts. While it may be absolutely imperitive that some people shout their disdain for other people's opinions under the cover of rebuking them for the same acts, I feel it to be wholly unprofessional and entirely lacking in useful content. Shouting louder does not make others listen.

-Tarwn

[sub]01010100 01101001 01100101 01110010 01101110 01101111 01101011 00101110 01100011 01101111 01101101 [/sub]
[sup]29 3K 10 3D 3L 3J 3K 10 32 35 10 3E 39 33 35 10 3K 3F 10 38 31 3M 35 10 36 3I 35 35 10 3K 39 3D 35 10 1Q 19[/sup]
Get better results for your questions: faq333-2924
Frequently Asked ASP Questions: faq333-3048

 

[sleipnir214]

Tarwn:

<aside type=&quot;monkey curiosity that's completely off the current topic&quot;>
How would one pronounce your handle? Possibilities I have come up with are &quot;TAR-win&quot;, &quot;TAR-un&quot;, &quot;TAR-oon&quot; (rhyming with &quot;moon&quot, and &quot;tar-OON&quot;
</aside>

I tried in my last post to start a strict ethics debate. No one so far has shown any interest in playing.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[xutopia]

Tawrn,

Let me concentrate on my favorite part of your post (something we don't seem to be in the mood for today).

I think we should just drop this discussion because it's not going anywhere.

If someone wants to start over then start a new related thread and it just might let us start fresh.

Gary

http://www.xutopia.com

Haran
==========================

 

[sleipnir214]

xutopia:
You also said very early in this thread that you found nothing ethically wrong with writing a file to the administrator's desktop, so my long post (directed to manarth) is available to you, too, if you want to discuss the ethics.

Want the best answers? Ask the best questions:

http://www.catb.org/~esr/faqs/smart-questions.html

TANSTAAFL!

 

[xutopia]

Sleipnir,

I'm actually not really in the mood for discussing these things further. I think most points have been made and we're just rehashing something that's already puree.

On a side note though all these analogies of the parked car reminds me of something that happened to me as a kid about 6 years old.

It was summertime in the middle of an afternoon and I was walking back home. I was just a few streets away from home and noticed someone had left their lights on in their car. I had been told by my parents that leaving the lights on for too long could drain the battery and the engine wouldn't start. I was really shy as a kid and didn't dare knock on people's doors to see who the car belonged to but the car door was unlocked so I ventured in to try to shut off the lights.

I fiddled around with the switchs and finally found the light that I shut off (after turning on the four way flashers and other interesting things). I then closed the door of the car and turned back to go home but someone perched from a window started yelling at me &quot;What is your problem kid? That isns't your car!&quot;. At the same time he was yelling he put his finger up to his head attempting to convey that the screws in my head were not turning correctly.

My face turned red and for a few seconds I couldn't say a word. I then told the guy that the lights were on and I just wanted to do the owner a favor by shutting them off for him. The guy excused himself and didn't know where to put himself. I then said I was really sorry for doing something bad and he had to tell me &quot;No actually you didn't do anything bad. I just jumped to the wrong conclusion.&quot;.

Despite that I was scared to walk in front of his house for a few years.

Gary

http://www.xutopia.com

Haran
==========================

 

[Tarwn]

<aside in response to Sleipners aside>
TAR-win is how I've generally considered it to be pronounced... the odd thing is that I have been using that handle so long it takes concious though half the time to put the right name on the bottom of my emails
</aside>

xutopia: heh, I know I had one of those moments, but for the life of me, now that I try to remember, I can't

-Tarwn

[sub]01010100 01101001 01100101 01110010 01101110 01101111 01101011 00101110 01100011 01101111 01101101 [/sub]
[sup]29 3K 10 3D 3L 3J 3K 10 32 35 10 3E 39 33 35 10 3K 3F 10 38 31 3M 35 10 36 3I 35 35 10 3K 39 3D 35 10 1Q 19[/sup]
Get better results for your questions: faq333-2924
Frequently Asked ASP Questions: faq333-3048

 

[PCLine]

Hello Tarwn,

Do you know what irony is?

 

[Tarwn]

Guess not, otherwise I would know which statement you were inferring is ironic.

-Tarwn

[sub]01010100 01101001 01100101 01110010 01101110 01101111 01101011 00101110 01100011 01101111 01101101 [/sub]
[sup]29 3K 10 3D 3L 3J 3K 10 32 35 10 3E 39 33 35 10 3K 3F 10 38 31 3M 35 10 36 3I 35 35 10 3K 39 3D 35 10 1Q 19[/sup]
Get better results for your questions: faq333-2924
Frequently Asked ASP Questions: faq333-3048