Re: [Full-Disclosure] Transamericana.org
From: Michael Rutledge (michael4447_at_gmail.com)
Date: Sat, 29 Jan 2005 08:58:36 -0600
To: Antonio Henrique Oliveira <firstname.lastname@example.org>
Actually, I forgot about this discussion going on (message thread
"[Full-Disclosure] ICMP Covert channels question")
It seems cyberpixl is doing research creating a covert channel using
icmp packets. Since ping uses ICMP, maybe he is playing on your box.
On Fri, 28 Jan 2005 23:45:00 +0100, cyberpixl <email@example.com> wrote:
> I've been doing some research on creating covert channels using icmp
> packets and a bounce server and so far everything worked fine. I can
> contact my web server through a bounce server outside of my network
> (like www.google.com or whatever). In my current setup both client and
> target are located in the same network and communicate through the
> bounce server using icmp packets.
> Now, would it be possible to access a server behind a firewall, that
> normally isn't accessible, using this technique, if I'm outside of the
> target network?
> Assume there is a local machine (our target) with ip 192.168.0.2 that
> is connected to the internet using a router 192.168.0.1/18.104.22.168
> (that is not blocking icmp packets) and my machine is say,
> 22.214.171.124. If I then send an icmp packet to the 126.96.36.199 router
> with source ip set to 192.168.0.2, would it forward that packet to the
> host in its local network, or will it discard it? Is there any way to
> deliver my packet to that local machine?
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
On Sat, 29 Jan 2005 08:53:31 -0600, Michael Rutledge wrote:
> This may be a stretch (a large stretch), but someone could have
> planted something on your Windows box that is using pings as a covert
> channel (given that person has also taken control of the webserver
> that hosts transamericana.org and can watch the connection logs). Do
> you have a capture of the pings for someone to do a frequency analysis?
> Also, you may want to post a list of your currently running processes
> in hopes someone may spot something that looks wrong.
> On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
> <firstname.lastname@example.org> wrote:
> > Gregh wrote:
> > > ----- Original Message -----
> > > From: "Antonio Henrique Oliveira" <email@example.com>
> > > To: <firstname.lastname@example.org>
> > > Sent: Saturday, January 29, 2005 9:46 PM
> > > Subject: [Full-Disclosure] Transamericana.org
> > >
> > >>Dear all,
> > >>
> > >>Please excuse me if this is a bit off-topic, but since this is the only
> > >>IT related mailing list I subscribe to (apart from Secunia's) I decided to
> > >>post here.
> > >>
> > >>Since some time ago (I cannot determine exactly when this started to
> > >>happen), my workstation (WinXP SP2 PT, fully patched) has been sending
> > >>out ping requests to www.transamericana.org when I login to the machine
> > >>(right at the beginning of the login process, and only at that time).
> > >>
> > >
> > > Perchance is your DNS hosted there? Eg, your ISP's DNS servers?
> > >
> > > Greg.
> > No. The Linux box runs bind for the internal (and external) networks and
> > does direct queries to the root servers, not using our ISP's DNS. The
> > internal network is configured with DHCP and the DNS server for all
> > hosts is set to the linux box internal address. Also, my workstation
> > (and there are 5 more) is the only one doing this.
> > Regards,
> > --
> > António Henrique A. Proenca de Oliveira
> > "Although we can never go back, like an old sweet song with a strong
> > refrain, memories remain" - (Someone)
> > Please avoid sending me Word or PowerPoint attachments.
> > See http://www.fsf.org/philosophy/no-word-attachments.html
> > $Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $
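Michael's suggestion of capturing the pings and looking at them statistically, as an added example that is not code from any poster in this thread: a small Python triage script that parses ICMP echo requests, verifies the checksum, compares the payload against the fixed 32-byte payload Windows ping.exe always sends, and reports payload entropy so that echo requests carrying something other than stock ping data stand out. It assumes the IP header has already been stripped, and the sample packets are constructed inline because no capture is on the page.

```python
import math
import struct
from collections import Counter

# Payload Windows ping.exe puts in every echo request (32 bytes: a-w, then a-i again).
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over ICMP header + payload (checksum field zeroed)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP echo request (type 8) with a valid checksum; stands in for a real capture."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: the stock Windows payload scores about 4.44, arbitrary data scores higher."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def analyse_echo(packet: bytes) -> dict:
    """Parse one ICMP packet (IP header already stripped) into fields worth triaging."""
    icmp_type, _code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    payload = packet[8:]
    return {
        "type": icmp_type, "id": ident, "seq": seq, "payload_len": len(payload),
        "checksum_ok": icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == csum,
        "matches_default_ping": payload == WINDOWS_PING_PAYLOAD,
        "entropy": round(shannon_entropy(payload), 2),
    }

def suspicious_echos(packets) -> list:
    """Echo requests whose payload is not what ping.exe sends: candidates for a covert channel."""
    return [r for r in map(analyse_echo, packets)
            if r["type"] == 8 and not r["matches_default_ping"]]

# Constructed sample "capture": one stock Windows ping, one echo with a non-standard payload.
SAMPLE = [
    build_echo_request(0x0200, 1, WINDOWS_PING_PAYLOAD),
    build_echo_request(0x0200, 2, bytes(range(0x60, 0x80))),
]
```

Calling `suspicious_echos(SAMPLE)` returns only the second packet; on a real capture, feed it the ICMP portion of each echo request seen during login and review what is flagged.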