Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Transamericana.org

From: Michael Rutledge <michael4447 () gmail com>
Date: Sat, 29 Jan 2005 08:58:36 -0600
Actually, I forgot about this discussion going on (message thread
"[Full-Disclosure] ICMP Covert channels question")

It seems cyberpixl is doing research creating a covert channel using
icmp packets.  Since ping uses ICMP, maybe he is playing on your box. 
:)

-Michael


On Fri, 28 Jan 2005 23:45:00 +0100, cyberpixl <cyberpixl () gmail com> wrote:

I've been doing some research on creating covert channels using icmp
packets and a bounce server and so far everything worked fine. I can
contact my web server through a bounce server outside of my network
(like www.google.com or whatever). In my current setup both client and
target are located in the same network and comunicate through the
bounce server using icmp packets.

Now, would it be possible to access a server behind a firewall, that
normally isn't accessable, using this technique, if i'm outside of the
target network?

Assume there is a local machine (our target) with ip 192.168.0.2 that
is connected to the internet using a router 192.168.0.1/88.88.88.88
(that is not blocking icmp packets) and my machine is say,
33.33.33.33. If i then send an icmp packet to the 88.88.88.88 router
with source ip set to 192.168.0.2, would it forward that packet to the
host in its local network, or will it discard it? Is there any way to
deliver my packet to that local machine?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html





On Sat, 29 Jan 2005 08:53:31 -0600, Michael Rutledge
<michael4447 () gmail com> wrote:

This may be a stretch (a large stretch), but someone could have
planted something on your Windows box that is using pings as a covert
channel (given that person has also taken control of the webserver
that hosts transamericana.org and can watch the connection logs).  Do
you have a capture of the pings for someone to do a frequency analysis
on?

Also, you may want to post a list of your currently running processes
in hopes someone may spot something that looks wrong.

-Michael

On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira
<tat () postmark net> wrote:

Gregh wrote:

----- Original Message -----
From: "Antonio Henrique Oliveira" <tat () postmark net>
To: <full-disclosure () lists netsys com>
Sent: Saturday, January 29, 2005 9:46 PM
Subject: [Full-disclosure] Transamericana.org




Dear all,

Please excuse me if this is a bit off-topic, but since this is the only
IT related mailing list I subscribe (apart from Secunia's) I decided to
post here.

From sometime ago (I cannot determine exactly when this started to
happen), my workstation (WinXP SP2 PT, fully patched) has been sending
out ping requests to www.transamericana.org when I login to the machine
(right at the beginning of the login process, and only at that time).




Perchance is your DNS hosted there? Eg, your ISP's DNS servers?

Greg.

No. The Linux box runs bind for the internal (and external) networks and
does direct queries to the root servers, not using our ISP's DNS. The
internal network is configured with DHCP and the DNS server for all
hosts is set to the linux box internal address. Also, my workstation
(and there are 5 more) is the only one doing this.

Regards,
--
Anto'nio Henrique A. Proenca de Oliveira

"Although we can never go back, like an old sweet song with a strong
refrain, memories remain" - (Someone)

Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
$Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Previous By Date Next
Previous By Thread Next

Current thread: