Full Disclosure mailing list archives
Re: Transamericana.org
From: Michael Rutledge <michael4447 () gmail com>
Date: Sat, 29 Jan 2005 08:58:36 -0600
Actually, I forgot about this discussion going on (message thread "[Full-Disclosure] ICMP Covert channels question") It seems cyberpixl is doing research creating a covert channel using icmp packets. Since ping uses ICMP, maybe he is playing on your box. :) -Michael On Fri, 28 Jan 2005 23:45:00 +0100, cyberpixl <cyberpixl () gmail com> wrote:
I've been doing some research on creating covert channels using icmp packets and a bounce server and so far everything worked fine. I can contact my web server through a bounce server outside of my network (like www.google.com or whatever). In my current setup both client and target are located in the same network and comunicate through the bounce server using icmp packets. Now, would it be possible to access a server behind a firewall, that normally isn't accessable, using this technique, if i'm outside of the target network? Assume there is a local machine (our target) with ip 192.168.0.2 that is connected to the internet using a router 192.168.0.1/88.88.88.88 (that is not blocking icmp packets) and my machine is say, 33.33.33.33. If i then send an icmp packet to the 88.88.88.88 router with source ip set to 192.168.0.2, would it forward that packet to the host in its local network, or will it discard it? Is there any way to deliver my packet to that local machine? _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
On Sat, 29 Jan 2005 08:53:31 -0600, Michael Rutledge <michael4447 () gmail com> wrote:
This may be a stretch (a large stretch), but someone could have planted something on your Windows box that is using pings as a covert channel (given that person has also taken control of the webserver that hosts transamericana.org and can watch the connection logs). Do you have a capture of the pings for someone to do a frequency analysis on? Also, you may want to post a list of your currently running processes in hopes someone may spot something that looks wrong. -Michael On Sat, 29 Jan 2005 12:03:39 +0000, Antonio Henrique Oliveira <tat () postmark net> wrote:Gregh wrote:----- Original Message ----- From: "Antonio Henrique Oliveira" <tat () postmark net> To: <full-disclosure () lists netsys com> Sent: Saturday, January 29, 2005 9:46 PM Subject: [Full-disclosure] Transamericana.orgDear all, Please excuse me if this is a bit off-topic, but since this is the only IT related mailing list I subscribe (apart from Secunia's) I decided to post here. From sometime ago (I cannot determine exactly when this started to happen), my workstation (WinXP SP2 PT, fully patched) has been sending out ping requests to www.transamericana.org when I login to the machine (right at the beginning of the login process, and only at that time).Perchance is your DNS hosted there? Eg, your ISP's DNS servers? Greg.No. The Linux box runs bind for the internal (and external) networks and does direct queries to the root servers, not using our ISP's DNS. The internal network is configured with DHCP and the DNS server for all hosts is set to the linux box internal address. Also, my workstation (and there are 5 more) is the only one doing this. Regards, -- Anto'nio Henrique A. Proenca de Oliveira "Although we can never go back, like an old sweet song with a strong refrain, memories remain" - (Someone) Please avoid sending me Word or PowerPoint attachments. See http://www.fsf.org/philosophy/no-word-attachments.html $Id: .signature,v 1.3 2004/07/14 08:08:10 tat Exp tat $ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Transamericana.org Antonio Henrique Oliveira (Jan 29)
- Message not available
- Re: Transamericana.org Antonio Henrique Oliveira (Jan 29)
- Re: Transamericana.org Michael Rutledge (Jan 29)
- Re: Transamericana.org Michael Rutledge (Jan 29)
- Re: Transamericana.org Antonio Henrique Oliveira (Jan 29)
- Re: Transamericana.org Antonio Henrique Oliveira (Jan 29)
- Message not available