RE: Scans for proxy???

From: Andrew Thomas (andrewat_private)
Date: Thu May 24 2001 - 09:08:48 PDT


    > -----Original Message-----
    > From: Johannes B. Ullrich [mailto:euclidianat_private]
    > Sent: Thursday, May 24, 2001 5:48 PM
    > Cc: incidentsat_private
    > Subject: RE: Scans for proxy???
    >
    > I don't believe in any large organized effort to do
    > anything like that. The cracker community is not that
    > organized. You may have a guy come out with a new
    > tool like 'lion' or 'adore' and then others are jumping
    > on and modifying it to suit their purposes. This has overall
    > the appearance of an organized wave. 
    Who said anything about large and organized? A couple of reports
    does not qualify as large in my books. And as for organisation, 
    do you really believe that there are no organized 'crackers'?
    
    There is a vast variety of skill levels out there.
    
    > Anyone wants to setup a few honeypots? I don't hear much 
    > from the honeynet. Are they publishing the code they 
    > capture someplace? (and does anyone have a simple 
    > step-by-step guide as to how to setup a honeypot safely?)
    
    Quoting Jan Marek:
    > > > I got from my snort these alerts: is there some new 
    > > > vulnerabilities for squid or other proxies?
    
    None of this indicates that either a) he was running squid, or other
    proxies, or even if he was, b) whether his system was believed to be 
    compromised.
    
    A couple of ideas off the top of my head: 
    Firstly, the ability to anonymously exploit both the Unicode and 
    CGI double-decode vulnerabilities.
    Secondly, money making scams via payment for banner ad 
    'clickthroughs' that record IPs.
    Thirdly, abusing voting pages (again, once per IP).
    ...
    ...
    
    You get the idea.
    
    Yes, there may be an as-yet-unpublished vulnerability in Squid,
    but on the balance of probabilities I'd go with Occam's Razor here
    and side with the above until proven otherwise.
    
    Take care,
      Andrew
    -
    Andrew Thomas
    office: +27 21 4889820
    facsimile: +27 21 4889830
    mobile: +27 82 7850166
     "One trend that bothers me is the glorification of
    stupidity, that the media is reassuring people it's 
    alright not to know anything. That to me is far more 
    dangerous than a little pornography on the Internet." 
      - Carl Sagan
    
    This archive was generated by hypermail 2b30 : Thu May 24 2001 - 09:44:53 PDT