AM I HACKER-PROOF?!?!?!? LIGATT says I am not!
Before I start, why the fuck is "LIGATT" all in capital letters and if it is not an acronym, what does it mean? If it is not either, then I guess that Mr. Evans grabbed a few tiles from the Scrabble bag and came up with this horrible name.
On LIGATT and the scan itself
Anyway, I am sure that you have read the news on LIGATT so I will spare you the background. If you haven't heard of Gregory Evans, World's Number-One Hacker; read up on the links provided and I am certain that you'll begin to wonder how Kevin Mitnick's so-called "overwing" could fathom the concept of the firm.
Moving along, we are graced with an excellent photo of a yelling black man screaming, "am I hacker proof?" Needless to say, this is a question I scream at my boss every morning as I walk in. He doesn't speak to me much and doesn't invite me to team meetings anymore. Oh well.
I decided that since LIGNAT was offering the service that I'd take advantage of the free offer and see if I was as safe as I thought I was. Boy was I ever wrong and it has since caused me to place an extra seven layers of aluminium foil on my head.
According to LUGNUT's scan, the following were found thanks to my information and the scan itself!
- 327 web results
- 12 local results
- 164 video results
- 8 books results
- 208 blogs results
- 133 news results
- 16 images results
I am glad to know that there are books on Horatio out there.
What did it find besides books?
The results were that it found three vulnerabilities--them being ports open--on the host I connected from. However, it seems that LAGNAT is only doing a basic NMap scan. The scan appears to perform a broad scan and interpreting any open port as a vulnerability.
One of the many 'attempts' to bypass my gateway.
I didn't bother to monitor all activity, but I did at least log to determine what was going on. In particular, Apache and SSH were targeted by LEGNUT's scans.
97.74.195.39 - - [21/Jun/2010:19:49:10 -0700] "GET %2F%2Fetc%2Fpasswd
HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine;
http://nmap.org/book/nse.html)"
The above just repeats in similar fashion over and over again. It doesn't seem to make much of an emphasis on Apache bugs but rather at potential chroot escapes. With regards to SSH, it makes two attempts at exploiting two old bugs but nothing more than that.
Besides, SSH and HTTP, it scans for typical TCP/UDP ports such as FTP, mail services, Windows services, et cetera--nothing fancy really. Basically for $30 USD, LEGNUO will do what I will likely do for free if you ask me privately. There are also other services out there that will do the same for cheap or free.
The hosting provider he uses isn't really meant for such scans
To make matters more interesting, LUGJUG runs all of this off of a GoDaddy-provided server.
ckeigher@antares:~$ whois 97.74.195.39
[...]
NetRange: 97.74.0.0 - 97.74.255.255
CIDR: 97.74.0.0/16
OriginAS: AS26496
NetName: GO-DADDY-SOFTWARE-INC
NetHandle: NET-97-74-0-0-1
Parent: NET-97-0-0-0-0
NetType: Direct Allocation
NameServer: CNS1.SECURESERVER.NET
NameServer: CNS2.SECURESERVER.NET
NameServer: CNS3.SECURESERVER.NET
Comment: Please send abuse complaints to abuse@godaddy.com
RegDate: 2008-08-14
Updated: 2008-08-14
The scan happens to violate the AUP provided by GoDaddy themselves.
2. YOUR OBLIGATIONS
[...]
vi. interfere, disrupt or attempt to gain unauthorized access to any computer system, server, network or account for which You do not have authorization to access or at a level exceeding Your authorization;
vii. disseminate or transmit any virus, trojan horse or other malicious, harmful or disabling data, work, code or program;
viii. engage in any other activity deemed by Go Daddy to be in conflict with the spirit or intent of this Agreement or any Go Daddy policy; or
Before you initiate a scan, if you were to do this as a regular user, you'd unlikely understand what ports are and therefore the service would be violating the AUP. However, seeing that GoDaddy's track-record for enforcing their own policies and rather focusing on selling domains to dumbasses (such as Mr. Evans), I doubt that we'll see any action towards this practice.
Playing around
While feeding it some junk data, I did manage to get it to give me the following error:
Warning: Invalid argument supplied for foreach() in
/home/ligattsecuritycom/public_html/amihackerproof/check_this_scan_status_quick.php
on line 624
Going directly to the mentioned file gives the following:
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/ligattsecuritycom/public_html/amihackerproof/check_this_scan_status_quick.php on line 6
Error occured
That first error was achieved when I changed the IP fed by the form to 127.0.0.1. It still scanned my host when I attempted this, but it seems to have broken something else. The end results returned were no different and it still scanned my host once more.
Overall, LIGGGGGGGGGGGGGORT is being quite the charlatan.