Keyboard Cowboy More and-or less confused after tomorrow

29 Aug 2010

Repost: Monthly Infosec Nights – September 1st, 2010

Figure I'll post this here and see if anybody who reads this might be interested.

Subject: [Vanhackspace] Monthly Infosec Nights - Wednesday, September 1st, 2010 @ 19:00h
Date: Wed, 04 Aug 2010 09:28:20 -0700
From: Colin Keigher

Reply-To: vanhackspace@lists.uselessdegree.net
To: vanhackspace@lists.uselessdegree.net

Hi all,

I'd like to invite you all to the first-ever information security night
at Vancouver Hack Space (VHS). If this is successful, we'll be having
these at least once a month likely on the first Wednesday.

Our first meeting will be on Wednesday, September 1st at 19:00.

For some of you, this may be your first excuse to come down, so here are
some details on where VHS is physically located:

    45 W. Hastings
    Vancouver, British Columbia
    (778) 785-5982
    (Entrance is located in the rear, in the alleyway)

All members and non-members of all ages are welcome to attend! We do ask
that non-members bring a donation of $5 to support the space. If you're
having problems getting in, that phone number is a direct line inside.

What will be discussed? Well, this is how I'd like the format to go:

    19:00 - Doors open
    19:30 - First talk
    19:45 - Second talk (optional)
    20:00 - Free form

By talks, what I mean is that I invite anybody to step forward and
suggest a topic that can be presented in the time allotted. Topics may
include but are not limited to cryptography, intrusion, social
engineering, exploitation, flaws, theories, espionage, privacy, legal
issues, and anything computer security and hacking-related.

If you're interested, message me on or off of this mailing list. I am
also available on #vhs on OFTC IRC as "afreak".

Free form is a period where we can all discuss, share, and so forth!

Food and beverages are welcome in the space. As well, Internet access is
also provided. If you're presenting a talk, a projector is also available.

If you have any suggestions or ideas, do not hesitate to throw them my way!

Thanks,
Colin Keigher

24 Jun 2010

AM I HACKER-PROOF?!?!?!? LIGATT says I am not!

Before I start, why the fuck is "LIGATT" all in capital letters and if it is not an acronym, what does it mean? If it is not either, then I guess that Mr. Evans grabbed a few tiles from the Scrabble bag and came up with this horrible name.

On LIGATT and the scan itself

Anyway, I am sure that you have read the news on LIGATT, so I will spare you the background. If you haven't heard of Gregory Evans, World's Number-One Hacker, read up on the links provided, and I am certain that you'll begin to wonder how Kevin Mitnick's so-called "overwing" could fathom the concept of the firm.

Moving along, we are graced with an excellent photo of a yelling black man screaming, "am I hacker proof?" Needless to say, this is a question I scream at my boss every morning as I walk in. He doesn't speak to me much and doesn't invite me to team meetings anymore. Oh well.

I decided that since LIGNAT was offering the service, I'd take advantage of the free offer and see if I was as safe as I thought I was. Boy, was I ever wrong, and it has since caused me to place an extra seven layers of aluminium foil on my head.

According to LUGNUT's scan, the following were found thanks to my information and the scan itself!

  • 327 web results
  • 12 local results
  • 164 video results
  • 8 books results
  • 208 blogs results
  • 133 news results
  • 16 images results

I am glad to know that there are books on Horatio out there.

What did it find besides books?

The results were that it found three "vulnerabilities", namely three open ports, on the host I connected from. However, it seems that LAGNAT is only doing a basic Nmap scan: a broad port scan in which any open port is interpreted as a vulnerability.

[Image: One of the many 'attempts' to bypass my gateway.]

I didn't bother to monitor all activity, but I did at least log enough to determine what was going on. In particular, Apache and SSH were targeted by LEGNUT's scans.

97.74.195.39 - - [21/Jun/2010:19:49:10 -0700] "GET %2F%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"

The above just repeats in similar fashion over and over again. It doesn't put much emphasis on Apache bugs, but rather on potential chroot escapes. As for SSH, it makes two attempts at exploiting two old bugs, but nothing more than that.
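As an added defensive example (this is not code from the post, and not anything LIGATT ships), the following Python parses Apache combined-format log lines like the one above and flags requests that carry the Nmap Scripting Engine user agent or a URL-encoded traversal toward /etc/passwd. The first sample line mirrors the entry quoted in the post; the remaining lines are constructed for the demonstration, and the function names, the 192.0.2.x addresses and the choice to decode the path twice are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log (Apache combined format). Line 1 mirrors the entry
# quoted in the post; the rest are made up to exercise the classifier.
SAMPLE_LOG = """\
97.74.195.39 - - [21/Jun/2010:19:49:10 -0700] "GET %2F%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
97.74.195.39 - - [21/Jun/2010:19:49:11 -0700] "GET /cgi-bin/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 512 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)"
192.0.2.10 - - [21/Jun/2010:19:50:02 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.11 - - [21/Jun/2010:19:51:30 -0700] "GET /../../etc/passwd HTTP/1.1" 403 199 "-" "curl/7.19.7"
"""

# One regex for the combined log format: ip, ident, user, [timestamp],
# "method path protocol", status, size, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent fragments that identify a scanner outright (assumed list).
SCANNER_UA_MARKERS = ("Nmap Scripting Engine",)

# Traversal indicators checked against the *decoded* path.
TRAVERSAL_RE = re.compile(r'(\.\./|/etc/passwd)', re.IGNORECASE)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice (assumption): a double-encoded "%252F" survives one unquote
    # as "%2F" and would otherwise hide the slash from the traversal check.
    rec["decoded_path"] = unquote(unquote(rec["path"]))
    return rec


def classify(rec):
    """Return the list of reasons a parsed record looks like scan traffic."""
    reasons = []
    if any(marker in rec["ua"] for marker in SCANNER_UA_MARKERS):
        reasons.append("scanner-ua")
    if TRAVERSAL_RE.search(rec["decoded_path"]):
        reasons.append("path-traversal")
    return reasons


def scan_log(text):
    """Return (ip, decoded_path, status, reasons) for every flagged line."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        reasons = classify(rec)
        if reasons:
            findings.append((rec["ip"], rec["decoded_path"], rec["status"], reasons))
    return findings


def summarize_by_ip(findings):
    """Count flagged requests per source address."""
    counts = {}
    for ip, _, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for ip, path, status, reasons in hits:
        print(f"{ip:15} {status} {','.join(reasons):24} {path}")
    print(summarize_by_ip(hits))
```

Note that the post's own entry returned a 404, so the probe failed; the classifier flags on the request, not on the response status, because the point of the log review is to see who is probing, not only what succeeded. The user-agent match is the cheap signal (a scanner that sets its own UA string is being polite), while the decoded-path check catches the same probes from tools that spoof a browser UA.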

Besides SSH and HTTP, it scans for typical TCP/UDP ports such as FTP, mail services, Windows services, et cetera; nothing fancy, really. Basically, for $30 USD, LEGNUO will do what I'd likely do for free if you asked me privately. There are also other services out there that will do the same for cheap or free.

The hosting provider he uses isn't really meant for such scans

To make matters more interesting, LUGJUG runs all of this off of a GoDaddy-provided server.

ckeigher@antares:~$ whois 97.74.195.39

[...]

NetRange: 97.74.0.0 - 97.74.255.255
CIDR: 97.74.0.0/16
OriginAS: AS26496
NetName: GO-DADDY-SOFTWARE-INC
NetHandle: NET-97-74-0-0-1
Parent: NET-97-0-0-0-0
NetType: Direct Allocation
NameServer: CNS1.SECURESERVER.NET
NameServer: CNS2.SECURESERVER.NET
NameServer: CNS3.SECURESERVER.NET
Comment: Please send abuse complaints to abuse@godaddy.com
RegDate: 2008-08-14
Updated: 2008-08-14

The scan happens to violate GoDaddy's own AUP.

2. YOUR OBLIGATIONS

[...]

vi. interfere, disrupt or attempt to gain unauthorized access to any computer system, server, network or account for which You do not have authorization to access or at a level exceeding Your authorization;

vii. disseminate or transmit any virus, trojan horse or other malicious, harmful or disabling data, work, code or program;

viii. engage in any other activity deemed by Go Daddy to be in conflict with the spirit or intent of this Agreement or any Go Daddy policy; or

A regular user initiating one of these scans is unlikely to understand what ports even are, so it is the service itself that would be violating the AUP. However, given GoDaddy's track record when it comes to enforcing their own policies, and their focus instead on selling domains to dumbasses (such as Mr. Evans), I doubt that we'll see any action taken against this practice.

Playing around

While feeding it some junk data, I did manage to get it to give me the following error:

Warning: Invalid argument supplied for foreach() in /home/ligattsecuritycom/public_html/amihackerproof/check_this_scan_status_quick.php on line 624

Going directly to the mentioned file gives the following:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/ligattsecuritycom/public_html/amihackerproof/check_this_scan_status_quick.php on line 6
Error occured

I triggered that first error by changing the IP submitted by the form to 127.0.0.1. The scan still ran against my own host rather than the address I supplied, but the change seems to have broken something else along the way; the results returned were otherwise no different.

Overall, LIGGGGGGGGGGGGGORT is being quite the charlatan.