Category Archives: What?!

Chasing Ghosts this afternoon…

Starting yesterday evening, I’ve been noticing a LOT more attempted connections to :445 (tcp).

Initially I was under the impression that the issue was isolated to the network I was on, although I’ve had confirmations from another non-related network (plus another host I have offnet) that :445 traffic is slightly higher than what is believed to be normal. But then again – what’s normal? (Without a good netflow collector and historical data, you probably have no idea.)

A quick scan of the DSL routers I have access to shows 314 unique IPs originating such scans to multiple destinations (this is one quick run of “show ip cache flow | i 01BD” on each of 3 routers). I’m seeing the same thing on a VPS host I have located in Virginia.

Being a little more than curious, I’ve fired up nepenthes, and within 8 minutes I had 3 SMB exploit attempts, where the affected machine tries to download “myreceve.com”.

These exploits were hitting vulnerabilities on :139 (tcp), however, and I don’t believe they are related (they’re also from the same class B network).

66.xx.xx.xx -> 66.xx.xx.xx ftp://1:1@66.xx.xx.xx:9015/myreceve.com

Connecting to this host in particular gives a warm welcome:

nc 66.xx.xx.xx 9015
220 fuckFtpd 0wns j0

Back to what prompted my initial interest – :445. I can’t seem to figure out what’s really going on – packet captures indicate more than a normal SYN scan, but without some additional review, I have no idea why there are so many identical requests from so many hosts, like this one:

NetBIOS Session Service
    Message Type: Session message
    Length: 47
SMB (Server Message Block Protocol)
    SMB Header
        Server Component: SMB
        SMB Command: Negotiate Protocol (0x72)
        Error Class: Success (0x00)
        Reserved: 00
        Error Code: No Error
        Flags: 0x00
        Flags2: 0x0000
        Process ID High: 0
        Signature: 0000000000000000
        Reserved: 0000
        Tree ID: 0
        Process ID: 604
        User ID: 0
        Multiplex ID: 0
    Negotiate Protocol Request (0x72)
        Word Count (WCT): 0
        Byte Count (BCC): 12
        Requested Dialects
            Dialect: NT LM 0.12
                Buffer Format: Dialect (2)
                Name: NT LM 0.12

I’ve only slightly glanced over other SMB sessions, and this seems like a normal request… I’m a little baffled as to why every pcap I have from an apparently compromised host uses process id “604”, but otherwise each request appears valid.

So…. it’s probably nothing (usually is), but it definitely piqued my interest for a time today. Happy Thanksgiving!

Update at 22:25

At the advice of others, I’m installing dionaea, which apparently has better SMB support, to see if I can determine exactly what these connections are. I’ll post an update when I’m finished.

Update 06:00 11/25/2009

I’ve got dionaea running and collecting bitstreams. Same basic signature (process id: 604), but now with a _lot_ more information in the captures (as dionaea is a little more fluent in the SMB protocol). Tonight: cooking and reading pcaps.

Multiple WAN Linux-based router

My friend Mat recently asked how difficult it is to build your own router. He’s living in a house with 4 or 5 other guys, and two Internet connections (one for work purposes, the other apparently comes with the house).

My immediate suggestion was to grab an old Sun Cobalt Raq server. My former router was based on a Qube3 picked up off eBay for less than $80.00. The things are great: low power consumption, two NICs, an LCD screen, a trippy green LED panel….

Fear my awesome green LED
USB, Serial, and 2 ethers

There are numerous walkthroughs on how to turn these things into mail servers, etc. (Google for them). The basic gist of what one needs to do is:

  • Upgrade the ROM. This has fixes for 2.6 kernels as well as support to boot from an ext3 filesystem.
  • Install the root filesystem on the drive(s). This can be done by mounting the IDE drives in another box, or using an nfs server to install from the Qube itself.
  • Compile a kernel. While there are many patches out there, I’ve found that (possibly aside from the LCD screen, which I’ve never bothered with) a vanilla 2.6 kernel will work fine.

Nothing that’s too incredibly different from setting up a normal box. I would highly recommend two resources: the first is Braggtown, the second is Tim and Tina Wiley’s site.

As far as items to install: I’m personally using Quagga for static routing and OSPF (I use the Cobalt as a route server; also, Quagga has a nice Cisco-like CLI), OpenSwan for VPN access, VTUN for quick tunnels here and there (over which I run OSPF), Roaring Penguin L2TP for various layer 2 tunnels, etc.

iproute2 handles multiple WAN connections properly by way of multiple routing tables. There are 255 tables available for routing, and iproute2 makes using named tables easy – simply add the numeric value and table name to /etc/iproute2/rt_tables.

When working with multiple WAN interfaces, I generally set up the second routing table and rules similar to this:

ip route add default via <gateway for this connection> dev <interface> table <tablename>

ip rule add from <WAN IP> table <tablename>

The first line adds a default route to the named table; the second adds a policy rule so that traffic sourced from that WAN IP is looked up in it. To isolate a machine on the internal LAN so that it ONLY uses the newly defined routing table, one can simply:

ip rule add from 192.168.32.10 table <tablename>

ip rule add to 192.168.32.10 table <tablename>

Depending on your default policy, you may need to alter your iptables rules as well (especially to permit forwarding and NAT masquerading for the second link). You can also select a table by TOS value or by an iptables fwmark (which is how routing by port number is done); basically the sky is the limit (round-robin routing out of several interfaces, etc.).
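The setup just described, as an added example script (not from the original post): it builds the second table, pins one LAN host to it, and also copies the main table’s connected routes into the new table, which the two-line version above leaves out. Interface names, addresses and the table name “wan2” are placeholders; DRY_RUN=1 prints the ip(8) commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post): build a second routing
# table for one WAN link and pin a LAN host to it, the way the ip(8)
# lines above describe. Interface names, addresses and the table name
# are placeholders. DRY_RUN=1 prints each ip(8) command instead of running it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Map a table number to a name in /etc/iproute2/rt_tables (no-op in DRY_RUN).
register_table() {            # $1=number $2=name
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    grep -q "^$1[[:space:]]*$2\$" /etc/iproute2/rt_tables 2>/dev/null ||
        printf '%s\t%s\n' "$1" "$2" >> /etc/iproute2/rt_tables
}

# Default route for this link, plus the rule that sends traffic sourced
# from the link's own address through the table.
setup_wan_table() {           # $1=table $2=interface $3=gateway $4=wan_ip
    run ip route add default via "$3" dev "$2" table "$1"
    run ip rule add from "$4" table "$1"
}

# Copy the connected (scope link) routes of the main table into the WAN
# table. Reads 'ip route show table main' on stdin. Without this, a host
# pinned to the table has no LAN route in it, so replies to other LAN
# machines would be sent to the WAN gateway instead.
copy_connected_routes() {     # $1=table
    grep ' scope link ' | while IFS= read -r rt; do
        # $rt is split into words on purpose: it is an ip(8) argument list.
        run ip route add $rt table "$1"
    done
}

# Force one LAN host to use the table for both directions, as in the post.
pin_host() {                  # $1=table $2=lan_ip
    run ip rule add from "$2" table "$1"
    run ip rule add to "$2" table "$1"
}

# Example invocation with placeholder values: second link on eth1,
# gateway 203.0.113.1, address 203.0.113.10, table "wan2".
if [ "${1:-}" = apply ]; then
    register_table 2 wan2
    setup_wan_table wan2 eth1 203.0.113.1 203.0.113.10
    ip route show table main | copy_connected_routes wan2
    pin_host wan2 192.168.32.10
    run ip route flush cache   # older kernels cache lookups; flush after rule changes
fi
```

Run it as `DRY_RUN=1 sh multiwan.sh apply` first to review the command list, then without DRY_RUN as root.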

Next up is IPv6. IPv6 tunnels are easy to come by these days – Hurricane Electric and Sixxs.net are two of the more popular tunnel brokers, and MyBSD is a Malaysian broker I would personally recommend (good for IRC; latency is high and it goes down semi-frequently, but I like Malaysia). Also be aware that some brokers block common IRC ports. (Luckily I’m currently testing IPv6 for the ISP I work for and am now working off our /32.)

Quagga can handle IPv6 address auto-assignment on your LAN. By default, ipv6 nd suppress-ra is set on almost all interfaces. Disable it on the LAN interface (no ipv6 nd suppress-ra), slap an IPv6 address and subnet in that interface config – and voila – your IPv6 router is now handling IPv6 autoconfiguration.

I recently upgraded to using a small form-factor IBM ThinkCentre 8183B2U.

The ThinkCenter, with KnightRider eyes
ThinkCenter with a Courier dialup modem and 3 USB drives atop it

The power consumption is also fairly low (I believe), and since I wanted to do a little more with the router, I figured why not spend another $80. Of course, the downside to the ThinkCentre is that it has only 1 on-board NIC and 2 PCI slots. In the near future I plan on picking up a quad-port LINKX ethernet card to consolidate cards (I presently have 2 PCI NICs added to the router for connections to the LAN and a monitoring tap). Hopefully I can find a quad-port card that will fit in the small form-factor.

And excuse the mess; I’ve yet to make things “pretty”.

The “Fish” turns 111,111

My car (nicknamed “The Fish” for its fishlike appearance) just celebrated a birthday of sorts.

First of all, the car is a 1999 Ford Taurus SE, and as you can see in this dealer picture, it has all of the features of an aquatic animal: two bulbous eyes, two smaller “nostril”-looking things, side-view mirrors that could possibly be fins, and a mouth where the Ford emblem is.

The FISH! (Well, another Fish)

I’ve been working for a while on the possibility of using a WebpadDT as a touchscreen for a car PC. The inside of the Fish is huge – but at 8 inches or so, the WebpadDT takes up a lot of space. On the other hand, it’s quite a bit cheaper than a Lilliput screen.

While driving home this weekend, I looked down and noticed an upcoming milestone:

111,108 miles

I got the camera ready – almost at 111,111 miles. Good Old Lucky 111,111 – make a wish!
Well… maybe not. Turns out 111,108 is an unlucky number:

My Brake Light is Out.

My brake light was apparently out. A quick notice from the cop, and I was on my way. Being only about a mile from my house meant I had to drive around the block a few times, but finally I hit it:

111,111 miles

DirectorySlash Hacking

The other day I came across the following scenario: A customer wanted to use Apache proxying to hide the virtual hostname that his customers were really pulling content from. The rewrite rule on the “masking host” (which I refer to as www.proxy.net in these examples) is easy enough:

RewriteRule ^/~(.*)$ http://user.proxiedto.net/~$1 [P]

This works pretty well:

How the mod_rewrite [P] works.

The problem is what happens when DirectorySlash is enabled on the proxied-to host (which it is by default). DirectorySlash fixes requests that name a directory without the trailing forward slash by redirecting the client to the same URL with the slash appended.

GET /~gillespiem/images HTTP/1.1
Host: www.proxy.net

In this instance, you get a 301 redirect that appends a “/” to the end of the request BUT also sets the Location header to the proxied-to virtual hostname. The jig is up – and now the address bar in the browser indicates the real host the end-user is speaking to:

When mod_rewrite [P] and DirectorySlash collide.

Here’s a snippet of response from the site:

HTTP/1.1 301 Moved Permanently
Date: Tue, 27 Oct 2009 16:28:27 GMT
Server: Apache/2.2.3 (CentOS)
Location: http://user.proxiedto.net/~gillespiem/images/

I’ve not been able to find an easy way to change what DirectorySlash uses in the Location header (maybe you can’t). DirectorySlash is important, so simply not using it won’t work in this application. Instead, I opted to use a RewriteMap to write my own version, DirectorySlashHack, and enable it in the vhost container (on the proxied-to site) like so:

DirectorySlash off
RewriteMap directoryslashhack        prg:/etc/httpd/maps/directoryslashhack
RewriteRule ^/~([^/]+)(/?.*)         ${directoryslashhack:%1*$1*$2}

While the solution is hackish (and the script and RewriteRule could use a small bit of cleanup), it seems to work so far. The Perl script determines if the requested resource is a directory and, if so, issues the appropriate 301 redirect using a customizable Location header (which allows me to force the cleaned-up request back to the proxy).
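An added stand-in for that map script, written in POSIX sh rather than Perl and not the author’s code: it answers RewriteMap “prg:” lookups with a redirect URL on the public host when the key names a directory requested without a trailing slash, and with NULL otherwise. The vhost rules in the header comment, the “user*path” key format, PUBLIC_HOST and the home-directory layout are assumptions.

```shell
#!/bin/sh
# Added example, standing in for the post's Perl script: a RewriteMap
# "prg:" lookup that re-implements DirectorySlash but builds the redirect
# target on a configurable public host. Assumed use in the vhost (a
# variant of the post's rule; the 301 fires only when the map returns a URL):
#   DirectorySlash off
#   RewriteMap  directoryslashhack prg:/etc/httpd/maps/directoryslashhack
#   RewriteCond ${directoryslashhack:$1*$2} ^(http://.+)$
#   RewriteRule ^/~([^/]+)(/?.*)$ %1 [R=301,L]
PUBLIC_HOST="${PUBLIC_HOST:-http://www.proxy.net}"
DOCROOT="${DOCROOT:-/home}"          # /~user/ maps to $DOCROOT/user/$PUBLIC_HTML/
PUBLIC_HTML="${PUBLIC_HTML:-public_html}"

# directoryslash_lookup KEY -> prints one line: the absolute URL on the
# public host with "/" appended when KEY ("user*path") names a directory
# requested without a trailing slash; otherwise "NULL", which mod_rewrite
# treats as "no entry", so the request passes through unchanged.
directoryslash_lookup() {
    case "$1" in *\**) ;; *) echo NULL; return 0;; esac   # malformed key
    user=${1%%\**}
    path=${1#*\*}
    # The key is request-controlled data: refuse traversal and empty or
    # slash-containing user names before touching the filesystem.
    case "$user" in ''|*/*|*..*) echo NULL; return 0;; esac
    case "$path" in *..*|*/) echo NULL; return 0;; esac
    if [ -d "$DOCROOT/$user/$PUBLIC_HTML$path" ]; then
        echo "$PUBLIC_HOST/~$user$path/"
    else
        echo NULL
    fi
}

# Apache starts the program once and writes one key per line; every key
# must be answered with exactly one line, or the server blocks waiting.
serve_map() {
    while IFS= read -r key; do
        directoryslash_lookup "$key"
    done
}
case "${0##*/}" in directoryslashhack) serve_map ;; esac
```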