From: "morning_wood"
To:
Subject: "the badhat saga" a sad but true tale...
Date: Friday, June 06, 2003 11:56 AM

For those interested, this is an excerpt of a conversation with a well-meaning, but very misguided "professional".

note: there is no flaming here, just some mild shock in my reactions and expressions

*** lamehat (~me@12.241.xxx.xxx) has joined #0sec
<@morning_wood> hi
Why would I be getting port scans originating from this server?
<@MrWood> you shouldnt
<@MrWood> i have scanning off
Care to see the logs?
<@MrWood> yea...
Where do you want me to send them?

------------- start snippy --------------------
Hack attempts by this intruder:

Date & Time: 2003-06-04 01:28:20 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_Gnutella (port=6346)
Victim IP: 12.241.xxx.xxx
Attempts: 2

Date & Time: 2003-06-06 00:33:53 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_HTTP (port=80)
Victim IP: 12.241.xxx.xxx
Attempts: 32
-------------- end snippy -----------

<@MrWood> thats from my gnutella client
68 attempts to different ports
<@MrWood> thats a standard connect for gnutella based clients
<@MrWood> i dont get it
<@MrWood> yea y tf would i scan 68 times
<@MrWood> i used a new client last night called Nova
well abuse report has already been sent to ATT...the box it is hitting is a SNORT IDS box
<@MrWood> as in they make repeated attempts
I have never been here before or to your site
<@MrWood> excellent i suggest getting p2p off your wire then
<@MrWood> an abuse report?
there isn't any P2P on this box. It is an intrusion detection box
<@MrWood> are you nuts?
<@MrWood> then you're being picked up
<@MrWood> on your wire
<@MrWood> as an open client
<@MrWood> if your ports are in receive ( server mode) its gunna connect
I'll let att sort it out
<@MrWood> ya geee thanks
<@MrWood> lame man
The box is locked down, there is nothing but listening going on here
<@MrWood> I NEVER SCANNED ANYONE 32 F*CKING TIMES IN MY LIFE
<@MrWood> its a fscing p2p connect
<@MrWood> wtf you send abuse for?
<@MrWood> how long have you been in the security field?
15 years CISSP certified
<@MrWood> 32 times is bullsh*t
<@MrWood> i got no reason to scan you more than once
<@MrWood> if i even did that
<@MrWood> port scanning is not against any law
True, but it is against ATT's acceptable use policy, as is running this server and your web server
<@MrWood> i just read the doj guidelines
<@MrWood> the hell it is
<@MrWood> they ( ATT ) know not only i run a httpd
<@MrWood> but a router as well
<@MrWood> they also know im in the security arena
<@MrWood> its in their notes because i work close with them
<@MrWood> you really should confer before sending out lame abuse reports
<@MrWood> esp when you're on p2p
<@MrWood> and what state am i in?
item xiv...toward the bottom of the page
<@MrWood> you're in mesquite texas?
BTW, I am connected to you via port 6667 with an IRC client
yep
<@MrWood> yes obviously
Examples of prohibited programs and equipment include, but are not limited to, mail, ftp, http, file sharing, game, newsgroup, proxy, IRC servers, multi-user interactive forums and Wi-Fi devices;
<@MrWood> so from att's acceptable use policy
<@MrWood> i told you
<@MrWood> its in their notes
<@MrWood> for the last year
<@MrWood> man you are the worst kind of security person
<@MrWood> take your white hat off for a few sometime
<@MrWood> sending abuse for a suspected scan
<@MrWood> lame bro
With my certification comes the obligation to assist in protecting the network from abuse..port scanning is an abuse
<@MrWood> uhh huu i see
<@MrWood> i cant tell you how to conduct your internet experience .... so
<@MrWood> in 3 years you are the second person to send abuse
<@MrWood> obviously im not doing anything severe here now am i
<@MrWood> ?
<@MrWood> take yer cert and shove it, it gives you no obligation
<@MrWood> i suggest reading up on what I do here
<@MrWood> im not malicious, you got scanned because you're giving out false p2p packets
<@MrWood> and running a honeypot
<@MrWood> wtf you run a honeypot for?
<@MrWood> thats like waiting for a vic
It's not a honeypot, it is an intrusion detection system
<@MrWood> yours are the worst kind, certified, think they own sec
big difference
<@MrWood> ROFL no its not, tell me how
<@MrWood> snort is a honeypot pure and simple
IDS simply looks for patterns and reports them...honeypot imitates an insecure system to entice/re-direct hack attempts
<@MrWood> and my pissant port scans have got you more worried than some Chinese scan cuz you can send abuse to my isp
how is logging and examining packets a honey pot?
<@MrWood> i sure the f*ck dont send out lame ass portscan as an abuse
<@MrWood> get off yer high horse and catch a real internet criminal
Your choice
<@MrWood> tell it to Full Disclosure.. you do subscribe?
<@MrWood> i got better things to do than discuss some ids port scan
actually I prefer bugtraq to full disclosure
<@MrWood> i bet
<@MrWood> i use both
<@MrWood> for all my reports
<@MrWood> try searching on Mourning Woode
<@MrWood> you should find about 7 or 8
Then you should be able to secure your system to prevent scans from it to any of my systems
BTW, you may want to pop out to dshield.org...your IP is listed there as being reported numerous times
<@MrWood> funny i was there last week
<@MrWood> it was clean then
on 5/9....multiple ports
<@MrWood> until i commit a real crime, im not real worried
Apparently my system isn't the first that has been scanned from your system
<@MrWood> run along back to your whitehat brethren, and tell them to leave me alone
<@MrWood> i guess i can go to dshield and report you
<@MrWood> very lame guy
<@MrWood> i mean really

------------ snip ---------------------
http://www.dshield.org/ipinfo.php?ip=12.229.234.100&Submit=Submit
------------ snip ---------------------

This is a near verbatim discussion I had this morning. Yes, there's a few "reported" scans, nothing more than paranoid wannabe security pros and a small selection of ports, gimme a break. Interesting: one day weird ports, looks like a p2p client trying to NAT, and I am now some "evil hacker" scanning like wildfire. A very sad day.

Well there you have it, an egotistical "professional" reporting abuse for nothing. :(

I was trying different setups with various p2p clients, with a NAT router, on the day and time of his logs. Please, reports to abuse of this type are flat out unjustified.

Here he is sniffing the wire, arping p2p signals that will attract requests from p2p; p2p sees a "known" port for a certain client and tries to connect; I try various ports and techniques in my setup testing ( i dont p2p as a rule ). And now I'm abused? :((

my 2 bits
wood
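The dispute above turns on one question an IDS summary like the quoted "Hack attempts" block does not answer by itself: do the alerts describe a port sweep (many distinct ports hit) or a client reconnecting to one or two service ports, which is what a Gnutella or HTTP client produces? The following is an added example written for this page, not code from the original post or from any IDS product: it parses a log block laid out like the quoted one (the sample is constructed from the two entries in the chat, same xxx-masked victim), tallies distinct ports and attempts per victim, and returns a verdict. The sweep threshold, the P2P_PORTS table (only 6346/Gnutella, the one P2P port the log names) and the make_sweep_entries contrast case are assumptions of this example.

```python
"""Port sweep or reconnecting client? Classify IDS alert summaries.

Added example, not part of the original message. The threshold and the
helper names here are assumptions of this example, not any IDS's rules.
"""
import re
from collections import defaultdict

# Constructed sample, laid out like the block quoted in the chat: two alerts
# against one masked victim, 2 connects to the Gnutella port and 32 to HTTP.
SAMPLE_LOG = """\
Hack attempts by this intruder:

Date & Time: 2003-06-04 01:28:20 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_Gnutella (port=6346)
Victim IP: 12.241.xxx.xxx
Attempts: 2

Date & Time: 2003-06-06 00:33:53 (-5:00 GMT)
Time Zone: Central Daylight Time
TCP_Probe_HTTP (port=80)
Victim IP: 12.241.xxx.xxx
Attempts: 32
"""

# One alert = five lines in the layout above; the timezone offset is ignored.
ENTRY_RE = re.compile(
    r"Date & Time: (?P<ts>[\d-]+ [\d:]+) \([^)]*\)\n"
    r"Time Zone: [^\n]*\n"
    r"(?P<sig>\w+) \(port=(?P<port>\d+)\)\n"
    r"Victim IP: (?P<victim>[\w.]+)\n"
    r"Attempts: (?P<attempts>\d+)"
)

# Well-known P2P listening ports (assumed table; 6346 is the Gnutella default
# and the only P2P port the quoted log names).
P2P_PORTS = {6346: "Gnutella"}


def parse_entries(text):
    """Return one dict per alert found in an IDS summary block."""
    return [
        {"ts": m["ts"], "sig": m["sig"], "port": int(m["port"]),
         "victim": m["victim"], "attempts": int(m["attempts"])}
        for m in ENTRY_RE.finditer(text)
    ]


def classify(entries, sweep_min_ports=5):
    """Group alerts by victim and decide what the activity looks like.

    Many distinct destination ports -> "port sweep".  Several attempts spread
    over only a few ports -> "repeated connects to service ports" (a client
    retrying a known port, the pattern the author describes).  One attempt
    on one port -> "single connect".  sweep_min_ports is an assumed cutoff.
    """
    per_victim = defaultdict(lambda: {"ports": set(), "attempts": 0})
    for e in entries:
        v = per_victim[e["victim"]]
        v["ports"].add(e["port"])
        v["attempts"] += e["attempts"]

    result = {}
    for victim, v in per_victim.items():
        if len(v["ports"]) >= sweep_min_ports:
            verdict = "port sweep"
        elif v["attempts"] > 1:
            verdict = "repeated connects to service ports"
        else:
            verdict = "single connect"
        result[victim] = {
            "distinct_ports": len(v["ports"]),
            "attempts": v["attempts"],
            "p2p_ports": sorted(p for p in v["ports"] if p in P2P_PORTS),
            "verdict": verdict,
        }
    return result


def make_sweep_entries(victim, ports, ts="2003-06-06 00:33:53"):
    """Constructed contrast case: one single-attempt alert per port, the
    shape a real port sweep would leave in the same kind of log."""
    return [{"ts": ts, "sig": "TCP_Probe_Unknown", "port": p,
             "victim": victim, "attempts": 1} for p in ports]


if __name__ == "__main__":
    for victim, r in classify(parse_entries(SAMPLE_LOG)).items():
        print(victim, r)
    sweep = classify(make_sweep_entries("12.241.xxx.xxx", range(6340, 6360)))
    for victim, r in sweep.items():
        print(victim, r)
```

Run stand-alone it prints the quoted log as 34 attempts over 2 distinct ports (one of them the Gnutella port), i.e. a reconnecting client, and the constructed 20-port case as a port sweep. The point for anyone about to file an abuse report from an IDS summary is that the per-victim attempt count alone ("32 attempts") says nothing about scanning; the distinct-port count does.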