[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Is this a practical vulnerability?

On Sat, 20 Oct 2012 11:29:57 +0000, Anon Mus wrote:
...
> I had been creating/running corporate web sites since the mid 1990's, I 
> hardly think that qualified me as a newbie. Not sure what was the 
> purpose of this remark was.

The purpose of the remark was get any concrete information on the
kinds of attack you were experiencing. If those are the same that
everyone on the internet is getting then it is hardly a sign of
you being under attack specifically after having accessed your
own hidden service.

> The web server itself was supposed to be fire walled from the open web 
> (with only Tor access) but a "hole" bug in the firewall's code meant 
> that a "stop access" mode only caused "logging" mode to be initially 
> turned on.

Did you run the server before (I suppose not) and have the firewall
rules before so you could cross-check the attacks after the hidden
service with the time before?

...
> Well with you being such an "experienced" and "savvy" web person I am 

I just operate a few http servers that have practically no regular
traffic, so my httpd logs are a pure trace of the vulnerabilities
that linger in diverse popular web applications.

Likewise I see the constant influx of windows RPC/messages/RDP stuff
in my firewall logs; and I wonder whether you actually know what
life on the internet is, or whether you simply installed the web
server & hidden service, saw all the shit hitting the server and
went 'omg, tor is obviously borken'.

...
> Of course, once again your vast experience will lead you to the 
> conclusion that once alerted to the attacks I used other tools (such as 
> my web server log & a packet sniffer) to see the details of the traffic.

So, what *are* the details of the traffic, especially in comparison to
the usual background, that can even indicate that there was a specific
attach on your server at that time.

Or, for instance, what are the signs I should be looking for in my
firewall/httpd logs to see whether there was a similar attack on
my systems after I started my hidden services.

...
> There were many attacks which I am sure you can research on the net 
> yourself.

Yeah, sure. I can research how you were specifically attacked. Care
to give some google keywords for that?

> They were mainly aimed at accessing parts of the server such 
> as files and various rpc O/S components.
> 
> They did focus on trying to identify what web server I was using, I 
> believe there were about 4 or 5 different

So what? The question is not whether someone is doing that, the
question is what makes you think you're getting these attacks
a) in relation to your hidden service and b) they are happening
only to you.

> Of course my web server did log the traffic that did get through, these 
> logs are now gone but here's a section from one which I queried someone 
> as to what it was..
> 
> >#Fields:
> >time c-ip cs-method cs-uri-stem sc-status
> >13:05:35 xxx.xxx.xxx.xxx GET /{Tor hidden service 
> >ID}/nonexistentfile.php 404
> >13:05:35 xxx.xxx.xxx.xxx GET /adxmlrpc.php 404
> >13:05:35 xxx.xxx.xxx.xxx GET /adserver/adxmlrpc.php 404
> >13:05:36 xxx.xxx.xxx.xxx GET /phpAdsNew/adxmlrpc.php 404
...
> >13:05:38 xxx.xxx.xxx.xxx GET /blog/xmlrpc.php 404
> >13:05:39 xxx.xxx.xxx.xxx GET /drupal/xmlrpc.php 404
> >13:05:39 xxx.xxx.xxx.xxx GET /community/xmlrpc.php 404

Yeah, sure. I get the same of every http server I have in the open
internet. Someone is always sweeping the internet for vulnerable
systems; the vulnerabilities change, the sweeping doesn't.

Nothing to see here, please move along and come up with something else.

Besides, the /{Tor hidden service ID}/nonexistentfile.php is
/a1b2c3d4e5f6g7h8i9/nonexistentfile.php, right?

> I was told the above were attempts to gain access to a web servers 
> management system.

Yes, they are.

> The attacks all fell on stoney ground because none actually guessed the 
> web server I was using before I closed the loophole.

Those don't attack the web server per se but some types of blog/forum
software. That's nothing you need a hidden service to be attacked with.

Andreas

-- 
"Totally trivial. Famous last words."
From: Linus Torvalds <torvalds@*.org>
Date: Fri, 22 Jan 2010 07:29:21 -0800
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk