
Re: [tor-talk] Is this a practical vulnerability?



On 20/10/2012 14:46, Andreas Krey wrote:
> On Sat, 20 Oct 2012 11:29:57 +0000, Anon Mus wrote:
> ...
>> I had been creating/running corporate web sites since the mid 1990's, I
>> hardly think that qualified me as a newbie. Not sure what the
>> purpose of this remark was.
> The purpose of the remark was to get any concrete information on the
> kinds of attack you were experiencing. If those are the same that
> everyone on the internet is getting then it is hardly a sign of
> you being under attack specifically after having accessed your
> own hidden service.


Sorry, but I don't see any questions in your original remark, so I don't see how you expected to get information from it.

I quote..

"
Welcome to the internet. Have an open web server, and it will get

accessed by scum that tries known vulnerabilities: /memberlist.php,
/index.php, /user/soapCaller.bs, thats normal.
"

I expect most people would read your "remark" as talking down to someone.. more of a game of one-up-man-ship and given the tone of your most recent reply probably done to discredit my experience. Poo is a real stinker.



> Did you run the server before (I suppose not) and have the firewall
> rules before so you could cross-check the attacks after the hidden
> service with the time before?


Yes, it had been running about 6 months without any specific software firewalling but with logging on both the soft firewall and the webserver, during that time, when I was developing a web forum in php. Also the whole system was behind a hardware (router firmware) firewall, which should not have let it in anyway and that's why I logged very little (if any) internal traffic beforehand. To come home to see dozens of requests from my soft firewall for access to various O/S components and a log of gained access was a shock. This fact worried me for a long while as I immediately re-loaded my router's firmware and all its settings & passwords, but still they got in. Some while later I read of a vulnerability with the router's firmware (no details given, just that it could be hacked from outside) and I upgraded it. Interestingly the web server had been running, logging and all for about a year before this, as it came with the O/S. Not a single EXTERNAL request was ever passed to it in all that time until I started dev. with it.


> ...
>> Well with you being such an "experienced" and "savvy" web person I am
> I just operate a few http servers that have practically no regular
> traffic, so my httpd logs are a pure trace of the vulnerabilities
> that linger in diverse popular web applications.
>
> Likewise I see the constant influx of windows RPC/messages/RDP stuff
> in my firewall logs; and I wonder whether you actually know what
> life on the internet is, or whether you simply installed the web
> server & hidden service, saw all the shit hitting the server and
> went 'omg, tor is obviously borken'.


Don't you use router firmware firewalls? So you wouldn't see this kind of traffic?

I thought the times when nerds spent days looking through router logs fuming at the drones that attempt to access your system were long gone, no? Sounds like you are living in the past.

My current router doesn't even have a log on it!

> ...
>> Of course, once again your vast experience will lead you to the
>> conclusion that once alerted to the attacks I used other tools (such as
>> my web server log & a packet sniffer) to see the details of the traffic.
> So, what *are* the details of the traffic, especially in comparison to
> the usual background, that can even indicate that there was a specific
> attack on your server at that time.
>
> Or, for instance, what are the signs I should be looking for in my
> firewall/httpd logs to see whether there was a similar attack on
> my systems after I started my hidden services.


Where all logs end up, in the end, in the bin!

> ...
>> There were many attacks which I am sure you can research on the net
>> yourself.
> Yeah, sure. I can research how you were specifically attacked. Care
> to give some google keywords for that?


Good, because I was only telling someone of my experience just so they could keep safe.

>> They were mainly aimed at accessing parts of the server such
>> as files and various rpc O/S components.
>>
>> They did focus on trying to identify what web server I was using, I
>> believe there were about 4 or 5 different
> So what? The question is not whether someone is doing that, the
> question is what makes you think you're getting these attacks
> a) in relation to your hidden service and b) they are happening
> only to you.


Here's the sequence of events...

Have web server 2 years. No attacks.

Make hidden service.

Within 12 hours of going live have seriously large number of attacks.

Switch off hidden service and attacks stop a few days later.

And somehow they got through a router firewall and a soft firewall!

And then they were looking for "a web server"; 3 or 4 types of web server were searched for.
>> Of course my web server did log the traffic that did get through, these
>> logs are now gone but here's a section from one which I queried someone
>> as to what it was..
>>
>> #Fields: time c-ip cs-method cs-uri-stem sc-status
>> 13:05:35 xxx.xxx.xxx.xxx GET /{Tor hidden service ID}/nonexistentfile.php 404
>> 13:05:35 xxx.xxx.xxx.xxx GET /adxmlrpc.php 404
>> 13:05:35 xxx.xxx.xxx.xxx GET /adserver/adxmlrpc.php 404
>> 13:05:36 xxx.xxx.xxx.xxx GET /phpAdsNew/adxmlrpc.php 404
>> ...
>> 13:05:38 xxx.xxx.xxx.xxx GET /blog/xmlrpc.php 404
>> 13:05:39 xxx.xxx.xxx.xxx GET /drupal/xmlrpc.php 404
>> 13:05:39 xxx.xxx.xxx.xxx GET /community/xmlrpc.php 404
> Yeah, sure. I get the same on every http server I have in the open
> internet. Someone is always sweeping the internet for vulnerable
> systems; the vulnerabilities change, the sweeping doesn't.


That's drupal.org

> Nothing to see here, please move along and come up with something else.

Oh! why am I NOT surprised....

> Besides, the /{Tor hidden service ID}/nonexistentfile.php is
> /a1b2c3d4e5f6g7h8i9/nonexistentfile.php, right?

Yeah you could be right I edited it out when I mailed my expert.

>> I was told the above were attempts to gain access to a web server's
>> management system.
> Yes, they are.
>
>> The attacks all fell on stony ground because none actually guessed the
>> web server I was using before I closed the loophole.
> Those don't attack the web server per se but some types of blog/forum
> software. That's nothing you need a hidden service to be attacked with.
>
> Andreas



This "Hey prove it" nonsense could go on forever.. and I don't have the time.

Take it or leave it.

I wouldn't run a Tor hidden service, given the hassle and given the risk, unless I was having problems getting past my ISP. It makes me laugh to see all these prognostications on sophisticated attacks when the USA can see it all, transparent, as I explained.

Of course, there will be those who spend their time, perhaps paid for by US gov, making asses out of internet users, that's called co-intel (pros).
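The disagreement above turns on whether the log excerpt shows anything beyond the background sweeping Andreas describes, and that can only be settled by comparing against a baseline. The following is an added example, not code from either poster: it parses the same W3C extended log format (the `#Fields:` header names the columns), counts per client IP the 404 probes of the application endpoints seen in the excerpt (`xmlrpc.php`, `adxmlrpc.php`) and how many seconds they span, and separately flags any request whose path embeds the hidden service ID, which is the one detail in the excerpt that is not generic. The sample log and the onion-style ID are constructed placeholders.

```python
from collections import defaultdict
# Constructed sample in the same W3C extended log format as the excerpt in the
# thread (the onion-style path component is a placeholder, not a real service).
SAMPLE_LOG = """#Fields: time c-ip cs-method cs-uri-stem sc-status
13:05:35 198.51.100.7 GET /a1b2c3d4e5f6g7h8i9/nonexistentfile.php 404
13:05:35 198.51.100.7 GET /adxmlrpc.php 404
13:05:35 198.51.100.7 GET /adserver/adxmlrpc.php 404
13:05:36 198.51.100.7 GET /phpAdsNew/adxmlrpc.php 404
13:05:38 198.51.100.7 GET /blog/xmlrpc.php 404
13:05:39 198.51.100.7 GET /drupal/xmlrpc.php 404
13:05:39 198.51.100.7 GET /community/xmlrpc.php 404
13:07:01 203.0.113.5 GET /index.html 200
"""

# Endpoint basenames seen in the thread's excerpt: probes aimed at blog, forum
# and ad-server management interfaces rather than at the web server itself.
PROBE_BASENAMES = {"xmlrpc.php", "adxmlrpc.php"}

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header names the columns
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def _secs(hhmmss):
    return sum(int(x) * k for x, k in zip(hhmmss.split(":"), (3600, 60, 1)))

def analyse(text, onion_id=None):
    """Per client IP: total requests, 404 probes of the known endpoints, the
    seconds those probes span (a burst is the mark of an automated sweep),
    and whether any request path embeds the hidden service ID."""
    out = defaultdict(lambda: {"total": 0, "probe_times": [], "mentions_onion": False})
    for rec in parse_w3c(text):
        r = out[rec["c-ip"]]
        r["total"] += 1
        path = rec["cs-uri-stem"]
        if rec["sc-status"] == "404" and path.rsplit("/", 1)[-1] in PROBE_BASENAMES:
            r["probe_times"].append(_secs(rec["time"]))
        if onion_id and onion_id in path:
            r["mentions_onion"] = True
    for r in out.values():
        ts = r["probe_times"]
        r["probes"] = len(ts)
        r["span_s"] = max(ts) - min(ts) if ts else None
    return dict(out)
```

Running `analyse` over logs from before and after the hidden service went live, and comparing the per-IP probe counts and bursts, is the cross-check Andreas asks for.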

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk