Puppy Linux Discussion Forum
[Resolved]01micko.com compromised
Moderators: Flash, Ian, JohnMurga
Page 2 of 4 [46 Posts]
01micko


Joined: 11 Oct 2008
Posts: 7835
Location: qld

PostPosted: Sat 14 Jun 2014, 16:09    Post subject:  

Iguleder wrote:
You can buy a cheap ARM computer and host everything at home. It's a one-time fee and you get full access to the server.

That's what I do - mine runs a modded distro with a web server I wrote myself. It's security hardened and surrounded with home-made honeypots. In total, I waste ten minutes on administration each month.

Yeah, thought of that and nearly did it, but my upload speed at best is 80kbps... that would annoy everybody downloading from me apart from dialup users!

_________________
Woof Mailing List | keep the faith |
Karl Godt


Joined: 20 Jun 2010
Posts: 3972
Location: Kiel,Germany

PostPosted: Sun 15 Jun 2014, 06:48    Post subject:  

The Firefox browser redirects www.01micko.com to a sub-page of www.68ecshop.com, which seems to be a Japanese shopping site, currently for me.

http://en.wikipedia.org/wiki/DNS_spoofing writes:
Quote:
DNS spoofing (or DNS cache poisoning) is a computer hacking attack,
whereby data is introduced into a Domain Name System (DNS) name server's cache database,
causing the name server to return an incorrect IP address,
diverting traffic to another computer (often the attacker's).


I have no idea how this works, except for the thirteen so-called "root name servers".

According to the German http://de.wikipedia.org/wiki/Root-Nameserver
Code:
M       202.12.27.33    2001:dc3::35    WIDE Project    verteilt (Anycast)

is located in Japan.

But what does it have to do with ANYCAST??

In this case the CACHE file of some name server has been altered.

Since I am in Europe, I would have expected not to be affected, since two main root servers are in Europe: London and Stockholm.

But my provider's APN is internet.t-mobile, which operates world-wide.

In any case, it looks like you'd need to contact ICANN directly to clear the issue.
01micko


Joined: 11 Oct 2008
Posts: 7835
Location: qld

PostPosted: Sun 15 Jun 2014, 07:08    Post subject:  

Yeah, ICANN has been a thought. If the host doesn't clear it up by Monday that's the only option.

You are right, 13 root hint servers, but there are other DNS servers, lots of them; you can fairly simply set one up yourself. DNS is a hierarchical system. The root hint server will deliver com. net. co. au. ca. tk. or whatever, then it gets passed down the chain adding bits. These records are replicated around the world. If you haven't cleared cache in a long while it's possible that you get my site (like 8-bit did) but that won't last long.

What the attacker has done is hijacked the IP address somehow. If you do a whois you can find my IP (27.124.113.33, actually easily gotten with ping -c3 01micko.com) and if you do a reverse whois on that IP it leads to my host. So I don't think there is a lot ICANN can do. The domain is still mine and if worst comes to worst I can transfer it, which I'll do anyway.

Since that IP is hijacked I can't do anything with it. I have another domain which still works fine from said account, and its IP is different, but I can access my files over FTP. If you want that IP, PM me.

_________________
Woof Mailing List | keep the faith |
Karl Godt


Joined: 20 Jun 2010
Posts: 3972
Location: Kiel,Germany

PostPosted: Sun 15 Jun 2014, 08:04    Post subject:  

I have found one:
CORRECT:
Code:
# busybox-1.21.0 nslookup 01micko.com 202.12.27.33
Server:    202.12.27.33
Address 1: 202.12.27.33 M.ROOT-SERVERS.NET

Name:      01micko.com
Address 1: 27.124.113.33 server-x-r6.ipv4.au.syrahost.com

Incomplete:
Code:
# busybox-1.21.0 nslookup 01micko.com 193.0.14.129
Server:    193.0.14.129
Address 1: 193.0.14.129 k.root-servers.net

Name:      01micko.com
Address 1: 27.124.113.33


I took the M (13) from
http://www.root-servers.org/
and that was right.

So I tried 12 and 11, and:
It is actually the K (11) that probably shows incomplete / wrong.
Operator: RIPE NCC

But that incomplete output may be network-, server- or client- (busybox) related.

The German Wikipedia apparently numbers the servers differently than root-servers.org, with the Japanese one being Nr. 11.

http://k.root-servers.org/nodes/nskix/
http://k.root-servers.org/nodes/tokyo/

And 68ecshop.com is apparently Chinese, not Japanese.
The Chinese apparently have the same international currency symbol.
chin.: Yuan
jap.: Yen

both have
Code:
# echo -e '\0190'

ASCII code sign ... # another project for me: to display all special characters in the terminal, and not only bin squares and diamond question marks.
SFR


Joined: 26 Oct 2011
Posts: 1078

PostPosted: Sun 15 Jun 2014, 09:33    Post subject:  

Karl Godt wrote:
both have
Code:
# echo -e '\0190'

ASCII code sign ... # another project for me: to display all special characters in the terminal, and not only bin squares and diamond question marks.

This one?
Code:
# echo -e '\xc2\xa5'
¥
#

Greetings!

_________________
[O]bdurate [R]ules [D]estroy [E]nthusiastic [R]ebels => [C]reative [H]umans [A]lways [O]pen [S]ource
Omnia mea mecum porto.
gcmartin

Joined: 14 Oct 2005
Posts: 4367
Location: Earth

PostPosted: Sun 15 Jun 2014, 11:06    Post subject:  

Everyone, 01Micko is sharing an understanding of what is hacked. The various "whats" have been discussed in open forums on the internet for years. And this specific "what" is the topic of discussion that has raged for all too many years. In years past, it was blamed first on kids, then on hackers, then on the mob, then on the Russians, then African nations, now it's the Chinese.

I offer that we use this thread to focus, for our purposes, on a manner of managing how we can exercise this event to our advantage.

Let's step back for a moment to look at some of the problems like this:
What happens when secondary/third-level DNS is poisoned such that a sitename is redirected to another host's IP? How is it repaired? I maintain (as 01Micko does) that ISPs have dealt with this type of problem for years and are uniquely positioned to deal with this. In the past, I have always steered my customers (especially first-timers who lack staff to support website "Management") to use NSI (the strongest of the world's ISPs) or Yahoo or Google, and most recently had good results from GoDaddy for site management and issues resolution.
Reason: Years of experience and 24-hour assistance from those I mentioned. They have seen many/most every website problem in existence and have solid manners for addressing such, directly and quickly.

This kind of problem, in the past, too, has resulted from a customer/ISP having its domain-name expire, where "there is a business" of persons/companies circling the internet waiting for domain-name expiration and seizing the name because of the number of hits. They then sell service on their own webpage or they offer the name for purchase to the highest bidder (again, this is a KNOWN business element of buying and selling expired domain-names). In this case, usually, the company which bought the name sells it back at a premium to the company or person who wants their old domain-name back.

Also, along the same lines, an ISP can be working over a weekend on updates and get things screwed up in internet domain-name resolution. This they usually fix by a refreshed DNS blast for its domains at the end of their updates.

If it is clear which path was used to hijack the domain-name, we can turn this thread into a "Howto..." for addressing domain-name issues. Advantage: Puppyland domain-name holders.

As I mentioned before, there appears to be a similar domain-name issue with Smokey01.com where the site's files are there but the way to get there through the top-level sitename is gone. To better explain this to those who don't understand, http://smokey01.com is gone from resolution, but http://smokey01.com/01micko is still there.

Anyone see my points??? Other ideas of how this problem can be our advantage?

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... It's time to show that we know this!
3 Different Puppy Search Engine or use DogPile
8-bit


Joined: 03 Apr 2007
Posts: 3382
Location: Oregon

PostPosted: Sun 15 Jun 2014, 11:37    Post subject:  

One thing that bothers me: is this the start of a systematic attack on Puppy domains? How many developers have files stored on those domains that they do not have backups of?
Imagine if this progressed to the point of this thread and also this forum suddenly getting directed to some other site, as well as the backup forum.
I am hoping that the content of 01micko.com is still OK and the attack on his site is just a redirection to another site, as well as preserving contents of other Puppy domains.
Karl Godt


Joined: 20 Jun 2010
Posts: 3972
Location: Kiel,Germany

PostPosted: Sun 15 Jun 2014, 11:59    Post subject:  

What irritates me further is that 01micko.com still shows in the location bar in Firefox.

When re-direction occurs, my experience (with phishing) was
that it is not xyz_bank.com showing anymore in the location bar,
but the real address of the page, in my cases mainly somewhere in Mexico.
Perhaps all of Mick's .html pages are replaced?
Or the server at crazy domains.com presents a set of wrong index.html
that are located on the server partition?

Or could there be any .php or .js scripts injected into Mick's index.html?

When Mick is capable of logging in, is it possible for him to view the .html files -- like `# less index.html`?

What confuses me also is that the Firefox view-source shows
Code:
<div class="goodsbox1">
            <div class="imgbox1"><a href="goods.php?id=8"><img src="http://1.2.3.12/bmi/01micko.com/images/200905/thumb_img/8_thumb_G_1241425513488.jpg"

lines with "http://1.2.3.12/bmi/01micko.com" together with <a href="http://www.68ecshop.com">
--
while `# wget http://01micko.com` shows no http://1.2.3.12/bmi/01micko.com -- only http://www.68ecshop.com
...
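A defender-side check for the discrepancy Karl describes (view-source showing hosts the owner never put on his page), added here as an example; it is not code from the thread or from any poster. `foreign_hosts` lists every host that a page's src= and href= attributes fetch from or link to, minus the site's own domain, so the owner sees at a glance which references are not his. `SAMPLE_HTML` is constructed from the fragment quoted above plus the 68ecshop.com link the post mentions; the function and variable names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: list the hosts a page loads content
# from or links to, minus the site's own domain.  SAMPLE_HTML is constructed
# from the view-source fragment quoted in the thread plus the 68ecshop.com link.

# foreign_hosts OWN_DOMAIN   (HTML on stdin)
# Prints each distinct host found in src="http..." / href="http..." attributes
# that is neither OWN_DOMAIN nor a subdomain of it, one per line.
foreign_hosts() {
    own_re=$(printf '%s' "$1" | sed 's/\./\\./g')      # escape dots for the regex
    grep -oE '(src|href)="https?://[^/"]+' |            # attribute up to the host
        sed 's#^[a-z]*="http[s]*://##' |                # keep only the host part
        LC_ALL=C sort -u |
        { grep -vE "(^|\.)${own_re}\$" || true; }       # drop own domain; no match is fine
}

# Constructed sample: the thread's fragment, plus one own-domain script and link.
SAMPLE_HTML='<html><head><script src="http://01micko.com/js/site.js"></script></head>
<body><div class="goodsbox1">
<div class="imgbox1"><a href="goods.php?id=8"><img src="http://1.2.3.12/bmi/01micko.com/images/200905/thumb_img/8_thumb_G_1241425513488.jpg"></a></div>
<a href="http://www.68ecshop.com">shop</a>
<a href="http://www.01micko.com/index.html">home</a>
</div></body></html>'

# Prints: 1.2.3.12 and www.68ecshop.com
printf '%s\n' "$SAMPLE_HTML" | foreign_hosts 01micko.com
```

Run it twice: once over what the server actually sends (`wget -O - http://01micko.com | sh thisscript.sh`) and once over the index.html fetched from disk by FTP. If the lists differ, the extra references are being added at serving time rather than sitting in the file the owner edits, which `less index.html` alone would never show. One caveat for reading Karl's output: an image URL rewritten to `http://1.2.3.12/bmi/<original host>/...` is characteristic of a mobile carrier's image-compression proxy altering pages in transit (Karl's connection goes through a T-Mobile APN), which is why his wget from the same machine and other people's fetches do not show it; the 68ecshop.com references are the part that is common to every fetch.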
Karl Godt


Joined: 20 Jun 2010
Posts: 3972
Location: Kiel,Germany

PostPosted: Sun 15 Jun 2014, 12:08    Post subject:  

SFR wrote:
Karl Godt wrote:
both have
Code:
# echo -e '\0190'

ASCII code sign ... # another project for me: to display all special characters in the terminal, and not only bin squares and diamond question marks.

This one?
Code:
# echo -e '\xc2\xa5'
¥
#

Greetings!

Yup ..

Code:
#!/bin/ash
# Write every two-byte sequence \x$i$j\x$k$l (i j k l hex digits) to
# ascii.hex.tab, one "i j k l:" row each, except the pairs the case
# statement below rules out:
#   first byte 0x00-0x09, 0x0b-0x0f or 0x10-0x7f: skip when the second
#     byte is 0x80-0x8d or 0x90-0xff
#   first byte 0x80-0xbf or 0xe0-0xff: skip entirely
#   first byte 0xc0-0xdf (two-byte UTF-8 lead bytes): skip 0xc0 0xc1 0xc3
#     0xd0 0xd1 0xd3; after 0xc2/0xd2 keep only second bytes 0xa0-0xbf,
#     after the others only 0x80-0xbf (the UTF-8 continuation range)

A='0 1 2 3 4 5 6 7 8 9 a b c d e f'

for i in $A
do
for j in $A
do
for k in $A
do
for l in $A
do

case $i in
[0]) case $j in
[0-9]|[b-f]) case $k in
      8) case $l in
         [0-9]|[a-d]) continue;;
         esac
      ;;
      9|[a-f]) continue;;
      esac
   ;;
   esac
;;

[1-7]) case $j in
[0-9]|[a-f]) case $k in
      8) case $l in
         [0-9]|[a-d]) continue;;
         esac
      ;;
      9|[a-f]) continue;;
      esac
   ;;
   esac
;;
[8-9]|[a-b]|[e-f]) continue
;;
c|d) case $j in
 [0-1]|3) continue;;
  2) case $k in
   [0-9]|[c-f]) continue;;
     esac
     ;;
  [4-9]|[a-f]) case $k in
  [0-7]|[c-f]) continue;;
     esac
     ;;
   esac
;;
esac

# append the row: the four digits, then the two raw bytes in double quotes
echo -e "$i $j $k $l:"'"'"\\x$i$j\\x$k$l"'"''\n' >> ascii.hex.tab

done
done
done
done


Views in e3, but
Code:
strings ascii.hex.tab >ascii.hex.tab.2
erases all these funny signs like
c 8 b f:"ȿ"
or
c 6 9 c:"Ɯ"
or
c 5 a 6:"Ŧ"
or
c 2 a 5:"¥"
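The general rule behind SFR's `'\xc2\xa5'`, added here as an example (not code from the thread or from either poster): rather than enumerating every byte pair and filtering the invalid ones out by hand, compute the UTF-8 bytes of a code point directly from the RFC 3629 layouts, then print them either as the `\xHH` escapes `echo -e` understands or as the character itself. `utf8_bytes`, `utf8_escape`, `utf8_char` and `two_byte_table` are names chosen for this example; it goes beyond the thread's two-byte case and handles one- to four-byte sequences.

```shell
#!/bin/sh
# Added example, not from the thread: UTF-8 encoding of a code point, the
# rule behind '\xc2\xa5' for U+00A5 (YEN SIGN).  Layouts per RFC 3629:
#   U+0000..U+007F   0xxxxxxx
#   U+0080..U+07FF   110xxxxx 10xxxxxx
#   U+0800..U+FFFF   1110xxxx 10xxxxxx 10xxxxxx
#   U+10000..        11110xxx 10xxxxxx 10xxxxxx 10xxxxxx

# utf8_bytes CODEPOINT (decimal or 0x...) -> byte values, space separated
utf8_bytes() {
    cp=$(($1))
    if [ "$cp" -lt 128 ]; then
        echo "$cp"
    elif [ "$cp" -lt 2048 ]; then
        echo "$((0xc0 | (cp >> 6))) $((0x80 | (cp & 0x3f)))"
    elif [ "$cp" -lt 65536 ]; then
        echo "$((0xe0 | (cp >> 12))) $((0x80 | ((cp >> 6) & 0x3f))) $((0x80 | (cp & 0x3f)))"
    else
        echo "$((0xf0 | (cp >> 18))) $((0x80 | ((cp >> 12) & 0x3f))) $((0x80 | ((cp >> 6) & 0x3f))) $((0x80 | (cp & 0x3f)))"
    fi
}

# The \xHH form that echo -e and bash's printf understand, e.g. \xc2\xa5
utf8_escape() {
    for b in $(utf8_bytes "$1"); do printf '\\x%02x' "$b"; done
}

# The character itself, emitted through octal escapes, which every POSIX
# printf accepts (the \x form is a bash/GNU extension)
utf8_char() {
    for b in $(utf8_bytes "$1"); do printf "\\$(printf '%03o' "$b")"; done
}

# Every two-byte sequence, U+0080..U+07FF: code point, escapes, character
two_byte_table() {
    cp=128
    while [ "$cp" -lt 2048 ]; do
        printf 'U+%04X %s "%s"\n' "$cp" "$(utf8_escape "$cp")" "$(utf8_char "$cp")"
        cp=$((cp + 1))
    done
}

printf 'U+00A5 -> %s -> %s\n' "$(utf8_escape 0xa5)" "$(utf8_char 0xa5)"
```

`two_byte_table > utf8.2byte.tab` gives the same kind of file as the ash script above, but with only valid sequences and the code point beside each one. On the `strings` observation: by default `strings` prints only runs of at least four printable 7-bit ASCII characters, so the bytes 0xc2 0xa5 (and every other byte above 0x7f) fall outside what it keeps; it is not a terminal or font problem.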
gcmartin

Joined: 14 Oct 2005
Posts: 4367
Location: Earth

PostPosted: Sun 15 Jun 2014, 12:34    Post subject: Share what your PC sees relating 01Micko's problem, to help  

To begin to see the DNS issue I speak of, do this from a terminal window:
Code:
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=1 ttl=44 time=275.179 ms
64 bytes from 27.124.113.33: seq=2 ttl=43 time=278.243 ms
64 bytes from 27.124.113.33: seq=3 ttl=43 time=273.757 ms
64 bytes from 27.124.113.33: seq=4 ttl=43 time=274.601 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 273.757/275.445/278.243 ms

If this is done from every continent we begin to see what the DNS resolutions are telling your browsers. The above is from a North-Western Hemisphere PC.

What continent, and what does your resolution show? This helps in that we can get a worldly picture of what the browsers are being told, and of how far the problem has cascaded.

_________________
Get ACTIVE Create Circles; Do those good things which benefit people's needs!
We are all related ... Its time to show that we know this!
3 Different Puppy Search Engine or use DogPile

Last edited by gcmartin on Sun 15 Jun 2014, 14:50; edited 4 times in total
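Both Karl's nslookup runs against different root servers and gcmartin's request for ping output from every continent ask the same question: do different vantage points resolve 01micko.com to different addresses? Added here as an example (not code from the thread or from any poster): `resolved_ip_from` pulls the answer address out of busybox nslookup or ping output, and `check_consistency` compares several such outputs and reports whether they agree. The samples are constructed from the outputs posted in this thread, shortened, plus one deliberately divergent sample that uses the documentation address 192.0.2.10; the function and variable names are chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread: compare what several vantage points
# resolved 01micko.com to.  Samples are constructed from outputs posted in
# this thread; the "divergent" one is invented and uses 192.0.2.10.

# Print the address a name resolved to, given one command's output on stdin.
#   busybox nslookup: the "Address 1: x.x.x.x ..." line after "Name:"
#                     (the earlier "Address 1:" line is the server; skipped)
#   ping (busybox or iputils): the "(x.x.x.x)" on the leading "PING" line
resolved_ip_from() {
    awk '
        /^PING / && match($0, /\([0-9.]+\)/) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
        /^Name:/ { want = 1; next }
        want && /^Address/ { print $3; exit }
    '
}

# check_consistency "label=output" ...
# Prints one line per vantage point; returns 0 if every output resolved to
# the same address, 1 if any differ or any output had no answer at all.
check_consistency() {
    first=""; verdict=0
    for entry in "$@"; do
        label=${entry%%=*}          # text before the first "="
        output=${entry#*=}          # everything after it (may contain "=")
        ip=$(printf '%s\n' "$output" | resolved_ip_from)
        [ -n "$ip" ] || { ip="<no answer>"; verdict=1; }
        printf '%-14s %s\n' "$label" "$ip"
        if [ -z "$first" ]; then first=$ip
        elif [ "$ip" != "$first" ]; then verdict=1
        fi
    done
    return $verdict
}

# Constructed samples (first lines of the outputs posted in the thread)
NSLOOKUP_KIEL='Server:    202.12.27.33
Address 1: 202.12.27.33 M.ROOT-SERVERS.NET

Name:      01micko.com
Address 1: 27.124.113.33 server-x-r6.ipv4.au.syrahost.com'

PING_OSLO='PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=45 time=1399.818 ms'

PING_TEXAS='PING 01micko.com (27.124.113.33) 56(84) bytes of data.
64 bytes from 01micko.com (27.124.113.33): icmp_req=1 ttl=43 time=254 ms'

# Invented: what a poisoned or hijacked answer would look like
PING_DIVERGENT='PING 01micko.com (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: seq=0 ttl=50 time=100.000 ms'

if check_consistency "Kiel/nslookup=$NSLOOKUP_KIEL" "Oslo/ping=$PING_OSLO" "Texas/ping=$PING_TEXAS"; then
    echo "all vantage points agree"
fi
```

To collect live data, replace each sample with the output of `ping -c 1 01micko.com 2>&1` or `nslookup 01micko.com <resolver>` run from each location, and query at least one recursive resolver you trust (your ISP's and a public one) rather than a root server, which is not authoritative for a .com name's A record. In this thread every poster, on every continent, got 27.124.113.33, an address inside the host's own allocation; that is the observation that moved the discussion from DNS poisoning to what the host was serving at that address.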
tallboy


Joined: 21 Sep 2010
Posts: 444
Location: Oslo, Norway

PostPosted: Sun 15 Jun 2014, 12:45    Post subject:  

This is probably the single most stupid question here, but both 01Micko.com and 68ecshop.com start with a numerical expression, does that have any significance?

Pinged from Oslo, Norway (wifi):

Code:
# ping -c5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=45 time=1399.818 ms
64 bytes from 27.124.113.33: seq=1 ttl=45 time=887.716 ms
64 bytes from 27.124.113.33: seq=2 ttl=45 time=799.641 ms
64 bytes from 27.124.113.33: seq=3 ttl=45 time=839.573 ms
64 bytes from 27.124.113.33: seq=4 ttl=45 time=1007.489 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 799.641/986.847/1399.818 ms


tallboy

_________________
True freedom is a live Puppy on a multisession CD/DVD.
rokytnji


Joined: 20 Jan 2009
Posts: 1377
Location: Pecos/ Texas

PostPosted: Sun 15 Jun 2014, 13:18    Post subject:  

Code:
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33) 56(84) bytes of data.
64 bytes from 01micko.com (27.124.113.33): icmp_req=1 ttl=43 time=254 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=2 ttl=43 time=254 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=3 ttl=43 time=261 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=4 ttl=43 time=255 ms
64 bytes from 01micko.com (27.124.113.33): icmp_req=5 ttl=43 time=259 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 254.296/256.978/261.635/2.956 ms


Texas/Mexican Border.

_________________
If you know nothing about Linux, take some time to get familiarized with these courses.
I Have a Masters in Raising Hell Misery Loves Company.
Karl Godt


Joined: 20 Jun 2010
Posts: 3972
Location: Kiel,Germany

PostPosted: Sun 15 Jun 2014, 13:22    Post subject:  

What I could think of is that someone has copied a limited set of 6-12 .html files from 68ecshop.com and placed them on Mick's server, since only port :80 seems affected.

The reason would be to get people entering shopping EC-card information.

Code:
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=1 ttl=41 time=499.208 ms
64 bytes from 27.124.113.33: seq=2 ttl=41 time=549.060 ms
64 bytes from 27.124.113.33: seq=3 ttl=41 time=508.912 ms
64 bytes from 27.124.113.33: seq=4 ttl=41 time=508.801 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 4 packets received, 20% packet loss
round-trip min/avg/max = 499.208/516.495/549.060 ms
# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=41 time=729.947 ms
64 bytes from 27.124.113.33: seq=1 ttl=41 time=509.697 ms
64 bytes from 27.124.113.33: seq=2 ttl=41 time=519.725 ms
64 bytes from 27.124.113.33: seq=3 ttl=41 time=490.085 ms
64 bytes from 27.124.113.33: seq=4 ttl=41 time=489.466 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 489.466/547.784/729.947 ms
stemsee


Joined: 27 Jun 2013
Posts: 442
Location: London

PostPosted: Sun 15 Jun 2014, 14:12    Post subject:  

Code:
sh-4.1# ping -c 5 01micko.com
PING 01micko.com (27.124.113.33): 56 data bytes
64 bytes from 27.124.113.33: seq=0 ttl=45 time=396.678 ms
64 bytes from 27.124.113.33: seq=1 ttl=45 time=392.599 ms
64 bytes from 27.124.113.33: seq=2 ttl=45 time=408.535 ms
64 bytes from 27.124.113.33: seq=3 ttl=45 time=395.692 ms
64 bytes from 27.124.113.33: seq=4 ttl=45 time=402.718 ms

--- 01micko.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 392.599/399.244/408.535 ms


London, England
01micko


Joined: 11 Oct 2008
Posts: 7835
Location: qld

PostPosted: Sun 15 Jun 2014, 16:55    Post subject:  

My host is allocated 27.124.111.0 to 27.124.118.255.

My actual IP address is in the range 203.170.80.0 to 203.170.87.255. I can log on to that one with FTP. (Also allocated to my host.)

Ping this domain: computerfairy.net; browse the site if you wish, it's a Drupal install on my host, same root directory as 01micko.com. I own the domain. That's my real IP address.

Karl, see if you can log in through a browser once you have my real IP. The root folder is public_html, however you may only be able to get to public_html/KRG with your permissions.

In the browser bar
Code:
ftp://$REAL_IP_ADDRESS/public_html/


Happy hunting.

By the way, I've renamed my WordPress folder and removed any JS from my index.html. I have removed a couple of Perl scripts too. I don't expect to see an improvement based on the above info.

_________________
Woof Mailing List | keep the faith |
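A check for the point 01micko makes about allocations, added here as an example (not code from the thread or from any poster): does the address a name resolves to fall inside one of the blocks the host says it owns? `ip_to_int`, `in_range` and `which_allocation` are names chosen for this example; the two ranges and the address are the ones quoted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: is the address a name resolves to
# inside the blocks the host says it owns?  Ranges and address are the ones
# quoted in this thread.

# ip_to_int A.B.C.D -> the address as one integer (needs 64-bit shell
# arithmetic, which dash and bash provide on 64-bit systems)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_range IP FIRST LAST -> exit 0 when FIRST <= IP <= LAST
in_range() {
    n=$(ip_to_int "$1"); lo=$(ip_to_int "$2"); hi=$(ip_to_int "$3")
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# which_allocation IP "name=first-last" ... -> prints the first matching
# name and exits 0, or prints "none" and exits 1
which_allocation() {
    ip=$1; shift
    for alloc in "$@"; do
        name=${alloc%%=*}; span=${alloc#*=}
        if in_range "$ip" "${span%-*}" "${span#*-}"; then
            echo "$name"; return 0
        fi
    done
    echo none; return 1
}

WEB_BLOCK="web=27.124.111.0-27.124.118.255"    # where 01micko.com resolves
FTP_BLOCK="ftp=203.170.80.0-203.170.87.255"    # where he can still log in

# Prints: web
which_allocation 27.124.113.33 "$WEB_BLOCK" "$FTP_BLOCK"
```

Feed it the address from `ping -c1 01micko.com` (or from a resolver you trust). An answer outside both blocks would point at the registrar or the zone records; an answer inside the host's own block, as here, points at the host, which is where the thread ended up looking.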