anastasiosm | 1 Feb 2009 22:28

Re: Weird IP

As Ansgar Wiechers said,
> If the system was compromised, an attacker could also have altered the
> logs to clear his trails.

I would agree with that.

But it is also important to answer the questions Robin Wood asked before pointing any fingers at anyone.
Considering that the only logs you have come from the web server, and assuming that it is not compromised
(i.e. with logs modified, passwords stolen, etc.), I think it is worth checking how the card numbers can be
accessed normally, e.g. through a web interface, how users authenticate, etc. A possible attack scenario you
should also include in your list is a CSRF attack.

Tasos

si-n-ka-o-res-t | 2 Feb 2009 10:19

Re: Re: Weird IP

Can you teach me how to hide my ID address?

I love hackers and I want to become a hacker.

thx.

Andre Pawlowski | 2 Feb 2009 11:04

Re: Weird IP

Hi Joseph,

can you post us a little part of the log file with the entries from when
172.16.x.x attacked?

Because 172.16.x.x is a private network range and routers shouldn't
route it, I think your server couldn't send any data to this IP. But
I'm asking myself: which attack doesn't need any response from the
victim? Well, an interesting case....

-- 
[] Andre Pawlowski

visit http://h4des.org

Gary Douglas | 2 Feb 2009 12:21

Re: Weird IP

You might want to look into putting in an egress filter. On the network
edge device, set up an ACL to drop all private IPs from entering your
network. You should also set up a filter to only allow your IP address
range out. Both of these are common practice.

Thank you
Gary Douglas

On Jan 30, 2009, at 9:45 AM, Ansgar Wiechers wrote:

> On 2009-01-30 Joseph Hanna wrote:
>> I am working on a case of fraud in my little organisation where we are
>> dealing with fraudulent credit cards. The only thing I can see is the
>> IP address has been logged as 172.16.x.x but isn't that Class B
>> internal? How are they doing this? I mean how are packets being routed
>> between our web-server and that IP? Any recommendations other than my
>> blanket block of all Class A and Class B IPs?
>
> Yes, 172.16.0.0/12 is a private IP address range, as specified by RFC
> 1918. However, there's no such thing as class A or class B networks in
> this day and age anymore. Look up "Classless Inter-Domain Routing" to
> understand why that is.
>
> Anyway, usually it's no problem to send packets with private source IP
> addresses, because few routers on the Internet bother to check the
> source address field of a packet. It's pretty simple to do this kind of
> spoofing for UDP connections. For TCP it's a lot harder, because the
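An added example (not from any poster in this thread) of the check the discussion above implies: scanning web server access logs for client addresses that fall inside the RFC 1918 ranges, and showing why a classful "block 172.16.0.0/16" rule misses most of 172.16.0.0/12. It assumes Apache combined log format; the log lines are constructed for the example.

```python
import ipaddress
import re

# RFC 1918 private ranges plus loopback. Note 172.16.0.0/12 spans
# 172.16.0.0-172.31.255.255, far wider than the old "Class B" 172.16.0.0/16.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RFC1918_172 = ipaddress.ip_network("172.16.0.0/12")
CLASSFUL_172_16 = ipaddress.ip_network("172.16.0.0/16")

# Constructed sample lines in Apache combined log format (not real log data).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2009:09:41:02 +0000] "POST /checkout HTTP/1.1" 200 512
172.20.5.9 - - [30/Jan/2009:09:41:05 +0000] "POST /checkout HTTP/1.1" 200 512
172.16.3.3 - - [30/Jan/2009:09:42:11 +0000] "GET /admin HTTP/1.1" 403 128
198.51.100.2 - - [30/Jan/2009:09:43:00 +0000] "GET / HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')

def client_ip(line):
    """Client address from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return ipaddress.ip_address(m.group("ip")) if m else None

def is_private(ip):
    return any(ip in net for net in PRIVATE_NETS)

def flag_private_sources(log_text):
    """Return (ip, request) for each entry whose client address is private.
    A private source on an Internet-facing server points at an internal host,
    a proxy/NAT in front of the server rewriting the source, or edited logs;
    it cannot be a routable Internet client, so each hit deserves a look."""
    hits = []
    for line in log_text.splitlines():
        ip = client_ip(line)
        if ip is not None and is_private(ip):
            hits.append((str(ip), LOG_RE.match(line).group("req")))
    return hits

def missed_by_classful_check(log_text):
    """Private 172.x addresses a classful /16 block rule would let through."""
    return [str(ip) for ip in (client_ip(l) for l in log_text.splitlines())
            if ip is not None and ip in RFC1918_172 and ip not in CLASSFUL_172_16]
```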

batman | 2 Feb 2009 13:17

Re: Weird IP

Joseph,

You say that you are working on a fraud case; from the detail in your post you don't seem to know much about what
you are doing. I suggest approaching your police high-tech crime unit or a certified forensics
investigator. Anything you find may be inadmissible in a court of law.

Matt_s

Ricardo Carrillo | 2 Feb 2009 19:08

Re: Weird IP

Hi,
I have traced an email that arrived at a mailing list of my
company; now I would like to prepare a report to present all the information
found.

Does anyone know if there is an email evidence format or something similar?
Regards

:: L.I. Ricardo D. Carrillo Sánchez
:: Security Specialist
:: Universidad Nacional Autonoma de Mexico
:: Ciudad Universitaria, D.F. Mex
:: e-mail prim.: davxoc at gmai dot com
:: e-mail secu.: davxoc at hotmail dot com

reflect ocean | 3 Feb 2009 14:35

OT: Importance of holding an E degree in infosec

Hi.
While reassessing the chance of going back to school for an engineering
degree, I would like to read your comments about the importance of
holding such a degree, especially in the infosec field, both for entry-level jobs and
for higher positions.

Thanks

Murda Mcloud | 3 Feb 2009 01:59

RE: Re: Weird IP

First, need a code name. Like all the greatest haxx0rs. Something kewl. Like
HAL9001. Or Neo. Then hang out at the Gentleman Loser and listen to the old
guys. Like Bobby Quine or Automatic Jack. They'll teach you a few things.

I use white-out to hide my ID address. 

> >-----Original Message-----
> >From: listbounce <at> securityfocus.com [mailto:listbounce <at> securityfocus.com]
> >On Behalf Of si-n-ka-o-res-t <at> hotmail.com
> >Sent: Monday, February 02, 2009 7:19 PM
> >To: security-basics <at> securityfocus.com
> >Subject: Re: Re: Weird IP
> >
> >Can you teach.
> >
> >how to hide ID address.
> >
> >i love hacker and i become to be hacker.
> >
> >thx.

Debarko De | 3 Feb 2009 14:59

Re: Weird IP

We are talking about a web server compromise, so I don't think the no-reply
property of UDP packets gets any consideration. I would suggest
that the system logs be checked to verify any unauthorized access to
the web server logs, as system logs are much harder to mess with. Also,
this case has system compromise written all over it.

kalgecin@gmail.com | 3 Feb 2009 21:55

[tool] MetaScanner V1.1

I am happy to announce that MetaScanner V1.1 is out now!
-what is it?-
MetaScanner is a script in Ruby to scan a host for exploits that are
already in the Metasploit framework.
-what is it not?-
This is not a vulnerability scanner and may report a few false positives.
-what for?-
How many times have you scanned a host using nmap and then tried
different exploits from the framework? This tool automates that for
you.
-wow, where can I find it?-
You can find it at http://kalgecin.110mb.com

-- 
Sent from Gmail for mobile | mobile.google.com

