RE: A ReYou'll be the judge. (was: Hackers from leb.net)
Hi Linux-IL people,
I'm here to defend Alex Khalil from leb.net and myself against these incredible allegations about a "hack attack" against Israeli servers.
In the meantime the whole thing seems to have gotten out of control and changed from something you could laugh about into a pretty severe case. A gentleman from a security company c is showing up in an Israeli newspaper. There he claims that hackers coming from leb.net invaded even Israeli military sites and did some damage.
I'm not willing to remain quiet when I get drawn into something that amounts to pretty serious allegations.
It is really a shame that these people, who released a false alarm which was triggered by my operating system survey, now try to save face by accusing others of _criminal_ behaviour.
Those who triggered the false alarm behaved unprofessionally and hysterically when the packets of my survey were registered by firewalls. This survey runs for about 10 days until all European web servers have been queried for their operating system.
Here are the facts, which can be proved because all the described emails and logs of my survey are saved:
The whole thing began when I got a forwarded email from Alex Khalil from leb.net, where an employee of a security company complained for the first time at 21 Oct 1998 18:27:04 +0000.
He complained: "In the few weeks I witness several hacker attacks on companies in Israel that are connected to the Internet. All the attacks' source is beirut.leb.net. Please reply why all the attacks are carried out from your site. You can contact me using my email or:" (tel. nr. follows)
My reply to him:
[begin response]
Date: Thu, 22 Oct 1998 01:07:01 +0200 (CEST)
From: Hans Zoebelein <hzo@goldfish.cube.net>
To: ----@xxxxx.co.il,
alex khalil <iskandar@ee.tamu.edu>
Subject: Re: [---@xxxxx.co.il: Hacker Attack]
Hi ----,
sorry for the disturbance.
Your site was queried by my operating system counter, which builds statistics about the operating systems running on the Internet. The packets your host received are totally harmless. The answer packets coming from your host are evaluated and the operating system is determined. For details and statistics, please visit http://www.hzo.cubenet.de/ioscount/
More than 940 000 hosts have been queried up to today.
To prevent further irritation I can put hosts into the exclude file and they will no longer be queried. If you want to exclude further hosts from the survey, please send me the domain name(s) which should be excluded. I'll put them on my exclude list.
Sorry for the irritation.
Best Regards
Hans
[end response]
I never got a response from this gentleman from xxxxx to whom I emailed.
About 24 hrs later, when I come home in the evening and check my email, I find an urgent email forwarded by Alex Khalil from leb.net. This time another gentleman from CC.HUJI.AC.IL complains about hack attacks. He mentions in his email that the whole story will probably show up in the Israeli newspapers tomorrow. This email comes in at Fri 23 Oct 1998 00:59:21 +0000 here on my box.
Again I write an email, now to this other guy:
[begin reply]
Date: Fri, 23 Oct 1998 04:08:05 +0200 (CEST)
From: Hans Zoebelein <hzo@goldfish.cube.net>
To: a@VMS.HUJI.AC.IL>,
b@VM.BIU.AC.IL>,
c@CC.HUJI.AC.IL>,
c@WEIZMANN.weizmann.ac.il>,
d@VM.TAU.AC.IL>,
e@MOFET.MACAM98.AC.IL>
Cc: support@leb.net,
alexkhalil <iskandar@ee.tamu.edu>,
crawls@DORSAI.ORG
Subject: "Hack attack" is no hack but a survey about operating systems
Hi,
the sysadmin of leb.net emailed me urgently that you suspect a hack attack which supposedly originates from leb.net servers.
Be assured that this is not the case. I'm doing a survey about operating system usage on the Internet. This survey builds statistics on which operating systems are running on servers connected to the Internet. To find this out, IP packets are sent to servers and the answer packets are evaluated. For results, please check out http://www.leb.net/~hzo/ which holds the September '98 results.
To each server 2x 7 packets were sent, which are totally harmless, and the answers were evaluated. The principle is available for further evaluation at http://www.apostols.org/projectz/queso
To prevent any further irritation, servers of the .il domain will be removed from further surveys and will therefore no longer show up in the survey, which covers all the European domains.
Best Regards
Hans
<zocki@leb.net>
<hzo@gmx.de>
<hzo@goldfish.cube.net>
[end reply]
After a short pause I send a second reply to the addressees of the first reply, where I answer allegations that logging facilities were disabled and a firewall was surmounted.
[begin 2nd reply]
Date: Fri, 23 Oct 1998 04:54:14 +0200 (CEST)
From: Hans Zoebelein <hzo@goldfish.cube.net>
To: a@VMS.HUJI.AC.IL>,
b@VM.BIU.AC.IL>,
c@CC.HUJI.AC.IL>,
c@WEIZMANN.weizmann.ac.il>,
c@VM.TAU.AC.IL>,
d@MOFET.MACAM98.AC.IL>
Cc: support@leb.net,
alexkhalil <iskandar@ee.tamu.edu>,
crawls@DORSAI.ORG
Subject: Re: "Hack attack" is no hack but a survey about operating
systems
As I read in your complaint to the leb.net admins, you claim that my Internet survey caused that
"Firewall-1 system was bypassed and the log turned off after compromise."
This claim cannot stand up to any proof. I sent the following packets to the hosts I queried:
1) two SYN packets
2) two SYN+ACK packets
3) two FIN packets
4) two FIN+ACK packets
5) two SYN+FIN packets
6) two PSH packets
7) two SYN+XXX+YYY (XXX and YYY unused TCP flags)
All packets have a random seq_num and a 0x0 ack_num.
I waited for 6 seconds for a response from the hosts not responding.
How can such totally harmless packets bypass a firewall system? How can it happen that logging stops? There must be some other problem that made logging stop.
My survey for its part produces log files which can prove at which time a server was queried.
Best Regards
Hans
[end second reply]
This gentleman, who triggered this second alarm, won't contact me until 2 days and 7 hrs later, at Sun, 25 Oct 1998 12:02:01 +0200. Yes, that's correct. It is incredible! He notifies the Israeli press before verifying at leb.net what really happened and then does not contact me despite my sending him two emails which refute his claims. I'm sorry to state that I feel this has to be described as unprofessional behaviour.
In the meantime Alex Khalil from leb.net forwards me an email where the gentleman who triggered the second alarm claims that UDP packets were fired against Israeli sites. The big chunk of log file he includes shows the typical packet fingerprint of my operating system survey. Not a single UDP packet is registered, but all TCP packets are sent to port 80 (http server). All these packets are grouped into series of 7 where the address to which replies should be sent increases by exactly one digit. A typical queso fingerprint.
These log files document the Aug. '98, Sep. '98 and Oct. '98 surveys. I see that my first survey in July '98 did not show up in this log file...
Here comes an excerpt from the log file supplied with the forwarded email:
Aug 13 08:46:25 anan 393621: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23470) -> 147.233.32.14(80), 1 packet
Aug 13 08:46:26 anan 393622: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23472) -> 147.233.32.14(80), 1 packet
Aug 13 08:47:09 anan 393625: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23474) -> 147.233.32.14(80), 1 packet
Aug 13 08:48:40 anan 393626: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23475) -> 147.233.32.14(80), 1 packet
Aug 13 08:48:42 anan 393627: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23476) -> 147.233.32.14(80), 1 packet
Aug 13 10:08:48 anan 393935: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8413) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:22 anan 393943: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8413) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:42 anan 393945: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8414) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:57 anan 393947: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8415) -> 147.233.32.180(80), 1 packet
Aug 13 10:10:19 anan 393949: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8416) -> 147.233.32.180(80), 1 packet
Aug 13 10:11:21 anan 393952: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8417) -> 147.233.32.180(80), 1 packet
Aug 13 10:11:55 anan 393953: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8418) -> 147.233.32.180(80), 1 packet
Aug 13 10:13:16 anan 393956: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8419) -> 147.233.32.180(80), 1 packet
Aug 14 00:49:47 anan 397400: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10469) -> 147.233.32.14(80), 1 packet
Aug 14 00:51:58 anan 397410: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10469) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:02 anan 397412: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10470) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:07 anan 397413: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10468) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:24 anan 397414: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10466) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:41 anan 397417: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10464) -> 147.233.32.14(80), 1 packet
Aug 14 03:39:32 anan 397985: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17401) -> 147.233.32.180(80), 1 packet
Aug 14 03:40:32 anan 397994: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17401) -> 147.233.32.180(80), 1 packet
Aug 14 03:40:34 anan 397996: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17402) -> 147.233.32.180(80), 1 packet
Aug 14 03:41:03 anan 397998: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17403) -> 147.233.32.180(80), 1 packet
Aug 14 03:41:43 anan 398000: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17404) -> 147.233.32.180(80), 1 packet
[about 12 times more log file attached to the email]
As you can see, only tcp to port 80, return address increasing by one. Groups of 7 for each host. (14 groups may be possible when I sent each packet twice to improve the packet loss rate.)
Finally I get a reply from the gentleman who triggered the second alarm, after over two days.
Date: Sun, 25 Oct 1998 11:28:15 +0200
From: -----@ibm.net.il>
To: Hans Zoebelein <hzo@goldfish.cube.net>
Cc: alex khalil <iskandar@ee.tamu.edu>
Subject: Re: My host query
Parts/Attachments:
1 Shown ~232 lines Text
2 493 KB Application
----------------------------------------
At 04:49 PM 10/23/98 +0200, Hans Zoebelein wrote:
The attached picture shows a typical log output from the firewall. This
looks like an HTTP dos attack. -[name removed by me]
>Hi [name omitted],
>
>Alex Khalil from leb.net sent me an email about
>the problems which came up, caused through my survey.
>
>As you may know, the survey I'm doing is to find out which operating
>systems are running the Internet. A topic, which until now was pretty in
>the dark. Numbers published relied on "estimates" or which software
>licenses an ISP did buy. A pretty obscure method, because you don't know
>if the ISP buys NT licenses to run his servers or to run his Web designer
>software.
>
>To the query itself:
>There shouldn't be udp packets involved but tcp packets
>which go to port 80 (as I checked web servers).
[rest of quote omitted]
If I understand right, now there is talk of an HTTP dos attack. But leb.net runs on Linux, not on DOS.
But the worst is still to come. Included is an over 400 kb bmp file (Microsoft bitmap file) which shows the image of a log window containing two lines. The lines in this bitmap file show this:
[begin bitmap file content]
SERVICE SOURCE DESTINATION PROTO RULE S_PORT INFO
http 206.127.55.2 192.116.xxx.239 tcp
0 20899 message->SYN->SYN-ACK -> timeout
[end bitmap file content, DESTINATION address partially xxx'ed out by me]
Since I think that the bmp file must be damaged, I send back a jpg copy of this file (20 kb) to show the damage. But the gentleman answers me:
[begin quote]
"The 1st 2 lines is what is important. -[name omitted]"
[end quote]
I'm beginning to think that I'm included in a piece written by Kafka. This looks pretty mysterious. You receive a huge file which holds only two lines that don't show anything incriminating (or am I wrong?), and after your complaint you are told that these two lines are the important stuff which makes it justified to send such a byte monster to you.
After some time I find out that an article was posted online by El Haaretz about a hack on Israeli servers. I try to get it, but -yuck- you need a password to read this article. So I write to the postmaster and explain to him that I think I'm accused of having hacked these Israeli servers, and ask if he could send me this article. After some time I get a response from El Haaretz containing a pointer to this article and a comment that the article will be available there until Sunday. So I fire up my browser to read it, but -yuck- again I'm asked for some password. It seems as if they are securing their articles better than their military servers.
So I write again to El Haaretz, telling them that this article pointer is also secured by a password and asking for another chance to read the article. After some time the answer comes. They tell me that they are open only for subscribers. But I could subscribe too. This time they would include the article for my reference. And really, the article is included as an attachment. I open the attachment and -yuck- the article is in Hebrew, which I unluckily don't understand. Only the words "denial of service" and "leb.net", which show up "unencrypted", seem to show pretty clearly what is written there.
Hi Mr. Kafka, how are you doing today?
Some time later (I'm up now about 30 hrs) I find out that another article showed up in another online magazine, this time unsecured, no password, and "unencrypted" in plain English. That's pretty careless. Easy to read for a hacker.
A gentleman from a computer security company (let's call this company "ExeDry" and the gentleman "Mr. Baba") reports that he witnessed how hackers from a server called "beirut.leb.net" hid behind 14 Israeli servers to finally assemble to attack even military sites. They deleted and copied files from these servers (which seem to have security holes like Swiss cheese [comment by me]).
Hm ... I remembered that I had heard this story once before. But the first time it was a story from 1001 Nights. And there were not 14 hosts but 40 guys (hackers?) who did the stunt, hiding in big clay vessels. Until Mr. Ali Baba ordered the vessels filled up with boiling water. ... Ouch! One could speculate whether the 14 servers would have rebooted again after being filled up with boiling water for "disinfection".
So I write a rebuttal. I hit the reply button, choose "Editor" as recipient, and a tiny edit window, perhaps the size of 4 cm, pops up. I change my screen resolution from 1240x1024 to 800x600. The window still looks pretty Lilliputian. Hitting the keys produces Lilliput chars which pop up in the Lilliput frame. I'm writing (hacking?) semi-blind. Here we go:
[begin rebuttal]
Dear sirs,
may I refute your article about the Lebanese guy who was hacking all the sites in Israel using two words:
Bull Shit!
I'm doing a survey about operating system usage on the Internet. This survey runs once per month and began in July '98. To see the results of the survey, please visit http://www.leb.net/~hzo/
The whole story came up because someone thought this was a hack, cried "fire" and now does not want to lose face.
I feel very sorry that the whole stuff seems to get out of control. I had emailed the individual who fired up the alarm as soon as I was aware that he thought this was a hack against Israeli servers. But it seems that the people involved fear to lose face.
I have hoped since yesterday that this whole incident would be handled reasonably. But I doubt that it will be possible for truth to take a victory.
Please ask these supporters of the hack attack these questions:
1) Is it reasonable that a hacker is so stupid as to use his own host (which can easily be traced back)?
2) How can a hacker fire up a "DOS http attack" when the server (leb.net) is running on Linux, a Unix clone?
3) Why should a hacker always send 7 packets to hosts he attacks:
0 SYN packet
1 SYN+ACK packet
2 FIN packet
3 FIN+ACK
4 SYN+FIN
5 PSH
6 SYN+XXX+YYY
If you don't understand what this means, please ask a guy who knows about IP packets. If you know about computing, check out http://www.apostols.org/projectz/queso/
There the whole system of identifying an operating system is described very nicely.
...
If truth is what you want, you cannot let this article stand uncorrected.
Shalom
Hans Zoebelein
<hzo@goldfish.cube.net>
<hzo@leb.net>
<hzo@gmx.de>
[end rebuttal]
After hitting the reply button, I ask myself if my rebuttal will ever show up anywhere. The words BS might be too gross. I'm up now about 36 hrs. Before I get up and go to take a cup of sleep, I still wonder why articles seem to be secured better than military servers, which seem to be as open as McDonald's fast food outlets where terrorist hacker dudes from Lebanon gather to play catch-up between computer chips and hide behind hard disks.
PS: If these allegations about criminal activities continue to pop up, I'll set up a web page where all facts and log files will be presented to the public for closer inspection. These gentlemen who claim to have witnessed a "hack attack" on Israeli servers will then also have the chance to present their evidence and log files to the public for inspection by expert viewers from all over the world.
Luckily nowadays it is easier to go public than in earlier times. You don't have to own a whole newspaper anymore. 10 MB of web space is all you need.
Enjoy! & Shalom
Hans Zoebelein
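Added example, not part of Hans's post or of the queso tool: a small Python detector that parses Cisco ACL log lines of the kind quoted above and labels each source/destination flow either as a queso-style OS fingerprint probe (a handful of single TCP packets to port 80, source ports climbing by one or two, spread over minutes) or as a flood, so a responder can tell the two apart before raising an alarm. It reuses five of the quoted log entries and adds two constructed entries from 10.9.8.7 that imitate a flood; the rate and count thresholds are this example's own assumptions, not a vendor signature.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: five Cisco ACL entries quoted in the post (source 206.127.55.2)
# plus two constructed entries from 10.9.8.7 that imitate a genuine SYN flood.
SAMPLE_LOG = """\
Aug 13 08:46:25 anan 393621: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23470) -> 147.233.32.14(80), 1 packet
Aug 13 08:46:26 anan 393622: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23472) -> 147.233.32.14(80), 1 packet
Aug 13 08:47:09 anan 393625: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23474) -> 147.233.32.14(80), 1 packet
Aug 13 08:48:40 anan 393626: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23475) -> 147.233.32.14(80), 1 packet
Aug 13 08:48:42 anan 393627: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23476) -> 147.233.32.14(80), 1 packet
Aug 15 12:00:00 anan 400001: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.9.8.7(40001) -> 147.233.32.14(80), 2800 packets
Aug 15 12:05:00 anan 400002: %SEC-6-IPACCESSLOGP: list 171 denied tcp 10.9.8.7(51237) -> 147.233.32.14(80), 3100 packets
"""

LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>[\d:]{8}) \S+ \d+: %SEC-6-IPACCESSLOGP: "
    r"list \d+ denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<n>\d+) packets?$")

def parse_line(line, year=1998):
    """Parse one IPACCESSLOGP line into a dict; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": m["proto"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "n": int(m["n"])}

def classify(log_text):
    """Label each (src, dst, dport) flow: 'os-fingerprint probe', 'flood' or 'other'.
    Thresholds below are this example's own assumptions, not a vendor signature."""
    flows = defaultdict(list)
    for r in filter(None, map(parse_line, log_text.splitlines())):
        flows[(r["src"], r["dst"], r["dport"])].append(r)
    verdicts = {}
    for (src, dst, dport), recs in flows.items():
        recs.sort(key=lambda r: r["ts"])
        pkts = sum(r["n"] for r in recs)
        span = max((recs[-1]["ts"] - recs[0]["ts"]).total_seconds(), 1.0)
        ports = sorted(r["sport"] for r in recs)
        # queso-style probe: a handful of single packets, source ports climbing by
        # one or two (each probe sent twice), spread over minutes rather than a burst
        tight_ports = ports[-1] - ports[0] <= 2 * len(ports)
        if pkts / span >= 5:
            label = "flood"
        elif pkts <= 14 and tight_ports and all(r["proto"] == "tcp" for r in recs):
            label = "os-fingerprint probe"
        else:
            label = "other"
        verdicts[(src, dst, dport)] = label
    return verdicts
```

Running classify(SAMPLE_LOG) labels the 206.127.55.2 flow as an OS fingerprint probe and the constructed 10.9.8.7 flow as a flood; a real deployment would feed it the full ACL log rather than the excerpt.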