
You'll be the judge. (was: "hack" from leb.net)



Hi Linux-IL people

I'm writing this to defend Alex Khalil from leb.net and myself against
these incredible allegations about a "hack attack" against Israeli
servers. In the meantime the whole thing seems to be getting out of control and
is changing from something you could laugh about into a pretty severe
case. A gentleman from a security company appears in an Israeli newspaper.

There he claims that hackers coming from leb.net invaded even Israeli
military sites and did some damage.

I'm not willing to remain quiet when I see someone being drawn into
something that amounts to pretty serious allegations, and I'm convinced that
these allegations are not justified.
It is really a shame that the people who raised a false alarm, which
was triggered by my operating system survey, now try to save face by
accusing others of _criminal_ behavior.

Those who raised the false alarm behaved unprofessionally and hysterically
when the packets of my survey were registered by firewalls. This survey
runs for about 10 days, until all European web servers have been queried for their
operating system.

Here are the facts, which can be proved because all the emails described and the logs
of my survey are saved:

The whole thing began when I got a forwarded email from Alex Khalil
from leb.net, in which an employee of a security company complained
for the first time, at 21 Oct 1998 18:27:04 +0000.

He complained: "In the last few weeks I witnessed several hacker attacks on
companies in Israel that are connected to the Internet.
The source of all the attacks is beirut.leb.net.
Please reply why all the attacks are carried out from your site.
You can contact me using my email or:" (tel. nr. follows)

My reply to him:

[begin response]
Date: Thu, 22 Oct 1998 01:07:01 +0200 (CEST)
From: Hans Zoebelein <hzo@goldfish.cube.net>
To: ----@xxxxx.co.il,
    alex khalil <iskandar@ee.tamu.edu>
Subject: Re: [---@xxxxx.co.il: Hacker Attack]

Hi ----,

sorry for the disturbance.

Your site was queried by my operating system counter,
which builds statistics about the operating systems running on the
Internet. The packets your host received are totally harmless. The
answer packets coming from your host are evaluated and the operating
system is determined. For details and statistics, please visit
http://www.hzo.cubenet.de/ioscount/
More than 940,000 hosts have been queried to date.

To prevent further irritation I can put your host into
the exclude file and it will no longer be queried.
If you want to exclude further hosts from the survey,
please send me the domain name(s) which should be excluded.
I'll put them on my exclude list.

Sorry for the irritation.

Best Regards
Hans
[end response]

I never got a response from this gentleman at xxxxx to whom I emailed.
About 24 hrs later, when I come home in the evening and check my email, I
find an urgent email forwarded by Alex Khalil from leb.net. This time another
gentleman from CC.HUJI.AC.IL complains about hack attacks.
He mentions in his email that the whole story will probably appear in
the Israeli newspapers tomorrow.

His email came in at Fri 23 Oct 1998 00:59:21 +0000 here on my box.
I now write an email to this other guy:

[begin  reply]
Date: Fri, 23 Oct 1998 04:08:05 +0200 (CEST)
From: Hans Zoebelein <hzo@goldfish.cube.net>
To: -@VMS.HUJI.AC.IL>,
    -@VM.BIU.AC.IL>,
    -@CC.HUJI.AC.IL>,
    -@WEIZMANN.weizmann.ac.il>,
    -@VM.TAU.AC.IL>,
    -@MOFET.MACAM98.AC.IL>
Cc: support@leb.net,
    alexkhalil <iskandar@ee.tamu.edu>,
    crawls@DORSAI.ORG
Subject: "Hack attack" is no hack but a survey about operating systems

Hi,

the sysadmin of leb.net emailed me urgently that you suspect a hack
attack originating from leb.net servers.

Be assured that this is not the case. I'm doing a survey about operating
system usage on the Internet. This survey builds statistics on which
operating systems are running on servers connected to the Internet.

To find this out, IP packets are sent to servers and answer packets are
evaluated. For results, please check out http://www.leb.net/~hzo/ which
holds the September '98 results.

To each server 2x 7 packets were sent, which are totally harmless, and the
answers were evaluated. The principle is available for further
evaluation at http://www.apostols.org/projectz/queso

To prevent any further irritation, servers in the .il domain will be
removed from further surveys and will therefore no longer appear in
the survey, which covers all the European domains.
Best Regards
Hans

<zocki@leb.net>
<hzo@gmx.de>
<hzo@goldfish.cube.net>
[end reply]

After a short pause I send a second reply to the addresses of the first
reply, in which I answer the allegations that logging facilities were
disabled and a firewall was surmounted.
[begin 2nd reply]
Date: Fri, 23 Oct 1998 04:54:14 +0200 (CEST)
From: Hans Zoebelein <hzo@goldfish.cube.net>
To: a@VMS.HUJI.AC.IL>,
    b@VM.BIU.AC.IL>,
    c@CC.HUJI.AC.IL>,
    c@WEIZMANN.weizmann.ac.il>,
    c@VM.TAU.AC.IL>,
    d@MOFET.MACAM98.AC.IL>
Cc: support@leb.net,
    alexkhalil <iskandar@ee.tamu.edu>,
    crawls@DORSAI.ORG
Subject: Re: "Hack attack" is no hack but a survey about operating systems

As I read in your complaint to the leb.net admins, you claim that my
Internet survey caused the following:

"Firewall-1 system was bypassed and the log turned off after
compromise."

This claim cannot stand any proof. I sent the following packets to the
hosts I queried:

1) two SYN packets
2) two SYN+ACK packets
3) two FIN packets
4) two FIN+ACK packets
5) two SYN+FIN packets
6) two PSH packets
7) two SYN+XXX+YYY packets (XXX and YYY: unused TCP flags)
All packets have a random seq_num and a 0x0 ack_num.
I waited 6 seconds for a response from each host before marking it as
not responding.

How can such totally harmless packets bypass a firewall system?
How can it happen that logging stops? There must be some
other problem that caused logging to stop.

My survey for its part produces log files which can prove at what
time a server was queried.

Best Regards
Hans
[end second reply]
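The seven probes listed in the second reply above, as an added example that is not part of the original post and not queso's own code: a small Python builder and parser for raw 20-byte TCP headers carrying exactly those flag combinations, with a random sequence number, an acknowledgement number of zero and a correct IPv4 pseudo-header checksum. Everything beyond the reply's own list is an assumption: reading the two reserved bits above URG as the reply's "XXX" and "YYY" (RFC 3168 later named them ECE and CWR), the window value, the addresses used (RFC 5737 documentation addresses), and the detail that each probe reuses one source port for its repeat while the next probe takes the next port. The headers are built in memory only; nothing is sent.

```python
# Added example, not from the original post or from queso: the seven probe
# packets the reply lists, as raw TCP headers, plus a parser to read them back.
import os
import socket
import struct

# Flag bits in the low byte of the TCP "data offset / flags" word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
# The two bits above URG were reserved in RFC 793. Taking them as the reply's
# "XXX" and "YYY" is an assumption (RFC 3168 later assigned them to ECE/CWR).
XXX, YYY = 0x40, 0x80

FLAG_NAMES = [(YYY, "YYY"), (XXX, "XXX"), (URG, "URG"), (ACK, "ACK"),
              (PSH, "PSH"), (RST, "RST"), (SYN, "SYN"), (FIN, "FIN")]

# The seven probes in the order the reply gives them.
QUESO_PROBES = [
    ("SYN", SYN),
    ("SYN+ACK", SYN | ACK),
    ("FIN", FIN),
    ("FIN+ACK", FIN | ACK),
    ("SYN+FIN", SYN | FIN),
    ("PSH", PSH),
    ("SYN+XXX+YYY", SYN | XXX | YYY),
]


def flag_names(flags):
    """Names of the set flag bits, highest bit first."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def _ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, length):
    """IPv4 pseudo-header the TCP checksum is computed over."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, length))


def build_tcp_header(src_ip, dst_ip, sport, dport, flags, seq=None, ack=0):
    """20-byte TCP header with the given flags, a random seq_num (as in the
    reply), ack_num 0 and a valid checksum. Window 4096 is arbitrary."""
    if seq is None:
        seq = int.from_bytes(os.urandom(4), "big")
    offset_flags = (5 << 12) | (flags & 0xFF)   # data offset 5 words, no options
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, offset_flags, 4096, 0, 0)
    csum = (~_ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp_header(hdr):
    """Decode the fixed part of a TCP header into a dict."""
    sport, dport, seq, ack, off_flags, window, csum, urg = struct.unpack("!HHIIHHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "offset": off_flags >> 12, "flags": off_flags & 0xFF,
            "names": flag_names(off_flags & 0xFF), "window": window, "checksum": csum}


def checksum_ok(src_ip, dst_ip, segment):
    """A segment whose checksum field is correct sums to all ones."""
    return _ones_complement_sum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def probe_series(src_ip, dst_ip, first_sport, dport=80, repeat=2):
    """The reply's '2x 7 packets': each probe `repeat` times, the source port
    advancing by one per probe (assumption), so a firewall log shows a short
    run of neighbouring source ports against one destination port."""
    series = []
    for i, (name, flags) in enumerate(QUESO_PROBES):
        for _ in range(repeat):
            series.append((name, build_tcp_header(src_ip, dst_ip, first_sport + i, dport, flags)))
    return series
```

`probe_series("192.0.2.1", "198.51.100.7", 8413)` yields 14 headers on source ports 8413, 8413, 8414, 8414, ... 8419, 8419, all to port 80; `parse_tcp_header` on any of them shows ack 0 and the flag names, and `checksum_ok` fails as soon as a single bit of the header is changed.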

This gentleman, who triggered this second alarm, did not contact me until 2
days and 7 hrs later, at Sun, 25 Oct 1998 12:02:01 +0200. Yes, that's
correct. It is incredible! He notified the Israeli press before
verifying at leb.net what really happened, and then did not contact me
despite my sending him two emails which refuted his claims. I'm sorry to
state that I feel this has to be described as unprofessional
behavior.

In the meantime Alex Khalil from leb.net forwards me an email in which the
gentleman who triggered the second alarm claims that UDP packets were
fired against Israeli sites. The big chunk of log file he includes shows
the typical packet fingerprint of my operating system survey. Not a
single UDP packet is registered, but all TCP packets, which are sent to port
80 (http server). All these packets are grouped into series of 7, where
the address where replies should be sent to increases by exactly one
digit. A typical queso fingerprint. These log files document the Aug. 98,
Sep. 98 and Oct. 98 surveys. I see that my first survey in July '98 did not
show up in this log file...
Here is an excerpt from the log file supplied with the forwarded email:

[begin logfile]
Aug 13 08:46:25 anan 393621: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23470) -> 147.233.32.14(80), 1 packet
Aug 13 08:46:26 anan 393622: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23472) -> 147.233.32.14(80), 1 packet
Aug 13 08:47:09 anan 393625: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23474) -> 147.233.32.14(80), 1 packet
Aug 13 08:48:40 anan 393626: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23475) -> 147.233.32.14(80), 1 packet
Aug 13 08:48:42 anan 393627: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(23476) -> 147.233.32.14(80), 1 packet
Aug 13 10:08:48 anan 393935: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8413) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:22 anan 393943: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8413) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:42 anan 393945: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8414) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:57 anan 393947: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8415) -> 147.233.32.180(80), 1 packet
Aug 13 10:10:19 anan 393949: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8416) -> 147.233.32.180(80), 1 packet
Aug 13 10:11:21 anan 393952: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8417) -> 147.233.32.180(80), 1 packet
Aug 13 10:11:55 anan 393953: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8418) -> 147.233.32.180(80), 1 packet
Aug 13 10:13:16 anan 393956: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8419) -> 147.233.32.180(80), 1 packet
Aug 14 00:49:47 anan 397400: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10469) -> 147.233.32.14(80), 1 packet
Aug 14 00:51:58 anan 397410: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10469) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:02 anan 397412: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10470) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:07 anan 397413: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10468) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:24 anan 397414: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10466) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:41 anan 397417: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10464) -> 147.233.32.14(80), 1 packet
Aug 14 03:39:32 anan 397985: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17401) -> 147.233.32.180(80), 1 packet
Aug 14 03:40:32 anan 397994: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17401) -> 147.233.32.180(80), 1 packet
Aug 14 03:40:34 anan 397996: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17402) -> 147.233.32.180(80), 1 packet
Aug 14 03:41:03 anan 397998: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17403) -> 147.233.32.180(80), 1 packet
Aug 14 03:41:43 anan 398000: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(17404) -> 147.233.32.180(80), 1 packet
[about 12 times more log file attached to the email]

As you can see, only tcp to port 80, return address increasing by one.
Groups of 7 for each host (groups of 14 may be possible when I sent each
packet twice to compensate for packet loss).
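As an added example that is not part of the original post: a Python detector that parses Cisco IOS %SEC-6-IPACCESSLOGP lines of the kind quoted above, groups them into bursts per source and destination, and tests each burst for the signature described here (TCP only, destination port 80 only, a handful of entries whose source ports lie within a few numbers of each other). Two points from the excerpt itself shape the check: in the Aug 14 00:49-00:52 run the source ports are 10469, 10469, 10470, 10468, 10466, 10464, within a span of six but not strictly increasing, so the detector measures the span rather than demanding +1 steps; and the ACL log records addresses, ports and a packet count but no TCP flags, so the flag pattern cannot be confirmed from these lines at all. The first fourteen sample lines are copied from the excerpt; the UDP burst and the port scan from 203.0.113.9 are constructed for contrast, and the burst gap, entry-count and port-span thresholds are assumptions tuned to this excerpt.

```python
# Added example, not from the original post. Parse Cisco IOS ACL deny lines
# like those quoted above, group them into bursts per (src, dst) and test
# each burst for the survey's signature. Thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<seq>\d+): "
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$")

# First 14 lines: copied from the excerpt above. Remaining 7 lines: constructed
# (a UDP burst and a small TCP port scan from 203.0.113.9) for contrast.
SAMPLE_LOG = """\
Aug 13 10:08:48 anan 393935: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8413) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:22 anan 393943: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8413) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:42 anan 393945: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8414) -> 147.233.32.180(80), 1 packet
Aug 13 10:09:57 anan 393947: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8415) -> 147.233.32.180(80), 1 packet
Aug 13 10:10:19 anan 393949: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8416) -> 147.233.32.180(80), 1 packet
Aug 13 10:11:21 anan 393952: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8417) -> 147.233.32.180(80), 1 packet
Aug 13 10:11:55 anan 393953: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8418) -> 147.233.32.180(80), 1 packet
Aug 13 10:13:16 anan 393956: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(8419) -> 147.233.32.180(80), 1 packet
Aug 14 00:49:47 anan 397400: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10469) -> 147.233.32.14(80), 1 packet
Aug 14 00:51:58 anan 397410: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10469) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:02 anan 397412: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10470) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:07 anan 397413: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10468) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:24 anan 397414: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10466) -> 147.233.32.14(80), 1 packet
Aug 14 00:52:41 anan 397417: %SEC-6-IPACCESSLOGP: list 171 denied tcp 206.127.55.2(10464) -> 147.233.32.14(80), 1 packet
Aug 14 05:10:01 anan 398100: %SEC-6-IPACCESSLOGP: list 171 denied udp 203.0.113.9(1024) -> 147.233.32.14(137), 1 packet
Aug 14 05:10:02 anan 398101: %SEC-6-IPACCESSLOGP: list 171 denied udp 203.0.113.9(1025) -> 147.233.32.14(137), 1 packet
Aug 14 05:10:03 anan 398102: %SEC-6-IPACCESSLOGP: list 171 denied udp 203.0.113.9(1026) -> 147.233.32.14(137), 1 packet
Aug 14 05:20:00 anan 398200: %SEC-6-IPACCESSLOGP: list 171 denied tcp 203.0.113.9(40000) -> 147.233.32.180(21), 1 packet
Aug 14 05:20:01 anan 398201: %SEC-6-IPACCESSLOGP: list 171 denied tcp 203.0.113.9(40000) -> 147.233.32.180(23), 1 packet
Aug 14 05:20:02 anan 398202: %SEC-6-IPACCESSLOGP: list 171 denied tcp 203.0.113.9(40000) -> 147.233.32.180(25), 1 packet
Aug 14 05:20:03 anan 398203: %SEC-6-IPACCESSLOGP: list 171 denied tcp 203.0.113.9(40000) -> 147.233.32.180(110), 1 packet
"""


def parse_line(line):
    """One log line -> dict, or None if it is not an IPACCESSLOGP deny."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    # Syslog timestamps carry no year; parse into a leap year so Feb 29 cannot
    # raise. Only ordering and gaps within one capture matter here.
    e["ts"] = datetime.strptime("2000 " + re.sub(r"\s+", " ", e["ts"]),
                                "%Y %b %d %H:%M:%S")
    for k in ("sport", "dport", "count"):
        e[k] = int(e[k])
    return e


def cluster_bursts(entries, gap=timedelta(minutes=5)):
    """Per (src, dst), split entries into bursts separated by quiet gaps."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e["src"], e["dst"])].append(e)
    bursts = []
    for pair, es in by_pair.items():
        es.sort(key=lambda e: e["ts"])
        cur = [es[0]]
        for e in es[1:]:
            if e["ts"] - cur[-1]["ts"] > gap:
                bursts.append((pair, cur))
                cur = []
            cur.append(e)
        bursts.append((pair, cur))
    return bursts


def classify(burst):
    protos = {e["proto"] for e in burst}
    dports = {e["dport"] for e in burst}
    sports = sorted(e["sport"] for e in burst)
    span = sports[-1] - sports[0]
    # Seven probes, each sent up to twice, source port advancing by one per
    # probe, with duplicates and reordering in the log: accept 4..14 entries
    # within a source-port span of 8. The ACL log carries no TCP flags.
    if protos == {"tcp"} and dports == {80} and 4 <= len(burst) <= 14 and span <= 8:
        return "queso-like OS probe"
    if protos == {"tcp"} and len(dports) >= 4 and len(set(sports)) <= 2:
        return "port scan"
    return "other"


def analyze(text):
    """Map (src, dst) -> list of burst summaries, each with a verdict."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    report = defaultdict(list)
    for pair, burst in cluster_bursts(entries):
        sports = sorted(e["sport"] for e in burst)
        report[pair].append({"start": burst[0]["ts"].strftime("%b %d %H:%M:%S"),
                             "entries": len(burst),
                             "sport_span": sports[-1] - sports[0],
                             "dports": sorted({e["dport"] for e in burst}),
                             "verdict": classify(burst)})
    return dict(report)
```

`analyze(SAMPLE_LOG)` reports the two 206.127.55.2 bursts as "queso-like OS probe" (8 and 6 entries, source-port span 6, destination port 80 only), the constructed UDP burst as "other" and the constructed multi-port run as "port scan". On a real capture the span and count limits need tuning to the logging device, since ACL logging may coalesce repeated packets of one flow into a single line with a higher count.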

Finally, after waiting for over two days, I get a reply from the gentleman
who triggered the second alarm.

Date: Sun, 25 Oct 1998 11:28:15 +0200
From: -----@ibm.net.il>
To: Hans Zoebelein <hzo@goldfish.cube.net>
Cc: alex khalil <iskandar@ee.tamu.edu>
Subject: Re: My host query
Parts/Attachments:
   1 Shown   ~232 lines  Text
   2          493 KB     Application
----------------------------------------

At 04:49 PM 10/23/98 +0200, Hans Zoebelein wrote:

The attached picture shows a typical log output from the firewall. This
looks like an HTTP dos attack.   -[name removed by me]

>Hi  [name omitted],
>
>Alex Khalil from leb.net sent me an email about
>the problems which came up, caused through my survey.
>
>As you may know, the survey I'm doing is to find out which operating
>systems are running the Internet. A topic which until now was pretty in
>the dark. Numbers published relied on "estimates" or on which software
>licenses an ISP did buy. A pretty obscure method, because you don't know
>if the ISP buys NT licenses to run his servers or to run his Web designer
>software.
>
>
>To the query itself:
>There shouldn't be udp packets involved but tcp packets
>which go to port 80 (as I checked web servers).
[rest of quote omitted]

If I understand right, it is now being called an HTTP dos attack. But
leb.net runs on Linux, not on DOS. But the worst is still to come.
Included is an over 400kb bmp file (Microsoft bitmap file) which shows
the image of a log window containing two lines. The lines in this
bitmap file show this:

[begin bitmap file content]
SERVICE SOURCE         DESTINATION      PROTO RULE  S_PORT INFO
http    206.127.55.2   192.116.xxx.239  tcp   0     20899  message->
SYN->SYN-ACK -> timeout
[end bitmap file content, DESTINATION address partially xxx'ed out by
me]


Since I think that the bmp file must be damaged, because it shows only a
header line and one line of a log file which looks pretty, hmmm... neutral,
I send back a jpg copy of this file (20kb) to the sender to show the
damage to the image. But the gentleman answers me:

[begin quote]
"The 1st 2 lines is what is important.   -[name omitted]"
[end quote]

I'm beginning to think that I'm included in a piece written by Kafka.
This looks pretty mysterious. You receive a huge file which holds only two
lines which don't show anything incriminating (or am I wrong?), and after your
complaint you are told that these two lines are the important stuff which
justifies sending such a byte monster to you.

After some time I find out that an article was posted online by El
Haaretz about a hack on Israeli servers. I try to get it, but -yuck-
you need a password to read this article. So I write to the
postmaster and explain to him that I think I'm accused of having hacked
these Israeli servers, and ask if he could send me this article. After some
time I get a response from El Haaretz containing a pointer to this article
and a comment that the article will be available there until Sunday.

So I fire up my browser to read it, but -yuck- again I'm asked for
some password. It seems as if they secure their articles better
than their military servers.

So I write again to El Haaretz, telling them that this article pointer is
also secured by a password and asking for another chance to read the
article. After some time the answer comes. They tell me that they are
open only to subscribers, but I could subscribe too. This time they
include the article for my reference. And really, the article is
included as an attachment. I open the attachment and -yuck- the article is
in Hebrew, which I unfortunately don't understand. Only the words "denial of
service" and "leb.net", which appear "unencrypted", seem to show pretty
clearly what is written there.

Hi Mr. Kafka, how are you doing today?

Some time later (I'm up now around 30 hrs) I find out that another
article has appeared in another online magazine, this time unsecured, no
password, and "unencrypted" in plain English. That's pretty
careless. Easy to read for a hacker.

A gentleman from a computer security company (let's call this company
"ExeDry" and the gentleman "Mr. Baba") reports that he witnessed how
hackers from a server called "beirut.leb.net" hid behind 14
Israeli servers to finally assemble to attack even military sites. They
deleted and copied files from these servers (which seem to have security
holes like Swiss cheese [comment by me]).
Hm... I remembered that I must have heard this story once before. But
the first time it was a story from 1001 Nights. And there were not 14
hosts but 40 guys (hackers?) who did the stunt and hid in big
clay vessels.

Until Mr. Ali Baba ordered the vessels to be filled up with boiling water.
Ouch! One could speculate whether the 14 servers would have rebooted again
after being filled up with boiling water for "disinfection".

So I write a rebuttal. I hit the reply button, choose "Editor" as
recipient, and a tiny edit window, perhaps
the size of 4cm, pops up. I change my screen resolution from 1240x1024 to
800x600. The window still looks pretty Lilliputian. Hitting the keys produces
Lilliputian chars which pop up in the Lilliputian frame. I'm writing (hacking?)
semi-blind. Here we go:

[begin rebuttal, spelling errors as in the original rebuttal]
Dear sirs,

may I refute your article about the Lebanese guy who
was hacking all the sites in Israel using two words:

Bull Shit!

I'm doing a survey about operating system usage on the Internet.
This survey runs once per month and began in July '98.
To see the results of the survey, please visit http://www.leb.net/~hzo/

The whole story came up, because someone thought
this was a hack, cried "fire" and now does not want to loose
his face.
I feel very sorry that the whole stuff seems to get out
of control. I had emailed the individual who fired up the alarm
as soon as I was aware that he thought this was a
hack against Israeli servers. But it seems that the
the people involved fear to loose face.
I have hoped since yesterday, that this whole incident
would be handled reasonable. But I doubt that it
will be possible that truth will take a victory.

Please ask these supporters of the hack attack these
questions:

1) Is it reasonable that a hacker is so stupid
to use his own host( which can easily be traced back).

2) How can a hacker fire up an "DOS http attack"
when the server (leb.net) is running on Linux,
an Unix clone.

3) Why should a hacker send always
7  packets to hosts he attacks:

 0 SYN packet
 1 SYN+ACK packet
 2 FIN packet
 3 Fin + ack
 4 SYN+FIN FIN
 5 PSH
 6 SYN+XXX+YYY

If you don't understand what this means, please
ask an guy who knows about IP packets.
If you know about computing, check out
http://www.apostols.org/projectz/queso/
There the whole system of identifying
an operating system is described very nicely.
...
If you truth is what you want, you cannot
let this article stand uncorrected.

Shalom
Hans Zoebelin
<hzo@goldfish.cube.net>
<hzo@leb.net>
<hzo@gmx.de>
[end rebuttal]

After hitting the reply button, I ask myself whether my rebuttal will ever
appear anywhere. The words BS might be too gross. I'm up now about 36
hrs.

Before I get up and go to take a cup of sleep, I still wonder why
articles seem to be secured better than military servers, which are openly
accessible like McDonald's fast food outlets, where terrorist hacker dudes
from Lebanon gather to play catch-up between computer
chips and hide behind hard disks.

PS: If these allegations about criminal activities continue to pop
up in public, I'll set up a web page where all facts and log files
will be presented to the public for closer inspection. It really was Alex
Khalil who insisted that I add a dateline to every host name which was
queried for its OS. Do hackers request that you log connect
dates? I doubt it.

The gentlemen who claim to have witnessed a "hack attack" on Israeli
servers will then also have the chance to present all their evidence,
like log files, to the public for inspection by expert viewers from all over
the world.

Luckily, nowadays it is easier to go public than in earlier times. You
don't have to own a whole newspaper publishing company anymore.
10 MB of web space is (nearly) all you need.


Enjoy! & Shalom
Hans Zoebelein


-- 
blinux == support for the Linux user who is blind.
blinux == http://www.hzo.cubenet.de/blinux/
-  -  -  -  -  -  -  -  -  -  -  -  -  -  -
ios++  == Internet Operating System Counter.
ios++  == http://www.leb.net/~hzo