TheOgre 77 Posting Whiz

Try running Wireshark on the new computer to see the details about the traffic. You'll be able to determine if the machine is trying to send out spam once it has an Internet connection, and you can see where that traffic is destined, as well as any other outbound connections the system is attempting to initiate.

TheOgre 77 Posting Whiz

Provided a few conditions are met, then yes.

TheOgre 77 Posting Whiz

You can add the code to the shell script. I'm guessing you're doing a MySQL dump of the data into a .sql file? Just add another line to the shell script to tar -czf {file.sql}. Either that or provide more details on what the shell script is doing in the first place.

TheOgre 77 Posting Whiz

Sure, I'd be happy to contact you, but [snipped] or [snipped] are both out of service/disconnected.

TheOgre 77 Posting Whiz

Try asking that question again without letting the cat walk on the keyboard so we can understand WTF you're saying.

TheOgre 77 Posting Whiz

You mean aside from committing a felony and breaking your ISP's TOS? If you really don't know that much about it, I'd suggest you learn how to set up a secure proxy. By the time you learn enough about what's involved, you'll realize they'd be better off just using Tor.

TheOgre 77 Posting Whiz

If you don't own the AP, don't connect to it.

TheOgre 77 Posting Whiz

Rewrite the syslog protocol to use TCP by default, using an SSL tunnel. That'd sure make MY life easier.

TheOgre 77 Posting Whiz

Have you bothered to read the manual to see if it changed? Did you try connecting to it over a LAN connection first to make sure it isn't a WiFi issue?

No? The problem seems to be either PEBCAK or an ID-10-T error.

TheOgre 77 Posting Whiz

You mentioned audio in your OP. If 30 laptops are going to connect to a single app server over WiFi on 2 APs, you'll either have to limit the bandwidth to each wireless client that connects, or add another 5 or 6 APs to your network to handle the load. If you spread the APs out around the room and decrease the power output (on the AP), you'll be able to "force" a limited number of clients in the immediate vicinity to connect to the nearest AP, thereby creating a kind of "managed" wireless network. If the laptops start moving around the room, then that'll defeat the purpose of what I just described.

TheOgre 77 Posting Whiz

It's not just the 4-foot cable - it's across your LAN, and if wireless is added to the mix, it's now in the air (unless you know for a fact that your key hasn't been compromised.)

Also, if you're sending login credentials to your router, they should be over HTTPS. Even if it's just a "can-I-do-this/make-work-project/academic-exercise with python" on a "lowly home network", get in the habit NOW of practicing good coding, using best practices, which includes keeping security in mind FROM THE VERY START.

Just a thought: another way to approach this problem could wind up being very simple: have your router send its logs to a syslog server (use Google), and have a script or another program (I prefer OSSEC-HIDS) send you an e-mail alert when a new DHCP lease is given out. Quick, secure (well, more secure than your original method, at least), and easy. Not to mention you'll learn a few new things in the process :)
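The alerting half of that suggestion, as an added example that is not part of TheOgre's post: a script that reads the DHCP lines the router forwards to the syslog server, compares each lease against a list of devices you already know, and builds the e-mail for anything new. It assumes the router logs in the ISC dhcpd line format ("DHCPACK on <ip> to <mac> (<hostname>) via <iface>"); the log lines and the known-device list below are constructed for the demonstration.

```python
"""Alert on DHCP leases handed out to MAC addresses not seen before.

Added example, not from the original post. Assumes the router forwards its
DHCP server messages to a syslog host in ISC dhcpd's line format; the log
lines and the inventory below are constructed.
"""
import re
from email.message import EmailMessage

# Constructed sample of what the syslog server would receive from the router.
SAMPLE_LOG = """\
Dec  9 10:15:01 router dhcpd: DHCPDISCOVER from aa:bb:cc:dd:ee:01 via eth1
Dec  9 10:15:02 router dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:01 (alice-laptop) via eth1
Dec  9 10:17:44 router dhcpd: DHCPACK on 192.168.1.51 to AA:BB:CC:DD:EE:02 via eth1
Dec  9 11:02:10 router dhcpd: DHCPACK on 192.168.1.50 to aa:bb:cc:dd:ee:01 (alice-laptop) via eth1
Dec  9 11:30:55 router dhcpd: DHCPACK on 192.168.1.77 to de:ad:be:ef:00:01 (unknown-device) via eth1
"""

# Devices the household already knows about (constructed inventory).
KNOWN_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_dhcpack(line):
    """Return (timestamp, ip, mac, hostname) for a DHCPACK line, else None.
    The MAC is lower-cased so the same device is not counted twice by case."""
    m = DHCPACK_RE.match(line)
    if not m:
        return None
    return (m.group("ts"), m.group("ip"), m.group("mac").lower(), m.group("host") or "")


def new_leases(log_text, known_macs):
    """Return one record per lease granted to a MAC not in known_macs.
    known_macs is updated in place so a device is reported only once."""
    found = []
    for line in log_text.splitlines():
        rec = parse_dhcpack(line)
        if rec is None:
            continue
        mac = rec[2]
        if mac in known_macs:
            continue            # renewal or re-lease of a device we already know
        known_macs.add(mac)
        found.append(rec)
    return found


def build_alert(records, sender="syslog@home.example", to="me@home.example"):
    """Build the e-mail a cron job would hand to smtplib (addresses are placeholders)."""
    msg = EmailMessage()
    msg["Subject"] = f"{len(records)} new DHCP lease(s) on the LAN"
    msg["From"] = sender
    msg["To"] = to
    body = "\n".join(
        f"{ts}  {ip:<15} {mac}  {host or '(no hostname)'}" for ts, ip, mac, host in records
    )
    msg.set_content(body)
    return msg


if __name__ == "__main__":
    unknown = new_leases(SAMPLE_LOG, set(KNOWN_MACS))
    if unknown:
        # A real job would pass msg to smtplib.SMTP(...).send_message().
        print(build_alert(unknown))
```

Run against the sample, the two known devices (one of them logged with an upper-case MAC) and the renewal are ignored and only the lease to de:ad:be:ef:00:01 ends up in the alert. In a real deployment the known-MAC set would be persisted between runs so each new device is reported once.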

TheOgre 77 Posting Whiz

...I guess the card just doesn't support WPA2 under windows. Bummer.

If you were able to specify the settings for WPA2 under Windows, then it supports it.

TheOgre 77 Posting Whiz

Make sure the WiFi NIC is configured for DHCP, and nothing is hardcoded (DNS, WINS, etc.). The address range 169.254.0.0/16 is used when a valid DHCP lease can't be updated or acquired.

TheOgre 77 Posting Whiz

I'd recommend learning how to type using full and complete sentences, with proper spelling and pronunciation. I'd hate trying to read the first paragraph of your resume if that's how you type.

Ezzaral commented: agreed +0
TheOgre 77 Posting Whiz

Do what Ancient Dragon suggested and practice. I'll add this: read. I'll add this as well: You won't get too much information by asking people "how to become a hacker", and you won't be taken seriously.

TheOgre 77 Posting Whiz

The OP never said anything at all about iTunes or Mac - they're using Slackware Linux. While the information you posted might be useful, it had nothing to do with the original question.

TheOgre 77 Posting Whiz

Did you bother to check to see whether or not my suggestion helped at all?

Repeating the same exact thing without supplying any additional information isn't going to get you anywhere.

Also, spell check your post before submitting it so you don't sound like a complete moron.

TheOgre 77 Posting Whiz

You can restrict connections to it in the "Source" column when you define the new rule allowing specific IP addresses (public or internal) to connect to the specific port.

If you would like additional, detailed information, feel free to contact me and I can walk you through it. I have hundreds of rules for this very thing on mine (CheckPoint).

TheOgre 77 Posting Whiz

Make sure that Windows isn't turning off power to the NIC to conserve power (which is the default setting) if you're on a Windows machine. Look in the Device Manager for the NIC, right-click your wireless card, choose "Properties", and click the "Resources" tab. It should be the top option. Uncheck it, "OK" out of it, and it should be fine.

TheOgre 77 Posting Whiz

Just did a quick search and found this, which might help you:

http://www.nthelp.com/upnpscrewup.htm

http://support.microsoft.com/kb/317843/en-us

TheOgre 77 Posting Whiz

You can also get some info on the IP owner here:
https://ws.arin.net/whois/?queryinput=239.255.255.250

TheOgre 77 Posting Whiz

It might be uPNP, as described here:

http://www.linuxsa.org.au/mailing-list/2002-11/1134.html

Grab a copy of Wireshark (unless you're familiar with tcpdump and have a *nix machine) and check out your local traffic.

TheOgre 77 Posting Whiz

The manual should have directions for backing it up. It depends on the manufacturer, but most if not all of them have a menu option to back up the config, once you're able to access (log in to) it.

TheOgre 77 Posting Whiz

(using superscan)
go on web browser.. choose your favorite search engine.. copy the url & ip.. go to your superscan .. press lookup & copy the resolve put to your browser then click!

:D

If I read what you posted correctly (this is a large assumption on my part), you're explaining how to either do some kind of portscan of the box or do a DNS lookup on the domain (I can't figure out which) - both in a web browser (I think), neither of which are considered "hacking."

Lay off the crack. Seriously.

TheOgre 77 Posting Whiz

Are the images in a publicly-accessible directory, or outside the docroot?

TheOgre 77 Posting Whiz

root 14653 1 0 Dec09 ? 00:00:00 /usr/sbin/sshd

That's the sshd process itself, running as root, not root being logged in to an SSH session (notice it's sshd, not ssh@).

man sshd

TheOgre 77 Posting Whiz

Yup, I know the difference, but the way you originally worded it made me unsure of whether or not you understood the differences yourself.

(Incidentally, I thought the answer you got from the VNC list back on the 8th was sufficient.)

TheOgre 77 Posting Whiz

Didn't know about that, but then again, I haven't used iptables (or Linux, for that matter) in years. I'd say go for it and see what happens :)

TheOgre 77 Posting Whiz

What did you use to generate that?

As far as creating functions, I'd suggest consulting the manpage for iptables. I haven't used iptables in about 10 years, and my *BSD boxen use pf, so I can't be of much help as far as cleanup goes.

As far as using Python (as you mentioned in your original post), my question is still "Use it for what?"

TheOgre 77 Posting Whiz

After reading your posts in this forum and others, it's wonderful how you became an expert on this subject in so little time. It seems like just yesterday (maybe because it was?) you were a n00b asking basic questions about various networking and Linux subjects, and here you are today citing wikipedia references to me (as if wikipedia was the end-all-be-all about everything.)

(And just to remind you, your original question was pertaining to authentication to a different application (OpenVPN), using certificates, not a web server. If you're such an expert on this, why are you asking this same question in various forums? I'm just curious...)

OK, let's go with it.

Gmail doesn't send you unencrypted data when the https connection has been established. They encrypt data with your public key.


The data is encrypted over a Secure Socket Layer (SSL) connection. There *is* no "public key", since we're dealing with certificates here. If you were using GnuPG or PGP, then you have a public key, as well as a private key (which, by the way, is used for encrypting data in a different fashion, but I won't confuse you with that stuff right now.) Not so with certificates - you have the server certificate (held on the server, in your example by Google) and the client certificate installed within the browser, and BOTH of them are signed by the root Certificate Authority (aka "root CA".) A "user" is never asked about the transaction (provided the …

TheOgre 77 Posting Whiz

If it doesn't listen on localhost, it won't work.

Secondly, use iptables to allow/deny connections on a different interface if you don't want to allow connections to a specific interface.

FYI, "interface" is NOT the same as IP address, since you can have numerous IP addresses bound to the same interface (eth0, eth1, etc.)

TheOgre 77 Posting Whiz

My iptables script is getting bloated, redundant, and there's code duplication everywhere, how can I clean it up?

Can you paste some examples of this "bloating" and "code duplication"? If there's duplicate rules defined in different areas, it shouldn't be too difficult to spot them and help you get them cleaned up.

Use shell script functions?
Develop it in a different language, like python?

Develop *what* in a different language? Something to clean it up, or are you meaning using python for iptables?

TheOgre 77 Posting Whiz

It means the process itself is running as root, which is required for sshd to function properly.

TheOgre 77 Posting Whiz

If you read the full pfsense thread, you would see that originally I didn't know how the signing worked.

I read the full thread completely, a few times, actually. It appears that you still don't fully understand PKI, since you keep mentioning "signing" when you mean "exchange."

The EXCHANGE occurs during the initial connection to establish trust and verification.

SIGNING is when you submit a .csr to a CA, who then signs it and returns to you an actual certificate that is used from then on in order to establish a trusted connection (this is what's used during the "exchange" mentioned above.)

Then at the end I realized that the user submits a self signed certificate to gmail. I already knew that the Thawte certificates were installed in the browser.

Still wrong. The user doesn't submit anything to Gmail. The browser has a certificate signed by the root CA already installed, and THAT is what's used to establish the trust between the browser and the server. Nothing is being "signed" anywhere in that entire process. Certificates are being VERIFIED - that's it.

hence my statement at the end of the thread,

"As for gmail, I guess they don't care who you are, so as long as you sign your own certificate they'll accept the connection."

was correct. I could have also added, "and as long as the client successfully verifies the gmail certificate".

No, that's NOT correct. I've already explained it, so I'm not going to …

TheOgre 77 Posting Whiz

I'm surprised no one mentioned the word proxy server yet.

Why add additional things to confuse them? The OP doesn't even know what a keylogger is, I doubt they'd know what a proxy is (no offense to the OP.)

TheOgre 77 Posting Whiz

And by the way, as far as your comment about Gmail not caring, you should really learn how something works before you make snide comments to people who know more than you and are trying to help you. The root CA that Gmail uses is already installed in your browser. Again, THERE IS NO SIGNING GOING ON.

TheOgre 77 Posting Whiz

Not true by any stretch.

Not to be rude (hey, I'm in a good mood this morning :) but I don't think you have a clue about how this works, based on your posts in the pfsense forum.

The certificates are for authentication, not for signing. When you want an SSL certificate for your website/mail server/whatever, you generate a .csr and submit that to the CA to sign. They, in turn, issue you a signed certificate (usually a .crt), and you use that along with a .key file to establish to your clients that you (whatever "you" happens to be) are who you say you are.

There is no signing that goes on in any connection to the server. Period.

TheOgre 77 Posting Whiz

So why is it "bad news for hackers"?

TheOgre 77 Posting Whiz

Only a few months old, and if someone else has the same exact question, they'll find the answer if they do a search, so it doesn't hurt to answer it.

And the c$\d$\e$ is an admin share, not a standard shared directory, so if they have admin rights on the box/network, they should be able to hit it.

...yes, on a Winblow$ box. I'm making that assumption based on the fact they referred to a "folder" and not a "directory."

TheOgre 77 Posting Whiz

Start > Run > \\computername\d$ (or e$, f$, etc.) [Enter]
This will pop up a new window displaying the contents of the USB stick (if you have the proper rights to access the machine/share/drive).

Then, just select all + copy + paste.

TheOgre 77 Posting Whiz

Firewalls don't protect against a keylogger.

TheOgre 77 Posting Whiz

You won't be able to truly stop invasion of privacy, so your next step is damage control.

If this is at a workplace, there is no "invasion of privacy."

A. Set up a workgroup within the network and secure it. Doing this will not stop invasion, but will let the intruder know that you are aware of the intrusions and are on the defense.

1.) The OP didn't mention anything about an "intruder." They were asking if the network admin would have access to their machine.

2.) Also, if the machine is a member of a domain, and the OP doesn't have domain admin rights, they can't remove the machine from a domain to create a workgroup.

3.) Doing this won't do anything to stop someone from accessing your files, and certainly won't stop anyone from seeing your network/bandwidth usage/history, if that is what the OP is concerned about. If they have any monitoring tools in place, this will do nothing to bypass/evade/stop them.

B. Work from within this network and password protect all of your files.

I don't think you really have a clue about network security, Bub, but nice try.

C. Clean your tracks after each session.

Can you define "clean your tracks" without mentioning clearing browser history and deleting cookies?

This is not the "solution" but it’s a start, who knows you may even gain a little respect :)

You might also piss off the network admin in the process, which …

TheOgre 77 Posting Whiz

If the admin is the one who configured everything, then YES to all of your questions.

If he didn't set up/configure the computer you use, but they did configure the network, then assume that your Internet progress/usage/history can and will be tracked/logged/inspected.

And no, there's nothing you can do about it, short of asking them nicely to stop (be prepared to be laughed at if you try that.)

TheOgre 77 Posting Whiz

Ever hear of ARP poisoning? I can assume any MAC on any network I want to, regardless of whether a machine is off or on, and I can make every other device on that network believe I'm the real thing.

The short answer to your question is YES, but not the way you were thinking. Establish static ARPs in your environment (no, I'm not going to explain how - use Google) and that should do a fairly good job for starters.
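The defensive side of that post, as an added example that is not part of TheOgre's post: a watcher that reads tcpdump-style ARP output, reports any IP whose MAC differs from the one first seen for it (the "changed ethernet address" condition arpwatch reports), and emits the static ARP entries that pin a clean baseline. It assumes lines in tcpdump's "ARP, Reply <ip> is-at <mac>" format; the capture below is constructed and the 192.168.1.0/24 addresses are placeholders.

```python
"""Spot IP addresses whose MAC changes between ARP replies, and print the
static entries that pin the legitimate mappings.

Added example, not from the original post. Reads tcpdump-style lines
("<time> ARP, Reply <ip> is-at <mac>, ..."); the capture below is constructed.
"""
import re

# Constructed capture: the gateway 192.168.1.1 is suddenly claimed by a second MAC.
SAMPLE_CAPTURE = """\
10:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
10:00:05.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 46
10:05:30.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.20, length 46
10:05:30.000100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
10:07:12.000000 ARP, Reply 192.168.1.1 is-at 66:77:88:99:aa:bb, length 46
10:07:13.000000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 46
"""

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9A-Fa-f:]{17})"
)


def arp_replies(capture_text):
    """Yield (timestamp, ip, mac) for every ARP reply in the capture."""
    for line in capture_text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def baseline(capture_text):
    """{ip: mac} of the first reply seen for each address.
    Take this from a capture you know to be clean, or from your own inventory."""
    table = {}
    for _, ip, mac in arp_replies(capture_text):
        table.setdefault(ip, mac)
    return table


def mac_changes(capture_text, trusted=None):
    """Return (timestamp, ip, expected_mac, seen_mac) for every reply that claims
    an IP with a MAC other than the trusted one. With no trusted table, the first
    mapping seen for each IP is treated as trusted."""
    known = dict(trusted) if trusted else {}
    changes = []
    for ts, ip, mac in arp_replies(capture_text):
        if ip not in known:
            known[ip] = mac
        elif known[ip] != mac:
            changes.append((ts, ip, known[ip], mac))
    return changes


def static_arp_commands(trusted):
    """Commands that pin ip->mac on a host; arp -s exists in Linux net-tools
    and on Windows. trusted is {ip: mac} from a clean baseline."""
    return [f"arp -s {ip} {mac}" for ip, mac in sorted(trusted.items())]


if __name__ == "__main__":
    for ts, ip, old, new in mac_changes(SAMPLE_CAPTURE):
        print(f"{ts} {ip} changed from {old} to {new}")
    for cmd in static_arp_commands(baseline(SAMPLE_CAPTURE)):
        print(cmd)
```

On the sample, the request line and the repeat reply for the gateway are ignored, and the one reply that maps 192.168.1.1 to a different MAC is reported. Static entries only help on the hosts you install them on, so this is a starting point for the gateway and other fixed devices rather than a substitute for switch-side protections.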

TheOgre 77 Posting Whiz

You can't have two machines with the same name on the same network.

TheOgre 77 Posting Whiz

If you have tcp/22 (SSH) open to the Internet, edit /etc/ssh/sshd_config and add the following line, replacing user1 with your username:

AllowUsers user1

Save your changes, and restart sshd to effect the changes. This will only allow 'user1' to log in via SSH and sFTP - all others will be blocked, but keep in mind that this WILL NOT block any ATTEMPTS to brute force the service.

bruteforceblocker can also be used for this purpose - I use it on all of my production servers.

Of course, since I don't know much about your server or what service was compromised, I can't offer any specific suggestions or recommendations to follow. If you want to post more information, I'd be glad to offer some more suggestions.

Oh, and if the server was actually compromised, the standard best practices in this case would be to rebuild the box from scratch, as it can no longer be trusted. Even if you think it's safe, it's probably not...
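A check for both halves of that advice, as an added example that is not part of TheOgre's post: it parses an sshd_config to confirm AllowUsers (and related settings) restrict who can log in, and then counts failed logins and AllowUsers rejections per source address in the auth log, which is the condition a tool like bruteforceblocker acts on. The config excerpt and log lines are constructed; the log lines follow the message formats sshd itself writes ("Failed password for ... from <ip>" and "User <name> from <ip> not allowed because not listed in AllowUsers"), and the addresses are documentation ranges.

```python
"""Review an sshd_config for login restrictions and find brute-force sources
in the auth log.

Added example, not from the original post. The config and log content below
are constructed; the log lines use the message formats sshd writes.
"""
import re
from collections import Counter

SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config excerpt
Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowUsers user1
"""

SAMPLE_AUTH_LOG = """\
Dec  9 03:11:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Dec  9 03:11:05 web1 sshd[2203]: Failed password for root from 203.0.113.9 port 51240 ssh2
Dec  9 03:11:09 web1 sshd[2205]: Failed password for invalid user oracle from 203.0.113.9 port 51251 ssh2
Dec  9 03:11:12 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.9 port 51260 ssh2
Dec  9 03:11:15 web1 sshd[2209]: Failed password for invalid user guest from 203.0.113.9 port 51270 ssh2
Dec  9 03:11:20 web1 sshd[2211]: User admin from 203.0.113.9 not allowed because not listed in AllowUsers
Dec  9 03:12:40 web1 sshd[2215]: Failed password for user1 from 198.51.100.23 port 40022 ssh2
Dec  9 03:12:55 web1 sshd[2217]: Accepted publickey for user1 from 198.51.100.23 port 40030 ssh2
"""

# Matches both a failed password and an AllowUsers rejection; each is one attempt.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for (?:invalid user )?\S+|User \S+)"
    r" from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def sshd_settings(config_text):
    """Return {keyword_lower: value} for the active lines of an sshd_config."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.lower()] = value.strip()
    return settings


def allowed_users(config_text):
    """Users permitted by AllowUsers; an empty set means the directive is absent."""
    return set(sshd_settings(config_text).get("allowusers", "").split())


def config_findings(config_text):
    """Things to flag before leaving tcp/22 open to the Internet."""
    s = sshd_settings(config_text)
    findings = []
    if not allowed_users(config_text):
        findings.append("no AllowUsers line: every local account is a login target")
    if s.get("permitrootlogin", "").lower() == "yes":
        findings.append("PermitRootLogin yes: root can be attacked directly")
    if s.get("passwordauthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: AllowUsers does not stop password guessing")
    return findings


def failures_by_source(log_text):
    """Count failed logins and AllowUsers rejections per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def brute_force_sources(log_text, threshold=5):
    """Addresses at or above the failure threshold, worst first."""
    counts = failures_by_source(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for finding in config_findings(SAMPLE_SSHD_CONFIG):
        print("config:", finding)
    counts = failures_by_source(SAMPLE_AUTH_LOG)
    for ip in brute_force_sources(SAMPLE_AUTH_LOG):
        print("block candidate:", ip, counts[ip], "failures")
```

Note what the sample shows: the AllowUsers rejection for "admin" is still a logged attempt from 203.0.113.9, which is the point made above that the directive limits who can succeed, not who can try. The one failure from 198.51.100.23 followed by an accepted key login stays below the threshold, so a legitimate typo is not treated as an attack.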

TheOgre 77 Posting Whiz

Copy the full headers of the e-mail and forward them, along with the original message, to abuse@ whatever ISPs the message either originated from or passed through. You may have to do some digging (no pun intended :) to find out what the domain name is, since some MTAs only use IP addresses. nslookup is a good start.

Don't waste time or money buying any software for this, as you don't need to.

Secondly, there are no "legal issues" about reporting abuse. If someone is sending you abusive or threatening email messages, the first place to start with is their ISP's abuse department. Local, State and Federal authorities won't step in to do anything, either because they just don't know how, or something like this isn't important enough to spend their time on.

Trust me, you'll get farther by going to their ISP first. I doubt your uncle will be able to assist too much with this, unless he's a computer security expert with lots of contacts. Just being a "Fed" isn't enough.

TheOgre 77 Posting Whiz

Get some CEH Prep guides - those books are good for listing lots of tools.

You can also head over to insecure.org and view the list of tools they have there to see if there's anything else you might've missed.