Well basically those are the main objectives of an attacker/hacker/cracker (name it whatever you want, but not script kiddie). "Minimize signals" here doesn't exclusively mean that you lower your digital signals (that's probably a stupid thing to do); what I mean is how stealthy you are when launching your attack :D
Stealth? Well that's a subjective matter, right? For me, stealth is a measure of how many indications and warnings are generated by your actions when penetrating any network which I assume has appropriate defence mechanisms, i.e. firewall, IDS, IPS etc. Well, I have one example situation that can perhaps be a good point to think about/argue/debate/discuss.
Recently I've detected a few connections from one of my clients to one particular server which is not in this country.
Myclient:52330 ----> outside server:443
Myclient:52325 ----> outside server:443
Myclient:52328 ----> outside server:443
And one of those connections generates this alert from my IDS: ATTACK-RESPONSES id check returned root
with the payload: uid = 0 root.
It seems like the traffic is normal, but:
a) When I check the targeted server (just grabbing the HTTP header):
HTTP/1.1 200 OK
Date: Sun, 07 May 2006 15:44:55 GMT
Server: Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16
Last-Modified: Thu, 06 May 2004 17:59:15 GMT
ETag: "e460f-170e-409a7cf3"
Accept-Ranges: bytes
Content-Length: 5902
Connection: close
Content-Type: text/html
There's no SSL module installed/loaded or whatsoever. That means port 443 is not being used for an SSL connection. Hmm, perhaps it's used for some other app? I wonder..
For comparison, this is the header for a site that has SSL enabled/installed/loaded:
HTTP/1.1 302 Found
Date: Wed, 17 May 2006 21:02:59 GMT
Server: Apache/1.3.34 (Unix) mod_python/2.7.11 Python/2.3.4 mod_ssl/2.8.25 OpenSSL/0.9.8a PHP/4.4.2 mod_perl/1.29 FrontPage/5.0.2.2510
X-Powered-By: PHP/4.4.2
location: forum.php
Content-Type: text/html
Then if it is SSL (even though that's not possible based on the info gathered), why the hell is the payload in plain text? SSL stands for Secure Sockets Layer and is supposed to be encrypted, right?
Most of my SAs argue that it's a false positive and normal traffic. One of them even thinks that the user at my client is accessing his/her MySQL(?!) database with uid root. Well, that's out of the question. A false positive because of the port, and the traffic is legitimate. Is it? So what do you guys think?
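As an added example (not from the original post), here is a small Python triage script that applies the two checks discussed above to flow records: whether a port-443 connection actually begins with a TLS record header, and whether the plaintext contains the uid=0(root) string that the Snort ATTACK-RESPONSES rule keys on. The flow-record layout and the sample payloads are constructed, not captured from the real traffic.

```python
import re

# Constructed after the Snort "ATTACK-RESPONSES id check returned root" rule,
# which looks for the output of `id` run as root inside a server response.
ID_ROOT_RE = re.compile(rb"uid=0\(root\)")

def looks_like_tls(payload: bytes) -> bool:
    """True if the first bytes form a TLS record header: content type 0x16
    (handshake), major version 0x03, minor version 0x00-0x04 (SSL 3.0 to TLS 1.3)."""
    return (len(payload) >= 3 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04)

def classify_flow(flow: dict) -> list:
    """Return findings for one flow record (hypothetical dict layout:
    src, sport, dst, dport, payload = first bytes seen on the wire)."""
    findings = []
    if flow["dport"] == 443 and not looks_like_tls(flow["payload"]):
        findings.append("plaintext-on-443")
    if ID_ROOT_RE.search(flow["payload"]):
        findings.append("id-check-returned-root")
    return findings

def scan(flows: list) -> dict:
    """Map (src, sport, dst, dport) to findings, keeping only flagged flows."""
    report = {}
    for f in flows:
        hits = classify_flow(f)
        if hits:
            report[(f["src"], f["sport"], f["dst"], f["dport"])] = hits
    return report

# Constructed sample flows modelled on the three connections in the post.
SAMPLE_FLOWS = [
    # plaintext `id` output on 443: the kind of thing the IDS alerted on
    {"src": "myclient", "sport": 52330, "dst": "outside-server", "dport": 443,
     "payload": b"uid=0(root) gid=0(root) groups=0(root)\n"},
    # a genuine TLS ClientHello record header: nothing to flag
    {"src": "myclient", "sport": 52325, "dst": "outside-server", "dport": 443,
     "payload": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03"},
    # plain HTTP on 443: no root string, but still not SSL
    {"src": "myclient", "sport": 52328, "dst": "outside-server", "dport": 443,
     "payload": b"GET / HTTP/1.1\r\nHost: outside-server\r\n\r\n"},
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_FLOWS).items():
        print("%s:%d -> %s:%d  %s" % (key + (", ".join(hits),)))
```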
Comments
Any application can be bound to any port, so there is no such thing as 443 = SSL+BLABLA. Just do the test using Apache or use pundek.rb :P hahahha
{noob}
Interesting post Mr ayoi....this adds more to our knowledge