[Talk] break-in... anyone read chink?

Terry Richards talk@flux.org
Thu, 01 Nov 2007 23:02:46 -0400


flux.simicich@spamgourmet.com wrote:

>The address you are connecting from is no secret - it can be
>substituted back into a response by cgi, php and, I have to assume,
>most servlets or other active pages.
>
>Your problem report was not very good - this answer contains a lot of
>conjecture which I could have skipped had the problem report been more
>complete.
>
>Stupid question:
>Do you have proxying turned on in your web server?
>If so, why?
>Is it open to the outside world for connections back to that world, or closed?
>  
>

Not that I know about.

>Might be nice to know which log this came from. If it is error, then
>it might be someone probing for an open proxy. You over-censored and
>there is no way to tell. If you are running an open proxy that does
>not stop people from connecting to ports other than the common http and
>https ports, it might be someone using your proxy to scan.  Not knowing
>the complete log line and the type of log keeps us guessing.
>  
>
It is the access log.

>If it was a successful logged connection that seemed to come from
>inside your firewall, well, most systems are not nearly as vulnerable
>to sequence number guessing (the way that people used to hack into IP
>filtered TCP ports, or fake origins) - conversely, many (especially
>home) firewalls do not send an RST when they get a fragment of an
>unknown (untranslated) TCP connection, and thus allow themselves to be
>used as a foil in what is arguably going to be a much, much longer
>search. (You should always send ICMP responses when you can't route a
>packet or RST packets when unknown TCP packets come in - while they do
>give away a small amount of information, the value of letting an
>attacked machine know that you are not the one attacking it exceeds
>the value of the information in a well designed network, or even, in
>many cases, in a poorly designed network.) What this means is that the
>IP address of origin is a lot more trustworthy than it used to be, but
>there is a very (vanishingly?) small possibility it was faked. Unless
>the attacker has a lot of time.
>  
>
I was in Mexico for a month. The server came down the day I left and I've
been getting flaky behavior since I've been back: click a link and it goes
to a completely different site, an email dated before the epoch, 1969
something.

>As to why there is an unreadable (to me) Chinese phrase in the last
>part of what I first thought was a log entry but which now seems to be
>a web page, I presume it is part of the server variables on the web
>page.
>  
>

The lines I gave were the lines I got when I went to the requesting page
logged in my accesses to my web server. Those were lines from a page in
China with my IP as the remote host.

>
>
>
>
>There are other pages out there that seem to produce what you reported
>in your log, which seems to be a PHP variable dump.  Some of them put
>my IP address on the page, unless I access them through the google
>cache.  I googled for "HTTP_PRAGMA: super gateway" to find them.
>
>The URL you referred me to is a live page that seems to dump that
>exact page except with my address.  You said, "I got this in my logs."
> What did you get - just the page in question which you then accessed
>and pasted?  In that case it is just putting the IP address in of
>whoever connects to it. Or was this just a successful connection to a
>URL from somewhere inside your firewall?
>
>Please explain why you would claim to be quoting your logs and not
>give us the complete line from your logs, tell us which log, and
>explain that the tail of your report was a web page and not from your
>logs, if that is in fact the case?
>  
>
218.10.111.119 - - [01/Nov/2007:01:57:44 -0500] "GET http://218.10.111.119/lbc.php HTTP/1.1" 404 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
218.10.111.119 - - [01/Nov/2007:02:29:48 -0500] "GET http://218.10.111.119/lbc.php HTTP/1.1" 404 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

/|\
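The point the quoted reply makes can be checked mechanically: an access-log request line that carries a full URL ("GET http://host/path") rather than a path ("GET /path") is a client that believes the server is a forward proxy, and a 404 on such a line means the server refused rather than relayed it. The two lines above also show the classic shape of an open-proxy probe: the destination host is the requesting IP itself, so a relaying server would call the prober back on its own machine. The script below is an added example, not code from the original post or from anyone in the thread. It parses Apache combined-format lines, flags proxy-shaped requests, and marks which ones were answered as a proxy would (2xx/3xx). It goes a little beyond the thread by also catching CONNECT tunnel requests, which is how a proxy gets used to reach ports other than 80 and 443 (the scanning case the reply mentions). The first two sample lines are the ones from the post; the remaining lines, and every address and hostname in them, are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Apache "combined" log format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# A request-target with a URI scheme ("http://...") is aimed at a proxy, not at us.
SCHEME_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://')


@dataclass
class ProbeFinding:
    client: str
    time: str
    method: str
    target: str
    status: int
    dest_host: Optional[str]
    dest_port: Optional[int]
    self_referential: bool  # destination host is the requesting IP: the prober
                            # is waiting for a callback on its own machine
    relayed: bool           # 2xx/3xx: answered the way a proxy would, so the
                            # request was probably forwarded; worth investigating


def parse_line(line: str) -> Optional[dict]:
    """Split one combined-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(line: str) -> Optional[ProbeFinding]:
    """Return a finding if the request is proxy-shaped, else None.

    A request meant for the origin server carries an absolute path ("/lbc.php").
    Only a client that thinks it is talking to a forward proxy sends a full URL
    ("http://host/path") or a "CONNECT host:port" tunnel request.
    """
    rec = parse_line(line)
    if rec is None:
        return None
    method, target = rec["method"], rec["target"]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        dest_host = host or None
        dest_port = int(port) if port.isdigit() else None
    elif SCHEME_RE.match(target):
        parts = urlsplit(target)
        dest_host = parts.hostname
        dest_port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    else:
        return None  # ordinary origin-server request, not a probe
    return ProbeFinding(
        client=rec["client"], time=rec["time"], method=method, target=target,
        status=rec["status"], dest_host=dest_host, dest_port=dest_port,
        self_referential=(dest_host == rec["client"]),
        relayed=(200 <= rec["status"] < 400),
    )


def scan(lines: List[str]) -> List[ProbeFinding]:
    """Run classify() over a log and keep only the proxy-shaped requests."""
    return [f for f in map(classify, lines) if f is not None]


# The first two lines are the ones quoted in the post above. The rest are
# constructed for this example (RFC 5737 documentation addresses, example.com).
SAMPLE_LOG = [
    '218.10.111.119 - - [01/Nov/2007:01:57:44 -0500] "GET http://218.10.111.119/lbc.php HTTP/1.1" 404 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '218.10.111.119 - - [01/Nov/2007:02:29:48 -0500] "GET http://218.10.111.119/lbc.php HTTP/1.1" 404 269 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.7 - - [01/Nov/2007:03:15:30 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Nov/2007:03:20:11 -0500] "CONNECT 203.0.113.5:25 HTTP/1.0" 405 311 "-" "-"',
    '203.0.113.9 - - [01/Nov/2007:03:22:40 -0500] "GET http://www.example.com/ HTTP/1.1" 200 1234 "-" "curl/7.16.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        verdict = "RELAYED - check ProxyRequests/mod_proxy config" if f.relayed else "refused"
        flag = " (callback to prober's own host)" if f.self_referential else ""
        print(f"{f.time} {f.client} {f.method} {f.target} -> {f.status} {verdict}{flag}")
```

Run against a real access log with `scan(open("access_log").readlines())`. The two lines from the post come out as refused, self-referential probes, which is the harmless case; a line marked RELAYED means the server actually forwarded a request and the proxy configuration needs looking at.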