Saturday, April 19, 2014
Author

Kaspersky... tsk, tsk.

jghgjb790
Member


Posts: 24
Location:
Joined: 20.06.10
Rank:
Newbie
Posted on 06-08-10 22:36
So apparently Kaspersky makes FTP requests straight from our machines. After some sniffing, I discovered an FTP address (38.117.98.202). I tried connecting with a random password, and was told to use my email address. So I used a random string with an @ symbol in it, and oh, look, I'm in. I have NO idea what this is (I can't find the public pages) or what it is for, but I'm pretty sure I can download programs straight from there. Anyway, have a look around it, post if you find anything interesting, or you know what it is used for :)

Edited by jghgjb790 on 06-08-10 22:44
http://todaystopsite.site90.net
Author

RE: Kaspersky... tsk, tsk.


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-08-10 00:49
My guess is that this is the Kaspersky updater at work. Doing a dig of "dnl-13.geo.kaspersky.com" I get a response of the IP you listed. Additionally, looking on their forums shows a user asking about the update process and specifically mentioning this IP address[1]. I've seen other update services do similar things over FTP. Do you have a pcap of the traffic you can share?

[1]http://forum.kasp. . .72952.html


Author

RE: Kaspersky... tsk, tsk.

goluhaque
Member



Posts: 197
Location: India
Joined: 17.02.10
Rank:
Apprentice
Warn Level: 30
Posted on 07-08-10 05:50
jghgjb790 wrote:
So apparently Kaspersky makes FTP requests straight from our machines. After some sniffing, I discovered an FTP address (38.117.98.202). I tried connecting with a random password, and was told to use my email address. So I used a random string with an @ symbol in it, and oh, look, I'm in. I have NO idea what this is (I can't find the public pages) or what it is for, but I'm pretty sure I can download programs straight from there. Anyway, have a look around it, post if you find anything interesting, or you know what it is used for :)

Time to uninstall BitDefender.


That applause I receive from y'all on posting this post would have gotten me drunk on power if I hadn't already been high on life.
Author

RE: Kaspersky... tsk, tsk.

jghgjb790
Member


Posts: 24
Location:
Joined: 20.06.10
Rank:
Newbie
Posted on 07-08-10 07:41
only_samurai wrote:
My guess is that this is the Kaspersky updater at work. [...] Do you have a pcap of the traffic you can share?

No, I was using Cain and it won't let me save them (as far as I know) or even copy them to save them...
[edit] Here's the info:
Time-stamp: 04/08/2010 - 12:57:18 (useless info)
FTP server: 38.117.98.202 (Already mentioned)
Client: 192.168.*.* (removed for privacy)
Username: anonymous
Password: ioB6kCioBm15n7Bl4OzBANNy4wLjEuMzIx@ (Not an email, not typed by human... Hmmmm.... Might be encrypted. I'll look it up and dictionary attack it)



Does anyone know about FTP servers? Can user permissions be set? I know that they can be for viewing them online (chmodding them) but can you restrict uploading, downloading, or deleting a file?

Edited by jghgjb790 on 07-08-10 07:51
http://todaystopsite.site90.net
Author

RE: Kaspersky... tsk, tsk.


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-08-10 07:55
jghgjb790 wrote:
No, I was using Cain and it won't let me save them (as far as I know) or even copy them to save them...

Does anyone know about FTP servers? Can user permissions be set? I know that they can be for viewing them online (chmodding them) but can you restrict uploading, downloading, or deleting a file?


Really depends on the FTP daemon, some do it differently.... I know that pure-ftpd has a specified client side app to deal with all of that (pure-pw) others you might have to set up the folders and the permissions by yourself. Have you nmap'ed -sV 'ed that bitch?... post the results... That should give the software/version of what ftp daemon it's running... Then you can have an idea of what you're up against.

edit: spellcheck!!!




Edited by on 07-08-10 07:59
Author

RE: Kaspersky... tsk, tsk.

stealth-
Member



Posts: 1003
Location: Eh?
Joined: 10.04.09
Rank:
Mad User
Posted on 07-08-10 09:17
I think samurai hit this one right on the spot. If you look around it's just a bunch of patches and some other stuff. Most of the other stuff is already available over HTTP, too. There definitely are a lot of files there, and it looks like fun to sort through a bit, but I seriously doubt anything too interesting will be there.

As for security, they of course weren't actually stupid enough to leave anything open. It's all read-only for anonymous users. Nmap doesn't recognize the FTP service version, so maybe it's something custom.

Anyways, I just took a quick look at it, maybe I'll check it out a bit more in the morning.
Oh, lol, and for sniffing, use Wireshark for god's sake. ;)


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealt. . .

Edited by stealth- on 07-08-10 09:18
http://www.stealth-x.com
Author

RE: Kaspersky... tsk, tsk.

GTADarkDude
Member



Posts: 142
Location: The Netherlands
Joined: 23.02.08
Rank:
Newbie
Posted on 07-08-10 20:04
I bet it shows the same content as ftp://ftp.kaspersky.com/

Open FTP server for downloading updates and patches and stuff. Nothing interesting. Or at least I haven't found anything worth mentioning.


...

Edited by GTADarkDude on 07-08-10 20:07
- - -
Author

RE: Kaspersky... tsk, tsk.


Member


Posts:
Location:
Joined: 01.01.70
Rank:
Guest
Posted on 07-08-10 20:23
GTADarkDude wrote:
I bet it shows the same content as ftp://ftp.kaspersky.com/

Open FTP server for downloading updates and patches and stuff. Nothing interesting. Or at least I haven't found anything worth mentioning.


I'd bet too... If you do a lookup of that domain, you get the following:
Code

;; ANSWER SECTION:
ftp.kaspersky.com.      3546    IN      CNAME   ftp.kaspersky-labs.com.
ftp.kaspersky-labs.com. 846     IN      CNAME   dnl-geo.kaspersky-labs.com.
dnl-geo.kaspersky-labs.com. 3546 IN     CNAME   prd.geo.kaspersky.com.
prd.geo.kaspersky.com.  6       IN      A       38.117.98.196
prd.geo.kaspersky.com.  6       IN      A       38.117.98.199
prd.geo.kaspersky.com.  6       IN      A       38.117.98.202





ftp.kaspersky.com actually points to the address in question, as well as a few others.
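
The check made in this reply, as an added example that is not part of the original post: parse the dig answer section quoted above, follow the CNAME chain, and confirm that an IP seen in a capture is one of the A records the vendor hostname ends at. The function names are the example's own, and it reads only the pasted text rather than querying DNS.

```python
# Answer section as posted in the thread (the only input; no live DNS query).
DIG_ANSWER = """\
ftp.kaspersky.com.      3546    IN      CNAME   ftp.kaspersky-labs.com.
ftp.kaspersky-labs.com. 846     IN      CNAME   dnl-geo.kaspersky-labs.com.
dnl-geo.kaspersky-labs.com. 3546 IN     CNAME   prd.geo.kaspersky.com.
prd.geo.kaspersky.com.  6       IN      A       38.117.98.196
prd.geo.kaspersky.com.  6       IN      A       38.117.98.199
prd.geo.kaspersky.com.  6       IN      A       38.117.98.202
"""


def parse_answer(text):
    """Return (cnames, addrs): owner -> CNAME target, owner -> set of A records."""
    cnames, addrs = {}, {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN":
            continue  # blank line, ';;' comment, or not "name ttl IN type rdata"
        owner, rtype, rdata = fields[0].lower().rstrip("."), fields[3], fields[4]
        if rtype == "CNAME":
            cnames[owner] = rdata.lower().rstrip(".")
        elif rtype == "A":
            addrs.setdefault(owner, set()).add(rdata)
    return cnames, addrs


def resolve_chain(name, cnames, addrs, max_hops=8):
    """Follow CNAMEs starting at name; return (chain, A records of the last name)."""
    chain = [name.lower().rstrip(".")]
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        if nxt in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or chain too long: %s" % chain)
        chain.append(nxt)
    return chain, addrs.get(chain[-1], set())


def ip_served_by(name, ip, text=DIG_ANSWER):
    """True if ip is among the A records that name finally resolves to."""
    cnames, addrs = parse_answer(text)
    _, final = resolve_chain(name, cnames, addrs)
    return ip in final


if __name__ == "__main__":
    chain, ips = resolve_chain("ftp.kaspersky.com", *parse_answer(DIG_ANSWER))
    print(" -> ".join(chain), sorted(ips))
    print(ip_served_by("ftp.kaspersky.com", "38.117.98.202"))
```
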


Author

RE: Kaspersky... tsk, tsk.

jghgjb790
Member


Posts: 24
Location:
Joined: 20.06.10
Rank:
Newbie
Posted on 08-08-10 21:10
Okay, thanks for looking at it. I haven't had very much time in the past few days due to work... Side note, there are 2 hotels next to where I work, both with unsecured wifi! I'm thinking of teaching them a lesson and routing the DNS requests (nothing serious, silly stuff. Yahoo to Google, Myspace to Facebook), but first I'm going to look into the legality of it.

The reason I was using Cain is because it automatically filters the packets (very nicely, too), whereas with Wireshark, it's manual (better in some cases). I'm going to find a tutorial on filtering with Wireshark.
http://todaystopsite.site90.net
Author

RE: Kaspersky... tsk, tsk.

stealth-
Member



Posts: 1003
Location: Eh?
Joined: 10.04.09
Rank:
Mad User
Posted on 09-08-10 03:11
MoshBat wrote:
jghgjb790 wrote:
legality of it.

No.


Gaining unauthorized access to a private network for the sole purpose of disrupting services a business relies on?
Why on earth wouldn't that be legal?


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealt. . .
http://www.stealth-x.com
Author

RE: Kaspersky... tsk, tsk.

jghgjb790
Member


Posts: 24
Location:
Joined: 20.06.10
Rank:
Newbie
Posted on 09-08-10 21:11

Gaining unauthorized access to a private network

They display a sign that says "Free Wifi", have no password on it, and broadcast well outside of their property. So it isn't exactly private. But the HBH members are usually right, so I'm not going to do anything. But still, having password free wifi advertised in a target rich environment like that... Probably not the smartest thing ever done. They could have at least put a simple password on it, and handed out the password to customers.

Side note, I've switched to wireshark, finally.



Please note that I have no idea what I'm talking about in the above post. Please do not make any assumptions that I have a clue what anything that I just wrote means. Thank you.
http://todaystopsite.site90.net
Author

RE: Kaspersky... tsk, tsk.

stealth-
Member



Posts: 1003
Location: Eh?
Joined: 10.04.09
Rank:
Mad User
Posted on 09-08-10 23:06
jghgjb790 wrote:

Gaining unauthorized access to a private network

They display a sign that says "Free Wifi", have no password on it, and broadcast well outside of their property. So it isn't exactly private. But the HBH members are usually right, so I'm not going to do anything. But still, having password free wifi advertised in a target rich environment like that... Probably not the smartest thing ever done. They could have at least put a simple password on it, and handed out the password to customers.

Side note, I've switched to wireshark, finally.


Hotel wifi is sort of a bad situation right from the startup. A bunch of people you don't know very well all hanging around on the same network? Not the best idea. In my opinion, the ideal situation would be one where the clients have all been firewalled from each other and every one of them is smart enough to tunnel home, but we all know that's never going to happen.

Also, I sent you a PM about the legality of that.


The irony of man's condition is that the deepest need is to be free of the anxiety of death and annihilation; but it is life itself which awakens it, and so we must shrink from being fully alive.
http://www.stealt. . .
http://www.stealth-x.com