Someone set me up the bomb. - Chaz Meyers
Someone set me up the bomb. [Nov. 10th, 2005|02:34 am]
Chaz Meyers
[Current Mood | tired]

My Gibson has been hacked. :(

Like, literally. As in, connected in as the Administrator user I forgot to delete 3 years ago, changed the password, and removed my usual account from the Administrator group.

Talk about lame. Luckily, I got my tuition refund check a few days ago, so I could afford a new hard drive to boot from without wiping out my data. Even more luckily, Chris was over in Media, so I was able to get a copy of Windows XP from him.

For some odd reason, I can't convince the computer to boot when both the new hard drive and one of the old hard drives are both hooked up. Hopefully it's something stupid I can fix over the weekend. Getting access to my data would be mighty fine.

I'm thinking of making some changes to my network. Previously, my Linksys router blocked all ports except http, ssh, vnc, and a few others. The rest were forwarded to the Windows machine. Now I'm thinking of only opening ssh and having that go to a FreeBSD or Debian machine. Then, if I need to connect to a service on the Windows machine while I'm out, I can forward the traffic over ssh by way of the *nix machine. That'll work, right? I've never daisy-chained port forwarding over ssh like that, but I'm pretty sure I read somewhere about a year ago that this sort of thing is supported.

Why add the new machine into the mix? I don't trust Cygwin's sshd for some irrational reason I cannot explain.

Comments:
[User Picture]From: duckssaymip
2005-11-10 01:09 pm (UTC)
Any way to figure out who this joker is so we can take him down?
(Reply) (Thread)
[User Picture]From: instantdharma
2005-11-10 01:12 pm (UTC)
I told Chaz to file a police report. They'd have computer forensics tap the HD and find his IP addy.
(Reply) (Parent) (Thread)
[User Picture]From: finnell1912
2005-11-10 02:01 pm (UTC)
/Strong Mad

It's-not-csiiiiiiiiiiiiii!

/end Strong Mad
(Reply) (Parent) (Thread)
[User Picture]From: instantdharma
2005-11-10 03:58 pm (UTC)
Yes it is. My life is not CSI, but Law and Order.
(Reply) (Parent) (Thread)
[User Picture]From: njcowgurl
2005-11-10 03:02 pm (UTC)
Most likely that wouldn't happen, the police only use such resources for big dangerous crimes. If he filed a police report I'm thinking the police would do absolutely nothing.
(Reply) (Parent) (Thread)
[User Picture]From: ewindisch
2005-11-10 03:15 pm (UTC)
They might just take his hard drive and find a software debugger.. that could be dangerous.

Seriously though, the cops might actually search the machine for something incriminating. They certainly wouldn't search for the script kiddy who snagged his admin password, Chaz hasn't contributed enough to the police fund for that to happen.
(Reply) (Parent) (Thread)
[User Picture]From: cpm
2005-11-10 03:33 pm (UTC)
I agree with Dana, Finnell, and Eric on this.
(Reply) (Parent) (Thread)
[User Picture]From: cpm
2005-11-10 03:32 pm (UTC)
"Cyber-crime" is a particularly annoying crime to investigate. From what I understand, the police don't even touch those cases unless it involves billions of lost revenue (like when Yahoo got DoS'd), dead bodies, or drugs.

(Reply) (Parent) (Thread)
[User Picture]From: instantdharma
2005-11-10 04:01 pm (UTC)
That blows my mind. The cops literally chased down a pack of gang banging kids that stole Beth's $150 cell phone, but they won't do investigations into a computer's HD? Please.
(Reply) (Parent) (Thread)
[User Picture]From: cpm
2005-11-10 05:03 pm (UTC)
Most of the evidence isn't in my hard drive. Most of the court-admissible evidence is in Comcast's logs and the logs of the attacking computer's ISP.

This gets tricky because the original attacker usually isn't connecting directly from their computer. Generally, they took over another computer and are piggybacking on it to attack someone else. So, then you have to get their ISP involved. Additionally, the perceived attacking computer could be another compromised computer. With each new compromised computer, you have to get yet another court order to get a potentially overwhelming amount of collected data from the ISP, and hope both that they held onto enough information to be useful for the investigation and that you can find that information.

Let's not forget that generally at least one of the computers involved are in another country. So, then you need to convince other nations to work with us. Better hope it's not Cuba! Even friendly nations are a bit wary of our privacy laws in the new Bush Patriot Act era.

In contrast, cell phones are easy to trace. Most modern ones even have GPS included. The ones that don't can still be guesstimated if the phone is near enough towers.

It's really not cost effective for the police to investigate cyber-crime unless the stakes are very high.
(Reply) (Parent) (Thread)
[User Picture]From: duckssaymip
2005-11-10 07:26 pm (UTC)
I wasn't talking about the po-po, man. I was asking if there was some way you could personally track this dude down so we could go take care of business Philly-style.

No, I'm not talking about giving him a cheesesteak and a beer... I'm talking about the ol' 700-level method of brutality against cyber-bastards. Mip, indeed.
(Reply) (Parent) (Thread)
[User Picture]From: cpm
2005-11-10 07:54 pm (UTC)
Not really possible.

We might be able to figure out his IP address if I could boot off of the hard drives and get into an admin account.

Once we have his IP address, we can figure out his ISP.

Sadly, the buck stops there. Without their cooperation, we cannot find out who is connected to that computer, or if perhaps that computer was a victim acting on behalf of someone else. ISPs tend not to reveal that sort of information unless it is subpoenaed. We can't subpoena information. See my reply to Amanda for more details.

(Reply) (Parent) (Thread)
[User Picture]From: ewindisch
2005-11-10 03:02 pm (UTC)
OpenSSH under Cygwin and under Linux or FreeBSD should be just as secure under one environment as another.

However, I do see other advantages to creating the mapping to another machine, rather than the Windows machine.
1. Additional layers of security (users would need to break into multiple machines)
2. Wider range of tools available on the shell. Cygwin doesn't ship with the number of utilities available for Debian or FreeBSD.
3. Faster access to the non-SSH services on the Windows machine (offload SSH & data compression to the frontend machine)

I have my machines at home behind a Linux server with SSH listening on ports 22 and 443 (traverses most "super-tight" firewalls). I then use the following script for remote desktop access to my Windows server from work.

#!/bin/bash
# Usage: $0 [remote-host] [tunneled-host] [rdesktop-options]
# Both hosts are required; everything after them is passed on to rdesktop.
if [ -z "$1" ] || [ -z "$2" ]; then
    [ -z "$1" ] && echo "Remote host unspecified."
    [ -z "$2" ] && echo "Tunneled host unspecified."
    echo "$0 [remote-host] [tunneled-host] [rdesktop-options]"
    exit 1
fi

# -C compresses, -f backgrounds ssh once the forward is up, and the remote
# 'sleep 5' keeps the tunnel open long enough for rdesktop to connect through it.
ssh -CfL 3389:"$2":3389 "$1" sleep 5; rdesktop "${@:3}" localhost

You could easily modify that for use with Windows (and cygwin) by creating a shell script like the following... You might then want to create Windows shortcuts to it with the hosts and additional options you might want (width and height of window, fullscreen, color depth, etc). You can also specify a .rdp file.

#!/bin/bash
# Usage: $0 [remote-host] [tunneled-host] [mstsc-options]
if [ -z "$1" ] || [ -z "$2" ]; then
    [ -z "$1" ] && echo "Remote host unspecified."
    [ -z "$2" ] && echo "Tunneled host unspecified."
    echo "$0 [remote-host] [tunneled-host] [mstsc-options]"
    exit 1
fi

# Pick a random local port between 9000 and 9999 for the tunnel endpoint.
getport() {
    wheel="0123456789"
    printf "9"                  # port starts with a 9 (echo would insert a newline here)
    length=3                    # plus 3 random digits (from 9000 to 9999)
    # Take a spin
    i=0
    while [ "$i" -lt "$length" ]; do
        printf "%s" "${wheel:$((RANDOM % ${#wheel})):1}"
        i=$((i+1))
    done
}

port=$(getport)
# Forward the chosen port, then point mstsc at that same port
# (without :$port, mstsc would connect to the default 3389 instead of the tunnel).
ssh -CfL "$port:$2:3389" "$1" sleep 5; mstsc "${@:3}" /v:localhost:"$port"
(Reply) (Thread)
[User Picture]From: ewindisch
2005-11-10 03:10 pm (UTC)
I also have a WSH (Windows Shell Host) version of this, which I've actually tested, using VBscript and PuTTY's Plink. It is self-contained, thus more portable... but if you already have Cygwin...

Both solutions also require a Hotfix for Microsoft Windows XP. The Mstsc program doesn't like making loopback connections by default. Alternatively, you can use a Java based client: http://properjavardp.sourceforge.net/

There are also some programs out there which do all of this smoothly and transparently, but they're not free....
(Reply) (Parent) (Thread)
[User Picture]From: cpm
2005-11-10 04:17 pm (UTC)
You're probably correct about Cygwin ssh vs Linux and FreeBSD ssh. I did say my mistrust was irrational, right? :)

I do agree with the alternative reasons you provided, though.

I'll probably end up setting up the port forwarding in PuTTY. This is mere laziness. I already have PuTTY installed on most computers I use regularly and already have port forwarding configured so VNC traffic goes to a local port. Making the appropriate changes should be as easy as switching a few switches. I don't know if there will be speed problems by sending all the traffic over one SSH connection. But, on the other hand, I won't need to type in my password once for each program. :)

Using WSH with Plink is a nice idea, though. If going the GUI route ends up being more trouble than it's worth, I'll definitely take a look at this alternative.
(Reply) (Parent) (Thread)
[User Picture]From: ewindisch
2005-11-10 06:18 pm (UTC)
If you enable compression in your SSH software (PuTTY), I've found VNC through SSH is considerably faster. I've even seen improvements on a 100 Mbps LAN. For this, you might actually want to turn down VNC's own compression, and rely on SSH to do the compression for you.

However, on that same token, I've found that Windows' remote desktop is considerably faster and more reliable than VNC in general. VNC has the advantage that it doesn't lock the display when a remote user connects, and it provides a capacity for *2vnc programs. Unfortunately, it fails in every other regard -- and this is an admission from an OSS-loving hippy. Perhaps the vnc servers with "mirror" drivers are better? TightVNC has this feature, but I couldn't get it to work on Windows 2000 server. UltraVNC also has this feature, but I never tried it.

Regarding using PuTTY for the terminal... that will work fine, and for less commonly used tasks, I use a similar approach. If you do it often enough, it can make sense to create a one-click solution.

Regarding WSH+Plink vs Shell, the disadvantage of the shell is that it requires Cygwin under Windows, the advantage being that it can be refactored into a single script supporting Unix (Linux), Windows, and MacOS. I gave the shell example since it was more readily available to me.
(Reply) (Parent) (Thread)
[User Picture]From: cpm
2005-11-10 08:34 pm (UTC)
Yeah, I've been doing the ssh compression trick with VNC for a while. :)

I hadn't used remote desktop until earlier today, and I must agree that it is considerably faster than even ssh compressed vnc. I only used the free version of RealVNC, which I think just polls the screen and sends bitmap data over, so it's not surprising that something that just sends the API calls over the wire would be faster.

If you save all the port forwards in the putty session, shouldn't that be a one-click solution?
(Reply) (Parent) (Thread)
[User Picture]From: ewindisch
2005-11-10 09:13 pm (UTC)
> If you save all the port forwards in the putty session, shouldn't
> that be a one-click solution?

No, it isn't. You need to start PuTTY (click), minimize (click), start Vncviewer/RemoteDesktop (click). That is three clicks and you are stuck with a minimized PuTTY window which you need to make sure stays running.

I click and get automatically presented with a Windows login screen.
(Reply) (Parent) (Thread)