KCLUG October 2004

kclug@kclug.org

53 participants
175 discussions

HOWTO: install cheap RTL8180 wireless PCMCIA card in Linux
by Leo Mauler 02 Nov '04

02 Nov '04

Using ndiswrapper to make a RealTek 8180 wireless card work properly. Rather than bother with the proprietary drivers for Linux, use this one instead. Both URLs are the same link. http://tinyurl.com/657j5 http://www.linuxquestions.org/questions/showthread.php?postid=877345#post87… __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

7 12

re: ndiswrapper
by Jonathan Hutchins 02 Nov '04

02 Nov '04

As I understand it, there is the potential for 802.11g cards to disrupt, or at least use, frequencies that are used by the military. Manufactureres have, according to rumor, been pressured not to release information that would allow users to select these frequencies. Open Source software does not provide any means for manufacturers to do this, and aparantly locking down the available frequencies in the hardware is impractical. This is just rumor - I have seen no confirmation that there has been any pressure on the manufacturers, nor can I confirm that this potential is anythnig more than an excuse to stick to a propietary model. That said, http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Linux.Wireless.drivers… Lists two 802.11g device driver projects, the Prism54 driver at http://prism54.org/ and the Intell IPW2200 at http://ipw2200.sourceforge.net/. A little searching finds the prism-based Tekram TM-802G available from pcbay.com at $22.98 shipped. This article says that Intel is releasing Linux drivers for it's Centrino platform: http://news.zdnet.co.uk/software/linuxunix/0,39020390,39156340,00.htm Here's an article from someone who picked up a prism based Netgear WG511 for $35 a year ago - gotta be cheaper now: http://toys.lerdorf.com/archives/15-802.11g-Netgear-WG511-and-Linux.html So it's just a matter of putting in the effort to find one that works, even if you really want 11g speed for $25.

3 2

RE: Crackers and correlations
by Brian Densmore 01 Nov '04

01 Nov '04

I get this type of attack also. The latest one is different in both the length of time spent on it and the distinct characteristic of only attempting to gain root access. By all indications, this was a scripted attack. The port numbers used seemed to follow a general upward trend with a pseudo-random reset to a lower port. I'm sure there are multiple scripts for running brute force attacks of this kind. I expect the scripted attacks to grow ever more sophisticated over time, as there is definitely a professional bent to system cracking these days. I do have a question for y'all. Is there some non-crippling thing I can do to my system to detect an attack and : 1) send me an email (optionally), 2) log the conversation for xxx seconds, 3) automatically update the firewall to block the offending user/script. Keep in mind I'm running on an antique here: Pentium Pro 200 MHz @ 40MB RAM w/ ~8 GB of disk. P.S. - I have an email and phone call in to the good people at the USDA and will update you all on anything I may find out. Assuming they will ever admit that one of their PCs has been compromised. > -----Original Message----- > From: Dustin Decker . > > I've been seeing a lot of traffic that behaves in similar > fashion, across > sensors deployed on various ISP's for which the only common > link is being a > client of mine, and the attacks. I (and more importantly my > clients) stay > off the radar pretty well, so I am inclined to think this is > a scripted > process, executed after a root-kit is installed etc. to further the > conquest. > > If you watch the behavior, and the ascending port numbers, it > looks more and > more like I am correct. What I find interesting is the > sources change over > time, and then we see the script trying an even larger number > of user names. > > Another reference point - I see this a lot more on roadrunner > clients than > any others. Someone is ramping up for something, looking for launch > platforms is my guess. Anyone interested in seeing the > entire conversations > (rather than the logged info below) can drop me an e-mail and I will > obfuscate things and offer 'em up. Due to confidentiality > clauses in my > contracts, I will have to munge the IPs that I am protecting, > and make a > mess of the checksums etc. >

6 10

OT: Entry level Sprint job
by Paul Taylor 30 Oct '04

30 Oct '04

If anyone is interested in an entry level position at Sprint within Corporate Security. Starting pay is around $30,000 per year (more if you have experience, but 99.99% sure nobody will) and it's an hourly wage job so overtime may be available based on business needs. http://careers.sprint.com/joblist.html Job list 187197 The *Electronic Surveillance Analyst I* is responsible for implementing, troubleshooting and maintaining court-ordered electronic surveillance, call record delivery, handset location tracking and overall support to law enforcement. The Electronic Surveillance Analyst will also provide law enforcement assistance for surveillance system outages and in emergency situations involving Sprint communication services. Based on seniority, the Analyst will require either weekend, evening or overnight shift coverage to provide 24-hour support to law enforcement agencies.

1 0

pictures
by mike＠handuma.com 30 Oct '04

30 Oct '04

Pictures from itech and the hospital. http://www.handuma.com/itech/hospital.jpg http://www.handuma.com/itech/itech.jpg http://www.handuma.com/itech/itech1.jpg http://www.handuma.com/itech/itech2.jpg http://www.handuma.com/itech/itech3.jpg http://www.handuma.com/itech/itech4.jpg http://www.handuma.com/itech/itech5.jpg http://www.handuma.com/itech/itech6.jpg handuma http://www.handuma.com

6 8

Graphic for CD Labels from last year's ITEC
by Chris Bier 30 Oct '04

30 Oct '04

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Who had the nice graphic for CD Labels from last year's ITEC? Chris - -- I digitally sign my emails. If you see an attachment with .asc, then that means your email client doesn't support PGP digital signatures. http://www.gnupg.org/(en)/documentation/faqs.html#q1.1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFBeCfrE5xXU3JS1mQRAjKwAKDSt3/nNrLgl6/woar0ccrgRBu0sgCgxB2E wfXHTlAWeR/cPpiikDaVxSY= =+p5n -----END PGP SIGNATURE-----

10 29

Crack attempt
by Brian Densmore 29 Oct '04

29 Oct '04

FYI. This guy spent two hours Thursday, 3am-5am, trying to break into my server's root account. 168.68.129.127 Dig says: ; <<>> DiG 2.1 <<>> @dns1.menandmice.is 168.68.129.127 A ; (1 server found) ;; res options: init recurs defnam dnsrch ;; got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 10 ;; flags: qr rd ra; Ques: 1, Ans: 0, Auth: 1, Addit: 0 ;; QUESTIONS: ;; 168.68.129.127, type = A, class = IN ;; AUTHORITY RECORDS: . 300 SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. ( 2004102900 serial 1800 refresh (30 mins) 900 retry (15 mins) 604800 expire (7 days) 86400 ) minimum (1 day) ;; Total query time: 2 msec ;; FROM: us.mirror.menandmice.com to SERVER: default -- 0.0.0.0 ;; WHEN: Fri Oct 29 09:09:57 2004 ;; MSG SIZE sent: 32 rcvd: 107 *********************************************************8 ARIN says: OrgName: USDA Office of Operations OrgID: UOO-2 Address: Suite 133, Building A Address: 2150 Centre Ave City: Fort Collins StateProv: CO PostalCode: 80526 Country: US NetRange: 168.68.0.0 - 168.68.255.255 CIDR: 168.68.0.0/16 NetName: PPQ NetHandle: NET-168-68-0-0-1 Parent: NET-168-0-0-0-0 NetType: Direct Assignment NameServer: NS1.USDA.GOV NameServer: NS2.USDA.GOV NameServer: NS3.USDA.GOV Comment: RegDate: 1994-01-26 Updated: 2003-04-30 OrgAbuseHandle: ZU20-ARIN OrgAbuseName: USDA - Office of the ChiefInformation Officer OrgAbusePhone: +1-970-295-5277 OrgAbuseEmail: Network.Operations(a)usda.gov OrgNOCHandle: ZU20-ARIN OrgNOCName: USDA - Office of the ChiefInformation Officer OrgNOCPhone: +1-970-295-5277 OrgNOCEmail: Network.Operations(a)usda.gov OrgTechHandle: ZU20-ARIN OrgTechName: USDA - Office of the ChiefInformation Officer OrgTechPhone: +1-970-295-5277 OrgTechEmail: Network.Operations(a)usda.gov # ARIN WHOIS database, last updated 2004-10-28 19:10 # Enter ? for additional hints on searching ARIN's WHOIS database.

3 3

RE: Crack attempt
by Brian Densmore 29 Oct '04

29 Oct '04

> -----Original Message----- > From: Dustin Decker > > Immediately after I replied to your earlier post, I thought > to myself, "I > really aught to ask Brian what the traffic looked like." If > it's UDP, I'd > almost wholesale expect it is spoofed. Same applies to ICMP, > but if you're > looking at genuine TCP traffic, with an established > three-way-handshake, > it's a different story. (If you're working solely on the > basis of what you > find in syslog and the like, you might not be able to answer > the question > either. [Insert soapbox about logging all packets that > traverse the border > here.]) > Should definitely be TCP traffic. Attempts to log in via ssh from various ports. I don't think there's a port over 1024 on my system he/she left untouched. There may have been other ports/ services that were attempted, but they would have been dropped as part of the firewall rules. Not sure if I'm logging all the various ports/services such as ftp,etc. Don't want to open my server up to too easy of a DOS attack, so I basically ignore the impossible services.

1 0

RE: Crack attempt
by Brian Densmore 29 Oct '04

29 Oct '04

Interesting thing is this address is also a frequent visitor to West Virginia University. Possibly taking classes there? I've emailed the abuse department, have not heard back yet. <tinfoil hat> Could it be related to my complaint about beef inspection? Maybe they are confusing me with my cousin who is a cattle rustler? (just kidding all you secret policemen out there) Hey Doesn't Brian K. work for these people? ;') </tinfoil hat> It could also be a friend of mine playing a joke on me. He investigates cattle rustling and such stuff for the USDA people. Yeah, cattle rustling is big business in the US, it just doesn't make headlines much. I don't put much stock in this theory though. He's got better things to do at 3am. My bet is the ip is spoofed somehow, or one of the USDAs networks has been compromised. In any event, I'd recommend anyone who has a PC visible to the net to block this address. So far it's the only one in that block I've seen. I've got 24 entries in my blacklist. > -----Original Message----- > From: Jeremy Turner > > > On Fri, October 29, 2004 10:17 am, Brian Densmore said: > > OrgTechHandle: ZU20-ARIN > > OrgTechName: USDA - Office of the ChiefInformation Officer > > OrgTechPhone: +1-970-295-5277 > > OrgTechEmail: Network.Operations(a)usda.gov > > So they really are out to get you? =) > > That or some cracker is using zombie software to do the dirty work. > > Jeremy

2 1

RE: really cheap domain name sale
by Brian Kelsay 29 Oct '04

29 Oct '04

Whoops. You're right. It's .info. I guess the one I read before that one was .name. I was confoosed. To get the $1.00 deal, see the info below. Find your .INFO Domain Now! http://registrar.godaddy.com/default.asp?isc=gdf100781&tld=%2EINFO Prefer to order by phone? Call 1-480-505-8821 to order. Please be sure to mention offer code gdf100781 when calling. As an aside, you can opt-out of the promo mail/spam from them, but then you miss out on deals like this. Up to you. Brian Kelsay >>> "Gene Dascher" <gedascher(a)multiservice.com> 10/15/04 10:47AM >>> Hmmm, did you get an email about this? I just checked a few minutes ago and saw the special on the .biz domains, but not on the .name domains. They did have a $1.95 special on .info domains however.

3 3

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

KCLUG October 2004