Security Alert -- RDP Man in the Middle attacks

<< Regine Velasquez Concert Tickets up for grabs! | Home | 3rd Annual E-Commerce and Exhibit >>

Security Alert -- RDP Man in the Middle attacks

Tuesday, November 16, 2004 6:50 AM

Bitstop wishes to thank PI_flashbulb and his crew (www.phackers.org) for alerting us to a hacker post about security breaches in our network. We have done steps to protect ourselves, but much is still needed to determine the extent of the intrusion. We would like to warn other sys ads that hackers are now teaming up with TELCO insiders to launch attacks against networks. Therefore, sys ads at other networks must be made to be aware that intervening ISP/TELCO networks must be looked upon as being compromised.

Man in the middle attacks are launched by placing rogue servers in between the remote user, and the server in your network. For it to be successful, the hacker must have access or authority to reroute packets. Typically this is done by manipulating the DNS entries to fool the remote user to connect to the rogue server. By teaming up with, or colluding, or corrupting telco security insiders, the hackers are now able to launch these types of attacks. This presents a whole new and potentially bigger threat to the Philippine Internet Community.

We need to be aware and take more serious precautions.

Feedback

# re: Security Alert -- RDP Man in the Middle attacks

http://s3.invisionfree.com/fildevnet/index.php?s=e9fde55b17ab918170c7b66ebcacef71&showtopic=3&st=15

This kind of attack can be done without manipulating DNS entries. 11/16/2004 4:58 PM | anonymouse

# re: Security Alert -- RDP Man in the Middle attacks

look for tm1.no-ip.com :) 11/16/2004 8:03 PM | helper friend

# re: Security Alert -- RDP Man in the Middle attacks

h3h Crayden i buking kita sa boss mo! 11/16/2004 8:04 PM | helper friend

# re: Security Alert -- RDP Man in the Middle attacks

"We would like to warn other sys ads that hackers are now teaming up with TELCO insiders to launch attacks against networks. Therefore, sys ads at other networks must be made to be aware that intervening ISP/TELCO networks must be looked upon as being compromised."

Sir medyo matagal na tong ganitong senaryo... i still remember na isang sys ad ng isang medyo kilalang ISP ang member ng isang underground hacker.... and this group of hackes claimed na na hack daw nila yung ISP namigay pa sila ng free account.
11/18/2004 12:45 PM | Coologo

# re: Security Alert -- RDP Man in the Middle attacks

Where were you , sir when i needed your info ? :) Email me privately for more tidbits ha?
11/18/2004 3:01 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

http://tac.weblinq.com/main.htm

saw this when we hacked the server. This guy good.

31337-404 of India 11/18/2004 6:25 PM | 31337-404 of India

# re: Security Alert -- RDP Man in the Middle attacks

ISAW is a bunch of attention-hungry wannabe hackers without any credibility, intent on making a name for themselves by using and reporting the exploits of the pinoy hacker underground 11/18/2004 6:34 PM | jt

# re: Security Alert -- RDP Man in the Middle attacks

http://commentz.no-ip.com/ 11/18/2004 8:15 PM | wannabe

# re: Security Alert -- RDP Man in the Middle attacks

Yup, 404-india. No question about it. Rebarz99 is skilled. It looks like a lot hackers in the underground community look up to him, and he may be the leader/alpha male of the group. (But) Maybe he should pick his targets more carefully--some of them will fight back. Globe and Smart aren't about to let them walk scot-free after breaking into their major money earner.

Its only a matter of time now. Let us see how good the Telco sys ads are at finding rebarz...and his ENTIRE crew. As they say, he who laughs last, laughs the best. 11/19/2004 7:13 AM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

It seems to me that Crayden could have used his position inside the Telco to sniff a lot of passwords. If the Telco is a big one, it would also mean that they have sniffed a lot of unprotected traffic and have gotten quite a lot of admin passwords in the process.

To those that are reading this post: if you regularly do remote administration, ftp, telnet, smtp etc AND you are passing thru this TELCO, better change your passwords and shift to IPSEC, ssh, ssl or some other more secure means of communications.

11/19/2004 7:19 AM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

From Peter A of Cendio.se:

With some variants of the MITM, such as with DNS spoofing, the
TCP connection will originate from the man in the middle. In this case,
the IP should be visible in the Terminal Services Manager, for example.

It is possible to create a transparent MITM attack, though. In this case,
it's not possible to "see" the man in the middle.

If you have a DNS-based MITM attack, the man in the middle can be located
basically anywhere.
11/19/2004 7:39 AM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

I use to work as an IT consultant for an online banking service.
About a year ago during one of our regular audits we found an account
created out of midair with a username of "rebarz99" and an address of
"Your system is insecure". This information was never made public as requested
by the bank administration. My point is, there seems to be a lot of talented
local hackers out there. Can't we find a legitimate output for their skills?

11/19/2004 6:40 PM | concerned

# re: Security Alert -- RDP Man in the Middle attacks

Actually, there are a lot of local, talented security guys out there... (not just rebarz) =) As I've seen roaming around IRC channels. There are tons of sites that are being 'owned' than you would normally estimate.

As far as I know, this all stirred up when ISAW started. Before it was all 'hush hush'. But when it blew up to be a pissing contest between ISAW and the local underground community. Then the truth between compromised boxes floated up. 11/19/2004 9:58 PM | r00tkitty

# re: Security Alert -- RDP Man in the Middle attacks

yep tama si r00tkitty kung napapadaan kayo sa IRC way back 1999 - 2002 nagkalat ang mga site na nahahack, ISP Accounts, Credit Cards etc... Before kasi walang nagsasabi sa Admin na kayang mahack ang mga box nila, pero ng dumating ang ISAW medyo nag iba ang ihip ng hangin kasi nagbibigay sila ng warning (thru e-mail and/or phone calls) dun sa mga taong concern. Medyo hindi lang nagustuhan ng mga underground hacker because of some reason. 11/20/2004 8:40 AM | Coologo

# re: Security Alert -- RDP Man in the Middle attacks

Other underground hackers inform admins by putting html files saying that they need to secure their site. Why will you call the admin if you dont have intensions of getting fame? or why will you inform the media if your not media whore? Its better for the admins to find out themselves if their site were compromised for to learn from their mistakes... Will you be there for them for "life"? Or will you ask something in return? Diba Frederic "Coologo" Cabayao?" 11/20/2004 10:46 AM | Cooloping

# re: Security Alert -- RDP Man in the Middle attacks

Cooloping

Mali spelling ng name ko :) dapat Frederick....

"Why will you call the admin if you dont have intensions of getting fame?"

First, wala pa kong tinatawagang admin, I just informed them thru e-mail. Second, If I really want fame, ibibigay ko ang full name ko sa mga admin.

"why will you inform the media if your not media whore?"

I never informed any media.

"Will you be there for them for "life"? "

Of course not :) I still have my private life to enjoy... tumutulong lang ako sa abot ng makakaya ko.

"will you ask something in return?"

I never asked and will never ask something in return. 11/20/2004 11:44 AM | Coologo

# re: Security Alert -- RDP Man in the Middle attacks

sir, rebarz99 is a student of Informatics. We saw bitstop files in the computer he was using. 11/20/2004 2:17 PM | i need money

# re: Security Alert -- RDP Man in the Middle attacks

interesting... which Informatics branch? i'm currently in manila, how do we get in touch with you? 11/20/2004 2:37 PM | i have money

# re: Security Alert -- RDP Man in the Middle attacks

and you are..? 11/20/2004 3:09 PM | i need money

# re: Security Alert -- RDP Man in the Middle attacks

someone who's interested in nailing this guy ;) 11/20/2004 3:26 PM | i have money

# re: Security Alert -- RDP Man in the Middle attacks

what bitstop files???

yung isaw papogi rin besides their noble purpose of exposing hacked boxes. hindi yan maiiwasan yang pagpapapogi lalo na sa media. 11/20/2004 3:57 PM | paltog

# re: Security Alert -- RDP Man in the Middle attacks

at least may naitutulong sila kahit papano kesa naman manira lang ng system ng iba. tama din yung sinabi mo na hindi maiiwasan ang pagpapa-pogi sa media, fame comes with a price. 11/20/2004 4:01 PM | i have money

# re: Security Alert -- RDP Man in the Middle attacks

if you're good at hacking, you're gonna get a reputation even if you don't run to the media eveytime you see a vulnerable site. 11/20/2004 7:44 PM | my 2 centavos

# re: Security Alert -- RDP Man in the Middle attacks

its just annoying na madami paring REAL-LIFE-KIDDIES na hacker-kuno na nde makapag post, comment, criticize PROFESSIONALLY... and what's worst... mga feeling God mode na kala mo kung sinong 100%-I-Know-this-hacking-stuffs... geez... get a life... A REAL LIFE guys.. masyado nyong career yang hackhack ek ek eh...

when can be this world we live in be a one-sided wall where in everyone wants peace and cleanliness.. anyway, i wish them God Bless and Good luck, to those crew(s) who sounds more like 'detractors' to us, ISAW contributors... 11/20/2004 10:30 PM | codepoet

# re: Security Alert -- RDP Man in the Middle attacks

Based on your recent postings on the ISAW blog, you seem to have done exactly what you accuse these "kiddies" of doing. Not everybody talks yuppie. Kahit salitang kanto mga "kiddies" I have the utmost respect for SOME of them. Some of them will be the best system administrators in the country someday. It's not the way you speak or post messages it's what technical information you know and, in regards to hacking, what you can do. 11/21/2004 7:24 PM | uhm

# re: Security Alert -- RDP Man in the Middle attacks

Here is a good discussion from:

15 Minute Guide to SSH Security
johnny@ihackstuff.com

It details how Man in the Middle could be used to compromise account credentials.

http://johnny.ihackstuff.com/security/premium/15%20Minute%20SSH.pdf but you need to register first to get this document. 11/22/2004 10:24 AM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

wow ang galing mo talaga wilson CEH chua.

palagi nalang kayong nagaaway.

isaw, sus, grow up.

if you all want to collaborate you need to contact the right people.

11/22/2004 11:26 AM | kumag lord

# re: Security Alert -- RDP Man in the Middle attacks

so who's the right people? 11/22/2004 2:05 PM | mcskuss maharishi

# re: Security Alert -- RDP Man in the Middle attacks

it's up to the admin's kung sino yung rigth people. 11/22/2004 3:00 PM | Coologo

# re: Security Alert -- RDP Man in the Middle attacks

=)

*gee... no comment... LOLZ* 11/22/2004 3:19 PM | r00tkitty

# re: Security Alert -- RDP Man in the Middle attacks

Dear I need money,

Can you email us at spg@bitstop.ph? 11/22/2004 4:46 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

Dear Sir (Kumag Lord),

While security credentials do help, it is sadly not enough. The vast field of security requires the security professional to be constantly studying. Alas, in some areas we can not keep fully abreast, as recent experiences have shown. What we do have is a willingness to keep on learning...

Being able to count on friends in the community is the biggest help we can count on. Making new friends is much better than creating enemies.

Who knows, one day, we may all be sitting somewhere sipping a cup of tea or beer (with my bro-in-law) and something better may come out of the crayden post in the near future. 11/22/2004 5:15 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

I'm currently doing research on the philippine cyber crime law. I need real life examples of this law being carried out. Can anyone recommend any good links or relate any personal experiences? Thanks in advance.. 11/22/2004 6:23 PM | estudyante blues

# re: Security Alert -- RDP Man in the Middle attacks

NBI cybercrime division, G-CSIRT, CIDG, DOJ, ISSSP.org.ph, www.phackers.org, IRC channels 11/22/2004 6:29 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

How's the witch hunt going? 11/22/2004 7:00 PM | Avelino

# re: Security Alert -- RDP Man in the Middle attacks

Dear Mr Avelino,

mums the word... :) 11/22/2004 9:17 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

Mr Chua,

my thoughts exactly.

K.L.

11/23/2004 12:43 PM | Kumag Lord

# re: Security Alert -- RDP Man in the Middle attacks

I will take the red pill. I want to know the truth.
Any online class for new wannabe? 11/24/2004 6:18 AM | mr anderson

# re: Security Alert -- RDP Man in the Middle attacks

Migs Paraz, is holding a vidcon today at 1 pm. You are welcomed to log in 11/24/2004 7:54 AM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

as Info tech all servers must be need a firewall with power of linux just to protect all your files in and out communications. if you have some questions just email me at caj042001@yahoo.com to make a simple advice to your network 11/24/2004 3:55 PM | caj

# re: Security Alert -- RDP Man in the Middle attacks

Why Linux? There's BSD! 11/24/2004 10:32 PM | jm

# re: Security Alert -- RDP Man in the Middle attacks

taenang attack attack na yan, ala na bang katapusang attack yan? hi kay wycoco! pag na kita! antay antay ka lng! babarilin kita! alam ko bahay nyu! hrhrhrh. 11/24/2004 10:34 PM | malaki_ETITS

# re: Security Alert -- RDP Man in the Middle attacks

Look ma, my first post! =)

I was trying to login to Migz's vidcon but work got in the way, tsk. Anyhow, I would like to share my own 2c's on this thread after reading caj's post above.

An enterprise's perimeter defense (be it anchored on a linux/open-source or otherwise f'wall) is only as good as the policies/rules with which it is rooted in. Many have this misconception that since their network has a firewall (single-, multi-tiered, or what have you), they are safe from hackers and/or malicious codes.

And don't get me started on threats from within (read: the mobile users and internal hackers); let's keep my first post short. =)

On ISAW's quixotic quest? Let's hope they don't hit the wrong windmill...
11/24/2004 10:56 PM | b-man

# S3.invisionfree.com Site

S3.invisionfree.com Site 11/25/2004 10:33 AM | Pingback/TrackBack

# re: Security Alert -- RDP Man in the Middle attacks

http://news.inq7.net/infotech/index.php?index=1&story_id=19049

Hackers specially the new ones, should be made to be fully aware of the consequences if/when they are caught. One of which is 150,000.00 penalty per hacking INCIDENT and a MANDATORY imprisonment of at least 6 months or more depending on the gravity of the crime!

Hacking is not a joke. For some of you, you may feel the noose tightening around you na. There is still a way out for you. Lets talk. You know how to contact us.

11/25/2004 11:03 AM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

The US houe of Representatives has just passed the Internet Spyware Prevention ACT to protect computer users from cirminals who aim to spy and steal information via the internet. Under the Legislation, anyone infecting a computer with spyware can be jailed for up to five years.--sophos newsletter 11/25/2004 11:07 AM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

Another interesting read on the topic of MITM:

http://www.microsoft.com/technet/technetmag/issues/2005/01/SessionHijacking/default.aspx 11/25/2004 4:05 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

to all Asianpride.. member
mga pre. oras na para ipakita uli na buhay ang groupo.. sa goverment nang pinas sana totoo kayo pag dating sa computerazation at dapat ninyo isipin din ang security prob.. lalo na in the internet problem.. sa amin kung anong attaack ang ginawa nang mga asianpride sana d ninyo masamain .. its a matter of security evaluation lang po yan para malaman ninyo na may mga security breaches problem kayo sa mga network server and etc.. d ninyo yan malalaman kung d yan subukan at i evaluate nang maayos. there a many attack type and techinique ... sa mga sys add namna sana wag ninyong pairalin ang pride .. its a matter of development of ur security skill and learning in crissis management and diasaster problem in your company hehehe.. pero..the points is to upgrade and secure. that all.. welcome back asianpride..

guardiandevilz...................................... 11/26/2004 10:51 AM | guardiandevilz..................

# re: Security Alert -- RDP Man in the Middle attacks

Dear Guardiandevilz,

Well said. We welcome all the help we can get. If you wish to do penetration/vulnerability test on our network, just email us in advance and please state the scope of the penetration test--time of tests, duration, ip block tested, and attack methods used. This will separate the white hats from the black hats.

Request lang namin that you also inform us of any holes that you can find...and dont leave any backdoors lying around after you have finished ha? :)

11/26/2004 1:32 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

"Hacking is not a joke. For some of you, you may feel the noose tightening around you na. There is still a way out for you. Lets talk. You know how to contact us. "

We agree, hacking is not a joke.

Catch us if you can. =) 11/26/2004 9:05 PM | phcore

# re: Security Alert -- RDP Man in the Middle attacks

http://www.skyinet.net/~bensan/core-2.txt 11/26/2004 9:12 PM | phcore

# re: Security Alert -- RDP Man in the Middle attacks

Now, why would the REAL hackers want to announce this pageto us? Maybe 'phcore', you're setting all of us (black ,grey and white hats) up for something else? 11/26/2004 9:29 PM | wilson

# re: Security Alert -- RDP Man in the Middle attacks

is this "war"? 11/27/2004 8:17 AM | mcskuss maharishi

# re: Security Alert -- RDP Man in the Middle attacks

perhaps war against incompetent people taking advantage of public funds particularly those manning or incompetently handling .gov.ph's! 11/27/2004 9:39 AM | P***** I**

# re: Security Alert -- RDP Man in the Middle attacks

"Now, why would the REAL hackers want to announce this pageto us? Maybe 'phcore', you're setting all of us (black ,grey and white hats) up for something else?"

No, we're not setting up anybody.

What we're saying is that you can't stop us.

You can't stop our passion to learn and push the boundaries which have been arbitrarily set up for us.

"Without Malice. Without Fear. Never for the Money. Never for the Fame. "

[ P H C O R E ]

Want to explore?

11/27/2004 1:41 PM | phcore

# re: Security Alert -- RDP Man in the Middle attacks

i was reading sa mga post i only realize na matalino talaga ang pinoy. dati akong liner and tuwang tuwa na ako ng ma access ko line ng PCIBank MAKATI for almost a mont . salamat s isang kaibigan. ngayon habang nagbabasa ako para akong naculture shock talaga palang marami ng hackers na pinoy.
lahat naman tayo nagsisimula as a "kiddie" as what dey call but those kiddies are now earning a lot, and the fact na malaking tulong din sila kasi sila ang mas nakakapinsala dahil masyado silang aggressive ang mas mahilig mag experiment. as a result sila ang mas nakakakita ng butas sa security ng isang network 12/1/2004 10:42 PM | _iskor_

# re: Security Alert -- RDP Man in the Middle attacks

hello guys,

think you what ur doing po, everyone of us has the responsibility and and make sure that we 're doing something for a cause and for the good of everybody, remember the 'Golden Rule!', if nalimutan nyo n, go to Google.com, ok :D 12/16/2004 12:49 PM | jayar

# re: Security Alert -- RDP Man in the Middle attacks

i just have a comment that sysads should not be focusing solely on one "part" of the network but should practice audits/manual checks at all known and published weak vector attack areas (if they have no costly IDS systems (e.g. hw/sw-based fw logs, AD logs, cisco routers/switches logs to name a few...etc) maybe after every week and should strive to cope up with zero-day vulnerabilities via a well-executed security practice (patching windows, etc.) backed up by their co.'s policies...

Good luck black/white/gray/....xN hat guys out there....

Ciao--
zero_one 2/16/2006 3:44 PM | zero_one

# re: Security Alert -- RDP Man in the Middle attacks

lolz! 7/4/2006 1:26 AM | rebarz99

# re: Security Alert -- RDP Man in the Middle attacks

Rebarz is one hell of a skiddie.. 11/23/2007 9:26 AM | kokokrunch

# re: Security Alert -- RDP Man in the Middle attacks

wala ako alam pls. paturo naman sa network na yan yung free kahit unti lang. hehehehe salamat 7/8/2008 9:29 AM | shyder

Bitstop Network Services, Inc.