Security Alert -- RDP Man in the Middle attacks

Bitstop wishes to thank PI_flashbulb and his crew (www.phackers.org) for alerting us to a hacker post about security breaches in our network. We have taken steps to protect ourselves, but much work remains to determine the extent of the intrusion. We would like to warn other sys ads that hackers are now teaming up with TELCO insiders to launch attacks against networks. Sys ads at other networks must therefore be made aware that intervening ISP/TELCO networks must be regarded as compromised.

Man-in-the-middle attacks are launched by placing a rogue server between the remote user and the server in your network. For the attack to succeed, the hacker must have the access or authority to reroute packets. Typically this is done by manipulating DNS entries so that the remote user is fooled into connecting to the rogue server. By teaming up with, colluding with, or corrupting telco security insiders, hackers are now able to launch these types of attacks. This presents a whole new and potentially bigger threat to the Philippine Internet community.

We need to be aware and take more serious precautions.
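As an added example (not part of the original alert, and not Bitstop's code): the DNS-manipulation variant described above can be checked for on the defender's side by querying the server's name through several independent resolvers and comparing every answer against a pinned record set. The host name rdp.example.net, the resolver names and all addresses below are constructed; a real deployment would replace SAMPLE_ANSWERS with answers gathered from the actual resolvers (the resolve_with_system helper shows one way to gather the local one).

```python
import ipaddress
import socket
from typing import Dict, Set

AnswerMap = Dict[str, Dict[str, Set[str]]]

# Constructed pinned records for this example: the addresses the server is
# known to have. The host name rdp.example.net is an assumption.
PINNED_RECORDS: Dict[str, Set[str]] = {
    "rdp.example.net": {"203.0.113.10", "203.0.113.11"},
}

# Constructed resolver answers, as if the same name had been queried through
# the upstream ISP resolver, an independent public resolver and the zone's own
# authoritative server. The ISP answer points at a different host.
SAMPLE_ANSWERS: AnswerMap = {
    "isp-resolver": {"rdp.example.net": {"198.51.100.77"}},
    "independent-resolver": {"rdp.example.net": {"203.0.113.10"}},
    "authoritative": {"rdp.example.net": {"203.0.113.10", "203.0.113.11"}},
}


def _normalise(addresses: Set[str]) -> Set[str]:
    """Canonicalise address text so that spelling variants (e.g. IPv6
    '2001:db8::0001' versus '2001:db8::1') compare equal."""
    return {str(ipaddress.ip_address(a)) for a in addresses}


def check_resolution(hostname: str, answers: AnswerMap,
                     pinned: Dict[str, Set[str]]) -> dict:
    """Compare every resolver's answer for hostname against the pinned set.

    Report fields:
      unexpected: {resolver: addresses outside the pinned set} (possible redirection)
      missing:    {resolver: pinned addresses that resolver did not return}
      divergent:  True when the resolvers disagree with each other at all
      suspicious: True when any resolver returned an address outside the pinned set
    """
    expected = _normalise(pinned.get(hostname, set()))
    seen = {name: _normalise(ans.get(hostname, set())) for name, ans in answers.items()}
    unexpected = {n: ips - expected for n, ips in seen.items() if ips - expected}
    missing = {n: expected - ips for n, ips in seen.items() if expected - ips}
    divergent = len({frozenset(ips) for ips in seen.values()}) > 1
    return {
        "hostname": hostname,
        "unexpected": unexpected,
        "missing": missing,
        "divergent": divergent,
        "suspicious": bool(unexpected),
    }


def resolve_with_system(hostname: str) -> Set[str]:
    """Resolve through the host's configured resolver; returns an empty set when
    resolution fails so the rest of the check still runs offline."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return set()


if __name__ == "__main__":
    report = check_resolution("rdp.example.net", SAMPLE_ANSWERS, PINNED_RECORDS)
    for resolver, ips in report["unexpected"].items():
        print(f"{resolver}: {report['hostname']} -> {sorted(ips)} is NOT a pinned address")
    print("resolvers disagree" if report["divergent"] else "resolvers agree")
```

A disagreement between the ISP resolver and the authoritative server is exactly the signature of the DNS manipulation the alert describes; a pinned set that the authoritative answer also fails to match points at the zone itself having been changed rather than at an intervening resolver.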

Posted on Tuesday, November 16, 2004 6:50 AM

Feedback

# re: Security Alert -- RDP Man in the Middle attacks

Left by anonymouse at 11/16/2004 4:58 PM
http://s3.invisionfree.com/fildevnet/index.php?s=e9fde55b17ab918170c7b66ebcacef71&showtopic=3&st=15

This kind of attack can be done without manipulating DNS entries.

# re: Security Alert -- RDP Man in the Middle attacks

Left by helper friend at 11/16/2004 8:03 PM
look for tm1.no-ip.com :)

# re: Security Alert -- RDP Man in the Middle attacks

Left by helper friend at 11/16/2004 8:04 PM
h3h Crayden, I'll expose you to your boss!

# re: Security Alert -- RDP Man in the Middle attacks

Left by Coologo at 11/18/2004 12:45 PM
"We would like to warn other sys ads that hackers are now teaming up with TELCO insiders to launch attacks against networks. Therefore, sys ads at other networks must be made to be aware that intervening ISP/TELCO networks must be looked upon as being compromised."

Sir, this kind of scenario has been around for quite a while... I still remember that a sys ad of a fairly well-known ISP was a member of an underground hacker group.... and this group of hackers claimed that they had hacked the ISP and even gave away free accounts.

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/18/2004 3:01 PM
Where were you, sir, when I needed your info? :) Email me privately for more tidbits, ha?

# re: Security Alert -- RDP Man in the Middle attacks

Left by 31337-404 of India at 11/18/2004 6:25 PM
http://tac.weblinq.com/main.htm

Saw this when we hacked the server. This guy is good.


31337-404 of India

# re: Security Alert -- RDP Man in the Middle attacks

Left by jt at 11/18/2004 6:34 PM
ISAW is a bunch of attention-hungry wannabe hackers without any credibility, intent on making a name for themselves by using and reporting the exploits of the pinoy hacker underground

# re: Security Alert -- RDP Man in the Middle attacks

Left by wannabe at 11/18/2004 8:15 PM

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/19/2004 7:13 AM
Yup, 404-india. No question about it. Rebarz99 is skilled. It looks like a lot of hackers in the underground community look up to him, and he may be the leader/alpha male of the group. (But) Maybe he should pick his targets more carefully--some of them will fight back. Globe and Smart aren't about to let them walk scot-free after breaking into their major money earner.

It's only a matter of time now. Let us see how good the Telco sys ads are at finding rebarz... and his ENTIRE crew. As they say, he who laughs last, laughs the best.

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/19/2004 7:19 AM
It seems to me that Crayden could have used his position inside the Telco to sniff a lot of passwords. If the Telco is a big one, it would also mean that they have sniffed a lot of unprotected traffic and have gotten quite a lot of admin passwords in the process.

To those that are reading this post: if you regularly do remote administration, ftp, telnet, smtp etc. AND you are passing thru this TELCO, better change your passwords and shift to IPSEC, ssh, ssl or some other more secure means of communication.

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/19/2004 7:39 AM
From Peter A of Cendio.se:

With some variants of the MITM, such as with DNS spoofing, the TCP connection will originate from the man in the middle. In this case, the IP should be visible in the Terminal Services Manager, for example.

It is possible to create a transparent MITM attack, though. In this case, it's not possible to "see" the man in the middle.

If you have a DNS-based MITM attack, the man in the middle can be located basically anywhere.
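Following on from the point above that a DNS-spoofing MITM originates the TCP connection itself, so its address appears in Terminal Services Manager: the following added example (not from Peter A, Cendio or the original post) audits a constructed session export against the networks remote staff are expected to connect from, and additionally flags any single unexpected address that carries sessions for several different users, which is what a relay in the path looks like from the server's side. The column layout, user names, addresses and the allowlist are all constructed. As the quoted note says, a transparent MITM that preserves the client address will not be caught this way.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Set

# Constructed records in the shape of a Terminal Services Manager export
# (user, session id, state, client address). User names are invented and the
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_SESSIONS = """\
user,session,state,client_address
jdoe,2,Active,192.0.2.15
maria,3,Active,192.0.2.40
sysop,4,Active,198.51.100.77
backup,5,Active,198.51.100.77
jdoe,6,Disconnected,198.51.100.77
ops,7,Active,not-an-address
"""

# Constructed allowlist: the only networks remote staff are expected to come from.
EXPECTED_CLIENT_NETS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_sessions(text: str) -> List[Dict[str, str]]:
    """Read the CSV export into one dict per session row."""
    return list(csv.DictReader(io.StringIO(text)))


def _from_expected_net(address: str, nets) -> bool:
    """True only when the address parses and lies inside an expected network."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # an unparsable client address is never treated as trusted
    return any(ip in net for net in nets)


def audit_sessions(sessions: List[Dict[str, str]], expected_nets,
                   min_users_per_source: int = 2) -> dict:
    """Flag sessions arriving from outside the expected networks and, among
    those, source addresses that carry sessions for several distinct users
    (a relay in the path funnels every victim through its own address)."""
    outside = [s for s in sessions
               if not _from_expected_net(s["client_address"], expected_nets)]
    users_by_source: Dict[str, Set[str]] = defaultdict(set)
    for s in outside:
        users_by_source[s["client_address"]].add(s["user"])
    funnel_points = {addr: users for addr, users in users_by_source.items()
                     if len(users) >= min_users_per_source}
    return {"outside": outside, "funnel_points": funnel_points}


if __name__ == "__main__":
    report = audit_sessions(parse_sessions(SAMPLE_SESSIONS), EXPECTED_CLIENT_NETS)
    for s in report["outside"]:
        print(f"session {s['session']} user {s['user']} from {s['client_address']}: "
              "outside expected networks")
    for addr, users in report["funnel_points"].items():
        print(f"{addr} carries sessions for {len(users)} users {sorted(users)}: "
              "possible relay in the path")
```

The single-address, many-users heuristic is the useful part: one unexpected address is often just an admin on the road, but several unrelated accounts all arriving through the same unexpected address is the pattern a DNS-redirected relay produces.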

# re: Security Alert -- RDP Man in the Middle attacks

Left by concerned at 11/19/2004 6:40 PM
I used to work as an IT consultant for an online banking service. About a year ago, during one of our regular audits, we found an account created out of midair with a username of "rebarz99" and an address of "Your system is insecure". This information was never made public, as requested by the bank administration. My point is, there seems to be a lot of talented local hackers out there. Can't we find a legitimate outlet for their skills?

# re: Security Alert -- RDP Man in the Middle attacks

Left by r00tkitty at 11/19/2004 9:58 PM
Actually, there are a lot of local, talented security guys out there... (not just rebarz) =) as I've seen roaming around IRC channels. There are far more sites being 'owned' than you would normally estimate.

As far as I know, this all stirred up when ISAW started. Before, it was all 'hush hush'. But when it blew up into a pissing contest between ISAW and the local underground community, the truth about compromised boxes floated up.

# re: Security Alert -- RDP Man in the Middle attacks

Left by Coologo at 11/20/2004 8:40 AM
Yep, r00tkitty is right. If you passed through IRC way back in 1999 - 2002, hacked sites, ISP accounts, credit cards etc. were all over the place... Before, nobody told the admins that their boxes could be hacked, but when ISAW arrived the wind shifted a bit, because they started giving warnings (thru e-mail and/or phone calls) to the people concerned. The underground hackers just didn't quite like it, for some reason.

# re: Security Alert -- RDP Man in the Middle attacks

Left by Cooloping at 11/20/2004 10:46 AM
Other underground hackers inform admins by putting up html files saying that they need to secure their site. Why will you call the admin if you don't have intentions of getting fame? Or why will you inform the media if you're not a media whore? It's better for the admins to find out themselves if their site was compromised, so as to learn from their mistakes... Will you be there for them for "life"? Or will you ask something in return? Isn't that right, Frederic "Coologo" Cabayao?

# re: Security Alert -- RDP Man in the Middle attacks

Left by Coologo at 11/20/2004 11:44 AM
Cooloping

You misspelled my name :) it should be Frederick....

"Why will you call the admin if you don't have intentions of getting fame?"

First, I haven't called any admin yet, I just informed them thru e-mail. Second, if I really wanted fame, I would have given my full name to the admins.

"Why will you inform the media if you're not a media whore?"

I never informed any media.

"Will you be there for them for "life"?"

Of course not :) I still have my private life to enjoy... I just help as much as I can.

"Will you ask something in return?"

I never asked and will never ask something in return.

# re: Security Alert -- RDP Man in the Middle attacks

Left by i need money at 11/20/2004 2:17 PM
Sir, rebarz99 is a student of Informatics. We saw bitstop files in the computer he was using.

# re: Security Alert -- RDP Man in the Middle attacks

Left by i have money at 11/20/2004 2:37 PM
Interesting... which Informatics branch? I'm currently in Manila, how do we get in touch with you?

# re: Security Alert -- RDP Man in the Middle attacks

Left by i need money at 11/20/2004 3:09 PM
And you are..?

# re: Security Alert -- RDP Man in the Middle attacks

Left by i have money at 11/20/2004 3:26 PM
Someone who's interested in nailing this guy ;)

# re: Security Alert -- RDP Man in the Middle attacks

Left by paltog at 11/20/2004 3:57 PM
What bitstop files???

ISAW is also showing off, besides their noble purpose of exposing hacked boxes. That showing off can't be avoided, especially in the media.

# re: Security Alert -- RDP Man in the Middle attacks

Left by i have money at 11/20/2004 4:01 PM
At least they help somehow, rather than just wrecking other people's systems. You're also right that showing off in the media can't be avoided; fame comes with a price.

# re: Security Alert -- RDP Man in the Middle attacks

Left by my 2 centavos at 11/20/2004 7:44 PM
If you're good at hacking, you're gonna get a reputation even if you don't run to the media every time you see a vulnerable site.

# re: Security Alert -- RDP Man in the Middle attacks

Left by codepoet at 11/20/2004 10:30 PM
It's just annoying that there are still so many REAL-LIFE-KIDDIES, so-called hackers, who can't post, comment or criticize PROFESSIONALLY... and what's worse... they act like they're in God mode, as if they're some 100%-I-Know-this-hacking-stuff type... geez... get a life... A REAL LIFE guys.. you're making too much of a career out of that hack-hack nonsense...

When can this world we live in be a one-sided wall where everyone wants peace and cleanliness.. anyway, I wish God bless and good luck to those crew(s) who sound more like 'detractors' to us, ISAW contributors...

# re: Security Alert -- RDP Man in the Middle attacks

Left by uhm at 11/21/2004 7:24 PM
Based on your recent postings on the ISAW blog, you seem to have done exactly what you accuse these "kiddies" of doing. Not everybody talks yuppie. Even if the "kiddies" talk street slang, I have the utmost respect for SOME of them. Some of them will be the best system administrators in the country someday. It's not the way you speak or post messages; it's what technical information you know and, in regards to hacking, what you can do.

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/22/2004 10:24 AM
Here is a good discussion from:

15 Minute Guide to SSH Security
johnny@ihackstuff.com

It details how Man in the Middle could be used to compromise account credentials.

http://johnny.ihackstuff.com/security/premium/15%20Minute%20SSH.pdf (but you need to register first to get this document).

# re: Security Alert -- RDP Man in the Middle attacks

Left by kumag lord at 11/22/2004 11:26 AM
Wow, you're really good, Wilson CEH Chua.

You're always fighting.

ISAW, sheesh, grow up.

if you all want to collaborate you need to contact the right people.

# re: Security Alert -- RDP Man in the Middle attacks

Left by mcskuss maharishi at 11/22/2004 2:05 PM
So who's the right people?

# re: Security Alert -- RDP Man in the Middle attacks

Left by Coologo at 11/22/2004 3:00 PM
It's up to the admins who the right people are.

# re: Security Alert -- RDP Man in the Middle attacks

Left by r00tkitty at 11/22/2004 3:19 PM
=)

*gee... no comment... LOLZ*

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/22/2004 4:46 PM
Dear I need money,

Can you email us at spg@bitstop.ph?

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/22/2004 5:15 PM
Dear Sir (Kumag Lord),

While security credentials do help, they are sadly not enough. The vast field of security requires the security professional to be constantly studying. Alas, in some areas we cannot keep fully abreast, as recent experiences have shown. What we do have is a willingness to keep on learning...

Being able to count on friends in the community is the biggest help we can count on. Making new friends is much better than creating enemies.

Who knows, one day, we may all be sitting somewhere sipping a cup of tea or beer (with my bro-in-law) and something better may come out of the crayden post in the near future.

# re: Security Alert -- RDP Man in the Middle attacks

Left by estudyante blues at 11/22/2004 6:23 PM
I'm currently doing research on the Philippine cyber crime law. I need real-life examples of this law being carried out. Can anyone recommend any good links or relate any personal experiences? Thanks in advance..

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/22/2004 6:29 PM
NBI cybercrime division, G-CSIRT, CIDG, DOJ, ISSSP.org.ph, www.phackers.org, IRC channels

# re: Security Alert -- RDP Man in the Middle attacks

Left by Avelino at 11/22/2004 7:00 PM
How's the witch hunt going?

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/22/2004 9:17 PM
Dear Mr Avelino,

mum's the word... :)

# re: Security Alert -- RDP Man in the Middle attacks

Left by Kumag Lord at 11/23/2004 12:43 PM
Mr Chua,

my thoughts exactly.


K.L.

# re: Security Alert -- RDP Man in the Middle attacks

Left by mr anderson at 11/24/2004 6:18 AM
I will take the red pill. I want to know the truth.
Any online class for new wannabe?

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/24/2004 7:54 AM
Migs Paraz is holding a vidcon today at 1 pm. You are welcome to log in.

# re: Security Alert -- RDP Man in the Middle attacks

Left by caj at 11/24/2004 3:55 PM
As an info tech, all servers need a firewall with the power of Linux just to protect all your files and in-and-out communications. If you have some questions, just email me at caj042001@yahoo.com for simple advice on your network.

# re: Security Alert -- RDP Man in the Middle attacks

Left by jm at 11/24/2004 10:32 PM
Why Linux? There's BSD!

# re: Security Alert -- RDP Man in the Middle attacks

Left by malaki_ETITS at 11/24/2004 10:34 PM
Damn all this attack, attack, is there no end to these attacks? Hi to Wycoco! When I see you! Just wait! I'll shoot you! I know where your house is! hrhrhrh.

# re: Security Alert -- RDP Man in the Middle attacks

Left by b-man at 11/24/2004 10:56 PM
Look ma, my first post! =)

I was trying to login to Migz's vidcon but work got in the way, tsk. Anyhow, I would like to share my own 2c's on this thread after reading caj's post above.

An enterprise's perimeter defense (be it anchored on a linux/open-source or otherwise f'wall) is only as good as the policies/rules in which it is rooted. Many have this misconception that since their network has a firewall (single-, multi-tiered, or what have you), they are safe from hackers and/or malicious code.

And don't get me started on threats from within (read: the mobile users and internal hackers); let's keep my first post short. =)

On ISAW's quixotic quest? Let's hope they don't hit the wrong windmill...

# S3.invisionfree.com Site

Left by Pingback/TrackBack at 11/25/2004 10:33 AM
S3.invisionfree.com Site

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/25/2004 11:03 AM
http://news.inq7.net/infotech/index.php?index=1&story_id=19049

Hackers, especially the new ones, should be made fully aware of the consequences if/when they are caught. One of which is a 150,000.00 penalty per hacking INCIDENT and MANDATORY imprisonment of at least 6 months or more, depending on the gravity of the crime!

Hacking is not a joke. For some of you, you may already feel the noose tightening around you. There is still a way out for you. Let's talk. You know how to contact us.

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/25/2004 11:07 AM
The US House of Representatives has just passed the Internet Spyware Prevention Act to protect computer users from criminals who aim to spy and steal information via the internet. Under the legislation, anyone infecting a computer with spyware can be jailed for up to five years. --Sophos newsletter

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/25/2004 4:05 PM

# re: Security Alert -- RDP Man in the Middle attacks

Left by guardiandevilz.................. at 11/26/2004 10:51 AM
To all Asianpride.. members:
Bros, it's time to show again that the group is alive.. To the government of the Philippines, I hope you are serious when it comes to computerization, and you should also think about the security problem.. especially the internet problem.. As for us, whatever attack Asianpride did, I hope you don't take it badly.. It's just a matter of security evaluation so that you know you have security breach problems on your network servers and etc.. You won't know that unless you try it and evaluate it properly. There are many attack types and techniques... To the sys ads, I hope you don't let pride rule.. It's a matter of developing your security skills and learning crisis management and disaster problems in your company hehehe.. but.. the point is to upgrade and secure. That's all.. Welcome back Asianpride..


guardiandevilz......................................

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/26/2004 1:32 PM
Dear Guardiandevilz,

Well said. We welcome all the help we can get. If you wish to do a penetration/vulnerability test on our network, just email us in advance and please state the scope of the penetration test--time of tests, duration, ip block tested, and attack methods used. This will separate the white hats from the black hats.

We just request that you also inform us of any holes that you can find... and don't leave any backdoors lying around after you have finished, ha? :)

# re: Security Alert -- RDP Man in the Middle attacks

Left by phcore at 11/26/2004 9:05 PM
"Hacking is not a joke. For some of you, you may already feel the noose tightening around you. There is still a way out for you. Let's talk. You know how to contact us."


We agree, hacking is not a joke.

Catch us if you can. =)

# re: Security Alert -- RDP Man in the Middle attacks

Left by phcore at 11/26/2004 9:12 PM

# re: Security Alert -- RDP Man in the Middle attacks

Left by wilson at 11/26/2004 9:29 PM
Now, why would the REAL hackers want to announce this page to us? Maybe 'phcore', you're setting all of us (black, grey and white hats) up for something else?

# re: Security Alert -- RDP Man in the Middle attacks

Left by mcskuss maharishi at 11/27/2004 8:17 AM
Is this "war"?

# re: Security Alert -- RDP Man in the Middle attacks

Left by P***** I** at 11/27/2004 9:39 AM
Perhaps war against incompetent people taking advantage of public funds, particularly those manning or incompetently handling .gov.ph's!

# re: Security Alert -- RDP Man in the Middle attacks

Left by phcore at 11/27/2004 1:41 PM
"Now, why would the REAL hackers want to announce this page to us? Maybe 'phcore', you're setting all of us (black, grey and white hats) up for something else?"

No, we're not setting up anybody.

What we're saying is that you can't stop us.

You can't stop our passion to learn and push the boundaries which have been arbitrarily set up for us.


"Without Malice. Without Fear. Never for the Money. Never for the Fame. "

[ P H C O R E ]

Want to explore?

# re: Security Alert -- RDP Man in the Middle attacks

Left by _iskor_ at 12/1/2004 10:42 PM
I was reading the posts and only now realized that Pinoys are really smart. I used to be a liner and I was so thrilled when I got access to a PCIBank MAKATI line for almost a month. Thanks to a friend. Now, while reading, I feel culture-shocked that there really are so many Pinoy hackers already.
We all start as a "kiddie," as they call it, but those kiddies are now earning a lot, and the fact is they are also a big help, because they are the ones who do the most damage, since they are too aggressive and more fond of experimenting. As a result, they are the ones who find more holes in a network's security.

# re: Security Alert -- RDP Man in the Middle attacks

Left by jayar at 12/16/2004 12:49 PM
Hello guys,

Think about what you're doing, everyone of us has the responsibility to make sure that we're doing something for a cause and for the good of everybody. Remember the 'Golden Rule!' If you've forgotten it, go to Google.com, ok :D

# re: Security Alert -- RDP Man in the Middle attacks

Left by zero_one at 2/16/2006 3:44 PM
I just have a comment that sysads should not be focusing solely on one "part" of the network but should practice audits/manual checks at all known and published weak attack vector areas (if they have no costly IDS systems: e.g. hw/sw-based fw logs, AD logs, Cisco router/switch logs to name a few... etc.), maybe every week, and should strive to keep up with zero-day vulnerabilities via a well-executed security practice (patching Windows, etc.) backed up by their co.'s policies...

Good luck black/white/gray/....xN hat guys out there....

Ciao--
zero_one

# re: Security Alert -- RDP Man in the Middle attacks

Left by rebarz99 at 7/4/2006 1:26 AM
lolz!

# re: Security Alert -- RDP Man in the Middle attacks

Left by kokokrunch at 11/23/2007 9:26 AM
Rebarz is one hell of a skiddie..

# re: Security Alert -- RDP Man in the Middle attacks

Left by shyder at 7/8/2008 9:29 AM
I don't know anything, pls. teach me about that network, the free stuff, even just a little. hehehehe thanks


Copyright © Bitstop Network Services, Inc

Design by Phil Haack Based On A Design By Bartosz Brzezinski