InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 2:30 am Post subject: very odd location of ati drivers - security risk ? hacked ?
Code: |
>>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
--22:20:45-- https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run
=> `/usr/portage/distfiles/ati-driver-installer-8.35.5-x86.x86_64.run'
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
Connecting to a248.e.akamai.net|24.153.19.217|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 57,314,907 (55M) [application/octet-stream]
|
can anyone verify that the website it is downloading the drivers off is legit?
akamai.net
Last edited by InsaneHamster on Fri Mar 30, 2007 2:42 am; edited 1 time in total

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 2:41 am Post subject:
22:36:21.932922 IP 192.168.0.2.52413 > unknown.Level3.net.http: . ack 28908 win 501 <nop,nop,timestamp 41540428 3239897022>
tcp 0 0 192.168.0.2:40182 unknown.level3.net:http ESTABLISHED penguin 5767734 31655/firefox-bin
tcp 0 0 192.168.0.2:40183 unknown.level3.net:http ESTABLISHED penguin 5767735 31655/firefox-bin
tcp 0 0 192.168.0.2:40181 unknown.level3.net:http ESTABLISHED penguin 5767728 31655/firefox-bin
tcp 0 0 192.168.0.2:40179 unknown.level3.net:http ESTABLISHED penguin 5767726 31655/firefox-bin
like what or who is this connection?

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 2:42 am Post subject:
penguin@whitepenguin ~ $ whois 24.153.19.208
OrgName: Rogers Cable Communications Inc.
OrgID: RCC-104
Address: One Mount Pleasant
City: Toronto
StateProv: ON
PostalCode: M4Y-2Y5
Country: CA
NetRange: 24.153.0.0 - 24.153.31.255
CIDR: 24.153.0.0/19
NetName: ROGERS-CAB-104
NetHandle: NET-24-153-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Assignment
NameServer: NS2.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS2.WLFDLE.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.WLFDLE.RNC.NET.CABLE.ROGERS.COM
Comment:
RegDate:
Updated: 2006-12-05
OrgTechHandle: IPMAN-ARIN
OrgTechName: IP MANAGE
OrgTechPhone: +1-416-935-4729
OrgTechEmail: ipmanage@rogers.wave.ca
# ARIN WHOIS database, last updated 2007-03-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
it says the ip address for the ati driver is rogers cable ? (seems it is a well user account from my isp ?)

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 2:51 am Post subject:
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-29 22:47 EDT
Interesting ports on a24-153-19-208.deploy.akamaitechnologies.com (24.153.19.208):
Not shown: 1663 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
443/tcp open https
445/tcp filtered microsoft-ds
500/tcp open isakmp
705/tcp filtered unknown
1080/tcp filtered socks
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http
8080/tcp filtered http-proxy
Nmap finished: 1 IP address (1 host up) scanned in 12.712 seconds
when i nmap 24.153.19.208 ?

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 2:55 am Post subject:
whitepenguin penguin # tcptraceroute 24.153.19.208
Selected device eth0, address 192.168.0.2, port 43334 for outgoing packets
Tracing the path to 24.153.19.208 on TCP port 80 (http), 30 hops max
1 192.168.0.1 1.125 ms 0.443 ms 0.544 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 a24-153-19-208.deploy.akamaitechnologies.com (24.153.19.208) [open] 13.549 ms 17.896 ms 17.310 ms

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 5:30 am Post subject: so heres the delio
i found that when i sync portage to update it from a mirror server
slowly but surely it gets overwritten once an internet connection is seen, in small steps, to a mask of google
01:25:03.292298 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 59964:60093(129) ack 334009 win 33087
01:25:03.292712 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 334009:334808(799) ack 60093 win 63784
01:25:03.440787 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60093:60222(129) ack 334808 win 33087
01:25:03.441361 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 334808:335603(795) ack 60222 win 63784
01:25:03.607025 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60222:60351(129) ack 335603 win 33087
01:25:03.607457 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 335603:336402(799) ack 60351 win 63784
01:25:03.771038 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60351:60480(129) ack 336402 win 33087
01:25:03.773415 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 336402:337201(799) ack 60480 win 63784
01:25:03.919522 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60480:60609(129) ack 337201 win 33087
01:25:03.919931 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 337201:338002(801) ack 60609 win 63784
01:25:04.061905 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60609:60738(129) ack 338002 win 33087
01:25:04.064695 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 338002:338805(803) ack 60738 win 63784
01:25:04.202123 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60738:60867(129) ack 338805 win 33087
01:25:04.202557 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 338805:339606(801) ack 60867 win 63784
01:25:04.253575 IP bu-in-f91.google.com.http > 192.168.0.2.56238: P 16016:16145(129) ack 97642 win 32680
01:25:04.255055 IP 192.168.0.2.56238 > bu-in-f91.google.com.http: P 97642:98441(799) ack 16145 win 63784
01:25:04.357416 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60867:60996(129) ack 339606 win 33087
01:25:04.360291 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 339606:340413(807) ack 60996 win 63784
portage rootkit which updates itself is my conclusion

Xaid Guru
Joined: 30 Oct 2004 Posts: 474 Location: Edmonton / Alberta
Posted: Fri Mar 30, 2007 6:23 am Post subject:
I could be wrong here, but I thought Akamai is used by many large companies to distribute the load on their networks.
You can get more information on http://www.akamai.com/
Those files will get checked against the digest that's in Portage, so unless you manually forced a rebuild of the digest, I'm pretty sure you'll get a warning that the file has been tampered with (the digest will not match what's in the manifest).

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 7:10 am Post subject:
no clearly someone spoofed their website to make it seem that way to the average user. after i change mirrors and sync all of a sudden tcpdump shows google round robin shit uploading files non stop and certain packages change if i update system before or after that sync depending on just leaving the connection in which runs to google for a while then stops. plus i have nsa and selinux security so i can watch files in logs which are denied access or changed some try to send to i address and gzip and tar doing sh and rm commands which want to send to certain ip address. my tripwire no longer works and logs show proof of hacking . slowly starting with simple over sized packets from my linux router which over time caused errors commands to be run and then today this
surely with no browser open there is no need for this corporation and google to be sending packets via dump console. snort doesn't seem to pick it up too well though.

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 7:18 am Post subject:
Invalid packet:IN=eth0 OUT= MAC=*** SRC=24.153.19.160 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=13906 DF PROTO=TCP SPT=80 DPT=53918 WINDOW=6391 RES=0x00 ACK FIN URGP=0
whitepenguin ~ # whois 24.153.19.160
OrgName: Rogers Cable Communications Inc.
OrgID: RCC-104
Address: One Mount Pleasant
City: Toronto
StateProv: ON
PostalCode: M4Y-2Y5
Country: CA
NetRange: 24.153.0.0 - 24.153.31.255
CIDR: 24.153.0.0/19
NetName: ROGERS-CAB-104
NetHandle: NET-24-153-0-0-1
Parent: NET-24-0-0-0-0
NetType: Direct Assignment
NameServer: NS2.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS2.WLFDLE.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.WLFDLE.RNC.NET.CABLE.ROGERS.COM
Comment:
RegDate:
Updated: 2006-12-05
OrgTechHandle: IPMAN-ARIN
OrgTechName: IP MANAGE
OrgTechPhone: +1-416-935-4729
OrgTechEmail: ipmanage@rogers.wave.ca
# ARIN WHOIS database, last updated 2007-03-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
NMAP
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-30 03:14 EDT
Interesting ports on a24-153-19-160.deploy.akamaitechnologies.com (24.153.19.160):
Not shown: 1656 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp filtered smtp
80/tcp open http
98/tcp filtered linuxconf
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
161/tcp filtered snmp
162/tcp filtered snmptrap
383/tcp filtered hp-alarm-mgr
431/tcp filtered utmpcd
443/tcp open https
445/tcp filtered microsoft-ds
500/tcp open isakmp
705/tcp filtered unknown
844/tcp filtered unknown
897/tcp filtered unknown
1080/tcp filtered socks
1473/tcp filtered openmath
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http
6588/tcp filtered analogx
8080/tcp filtered http-proxy
Nmap finished: 1 IP address (1 host up) scanned in 19.617 seconds

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 8:01 am Post subject:
WEB-ATTACKS cpp command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:45295 -> 72.14.207.99:80
[1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 0.0.0.0:68 -> 255.255.255.255:67
(snort_decoder) WARNING: IP dgm len > IP Hdr len!
(spp_arpspoof) Ethernet/ARP Mismatch request for Destination
a lot of shit in snort logs i don't wanna post, just wanted to show those (they weren't false positives either cause they were reclusive and persistent) and only started at certain points
the question is
what do i do (clearly i must format both router, as i found smb with security=share and guest account=root) and i never had or allowed smb on the router and in fact never wanted no smb in the network at all plus all this grimy shit which points to several ip address within my ISP (so i assume its local)
i live in canada do i report is it possible to get their name or do i need someone inside my ISP to obtain that information because of privacy laws

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 8:03 am Post subject:
Mar 29 09:51:24 whitepenguin audit(1175176284.048:47): avc: denied { send } for pid=13667 comm="firefox-bin" saddr=192.168.0.2 src=39425 daddr=24.153.19.208 dest=80 netif=eth0 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=packet

Aurisor Guru
Joined: 20 Sep 2003 Posts: 361 Location: Boston MA
Posted: Fri Mar 30, 2007 3:46 pm Post subject:
That is a fucking impressive catch.
l33t

UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 4:08 pm Post subject: Re: very odd location of ati drivers - security risk ? hacke
UberLord wrote: | InsaneHamster wrote: | Code: |
>>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
--22:20:45-- https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run
=> `/usr/portage/distfiles/ati-driver-installer-8.35.5-x86.x86_64.run'
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
Connecting to a248.e.akamai.net|24.153.19.217|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 57,314,907 (55M) [application/octet-stream]
|
can anyone verify that website is legit it is downloading the drivers off ?
akamai.net |
http://ati.amd.com/support/drivers/linux64/linux64-radeon.html
Now examine the download link - here it is.
https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux/64bit/ati-driver-installer-8.35.5-x86.x86_64.run |
i know that akamai does hosting but why would residential ip address which are within my isp be the location of the resolving address
Code: |
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
|
so anyways i WANT to find out who it is not just their ip address. i could give two fucks about their system.

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Fri Mar 30, 2007 4:12 pm Post subject:
Aurisor wrote: | That is a fucking impressive catch.
l33t |
no u know whats more impressive is some dude (cause i highly doubt its a women) hacks a home user box. which clearly if a male hacks another males computer only to see what they are doing is a Fagget for one, a stalker for second, and a creeper for third.
u do realize that source build linux distributions are the easiest hacked operating systems in the world right. so its not really an impressive catch. just annoying and time waste on a Fagget who was too fuckn stupid to get away with it.

madisonicus Veteran
Joined: 20 Sep 2006 Posts: 1130
Posted: Fri Mar 30, 2007 4:18 pm Post subject: Re: very odd location of ati drivers - security risk ? hacke
InsaneHamster wrote: | UberLord wrote: | InsaneHamster wrote: | Code: |
>>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
--22:20:45-- https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run
=> `/usr/portage/distfiles/ati-driver-installer-8.35.5-x86.x86_64.run'
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
Connecting to a248.e.akamai.net|24.153.19.217|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 57,314,907 (55M) [application/octet-stream]
|
can anyone verify that website is legit it is downloading the drivers off ?
akamai.net |
http://ati.amd.com/support/drivers/linux64/linux64-radeon.html
Now examine the download link - here it is.
https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux/64bit/ati-driver-installer-8.35.5-x86.x86_64.run |
i know that akamai does hosting but why would residential ip address which are within my isp be the location of the resolving address
Code: |
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
|
so anyways i WANT to find out who it is not just their ip address. i could give two fucks about their system. |
From Akamai's website: Quote: | How it Works
We upload your content to a designated directory in the Akamai network, replicate it, and store copies at multiple locations in our worldwide storage centers. Using the global Akamai platform (20,000 servers in 71 countries), we distribute your content intelligently, placing it close to Web users, monitoring network problems, and routing it efficiently by identifying and using optimal paths. |
The whole point is that akamai reduces costs and increases delivery speed by syncing your content to servers all over the world. They select a nearby server based on the location of your IP address. It would in fact be surprising if Akamai did not have a server in your neighborhood.
_________________ Please add [SOLVED] to your message title if you feel that your question has been answered.
------
Intel Q9300 Core2 Quad * Gigabyte GA-EP35C-DS3R
Samsung x360
AMD64 x2 4200+ * TF7050-M2 * HTPC
ZOTAC ION A-U Mini-ITX * HTPC
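The check a practitioner would actually run on the addresses from the first post, as an added example that is neither madisonicus's nor Akamai's code: forward-confirmed reverse DNS against a known CDN PTR domain, which answers "is this ISP-owned address really a CDN edge?" better than whois does. The resolver records are constructed so it runs offline; only the first PTR reproduces what nmap printed above, and everything else (the forward answers, the other hosts, the suffix list) is made up for the example.

```python
import ipaddress
import re

# Domain under which the thread's nmap output showed the edge's PTR record
# (a24-153-19-208.deploy.akamaitechnologies.com). Extend for other CDNs.
CDN_PTR_SUFFIXES = (".deploy.akamaitechnologies.com",)
# Those edge PTR names embed the address as a<o1>-<o2>-<o3>-<o4>.deploy....
ENCODED_IP_RE = re.compile(r"^a(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.")


class StaticResolver:
    """Constructed offline stand-in for DNS so the example runs without the
    network; a live version would wrap socket.gethostbyaddr() for ptr() and
    socket.getaddrinfo() for addresses()."""

    def __init__(self, ptr_records, a_records):
        self._ptr, self._a = ptr_records, a_records

    def ptr(self, ip):
        return self._ptr.get(ip)

    def addresses(self, name):
        return set(self._a.get(name, ()))


def check_edge_ip(ip, resolver):
    """Classify `ip` using forward-confirmed reverse DNS (FCrDNS).
    The reverse zone for the block belongs to the ISP (whois shows Rogers), so
    a PTR alone proves little; only if the CDN's own forward zone maps the name
    back to this address has the CDN vouched for it. Returns (verdict, detail)."""
    ip = str(ipaddress.ip_address(ip))  # normalise, reject garbage input
    name = resolver.ptr(ip)
    if not name:
        return "unknown", f"{ip}: no PTR record"
    if not name.endswith(CDN_PTR_SUFFIXES):
        return "not-cdn", f"{ip}: PTR {name} is outside the known CDN domains"
    m = ENCODED_IP_RE.match(name)
    if m and ".".join(m.groups()) != ip:
        return "name-mismatch", f"{ip}: PTR {name} encodes a different address"
    if ip not in resolver.addresses(name):
        return "unconfirmed", f"{ip}: {name} does not resolve back to {ip}"
    return "cdn-edge", f"{ip}: {name} forward-confirmed"


# Constructed records. Only the first PTR is the one nmap printed in the
# thread; the forward answers and the other entries exercise each branch.
RESOLVER = StaticResolver(
    ptr_records={
        "24.153.19.208": "a24-153-19-208.deploy.akamaitechnologies.com",
        "24.153.19.160": "a24-153-19-160.deploy.akamaitechnologies.com",
        "24.153.19.77": "a24-153-19-208.deploy.akamaitechnologies.com",
        "24.153.19.99": "cpe-24-153-19-99.home.example-isp.invalid",
    },
    a_records={
        "a24-153-19-208.deploy.akamaitechnologies.com": ["24.153.19.208"],
        # constructed: the forward zone disagrees with the PTR
        "a24-153-19-160.deploy.akamaitechnologies.com": ["24.153.19.201"],
    },
)

if __name__ == "__main__":
    for host in ("24.153.19.208", "24.153.19.160", "24.153.19.77",
                 "24.153.19.99", "10.0.0.1"):
        verdict, detail = check_edge_ip(host, RESOLVER)
        print(f"{verdict:14} {detail}")
```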

Monkeh Veteran
Joined: 06 Aug 2005 Posts: 1656 Location: England
Posted: Fri Mar 30, 2007 4:38 pm Post subject:
I see.. overly paranoid snort, normal HTTP access to google, and someone jumping at nothing..
akamai is real and legit, and I see nothing but someone implementing overly paranoid security without actually knowing how to use it..

lpahdoco n00b
Joined: 14 Oct 2005 Posts: 7
Posted: Fri Mar 30, 2007 6:06 pm Post subject:
InsaneHamster wrote: | Aurisor wrote: | That is a fucking impressive catch.
l33t |
no u know whats more impressive is some dude (cause i highly doubt its a women) hacks a home user box. which clearly if a male hacks another males computer only to see what they are doing is a Fagget for one, a stalker for second, and a creeper for third.
u do realize that source build linux distributions are the easiest hacked operating systems in the world right. so its not really an impressive catch. just annoying and time waste on a Fagget who was too fuckn stupid to get away with it. |
You doubt it's a woman because.....????
[EDIT] Removed deliberately antagonistic comment

RegularJoe n00b
Joined: 20 Mar 2007 Posts: 5 Location: Poland
Posted: Fri Mar 30, 2007 10:24 pm Post subject:
InsaneHamster wrote: |
u do realize that source build linux distributions are the easiest hacked operating systems in the world right. so its not really an impressive catch. just annoying and time waste on a Fagget who was too fuckn stupid to get away with it. |
u do know what digest algorithms or hash functions are, right? So unless you force your portage to merge anything without checking its digest signature, or someone hacks the portage mirrors, you are pretty safe. That's of course if this ugly dude of yours doesn't have root permissions on your machine yet, but if he had i don't think he would do anything like you thought you spotted. But don't worry, when it comes to computer security being suspicious is still far better than being ignorant (if only half of windows users were like u the world would be a better place)
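What Xaid's and RegularJoe's digest argument looks like in code, as an added example that is neither Portage's own code nor from anyone in the thread: parse the DIST lines of a Manifest and verify a downloaded distfile against them, failing closed on a missing entry, a size mismatch or any digest mismatch. The installer bytes, the EBUILD line and the Manifest are constructed stand-ins; only the distfile name comes from the thread.

```python
import hashlib

# Manifest algorithm names mapped to hashlib names. RMD160/SHA1/SHA256 were the
# 2007-era set; BLAKE2B and SHA512 are what current Portage records.
ALGOS = {
    "SHA1": "sha1",
    "SHA256": "sha256",
    "SHA512": "sha512",
    "BLAKE2B": "blake2b",
    "RMD160": "ripemd160",
}


def parse_manifest(text):
    """Return {filename: (size, {ALGO: hexdigest, ...})} from DIST lines.
    AUX/EBUILD/MISC entries and malformed lines are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # DIST <name> <size> <ALGO> <hex> [<ALGO> <hex> ...] -> odd field count
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue
        digests = dict(zip(fields[3::2], fields[4::2]))
        entries[fields[1]] = (int(fields[2]),
                              {a: h.lower() for a, h in digests.items()})
    return entries


def verify_distfile(manifest_text, filename, data):
    """Check `data` (the downloaded bytes) against the Manifest entry for
    `filename`. Returns (ok, messages). ok requires: an entry exists, the size
    matches, every digest we can compute matches, and at least one was
    computed. Fail-closed: a file with no entry is rejected, never waved on."""
    entries = parse_manifest(manifest_text)
    if filename not in entries:
        return False, [f"{filename}: no DIST entry in Manifest"]
    size, digests = entries[filename]
    problems, checked = [], 0
    if len(data) != size:
        problems.append(f"size mismatch: Manifest says {size}, file is {len(data)}")
    for algo, expected in digests.items():
        name = ALGOS.get(algo)
        if name is None or name not in hashlib.algorithms_available:
            continue  # cannot compute this one; the others carry the verdict
        checked += 1
        actual = hashlib.new(name, data).hexdigest()
        if actual != expected:
            problems.append(f"{algo} mismatch: expected {expected[:12]}.., "
                            f"got {actual[:12]}..")
    if checked == 0:
        problems.append("no supported digest in entry; refusing to verify")
    return not problems, problems or [f"{filename}: size and {checked} digest(s) OK"]


def manifest_dist_line(filename, data, algos=("BLAKE2B", "SHA512")):
    """Build the DIST line a package maintainer records. Used here only to
    construct the sample; regenerating it locally from a file you just
    downloaded (what `ebuild ... digest` does) is exactly what defeats the check."""
    parts = ["DIST", filename, str(len(data))]
    for algo in algos:
        parts += [algo, hashlib.new(ALGOS[algo], data).hexdigest()]
    return " ".join(parts)


# Constructed sample: a few bytes standing in for the 55 MB installer named in
# the thread, and a Manifest recorded for the genuine bytes.
DISTFILE = "ati-driver-installer-8.35.5-x86.x86_64.run"
GOOD = b"#!/bin/sh\n# constructed stand-in for the real installer\necho installer\n"
TAMPERED = GOOD.replace(b"echo installer", b"echo tampered!")  # same length
MANIFEST = "\n".join([
    "EBUILD ati-drivers-8.35.5.ebuild 4096 SHA256 " + "0" * 64,  # placeholder
    manifest_dist_line(DISTFILE, GOOD),
])

if __name__ == "__main__":
    for label, blob in (("genuine", GOOD), ("tampered", TAMPERED),
                        ("truncated", GOOD[:-1])):
        ok, msgs = verify_distfile(MANIFEST, DISTFILE, blob)
        print(f"{label:9} {'OK' if ok else 'REJECT'}: {'; '.join(msgs)}")
```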

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Sun Apr 01, 2007 3:30 am Post subject:
RegularJoe wrote: | InsaneHamster wrote: |
u do realize that source build linux distributions are the easiest hacked operating systems in the world right. so its not really an impressive catch. just annoying and time waste on a Fagget who was too fuckn stupid to get away with it. |
u do know what digest algorithms or hash functions are right? So unless you force your portage to merge anything without checking its diggest signature or someone hacks portage mirrors you are pretty safe Thats of course if this ugly dude of yours doesn't have root permissions on your machine yet but if he had i don't think he would do anything like you thought you spotted. But don't worry when it comes to computer security being suspicious is still far better than being ignorant (if only half of windows users were like u the world would be a better place) |
i am paranoid but its not like when i emerge sync then update a system it states package digest doesn't match (of package called file-0.19 i think) then i looked up and found that file-0.19 has an exploit causing arbitrary code to be able to be executed which would stay within the privileges of the user doing it. this is nothing
if no browser is connected to the internet or running.
why would tcpdump show traffic of google and this akamai shit. to the average user they may or may not trust all this shit that is happening. but clearly akamai.net that its downloading the file from shouldn't be bound to an ip address of someone that is in my country running what seems like a home account from my isp. anyways its not that hard to have portage be changed. cause i synced with a mirror, unplugged the eth0 (watching all on tcpdump) then did emerge system and several files were to be updated which were not before. so then therefore i plug in eth0 (with no browser open mind u) and google starts sending me files with akamai. it stops after a while . and then i do emerge puv world and the packages change to different ones.
i guess according to certain individuals on these forums i am stupid. not paranoid to the point of perception in finding these types of ridiculous hits i get almost on a monthly basis. i guess thats what happens when u piss off faggets via the internet.

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Sun Apr 01, 2007 3:31 am Post subject:
Quote: |
You doubt it's a woman because.....????
[EDIT] Removed deliberately antagonistic comment |
i think i can ballpark it, i am more than confident about my assumption.

InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
Posted: Sun Apr 01, 2007 3:36 am Post subject: Re: very odd location of ati drivers - security risk ? hacke
madisonicus wrote: | InsaneHamster wrote: | UberLord wrote: | InsaneHamster wrote: | Code: |
>>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
--22:20:45-- https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run
=> `/usr/portage/distfiles/ati-driver-installer-8.35.5-x86.x86_64.run'
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
Connecting to a248.e.akamai.net|24.153.19.217|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 57,314,907 (55M) [application/octet-stream]
|
can anyone verify that website is legit it is downloading the drivers off ?
akamai.net |
http://ati.amd.com/support/drivers/linux64/linux64-radeon.html
Now examine the download link - here it is.
https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux/64bit/ati-driver-installer-8.35.5-x86.x86_64.run |
i know that akamai does hosting but why would residential ip address which are within my isp be the location of the resolving address
Code: |
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
|
so anyways i WANT to find out who it is not just their ip address. i could give two fucks about their system. | From Akamai's website: Quote: | How it Works
We upload your content to a designated directory in the Akamai network, replicate it, and store copies at multiple locations in our worldwide storage centers. Using the global Akamai platform (20,000 servers in 71 countries), we distribute your content intelligently, placing it close to Web users, monitoring network problems, and routing it efficiently by identifying and using optimal paths. | The whole point is that akamai reduces costs and increases delivery speed by syncing your content to servers all over the world. They select a nearby server based on the location of your IP address. It would in fact be surprising if Akamai did not have a server in your neighborhood. |
i know i have read and done research on akamai a long time ago so i know what their corporation is and does. but there is no need for them to be streaming me content and data when the browser is not even running nor are any what seem applications to the internet by me. if nothing is connected to the internet (application wise) how is it that they are sending me data when i view via tcpdump ?
its a spoof proxy for hacker to gain entry and use and work trying to be naked to the all seeing eye. however they fucked up and did not succeed. i guess this is what happens when u roll with 3 gentoo box and uclinux router. its not that hard to overlay portage or use something like layman. not fuckn hard at all, in a source based distribution. one of the easiest fuckn operating systems to hack and hide data in.
what i want to know is . i am pretty sure i didnt visit ANY (hopefully) shady websites and forums (i used to get hacked via shady forums i stopped going)
which would only mean that my router / gateway was hacked and they were somehow able to gain entry. which leads me to ask ? if u hack a network gateway or router. how hard would it be to gain entry into a box from IT . my conclusion is not fuckn hard at all. and with portage being very simple to fuck around with its only a matter of time.
the key is never in attempting to stop hackers. cause thats fuckn impossible. exploits are a daily routine everything is hackable. but to try and stop them before they are able to gain any subjective ground into obtaining the classified information on your computer.

madisonicus Veteran
Joined: 20 Sep 2006 Posts: 1130
Posted: Sun Apr 01, 2007 1:34 pm Post subject:
InsaneHamster wrote: | i am paranoid but its not like when i emerge sync then update a system it states package digest doesnt match (of package called file-0.19 i think) then i looked up and found that file-0.19 has exploit causing arbitary code to be able to be executed which would stay within the privillages of the user doing it. this is nothing | I don't know what this means. Did this happen to you? sys-apps/file hasn't been at version 0.x for a long time.
InsaneHamster wrote: | if no browser is connected to the internet or running.
why would tcpdump show traffic of google amd this amamki shit. to the average user they may or may not trust all this shit that is happening. but clearly akami.net that its downloading the file from shouldnt be binded to an ip address of someone that is in my country running a what seems like home account from my isp. anyways its not that hard to have portage be changed. causing i synced with a mirror unplugged the eth0 (watching all on tcp dump) then did emerge system and several files were to be updated which were not before. so then therefor i plug in eth0 (with no browser open mind u) and google starts sending me files with amaki. it stops after a while . and then i do emerge puv world and the packages change to different ones. | Well, if you opened a connection to google via your web browser, google will attempt to keep it open, especially if you're checking gmail or looking at news, both of which get updated on a regular basis. Google will try to keep those connections open even after you close your browser or reboot your computer, since it has no idea what's happening at your end; it just knows it hasn't heard from you in a while.
The ports you reported the connections on are high-numbered and only assigned when a connection has already been established which comports with the idea that these are just keep alives or possibly refresh packets. If you'd like some more clarification on what/why, just ask.
In any case, it seems a pretty big leap to go from unknown, unexamined packets arriving at your IP address from two well-known companies, to asserting that your entire system has been subverted. Have you examined the packets with wireshark or something? At least then you'd know what was in them.
InsaneHamster wrote: | i guess according to certain individuals on these forums i am stupid. not parnoid to the point of perception in finding these types of riddiculus hits i get almost on a monthly basis. i guess thats what happens when u piss off faggets via the internet. | You asked whether we thought what you were seeing was legitimate. We said yes and told you why. You're welcome to disagree. But, I think we'd all appreciate it if you kept your tone more professional.
-m
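To turn madisonicus's high-numbered-port observation into something checkable, an added example that is not from anyone in the thread: it parses the netstat and netfilter LOG lines shown earlier and reports, per connection, which side opened it (an ephemeral local port talking to a service port means this host connected out). The sample lines are constructed in the same shape as the thread's output; EPHEMERAL_MIN and SERVICE_PORTS are my assumptions, taken from Linux's default port range and /etc/services names.

```python
import re

# Port names netstat substitutes for numbers when run without -n.
SERVICE_PORTS = {"http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
# Lower bound of Linux's default ephemeral range (net.ipv4.ip_local_port_range);
# a local port in this range was picked by the kernel for an outgoing connect().
EPHEMERAL_MIN = 32768

NETSTAT_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<laddr>\S+):(?P<lport>\S+)\s+(?P<raddr>\S+):(?P<rport>\S+)\s+"
    r"(?P<state>[A-Z_]+)\s+(?P<user>\S+)\s+\d+\s+(?P<pid>\d+|-)/?(?P<prog>\S*)"
)
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")


def port_number(token):
    return int(token) if token.isdigit() else SERVICE_PORTS.get(token)


def direction(local_port, remote_port):
    """Who opened the connection, judged from the port pair alone."""
    if local_port is None or remote_port is None:
        return "unknown"
    if local_port >= EPHEMERAL_MIN and remote_port < EPHEMERAL_MIN:
        return "outbound"   # our kernel chose the local port: we connected out
    if remote_port >= EPHEMERAL_MIN and local_port < EPHEMERAL_MIN:
        return "inbound"    # the peer chose its port: the peer connected to us
    return "ambiguous"


def parse_netstat(line):
    """One `netstat -tpe` style line -> record, or None if it is not one."""
    m = NETSTAT_RE.match(line)
    if not m:
        return None
    lport, rport = port_number(m["lport"]), port_number(m["rport"])
    return {"source": "netstat", "remote": f"{m['raddr']}:{m['rport']}",
            "program": m["prog"] or "?", "state": m["state"], "flags": [],
            "direction": direction(lport, rport)}


def parse_netfilter(line):
    """One iptables LOG line (KEY=value tokens) -> record, or None."""
    kv = dict(re.findall(r"\b(\w+)=(\S*)", line))
    if "SRC" not in kv or "DST" not in kv:
        return None
    flags = [f for f in TCP_FLAGS if re.search(rf"\b{f}\b", line)]
    # The log is written from our host's view: DST/DPT is our side.
    lport, rport = port_number(kv.get("DPT", "")), port_number(kv.get("SPT", ""))
    return {"source": "netfilter", "remote": f"{kv['SRC']}:{kv.get('SPT', '?')}",
            "program": "?", "state": "LOGGED", "flags": flags,
            "direction": direction(lport, rport)}


def explain(row):
    """One-line verdict a defender can act on."""
    if row["direction"] == "outbound":
        note = f"{row['program']} on this host opened it"
        if "FIN" in row["flags"]:
            note = ("peer closing a connection this host opened; a late FIN/ACK "
                    "the firewall no longer tracks is a normal stale close")
        return f"{row['remote']}: outbound, {note}"
    if row["direction"] == "inbound":
        return f"{row['remote']}: INBOUND to a service port, worth a closer look"
    return f"{row['remote']}: {row['direction']}"


def triage(lines):
    rows = []
    for line in lines:
        row = parse_netstat(line) or parse_netfilter(line)
        if row:  # tcpdump and other formats are skipped
            row["verdict"] = explain(row)
            rows.append(row)
    return rows


# Constructed sample in the same shapes as the thread's output: two netstat
# lines, one netfilter LOG line, and a tcpdump line the parser ignores.
SAMPLE = [
    "tcp 0 0 192.168.0.2:40182 unknown.level3.net:http ESTABLISHED penguin "
    "5767734 31655/firefox-bin",
    "tcp 0 0 192.168.0.2:40183 unknown.level3.net:http ESTABLISHED penguin "
    "5767735 31655/firefox-bin",
    "Invalid packet:IN=eth0 OUT= MAC=*** SRC=24.153.19.160 DST=192.168.0.2 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=13906 DF PROTO=TCP SPT=80 DPT=53918 "
    "WINDOW=6391 RES=0x00 ACK FIN URGP=0",
    "22:36:21.932922 IP 192.168.0.2.52413 > unknown.Level3.net.http: . ack 28908",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["verdict"])
```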

madisonicus Veteran
Joined: 20 Sep 2006 Posts: 1130
Posted: Sun Apr 01, 2007 2:16 pm Post subject: Re: very odd location of ati drivers - security risk ? hacke
InsaneHamster wrote: | its a spoof proxy for hacker to gain entry and use and work trying to be naked to the all seeing eye. however they fucked up and did not succeed. | That's an enormous claim and not at all supported by the information you've presented. If you think your local DNS has been poisoned, then switch temporarily or permanently to a possibly more trusted DNS like opendns. And, importantly, inform your ISP.
Keep in mind that ATi themselves point to an Akamai website to download their drivers. Are you suggesting that AMD/ATi have been hacked for days with no one noticing? If so, then you need to contact AMD/ATi. If you have a question about whether where that IP address is a legitimate Akamai mirror, then you should probably contact Akamai and ask. For reasons explained above, though, there's nothing out of the ordinary or suspicious about what you've reported.
Also, what does "naked to the all seeing eye" mean?
InsaneHamster wrote: | i guess this is what happens when u roll with 3 gentoo box and uclinux router. its not that hard to overlay portage or use something like layman. not fuckn hard at all, in a source based distribution. one of the easiest fuckn operating systems to hack and hide data in. | I'm curious why you think this. Personally, I've never run into this claim and most everything I've seen says the opposite. If the source is openly available it's very unwise for an ill-intentioned programmer to try to subvert any code since we could all simply diff the two versions and see exactly what s/he was trying to do. Stuff hidden in binaries is of a much greater concern since it is much more difficult to reverse-engineer a binary than to diff two versions of source code.
Now it is true that a compromised mirror could provide bad links or hash info, but you've given no indication that that's the case. In fact, we've pointed out a few times that what you've reported seeing is normal behavior, is consistent with what ATi themselves are putting out, and very likely not a hack attempt. However, if you still believe the mirror you use has been compromised, I suggest you contact the Gentoo team so they can take that server off the rotation and that you contact the mirror admins so they can investigate your suspicions. You should probably also switch to a different mirror and see if you observe the same behavior.
However, given the relatively small number of total Gentoo users, the chances that anyone would spoof multiple Gentoo rsync mirrors from your ISP in hardly over-crowded Canada, seems pretty remote. There's not much to gain by doing so, not to mention that the process is fairly complex and would require intimate knowledge of how Gentoo works. Hacker man-hours would be far better spent working any of the dozens of unplugged Windows holes. That's not to say I think it's impossible, just very unlikely and, again, unsupported by the information you've given.
InsaneHamster wrote: | the key is never in attempting to stop hackers. cause thats fuckn impossible. exploits are a daily routine everything is hackable. but to try and stop them before they are able to gain any subjective ground into obtain the classified information on you computer. | Again, I don't see any evidence at all that you've been hacked here. TCP/IP is a very complicated affair, and you might benefit from and even enjoy further research into how it all works.
-m _________________ Please add [SOLVED] to your message title if you feel that your question has been answered.
------
Intel Q9300 Core2 Quad * Gigabyte GA-EP35C-DS3R
Samsung x360
AMD64 x2 4200+ * TF7050-M2 * HTPC
ZOTAC ION A-U Mini-ITX * HTPC |
|
Back to top |
|
|
InsaneHamster Guru
Joined: 02 May 2003 Posts: 435
|
Posted: Sun Apr 01, 2007 5:34 pm Post subject: |
madisonicus wrote: | InsaneHamster wrote: | I am paranoid, but it's not like when I emerge sync then update a system it states package digest doesn't match (of a package called file-0.19, I think). Then I looked up and found that file-0.19 has an exploit causing arbitrary code to be able to be executed, which would stay within the privileges of the user doing it. This is nothing. | I don't know what this means. Did this happen to you? sys-apps/file hasn't been at version 0.x for a long time.
InsaneHamster wrote: | If no browser is connected to the internet or running, why would tcpdump show traffic from Google and this Akamai shit? To the average user, they may or may not trust all this shit that is happening. But clearly akamai.net, that it's downloading the file from, shouldn't be bound to an IP address of someone that is in my country running what seems like a home account from my ISP. Anyway, it's not that hard to have portage be changed, because I synced with a mirror, unplugged the eth0 (watching all on tcpdump), then did emerge system and several files were to be updated which were not before. So then therefore I plug in eth0 (with no browser open, mind you) and Google starts sending me files with Akamai. It stops after a while, and then I do emerge puv world and the packages change to different ones. | Well, if you opened a connection to Google via your web browser, Google will attempt to keep it open, especially if you're checking Gmail or looking at news, both of which get updated on a regular basis. Google will try to keep those connections open even after you close your browser or reboot your computer, since it has no idea what's happening at your end; it just knows it hasn't heard from you in a while.
The ports you reported the connections on are high-numbered and only assigned when a connection has already been established, which comports with the idea that these are just keep-alives or possibly refresh packets. If you'd like some more clarification on what/why, just ask.
In any case, it seems a pretty big leap to go from unknown, unexamined packets arriving at your IP address from two well-known companies to asserting that your entire system has been subverted. Have you examined the packets with Wireshark or something? At least then you'd know what was in them.
InsaneHamster wrote: | I guess according to certain individuals on these forums I am stupid, not paranoid to the point of perception in finding these types of ridiculous hits I get almost on a monthly basis. I guess that's what happens when you piss off faggets via the internet. | You asked whether we thought what you were seeing was legitimate. We said yes and told you why. You're welcome to disagree. But I think we'd all appreciate it if you kept your tone more professional.
-m |
Dude, you can think whatever the FUCK you want, but listen: when I run 3 Gentoo boxes and one states that file-.019 has a hash problem when downloading, compared to file-.20 on another one which hasn't been compromised and was STAYING on that package, then looking up and finding that file-.19 has an exploit, there is NO NEED for me to have file-19 on the hacked computer unless someone put it there, forcing the file-.20 which would have been updated a long time ago.
I'm not fucking stupid. I may be paranoid, but I'm not fucking stupid. Do not believe for a second that with no connections to the internet by any application, in any of my tests and scenarios I tried, Google should be sending me that much fucking information.
If you tcpdump now it's possible you may see Google every now and then, plus your router or cable modem DNS, HOWEVER not a fucking file being downloaded in small bursts. You can think whatever the FUCK YOU WANT, but someone has hacked my router. There is no need for Samba to be running on it considering I disallowed it and even in firewall rules made sure that Samba ports, Windows networking and many things were NOT ALLOWED TO COMMUNICATE.
Oh, what's this? Samba is now running; it seems to have root as share account. I'm not hacked, I'm fucking paranoid. Listen, it's not Akamai nor this level3.unknown shit; someone masked and spoofed their shit over top of my router. Wireshark is the same as tcpdump, but a little more informative, and has security holes. It pisses me off when I know for a fact I've been hacked ('cause it happens once a month), I come here, and nobody believes it. But you know, that's fine.
I do not and never said it is the rsync mirror, or any Gentoo website, which was compromised, because it is not. It is something on my network which was able to point and change my network traffic, which allowed this to come into play. A person is able to sign digests; it's not that fucking hard to change a file in portage, inject one, or have one be hidden, as in a layman overlay, to be downloaded from a masked server. Once you have a rootkit or knowledge of how to do this, it takes you 10 minutes if you can obtain the right exploit.
Stupid little shit that led up to before this, like tripwire no longer working and ntop failing. It's not like this happens overnight; considering the type of security I have, I can watch little things fail before something just leads me to the conclusion that it's already too late. And trust me, before ANY MAJOR GROUND IS GAINED, I call it. Nope, I was hacked. If you can PROVE to me I wasn't hacked I'll believe you, but just saying that this is all coincidence I will not believe. The way this attack came through is honestly a great way to hack people: those who see it probably won't believe it is happening, and those who don't know about it will shrug it off with a forum article just like this about it. I'll assume what I feel safe with and continue to do what I do when this happens: stage 1 a new system with mad security, spend 2-3 weeks with hourly, daily and weekly logs, even mandatory access control, wait for it to slowly degrade then fail by watching inconsistencies via logs and network maps, then come to a conclusion about how far they got. Once again. |
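The Manifest digest check this exchange keeps coming back to (a "package digest doesn't match" error, and whether a swapped distfile would get past it) is the comparison below: the size and every listed digest of the downloaded file must match the Manifest entry, so a file changed after the Manifest was written fails even if its size is unchanged. This is an added example, not code from the thread or from Portage itself; the DIST line format it parses and the hash-name mapping are assumptions, and the distfile and Manifest line are constructed samples.

```python
"""Check a downloaded distfile against its Portage-style Manifest entry.
Added example, not from the forum thread or from Portage itself. Assumed line
format: DIST <filename> <size> <HASH> <hexdigest> [<HASH> <hexdigest> ...]
"""
import hashlib

# Manifest hash names mapped to hashlib algorithm names (assumed subset).
HASHES = {"SHA256": "sha256", "SHA512": "sha512", "BLAKE2B": "blake2b"}

def parse_manifest(text):
    """Return {filename: (size, {HASHNAME: hexdigest})} for DIST lines."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip non-DIST lines and lines with a hash name but no digest.
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue
        entries[fields[1]] = (int(fields[2]), dict(zip(fields[3::2], fields[4::2])))
    return entries

def verify_distfile(data, name, entries):
    """Return mismatch descriptions; an empty list means the file checks out."""
    if name not in entries:
        return ["no Manifest entry for " + name]
    size, digests = entries[name]
    problems = []
    if len(data) != size:
        problems.append("size %d != Manifest size %d" % (len(data), size))
    for hname, expected in digests.items():
        algo = HASHES.get(hname)
        if algo is None:
            problems.append("cannot check unsupported hash " + hname)
            continue
        if hashlib.new(algo, data).hexdigest() != expected.lower():
            problems.append(hname + " digest mismatch")
    return problems

# Constructed sample: a fake distfile and a Manifest line derived from it.
SAMPLE_NAME = "example-1.0.tar.bz2"
SAMPLE_DATA = b"constructed sample distfile contents, not a real tarball\n"
SAMPLE_MANIFEST = "DIST %s %d SHA256 %s SHA512 %s\n" % (
    SAMPLE_NAME, len(SAMPLE_DATA), hashlib.sha256(SAMPLE_DATA).hexdigest(),
    hashlib.sha512(SAMPLE_DATA).hexdigest())

if __name__ == "__main__":
    entries = parse_manifest(SAMPLE_MANIFEST)
    print("untouched:", verify_distfile(SAMPLE_DATA, SAMPLE_NAME, entries))
    # One changed byte keeps the size but breaks every digest.
    print("tampered:", verify_distfile(SAMPLE_DATA[:-2] + b"X\n", SAMPLE_NAME, entries))
```

A mismatch only tells you the file and the Manifest disagree; which side was altered, and where (the distfile mirror, the rsync mirror, or the local portage tree), still has to be established by comparing against a second mirror, as madisonicus suggests.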