22-06-07

fedpol.be and ecops hacked into history

After mil.be, now the police and the digital cops.

How good are the ecops?

Will they find the so-called 17-year-old hacker?

Can they do real forensics?

Can they trace an attacker back through proxies, botnets, compromised DNS and so on?

 

The funniest thing is that they were hacked around 12:00 (they are not sure of the exact time), so normally the security people would have been watching live. Or were they busy eating sandwiches and talking about the coming holidays?

 

This is why you should have real-time monitoring software on big screens in your monitoring room, with someone watching your servers and being alerted about changes. (Hey, is anybody working on our site right now? No? OK, then someone is getting root. Pull the logs from there, switch the sniffer to catch-all, make sure the logs from the host intrusion detection software go onto a CD. Do you already know which ISP? Yes? Call them, we're going to get that ....)

 

Or is it more like this:

hey Joe, I had a phone call saying our site has been hacked

our site hacked? no, you're joking

look, in my browser it still looks fine

maybe it is your cache

my what?

oh, I will refresh

oooopsie

 

Spycheck team, it is called.

For the joke: Spycheck is anti-porn software.

The names that are mentioned are not known as such in the public hacker scene; spytech is intelligence technology, so that is interesting.

Maybe it is an insider joke:

porn vamps against anti-porn software that uses spytech.

 

The journalist who took the screenshot also gives away a lot about himself:

- he uses Internet Explorer

- he uses the Yahoo toolbar

- he uses Yahoo chat (for which exploits exist)

and no LinkScanner or anything of that kind.

Pretty naked.

 

http://www.sudpresse.be/la_une/details/2007/06/22/article...

 

And the site is still down.

[screenshot: laatst_006]

[screenshot: laatst_007]

 

 

17:45 Posted by technology changes fast not a lot in General | Comments (2)


Important Belgian mail servers becoming a spam relay for infected clients of their ISP

Last week we wrote that some mail servers of big Belgian ISPs were being identified by a honeypot network. Some of them were not yet identified as spammers worldwide. That is now becoming the case. It is urgent to do something.

Please participate in this network. This is another proof that we need more honeypots to find problems before they escalate, if only administrators would DO something.

 

1. 81.169.105.17  Proximus

[screenshot: laatst_001]

2. 213.132.131.104  Chello.be

[screenshot: laatst_002]

3. 83.182.176.169  Tele2

[screenshot: laatst_003]

4. 212.68.218.201  Brutele

[screenshot: laatst_004]

And they all seem to have been used in a spam storm during the last day.

Maybe the days when you could get away with not filtering outgoing mail for viruses, malware and plain spam are over, because otherwise you become a relay for the botnets inside your own network.

14:34 Posted by technology changes fast not a lot in General | Comments (0)

and the hacking goes on and on

The list of newly hacked sites added to the archive (Furl) can be found at

http://be-hacked.skynetblogs.be

Meanwhile, some thoughts after 150 visits:

* a few, but some, try to use exploits against the visitor's machine or push downloads

* many are just noise, like putting "hacked by" in the title of a forum or as a message in the forum

* another popular technique is adding a page to a website (can't you log that, folks?)

* most are Turks, hacking even their own domain

* Google blocks some but not all, even though it could block all hacked sites; that way it could be sure the owners' attention would be drawn

* free.fr, a free-hosting provider in France, has a problem because many of its pages have been taken over
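The change detection called for in the monitoring-room scenario of the fedpol.be post above and the "adding a page to a website" technique in this list come down to the same check: a trusted baseline manifest of the webroot compared against its current state, run by a monitor rather than by refreshing a browser that may be serving you its cache. The following is an added example, not code from the original blog. It assumes the webroot is a local directory; the site files and the defacement are constructed for the demo and live in a temporary directory.

```python
"""Webroot integrity monitor: alert on modified, added and removed files.

Added example, not code from the original blog. It assumes the webroot is a
local directory; the files and the defacement below are constructed for the
demo and live in a temporary directory.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large assets do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Compare a trusted baseline with the current state of the webroot.

    'modified' catches a defaced page, 'added' catches the dropped
    'hacked by' page that nobody logs, 'removed' catches deleted content."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small site, then deface it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "img").mkdir()
        (root / "index.html").write_text("<h1>Federal Police</h1>")
        (root / "contact.html").write_text("<p>Contact us</p>")
        (root / "img" / "logo.svg").write_text("<svg/>")
        baseline = snapshot(root)  # taken at deploy time; keep it off-host

        # The attacker replaces the front page and drops an extra page.
        (root / "index.html").write_text("<h1>hacked by someone</h1>")
        (root / "img" / "hacked.html").write_text("<h1>owned</h1>")

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        for name in files:
            print(f"ALERT {kind}: {name}")
```

Store the baseline somewhere the web server cannot write to; an attacker who gets root on the host can otherwise rewrite the manifest along with the pages. Run the comparison on a schedule and feed the alerts to whoever is sitting in front of the big screens.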

 

And Belgian .be sites are also being hacked, and sometimes stay that way.

 

 

13:00 Posted by technology changes fast not a lot in General | Comments (0)

Blogoloog doesn't lie about popularity

As a small blogger you have to stay modest. You remain the fly on the wall. And despite the fact that bloggers and journalists like to write about each other (the way women like to chat about each other, silly joke), the influence and importance of bloggers in Flanders is still limited.

http://www.blogoloog.be/popular.cgi  yes indeed, being first with 4 links to your site is not really being popular.... Or else many blogs are not concerned with current affairs at all but with cat, kid, cycling and bum.

12:50 Posted by technology changes fast not a lot in General | Comments (1)

holiday

So I am going on holiday for a few weeks.

If you don't know what to do in the meantime:

You can read more than 2000 links and articles in Furl

You can read more than 800 RSS feeds about security, politics and web 2.0

You can read more than 800 online books (security, terrorism and literature)

or the list of blogs at the side, with video and freeware, or make your own Netvibes portal. See you back in August.

 

12:46 Posted by technology changes fast not a lot in General | Comments (0)

19-06-07

Major mail servers of major Belgian ISPs used for spam

1. Proximus server, honeypot info

IP Information for 81.169.105.17

Location: Belgium, Proximus-mi
Reverse DNS: 17.105.169.81.in-addr.arpa. 3600 IN PTR 17-105-169-81.mobileinternet.proximus.be.
IP: 81.169.105.17
Blacklist: Clear (for now)
inetnum:   81.169.96.0 - 81.169.111.255
netname:   BE-PROXIMUS-MI3

2. TVD Brussels ISP, honeypot info

IP Information for 213.132.131.104

Location: Belgium, Brussels, TVD Internet - UPC Belgium - Chello
Reverse DNS: 104.131.132.213.in-addr.arpa. 10800 IN PTR cable-213-132-131-104.upc.chello.be.
IP: 213.132.131.104
Blacklist: Currently listed
inetnum:   213.132.128.0 - 213.132.143.255
netname:   TVD-INTERNET
descr:    TVD Internet - UPC Belgium - Chello
descr:    ISP - CATV operator Brussels/Leuven

3. UPC - TVD Brussels, honeypot info

IP: 87.244.155.113
inetnum:    87.244.128.0 - 87.244.191.255
org:      ORG-TIUB1-RIPE
netname:    BE-TVD-20050805
descr:     UPC Belgium

4. Skynet.be, honeypot information

IP Information for 195.238.4.116

Location: Belgium, Liege, Belgacom SA/NV
Reverse DNS: 116.4.238.195.in-addr.arpa. 3600 IN PTR outmx017.isp.belgacom.be.
IP: 195.238.4.116
Blacklist: Clear
inetnum:    195.238.0.0 - 195.238.31.255
netname:    SKYNET-B
descr:     Belgacom SA/NV
descr:     Internet access provider

5. Tele2, honeypot information

IP Information for 83.182.176.169

Location: Belgium, Brussels, Tele2 Belgium
Reverse DNS: 169.176.182.83.in-addr.arpa. 4969 IN PTR d83-182-176-169.cust.tele2.be.
IP: 83.182.176.169
Blacklist: Clear
inetnum:    83.182.128.0 - 83.182.255.255
netname:    BE-TELE2
descr:     TELE2 Belgium
descr:     Adsl
descr:     TELE2 / SWIPNET

And this also applies to

6. 212.68.218.201  Brutele, honeypot info: blacklisted

 

You can find more at http://www.projecthoneypot.org and you can participate by placing some code on your websites.

 

But what does the above mean?

It can mean that:

* they do no spam filtering of mail going from their users to users outside their network

* their mail servers' addresses are being impersonated by others because they use no keys or authentication mechanism

* their mail servers are being abused by others (maybe the same trick as was used against the mail servers of Vlaanderen.be)

Note also that the reverse DNS names above for several of these addresses (cable-...upc.chello.be, ...cust.tele2.be, ...mobileinternet.proximus.be) look like customer access lines rather than the ISPs' own outgoing mail servers; only outmx017.isp.belgacom.be does. That would fit infected client machines sending spam straight out of the ISP's network.

Who knows? The administrators can, and they should start paying attention, because two of these addresses are already on an automated blacklist. This can mean that mail from their users is rejected without explanation by mail servers that apply these blacklists as-is. Those mail servers are used by thousands of businesses and people, who often don't have a clue.
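To make the blacklist and authentication points concrete, here is an added example (not code from the original posts) that builds the reversed-octet query names a DNSBL uses, decides from the answer whether an address is listed, and evaluates the ip4: mechanisms of an SPF record against a sending address. DNS is stubbed with a constructed answer table so it runs offline: the zone name dnsbl.example, the answers (which mirror the listing status in the two posts) and the SPF record for the Belgacom outbound range are assumptions, not real data. The addresses are those from the 19-06 and 22-06 posts; a real check would resolve the same names with the system resolver.

```python
"""DNSBL listing check and a minimal SPF ip4 evaluation for a sending address.

Added example, not code from the original post. DNS is stubbed with a
constructed answer table so the script runs offline; the zone name
dnsbl.example, the answers and the SPF record are assumptions, not real data.
"""
import ipaddress


def reverse_octets(ip: str) -> str:
    """81.169.105.17 -> 17.105.169.81 (validates the address on the way)."""
    return ".".join(reversed(str(ipaddress.IPv4Address(ip)).split(".")))


def ptr_name(ip: str) -> str:
    """Name queried for reverse DNS, as in the whois output above."""
    return reverse_octets(ip) + ".in-addr.arpa"


def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBLs are queried like reverse DNS, but under the list's own zone."""
    return f"{reverse_octets(ip)}.{zone}"


def dnsbl_listed(ip: str, zone: str, resolve) -> bool:
    """resolve(name) returns the A records for name, or [] on NXDOMAIN.

    A listing is signalled by an answer in 127.0.0.0/8; the last octet
    encodes the reason. Some operators reserve 127.255.255.0/24 for error
    replies (blocked resolver, quota exceeded), so those are not hits."""
    hits = ipaddress.IPv4Network("127.0.0.0/8")
    errors = ipaddress.IPv4Network("127.255.255.0/24")
    return any(
        ipaddress.IPv4Address(a) in hits and ipaddress.IPv4Address(a) not in errors
        for a in resolve(dnsbl_query_name(ip, zone))
    )


def spf_authorises(spf: str, ip: str) -> str:
    """Evaluate only the ip4: and all mechanisms of an SPF record for ip.

    Returns pass / fail / softfail / neutral / none. include:, a and mx
    would need further DNS lookups and are deliberately left out."""
    if not spf.startswith("v=spf1"):
        return "none"
    addr = ipaddress.IPv4Address(ip)
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in spf.split()[1:]:
        qualifier = "+"
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:") and addr in ipaddress.IPv4Network(term[4:], strict=False):
            return qualifiers[qualifier]
        if term == "all":
            return qualifiers[qualifier]
    return "neutral"  # no mechanism matched (RFC 7208 default result)


# Constructed answers mirroring the posts' listing status; not real DNSBL data.
DNSBL_ZONE = "dnsbl.example"
FAKE_ANSWERS = {
    dnsbl_query_name("213.132.131.104", DNSBL_ZONE): ["127.0.0.2"],  # Chello: listed
    dnsbl_query_name("212.68.218.201", DNSBL_ZONE): ["127.0.0.3"],   # Brutele: listed
}


def fake_resolve(name: str) -> list:
    return FAKE_ANSWERS.get(name, [])


def check_senders(ips, zone: str = DNSBL_ZONE, resolve=fake_resolve) -> dict:
    """Listing status per sending address, using the supplied resolver."""
    return {ip: dnsbl_listed(ip, zone, resolve) for ip in ips}


if __name__ == "__main__":
    senders = ["81.169.105.17", "213.132.131.104", "87.244.155.113",
               "195.238.4.116", "83.182.176.169", "212.68.218.201"]
    for ip, listed in check_senders(senders).items():
        print(f"{ip:16} {ptr_name(ip):34} {'LISTED' if listed else 'clear'}")
    # Assumed SPF record for the Belgacom outbound range, to show the check.
    print(spf_authorises("v=spf1 ip4:195.238.4.0/24 -all", "195.238.4.116"))
```

An ISP that wants to know before its customers do runs exactly this lookup against its own outbound addresses on a schedule, and publishes an SPF record so that receivers can tell its real relays from an infected cable or ADSL line claiming the same sender domain.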

16:49 Posted by technology changes fast not a lot in General | Comments (0)