RDNS

Posted: Wed Sep 14, 2005 3:56 pm

Recently (pre-Sentinel which I have now installed) we were hacked by someone who was able to fake various IP addresses. Here's a couple of examples from the log file:

Quote:

24.194.120.122 - - [26/Aug/2005:07:58:17 -0700] "GET /v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=500&t=219&rdns=63.65.68.246 HTTP/1.1" 200 8485 "http://webmhcc.org/v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=500&t=219" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"
and
24.194.120.122 - - [26/Aug/2005:08:00:23 -0700] "GET /v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=506&t=219&rdns=dsl.dynamic8121572156.ttnet.net.tr HTTP/1.1" 200 8591 "http://webmhcc.org/v-web/portal/cms/modules.php?name=Forums&file=modcp&mode=ip&p=506&t=219&rdns=81.215.72.156" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"

The hacker to "impersonate" both my IP (the 24.194.120.122 one) and the 63.65.68.246 IP address. I believe that the 81 address is his real one in Turkey.

Now my question is, I don't see RDNS showing up much in the logs and where it does I assume that there is a mismatch between what the server looks up and what the client claims to be? If that's true, does Sentinel attempt to deal with this? Or should it? Could there be a check in place that if a RDNS doesn't resolve the "right hand side" gets banned?

The 63... address is "owned" by a legitimate organization in our area and several members of our web site try to use it but it's banned and staying that way until I can be assured the hacker doesn't have access. I've offered to share my logs with the Data Processing Department but I'm wondering if anyone has other ideas about how hackers do this or how to proceed.

TIA

Posted: Wed Sep 14, 2005 6:41 pm

that looks like you were looking up ip info on a user that posted in the forums

example login you site as admin/forum admin
then visit this link and see [ Only registered users can see links on this board! Get registered or login! ]

Posted: Thu Sep 15, 2005 9:29 am

My concern is not where they are trying to hack into. My concern is that the hacker is making it appear that one IP is being used where he is really coming from another. I've been sitting here looking at the proxy blocker code and I've even put some echo's in to see the effect but that's only on my local system and it's hard to simulate what happens on the Net or to put it into production (and only the hacker would see the echoes anyway).

I guess what I'm asking for from the Sentinel experts is what the best way to block this type of attack is. Is there some level of proxy blocker setting that I should be using? Will it filter this attack but not keep out "legitimate" proxies? Could I use a string blocker and block on the string "rdns"? As far as I can see the rdns is only triggered when the real address doesn't match that the hacker is simulating. Will the proxy blocker compare the "right side" of what's on the rdns with the "claimed" IP and block on a mismatch. I don't see that in the code but I don't claim to be expert at reading it.

Any help would be appreciated as my hacker keeps trying. I just banned the whole 81.* domain but he uses "proxies" so he keeps coming in from domains I haven't banned and as soon as I see that I ban that too but it's what they call a p.i.t.a.

Posted: Fri Sep 16, 2005 12:57 pm

When the hack mentioned in the first post happened I had Forums 2.0.7 and no Sentinel. Now I have the latest Sentinel and latest Forums (2.0.17). But, I believe the "hack" can still happen.

The goose chase I was on was the "rdns" in the log string that I printed. One of the options in the older Forums was for a moderator or admin to change the IP address of a post. They would go into Forums/modcp.php to do this with a "case" set to a value of "IP". From reading the results of Google searches, I believe the BB folks may have removed the option to select the value of IP from the Forum screens but the IP case code is still in modcp.php. So, a hacker could put the value in and change the value of the IP assigned to a Post. Well not quite, I can get into the screen that displays the value of the IP's by "hacking" this code onto the address line but it doesn't change the address. Perhaps the older Forum versions also let the IP be changed, I don't know.

I'm not sure at this point, just didn't want people to go off searching for the wrong thing. Someone might try on their system to see if, as moderator or God admin they can get in to display or change the IP addresses on Forum postings and post the results here. At the very least a hacker shouldn't be able to enter something on the address line that you can't access thru the normal Forum programs.

Thanks.

Posted: Tue Sep 20, 2005 9:02 am

I will test the query string on a couple of sites and see if there needs to be an addition to NukeSentinel(tm) for it.