
Kaspersky... tsk, tsk.


jghgjb790's Avatar
Member
0 0

So apparently Kaspersky makes FTP requests straight from our machines. After some sniffing, I discovered a FTP address (38.117.98.202). I tried connecting with a random password, and was told to use my email address. So I used a random string with an @ symbol in it, and oh, look, I'm in. I have NO idea what this is (I can't find the public pages) or what it is for, but I'm pretty sure I can download programs straight from there. Anyway, have a look around it, post if you find anything interesting, or you know what it is used for :)


ghost's Avatar
0 0

My guess is that this is the Kaspersky updater at work. Doing a dig of "dnl-13.geo.kaspersky.com" I get a response of the IP you listed. Additionally, looking on their forums shows a user asking about the update process and specifically mentions this IP address[1]. I've seen other update services do similar things over FTP. Do you have a pcap of the traffic you can share?

[1] http://forum.kaspersky.com/lofiversion/index.php/t172952.html


goluhaque's Avatar
Member
0 0

jghgjb790 wrote: So apparently Kaspersky makes FTP requests straight from our machines. After some sniffing, I discovered a FTP address (38.117.98.202). I tried connecting with a random password, and was told to use my email address. So I used a random string with an @ symbol in it, and oh, look, I'm in. I have NO idea what this is (I can't find the public pages) or what it is for, but I'm pretty sure I can download programs straight from there. Anyway, have a look around it, post if you find anything interesting, or you know what it is used for :)

Time to uninstall BitDefender.


jghgjb790's Avatar
Member
0 0

only_samurai wrote: My guess is that this is the kaspersky updater at work. […] Do you have a pcap of the traffic you can share?

No, I was using Cain and it won't let me save them (as far as I know) or even copy them to save them…

[edit] Here's the info:

Time-stamp: 04/08/2010 - 12:57:18 (useless info)
FTP server: 38.117.98.202 (Already mentioned)
Client: 192.168.. (removed for privacy)
Username: anonymous
Password: ioB6kCioBm15n7Bl4OzBANNy4wLjEuMzIx@ (Not an email, not typed by human… Hmmmm…. Might be encrypted. I'll look it up and dictionary attack it)

Does anyone know about FTP servers? Can user permissions be set? I know that they can be for viewing them online (chmodding them) but can you restrict uploading, downloading, or deleting a file?
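Before treating the string the client sent as its anonymous-FTP password as "encrypted", it is worth checking whether any part of it is plain base64. The following is an added example, not code from the thread or from Kaspersky: it scans a token for 4-aligned windows that base64-decode to printable ASCII and reports them. The observed password is embedded as a constructed sample copied from the post above, and the function name find_base64_text is my own. On that sample the last twelve characters, Ny4wLjEuMzIx, decode to 7.0.1.321, which reads like a product version number; the example makes no claim about the rest of the string beyond what the scan reports.

```python
import base64
import re
import string

# Constructed sample taken from the post above: the "password" the Kaspersky
# client sent to the anonymous FTP server (the '@' makes it look like an e-mail).
OBSERVED_PASSWORD = "ioB6kCioBm15n7Bl4OzBANNy4wLjEuMzIx@"

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def decode_if_printable(chunk):
    """Base64-decode a 4-aligned chunk; return the text if every byte is
    printable ASCII, otherwise None (binary or invalid base64)."""
    try:
        raw = base64.b64decode(chunk, validate=True)
    except ValueError:
        return None
    if not raw or any(chr(b) not in PRINTABLE for b in raw):
        return None
    return raw.decode("ascii")


def find_base64_text(token, min_chars=8):
    """Scan `token` for windows whose length is a multiple of 4 and at least
    `min_chars` that base64-decode to printable text. Returns a list of
    (offset, encoded_window, decoded_text): the longest hit per offset, with
    hits nested entirely inside a longer hit dropped."""
    hits = []
    # Only runs of base64 alphabet characters can be candidates; '@' etc. split them.
    for m in re.finditer(r"[A-Za-z0-9+/=]+", token):
        run, base = m.group(0), m.start()
        for start in range(len(run)):
            longest = (len(run) - start) // 4 * 4
            for length in range(longest, min_chars - 1, -4):
                text = decode_if_printable(run[start:start + length])
                if text is not None:
                    hits.append((base + start, run[start:start + length], text))
                    break
    kept = []
    for off, enc, txt in hits:
        nested = any(
            (o2, e2) != (off, enc) and o2 <= off and off + len(enc) <= o2 + len(e2)
            for o2, e2, _ in hits
        )
        if not nested:
            kept.append((off, enc, txt))
    return kept


if __name__ == "__main__":
    for offset, encoded, decoded in find_base64_text(OBSERVED_PASSWORD):
        print("offset %2d  %-24s -> %r" % (offset, encoded, decoded))
```

The scan deliberately tries every offset rather than assuming the whole token is one base64 blob: a version string appended to a binary identifier only decodes cleanly when the window starts at the right place.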


ghost's Avatar
0 0

jghgjb790 wrote: No, I was using Cain and it won't let me save them (as far as I know) or even copy them to save them…

Does anyone know about FTP servers? Can user permissions be set? I know that they can be for viewing them online (chmodding them) but can you restrict uploading, downloading, or deleting a file?

Really depends on the FTP daemon, some do it differently…. I know that pure-ftpd has a specified client-side app to deal with all of that (pure-pw); others you might have to set up the folders and the permissions by yourself. Have you nmap -sV'ed that bitch?… post the results… That should give the software/version of what ftp daemon it's running… Then you can have an idea of what you're up against.

edit: spellcheck!!!


stealth-'s Avatar
Ninja Extreme
0 0

I think samurai hit this one right on the spot. If you look around it's just a bunch of patches and some other stuff. Most of the other stuff is already available over HTTP, too. There definitely are a lot of files there, and it looks like fun to sort through a bit, but I seriously doubt anything too interesting will be there.

As for security, they of course weren't actually stupid enough to leave anything open. It's all read-only for anonymous users. Nmap doesn't recognize the FTP service version, so maybe it's something custom.

Anyways, I just took a quick look at it, maybe I'll check it out a bit more in the morning. Oh, lol, and for sniffing, use wireshark for god's sake. ;)


GTADarkDude's Avatar
Member
0 0

I bet it shows the same content as ftp://ftp.kaspersky.com/

Open FTP server for downloading updates and patches and stuff. Nothing interesting. Or at least I haven't found anything worth mentioning.


ghost's Avatar
0 0

GTADarkDude wrote: I bet it shows the same content as ftp://ftp.kaspersky.com/

Open FTP server for downloading updates and patches and stuff. Nothing interesting. Or at least I haven't found anything worth mentioning.

I'd bet too… If you do a lookup of that domain, you get the following:

;; ANSWER SECTION:
ftp.kaspersky.com.      3546    IN      CNAME   ftp.kaspersky-labs.com.
ftp.kaspersky-labs.com. 846     IN      CNAME   dnl-geo.kaspersky-labs.com.
dnl-geo.kaspersky-labs.com. 3546 IN     CNAME   prd.geo.kaspersky.com.
prd.geo.kaspersky.com.  6       IN      A       38.117.98.196
prd.geo.kaspersky.com.  6       IN      A       38.117.98.199
prd.geo.kaspersky.com.  6       IN      A       38.117.98.202

ftp.kaspersky.com actually points to the address in question, as well as a few others.
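The CNAME chain above can be checked mechanically rather than by eye. This is an added example, not code from the thread or from Kaspersky: it parses the dig answer section quoted above (embedded as a constructed string), follows the CNAME chain from ftp.kaspersky.com to its A records, and reports whether the sniffed address 38.117.98.202 is one of them. The function names parse_answer_section, resolve_chain and explains_observed_ip are my own.

```python
import ipaddress

# Constructed sample: the dig ANSWER SECTION quoted in the post above.
DIG_ANSWER = """\
;; ANSWER SECTION:
ftp.kaspersky.com.      3546    IN      CNAME   ftp.kaspersky-labs.com.
ftp.kaspersky-labs.com. 846     IN      CNAME   dnl-geo.kaspersky-labs.com.
dnl-geo.kaspersky-labs.com. 3546 IN     CNAME   prd.geo.kaspersky.com.
prd.geo.kaspersky.com.  6       IN      A       38.117.98.196
prd.geo.kaspersky.com.  6       IN      A       38.117.98.199
prd.geo.kaspersky.com.  6       IN      A       38.117.98.202
"""


def parse_answer_section(text):
    """Parse dig-style resource records into {owner: [(type, rdata), ...]}.
    Owner names and CNAME targets are lowercased with the trailing dot removed."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # comments and the ';; ANSWER SECTION:' banner
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # not an "owner ttl IN type rdata" record
        owner = fields[0].lower().rstrip(".")
        rtype, rdata = fields[3].upper(), fields[4]
        if rtype == "CNAME":
            rdata = rdata.lower().rstrip(".")
        records.setdefault(owner, []).append((rtype, rdata))
    return records


def resolve_chain(records, name, max_hops=8):
    """Follow CNAMEs from `name`; return (list of names visited, sorted A addresses).
    Stops on a loop or after max_hops so a broken zone cannot spin forever."""
    chain = [name.lower().rstrip(".")]
    addresses = set()
    for _ in range(max_hops):
        rrs = records.get(chain[-1], [])
        addresses.update(r for t, r in rrs if t == "A")
        targets = [r for t, r in rrs if t == "CNAME"]
        if not targets:
            break
        if targets[0] in chain:
            raise ValueError("CNAME loop at %s" % targets[0])
        chain.append(targets[0])
    return chain, sorted(addresses, key=ipaddress.IPv4Address)


def explains_observed_ip(records, name, observed_ip):
    """True if `observed_ip` is among the addresses `name` ultimately resolves to."""
    _, addresses = resolve_chain(records, name)
    return observed_ip in addresses


if __name__ == "__main__":
    recs = parse_answer_section(DIG_ANSWER)
    chain, addrs = resolve_chain(recs, "ftp.kaspersky.com")
    print(" -> ".join(chain))
    print("A records:", addrs)
    print("38.117.98.202 explained:", explains_observed_ip(recs, "ftp.kaspersky.com", "38.117.98.202"))
```

The same check is what you would run against any unexpected outbound connection from a host: resolve the vendor's published hostname and see whether the observed address falls in its answer set before treating the traffic as suspicious.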


jghgjb790's Avatar
Member
0 0

Okay, thanks for looking at it. I haven't had very much time in the past few days due to work… Side note, there are 2 hotels next to where I work, both with unsecured wifi! I'm thinking of teaching them a lesson and routing the DNS requests (nothing serious, silly stuff. Yahoo to Google, Myspace to Facebook), but first I'm going to look into the legality of it.

The reason I was using Cain is because it automatically filters the packets (very nicely, too), whereas with wireshark, it's manual (better in some cases). I'm going to find a tutorial on filtering with wireshark.


stealth-'s Avatar
Ninja Extreme
0 0

MoshBat wrote: [quote]jghgjb790 wrote: legality of it.

No.[/quote]

Gaining unauthorized access to a private network for the sole purpose of disrupting services a business relies on? Why on earth wouldn't that be legal?


jghgjb790's Avatar
Member
0 0

stealth- wrote: Gaining unauthorized access to a private network

They display a sign that says "Free Wifi", have no password on it, and broadcast well outside of their property. So it isn't exactly private. But the HBH members are usually right, so I'm not going to do anything. But still, having password-free wifi advertised in a target-rich environment like that… Probably not the smartest thing ever done. They could have at least put a simple password on it, and handed out the password to customers.

Side note, I've switched to wireshark, finally.


stealth-'s Avatar
Ninja Extreme
0 0

jghgjb790 wrote: [quote] Gaining unauthorized access to a private network

They display a sign that says "Free Wifi", have no password on it, and broadcast well outside of their property. So it isn't exactly private. But the HBH members are usually right, so I'm not going to do anything. But still, having password free wifi advertised in a target rich environment like that… Probably not the smartest thing ever done. They could have at least put a simple password on it, and handed out the password to customers.

Side note, I've switched to wireshark, finally. [/quote]

Hotel wifi is sort of a bad situation right from the start. A bunch of people you don't know very well all hanging around on the same network? Not the best idea. In my opinion, the ideal situation would be one where the clients have all been firewalled from each other and every one of them is smart enough to tunnel home, but we all know that's never going to happen.

Also, I sent you a PM about the legality of that.