Web Hosting Talk
View Full Version : ALERT! Hackers conference now on in NYC


mwatkins
07-14-2002, 03:41 AM
I am being probed by a machine which appears to be associated with H2K2 - http://www.h2k2.net/ - "H2K2 will take place July 12-14, 2002 in New York City "

http://www.h2k2.net/faq.html
Q: What is H2K2?

A: H2K2 is the 2002 Hackers On Planet Earth (HOPE) conference, a gathering for hackers of all types.


Be alert to this. The type of probe being run is testing for 'well known applications' being installed in your cgi-bin, among other places. No doubt many or all of these are compromised. Be aware...


e.g.:
- [13/Jul/2002:23:12:17 -0700] "HEAD / HTTP\\1.0" 400 0 "-" "-"
- [13/Jul/2002:23:12:18 -0700] "HEAD /// HTTP/1.0" 200 0 "-" "-"
- [13/Jul/2002:23:12:18 -0700] "HEAD ///server-info HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:18 -0700] "HEAD ///server-status HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:19 -0700] "HEAD /site/eg/ HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:19 -0700] "HEAD /doc/ HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:19 -0700] "HEAD /~nobody/ HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:19 -0700] "HEAD ///manual/ HTTP/1.0" 200 0 "-" "-"
- [13/Jul/2002:23:12:19 -0700] "HEAD /cgi-bin/ HTTP/1.0" 403 0 "-" "-"
- [13/Jul/2002:23:12:20 -0700] "HEAD /cgi-bin/ad.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:20 -0700] "HEAD /cgi-bin/aglimpse HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:23 -0700] "HEAD /cgi-bin/AnyForm2 HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:23 -0700] "HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:23 -0700] "HEAD /cgi-bin/bsguest.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:23 -0700] "HEAD /cgi-bin/bslist.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:23 -0700] "HEAD /cgi-bin/campas HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:23 -0700] "HEAD /// HTTP/1.0" 200 0 "-" "-"
- [13/Jul/2002:23:12:24 -0700] "HEAD ///carbo.ddl HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:24 -0700] "HEAD /cgi-bin/count.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:24 -0700] "HEAD /cgi-bin/cgforum.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:24 -0700] "HEAD /cgi-bin/faxsurvey HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:24 -0700] "HEAD /cgi-bin/gbook.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:27 -0700] "HEAD /cgi-bin/htsearch HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:27 -0700] "HEAD /cgi-bin/htmlscript HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:27 -0700] "HEAD /cgi-bin/jj HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:27 -0700] "HEAD /technote/ HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:27 -0700] "HEAD /cgi-bin/mmstdod.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:28 -0700] "HEAD /cgi-bin/newdesk HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:28 -0700] "HEAD /cgi-bin/register.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:28 -0700] "HEAD /cgi-bin/simplestguest.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:28 -0700] "HEAD /cgi-bin/statusconfig.pl HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:31 -0700] "HEAD /cgi-bin/webgais HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:31 -0700] "HEAD /iisadmpwd/ HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:34 -0700] "HEAD /cgi-bin/webgais HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:44 -0700] "HEAD /cgi-bin/infosrch.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:45 -0700] "HEAD /cgi-bin/rguest.exe HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:46 -0700] "HEAD /mall_log_files/ HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:47 -0700] "HEAD /cgi-bin/ezshopper2/loadpage.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:47 -0700] "HEAD /Admin_files/ HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:48 -0700] "GET ///quote.html HTTP/1.0" 404 282 "-" "-"
- [13/Jul/2002:23:12:48 -0700] "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 289 "-" "-"
- [13/Jul/2002:23:12:58 -0700] "HEAD /cgi-bin/dcboard.cgi HTTP/1.0" 404 0 "-" "-"
- [13/Jul/2002:23:12:58 -0700] "GET /cgi-bin/nph-maillist.pl HTTP/1.0" 404 293 "-" "-"
- [13/Jul/2002:23:12:58 -0700] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 404
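The probe pattern quoted above (a burst of HEAD requests for well-known CGI names that all return 404, followed by `../../etc/passwd%00` traversal attempts) is easy to pick out of an access log automatically. The following detector is an added example and not code from the original post or from anyone in this thread; it parses Apache combined-log lines, groups them by client, and flags any client that produces several distinct missing `/cgi-bin/` targets inside a 60-second window or sends traversal/null-byte markers. The sample log is constructed for the example and modelled on the request lines in the post; the client addresses 192.0.2.10 and 198.51.100.7 are documentation placeholders, since the post did not give the source IP.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample in Apache combined-log format, modelled on the request lines quoted in
# the first post. Client addresses are RFC 5737 documentation placeholders (assumption: the
# post did not include the probing host's address).
SAMPLE_LOG = r'''
192.0.2.10 - - [13/Jul/2002:23:12:17 -0700] "HEAD / HTTP\\1.0" 400 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:18 -0700] "HEAD ///server-status HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:19 -0700] "HEAD /cgi-bin/ HTTP/1.0" 403 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:20 -0700] "HEAD /cgi-bin/ad.cgi HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:20 -0700] "HEAD /cgi-bin/aglimpse HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:23 -0700] "HEAD /cgi-bin/AnyForm2 HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:23 -0700] "HEAD /cgi-bin/bbs_forum.cgi HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:24 -0700] "HEAD /cgi-bin/count.cgi HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:31 -0700] "HEAD /cgi-bin/webgais HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:34 -0700] "HEAD /cgi-bin/webgais HTTP/1.0" 404 0 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:48 -0700] "GET /cgi-bin/cal_make.pl?p0=../../../../../../../../../../../../etc/passwd%00 HTTP/1.0" 404 289 "-" "-"
192.0.2.10 - - [13/Jul/2002:23:12:58 -0700] "GET /cgi-bin/talkback.cgi?article=../../../../../../../../etc/passwd%00&action=view&matchview=1 HTTP/1.0" 404 312 "-" "-"
198.51.100.7 - - [13/Jul/2002:23:12:30 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2002:23:12:31 -0700] "GET /images/logo.gif HTTP/1.0" 200 2210 "-" "Mozilla/4.0"
198.51.100.7 - - [13/Jul/2002:23:12:40 -0700] "GET /cgi-bin/count.cgi HTTP/1.0" 404 289 "-" "Mozilla/4.0"
'''

# Common/combined log format: ip ident user [timestamp] "METHOD target PROTO" status size ...
# The protocol field is optional and unconstrained so that malformed request lines such as
# the "HTTP\1.0" one above (answered with 400) still parse.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

WINDOW = timedelta(seconds=60)
CGI_MISS_THRESHOLD = 5  # distinct missing/forbidden cgi-bin targets per client per WINDOW


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
    }


def indicators(target):
    """Return the set of probe indicators present in one request target."""
    decoded = unquote(target)  # %00 becomes a literal NUL, %2e%2e/ becomes ../
    found = set()
    if decoded.lstrip("/").startswith("cgi-bin/"):
        found.add("cgi-bin")
    if "../" in decoded:
        found.add("traversal")
    if "\x00" in decoded:
        found.add("null-byte")
    if decoded.startswith("///"):
        found.add("triple-slash")
    return found


def analyse(log_text):
    """Group requests by client and score each client's busiest 60-second window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        misses = []  # (timestamp, path-without-query) of 403/404 cgi-bin targets
        traversal_targets = []
        for r in recs:
            ind = indicators(r["target"])
            if "cgi-bin" in ind and r["status"] in (403, 404):
                misses.append((r["ts"], r["target"].split("?", 1)[0]))
            if "traversal" in ind or "null-byte" in ind:
                traversal_targets.append(r["target"])
        # Peak number of distinct cgi-bin misses inside any WINDOW starting at a miss.
        peak = 0
        for i, (t0, _) in enumerate(misses):
            distinct = {path for t, path in misses[i:] if t - t0 <= WINDOW}
            peak = max(peak, len(distinct))
        verdict = []
        if peak >= CGI_MISS_THRESHOLD:
            verdict.append("cgi-scanner")
        if traversal_targets:
            verdict.append("path-traversal-attempt")
        report[ip] = {
            "requests": len(recs),
            "peak_cgi_misses_per_window": peak,
            "traversal_targets": traversal_targets,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for ip, summary in analyse(SAMPLE_LOG).items():
        print(ip, summary["verdict"], "peak misses:", summary["peak_cgi_misses_per_window"])
```

The threshold counts distinct targets rather than raw requests so that a legitimate user who reloads one broken link a few times is not flagged, while a scanner that walks a list of old CGI names trips it within seconds; the traversal check runs on the percent-decoded target so that encoded variants of `../` and `%00` are caught as well.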

Studio64
07-14-2002, 05:01 AM
How do you know it's from H2K2...

I'll be willing to bet some money it's not from them...
They almost always only play war games w/ machines inside their own network.

They actually have people watching the traffic for outbound attacks. That's a serious no no....

What's the originating IP....

Matt Lightner
07-14-2002, 05:26 AM
Originally posted by Studio64
How do you know it's from H2K2...

I'll be willing to bet some money it's not from them...
They almost always only play war games w/ machines inside their own network.

They actually have people watching the traffic for outbound attacks. That's a serious no no....

What's the originating IP....

Actually h2k2.net appears to be hosted on NAC's network...

root [~]# host h2k2.net
h2k2.net has address 207.99.30.227
root [~]# whois 207.99.30.227@whois.arin.net
[whois.arin.net]
Net Access Corporation (NETBLK-NAC-NETBLK01)
1719b Route 10E, Suite 111
Parsippany, NJ 07054
US

Netname: NAC-NETBLK01
Netblock: 207.99.0.0 - 207.99.127.255
Maintainer: NAC

Coordinator:
Net Access Corporation (ZN77-ARIN) legal@nac.net
800-638-6336

Domain System inverse mapping provided by:

NS1.NAC.NET 207.99.0.1
NS2.NAC.NET 207.99.0.2

ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE

* Reassignment information for this network is available
* at whois.nac.net 43

Record last updated on 22-Aug-2001.
Database last updated on 13-Jul-2002 19:59:28 EDT.
So I wouldn't rule out the possibility entirely. But as I told Mike, it does seem to be a little bit beneath the good people of h2k2 to be scanning for CGI exploits. Nevertheless, we have contacted NAC about the issue.

microsol
07-14-2002, 10:05 AM
Nahh, looks like they are serious. I am sure they "don't hack around at people's servers". They came up with an encryption software "easy to use for everybody" and this will be presented when their conference takes place. This software is supposed to replace PGP and even the most stupid person should be able to use it.

mwatkins
07-14-2002, 11:43 AM
It appears to have come from H2K2's machine. I was awake while it was going on... and whatever they were doing with that box was causing ping response time to drop to > 300 - 400ms.

And it's on the same 'LAN' basically... should be more like .3 - .4 ms.

Conjecture - someone was doing something, probably running script attacks, at a fair number of hosts from that box, saturating their connection.

Perhaps it's not H2K2 themselves ... maybe one of the 'HOPE' conference attendees was up to no good.

The Prohacker
07-14-2002, 12:52 PM
I wouldn't doubt if someone was faking the IP and making it look like it came from them.. To make them look bad...

Wouldn't be the first time it's happened to them...

FDrive
07-14-2002, 01:05 PM
Originally posted by The Prohacker
I wouldn't doubt if someone was faking the IP and making it look like it came from them.. To make them look bad...

Wouldn't be the first time it's happened to them...

Yeah, I really don't think h2k2 would have anything to do with scanning for common CGI exploits

mwatkins
07-14-2002, 01:23 PM
I had thoughts about someone faking the IP, but noting the ping response time on the machine located at NAC - seeing that *way* off where it should be, at the same time as the scan for CGI exploits was happening -- too coincidental.

When was the last time you saw ping response of > 300ms, 4 hops away, on the same LAN for all intents?

Something was happening on that machine... not a faked IP is my guess.

devon
07-14-2002, 01:40 PM
Your machine would have to respond to the IP that is probing it, as would any others that are being probed. The slow ping response could be because the server is getting a bunch of bogus responses.

chirpy
07-14-2002, 03:44 PM
That's also a relatively old footprint (looks familiar to ones I've seen in the past) and most likely a script-kiddie tool.

Studio64
07-14-2002, 08:07 PM
Originally posted by Site5-Matt
Actually h2k2.net appears to be hosted on NAC's network...

root [~]# host h2k2.net
h2k2.net has address 207.99.30.227
root [~]# whois 207.99.30.227@whois.arin.net
[whois.arin.net]
Net Access Corporation (NETBLK-NAC-NETBLK01)
1719b Route 10E, Suite 111
Parsippany, NJ 07054
US

So I wouldn't rule out the possibility entirely. But as I told Mike, it does seem to be a little bit beneath the good people of h2k2 to be scanning for CGI exploits. Nevertheless, we have contacted NAC about the issue.

All that shows is where their webserver is located...

It doesn't show (nor do I know) who is providing them bandwidth at their conference... They probably had a few DSL or a T-1 (OC-192 :D) lines dragged in to the building....

And I doubt that their webserver is located on the inner of the LAN at the conference. Aside from the fact that they probably don't want to test their security that much and the site has been up much longer than the conference itself....

So showing a whois to their webserver shows nothing in relation to who or where the attack is coming from.... Also if you notice the IP resolved to NJ... The conference is at the Hotel Penn in NYC....

ned patter
07-14-2002, 08:12 PM
Huh, in New York, what do you expect them to be, all hard? Go get a few boys and knock all the geeks out.
If there was anything like that around here I would certainly go round there and kick seven shades out of them.

Matt Lightner
07-14-2002, 08:28 PM
Originally posted by Studio64
So showing a whois to their webserver shows nothing in relation to who or where the attack is coming from.... Also if you notice the IP resolved to NJ... The conference is at the Hotel Penn in NYC....

No... but I did see the logfiles, and the scans did appear to be coming from another IP within NAC. I was just pointing out that their webserver is on NAC's network anyway. I doubt it has anything to do with the bandwidth used for the actual conference itself.

RRolfe
07-14-2002, 08:57 PM
yeah this just doesn't seem like the type of thing that the people at the conference would do.

The Prohacker
07-14-2002, 09:47 PM
You gotta ask yourself why they would try something like that...

Part of their goal is to educate people that not all hackers are script kiddies and do crap like the above...

That's why I'm thinking some punk 13 y/o did it :D

Studio64
07-14-2002, 10:15 PM
Originally posted by The Prohacker
You gotta ask yourself why they would try something like that...

Part of their goal is to educate people that not all hackers are script kiddies and do crap like the above...

That's why I'm thinking some punk 13 y/o did it :D

I completely agree... I've been a subscriber of 2600 (the group that is organizing the event) for years.... This is not their MO or objective. You've probably got someone else attacking your servers...

neonlexx
07-14-2002, 10:34 PM
I'm siding with them, I also have been a long time subscriber of 2600. 2600 (and most of its readers) would have nothing to do with such an attack. In fact 2600 had to take their IRC server down b/c of DoS attacks, so I doubt they would go and attack your server.

The Prohacker
07-14-2002, 11:27 PM
That reminds me, I need to email 2600 subscriptions department, my copy didn't come last quarter....

mwatkins
07-15-2002, 12:07 AM
Like I said, be aware. I didn't say panic.

But I love a good coincidental conspiracy theory.

And if someone has compromised their machine I'm sure they would want to know about it.

The Prohacker
07-15-2002, 12:42 AM
No a conspiracy theory would be:

Someone spoofs the IP to make you post on WHT, then H2K gets an anonymous email, with the link to this post...

H2K responds by rooting your box to prove they are above the sort of thing like scanning...

And they get arrested for haxoring the box :D

mwatkins
07-15-2002, 01:34 AM
And H2K is found to have secret photos documenting extra-terrestrials landing on earth in the fifties. I hear what you folks are saying about H2K2, their rep, etc, but sometimes a frog is a frog and not a princess. It is still worth noting and reporting such things. If H2K2 is innocent themselves, fine.

It's not a big deal to me, I have no compromised CGI scripts lying around!

esdjco
07-16-2002, 02:52 AM
Some hackers aren't a bad thing. I mean imagine a world without people trying to find vulnerabilities and one day you attempt it and find 100000000s of holes. Today patches come out fast and if they have a conference discussing topics related to hacking I think we're all better off in the long run. Of course you can do all you can to stop them. :)

Webdude
07-16-2002, 11:16 AM
If it's from them, don't worry, you will be sent a list of your vulnerabilities that need to be fixed. If it's not from them, then you better be good at security, or hope nothing was found.

Domenico
07-17-2002, 07:13 AM
Originally posted by ned patter
Huh, in New York, what do you expect them to be, all hard? Go get a few boys and knock all the geeks out.
If there was anything like that around here I would certainly go round there and kick seven shades out of them.


Heh, not all geeks look like the stereotyped geeks you know from the Hollywood movies.
I know some "geeks" that you and your team wouldn't try to take on even when they were alone.

I guess you never went to a real hackers convention in the first place ;)