Post #176,191
9/24/04 12:33:13 PM
|
The reason I say...
pptp, mstse and microsoft-ds are all open ports.
Typically that does indicate a machine with a remote desktop capacity, and the fact it has 22, 25 and 80 open tells me it is someone allowing these kinds of services.
To me, there is enough to say: Norm took advantage of the service provided (prolly guest) and browsed here.
Look up what remote desktop is (as offered by Terminal Services in WindowsXP Professional)
-- [link|mailto:greg@gregfolkert.net|greg], [link|http://www.iwethey.org/ed_curry|REMEMBER ED CURRY!] @ iwethey
No matter how much Microsoft supporters whine about how Linux and other operating systems have just as many bugs as their operating systems do, the bottom line is that the serious, gut-wrenching problems happen on Windows, not on Linux, not on Mac OS. -- [link|http://www.eweek.com/article2/0,1759,1622086,00.asp|source]
Here is an example: [link|http://www.greymagic.com/security/advisories/gm001-ie/|Executing arbitrary commands without Active Scripting or ActiveX when using Windows]
|
Post #176,195
9/24/04 12:39:01 PM
|
You think he has the 'skill' to do that?
-- Steve
|
Post #176,230
9/24/04 2:11:06 PM
|
Then tell me Steve...
Do you think Script kiddies have the skill to read a step by step and launch automated attacks?
All right then.
Hell *I* could be a brain surgeon with step by step procedures. Flow-charts are good enough too.
-- [link|mailto:greg@gregfolkert.net|greg]
|
Post #176,242
9/24/04 2:52:31 PM
|
precisely my point
Most Script Kiddies are at least adept at getting a Linux system up.
-- Steve
|
Post #176,196
9/24/04 12:41:10 PM
|
Okay, I'll ask John to help me analyze the data later
He's the one who helped me before, I only know how to match IP numbers.
I'm sorry if he really has regressed, Greg, but he's really upset, since my Ex-fiance called him last night and accused me of violating a restraining order that never existed in the first place (so it appears), and he upset Norman a lot. That combined with the accident and stuff, and I think he's overwhelmed.
I'm trying to get some control of the situation before leaving, but I won't be here all day, so I apologize if I can't help much.
And yeah, I know, I know. He ended our friendship, but what can I say, I still give a damn. ;)
Brenda
"It's not where a person stands in time of comfort and security, but rather where they stand in times of strife and controversy that determine true friends." (Quote sent to me by a true friend, author unknown).
|
Post #176,200
9/24/04 12:44:01 PM
|
You need to recite the Steve Martin incantation...
I break with thee... I break with thee... I break with thee... (throw dog poop on his shoes)
|
Post #176,201
9/24/04 12:46:18 PM
|
Hehehe!
Yeah, but that's hard when you've been friends with someone over 9 years.
Besides, if he hadn't told me what my Ex-fiance was up to, I wouldn't have known, so I consider that a good thing. :)
Brenda
|
Post #176,316
9/24/04 8:12:06 PM
|
Re: Okay, I'll ask John to help me analyze the data later
John just looked up the IP address and said it belongs to a machine in the Netherlands or the U.K. It's doubtful it's Orion unless someone gave him access.
OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 217.0.0.0 - 217.255.255.255
CIDR: 217.0.0.0/8
NetName: 217-RIPE
NetHandle: NET-217-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH00.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at [link|http://www.ripe.net/whois|http://www.ripe.net/whois]
RegDate: 2000-06-05
Updated: 2004-03-16
# ARIN WHOIS database, last updated 2004-09-23 19:10
-----------------
Registrant:
BRITISH TELECOMMUNICATIONS PLC (BTOPENWORLD-DOM)
81 NEWGATE STREET
LONDON, GREATER LONDON EC1A 7AJ
GB
Domain Name: BTOPENWORLD.COM
Administrative Contact, Technical Contact:
British Telecommunications plc (BS38-ORG) dnsreg@BT.COM
PP TKS/F18/01 Trunk Exchange Sth
109-117 Long Rd
Cambridge, Cambs CB2 2HG
UK
+44 1223 840711 fax: - +44 1223 358474
Record expires on 20-Mar-2005.
Record created on 20-Mar-2000.
Database last updated on 24-Sep-2004 20:07:46 EDT.
We did a traceroute, and it's definitely going out to Europe.
Greg, is it possible to check those logs you mentioned to see if they lead back to him? If they don't lead back to him, I feel pretty sure it isn't him.
Nightowl >8#
|
Post #176,327
9/24/04 8:56:08 PM
9/24/04 9:24:12 PM
|
Yes, I have already done the request for the router tween
his ISP and the machine in question. I have already gotten British Telecom's logs... And they have asked me to only review these logs, not to publish them. I see the entire conversation through the final router at btopen. I see the requests to *Z*, I also see requests from St. Louis to Port 3389 and the use of PPTP (port 1723) for the data channel. Remote Desktop was used from St Louis to the Machine Address in Question. BTW, BTopen said they will monitor the situation and see what happens. The request to Worldcom, said it will take a couple of days. But they will get it to me.
And the route to and from excluding the ending addresses:
#2 ATM.VVR26.MSP1.DSL.ALTER.NET
#3 344.at-5-0-0.CL2.DET5.ALTER.NET
#4 0.so-0-0-0.TL2.CHI4.ALTER.NET
#5 0.so-0-2-0.TL2.DCA8.ALTER.NET
#6 0.so-5-0-0.CL2.IAD8.ALTER.NET
#7 POS7-0.GW4.IAD8.ALTER.NET
#8 bt2-gw.customer.alter.net
#9 t2c1-ge6-2.us-ash.eu.bt.net
#10 t2c1-p4-0.uk-eal.eu.bt.net
#11 t2c2-ge6-1.uk-eal.eu.bt.net
#12 166-49-168-34.eu.bt.net
#13 core1-pos15-3.ealing.ukcore.bt.net
#14 interconnect5-pos7-0.ealing.fixed.bt.net
#15 inh3cs01-455.imsnet3.btopenworld.com
#16 inh3br01-570.imsnet3.btopenworld.com
#17 host213-1-119-39.imsnet3.btopenworld.com
-- [link|mailto:greg@gregfolkert.net|greg]
Edited by folkert
Sept. 24, 2004, 09:24:12 PM EDT
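Greg's reading of the ports above (1723 PPTP plus 3389 Remote Desktop against the same host) and the log review in this post amount to a correlation rule a defender can run over flow records. The script below is an added illustration, not Greg's or BT's tooling: it parses constructed flow lines (documentation-range addresses, invented timestamps) and reports, per source, which remote-desktop indicators were seen against a target and whether they match the tunnelled pattern.

```python
"""Correlate flow records for Remote Desktop reached over a PPTP tunnel.

Constructed sample data; none of it comes from the thread's real logs.
Assumed line format: "<time> <src_ip> <dst_ip> <proto> <dst_port|->".
"""
from collections import defaultdict

PPTP_CONTROL = 1723   # PPTP control channel (TCP); the data channel is GRE
RDP = 3389            # Remote Desktop / Terminal Services

# Constructed records (198.51.100.x and 203.0.113.x are documentation ranges).
SAMPLE_FLOWS = """\
2004-09-24T18:02:11Z 198.51.100.7  203.0.113.39 tcp 1723
2004-09-24T18:02:12Z 198.51.100.7  203.0.113.39 gre -
2004-09-24T18:02:40Z 198.51.100.7  203.0.113.39 tcp 3389
2004-09-24T18:05:01Z 198.51.100.9  203.0.113.39 tcp 80
2004-09-24T18:06:15Z 198.51.100.9  203.0.113.39 tcp 22
2004-09-24T18:07:30Z 198.51.100.12 203.0.113.39 tcp 3389
"""


def parse_flows(text):
    """Turn flow lines into (ts, src, dst, proto, dport) tuples; dport None for GRE."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((ts, src, dst, proto, None if dport == "-" else int(dport)))
    return flows


def rdp_sessions(flows, target):
    """Per source IP, list remote-desktop indicators seen against target.

    'tunnelled' is True only when the full pattern is present: PPTP control on
    1723, GRE data traffic, then a connection to 3389. A bare 3389 hit is still
    reported so a reviewer can look at it, but with tunnelled=False.
    """
    seen = defaultdict(set)
    for ts, src, dst, proto, dport in flows:
        if dst != target:
            continue
        if proto == "tcp" and dport == PPTP_CONTROL:
            seen[src].add("pptp-control")
        elif proto == "gre":
            seen[src].add("pptp-data")
        elif proto == "tcp" and dport == RDP:
            seen[src].add("rdp")
    return {src: {"indicators": sorted(flags),
                  "tunnelled": {"pptp-control", "pptp-data", "rdp"} <= flags}
            for src, flags in seen.items() if "rdp" in flags}


if __name__ == "__main__":
    for src, info in rdp_sessions(parse_flows(SAMPLE_FLOWS), "203.0.113.39").items():
        print(src, info)
```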
|
Post #176,350
9/24/04 10:09:05 PM
|
Thanks, please keep me posted with the results
I'm trying to give him the benefit of the doubt at this point, but finding out it came to St. Louis makes me slightly skeptical.
But I can't confront him with it on speculation, I need the concrete proof to get anywhere.
Thanks.
Brenda
|
Post #176,378
9/25/04 1:20:01 AM
|
You know...
It really doesn't matter.
The fact that it happened or not is of no concern anymore. I have shelved any concern for his well being.
Unless you REALLY REALLY want to pursue this...
Please send an e-mail to the e-mail address in the signature to request info.
-- [link|mailto:greg@gregfolkert.net|greg]
|
Post #176,393
9/25/04 6:58:52 AM
|
Thank you.
If you push something hard enough, it will fall over. Fudd's First Law of Opposition
[link|mailto:bepatient@aol.com|BePatient]
|
Post #176,410
9/25/04 1:00:39 PM
|
Will do
Thanks Greg.
Brenda
|
Post #176,207
9/24/04 1:04:08 PM
|
Orion insists it isn't him
He says he uses a different ISP and different software, he uses Knoppix not SuSE and he uses SWB.
I don't know enough to verify it isn't him, but I'm trying to take him on faith.
Brenda
|
Post #176,210
9/24/04 1:19:05 PM
|
Ultimately, it don't really matter
I might suggest that Orion not post replies to any new user account, as it's likely to be suspicious, especially in the confines of the flame forum.
|
Post #176,212
9/24/04 1:21:42 PM
|
Great suggestion, Chris
He said if anyone wants to talk to him about this mess, or anything else, they can come to IWT Yahoo and do it.
[link|http://groups.yahoo.com/group/iwethey|http://groups.yahoo.com/group/iwethey]
He also said Greg is welcome to check all the logs and routers, and he thinks they will vindicate him. That's up to Greg.
Only other thing I can suggest is if he does come in here (he said he would try to stay away again for a little bit), and act crazy, maybe just ignore him.
He really is trying, despite what anyone might believe, and the proof can be read in the Yahoo group.
Catch you all later... good luck.
Brenda
|
Post #176,211
9/24/04 1:19:27 PM
|
Don't bother taking anything on faith
If you want to be generous, mark it as an incident waiting for later confirmation or disproof. Don't make a big deal about it, but be very up front about how you'll react if you get direct evidence that he was lying.
Given past history, I'd be inclined right now to not be generous. That is I'd assume at this point that he's probably lying. It is up to you how you would react to that. If that assumption turns out to be bad, then you can apologize later.
My philosophy is that a trust that has been repeatedly broken should not be lightly given again.
Ben
About the use of language: it is impossible to sharpen a pencil with a blunt axe. It is equally vain to try to do it with ten blunt axes instead. -- Edsger W. Dijkstra
|
Post #176,214
9/24/04 1:25:18 PM
9/24/04 1:25:58 PM
|
Correction, "on faith till proved otherwise"
If you want to be generous, mark it as an incident waiting for later confirmation or disproof. Don't make a big deal about it, but be very up front about how you'll react if you get direct evidence that he was lying.
That's more or less what I did Ben, I told him as of now, I don't see proof, but if I do, I'm gonna be upset. I didn't make a big deal, I hope.
Given past history, I'd be inclined right now to not be generous. That is I'd assume at this point that he's probably lying. It is up to you how you would react to that. If that assumption turns out to be bad, then you can apologize later.
True, but I've been watching him post in the Yahoo group, and I've been watching him improve there and in mine. I also know he got terribly upset last night from my Ex-fiance, and that may have unbalanced him some. But there is real evidence out there that he is trying hard. And I also feel kinda like I owe him a little, because he did warn me about my Ex's accusations.
My philosophy is that a trust that has been repeatedly broken should not be lightly given again.
And I agree. We haven't fixed the friendship Ben, as far as he is concerned, we still aren't "friends" in that sense, but we're still communicating, and obviously there is still a caring feeling on both sides, or he wouldn't have warned me last night.
Have a good day. :)
Brenda
Edit: corrected subject line
Edited by Nightowl
Sept. 24, 2004, 01:25:58 PM EDT
|