# Very odd location of ATI drivers - security risk? Hacked?

## InsaneHamster

```
>>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
--22:20:45--  https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run
           => `/usr/portage/distfiles/ati-driver-installer-8.35.5-x86.x86_64.run'
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
Connecting to a248.e.akamai.net|24.153.19.217|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 57,314,907 (55M) [application/octet-stream]
```

Can anyone verify that the website it is downloading the drivers from is legit?

akamai.net

Last edited by InsaneHamster on Fri Mar 30, 2007 2:42 am; edited 1 time in total

----------

## InsaneHamster

```
22:36:21.932922 IP 192.168.0.2.52413 > unknown.Level3.net.http: . ack 28908 win 501 <nop,nop,timestamp 41540428 3239897022>
```

```
tcp        0      0 192.168.0.2:40182       unknown.level3.net:http ESTABLISHED penguin    5767734    31655/firefox-bin
tcp        0      0 192.168.0.2:40183       unknown.level3.net:http ESTABLISHED penguin    5767735    31655/firefox-bin
tcp        0      0 192.168.0.2:40181       unknown.level3.net:http ESTABLISHED penguin    5767728    31655/firefox-bin
tcp        0      0 192.168.0.2:40179       unknown.level3.net:http ESTABLISHED penguin    5767726    31655/firefox-bin
```

Like, what or who is this connection?

----------

## InsaneHamster

```
penguin@whitepenguin ~ $ whois 24.153.19.208

OrgName:    Rogers Cable Communications Inc.
OrgID:      RCC-104
Address:    One Mount Pleasant
City:       Toronto
StateProv:  ON
PostalCode: M4Y-2Y5
Country:    CA

NetRange:   24.153.0.0 - 24.153.31.255
CIDR:       24.153.0.0/19
NetName:    ROGERS-CAB-104
NetHandle:  NET-24-153-0-0-1
Parent:     NET-24-0-0-0-0
NetType:    Direct Assignment
NameServer: NS2.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS2.WLFDLE.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.WLFDLE.RNC.NET.CABLE.ROGERS.COM
Comment:
RegDate:
Updated:    2006-12-05

OrgTechHandle: IPMAN-ARIN
OrgTechName:   IP MANAGE
OrgTechPhone:  +1-416-935-4729
OrgTechEmail:  ipmanage@rogers.wave.ca

# ARIN WHOIS database, last updated 2007-03-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
```

It says the IP address for the ATI driver is Rogers Cable? (It seems it is, well, a user account from my ISP?)

----------

## InsaneHamster

```
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-29 22:47 EDT
Interesting ports on a24-153-19-208.deploy.akamaitechnologies.com (24.153.19.208):
Not shown: 1663 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
162/tcp  filtered snmptrap
443/tcp  open     https
445/tcp  filtered microsoft-ds
500/tcp  open     isakmp
705/tcp  filtered unknown
1080/tcp filtered socks
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http
8080/tcp filtered http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 12.712 seconds
```

This is what I get when I nmap 24.153.19.208?

----------

## InsaneHamster

```
whitepenguin penguin # tcptraceroute 24.153.19.208
Selected device eth0, address 192.168.0.2, port 43334 for outgoing packets
Tracing the path to 24.153.19.208 on TCP port 80 (http), 30 hops max
 1  192.168.0.1  1.125 ms  0.443 ms  0.544 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  a24-153-19-208.deploy.akamaitechnologies.com (24.153.19.208) [open]  13.549 ms  17.896 ms  17.310 ms
```

----------

## InsaneHamster

I found that when I sync Portage to update it from the mirror server, slowly but surely it gets overwritten once an internet connection is seen, in small steps, to a mask of Google:

```
01:25:03.292298 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 59964:60093(129) ack 334009 win 33087
01:25:03.292712 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 334009:334808(799) ack 60093 win 63784
01:25:03.440787 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60093:60222(129) ack 334808 win 33087
01:25:03.441361 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 334808:335603(795) ack 60222 win 63784
01:25:03.607025 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60222:60351(129) ack 335603 win 33087
01:25:03.607457 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 335603:336402(799) ack 60351 win 63784
01:25:03.771038 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60351:60480(129) ack 336402 win 33087
01:25:03.773415 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 336402:337201(799) ack 60480 win 63784
01:25:03.919522 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60480:60609(129) ack 337201 win 33087
01:25:03.919931 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 337201:338002(801) ack 60609 win 63784
01:25:04.061905 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60609:60738(129) ack 338002 win 33087
01:25:04.064695 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 338002:338805(803) ack 60738 win 63784
01:25:04.202123 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60738:60867(129) ack 338805 win 33087
01:25:04.202557 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 338805:339606(801) ack 60867 win 63784
01:25:04.253575 IP bu-in-f91.google.com.http > 192.168.0.2.56238: P 16016:16145(129) ack 97642 win 32680
01:25:04.255055 IP 192.168.0.2.56238 > bu-in-f91.google.com.http: P 97642:98441(799) ack 16145 win 63784
01:25:04.357416 IP bu-in-f91.google.com.http > 192.168.0.2.56237: P 60867:60996(129) ack 339606 win 33087
01:25:04.360291 IP 192.168.0.2.56237 > bu-in-f91.google.com.http: P 339606:340413(807) ack 60996 win 63784
```

A Portage rootkit which updates itself is my conclusion.

----------

## Xaid

I could be wrong here, but I thought Akamai is used by many large companies to distribute the load on their networks.

You can get more information on http://www.akamai.com/

Those files will get checked against the digest that's in Portage, so unless you manually forced a rebuild of the digest, I'm pretty sure you'll get a warning that the file has been tampered with (the digest will not match what's in the Manifest).

----------

## InsaneHamster

No, clearly someone spoofed their website to make it seem that way to the average user. After I change mirrors and sync, all of a sudden tcpdump shows Google round-robin shit uploading files non-stop, and certain packages change if I update the system before or after that sync, depending on just leaving the connection, which runs to Google for a while and then stops. Plus I have NSA SELinux security, so I can watch in the logs files which are denied access or changed; some try to send to an IP address, and gzip and tar doing sh and rm commands which want to send to a certain IP address. My Tripwire no longer works and the logs show proof of hacking, slowly starting with simple oversized packets from my Linux router which over time caused errors and commands to be run, and then today this.

Surely with no browser open there is no need for this corporation and Google to be sending packets, as seen via the dump console. Snort doesn't seem to pick it up too well though.

----------

## InsaneHamster

```
Invalid packet:IN=eth0 OUT= MAC=*** SRC=24.153.19.160 DST=192.168.0.2 LEN=52 TOS=0x00 PREC=0x00 TTL=57 ID=13906 DF PROTO=TCP SPT=80 DPT=53918 WINDOW=6391 RES=0x00 ACK FIN URGP=0
```

```
whitepenguin ~ # whois 24.153.19.160

OrgName:    Rogers Cable Communications Inc.
OrgID:      RCC-104
Address:    One Mount Pleasant
City:       Toronto
StateProv:  ON
PostalCode: M4Y-2Y5
Country:    CA

NetRange:   24.153.0.0 - 24.153.31.255
CIDR:       24.153.0.0/19
NetName:    ROGERS-CAB-104
NetHandle:  NET-24-153-0-0-1
Parent:     NET-24-0-0-0-0
NetType:    Direct Assignment
NameServer: NS2.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS2.WLFDLE.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.YM.RNC.NET.CABLE.ROGERS.COM
NameServer: NS3.WLFDLE.RNC.NET.CABLE.ROGERS.COM
Comment:
RegDate:
Updated:    2006-12-05

OrgTechHandle: IPMAN-ARIN
OrgTechName:   IP MANAGE
OrgTechPhone:  +1-416-935-4729
OrgTechEmail:  ipmanage@rogers.wave.ca

# ARIN WHOIS database, last updated 2007-03-29 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
```

NMAP

```
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2007-03-30 03:14 EDT
Interesting ports on a24-153-19-160.deploy.akamaitechnologies.com (24.153.19.160):
Not shown: 1656 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
25/tcp   filtered smtp
80/tcp   open     http
98/tcp   filtered linuxconf
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
162/tcp  filtered snmptrap
383/tcp  filtered hp-alarm-mgr
431/tcp  filtered utmpcd
443/tcp  open     https
445/tcp  filtered microsoft-ds
500/tcp  open     isakmp
705/tcp  filtered unknown
844/tcp  filtered unknown
897/tcp  filtered unknown
1080/tcp filtered socks
1473/tcp filtered openmath
1720/tcp filtered H.323/Q.931
3128/tcp filtered squid-http
6588/tcp filtered analogx
8080/tcp filtered http-proxy

Nmap finished: 1 IP address (1 host up) scanned in 19.617 seconds
```

----------

## InsaneHamster

```
WEB-ATTACKS cpp command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 192.168.0.2:45295 -> 72.14.207.99:80
 [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [Classification: Potentially Bad Traffic] [Priority: 2]: {UDP} 0.0.0.0:68 -> 255.255.255.255:67
 (snort_decoder) WARNING: IP dgm len > IP Hdr len!
(spp_arpspoof) Ethernet/ARP Mismatch request for Destination
```

There is a lot of shit in the Snort logs I don't wanna post; I just wanted to show those (they weren't false positives either, because they were reclusive and persistent), and they only started at certain points.

The question is:

What do I do? (Clearly I must format both routers, as I found smb with security=share and guest account=root, and I never had or allowed smb on the router and in fact never wanted any smb in the network at all.) Plus all this grimy shit points to several IP addresses within my ISP (so I assume it's local).

I live in Canada. Do I report it? Is it possible to get their name, or do I need someone inside my ISP to obtain that information because of privacy laws?

----------

## InsaneHamster

```
Mar 29 09:51:24 whitepenguin audit(1175176284.048:47): avc:  denied  { send } for  pid=13667 comm="firefox-bin" saddr=192.168.0.2 src=39425 daddr=24.153.19.208 dest=80 netif=eth0 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=packet
```

----------

## Aurisor

That is a fucking impressive catch.

l33t

----------

## UberLord

 *InsaneHamster wrote:*   

> 
> 
> ```
> >>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
> ...
> ```

 

http://ati.amd.com/support/drivers/linux64/linux64-radeon.html

Now examine the download link - here it is.

https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux/64bit/ati-driver-installer-8.35.5-x86.x86_64.run

----------

## InsaneHamster

 *UberLord wrote:*   

>  *InsaneHamster wrote:*   
> 
> ```
> >>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
> ...
> ```

 

I know that Akamai does hosting, but why would residential IP addresses which are within my ISP be the location of the resolving address?

```
Resolving a248.e.akamai.net... 24.153.19.217, 24.153.19.201, 24.153.19.208, ...
```

So anyway, I WANT to find out who it is, not just their IP address. I could give two fucks about their system.

----------

## InsaneHamster

 *Aurisor wrote:*   

> That is a fucking impressive catch.
> 
> l33t

 

No, you know what's more impressive is some dude (cause I highly doubt it's a woman) hacks a home user's box. Which clearly, if a male hacks another male's computer only to see what they are doing, makes him a Fagget for one, a stalker for second, and a creeper for third.

You do realize that source-built Linux distributions are the most easily hacked operating systems in the world, right? So it's not really an impressive catch. Just annoying and a waste of time on a Fagget who was too fucking stupid to get away with it.

----------

## madisonicus

 *InsaneHamster wrote:*   

>  *UberLord wrote:*    *InsaneHamster wrote:*   
> 
> ```
> >>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
> ...
> ```

 From Akamai's website: *Quote:*   

> How it Works
> 
> We upload your content to a designated directory in the Akamai network, replicate it, and store copies at multiple locations in our worldwide storage centers. Using the global Akamai platform (20,000 servers in 71 countries), we distribute your content intelligently, placing it close to Web users, monitoring network problems, and routing it efficiently by identifying and using optimal paths.

The whole point is that Akamai reduces costs and increases delivery speed by syncing your content to servers all over the world. They select a nearby server based on the location of your IP address. It would in fact be surprising if Akamai did not have a server in your neighborhood.
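
An added example, not from the thread and not Akamai's or ATI's code, of the two checks that actually settle the question in the first post: whether the address wget resolved for a248.e.akamai.net is a legitimate CDN edge, and whether the download is authentic. The DNS answer table is built from the addresses and the PTR quoted earlier in the thread; that the PTR name forward-resolves back to 24.153.19.208 is an assumption made for the example, and the certificate dictionary is constructed, not Akamai's real certificate. Resolver and certificate inputs are injected so the logic runs offline; `live_peer_cert` shows the real connection for use against a live host.

```python
"""Is the address wget resolved for a248.e.akamai.net a legitimate edge?

Added example. Two checks a practitioner would run:
  1. forward-confirmed reverse DNS (FCrDNS): the PTR for the address falls
     under the CDN operator's domain and resolves back to the same address;
  2. TLS: the certificate the edge presents covers the hostname in the URL.
Check 2 is what authenticates the download (wget already did it for the
https:// URL in the first post); check 1 only explains why an Akamai node
shows up inside an ISP's WHOIS netblock. Inputs are injected to run offline.
"""
import socket
import ssl

# Constructed answer table from the data quoted in this thread. That the PTR
# name resolves back to 24.153.19.208 is assumed for the example.
FORWARD = {
    "a248.e.akamai.net": {"24.153.19.217", "24.153.19.201", "24.153.19.208"},
    "a24-153-19-208.deploy.akamaitechnologies.com": {"24.153.19.208"},
}
REVERSE = {"24.153.19.208": "a24-153-19-208.deploy.akamaitechnologies.com"}

def table_forward(name):
    return FORWARD.get(name, set())

def table_reverse(addr):
    return REVERSE.get(addr)

def fcrdns(hostname, addr, forward, reverse, operator_suffix):
    """Return (ok, reason); ok only if every consistency step passes.
    The PTR is published by whoever runs the reverse zone for the netblock
    (here the ISP), so this is a consistency check, not proof of identity."""
    if addr not in forward(hostname):
        return False, "%s does not resolve to %s" % (hostname, addr)
    ptr = reverse(addr)
    if ptr is None:
        return False, "no PTR record for %s" % addr
    if not ptr.lower().endswith("." + operator_suffix.lower()):
        return False, "PTR %s is not under %s" % (ptr, operator_suffix)
    if addr not in forward(ptr):
        return False, "PTR %s does not resolve back to %s" % (ptr, addr)
    return True, "PTR %s forward-confirmed" % ptr

def _name_matches(pattern, name):
    """Exact match, or a single wildcard covering exactly the leftmost label."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    if not pattern.startswith("*."):
        return False
    labels = name.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]

def cert_covers(cert, hostname):
    """cert has the shape returned by ssl.SSLSocket.getpeercert().
    SANs are authoritative; the CN is consulted only when there are none."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_name_matches(san, hostname) for san in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _name_matches(value, hostname)
    return False

# Constructed certificate dict for the offline check; not Akamai's real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "a248.e.akamai.net"),),),
    "subjectAltName": (("DNS", "a248.e.akamai.net"), ("DNS", "*.e.akamai.net")),
}

def live_peer_cert(addr, hostname, port=443, timeout=5.0):
    """Connect to the edge by IP, send SNI for hostname, return its cert.
    The default context still validates the chain against the system trust
    store; only the hostname match is deferred to cert_covers()."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((addr, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()

def check_edge(hostname, addr, cert, forward=table_forward, reverse=table_reverse,
               operator_suffix="akamaitechnologies.com"):
    """Combine both checks; authenticity rests on the certificate check alone."""
    dns_ok, dns_why = fcrdns(hostname, addr, forward, reverse, operator_suffix)
    tls_ok = cert_covers(cert, hostname)
    return {"fcrdns": dns_ok, "fcrdns_detail": dns_why,
            "cert_covers_hostname": tls_ok, "authentic": tls_ok}
```

The WHOIS output earlier in the thread and the PTR are not in tension: WHOIS names who was assigned the netblock (the ISP), the PTR names who operates the box in it, and neither is a security boundary. The certificate chain and hostname match are, which is why a validated https:// fetch from an address inside Rogers space is no weaker than one from Akamai's own space.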

----------

## Monkeh

I see... overly paranoid Snort, normal HTTP access to Google, and someone jumping at nothing.

Akamai is real and legit, and I see nothing but someone implementing overly paranoid security without actually knowing how to use it.

----------

## lpahdoco

 *InsaneHamster wrote:*   

>  *Aurisor wrote:*   That is a fucking impressive catch.
> 
> l33t 
> 
> no u know whats more impressive is some dude (cause i highly doubt its a women) hacks a home user box. which clearly if a male hacks another males computer only to see what they are doing is a Fagget for one, a stalker for second, and a creeper for third. 
> ...

 

You doubt it's a woman because.....????

[EDIT]  Removed deliberately antagonistic comment

----------

## RegularJoe

 *InsaneHamster wrote:*   

> 
> 
> u do realize that source build linux distributions are the easiest hacked operating systems in the world right. so its not really an impressive catch. just annoying and time waste on a Fagget who was too fuckn stupid to get away with it.

 

You do know what digest algorithms or hash functions are, right? So unless you force your Portage to merge anything without checking its digest signature, or someone hacks the Portage mirrors, you are pretty safe :Smile: That's of course if this ugly dude of yours :Smile: doesn't have root permissions on your machine yet, but if he had, I don't think he would do anything like what you thought you spotted. But don't worry: when it comes to computer security, being suspicious is still far better than being ignorant (if only half of Windows users were like you, the world would be a better place) :Smile:
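
An added example, not from the thread and not Portage's own code, of the check Xaid and RegularJoe both describe: the distfile is compared against the size and digests recorded for it in the Manifest before anything is unpacked. The Manifest text and the installer bytes below are constructed stand-ins (the real ati-drivers Manifest is not reproduced), and the algorithm names are whatever hashlib can compute, so the same parser handles the SHA256/RMD160 entries of that era and today's BLAKE2B/SHA512 ones.

```python
"""Check a downloaded distfile against its Manifest entry, the way Portage does
before it unpacks anything. Added example, not Portage's own code.

Manifest2 DIST lines look like:
    DIST <filename> <size> <ALGO> <hexdigest> [<ALGO> <hexdigest> ...]
"""
import hashlib

# Constructed stand-in for the installer bytes; not the real ATI driver file.
SAMPLE_NAME = "ati-driver-installer-8.35.5-x86.x86_64.run"
SAMPLE_DISTFILE = (b"#!/bin/sh\n# constructed stand-in for the driver installer\n"
                   b"echo 'not the real installer'\n") * 8

def digest(algo, data):
    return hashlib.new(algo.lower(), data).hexdigest()

def make_dist_line(name, data, algos=("SHA256", "SHA512")):
    """Build the DIST line a maintainer's manifest step would record."""
    fields = ["DIST", name, str(len(data))]
    for algo in algos:
        fields += [algo, digest(algo, data)]
    return " ".join(fields)

# Constructed Manifest: one unrelated EBUILD line (ignored here) plus the DIST entry.
SAMPLE_MANIFEST = "\n".join([
    "EBUILD ati-drivers-8.35.5.ebuild 4096 SHA256 " + "0" * 64,
    make_dist_line(SAMPLE_NAME, SAMPLE_DISTFILE),
])

def parse_dist_entries(manifest_text):
    """Return {filename: (size, {ALGO: hexdigest})} for every well-formed DIST line."""
    entries = {}
    for line in manifest_text.splitlines():
        fields = line.split()
        # DIST name size plus ALGO/hex pairs: always an odd field count
        if len(fields) < 5 or fields[0] != "DIST" or len(fields) % 2 == 0:
            continue
        entries[fields[1]] = (int(fields[2]), dict(zip(fields[3::2], fields[4::2])))
    return entries

def verify_distfile(manifest_text, name, data):
    """Return (ok, reason). Size is checked first because it is cheap and
    catches truncated downloads; then every digest we can compute must match.
    An entry with no computable digest is a failure, not a pass."""
    entries = parse_dist_entries(manifest_text)
    if name not in entries:
        return False, "no DIST entry for %s" % name
    size, hashes = entries[name]
    if len(data) != size:
        return False, "size mismatch: Manifest says %d bytes, file has %d" % (size, len(data))
    checked = 0
    for algo, expected in hashes.items():
        try:
            actual = digest(algo, data)
        except ValueError:
            continue   # hashlib does not know this algorithm: skip it, do not trust it
        if actual != expected.lower():
            return False, "%s mismatch for %s" % (algo, name)
        checked += 1
    if checked == 0:
        return False, "no verifiable digest for %s" % name
    return True, "%s verified (%d digests)" % (name, checked)
```

The limit of this check is the one RegularJoe's "someone hacks portage mirrors" aside points at: a matching digest proves the distfile is the one the Manifest describes, not that the Manifest itself is genuine. That rests on how the tree was fetched and whether its signature was verified.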

----------

## InsaneHamster

 *RegularJoe wrote:*   

>  *InsaneHamster wrote:*   
> 
> u do realize that source build linux distributions are the easiest hacked operating systems in the world right. so its not really an impressive catch. just annoying and time waste on a Fagget who was too fuckn stupid to get away with it. 
> 
> u do know what digest algorithms or hash functions are right? So unless you force your portage to merge anything without checking its diggest signature or someone hacks portage mirrors you are pretty safe  Thats of course if this ugly dude of yours  doesn't have root permissions on your machine yet but if he had i don't think he would do anything like you thought you spotted. But don't worry when it comes to computer security being suspicious is still far better than being ignorant  (if only half of windows users were like u the world would be a better place)

 

I am paranoid, but it's not like when I emerge sync then update a system it states the package digest doesn't match (of a package called file-0.19 I think); then I looked it up and found that file-0.19 has an exploit allowing arbitrary code to be executed, which would stay within the privileges of the user doing it. This is nothing.

If no browser is connected to the internet or running,

why would tcpdump show traffic of Google and this Akamai shit? To the average user, they may or may not trust all this shit that is happening. But clearly akamai.net, that it's downloading the file from, shouldn't be bound to an IP address of someone that is in my country running what seems like a home account from my ISP. Anyway, it's not that hard to have Portage be changed, because I synced with a mirror, unplugged eth0 (watching all on tcpdump), then did emerge system and several files were to be updated which were not before. So therefore I plug in eth0 (with no browser open, mind you) and Google starts sending me files with Akamai. It stops after a while. And then I do emerge -puv world and the packages change to different ones.

I guess according to certain individuals on these forums I am stupid, not paranoid to the point of perception in finding these types of ridiculous hits I get almost on a monthly basis. I guess that's what happens when you piss off faggets via the internet.

----------

## InsaneHamster

 *Quote:*   

> 
> 
> You doubt it's a woman because.....????
> 
> [EDIT]  Removed deliberately antagonistic comment

 

I think I can ballpark it; I am more than confident about my assumption.

----------

## InsaneHamster

 *madisonicus wrote:*   

>  *InsaneHamster wrote:*    *UberLord wrote:*    *InsaneHamster wrote:*   
> 
> ```
> >>> Downloading 'https://a248.e.akamai.net/f/674/9206/0/www2.ati.com/drivers/linux//ati-driver-installer-8.35.5-x86.x86_64.run'
> ...
> ```

 

I know; I have read and done research on Akamai a long time ago, so I know what their corporation is and does. But there is no need for them to be streaming me content and data when the browser is not even running, nor are any applications connected to the internet by me. If nothing is connected to the internet (application-wise), how is it that they are sending me data when I view via tcpdump?

It's a spoof proxy for a hacker to gain entry and use and work, trying to be naked to the all-seeing eye. However, they fucked up and did not succeed. I guess this is what happens when you roll with 3 Gentoo boxes and a uClinux router. It's not that hard to overlay Portage or use something like layman. Not fucking hard at all, in a source-based distribution. One of the easiest fucking operating systems to hack and hide data in.

What I want to know is: I am pretty sure I didn't visit ANY (hopefully) shady websites and forums (I used to get hacked via shady forums; I stopped going).

Which would only mean that my router/gateway was hacked and they were somehow able to gain entry. Which leads me to ask: if you hack a network gateway or router, how hard would it be to gain entry into a box from it? My conclusion is: not fucking hard at all. And with Portage being very simple to fuck around with, it's only a matter of time.

The key is never in attempting to stop hackers, cause that's fucking impossible. Exploits are a daily routine; everything is hackable. But to try and stop them before they are able to gain any subjective ground into obtaining the classified information on your computer.

----------

## madisonicus

 *InsaneHamster wrote:*   

> i am paranoid but its not like when i emerge sync then update a system it states package digest doesnt match (of package called file-0.19 i think) then i looked up and found that file-0.19 has exploit causing arbitary code to be able to be executed which would stay within the privillages of the user doing it. this is nothing 

  I don't know what this means.  Did this happen to you?  sys-apps/file hasn't been at version 0.x for a long time.

 *InsaneHamster wrote:*   

> if no browser is connected to the internet or running.
> 
> why would tcpdump show traffic of google amd this amamki shit. to the average user they may or may not trust all this shit that is happening. but clearly akami.net that its downloading the file from shouldnt be binded to an ip address of someone that is in my country running a what seems like home account from my isp. anyways its not that hard to have portage be changed. causing i synced with a mirror unplugged the eth0 (watching all on tcp dump) then did emerge system and several files were to be updated which were not before. so then therefor i plug in eth0 (with no browser open mind u) and google starts sending me files with amaki. it stops after a while . and then i do emerge puv world and the packages change to different ones. 

Well, if you opened a connection to Google via your web browser, Google will attempt to keep it open, especially if you're checking Gmail or looking at news, both of which get updated on a regular basis. Google will try to keep those connections open even after you close your browser or reboot your computer, since it has no idea what's happening at your end; it just knows it hasn't heard from you in a while.

The ports you reported the connections on are high-numbered and only assigned when a connection has already been established which comports with the idea that these are just keep alives or possibly refresh packets.  If you'd like some more clarification on what/why, just ask.

In any case, it seems a pretty big leap to go from unknown, unexamined packets arriving at your IP address from two well-known companies, to asserting that your entire system has been subverted.  Have you examined the packets with wireshark or something?  At least then you'd know what was in them.

 *InsaneHamster wrote:*   

> i guess  according to certain individuals on these forums i am stupid. not parnoid to the point of perception in finding these types of riddiculus hits i get almost on a monthly basis. i guess thats what happens when u piss off faggets via the internet.

 You asked whether we thought what you were seeing was legitimate.  We said yes and told you why.  You're welcome to disagree.  But, I think we'd all appreciate it if you kept your tone more professional.

-m

----------

## madisonicus

 *InsaneHamster wrote:*   

> its a spoof proxy for hacker to gain entry and use and work trying to be naked to the all seeing eye. however they fucked up and did not succeed. 

 That's an enormous claim and not at all supported by the information you've presented.  If you think your local DNS has been poisoned, then switch temporarily or permanently to a possibly more trusted DNS like opendns.  And, importantly, inform your ISP.

Keep in mind that ATi themselves point to an Akamai website to download their drivers. Are you suggesting that AMD/ATi have been hacked for days with no one noticing? If so, then you need to contact AMD/ATi. If you have a question about whether that IP address is a legitimate Akamai mirror, then you should probably contact Akamai and ask. For the reasons explained above, though, there's nothing out of the ordinary or suspicious about what you've reported.

Also, what does "naked to the all seeing eye" mean?

 *InsaneHamster wrote:*   

> i guess this is what happens when u roll with 3 gentoo box and uclinux router. its not that hard to overlay portage or use something like layman. not fuckn hard at all, in a source based distribution. one of the easiest fuckn operating systems to hack and hide data in.

 I'm curious why you think this.  Personally, I've never run into this claim and most everything I've seen says the opposite.  If the source is openly available it's very unwise for an ill-intentioned programmer to try to subvert any code since we could all simply diff the two versions and see exactly what s/he was trying to do.  Stuff hidden in binaries is of a much greater concern since it is much more difficult to reverse-engineer a binary than to diff two versions of source code.

Now it is true that a compromised mirror could provide bad links or hash info, but you've given no indication that that's the case.  In fact, we've pointed out a few times that what you've reported seeing is normal behavior, is consistent with what ATi themselves are putting out, and very likely not a hack attempt.  However, if you still believe the mirror you use has been compromised, I suggest you contact the Gentoo team so they can take that server off the rotation and that you contact the mirror admins so they can investigate your suspicions.  You should probably also switch to a different mirror and see if you observe the same behavior.

However, given the relatively small number of total Gentoo users, the chances that anyone would spoof multiple Gentoo rsync mirrors from your ISP in hardly over-crowded Canada, seems pretty remote.  There's not much to gain by doing so, not to mention that the process is fairly complex and would require intimate knowledge of how Gentoo works.  Hacker man-hours would be far better spent working any of the dozens of unplugged Windows holes.  That's not to say I think it's impossible, just very unlikely and, again, unsupported by the information you've given.

 *InsaneHamster wrote:*   

> the key is never in attempting to stop hackers. cause thats fuckn impossible. exploits are a daily routine everything is hackable. but to try and stop them before they are able to gain any subjective ground into obtain the classified information on you computer.

 Again, I don't see any evidence at all that you've been hacked here.  TCP/IP is a very complicated affair, and you might benefit from and even enjoy further research into how it all works.

-m

----------

## InsaneHamster

 *madisonicus wrote:*   

>  *InsaneHamster wrote:*   i am paranoid but its not like when i emerge sync then update a system it states package digest doesnt match (of package called file-0.19 i think) then i looked up and found that file-0.19 has exploit causing arbitary code to be able to be executed which would stay within the privillages of the user doing it. this is nothing   I don't know what this means.  Did this happen to you?  sys-apps/file hasn't been at version 0.x for a long time.
> 
>  *InsaneHamster wrote:*   if no browser is connected to the internet or running.
> 
> why would tcpdump show traffic of google amd this amamki shit. to the average user they may or may not trust all this shit that is happening. but clearly akami.net that its downloading the file from shouldnt be binded to an ip address of someone that is in my country running a what seems like home account from my isp. anyways its not that hard to have portage be changed. causing i synced with a mirror unplugged the eth0 (watching all on tcp dump) then did emerge system and several files were to be updated which were not before. so then therefor i plug in eth0 (with no browser open mind u) and google starts sending me files with amaki. it stops after a while . and then i do emerge puv world and the packages change to different ones.  Well, if you opened a connection to google via your web browser, google will attempt to keep it open, especially if you're checking gmail or looking at news, both of which get updated on a regular basis.  Google will try to keep those connections open even after you close your browser or reboot your computer, since it has no idea what's happening at your end; it just knows it hasn't heard from you in a while.
> ...

 

Dude, you can think whatever the FUCK you want, but listen: when I run 3 Gentoo boxes and one states that file-.019 has a hash problem when downloading, compared to file-.20 on another one which hasn't been compromised and was STAYING on that package, then looking it up and finding that file-.19 has an exploit, there is NO NEED for me to have file-19 on the hacked computer unless someone put it there, forcing out the file-.20 which would have been updated a long time ago.

I'm not fucking stupid. I may be paranoid, but I'm not fucking stupid. Do not believe for a second that with no connections to the internet by applications, in any of my tests and scenarios I tried, Google should be sending me that much fucking information.

If you tcpdump now, it's possible you may see Google every now and then, plus your router or cable modem DNS; HOWEVER, not a fucking file being downloaded in small bursts. You can think whatever the FUCK YOU WANT, but someone has hacked my router. There is no need for Samba to be running on it, considering I disallowed it and even in the firewall rules made sure that Samba ports, Windows networking and many things were NOT ALLOWED TO COMMUNICATE.

Oh, what's this? Samba is now running; it seems to have root as the share account. I'm not hacked, I'm fucking paranoid. Listen, it's not Akamai nor this unknown.level3.net shit; someone masked and spoofed their shit over top of my router. Wireshark is the same as tcpdump, but a little more informative, and has security holes. It pisses me off when I know for a fact I've been hacked (cause it happens once a month); I come here and nobody believes it. But you know, that's fine.

I do not and never said it is the rsync mirror or any Gentoo website which was compromised, because it is not. It is something on my network which was able to point and change my network traffic, which allowed this to come into play. A person is able to sign digests; it's not that fucking hard to change a file in Portage, inject one, or have one be hidden as in a layman overlay to be downloaded from a masked server. Once you have a rootkit or knowledge of how to do this, it takes you 10 minutes if you can obtain the right exploit.

Stupid little shit led up to this, like Tripwire no longer working and ntop failing. It's not like this happens overnight; considering the type of security I have, I can watch little things fail before something just leads me to the conclusion that it's already too late. And trust me, before ANY MAJOR GROUND IS GAINED, I call it. Nope, I was hacked. If you can PROVE to me I wasn't hacked I'll believe you, but just saying that this is all coincidence I will not believe. The way this attack came through is honestly a great way to hack people. Those who see it probably won't believe it is happening, and those who don't know about it will shrug it off with a forum article just like this one about it. I'll assume what I feel safe with and continue to do what I do when this happens: stage 1 a new system with mad security, spend 2-3 weeks with hourly, daily and weekly logs, even mandatory access control, wait for it to slowly degrade and then fail by watching inconsistencies via logs and network maps, then come to a conclusion about how far they got. Once again.

----------

## Monkeh

 *Quote:*   

> i guess this is what happens when u roll with 3 gentoo box and uclinux router.

 

I have half a dozen Gentoo machines, and a FreeBSD router. I've not been compromised yet..

 *Quote:*   

> one of the easiest fuckn operating systems to hack and hide data in.

 

Only if it's not run properly..

 *Quote:*   

> which would only mean that my router / gateway was hacked and they were somehow able to gain entry. which leads me to ask ? if u hack a network gateway or router. how hard would it be to gain entry into a box from IT

 

You realise how difficult it actually is to compromise a firewall anyway? I wouldn't be at all surprised if you have weak passwords and externally accessible ssh..

 *Quote:*   

> dude u can think what ever the FUCK u want, but listen when i run 3 gentoo boxs and one states that file-.019 has hash problem when downloading compared to file-.20 one another one which hasnt been compromised and was STAYING on that package, then looking up and finding that file-.19 has exploit. there is NO NEED for me to have file-19 on the hacked computer unless someone put it there forcing the file-.20 which would have been updaetd a long time ago.

 

I have no idea what you're trying to say here. Especially as there is no file-.19 or file-.20..

 *Quote:*   

> It pisses me off when I know for a fact I've been hacked (cause it happens once a month), I come here, and nobody believes it.

 

Y'know, it really might help if you try and make sensible posts. Use correct grammar, spelling, and STOP SWEARING.

----------

## InsaneHamster

 *Monkeh wrote:*   

>  *Quote:*   I guess this is what happens when you roll with 3 Gentoo boxes and a uClinux router. 
> 
> I have half a dozen Gentoo machines, and a FreeBSD router. I've not been compromised yet..
> 
>  *Quote:*   One of the easiest fuckn operating systems to hack and hide data in. 
> ...

 

Fuckn people and fuckn web forums. Some of us don't have grammar or sentences or spelling. I rely on Firefox spelling to get 60% of my shit probably written in the correct fuckn standard, so I could give two fucks. sys-apps/file-4.19 btw.

----------

## codergeek42

InsaneHamster, please calm down. 

We are all in this to help you; but if you continue simply being rude and not trying to maturely discuss these matters with us, then we cannot do so.

----------

## zeek

Was this some kind of early April Fools?

Rogers uses downloads from Akamai and is directed to Akamai's Rogers servers. Sounds like Akamai's system is working perfectly.

I've seen so many FPs from Snort that I've turned it off. Honestly, Snort sucks and it's a huge security risk -- long exploit history.

----------

## InsaneHamster

Oh this is priceless. I thought, wait, maybe they are right.

So I sit on it a couple of days, watching with tcpdump as usual in console and Wireshark the packets, with no web applications, which faulted every now and then.

Noticed that coreutils NSA Linux 6.9 finally was able to compile with NSA security after a certain update (I was running NSA SELinux with no coreutils + selinux flag until a day ago).

The Google round robins and the Akamai shit stopped downloading random shit after that update.

Then ATI drivers needed to be updated; I said sure, why not.

Today xorg-server.

After update:

ROFL, ssh-agent gets installed in user account, ROFL.

After restarting my X server, for some odd fuckn reason, now 2 Xorgs are loaded up (ps aux).

The hacker didn't expect me to be running Beryl with ATI drivers (which makes running 2 X servers damn near impossible and having XGL acceleration).

ROFL, if only I trusted what people said,

this probably wouldn't happen once a month as it does (cause now I have to re-source from stage one my entire network).

I would probably just be sitting with the hacker in bed.

Thank you all for being so ignorant.

(PS: in situations like this when I'm in heat I rsync 5 times a day to compare.)

Last edited by InsaneHamster on Fri Apr 06, 2007 5:07 am; edited 3 times in total

----------

## InsaneHamster

 *codergeek42 wrote:*   

> InsaneHamster, please calm down. 
> 
> We are all in this to help you; but if you continue simply being rude and not trying to maturely discuss these matters with us, then we cannot do so.

 

I found people to be rude to me; I was rude back to them.

For them being rude to me: I apologize for me being rude to them; they should apologize to me.

----------

## InsaneHamster

 *zeek wrote:*   

> Was this some kind of early April Fools?
> 
> Rogers uses downloads from Akamai and is directed to Akamai's Rogers servers. Sounds like Akamai's system is working perfectly.
> 
> I've seen so many FPs from Snort that I've turned it off. Honestly, Snort sucks and it's a huge security risk -- long exploit history.

 

Without snort+inline, what else would be a good IPS/IDS?

----------

## InsaneHamster

Oh this is fuckn VERY nice.

If I kill the ssh-agent on the user account,

and su root in console,

then start my X server within that,

ssh starts up again, ROFL,

which means I now have 3 /usr/bin/ssh-agent running, ROFL, because I tried it many times; it stays running for each one,

thanks to my router being spoofed and somehow my portage being taken over.

I wish to know how they are able to do this so I could prevent it (system is of course unplugged from internet).

So feel free to post comments if you want me to trace this through with you.

As far as the router goes, it's a uClinux with httpd (Samba now runs with root as share account).  :Very Happy:

Last edited by InsaneHamster on Fri Apr 06, 2007 5:08 am; edited 1 time in total

----------

## InsaneHamster

I have checked Akamai and it didn't state if Rogers was their consumer.

However,

I have never (after using ONLY ATI CARDS for the past 6 years),

I have never till this had ATI drivers download from Akamai with a Rogers IP address (I have OCD btw). I can spot this shit like taking a piss with one hand.

----------

## InsaneHamster

I also have noticed no ~/.ssh/ directory for this ssh,

only /tmp/ssh pid.
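Added example, not commands anyone in this thread ran: the two posts above report several `/usr/bin/ssh-agent` processes and a socket under `/tmp`, and the defender's first check is to read each agent's parent and children from a `ps` snapshot before treating the extra processes as an intruder's. The script below does that over a constructed snapshot in `pid ppid comm` form (the function names and the sample data are made up for the example); `--live` runs it against the real process table on Linux.

```sh
#!/bin/sh
# Added example for this thread, not commands anyone in it ran: before treating
# extra ssh-agent processes as an intrusion, read a ps snapshot and show, for
# each agent, which process started it and which process it is wrapping.
# Snapshot lines are "pid ppid comm", i.e. the output of
#   ps -eo pid,ppid,comm | awk 'NR > 1'
# Function names and the sample snapshot below are constructed for the example.

# Constructed snapshot: one agent wrapping an X session, one daemonized by
# `eval $(ssh-agent)` in an sshd login shell, one left over from a session
# that has already ended (nothing references it any more).
sample_snapshot() {
    cat <<'EOF'
1 0 init
900 1 login
901 900 bash
902 901 ssh-agent
903 902 startx
904 903 xinit
905 904 Xorg
1100 1 sshd
1101 1100 bash
1200 1 ssh-agent
1300 1 ssh-agent
EOF
}

# One line per ssh-agent:
#   "<pid> ppid=<n> parent=<comm> children=<comm,...|none>"
ssh_agent_report() {
    awk '
    { ppid[$1] = $2; comm[$1] = $3 }
    END {
        for (p in comm) {
            if (comm[p] != "ssh-agent") continue
            kids = ""
            for (c in comm)
                if (ppid[c] == p) kids = (kids == "" ? comm[c] : kids "," comm[c])
            if (kids == "") kids = "none"
            par = (ppid[p] in comm) ? comm[ppid[p]] : "?"
            print p " ppid=" ppid[p] " parent=" par " children=" kids
        }
    }' "$1" | sort -n
}

# Classify each agent from the report:
#   wrapper    started as "ssh-agent <command>"; it is <command>'s parent and
#              exits when <command> does (how X session scripts often run it)
#   daemonized started with "eval $(ssh-agent)"; it forks away from its shell
#              and is re-parented to pid 1, so it also outlives the shell
#   other      anything else (worth a closer look)
ssh_agent_classify() {
    ssh_agent_report "$1" | awk '
    $4 != "children=none" { print $1 " wrapper"; next }
    $2 == "ppid=1"        { print $1 " daemonized"; next }
    { print $1 " other" }'
}

# Number of daemonized agents; more than one per logged-in user usually means
# earlier sessions exited without `ssh-agent -k`, not an intruder.
ssh_agent_daemonized_count() {
    ssh_agent_classify "$1" | awk '$2 == "daemonized"' | wc -l | tr -d ' '
}

# Run on the live system with: sh this_script.sh --live
if [ "${1:-}" = "--live" ]; then
    snap=$(mktemp)
    ps -eo pid,ppid,comm | awk 'NR > 1' > "$snap"
    ssh_agent_classify "$snap"
    rm -f "$snap"
fi
```

On the constructed snapshot, pid 902 is reported as a wrapper around `startx`, while 1200 and 1300 are both daemonized agents under pid 1, which is exactly what repeated `eval $(ssh-agent)` logins leave behind. A leftover agent also keeps its `/tmp/ssh-XXXXXXXXXX/agent.N` directory, so the `/tmp` entry the poster mentions is consistent with that. An agent classified as `other`, or one whose parent chain leads somewhere no session script would, is the one that deserves the full incident-response treatment.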

----------

## Fitzsimmons

Dear InsaneHamster,

http://linuxmafia.com/~rick/pictures/stfu-big.png

There's nothing else that needs to be said in this thread.

Thanks.

----------

## InsaneHamster

 *Fitzsimmons wrote:*   

> Dear InsaneHamster,
> 
> http://linuxmafia.com/~rick/pictures/stfu-big.png
> 
> There's nothing else that needs to be said in this thread.
> ...

 

How about you go fuck yourself.

----------

## codergeek42

Behave yourselves please. Thread locked...

----------

## Earthwings

 *InsaneHamster wrote:*   

>  *Fitzsimmons wrote:*   Dear InsaneHamster,
> 
> http://linuxmafia.com/~rick/pictures/stfu-big.png
> 
> There's nothing else that needs to be said in this thread.
> ...

 

And InsaneHamster banned, guidelines

----------

