serversniff

Transfer Files and Data via DNS-Requests

2011-02-03T23:44:00.000-08:00

Most of you might know dnstunnel. Johannes Ullrich from Sans lists a poor mans dns-filetransfer using xxd which i think is a nice idea working on most unix boxes for xxd seems to be commonly installed.

How Egypt cut itself off - and how it got back

2011-02-02T05:13:00.000-08:00

Heise.de hosts a nice video derived from bgplay showing how the egyptian BGP-Routes vanished.

http://www.heise.de/newsticker/meldung/Aegypten-Massenproteste-gehen-weiter-Update-1181273.html (sorry - much german text, but the video speaks for itself...)

Ripe also has some static infos here: http://stat.ripe.net/egypt/

Egypt is currently coming back on the internet, see a video of the newly announced routes here:
http://www.heise.de/newsticker/meldung/Aegypten-ist-wieder-online-Update-1182195.html

The situation in Egypt and the currently proposed "Internet-Kill-Switches" throughout Europe made me think. In the days before Trumpet Winsock i used to be a FIDO-Net-Point, polling twice per day via modem. Maybe it's time to wipe the dust of the old sportsters and see, if we can remember the basics of the AT Commandset and if the boxes are still working, even without a serial card with a 16550-FIFO.

I wonder if FroDo2.02/FastEcho still run within a WinXP Commandshell. And if there is any local Fido-Node supporting Modem Calls left...

For those willing to try: http://www.softeq.de/old/Download/download.html

tom

Why unsolicited reporting of vulnerabilities is a bad idea

2011-02-02T02:59:00.000-08:00

Almost all young hackers come at some point of their hacker-life to the conclusion that finding and unsolicited reporting of vulnerabilities would be a fine idea:

The owner of the website might be thankful or even hire the young hacker to check the site further or fix the vulnerabilities.

Almost everyone in the IT-Sec-Business I know had this idea - and most of us learned the more or less hard way, that it is in fact a bad one. Not all potential customers are nice people. And be honest: Would you really hire someone who did an unsolicited hack of your infrastructure?

Some "IT-Sec-Professionals" take longer to learn their lessons - I remembered my own experiences when I read about Chris Russo and his plentyoffish-hack.

In my opinion both partys made mistakes and are leaving a really bad impression in this case. Maybe something to learn from, regardless on which side of the net you work?

Some of the comments over at slashdot http://slashdot.org/story/11/01/31/1856202/PlentyofFish-Hacked-Founder-Emails-Hackers-Mom are worth reading.

tom

Passwordlists with John the Ripper

2010-12-16T02:54:00.000-08:00

Creating Passwordlists with John the Ripper

Whilst bringing hashcrack.com back up to work i had to create passwordlists for checking the scripts and the database. For those that don't know: John the Ripper does quite a good Job creating passwordlists out of the blue or mangling existing lists. The --stdout-parameters are somewhat tricky:

john --i --stdout

creates passwords up to the length configured in MaxLen (and MinLen) in john.conf.

john --i --stdout:2

creates password up to the length of 2 chars.

If it comes to working with existing password-lists according to the defined rules, you can use

john --stdout --wordlist=file.txt

to echo the plain wordlist.

To mangle the list according to john's rules, you might use

john --stdout --wordlist=file.txt --rules

With a plain john-config this increases your amount of passwords by a factor of approximately 7, mangling "password" to stuff like Password, Password1, 1password etc.

tom

Rather useful E-Book

2009-10-20T00:59:00.000-07:00

Those of you readers who occasionaly do pentests, vulnerability checks or network analyses might be interested in this E-Book. Unlike most other free ebooks there is no advertising stuff and not the 101th description of nmap-switches, but a bunch of (imho) genuine and up to date information about few not so well known tools and methods. 316 colored Sites packed with information. Definitely a recommendation.

http://inverse.com.ng/sadv/Security_Analysis_and_Data_Visualization.pdf

tom

My hotmail-account is hacked. And now?

2009-10-13T06:28:00.000-07:00

You're lost.

Not really. Microsoft set up a form to regain access to your inbox. I just tried to find it - took me (and I consider myself to be a routined google-hacker) about 5 minutes to find.

I doubt that a normal user would find it (btw: it's here: https://support.live.com/eform.aspx?productKey=wlidvalidation&ct=eformcs&scrx=1).

Now I'm curios what yahoo did to enable users to reclaim their inbox. Any hints or links? - Post a comment if you can help.

tom

slashdotted

2009-10-13T02:09:00.000-07:00

due to massive media-echo on our check of compromised accounts serversniff is currently almost non-avaiable. slashdotted. twittered. heised. media-ddos. bear with us, times will get better and serversniff will be respond again when the massive load (traffic is currently >100 times over average) will decrease.

tom

Check for compromised account

2009-10-10T15:02:00.000-07:00

I hacked a quick check together to check a mailaccount if it is compromised. All you have to enter is the first part of the mailadress - no password, no complete mailadress.

http://beta.serversniff.de/mailaccounts

tom

Is your mailaccount compromised?

2009-10-09T05:07:00.000-07:00

I got quite a few questions to look up peoples mailaccounts in the list of compromised accounts.

I created a lookup-interface for anybody to look up if a mailaccount belongs to the compromised accounts, i'll set this live on serversniff in a few hours.

cheers,

tom

How security-teams deal with leaking passwords

2009-10-08T14:43:00.000-07:00

Finally: I have "The List" - I even posted where it is to find, for what I read was, that the security-teams of the major providers affected did their work properly deactivating all the affected accounts.

http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry?wa=wsignin1.0&sa=363915619

http://news.bbc.co.uk/2/hi/technology/8292928.stm

This is currently, three days after (early October 9th) NOT true. I removed the links from the previous posting, even if it is not so hard to find the lists using your favorite searchengine.

First of all, a bit of statistics:

The one BIG list is around 24.530 lines long, hosting a few double accounts. A quick check reveals (amongst many others):

592 gmail.com-accounts with password
22 googlemail.com-accounts with password
13.098 hotmail.com-accounts with password
~800 other hotmail-tld-accounts with password
477 msn-com-accounts with password
3.717 yahoo.com-accounts with password
971 aol.com-accounts with password
347 comcast.net-accounts with password
41 facebook-accounts with password
2 amazon-com accounts with password
6 ebay-accopunts with password

A phishing-scam is likely to be the source, lines like

Not Telling! michelle!

indicate that at least a few victims were clever enough not to enter their real mailadress.

The bad guys obviously checked the at least some of the victims inboxes and extracted facebook, amazon, ebay and bulletinboard-stuff manually to put it on the list. This is very incomplete and only done for a handful of the listed accouts.

Tonight I took some time to dig deeper, i couldn't resist to check a few accounts. I found the results quite interesting:

Google did a fine work. None of the gmail-accounts checked did work. And i checked quite a few.

Surprisingly Ebay did a fine work too. All checked ebay-accounts had either the password changed or the account locked. This looks like this:

I checked further. Major media told that microsoft did suspend or otherwise protect the affected hotmail-accounts.

This is obviously not completely true, for i found a few of the hotmail-accounts still working, funny enough many of them swedish!

Hence whats to be found in the inbox of the poor guys:

A security-warning with account-suspension from facebook.com. Good guys, too. But ugly, if the warning is sent to a Mailaccount that is also compromised.

I got really disturbed when i checked the yahoo-accounts: A huge load of them is working.

Many of these InBoxes are stuffed with password-resets, security-hints or abuse-reports from other sites: Onlineshops, Bulletin-Boards, Web20-stuff. This leads to the conclusion that the accounts are circulating and actively exploited: Not only the mails, but also all other accounts depending on these inboxes. Password-Reset-Mails get sent there...

Yahoooooo. Wakeup-Call. Any security or customer service-stuff left at your offices?

I censored the links in my earlier blogposting, for i realized that so many accounts still work.

To sum it up:

Some, even if not really affected, acted fast and complete: Ebay suspended the accounts. Facebook sent warnings. Google seems to have fixed all accounts listed.

Security-guys over at Microsoft did a rather incomplete work, while the company pretends to have blocked all of the accounts listed.

Yahoo seems to have done nothing. (Did anybody at yahoo do anything in the last 2 years??)

Compliments go to google, facebook and ebay: I admit that i don't like the whole trio, but they silently did a fine job where others failed.

Note: This data is only gathered by examining ONE of the two lists mentioned by the bbc-article.

The second list has 10.030 lines and is also still publicly available. It hosts accountnames in alphanumeric order starting with A and B (ending with blan____13@hotmail.com:an_____ey) - this leads to the suggestion that there must be more HUGE lists containg accounts with C to Z.

Tom

List of passwords for Gmail, Hotmail & co

2009-10-08T04:47:00.000-07:00

As told in the previous posting: the passwordlists start to leak ...

~25.000 hotmail/gmail & others here: self-censored

Others here: self-censored

More locations to be found up to your imagination.

This list mentioned here will disappear at the mentioned location and pop up elsewhere. Dissapear there and pop up somewhere else. The internet won't ever forget. Welcome, you arrived in modern times.

cheers,

tom

Passwords on the Web

2009-10-08T02:09:00.000-07:00

Somebody tried to post some 10.000 mailaccounts with passwords to pastebin.com. Bad idea, the post was truncated after ~ 10.000 lines, making the alphanumerically sorted list ending with B***.

Paul Dixon, aka Lordelph, the owner of pastebin.com (great idea for a website, btw) posted a blogentry about this here: http://blog.dixo.net/2009/10/07/pastebin-com-and-password-lists, you might get the rest of the story out of major media coverage.

While i really like the pastebin-concept i also like making fun of users contents: Doing a google-search for mailaccounts or password does reveal quite a few posts hosting passwords of different origins: There is are bulletin-boards complete userdatabase-dump, published by hacker-kids dissing other hacker-kids. There are gmail-accounts with passwords stored in scripts using the account for automatically sending emails or attachments.

I found a working facebook-account in another script.

And finally i found that google is not only indexing, but also caching the pastebin-entrys. So if you tag your pastebin-text with a lifetime of one day, or if you delete your pastebin-entry it is rather likely that searchengines have already indexed and cached your entry, thus totally subverting the TTL-concept of pastebin.

Seems like pastebin.com and its sisterprojects in other tlds (Thanks Paul for making the source available!) would be a nice place to spend the next procrastrinated afternoon.

Back to work now.

tom

Perltweak: fast and easy matching text with index()

2009-09-14T14:26:00.000-07:00

The best tool in Perl for finding exact strings in another string (scalar) is not the match operator m//, but the much faster index() function. Use it whenever the text you are looking for is straight text. Whenever you don't need additional metanotation like "at the beginning of the string" or "any character," use index():

$index = index($T, $P); # T is the text, P is the pattern.

The returned $index is the index of the start of the first occurrence of $p in the $T. The first character of $T is at index 0. If the $P cannot be found, -1 is returned.

If you want to skip early occurrences of $P and start later in $T, use the three-argument version:

$index = index($T, $P, $start_index);

If you need to find the last occurrence of the $p, use rindex(), which begins at the end of the string and proceeds leftward.

If you do need to specify information beyond the text itself, use regular expressions.

Why do I tell you this?

Large parts of Serversniff use perl for its backend - be it the site-analyzer or the domain-database. Like most of us I never really learned perl - i was thrown right into a project using eperl and and a bulletin-board-system based on perl and had to maintain and evolve the projects code out nothing. While have used I use perl since then for more than 10 years now I still do find simple tweaks making my perl-life easier almost every week.

Thanks to O'Reilly's "Mastering Algorithms with Perl" for this one.

tom

Extracting Files from a tcpdump

2009-08-28T08:20:00.000-07:00

I'm working as consultant, pentester and sometimes still as second-level-security guy for a rather huge company.

Occasionally I have to analyze tcp-streams, and occasionally I came to a point where i had to extract files out of huge dumps. What I found during my last research about a year ago was not really usable - i hacked together a few lines of perl to extract exactly what i wanted - this didn't deliver exact files, but was enough to help me solve a problem.

Jim Clausing, one of the more practical guys over at ISC described the same problem recently and asked the readers of the ISC-Blog for software that is able to extract files from pcap-dump. People came out with a load of promising solutions:

* NetworkMiner http://networkminer.sourceforge.ne/

* tcpxtract http://tcpxtract.sourceforge.net/)

* bro http://www.bro-ids.org/

* tcpflow http://www.circlemud.org/~jelson/software/tcpflow/

* foremost http://foremost.sourceforge.net/

* dsniff http://www.monkey.org/~dugsong/dsniff/

* Chaosreader http://chaosreader.sourceforge.net/

* pyflag http://www.pyflag.net/cgi-bin/moin.cgi

* tcptrace http://www.tcptrace.org/

* tcpick http://tcpick.sourceforge.net/

* xtract.py http://www.malforge.com/npeid/xtract.py

Not all of them might do exactly what you want - but this is defintely the best overview on pcap-file-extractors I ever came across.

Tom

Network-Cheatsheets

2009-08-27T08:20:00.000-07:00

I'm on my way to become a friend of cheatsheets. A nice suite of network-related sheets is here: http://packetlife.net/cheatsheets/

Tom

How to find Elite-Security-People

2009-08-04T02:20:00.000-07:00

Ever wondered where to find those real elite-security-people?

Maybe look for those who did their cissp-certification years ago: http://attrition.org/misc/ee/20050426-cissp.txt

~4.700 Names, employers, functions, addresses etc pp. of all those early CISSPs.

Real elite? - look for those who have an account at osvdb.org - especially check their id - the smaller the ID, the more 4337 they are. Get the (huge!) db here: https://www.metricscenter.net/amCharts/osvdb-metrics/raw/osvdb-csv.latest

Around 5.000 names here - but it reads like a who's who of those it-security-swamp. Also look here if you look for a human security-contact at some soft- or hardware-company - you find quite a few in those database.

Ever wondered how to find elite-security-guys, the leading edge security professionals?

You know other security-pro-listings? - Write a comment.

"The reason people search for themselves is that they're curious about what other people see when they search for their name," says Joe Kraus, Google's director of product management. (here)

Funny, those public databases.

tom

How to check a site for E-Mail authentication

2009-08-02T06:00:00.000-07:00

Working as a pentester, i often check webshops and well-established brands. I expect them to have some kind of E-Mail-Authentication in place - be it Domain-Keys or an SPF-Record.

Not because I want to make the world a spam-free-place - I believe mail-authentication a worthwile measure against phishing-scams abusing a company-brand. I a company has mail-authentication like SPF in place, almost all spam-filters are able to and will separate legitimate company-mail and newsletters from phishing-scams, that are usually sent via untrusted ip's or without proper DKIM.

I was recently asked how to check this in a realworld-scenario. SPF is fairly easy - just get TXT and SPF-record for the domain in question. DIG is your friend, or just use serversniff's dns-report.

DKIM is more complicated: You need a realworld mail from the customer - be it a newsletter or an errormessage or anything else.

But how to verify SPF-Records and Domain-Key-Sigs?

I found it the easiest to use googlemail for this task - open an email in question, press the small arrow up right (next to the upper "reply") and select "Show Original". GMail will show you the complete Mail-Headers then, including validated SPF- and DKIM-Records. These might look like this:

SPF pass: Google verified an SPF-Record for this mail.

SPF neutral: Google can't verify an SPF-Record for this mail.

SPF pass by "best guess": There is no SPF-Record, but google was able to verify that the originating machine belongs to the originating domain.

And now for different DKIM-Headers:

I'm still not sure what google's spamfilter means with these headers, but it seems to be fairly accurate with even detecting a domain in "test-mode".

I'd be happy to hear from any other solution for verifying Mail-Authentication - write a comment or drop me a mail to tom@serversniff.net.

tom

DNS-Redirects

2009-07-30T01:09:00.000-07:00

Nobody likes DNS-Redirects. Even IETF said recently (http://www.icann.org/en/committees/security/sac041.pdf):

The redirection and synthesizing of DNS responses by TLDs poses a clear and significant
danger to the security and stability of the domain name system. The consequences of
synthesized DNS responses range from erosion of trust relationships to the creation of
new opportunities for malicious attacks, without the ability of the affected party(ies) to mitigate these problems.

Serversniff stumbles over this shit, too. Currently the TLDs .mobi, .jobs and .asia use this - they answer every dns-request with an ip, even if a domain won't exist.

They don't dare to present a http-landing-page (like e.g. t-online.de does) - but in fact they resolve every query to an IP, misleading quite a few of serversniff's scripts. We're workin to fix this - but this takes time, for we need to fix every ip-lookup-routine.

totally useless shit.

tom

to be unique or not

2009-07-21T03:17:00.000-07:00

Way back in 2004 I created serversniff
* to help myself managing and doing my pentests
* to help others checking their sites
* to help myself understanding stuff. cryptology, protocols etc
* to help others understanding stuff. cryptology, protocols etc

and finally, to create something unique and new.

Why should i reinvent the wheel, why invest time to offer services that others already offer for free?

I'm a bit puzzled about the occasional inquirys to "donate" sourcecode for somebody's public site. People are not ashamed to ask for ready-to-run code to implement serversniff's functions on their sites. And no, it's not just one or to mails coming in with such requests. Anyway, i still see serversniff as more or less academic, and primary educational stuff. I give out advice, concepts and snippets of code as long as the request is friendly and nice.

But still: It wouldn't come to my mind to ask anybody to donate code of his website so that i can implement it in any of my sites. I'm still eager to learn necessary stuff before i start coding php-scripts, i'm still committed to create unique services that aren't to be found anywhere else in this flavour or quality.

While serversniff's script use crappy php-code and the server itself is unstable like a one-legged stool i'd never try to release a service unless i'm convinced that it has something unique or does its job better than all other sites.

Maybe there's just somehting wrong with my mind.

tom

Serversniff on Twitter

2009-07-21T03:03:00.000-07:00

We're implementing and fixing quite a lot on what we call "Serversniff 2.0", currently hosted on http://webwiki.de. Since it's plain to much to blog it all in detail, we decided to put the updates and fixes on a twitter-feed hosted at http://twitter.com/serversniff.

Follow there if you want to stay tuned about news and fixes concerning serversniff.

tom

Site-Analyzer: Added Page-Rank detection - http://webwiki.de/taglists/pagerank-8

2009-07-15T03:00:00.001-07:00

Added a page-rank-detection for sites.
If a site has a page-rank, it is displayed at site-analyzer.
Page-Ranks of 5 and higher get tagged, so we'll build up a list of
sites with high-pageranks. Since the feature is brand new, there is
not really much in there right now - but you might try to list all
sites having a Google-Page-Rank of 8 here:
http://webwiki.de/taglists/pagerank-8

tom

New links in Site-Analyzer

2009-07-14T14:43:00.001-07:00

I just implemented links to Symantec/Norton's SafeWeb-Analyzer
(https://safeweb.norton.com/), McAfee's SiteAdvisor
(https://www.siteadvisor.com/) and Googles SafeBrowsing
(http://google.com/safebrowsing/diagnostic?site=www.bayern.de).

If you're in doubt wether to trust a site you might check it first on
these sites.

Do you know any other relevant malware-checks?

Comment here or drop me a mail:

tom@serversniff.net

experiment: switched from http://thumbshots.com to http://shrinktheweb.com

2009-07-14T14:28:00.001-07:00

we switched the site-image-hosting from thumbshots.com to
http://shrinktheweb.com
pictures are bigger and it seems faster. shrinktheweb.com has tighter
limits for the free version - we'll see if this is enough.

tom

added wp-post-ratings and wp-quotes-collection

2009-07-14T09:16:00.001-07:00

Added support for random Wordpress-Plugins.

bugfix: fixed site-analyzer-api-output with multiple site-analyzers

2009-07-14T09:04:00.001-07:00

i can't imagine why anybody wants to use more than one tracking-pixel....
anyway, i fixed the api-output as well.

implemented statcount.com-tracker. poc: http://webwiki.de/i/ik/ikb/www.ikbenanders.nl/htmlreport

2009-07-14T08:56:00.001-07:00

Implemented the http://statcount.com tracking-script.
Example here: http://webwiki.de/i/ik/ikb/www.ikbenanders.nl/htmlreport

tom

fixed site-analyzer-bug (mutliple site-statistics)

2009-07-14T08:54:00.001-07:00

Identified and fixed a site-analyzer bug that prevented multiple
site-statistics to be parsed when google-analytics was involved.
Multiple-Stats are working now. Example (google-analytics AND
statcount.com) here: http://webwiki.de/analyze/www.simonwakeman.com

Cheers,

tom

todo: add statcounter at site-analyzer - http://www.statcounter.com

2009-07-14T06:49:00.001-07:00

example-site using statcounter (www.statcounter.com, my.statcounter.com):
http://www.ikbenanders.nl

Nice tools: http://www.gwebtools.com/

2009-07-14T01:02:00.001-07:00

Nice Tools on gwebtools.com. Not really much unique stuff, and not
really "Amazing tools to increase your Network and Website
performance", but still fast and with some nice ideas.
Personally i don't like totally anonymous sites like gwebtools without
any name on it - but the author might have his/her reasons.

http://webwiki.de/g/gw/gwe/www.gwebtools.com/htmlreport
http://webwiki.de/b/bl/blo/blog.gwebtools.com/htmlreport

Be sure to check out the hosts-on-ns-function. It supports only
.com/.net, but it's using the .com/.net-zonefiles and is therefore
much more complete than Serversniffs NS-Catalog at
http://serversniff.net/nscatalog when it comes to these two tlds.

tom

We're getting faster

2009-07-12T05:35:00.000-07:00

We are into tuning and speeding up Serversniff 2.0.
* The SiteReport got a new section: Other Hosts on this ip
* The DomainReport is half-optimized and now much faster
* We changed the directory-structure to waste less space and make it easier for you to see what information is already there about a host.

tom

Crypt-Functions are back

2009-07-07T04:26:00.000-07:00

Some might have noticed: The Crypto-Functions didn't work for some time.
I'm happy to announce that most hashes and checksums are back online at our new beta-site:

Some checksums are still missing - bear with us, we will expand functionality there soon. Both checksums and hashes are faster, for we switched the implementation from jonelos great java-application jacksum to a binary implementation eating far less ram and cpu-power.

Currently the NIST-Competition for a new SHA3-Algorithm is in a hot phase, there are several candidates pending. We implemented two of them, SKEIN and MD6 (in fact: just one, for md6 is already withdrawn from the competition) in Serversniff's Hash Calculator and will implement the other candiates soon.

If you want to check out what an MD6 Hash looks like, check our Online Hash Calculator.

tom

Serversniff 2.0

2009-02-27T05:41:00.000-08:00

After serveral tries: Serversniff 2.0 is on its way. As we believe it is better than Serversniff.net as we know it, we put the beta online: We will add functionality as we build it. Check it out: http://dw.serversniff.de/start

another dead day

2008-10-15T14:47:00.000-07:00

somewhere on the raid-array something crashed - two disks went offline, don't know why. cables? mice? no clue.
took a few hours until i found the time to fix this and import the old config again.

stuff's up and running again since about an hour.

tom

Answer from PriceWaterhouseCoopers

2008-09-04T02:24:00.000-07:00

I sent an EMail to PwC asking about my data and my account that may have leaked from their career-site. I wonder if only the login and password leaked, or if all my personal data, cv etc leaked as well.

The answer i got from PwC (sorry again: german only) speaks for itself:

Sehr geehrter Herr Springer,

vielen Dank für Ihre Anfrage. Wir werden Ihnen in Kürze Informationen zur Verfügung stellen können und Sie umgehend unterrichten.
Bis dahin bitten wir Sie, das Passwort, das Sie für die Jobdatenbank bei PwC benutzt haben, umgehend zu ändern, um einem potentiellen Missbrauch von Daten vorzubeugen.

Wir danken für Ihr Verständnis.

Mit freundlichen Grüßen

-------

tom

Update: finally they published a press-release: http://www.presseportal.de/pm/8664/1258775/pwc_pricewaterhousecoopers

And the Winner is:

2008-09-03T13:47:00.000-07:00

And the Winner is: Price Waterhouse Coopers.

Some people believe that the account-database of their carreer-site leaked mailaccounts and passwords, causing the mail issued by ZDF cited in my previous posting. I don't know if this is true. I don't state that this is the case. Others do. It is possible: I have an account there. PWC might believe this as well: their carreer-login-page is currently closed.

Funny.

Tom

funny email from ZDF

2008-09-03T13:13:00.000-07:00

Sorry - German only. No fake - the passwort was a real password i used ages ago for useless boards and sites.

I'd have to send thousands, sometimes even millions of E-Mails like this around twice a month if i'd react on every userbase i get access to. (update: I don't do this. usually because i stumble upon this data whilst pentesting on behalf of the affected company itself). anyway - nice to read.

from	Zweites Deutsches Fernsehen / Redaktion WISO
to		tom@serversniff.net
date		Wed, Sep 3, 2008 at 5:27 PM
subject		Hinweis auf Datenmissbrauch

Hallo, Eigentümer der E-Mailadresse tom@serversniff.net

Sie erhalten diese Mail von uns, weil wir auf einen datenschutzrechtlich problematischen Sachverhalt aufmerksam gemacht wurden, der Ihre E-Mail-Adresse betrifft.

Ihre E-Mail-Adresse und das Passwort *xundat* (Zu Ihrer Sicherheit wurde das Passwort gekürzt) befinden sich nach unseren Recherchen auf einem im Internet frei zugänglichen, in China beheimateten Server.

Die Daten scheinen aus einem Datendiebstahl zu stammen, die Datendiebe haben versucht, sich mit Hilfe dieser Kombination aus Mail-Adresse und Passwort Zugang zu Online-Bezahldiensten zu verschaffen.

Die Daten selbst stammen nach ersten Erkenntnissen aus einer Datenbank, die nichts mit Finanzdienstleistungen zu tun hat und bei der Sie sich in der Vergangenheit einmal angemeldet haben.

Möglicherweise nutzen Sie diese Kombination aus E-Mail-Adresse und Passwort für weitere Internet-Dienste, etwa für Ihren Mail-Account, zum Anmelden bei Online-Shops oder auf anderen Webseiten. In diesem Fall raten wir Ihnen dringend, auf jeder einzelnen dieser Seiten Ihr Passwort unverzüglich zu ändern, bevor irgendjemand aus dem Vorhandensein dieser Daten im Internet einen Vorteil ziehen kann.

Hinweise zur Verwendung von Passwörtern und für die sichere Passworterstellung erhalten Sie untenstehend.

Diese Mail geht zurück auf Recherchen der ZDF-Sendung WISO, die am Montag den 8. September ausführlich über diesen Datendiebstahl berichten wird. Informationen erhalten Sie spätestens dann auch unter http://www.wiso.de/ Bitte beachten Sie, dass wir keine Einzelfallberatung durchführen können - E-Mails an diese Versandadresse werden nicht beantwortet.

Wir werden die uns vorliegenden Daten nach Ausstrahlung des Beitrags löschen, Sie erhalten keine weitere Mail von uns an diese Adresse (es sei denn, Sie haben sich bei einem ZDF-Informationsdienst angemeldet.) Wir informieren das vom Datendiebstahl betroffene Unternehmen sowie die entsprechende für den Datenschutz zuständige Behörde von dem Vorfall. Allerdings haben wir keinen Einfluss darauf, die auf einem chinesischen Webserver liegenden Daten zu löschen.

Um über die Brisanz des Datendiebstahls qualifiziert berichten zu können bittet Sie die WISO-Redaktion, an einer kurzen Umfrage zum Datendiebstahl teilzunehmen, selbstverständlich anonym (Beachten Sie die Hinweise am Ende der Mail).
Ihre Angaben können dabei helfen, dass die Zuschauer der Sendung für Probleme rund um die Datensicherheit im Internet sensibilisiert werden.
http://vote.wiso.zdf.de/

Mit freundlichen Grüßen

Zweites Deutsches Fernsehen / Redaktion WISO

Hier die Tipps zu einem sicheren Umgang mit Passwörtern, entnommen der Webseite http://www.bsi-fuer-buerger.de/ mit freundlicher Genehmigung des Bundesamtes für Sicherheit in der Informationstechnik.

1. Ein gutes Passwort
... sieht so aus: Es sollte mindesttens acht Zeichen lang sein. Tabu sind allerdings Namen von Familienmitgliedern, des Haustieres, des besten Freundes, des Lieblingsstars usw. Und wenn möglich sollte es nicht in Wörterbüchern vorkommen. Zusätzlich sollte es auch Sonderzeichen (?!%...?) und Ziffern enthalten. Dabei sollten allzu gängige Varianten vermieden werden, also nicht 1234abcd usw. Einfache Ziffern am Ende des Passwortes anhängen oder eines der üblichen Sonderzeichen $, !, ?, #, am Anfang oder Ende eines ansonsten simplen Passwortes ist auch nicht empfehlenswert.

Aber wie merkt man sich ein solches Passwort? Auch dafür gibt es Tricks. Eine beliebte Methode funktioniert so: Man denkt sich einen Satz aus und benutzt von jedem Wort nur den 1. Buchstaben (oder nur den 2. oder letzten, etc.). Anschließend verwandelt man bestimmte Buchstaben in Zahlen oder Sonderzeichen.
Hier ein Beispiel:
"Morgens stehe ich auf und putze meine Zähne." Nur die 1. Buchstaben: "MsiaupmZ". "i" sieht aus wie "1", "&" ersetzt das "und": "Ms1a&pmZ".
Auf diese Weise hat man sich eine gute "Eselsbrücke" gebaut. Natürlich gibt es viele andere Tricks und Methoden, die genauso gut funktionieren.

2. Passwörter regelmäßig ändern
Jedes Passwort sollte in regelmäßigen Zeitabständen geändert werden. Viele Programme erinnern Sie automatisch daran, wenn Sie das Passwort z. B. schon ein halbes Jahr benutzen. Diese Aufforderung nicht gleich wegklicken - sondern ihr am besten gleich nachkommen! Natürlich ist es da schwer, sich alle Passwörter zu merken. Womit wir beim nächsten Punkt sind.

3. Passwörter nicht notieren
Auch wenn es bei selten genutzen Zugangsdaten schwerfällt - grundsätzlich sollten Sie sich Passwörter nicht aufschreiben.

4. Keine einheitlichen Passwörter verwenden
Problematisch ist die Gewohnheit, einheitliche Passwörter für viele verschiedene Zwecke bzw. Zugänge (Accounts) zu verwenden. Denn gerät das Passwort einer einzelnen Anwendung in falsche Hände, so hat der Angreifer freie Bahn für Ihre übrigen Anwendungen. Das können z. B. die Mailbox oder alle Informationen auf dem PC sein.

5. Voreingestellte Passwörter ändern
Bei vielen Softwareprodukten werden bei der Installation (bzw. im Auslieferungszustand) in den Accounts leere Passwörter oder allgemein bekannte Passwörter verwendet. Hacker wissen das: Bei einem Angriff probieren sie zunächst aus, ob vergessen wurde, diese Accounts mit neuen Passwörtern zu versehen. Deshalb ist es ratsam, in den Handbüchern nachzulesen, ob solche Accounts vorhanden sind und wenn ja, diese unbedingt mit individuellen Passwörtern abzusichern.

6. Bildschirmschoner mit Kennwort sichern
Bei den gängigen Betriebssystemen haben Sie die Möglichkeit, Tastatur und Bildschirm nach einer gewissen Wartezeit zu sperren. Die Entsperrung erfolgt erst nach Eingabe eines korrekten Passwortes. Diese Möglichkeit gibt es nicht umsonst. Deshalb: Nutzen Sie sie! Ohne Passwortsicherung können unbefugte Dritte sonst bei vorübergehender Abwesenheit des rechtmäßigen Benutzers Zugang zu dessen PC erlangen. Natürlich ist es ziemlich störend, wenn die Sperre schon nach weniger Zeit erfolgt. Unsere Empfehlung: 5 Minuten nach der letzten Benutzereingabe. Zusätzlich gibt es die Möglichkeit, die Sperre im Bedarfsfall auch sofort zu aktivieren (z.B. bei einigen Windows-Betriebssystemen: Strg+Alt+Entf drücken).

Hinweise zu unserer Umfrage:
Die Teilnahme erfolgt anonym, persönliche Daten werden durch das Webformular nicht erhoben. Aus technischen Gründen protokollieren Webserver allerdings, von welchen IP-Adressen aus das Formular aufgerufen wurde - das Erstellen dieser Logdateien lässt sich nicht unterbinden. Diese Daten werden allerdings nicht zusammen mit den Umfrageergebnissen protokolliert, eine Rückverfolgung der Daten wäre nur sehr aufwendig möglich. Wer seine Anonymität beim Besuch von Webseiten wie dieser Umfrage umfassender gewahrt sehen möchte, der kann die folgenden Web-Anonymisierer nutzen. Für diese Dienste und deren Nutzung übernimmt das ZDF keine Haftung:

http://www.megaproxy.com/freesurf/
http://anonymouse.org/anonwww.html
http://www.anonymsurfen.com/surfen.htm

cracking hashes

2008-09-03T03:04:00.000-07:00

we updated our servers recently - the db is running on an intel quadcore, and there is plenty of computingpower for adding new hashes to the database for our site hashcrack.com. a friendly guy sent me a rather huge wordlist created mainly out of several wikipedia-dumps which we are importing since a few days. we limited speed to around 1 million words per day, but i consider the figures with 31.000.000 words and 189.405.954 known hashes rather impressive yet - the database is still running fast with this load.

I don't know any other hashcrack-base offering more words AND supporting more than md5 and sha1. In fact i do support md5 and lm-hashes only to be complete. If you want to look up md5 or lm-hashes, you should really use one of the few sites offering rainbow-tables. They know alomst every lm-hash and at least all md5-hashes up to 7 or 8 characters. When it comes to reverse-lookup NTLM-Hashes for Windows NT or Mysql-Password-Hashes for mysql3, mysql4 and mysql5, hashcrack.com is still the biggest database i know of. I'd be happy to link to any other database knowing more hashes!

tom

murphy 2

2008-08-07T01:52:00.000-07:00

no, not only did the database pass away, file-info also died despite having nothing to do with the database at all.

the reason here was our provider strozzo updating their crappy virtuozzo-hosts, which cutted for some crazy reason the balls of our perl-core.
no more perl-modules left.
no more file-info there, for this relies in parts on Phil Harveys Image::Exifinfo, a really great piece of software.

thanks to an anonymous comment moaning about the nunfunctional file-info. the perl-modules are reinstalled, file-info is working again as it did.

tom

murphys law

2008-08-04T06:41:00.000-07:00

some might have noticed: serversniffs half dead since 72 hours.
the ups failed, power failed and the raid got corrupt. time to restore from a db-dump.

and time to upgrade: our postgresql-database did run on windows 2000, which is rather fine unless your database won't grow to bloated. postgresql won't eat more than ~ 6o0MB Shared Memory on windows 2000, wich is fine, unless your database wont grow to bloated... - because the vacuum-process needs more RAM. So I ended up with an ever increasingly fragmented database.

time to switch to linux. i tried to build the system as guest on VMWare ESXi - which i was able to manage - but there must have been something horribly wrong with the filesystem: all disk-transfers were slow as hell, usually below 10MByte/s. After 60 hours of setting up ESXi, a Linux-Guest and the database i threw the stuff away and started all over installing plain Linux Sunday evening, 48 hours after the database initially crashed.

Since then i installed linux on the machine, prepared raid-array, database and everything else. currently the data is restored from a dump and the indexes are generated - 6 of ~20 are already done, the rest might be finished by tomorrow. to what i see right now the database is considerably faster using linux and 1 GB of Shared RAM.

I apologize for the downtime, especially to the folks at blackhat.

tom

Camellia

2008-07-29T13:27:00.000-07:00

Firefox 3.0 no longer uses AES256 as default-cipher for https - it's using camellia instead. I can't imagine why the mozilla-developers changed this - but a few weeks ago I updated Serversniffs SSL-scripts to support camellia and a few others (idea again, and seed) as well.

tom

How to check SSH and SSL Certificates for the debian flaw

2008-05-30T01:19:00.000-07:00

I had quite a few questions from people how to check their SSH- and SSL-certificate for the recent debian-flaw. As i had to check a few hundred customer-sites too, i did a little webinterface for checking SSHCerts and SSLCerts for the PRNG-Bug.

See them at work at http://serversniff.net/sshreport.php and http://serversniff.net/sslcert.php

No magic behind - just debians ssh-vulnkey and a php-rippoff from the chksslkey-shellscript written by Michael Holzt. Maybe this will help the average rootserver-admin checking their sites.

Both scripts use standard-sets for verifying the keys, checking only standard-dsa/rsa-keys for ssh and 1024/2048-bit-keys on the ssl-check. Drop me a line to tom@serversniff.net if you really need to check for any different keysizes.

tom

tom

Mapped the net... in parts.

2008-05-16T02:54:00.000-07:00

"Mapping the net" did we call our little project to map as many known hosts, ips and domains as possible some two years ago. Some laughed, others smiled. And we mapped. Thousands of hosts daily, running into a steadily growing postgresql-database built out of junk-hardware, running on a single cheap dsl-connection.

I started some bencharking using search-engines to see how many hosts we really know, and i was surprised to see that we already know between 70 and 80 percent of all known hosts of major international hosts indexed on rank 1-1000 in common search-engines. And we've still far more than 10 million hostnames listed to sort in. I didn't expect to get so far when i started this funny project.

tom

Whois dropped

2008-03-08T05:57:00.000-08:00

Some germans consider whois via serversniff

a breach of law
a breach of privay.

No more whois. I have to do better than argueing with any [censored] about obvious stuff.
Get your whois-info at one of the thousands of sites around the net hosted somewhere outside germany or directly at the nic listed on serversniffs-domain-report.

For the breach of privay: There was a guy, amongst others, writing me an email to "immediately remove my Name from the page http://serversniff.net/dnr-webmasterinformation.<censored>. He didn't like the realname to show up in the whois-information. Hey - I deeply understand this request: If I'd operate a site like http://www.webmasterinformation.xx, I wouldn't want to have my name assigned to it, too. LOL!

Maybe somebody's williing to tell him about whois at all?

The net's a crazy place.

Cheers,

tom

offlinetime while rebuilding db

2008-02-23T08:21:00.000-08:00

we switched the domain-database to new, hopefully faster hdd's sponsored by roelof temmingh (and me).
since postgresql still denies a parallel installation i took the opportunity to rebuild the database, update the server and switch the stuff to the new sata-raid. it'll take a few hours until the database is rebuilt and restarted, but it's weekend - you don't work anyway, do you?

we'll be back again soon.

tom

facts and figures

2008-02-23T00:42:00.000-08:00

our current lookup-lag: 237.405 days.
current number of known domains: 39.163.435

still sorting in ~100.000 domains per day from queues, mainly generic .com-domains.

tom

facts and figures

2008-02-06T01:23:00.000-08:00

For the historic records:
we still lag with re-lookups of our hostnames - current time between a renewal of the IP-Lookup for a hostname is 238,749 days.

We know 36.314.321 domains, the queue with hostnames to sort in decreased to 71.000.000.
The "offline-queue" with not yet queued hostnames is around 5 million hosts.

We're still on an SCSI-Array straight out of the hardware-museum with 8 hdds, 31 of 141 GB free. Over ten year old hardware, still working fine and reasonably fast.

tom

Cuill

2008-02-05T12:53:00.000-08:00

Cuill started crawling Serverniff a few days ago. It does crawl slow, but very steady.

I don't know if this is good news for serversniff, but they have a friendly and steady crawler.
I wonder, when and if they go public - and i'd bet whatever you hold against me that they will be bought by a major company (there are not too many of them left) maximum 6 months after they open their search to the general public.

Anybody willing to bet against?

If you don't know cuill - google and teccrunch will tell more.

tom

Kick-Ass Feedback

2008-01-22T01:20:00.000-08:00

A swedish user kicked my ass to remind me that serversniff's AS-Report is not always reporting hat it should report.

Yah. I ceased working on the stuff to get the domain-database fixed way back in Oktober 2007. Some of the mess is fixed now. Data is up-to-date again, I added more than 17.000 new subnets and i'm goin to build a complete BGP-Parser soon. I reactivadted the daily updates after i fixed database and scripts to work again.

We're currently analyzing BGP-Tables from routeviews.org and LINX once a day, we might implement KIX and DE-CIX as well.

I'd be happy to get more feedback - but it seems that most of you are plain happy with serversniff or just to bored to bother if something doesn't work out at all.

tom

outage

2007-12-09T14:05:00.000-08:00

our chinese little ups does a nice job: its shutting down the database after 10 minutes whithout electricity. this means, the database and its raid-array will stay in sync. but it also means, half of serversniff is dead, until i'm @home to restart the server. hours, usually.
still this is way faster and less time-consuming than rebuilding raid array and database.

tom

Now Reports

2007-11-11T11:37:00.000-08:00

I added a new line of functions to serversniff: Reports. Currently there are NS-Reports, AS-Reports and, new today, Domainreports.

While the domain-report is still under heavy development i feel like its just perfect for visualizing the host- and network-structure of a domain. Try it out with stuff like http://serversniff.de/dnr-norge.no. You can easily identify external hosts or specialized routing. Try it out and have fun and insights.

tom

New: AS-Report

2007-10-28T04:06:00.000-07:00

I've been rather busy the last weeks - at home, at work, everywhere, i didn't have much time to pet serversniff. I just finished a new script: asreport. This shows you infos about an AS.

You feed it with an IP, a hostname or an AS-number, and serversniff tells you

Uplink-ASses
Downlink-ASses
Known subnets on this as

Those of you familiar with AS-geography might argue that there is no real way to determine, which of the peered AS are uplinks and downlinks. You are right: We are guessing. But try it out: We're usually guessing right.

Like always, this is not entirely my own work.
Serversniff has a routing-database that relys on routing-table from de-cix and routeviews. Thanks to those guys for providing the routes. The routing data is parsed with Marco d'Itri's Zebra-Parser. Thanks Marco! The uplink/downlink-guess is relying on Geoff Hustons CidrReport. Thanks Geoff.

Please note that we do cache whois-data for the networks shown, and the routing-data might also be rather outdated, though we usually update the routing-table once a day.

I tried to fix what annoyed me on other AS-related sites:

Robtex seems to work on new, yet unlinked scripts, see http://www.robtex.com/asmacro/as-tiscalicust.html.

What's left to do is some graphs (i'm working on these) and a maybe bit of speed (it's fast enough for me, though).

If you know any other as-analyzers or if you feel i missed something: drop me a note at thomas.springer@serversniff.net or leave a comment.

tom

finally graphs

2007-09-28T14:33:00.000-07:00

I was always jealous on robtex.com for those crazy graphs that took me a few hours to understand completely.

I herby confess publicly: i did a wrapper long time ago for just reaping the robtex-graphic for a domain, to use them for my daily work.

and finally, serversniff comes up with those crazy graphs, too. as i'm always trying to make things better i did split rob's big picture in several smaller graphs, for they are easier to understand.

serversniff uses graphwiz like rob and many others do. seems that there is not really much more there on the market for those directed graphs.

crazy syntax, lousy docs, but works like a charm.

tom

new styles

2007-09-07T11:08:00.000-07:00

we're tryin to revamp serversniff a little bit and we started out with a little mascot. dave decided to name it chuchu, and i'm fine with that. no more need to have jealous looks over to the snort-guys, for i always wanted serversniff to have sth like their old mascot snorty. thanks, dave.
serversniff will stay as simple as it is - we're working to make it even simpler. really, a glance over to the guys at whois.sc makes me feel funny: am i really the only one feeling totaly lost with five (!) menubars, different colors and even different font-familys on one page?
i'll keep serversniff mostly black and white. like it or not, i still do.

tom

donations and raisins...

2007-08-30T14:47:00.000-07:00

for somebody asked for an adress to donate: i have a paypal-account, its thomas.springer@gmail.com.

i'd be glad for anything i can get - it will be spent on hardware, connectivity and electricity anyway.

tom

back online again

2007-08-30T13:02:00.000-07:00

the domain-database took almost two days outtime - and its back online again. a few scripts like ip-info are still down, but will be online again soon.

i did not only rebuild the database, but also rewired the whole thing and drilled loads of wholes throughout my house to do the network. things take time here, for its not only the network that needs some attention, but also the kids and them.

tom

downtime

2007-08-29T07:21:00.000-07:00

The domain-database is currently unavailable for i pulled the plug accidentally. I'm on my way to rebuild the db - and i used the opportunity to triple the server's ram. Maybe stuff gets faster this way.

tom

SEO with serversniff

2007-08-27T10:20:00.000-07:00

Search-Engine-Spammers discovered that Serversniff.net is a lovely site where they can produce a page with links to their pages to be optimized. How does this work?

If you call a page like FileInfo you get an output with a link to your page or at least with a http://somedomain/file, that google will interpret as link to follow. The spammer do exactly this.

Serversniff uses google-adds to get at least a few bucks supporting the servercosts. Google-Bot does follow every customer, indexing the called page a few seconds later. The spamers use serverfarms or, more likely trojanized machines to call their page 5 times in a row from different machines all over the world. Crazy.

I dropped the links on some pages, and I will put on a noindex-Header in the metatags of all relevant Serversniff-pages, hoping to stop these totally useless crapsters from abusing my machine. Seems like nothing is too crazy on the internet.

tom

I still don't like solaris.

2007-08-19T10:03:00.000-07:00

I recently did a pentest. Whilst torturing a webapplication i came across a file-inclusion-vulnerability, allowing me a glance on /etc/passwd via opening http://tortured-site.xx/safe.php?file=/index.php.
I tried /etc/shadow, but no luck, apache was not running as root. I poked around to see that i was on a solaris-machine. F*ck.
I remembered that years ago, when i used to work as a webmaster, they gave me a sun E something. A horrible fast machine, but i had no clue from solaris. After two weeks I gave up with the awful thing and got a copy of the first beta-version of Suse-Linux for Sun. I don't like Suse either, but after installing Linux on it the Sun turned from a constant source of anger and stress into a horrible fast database-machine. I decided that solaris an me will never get friends.
So, what now? I knew i had to come up with something reasonable, not just a list of accounts to make the customers webmasters really aware of the problem. I tried to find other logs - but no way. Solaris' not Linux, and the Apache was homegrown installed in some funny directory i couldn't find.
Finally I came up with a promising solution: I had the accounts from /etc/password, and it was written there, that they all used /bin/bash. I went for /home//.bash_history. No luck on the first two accounts, but then, bingo, there it was: the admin deploying new software-versions, connecting to the database with user and password on the commandline and finally grepping through the apache-logs.
The webapp suffered from another minor vulnerability: All https-transactions were done via GET-Requests. I already pointed this out in my report that it's a really bad idea to transfer bank-account details and creditcard-numbers and cvcs in an URL, even if it is transferred via HTTPS.
From there on stuff was easy: I used the file-inclusion to download a days logfile, filtered the relevant requests via get and had lovely stuff to present:

A list with thousands of CreditCards with CVC, Dates and Names.
A nice record of what the various admins did over the last years. Some proved to be knowledgable and exact, even verified md5-sums of uploaded files to ensure their integrity, some proved to be unix-analphabets like me.
A few passwords for accounts and the locations of ssh-keyfiles i didn't bother to download.

What we can learn from this is:

It is a nice idea to make sure your webserver can't read anywhere on your partition outside the webroot.
It is a nice idea to keep your bash_history-file small. Putting "export HISTFILESIZE=0" in your ~/.bashrc will do the trick.
Consider all user input as dirty.

The vulnerable safe.php proved to be a quick-and-dirty solution: 6 lines of custom code killing an otherwise really good webapp. Safe.php is fixed now, but hey, the site is huge, consists of many servers and I'm still keen on getting access to more user-data. Pentesting sometimes reminds me on an interactive version of mistery-stories and whodunits like "The three investigators" when i was young. I still like this part of my job. And, for i'm using zsh instead of bash, err, anybody can tell me how to disable .zsh_history on my machines?

tom

How nice

2007-07-08T13:17:00.000-07:00

Usually people use serversniff. And they complain, when somethings completely not workin. Otherwise they don't give a shit. Really.

Ok, no real matter - serversniff is a hobby and the API is there to ease my daily work. Nothing more. But really, sometimes i wish people would care more.

Roelof Temmingh does care occasionally, for he uses parts of serversniff for his evolution. He contributed valuable code and (unknowingly) many many ideas and thoughts, and he's constantly begging for new functions. Roelof, if i had the time, i'd implement far more of your requests.

I had somebody asking for an API-Password recently - and a day after i had a bugreport. I was so glad that someone cared about the bugs that i fixed them right away. When I started with serversniff i had a dream of people bringing great ideas and great scripts helping me earn big $$$. Serversniff's live for around 2 years now - about 98% of the code is still mine, and the $$$ still don't pay for hardware, electricity and servercosts. Maybe i should stop ranting here.

Have a nice week,

tom

Statistics B

2007-06-22T05:34:00.000-07:00

We're far from complete, but getting better:

The DB knows ns/mx-records for 12.829.155 domains. More is added daily until we're complete.
The DB knows currently 1.074.097 nameservers (counted by hostname, not ip!).

tom

Statistic-Figure A: 19.155.784

2007-06-22T04:45:00.000-07:00

I'm not really into statistics and i don't do them regurlarly. But i'd like to remind myself that serversniff.net currently knows more than 19.155.784 unique domains with at least one resolving host. This should be around 15 percent of all known domains on the internet.

we're still adding around 100.000 new domainnames per day, focussing on domains outside of the .com/.net-space. To get a glimpse of domains added take a look at http://tomdns.net - there you can see the newest domains added in realtime.

tom

Spam from serversniff.net

2007-06-22T03:55:00.000-07:00

Some asshole sent out a spam-wave with random Serversniff.net-Senderadresses. The little sucker put in a return-path and a sender with @serversniff.net. Since i have defined a "catch-all"-mailaccount for serversniff.net, i get all those nice complaints and returned mails. Hundreds of them! Argh.

And yes Sir, no M'am, neither my webserver nor my mailservers are hacked, take a look at the mailheaders:

Return-Path: <stasIsaev@serversniff.net>
Received: (qmail 25562 invoked by uid 0); 22 Jun 2007 12:17:06 +0300
Received: from 220.125.204.181 by post (envelope-from <stasIsaev@serversniff.net>, uid 92) with qmail-scanner-2.01
(clamdscan: 0.90/2659.
Clear:RC:0(220.125.204.181):.
Processed in 0.239443 secs); 22 Jun 2007 09:17:06 -0000
Received: from unknown (HELO ?220.125.204.181?) (220.125.204.181)
by post.ziniur.lt with SMTP; 22 Jun 2007 12:17:04 +0300
Received: from [220.125.204.181] (183.178.25.193)
by stasIsaev@serversniff.net with SMTP;
for <gvitkauskasd@ziniur.lt>; Fri, 22 Jun 2007 19:17:22 +0100
MIME-Version: 1.0

None of these sender-IPs belong to serversniff.net's infrastructure. Seems that it's time to drop the catch-all-adress for serversniff.net.

tom

For the records

2007-06-18T11:12:00.001-07:00

For the records: Our update-lag with domainnames is at 443,017 days, and it's increasing. It will continue to increase for some time, for 450 days back was a time where we did bulk-updates: inserting many many new hosts from big lists at once, without to much handling of domains and ips at all. There wasn't too much data or trigger-overhead, and the database was not yet public. I hope to catch up the update-lag to 400 days in about a month and be around 200 days by the end of the 2007. I don't really believe than we can get smaller update-cycles with our current network-bandwidth. But you always have the option to filter outdated records from beeing displayed, regardless if you use serversniff.net, tomdns.net or serversniffs api.

tom

Serversniff deLux

2007-06-17T10:12:00.000-07:00

If you ever wondered what serversniff looks like:

Its located in the attic upstairs from the garage, where it's hot in the summer and cold in the winter. Its made of a cheaposystem with an Athlon 3Something with one Gig RAM and an old Perc2-sc-scsi-controller ripped from a Dell-server and a Proliant-HDD-array from ebay.

I suffered occasional blackouts when lightning stroke, doing damage to the database - so i ordered a brandnew UPS, the small thingy standing right, coming straight from china. We're prepared now.

tom

crazy ideas

2007-06-02T00:54:00.000-07:00

around 500 days ago i had a crazy idea: mapping the net in a database. all domains, all hostnames, all relations of ns- and mx-servers.

i knew a few sites who should have this data but would not really let you look it up - whois.sc and netcraft.com were amongst them. that was all i knew. oh and yes, i knew mysql, i worked with sqlite and microsofts sql-server for years.

i expected this to be an adventure. a textadventure, fun.

and hence, it was fun. the database crashed, servers got blocked, i had errors in my harvesting scripts and i was overwhelmed when i got around 100 million domains with even more hosts at once.

and now i'm sitting on a bunch of data that gets older. my time is limited, my hardware-ressources are as well. data is getting old. i started updating the hostname/IP-entries these days. I should have done this earlyier, i know - but i didn't. time is limited - remember?

a bit frustrating: the "update-lag", the time between the last update of a hostentry is currently exactly at 427,167 days. most frustrating: it's still increasing.

hmpf.

tom

China blocks serversniff.net

2007-05-29T06:21:00.000-07:00

Maybe this is something we shouldn't be proud of: Chinese authorities block serversniff completely at their "great firewall of china" - even a few totally passive vhosts with a few pics and texts sitting on serversniff's ip-address get blocked by chinese censorship.

Check yourself here.

Language-Flags and a new check

2007-05-21T03:49:00.000-07:00

Occasiónally we see english users referring to the german version of Serversniff and vice versa, germans using the english version. Both versions are functionally identic for most of hour language-specific stuff is stored in a language-file. I added a language-button next to the logo - maybe this will help people getting serversniff in a language that fits their needs best.

I can't really say that i had a lazy weekend, but i ended up throwing together another check: DNS-Report will do a few checks on all nameservers that are in charge for a domain. Basically this is a fraction of Scott Perrys great dnsreport.com - but with added zonetransfer-functionallity. We'll add more functionality some day, doing cache-checks and stuff you won't really find on other sites.

tom

New: Filesearch

2007-05-19T23:14:00.000-07:00

It's a sunny sunday and i burned my back yesterday working outside building a wooden house for the kids. Time for an indoor-day and a few words.
We recently released a new script sitting in the webserver-part of serversniffs menu: FILE-SEARCH.
FileSearch is a companion to our FILE-INFO: Imagine you want to see all .DOCs on a webserver and you even want to have a look if there is any interesting stuff hidden in these files.
Have a look at this demo showing DOCs on blogspot-blogs.
This script (ab)uses major search-engines. You scriptkids might end up seeing nothing if you (ab)use it too often searching for sites hosting phpBB-security-holes.

I limited the script to 100 results. Drop me a friendly line if (and why!) you feel that this number is too low for your personal needs and i might tell you the secret switch to increase the max-result-count to googles maximum of 1.000 results.

tom.

New AS-Lookup

2007-05-17T03:56:00.000-07:00

Serversniff offers a new script and API-script doing lookups for the Autonomous-System of an IP or hostname.

Backend for this script is currently team cymrus very fine AS-Lookup - this should be fine unless we see a really huge demand for this. We used to operate a pwhois-like BGP-Parser that offered a bit more information, but the work/requestcount-ratio brought us to drop this service. Finally, we brought it back on using the cymru-backend.

tom

Back to the net

2007-05-10T04:31:00.000-07:00

The database is back, t-offline was kind enough to send a technician fixing the DSL-line. Seems that the DSL-Splitter died. I still think about a colocation in a datacanter for database-machine.
The database is currently readonly. I took the offline-time to do some database-maintenance and found a bad block in a 17GB-sized table.

I'm working to identify the affected rows and will then decide wehter to restore the old backup or restore all but the affected rows.

cheers

tom

Serversnoffline

2007-05-09T02:00:00.000-07:00

Deutsche Telekom is still on strike. No technician yet, day 7 without phone, dsl and internet. Did i mention that i just hate monopolist-companys?

No real wonder, that they are the owners of t-offline.de:

Domain:      t-offline.de
Nserver:     support.mesch.dtag.de
Nserver:     pns.dtag.de
Nserver:     secondary006.dtag.net
Status:      connect
Changed:     2007-03-06T22:35:34+01:00

[Holder]
Type:         ORG
Name:         Deutsche Telekom AG, Domainmanagement
Address:      Friedrich-Ebert-Allee 140
Pcode:        53113
City:         Bonn
Country:      DE
Changed:      2005-06-07T10:29:07+02:00

[Admin-C]
Type:         PERSON
Name:         Marion Schoeberl
Address:      Deutsche Telekom AG, Domainmanagement
Address:      Friedrich-Ebert-Allee 140
Pcode:        53113
City:         Bonn
Country:      DE
Changed:      2004-08-24T10:10:06+02:00

[Tech-C]
Type:         PERSON
Name:         Wolfgang Linke
Organisation: T-Systems CSM GmbH
Address:      Feldstr. 34
Pcode:        59872
City:         Meschede
Country:      DE
Phone:        +49 291 90227 7575
Fax:          +49 291 90227 7609
Email:        domain@mesch.telekom.de
Changed:      2006-01-25T10:52:53+01:00

[Zone-C]
Type:         PERSON
Name:         Wolfgang Linke
Organisation: T-Systems CSM GmbH
Address:      Feldstr. 34
Pcode:        59872
City:         Meschede
Country:      DE
Phone:        +49 291 90227 7575
Fax:          +49 291 90227 7609
Email:        domain@mesch.telekom.de
Changed:      2006-01-25T10:52:53+01:00

Frustrated,

tom

t-offline

2007-05-07T01:35:00.000-07:00

Parts of Serversniff.net are offline. Lightning stroke friday evening.

The Domain-Database and some Utilities are hosted at my attic - a diskarray and a desktop-pc running beteween stored camping-equipment, Skates, old books and old electronics and cables, all connected via DSL, operated by german monopolist-telco Deutsche Telekom.

I live in a rural area with occasional thunderstorms and lightning strikes near my house every now and then. I might have got a bad line: Whenever a lightning strikes near my line, i'm offline. No Phone, no DSL, no Internet. It's dead, Jim.

No, don't even think about Telekom monitoring the lines functionality. You'll have to contact their callcenter - by phone or internet. If you're lucky, you get a nice phone-computer, and after repeating "STÖRUNG" again and again unless the shitty machine understands, you will hear that all lines are busy. I had this Friday, i had this Saturday, i had this Sunday - about a hundred calls, unless i finally got through sunday afternoon.

The phone-computer-odyssee continues: you have to enter your phone-number twice. Again, you have to confirm the number by yelling YESYESYES and you have to confirm the AreaCode by yelling YESYESYES and then you get a nice lady that is able to tell you, yeah, the line is dead ("lady, thats why I am calling!!"), and yeah, she will appoint this to a technician, but , oh well, Deutsche Telekom is on strike. Yeah, Tuesday morning.

It'll be like it was the times before: The technican will replace a fuse in the local switch-unit, call in to say that everything's fine again, and the familiy will have phone and internet again.

I do pay around €100 a month for phone and internet - this is defintely not the service i expect for ~1.000 Bucks a year - but since Telekom is still the only one to provide infrastructure where i live, things will stay like this until i find a place to colocate serversniffs backend for electricity-costs only. If you can offer space (no need for a rack, just around 1 MBit connectivity) you're welcome to drop me a mail at thomas.springer@serversniff.net.

Until then you might experience a few outages during thunderstorm-season in our german summer. If you're annoyed by the outage, please keep in mind: It's a free service.

tom

abuse won't pay

2007-04-27T00:58:00.000-07:00

Dear indian guy,

this is a view on our internal log-display.

You're simply wasting bandwith and router-resources. Yours, and ours.

The requests behind the ABUSE-Lines simply result in an ASCII-Page beeing displayed instead of real results. A(b/m)used,

tom

Automated use...

2007-04-26T11:47:00.000-07:00

It took two years, but now people start to use serversniff.net automated - despite the crazy redirect-mechanism. Some indian guy or gal put effort into doing a script to milk serversniff.net.

I expected this much earlier. Until now we had only very rudimentary abuse-checks to prevent serversniff.net beeing used for a denial of service against a host or a network. Now we tightened our abuse-checks to catch automated use on some scripts.

We encourage automated use of serversniffs functionalities, sites like www.paterva.com do this already - but please guys, talk to us before. We can make stuff easier for you. No need to write crazy perl-scripts or ugly curl-commandlines. We won't bite, really.

tom

Fletcher-Checksums added

2007-03-25T09:27:00.000-07:00

Following a user-request I added fletcher-checksums (8Bit-Fletcher and 16Bit-Fletcher) to http://serversniff.de/crypt-checksum.php.
I couldn't find any ready-to-use implementation, so recoded it in php. for the sake of having a fletcher-implementation in php online:

# 8 bit-fletcher
# codes an 8bit-fletcher-hash out of an
# hexencoded input-string
# consider this code public domain
#
$x="10111214" #hexecoded input-string
$twochunks=str_split($x,2); # split string into chunks
$lastleft=1; $lastright=0; # init
$modulo=65535; # fletcher-modulus
foreach($twochunks as $char)
{
$lastleft=fmod(($lastleft+hexdec($char)),$modulo); #left
$lastright=fmod(($lastright+$lastleft),$modulo); #right
}

$hexright=dechex($lastright); # make a hexval out of the old dec-val
$hexleft=dechex($lastleft); # make a hexval out of the old dec-val
$fletcher8="$hexright"."$hexleft"; # combine the two
print $fletcher8;
exit;

Twisting and Tuning

2007-03-25T08:16:00.000-07:00

We tweaked the ip-info-script: It's working properly with icmp now, while a bug prevented it from workin correctly with icmp. Reinhard tweaked it to add a few flags, but until now i'm not really sure if they do make any sense. We'll see from the log or comments.
We also got rid of the redirect, which seemed to have prevent the page beeing used with konqueror. May there be no more bugs in there...

cheers,

tom

spinnoffs, volume one or "size DOES matter"

2007-03-23T07:31:00.000-07:00

We're currently working on some small serversniff-spinoffs. Very focussed microsites with limited functionality. The first to be launched a few days ago was www.hashcrack.com, a site dedicated to reverse-lookups for several hashtypes.

We know quite a lot of hash-crackers and reverse-lookup-sites - but none of them was the thing we really wanted. Most of them have a limited count of hashes - the biggest we found were >200.000.000 words. There are a few bigger ones supporting crackers like john the ripper or rainbow-tables.

But almost all are limited to MD5-Lookups. Hey guys, it's 2007 and we do it-security. Occasionally i need to reverse other unsalted hashes: MySQL, SHA1 or plain old Windows, be it NTLM or LanMananger. Computingpower and harddrives are cheap - so were working on the ultimate site for database-driven hashlookus, supporting

MD5
SHA1
LanManager
NTLM
MySQL 3
MySQL 4

We were looking for wordlists. We gathered what we could get hold of, threw it together and did a little sorting. We ended up with 250MB of plaintext. We used john the ripper to create a list with all possible character-combinations for 1-4 chars length. Another 410 MB plaintext. I did want more, so i downloaded almost all wikipedia-databases, threw them together in a huge textfile, sorted out very long and very short strings, sorted out some wiki-formatting, sorted out all the millions of dupes and ended up with a gzipped file with a size of 202 MB that we simply call the mother of all wordlists. We're in the process of importing all three lists into our hash database.
Hashcrack.com currently lists 11.000.000 Words with ~ 65.000.000 Hashes on a (nearly) static database for we needed some data to experiment with. When we're finished with creating all those hashes we'll simply upgrade hashcrack.com to far more than 1.000.000.000 known hashes, hoping that it'll be of any use.
We welcome any opinions, comments and listings of your favourite reverse-lookup-sites.

tom

encryption is online again

2007-03-21T07:51:00.000-07:00

our encrypter/decrypter is online again. while reinhard is workin hard to learn cryptography for his ceh-exam he fixed the script and put it online again. thanks reinhard!
reinhard also promised to work on new dns-scripts, too! go boy, go!

and, how nice: spammers read our blog - there were no new requests asking to sell our domainbase to obscure partys during the last week.

cheers,

tom

domainnames for sale....

2007-03-02T02:59:00.000-08:00

we got quite a few requests to sell our domain-database during the last weeks. we continue to refuse almost all of them.

please: don't bother to ask unless you agree to serversniff's terms of use.
don't bother to ask unless you can't prove in any way that you are willing to abide by this terms.

like anyone else having an emailadress we get more than enough email-spam. we're not really interested in domainname-business and SEO (which would better be spelled SESpam) and we do not consider this business to create any added value for internet-security or the internet itself.

maybe i won't make the world any better, but i'll keep tryin not to make it any worse than it already is.

cheers,

tom

Back to "normal" operation

2007-02-21T02:19:00.000-08:00

We're back to normal operation, all tools should work fine now. Still missing are the "Crypt-Decode", Crypt-Encrypt/Decrypt and the Virus-Check.

Crypt-Decode will come back in a few days. Crypt-Encrypt/Decript too. The Virus-Check will be implemented into the new File-Info-Tool we're working on.

We're currently developing new tools and improving old ones.
The crypto- and encoding-Scripts already support a few new Hash/CRC/Encoding-Algorithms, more will follow.
The SSL-Check will soon support even more ciphers, making it the best SSL-Check we know, checking more ciphers and functionality than any other SSL-Check, be it offline or online.
We're currently working on a sort of "decompiler" for unpacking and decompiling a bunch of different formats ranging from macromedia flash (.swf) or Microsofts Winword (including macros and plaintext) to fullblown java-applets.
We consider a bunch of other applications making live of security-guys easier - but we'd love to have your input: can you think of a (not yet available) tool to ease your work? - Drop us a mail or write a comment - we're open to anything.

tom

serversnoffline

2007-02-19T07:26:00.000-08:00

Serversniff was down, and is up again. With a reduced toolset, still. I kicked the old installation in a fit of rage when a bunch of tools failed to compile due to Suse's crazy path-structure.

I always hated Suse, and since years \me refuses to work with any non-debian-system whenever possible. We had to choose Suse for Serversniffs hoster Strato didn't offer anything else a year ago.

Things have changed, Strato offers other distributions. We set up a new system on debian sarge, updated from sid to be more up2date. We did a restore from backup, which worked quite well, despite some upgrade-hassle with mysql (4->5) or some changed network-functionalities or text-output from commandlinetools like ping.

We're still missing the SSL- and the Crypto-Functions, and many API-Functions still fail or behave a bit strange - We will restore these during the next few days - they had to be revamped anyway, so expect more api-functions and public stuff to run a bit smoother when it's all restored. We apologize for any inconvinience.

tom

Showing hidden Meta-Information in DOC, PDF and more than 100 other file-formats

2007-02-15T02:29:00.000-08:00

Did you hear about hidden information in formats like Microsofts .doc?

We did. Yeah. You too. For most of us this is old news. Read here or here, or ask your favourite ~~big brother~~search-engine.
Everybody should know this - but people everywhere, from government to No Such Agencys keep publishing winword-documents on their websites.

During our penetration tests (and during our internal FileInfo-tests) we came across quite many websites with chatty files, especial .doc. We were fed up to explain this again and again and created a nifty little tool to analyze as many file-formats as possible. If you want to give it a beta-try, check by at Serversniffs "FileInfo". Currently this does ONLY files on webservers, this means the file to be checked has to be on some public webserver. Beware: The check is more than slow and supports only files with a size smaller than 1 MB. It also fails on filenames with blanks or %20. It's BETA. Stuff will get better with our next serverupgrade, which will finally kick SuSe-Linux into /dev/nul.

Examples in Winword, containing a bit of hidden information (and no, we won't post any files with hidden text here!)

It's not only winword that is chatty - we also found loads of PDF-files on websites containing Windows-Usernames of the people who created them. This might get dangerous when you are able to determine the user-structure and naming-convention of an organisation. While many pdfs are clean, there seem to a few PDF-Creator-Tools that we found to be vulnerable by default.

Especially Acrobat Distiller puts realnames or Windows-Usernames into the PDFs Meta-Information: (examples: http://www.verfassungsschutz.de/download/SHOW/symp_2006_abstract_pet.pdf or http://www.nsa.gov/publications/publi00010.pdf, both showing usernames in "Author" and "Creator"-Fields.
This seems to be configurable: Google did a better job, see http://www.google.com/ads/techb2b_news.pdf, while Yahoo puts usernames in many files, like this here http://publisher.yahoo.com/rss/RSS_whitePaper1004.pdf.

Feel free to experiment. FileInfo will display internal Meta-Information for more than 100 File-Formats.

Please drop us a mail you're stumbling over something funny or if you just like the tool- we'll do our best trying to fix stuff or add more file-formats and functionality, and we're waiting for any user-input.

tom

The Big Big AXFR

2007-02-14T00:52:00.000-08:00

I like the global AXFRS posted in one of the comments to my previos posting. Have a look at Maximilian Dornseifs well-hidden blogentry at http://blogs.23.nu/disLEXia/stories/10092/ to get an idea on how to automate this. Maximilian missed, that there is a hell of secondary-TLDs like co.uk, ac.uk etc. etc.
He also missed that there are a few real big hosters and providers who return far more entrys than many TLDs.

But all in all this blogentry was one of the reasons to create tomdns.net.

Thanks, Maximilian.

tom

Where do i get domains....

2007-02-13T00:52:00.000-08:00

Dear kids,

I understand completely that you ask me where to download a list of 100.000.000 domains.

I did, and this drove a few GB traffic to a website. Can you imagine what would happen if i'd post any such url here? Boys, i guess you can. So please, have a look at http://johnny.ihackstuff.com/ and try to have fun with our favourite search-engine as well.

Another option: Since most of the URLs listed on the site are .com/.net, you might also get them directly from verisign. The TOS there are roughly the same as the TOS at www.serversniff.net, in fact i derived serversniffs Terms of Service from Versign, for the last what i wanted to do is support f*cking spammers.

Or: Create something on your own. Something to offer, me or the "community". Then come back on me and ask. I'd be happy to support you with a list of domains if you're able to explain what you're workin on. I'd be happy to team up with you if there is any win-win-situation.

If you're working for a company: I'd be happy to support you with hostnames, domainnames or known IP's, filtered by whatever you want, given that you're willing to agree to our ToS. Drop me a mail and I'm quite sure we'll negotiate a reasonable agreement.

Tom

before the flood....

2007-02-05T01:52:00.000-08:00

We are in the process of updating our domain-database: we just started an insert of roughly 150.000.000 hostnames, bringing our db-system to the limit.

We ceased "regular" spidering and updates for a while to catch up with this bulk-data. Currently we run at a rate of about 1.000.000 new domains per day, which we consider not really bad, but still unsatisfying. We are currently testing a NAS-Array running on 6 SCSI-Disks (currently as an experiment - we will invest in more hardware if this proves to be faster than the current system).

thomas

Encryption added

2006-12-22T02:37:00.000-08:00

Its christmas and we are working on extending and finetuning serversniff.net. We added a bunch of encryption-functions recently to check how common ciphers treat your text. While this is not designed to be used in a productive environment, it might be useful to check some other implementation of these ciphers.

Please be aware of possible keylengths and used blockmodes!

We are currently workin with the mcrypt-lib and support AES (Several Modes), Blowfish, CAST, DES, 3DES (TripleDES), GOST, LOKI97, RC2, RC4, Saferplus, Serpent, Twofish, Wake and XTEA.

Expect more Ciphers (and Blockmodes) to come when we gathered some experience with the current set.

tom

Encryption

2006-12-20T10:12:00.000-08:00

We changed our hash-pages and updated stuff:

We do support Hashes (Strings, Files), Checksums (Strings), Several Encodings (Strings) and finally a bunch of cryptographic function. Just have a look at the new "Crypto"-Submenu on serversniff.net.

tom

Yes, we are...

2006-12-06T04:15:00.000-08:00

we got a request to sell serversniff.net. hey, we are bribable. direct your offers to sales@serversniff.net - we'll negotiate all the rest.
If you just find serversniff to be useful or want to implement functions in your website, there is no need to buy the whole stuff. Just drop us a mail to get access to our api-functions. We still don't charge nothing for its use as long as you are using it reasonably.

tom

Finetuning and cleaning up

2006-12-05T03:42:00.000-08:00

We started finetuning serversniff a little bit - fixing the ton of bugs still laying around, adding a bit of sorting or optics here and there or extend the explanations of a few scripts. Switched a few scripts from a generic approach to using serversniff's API - stuff like that. Not really noticable at all, but eating up enough time on our side.
We're dreaming of many many new functions to come - if only time would allow...

Tom

New HTTP-API-Functions

2006-10-26T04:32:00.000-07:00

We updated our HTTP-checks and added new API-Funktions. You can craft your own HTTP-requests now, e.g. do a GET with HTTP 1.0 with or without Host-Header and check the response, either only the HTTP-Servers header-info or the complete file, you can even filter for some special lines e.g. to get only the Server-Header or so.
This check does support servers listening on multiple IPs and is also capable of doing https.
We started implementing this backend to Serversniffs frontend - you might expect more HTTP-Checks based on this backendscript to come.

tom

New Scripts

2006-10-07T07:50:00.000-07:00

The IP-Scripts are coming back.

We are on our way to extend serversniff with some new IP-Scripts. We started today with a simple icmp-ping, that simply sends 4 ICMP-Echo-Requests to a given host.

Additionally, for a simple ping would be quite lame, we implented what we call a "Ping-Row", that sends about 16 ICMP-Echo-Requests with increasing packetsizes. You'll be surprised how many sites allow small pings, while their routers or firewalls sort out the hugeICMP-Packets.

tom

Extending the API

2006-09-25T04:13:00.000-07:00

Our domain-database seems to be up and running: the scripts run very stable, we run a few background-tasks that are feeding the database with around 50.000 new domains per day.

We are working on further extensions of our API in combination with our checkomatik. Although we missed owasp's "automn of code" we are confident that we will release a full-featured version of checkomatik by the end of this year.

While we are using it internally since months, it still lacks a real user-dependent interface, security, translation and, most important, automation.

We got a few steps up the ladder with creating more api-functions, stuff like the "pingrow" or a complete ssl-check.

tom

Domain Kiting - how many hosts fit on one ip?

2006-08-06T12:02:00.000-07:00

Bob Parson wrote in his noteworthy blog about Domain-Kiting - see http://www.bobparsons.com/DomainKiting.html - and i thought it should be possible to identify kited domains easily by querying Serversniff.net's host-database: A kited domain i thought will share its IP with many many other hosts. So i started gathering a list of known ips sorted by the count of known hostnames living on this ip. I ended up with the following list:

Known
Hostnames - IP
---------------------
142643 | 194.159.245.16
132972 | 64.72.112.11
123455 | 127.0.0.1
59117 | 67.108.253.121
46819 | 66.165.220.18
40765 | 213.29.7.212
36617 | 70.84.80.195
34971 | 81.94.227.213
32697 | 219.153.13.42
32415 | 203.36.59.60
31617 | 134.58.241.14
29830 | 66.102.15.101
29142 | 209.163.113.99
27024 | 217.76.128.34
25405 | 70.84.48.227
23997 | 212.227.34.3
22636 | 70.85.132.35
19653 | 209.249.170.10
19553 | 216.200.145.43
19543 | 216.200.145.44
19168 | 209.185.12.47
19036 | 195.117.6.10
18994 | 70.86.121.3
18387 | 66.220.2.7
18311 | 66.220.2.9
17638 | 211.239.151.191
17459 | 61.142.254.216
17360 | 66.98.195.129
17132 | 205.178.189.131
17018 | 203.74.57.13
16961 | 82.208.4.213
16677 | 65.98.98.75
16253 | 70.86.143.154
15815 | 134.58.126.198
15807 | 134.58.126.199
13998 | 209.25.170.64
13952 | 64.202.189.170
13597 | 213.29.7.211
13565 | 217.116.0.144
13142 | 213.21.186.51
13131 | 65.98.98.59
12883 | 213.4.134.161
12711 | 213.239.203.47
12458 | 207.217.96.28
12444 | 207.217.96.29
12439 | 207.217.96.30
12437 | 207.217.96.32
12437 | 207.217.96.31
12436 | 207.217.96.33

So the Hostnames hosted at 127.0.0.1 might not be kited but the rest: the impressive figures for 64.72.112.11 e.g.: 132972 hostnames. Kited? - No, not at all. Whatever host- and domainname we checked on this domain was not kited, not even parked, but operational. It might be a loadbalancer behind - but i find this count of hostnames for one single IP still impressive.

Checking the other hosts we found a lot of parked and not too many kited domains. By explicitly checking known kited domainnames like namenddomain.com we found, that most kited domains live together with parked domain-names on one host - often with as less as 4.000 known hostnames for this special ip. But still: on the named IPs you might (or might not) found a lot of kited domains. If you bring a few minutes of patiences, you might use the "host-on-ip"-function on http://serversniff.net to check these ips for hostnames living there.
Restart your query if you don't get an answer after about a minute - it'll be faster then, for the database has stuff in its cache.

tom

Statistics

2006-07-31T04:23:00.001-07:00

We know:

20.032.470 Hosts
5.357.250 Domains
7.812.218 IPs
224.337 Nameservers
39.914 Mailservers

(We just started with sorting in Mail- and Nameservers - we are sorting in MX- and NS-Records for around 200.000 Domains per Day, so MX- and NS- figures will continue to increase for about 20 to 30 days.)

5 Million Domains

2006-07-26T03:59:00.000-07:00

We cracked the 5-Million-Mark on our domain-database. Serversniff know knows more than 5 million unique domain-names, which should represent around 5 percent of all globally registered domainnames.

We will keep inserting new hosts and domains daily, and the more you look up the more we will know. The update-speed might decrease slightly for we are on the run to update our data with NS- and MX-records. We might finish this in a few months and serversniff will offer many new functions then.

A domainsearch is implemented, a hostnamesearch looking up hosts in our 35-million-hostnames-db will be in place soon - both functions are available via our API only at the moment. Access to our API-services is free, but requires a formless registration - send an EMail to thomas.springer@serversniff.net to get a free personal account.

tom

Unstable Server

2006-07-06T04:30:00.000-07:00

Serversniff doesn't like virtuozzo. You might imagine that we call a lot of backend-programms to let serversniff do it's job. When there are too many background-processes and not enough (shared) RAM, the apache-process is silently dying and can't be restarted, it can't even be killed.

Virtuozzo is nice, but is nothing compared to stuff like VMWare. Providers like virtuozzo, for it make every virtual machine on a host run on only one system-installation, while each vmware-engine has its own os and eats therefore much more ram and hd-space.

We decided that we don't like virtuozzo - so serversniff will (again) move to another server with the old one simply acting as some kind of proxy. while we move we will do some quality assurance and internal updates, it might take a few weeks until everything is moved completely.

tom

hacked

2006-06-20T00:11:00.000-07:00

nice.

serversniff has a bunch of security-holes, and we are watching closely what people are doing here - and really, someone noticed that it was quite easy to get a glimpse of the mysql-log-database.

the evil hacker might have been a scriptkid, for he obviously got acces to the mysql-db, used an unkown (at least to major search-engines) mysql-exploit-script trying to create files on the system. the mysql-db died on the way to his goal.

the attacker created (and then deleted or emptied) several tables in the db mysql:

"SNOWHILL"
"db" - nice - contains all passwords from table "user" in cleartext!
"dat" - used to execute commands on the host
"fm" - contains php-code to upload files and execute commands
local - slightly different from "dat"
sploitdb - slightly different from "dat"
wip3r - slightly different from "dat"

It seems, that the guy used at least 4 slightly different exploits targeting to the same problem.

Better luck next time.

tom

sorting it all in

2006-05-20T11:17:00.000-07:00

we're still importing hosts, this time from zonetransfers from toplevel-domains.
in parallel we're sorting in domains - expect more functions to come.
we crosschecked our data with whois.sc - while we still lack many .com-domains, it seems that we have many hostnames that they don't have.

fixing bugs

2006-05-09T02:15:00.000-07:00

I'm pleased to announce that a simple forum-posting at dnsstuff.com made me finally fix a few bugs in the subdomain-lookup that were resultin from the migration of serversniff to the f*cking virtuozzo-server.

The migration of our Hostname-DB nearly comes to an end - we are around 18 million known hostnames now with around 1 million hosts left in the queue. After this we have a few million hostnames from zonefiles waiting to get in. In parallel we started to build a domain-database, but this will take some time - we are around a million known domains by now, adding around 70.000 new domains each day. Expect more functions to come when we extracted broader data from our database.

And hey, we are still looking for Postgresql/Perl-Geek willing to speed up things here.

tom

News

2006-05-08T00:48:00.000-07:00

I did a few Bugfixes, mostly relating to the fact, that the crazy virtuozzo-system of our shared-server acts silly and resolves nonexisting hostnames as localhost or with it's own ip-number. i had to adjust many errorhandlers to this.

A User noticed some "can't write to log"-errors on the IP-Stack-check. These are noncritical, in fact we don't really need the log anymore for the check does it's job quite well. We'll fix em by removing the detailed-logging that was initally used for debugging-purposes. Please be aware that the IP-Check is sitting on a separate host that is rather slow, for the above mentioned virtuozzo-stuff won't interact with hping2, the programm this check is based upon.

We expanded our API to many with many new serverchecks. We are offering 16 different, configurable checks now - a list is available at http://www.serversniff.de/wiki_en/index.php/API. Send us an E-Mail to get free access to the API. We want to know who's using our resources, but we're still offering all this for free.

We also expanded Serversniffs capabilities and are offering scripts to show HTML-Sourcecode of webpages, HTML-Comments inside webpages, Hyperlinks inside of weppages, Cookies set when visiting a Site and a websites robots.txt.

Have fun and stay secure,

tom