

Showing posts from December, 2016

Joined #TOKUGAWA

The first track-back (reversal) I did was on some Japanese hackers who staged out of South America. Here's an excerpt from the log of the server they attacked:

200.165.33.242 - - [18/Jun/2006:19:16:50 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 51
200.165.33.242 - - [18/Jun/2006:20:32:28 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 62
200.165.33.242 - - [18/Jun/2006:20:32:34 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6568
200.165.33.242 - - [18/Jun/2006:20:33:04 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:08 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6564
200.165.33.242 - - [18/Jun/2006:20:33:14 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.242 - - [18/Jun/2006:20:33:19 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 6574
200.165.33.242 - - [18/Jun/2006:20:33:25 -0500] "GET /cgi-bin/ikonboard.cgi HTTP/1.1" 200 34
200.165.33.24…

Guesswork

Dear Mr. Perez, the CIA does not engage in "guesswork." To say on national news (CNN 12/12/2016, 12:02PM Pacific, COX channel 1031) that the CIA used "guesswork" to conclude that "Russians" were engaged in cyber-espionage to influence our electoral process is insulting to an army of people who have dedicated their lives to protecting your right to say that they are engaged in "guesswork."

This national concern with the FBI and CIA and their "counter" analysis of the cyber activity around the DNC/RNC "hacking" is a clear show of how the American public has lost trust in its intelligence community. I wonder when the mistrust of these organizations started. Could it be the way in which Hollywood has depicted them? I can't remember the last movie I saw where FBI cyber operations were portrayed in a positive manner.

The FBI investigates crime. For crime to happen there has to be a victim. You could argue "liberty" and &…

Tyrannosaurus 'rex'

Today I discovered rex. This is the regular expression extract command for Splunk. As I stared at these syslog records I wondered, how can I get the IP addresses out of that shiznit? rex was the answer.

A simple rex for a WatchGuard log to get the allow/deny on a report (the capture group has to be named; "action" here is just the name of the field the extracted value lands in, pick whatever you like):

[the search] | rex field=_raw "(?<action>Allow|Deny)"

Yes, that's a pipe, because you are piping the results through rex. Splunk just gets more and more fantastic.

Alas, I am at 82% of my license. I'm going to have to fork over another G-note to expand my collection. It's worth it because I love to bask in the orgy of denial.

Chrome and Google DNS

You should lock down your DNS. No machine should be calling out directly to upstream DNS. You should set up a local DNS relay so that all DNS goes through it, and that one machine can then relay upstream to the ISP DNS.

That said, you may find one day that your box is calling out to DNS on 8.8.8.8 or 8.8.4.4. A quick ARIN lookup on those and you see it's Google. Turns out, if you are using Chrome, then you will see these DNS requests appear in your logs.

Chrome calls up to 8.8.8.8 and 8.8.4.4 to check "internet" health. If it can't get a connection to those IP addresses then it boldly proclaims there is no internet connection.
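Added example, not from the blog: the rex-style Allow/Deny extraction from the Splunk post and the DNS lockdown check from this post, done in Python over constructed WatchGuard-like syslog lines. The field layout, hostnames and addresses are assumptions, and 192.168.1.53 is assumed to be the local DNS relay that is the only host allowed to talk to 8.8.8.8 and 8.8.4.4.

```python
import re
from ipaddress import ip_address

# Constructed sample records in a WatchGuard-like syslog style (not real device output).
SAMPLE_LOGS = """\
Dec 12 10:01:02 fw1 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External udp 192.168.1.53 8.8.8.8 51234 53 (DNS-00)
Dec 12 10:01:05 fw1 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External tcp 192.168.1.20 93.184.216.34 49152 443 (HTTPS-00)
Dec 12 10:01:09 fw1 firewall: msg_id="3000-0148" Deny 1-Trusted 0-External udp 192.168.1.20 8.8.4.4 54321 53 (Unhandled)
Dec 12 10:01:11 fw1 firewall: msg_id="3000-0148" Allow 1-Trusted 0-External udp 192.168.1.77 8.8.8.8 40000 53 (DNS-00)
"""

# Same idea as `rex field=_raw "(?<action>Allow|Deny)"`, extended with the
# protocol, IP and port fields the syslog post wanted to pull out.
RECORD_RE = re.compile(
    r'(?P<action>Allow|Deny)\s+\S+\s+\S+\s+(?P<proto>tcp|udp)\s+'
    r'(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})\s+'
    r'(?P<src_port>\d+)\s+(?P<dst_port>\d+)'
)

GOOGLE_DNS = {"8.8.8.8", "8.8.4.4"}  # the resolvers Chrome is observed probing


def extract_fields(lines):
    """Yield one dict per matching line, the way rex adds fields to each event."""
    for line in lines.splitlines():
        m = RECORD_RE.search(line)
        if m:
            yield m.groupdict()


def count_actions(lines):
    """Allow/Deny totals, i.e. the numbers behind the report."""
    counts = {"Allow": 0, "Deny": 0}
    for rec in extract_fields(lines):
        counts[rec["action"]] += 1
    return counts


def stray_dns_clients(lines, relay_ip):
    """Hosts other than the local relay sending DNS (port 53) straight to Google DNS."""
    offenders = set()
    for rec in extract_fields(lines):
        if rec["dst_port"] == "53" and rec["dst_ip"] in GOOGLE_DNS and rec["src_ip"] != relay_ip:
            offenders.add(rec["src_ip"])
    return sorted(offenders, key=ip_address)


if __name__ == "__main__":
    print(count_actions(SAMPLE_LOGS))                      # {'Allow': 3, 'Deny': 1}
    print(stray_dns_clients(SAMPLE_LOGS, "192.168.1.53"))  # ['192.168.1.20', '192.168.1.77']
```

Hosts listed by stray_dns_clients are the ones bypassing the relay; on a locked-down network that list is the Chrome boxes (or something else worth a look).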