[ale] More on ssl hijacking attempt...

John Wells jb at sourceillustrated.com
Tue Jun 25 14:02:10 EDT 2002


It happened again.  This time, it happened while using the Opera browser
(I was using mozilla yesterday).  I have my squirrelmail client
automatically refresh every two minutes, and when I maximized the browser
window the certificate window was already popped up, so I'm assuming it
happened during one of these refreshes.

This is getting annoying.  Is there no way I can tell who/what is doing
this?  The way I understand it, someone would have to first arpspoof my
machine here at work into thinking he was the router, then dnsspoof my
machine into thinking he was the DNS.  That would seem a bit difficult
from the outside world, since I'm on a non-masqed address space behind a
firewall.  Does this mean he/it is somehow inside our network?  We were
indeed compromised around a month ago...is it possible whoever did it left
a program behind to attempt to hijack ssl sessions?

Or is this in someway related to my home machine?

Thanks for any input...I'm getting frustrated in trying to track this down.

I've attached a screen shot of the certificate verification screen to this
email.  I've also added the certificate information contents from the
browser window and my machine's netstat output...

The adsl box in the netstat output is my dsl modem...the
logic.phpwebhosting.com entry is more interesting, because that is my hosting
provider for another site I have.  However, I haven't accessed anything on
that box today...

Detail from certificate screen:

https://myemailbox.homelinux.org/qs/src/left_main.php

Connection : TLS v1.0   128 bit C4 (RSA/SHA)

Certificate version: 1
Serial number: 0
Not valid before: Dec  5 23:15:33 2001 GMT
Not valid after: Dec  5 23:15:33 2002 GMT
Fingerprint: 72 85 3E 10 16 F4 06 62 ED C6 D6 35 67 15 DB F6
Public key algorithm: rsaEncryption
  Public-Key (1024 bit):
  Modulus:
    (128-byte modulus hex dump omitted)
  Exponent: 01 00 01
Signature algorithm: md5WithRSAEncryption
    (128-byte signature hex dump omitted)

$ netstat -a

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:32768                 *:*                     LISTEN
tcp        0      0 jbw-p1000.synergi:32769 *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
tcp        0      0 *:ssh                   *:*                     LISTEN
tcp        0      0 jbw-p1000.synergis:smtp *:*                     LISTEN
tcp        0      0 jbw-p1000.ata.am.:33650 adsl-17-115-187.a:https ESTABLISHED
tcp   106456      0 jbw-p1000.ata.am.:33089 logic.phpwebhostin:http ESTABLISHED
tcp        0      0 jbw-p1000.ata.am.:33715 207.153.203.114:http    TIME_WAIT
tcp        0      0 jbw-p1000.ata.am.:33716 207.153.203.114:http    TIME_WAIT
udp        0      0 *:32768                 *:*
udp        0      0 *:sunrpc                *:*



 verysign.jpg
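The message above reasons that a hijacker on the LAN would first have to arpspoof the workstation into treating the attacker's box as the router. One way a defender can check for that from the workstation itself is to read the local ARP cache and look for the two classic symptoms: the gateway's MAC address changing from a known-good value, and one MAC address answering for several IPs. The script below is an added example, not code from the original mail or from the ALE list; the ARP table text, IP addresses, MAC addresses and KNOWN_GATEWAY value are constructed for illustration.

```python
"""Check a Linux ARP cache (/proc/net/arp format) for signs of ARP spoofing."""
from collections import defaultdict

# Constructed sample in /proc/net/arp format (not from the original mail).
# 10.0.0.1 is the default gateway; 10.0.0.77 has claimed the same MAC.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         00:11:22:33:44:55     *        eth0
10.0.0.23        0x1         0x2         00:aa:bb:cc:dd:01     *        eth0
10.0.0.77        0x1         0x2         00:11:22:33:44:55     *        eth0
"""

# Hypothetical known-good gateway MAC, recorded while the network was trusted.
KNOWN_GATEWAY = ("10.0.0.1", "00:de:ad:be:ef:01")


def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp text, skipping the header and incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4:
            continue
        ip, flags, mac = fields[0], fields[2], fields[3].lower()
        # Flag bit 0x2 is ATF_COM (entry complete); unresolved entries carry 0x0.
        if int(flags, 16) & 0x2:
            table[ip] = mac
    return table


def arp_anomalies(table, known_gateway):
    """Return a list of human-readable findings that merit investigation."""
    findings = []
    gw_ip, gw_mac = known_gateway
    seen = table.get(gw_ip)
    if seen is not None and seen != gw_mac.lower():
        findings.append(f"gateway {gw_ip} now resolves to {seen}, expected {gw_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in arp_anomalies(parse_arp_table(SAMPLE_ARP), KNOWN_GATEWAY):
        print("WARNING:", finding)
```

On a live Linux host, pass the contents of /proc/net/arp to parse_arp_table instead of the sample; the check is silent when the gateway MAC matches and no MAC is shared.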

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
