[ale] More on ssl hijacking attempt...
John Wells
jb at sourceillustrated.com
Tue Jun 25 14:02:10 EDT 2002
It happened again. This time, it happened while using the Opera browser
(I was using mozilla yesterday). I have my squirrelmail client
automatically refresh every two minutes, and when I maximized the browser
window the certificate window was already popped up, so I'm assuming it
happened during one of these refreshes.
This is getting annoying. Is there no way I can tell who/what is doing
this? The way I understand it, someone would have to first arpspoof my
machine here at work into thinking he was the router, then dnsspoof my
machine into thinking he was the DNS. That would seem a bit difficult
from the outside world, since I'm on a non-masqed address space behind a
firewall. Does this mean he/it is somehow inside our network? We were
indeed compromised around a month ago...is it possible whoever did it left
a program behind to attempt to hijack ssl sessions?
Or is this in some way related to my home machine?
Thanks for any input...I'm getting frustrated in trying to track this down.
I've attached a screen shot of the certificate verification screen to this
email. I've also added the certificate information contents from the
browser window and my machine's netstat output...
The adsl box in the netstat output is my dsl modem... the
logic.phpwebhosting.com is more interesting, because that is my hosting
provider for another site I have. However, I haven't accessed anything on
that box today...
Detail from certificate screen:
https://myemailbox.homelinux.org/qs/src/left_main.php
Connection : TLS v1.0 128 bit C4 (RSA/SHA)
Certificate version: 1
Serial number: 0
Not valid before: Dec 5 23:15:33 2001 GMT
Not valid after: Dec 5 23:15:33 2002 GMT
Fingerprint: 72 85 3E 10 16 F4 06 62 ED C6 D6 35 67 15 DB F6
Public key algorithm:rsaEncryption
Public-Key (1024 bit):
Modulus:
Exponent:
01 00 01
Signature algorithm: md5WithRSAEncryption
$ netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:32768 *:* LISTEN
tcp 0 0 jbw-p1000.synergi:32769 *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:x11 *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 jbw-p1000.synergis:smtp *:* LISTEN
tcp 0 0 jbw-p1000.ata.am.:33650 adsl-17-115-187.a:https ESTABLISHED
tcp 106456 0 jbw-p1000.ata.am.:33089 logic.phpwebhostin:http ESTABLISHED
tcp 0 0 jbw-p1000.ata.am.:33715 207.153.203.114:http TIME_WAIT
tcp 0 0 jbw-p1000.ata.am.:33716 207.153.203.114:http TIME_WAIT
udp 0 0 *:32768 *:*
udp 0 0 *:sunrpc *:*
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
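The post reasons that a hijack of this kind would need the attacker to first arpspoof the workstation into treating his machine as the router (and then as the DNS). One defensive check for exactly that is to compare the local ARP cache against a pinned, known-good gateway MAC and to look for one MAC answering for several addresses. The script below is an added example, not code from the post or from the ALE list; it assumes Linux net-tools `arp -an` output, and the gateway address, pinned MAC and the cache snapshot are constructed sample values.

```python
import re
from collections import defaultdict

# Constructed sample in `arp -an` format (Linux net-tools); not from the post.
# Here one MAC answers for both the gateway (.1) and the DNS server (.53).
SAMPLE_ARP = """\
? (10.1.2.1) at 00:0A:42:1F:9C:01 [ether] on eth0
? (10.1.2.53) at 00:0A:42:1F:9C:01 [ether] on eth0
? (10.1.2.77) at 00:50:56:C0:00:08 [ether] on eth0
"""

# Assumed pinned values: the gateway IP and the MAC it had when the LAN was known-good.
GATEWAY_IP = "10.1.2.1"
KNOWN_GATEWAY_MAC = "00:0a:42:aa:bb:cc"

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17})")


def parse_arp(text):
    """Return {ip: mac} from `arp -an` output; incomplete entries (no MAC) are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_findings(text, gateway_ip=GATEWAY_IP, known_gateway_mac=KNOWN_GATEWAY_MAC):
    """Flag the two signs of ARP spoofing the post describes: the gateway now
    answering from an unexpected MAC, and a single MAC claiming several IPs.
    A duplicate MAC can be legitimate (a router holding several addresses),
    so treat the second finding as a lead to verify, not proof."""
    table = parse_arp(text)
    findings = []
    gw_mac = table.get(gateway_ip)
    if gw_mac and gw_mac != known_gateway_mac.lower():
        findings.append(f"gateway {gateway_ip} MAC changed: {known_gateway_mac.lower()} -> {gw_mac}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(f"MAC {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return findings


if __name__ == "__main__":
    for finding in arp_findings(SAMPLE_ARP):
        print("ALERT:", finding)
```

Run it against a live snapshot with `arp -an | python3 arpcheck.py`-style piping after replacing `SAMPLE_ARP` with `sys.stdin.read()`; a changed gateway MAC that reverts when the cache is flushed is the classic sign of an active spoofer on the segment.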