Skip to content or view screen version

indy spys no reply

Dingo | 19.02.2007 22:27

repost

Indymedia Spying

Dingo | 02.02.2007 13:15
Firewall logs Indymedia portscan



My firewall is set for stealth.On the Shieldsup website this computer does not exist on the web.For Indymedia to scan it they must have had the IP address.But they say they don't keep them.Explain this Indymedia?See attached screen grab.

Dingo
Comments

Hide the following 29 comments
Want to know more?

02.02.2007 14:11
e mail  worldwarfree@riseup.net of course they trace your isp have been doing for a while watch this post be hidden ill bookmark and will re post come on indy why are the sooks in charge of our media time to out and name them do you not think.

Mark Mozaz Wallis.

Mark Mozaz Wallis
mail e-mail:  worldwarfree@riseup.net
i'm out of here

02.02.2007 15:17
shitheads

Fuck em
caveat emptor

02.02.2007 15:18
Buyer beware ... first, most servers today automatically log all user IPs, get over it if you believe what you read! Second so-called portscan alerts are common fare on MS firewalls.

Due to the high level of spamming, intentional or otherwise Indy servers has been logging everyone's details for a while -- caveat emptor, buyer beware -- the responsibility is yours; stop it at your end disable ICMP codes and responses etc and make your system invsible on the net -- further to that you can spoof a number of IPs that are not yours to confuse loggers. The FBI have been busy on the net of late too -- all illegal i might add -- but what isn't these day, Oil war anyone?

Note, the above Upper case "Dingo" is not to be confused with or mistaken for the lower case 'dingo', who happens to be an associate.

happy surfing lamers -- anyone who uses Windows deserves to be hacked.

PS It is about time that Indy came clean with logging -- we've known it for ages -- the internet sword cuts both ways!

wild dog
Silly hobbit

02.02.2007 15:20
Err there's nowhere near enough information there for anyone to accuse indymedia of anything.

All I see is that your firewall blocked a single packet from an indymedia server. That's certainly not suggestive of anything particularly untoward. Your screenshot doesn't even show which TCP port was plinked, which might have given someone a small clue as to what was going on.

It could easily be that the packet hit your server as part of the normal network traffic (like those security certificates, for example) when you were browsing indymedia, but your firewall policies were just overly restrictive.

Or it could just as easily be that you quit your web browser while indymedia was still sending you a packet, causing your software firewall to think that there was no trusted application to receive it and therefore this single packet got blocked and listed as such.

My router blocks hundreds of packets every day, just purely from normal internet usage, most of which are perfectly benign, and even the malicious packets are mostly harmless.

There's nothing here that suggests anyone is trying to hack you. There's nothing here that suggests that indymedia is keeping logs. There's nothing here that looks anything like a portscan. Most of the portscans I receive are perfectly benign anyways, from IRC servers or ISPs checking to make sure I'm not running open mail proxies.

There's a term that ISPs use for people like you: GWF. 'Goober With Firewall'. Try learning about how the net works before making yourself look foolish by bandying about lurid and unsubstantiated accusations, in future.

Aim Here
comes out their gobs

02.02.2007 15:53
sounds like a defensive stand spook

Hobbitshit
Port numbers

02.02.2007 16:19


quite persistent as well

Digger
it should read spooks.

02.02.2007 16:32
Silly hobbit we have proven time again that indy track isp and i think they should to be frank and should go like here  http://scotland.indymedia.org/ you will see you have Add a new comment you have to do an anti spam ie Enter the following number into the box example  http://scotland.indymedia.org/newswire/display/3720/index.php why do i say this?

indy has been taken over by spooks and the far right and in these orwellian times would it not be cool
that this slogan (pointless at the momenet) A network of individuals, independent and alternative media activists and organisations, offering grassroots, non-corporate, non-commercial coverage of important social and political issues. was true of course it is not do you not think indy should come clean i know mir the program for here and will be frank the way it is used at present is only to aid the spooks and let the far right use here for propaganda and why would that be, to divide and rule.is Mark Mozaz Wallis talking shit? e mail me i'll give you more info and you decide.

Mark Mozaz Wallis
mail e-mail:  worldwarfree@riseup.net
"Aim" is correct but evasive

02.02.2007 16:32
agreed, nothing worse than a MS lamer with a firewall package who knows jack about network theory .. however, you have also evaded the issue of indy logging its arse off lately .. actually its amusing to think that people are frightened of posting to Indy sites ... they are quite tame -- especially when the mods censor half the content like that twit at Portland IMC .. what a dickhead power tripper he turned out to be ,,, not to mention NYC and Seattle.

But we'll stick with the issue of logging for now! Come clean and there's no need to poop pants kiddies ... a number of cases have already been lost due to the existence of 'zombies', 'bots' and the impossibility of proving the owner of the computer actually sent the msg ... impossible!!

wild dog
Blueyonder at it too

02.02.2007 16:38
My gosh, looks like your Blueyonder mail server is trying to hack you too, and Google! I suggest you disconnect from the internet and don't come back - somebody's obviously out to get you.

Stephen
tuppence

02.02.2007 17:25
Okay, I didn't want to join in this debate. We seem to be divided between people who'd regard this as genuine and people who regard this as serious. I'd be in the camp that if this is genuine then this is serious. I know sites like Google and Blueyonder host ad's that'll trigger a port-scan. IM doesn't. So why the hit ? I've never had one.

1) It is a fictitious, malevolent graphic - but dingo has posted lot's under that name. Has dingo posted anything controversial or personal lately ? Not that I can see.

2) It is a stray volunteer playing around with IP addresses. Although they claim not to record IP addresses anyone technical on a server when a post comes in can check the IP address of the post at the time. If this is the case then the volunteer should be given a good beating as even innocently they are risking the good reputation of the site.

3) It is a private company or the security services masquerading as IM. This sort of thing happens and is the most likely explanation. There isn't enough informaion in the graphic to properly identify IM even if it is true. Numbers are needed.

Further, I know from personal experience that IM is safe to post on. I've admitted crimes here and never been done for them. I'm guessing 3.

dp
Safe oh yes and one is paranoied then?

02.02.2007 18:20
Come on dp you know as much as i do and more and you know imc state there is no trace of isp logs etc but we know it to be also bullshit come clean please do not defend the spooks on here who are the admin and fucking up a good project that once was indymedia it is not safe to post here other than comments such as this m15 have enough on me so this will just feed them more hence using me real name and so fourth nothing to hide but a lot to declaire how i hate the present order why i do do demos outside of the north they have evry reson to watch me because i have every reason to desire a better world and ris us all of this new world order parnoid yes right but for good reason.

Mark Mozaz Wallis.

Mark Mozaz Wallis
mail e-mail:  worldwarfree@riseup.net
Mark

02.02.2007 19:13
I have called for assasinations here and posted addresses and had no come back. And the posts incriminating myself weren't even hidden. I know - like you know - that there are spooks that post disinformation here and even 'get involved' check out the 'Con Coughlin' thread at the foot of this page. Don't give them too much credit though, they are idiots ( although publishing your name probably wasn't a good idea, even idiots get lucky ).

Dingo hasn't published enough technical info to identify IM as the culprit in this case. Now if he can provide an IP or MAC address and get someone we all trust to verify it, then we'd have to assume IM has at least one admin who is an infiltrator or an idiot. It wouldn't be too surprising that this place is targetted. I know two idiots who have IM admin rights but they aren't spies. You claim to know one IM spy and having met the guy, you could well be right, he certainly blew a stunt of mine by mouthing off too much. That doesn't mean the whole world-wide group is to blame or should be distrusted.

My main point, have you been arrested cause of anything you've said here ? Has anyone ? If not, and unless Dingo can provide better info, I'd still declare this site safer than anywhere else.

Don't declare yourself paranoid Mark, leave that to your enemies. Just be even more careful. Keep yourself out of jail, keep yourself active, and don't let the bastards grind you down.

pd
I'm no computer expert.

02.02.2007 19:38
my firewall is the default setup from when it got put on for me.If anyone can tell me what i should use to get more info i'll be only too happy to do it.

Dingo
IMCistas

02.02.2007 19:38
I know we are bad mouthing you but I think you should remove Marks name from his post. He had no need to post it and no good can come from it. I appreciate you have no 'delete' button and missing posts were simply 'time-delayed' between the visible and hidden threads, but you've also proved you can edit posts to remove names when necessary. Mark will call me a patronising bastard but I think this is one of those times. Do this for me and I'll send you £20 on Monday. And can some techie check out Dingos claims ?

dp
Dingo,

02.02.2007 19:53
For a start, show the whole of the IP address in your graphic, it is partially obscured.

Secondly, IP addresses can be faked, it's called spoofing, so try and find more info on it and look out for other occurences in your log. Your computer has utilities called ARP and IPConfig built in. If you don't know how to use them, well, they are a bit complex and I'm really not in a state to train you, but search on them, they provide useful data. Don't print it here though. If you want to take a risk, then email me on movementof2 at yahoo.com and I'll look at it tommorow, but chances are you know some computer techie that you trust, ask them before trusting me.
I hate it when strangers trust me. And if you don't know about ARP then you should bite your tongue bfore identifying any person or group - do any techies disagree ?

PS Lots of people hate your firewall (  http://www.computergripes.com/keriofirewall.html)- consider getting a better one and if you have a spare PC then use it as a standalone firewall. I'd recommend this -  http://sourceforge.net/projects/ipcop - but I don't use it and wouldn't recommend or talk about the one I do in public.

dp
Thats how the ip shows

02.02.2007 20:10
but heres the full number 208.99.202.124

Dingo
Thanks DP

02.02.2007 20:19
for the e mail we know we are right and imc people this fool is fucking up a good thing for us all one is also sure here is safe much of the time and as said no problem in you tracking isp,s but come out and say so.

but then it could be said fool as DP has said and we have had the misfortune in meeting them what a wanaker they are indeed why the fuck is this person with admin rights even though the prove is mounting there still here.

i have used my real name to show i have nothing to hide though you have my comments on other post keep being hid do you think one is alone on this?

make sure you know what the fuck you are talking about befor you comment and this time i have just this not one comment should be hidden names removed etc just a reply will do.

i do respect much of the imc admin people but this wanker is fucking shit up big time along with the use of here by the far right for there propaganda.

act now.

Mark Mozaz Wallis
mail e-mail:  worldwarfree@riseup.net
Odd, but I don't use Windoze...

02.02.2007 21:13
The Indymedia publishing server (traven.indymedia.org) is running debian, the primary, community, free (as in freedom), Linux OS, it's running a free (as in GPL'ed) CMS, Mir -- the code to all this is open, if you don't trust it then READ IT and please tell us about any security holes you find.

The server is colocated with the Seattle Community Colo,  http://www.seaccp.org/ where a lot (perhaps too much) activist hardware is colocated -- it's sponsored by Riseup, we know them and trust them, they know us and trust us.

The server is managed by long term, and trusted activists, it does have nmap installed but the suggestion that the sysadmins would use it to port scan users is absurd (and even if they wanted to do, which they don't, they would be a bit more clever about how they did it, they are not stupid).

Apache is set up to not log IP's, I just checked the logs, and, of course there are no IP's there, this is an issue that IMC techies do take seriously because the state keeps taking our servers to get access to the logs, so these are the methods that are used to ensure that there are no IP's in the apache logs:

 https://docs.indymedia.org/view/Sysadmin/ApacheLogsWithoutIPs

In additon all publishing is done via HTTPS and the cert is on an encrypted partition so if someone did sniff all the traffic for a period and then take the server with the idea of getting the private key to decrypt all the traffic they have logged they would be dissapointed -- they couldn't access the private key without the key to decrypt the partition that it's on and of course the key isn't on the server, it's encrypted on encrypted disks of trusted techies... And we are not being paranoid by taking measures like this -- the Italian state has done this.

In terms of the specific accusation here, what port do you think was scanned? This isn't clear from you screen shots. Also, I haven't used Windoze for years and know nothing about this software so it's hard to comment, but I can think of three possibilities:

1. It's some kind of false alarm, you seem to be using software you don't fully understand on an OS that can't be trusted.

2. Some 3rd party did port scan you and spoofed the Indymedia IP.

3. One of the people with root on the server (you need root to read what IP's are connected at any time, this info isn't logged and it's unaviodable that the server knows your IP's -- how else could it send you pages...!?) ran a port scan against you.

The second possibility above seems really unlikley, but who knows, the third is well beyond the relm of possibilities.

My suggestion to you is to start using Tor, then you will never have a direct connection with any server you are requesting web pages from:

 http://tor.eff.org/

More info on this on the security page, which is linked to from all pages...

 https://www.indymedia.org.uk/en/static/security.html

root
root ?! ROOT ?

02.02.2007 22:45
Okay, first, thanks for responding. Most often websites bury this sort of thing. Which is why we don't post there.

Can you safetly confirm 208.99.202.124 is an address you use ? Can you confirm any outgoing traffic at that time ?

Your post just woke me up. I hav coffee in my hand. Lets not jump to the default computer position of 'blame the user'. Unlike you I know Microshaft quite well, I'm an MCSE. I also have 20 years UNIX experience. So talk to me and not to my hand. You seem competent, that's meant to be a compliment. So lets run with your options.

"1. It's some kind of false alarm, you seem to be using software you don't fully understand on an OS that can't be trusted."

I'd guess Dingo wouldn't be too offended by such a suggestion. But if the IP addresss is right ? Are you suggesting a set-up to incriminate an admin ? That'd sem to trust to Dingo noticing it which was unlikely.

"2. Some 3rd party did port scan you and spoofed the Indymedia IP."

Okay, the malicious remote spook scenario. That is still pretty serious though isn't it ? That does have implications. Third parties spying upon us ? A virus on his PC or serious infringements of his privacy ?

"3. One of the people with root on the server (you need root to read what IP's are connected at any time, this info isn't logged and it's unaviodable that the server knows your IP's -- how else could it send you pages...!?) ran a port scan against you. "

I don't know what guidelines are passed out to IM volunteers but I'd rate this scenario as worst case. An IM volunteer with the root password ran a port scan on a contributer ? Can you think of any credible reason that they would ? Doesn't the fact that you can speculate about this happening justify some sort of crisis meeting in IM ?


Again, I'd choose option three as the most likely.

Why would an admin scan a user ? Why would you even admit such a thing could have occurred ? Don't you have procedures to prevent that ? Disable the relevant functions ! Number three does imply an infiltrator doesn't it ?

I don't know your name, and I don't know what just occurred, but you seem rational and honest. I for one am asking you personally to investigate this fully, check whatever logs you have and check whatever people had root access at the time. I'd suggest you hide this entire thread until you have answers, and I'd like to be informed of what those answers are the address I previously mentioned.

YOU CANNOT EVER PORT-SCAN YOUR CONTRIBUTORS ! - Agreed ?

Sure, it could have been scanned remotely. But unless you prove that is the only option then the users here have every right to be fearful, which mans silent.

I'd suggest you have a face-to-face meeting with Dingo and check out his PC if the IP matches, and if he/she is happy with that. I'd suggest Dingo has a third party techie present.


Escalate or defuse this now.


Dingo, you seem to have stumbled upon something important. If you want a techie on your side and don't know any others, email me. You'd be better off with the best geek at your local uni though.

By the fucking way, nobody should have the root password. Nobody. It should be locked down in a safe and forgotten. You don't seriously hand that out to everyone who 'seems okay' do you ? Oh fuck. Okay, I saw your ad looking for volunteers, so who needs a UNIX 101 ?

dp
Hmm...

02.02.2007 23:16
You are right, I don't have root, I have full sudo access like some other trusted techies who need access.

"Can you safetly confirm 208.99.202.124 is an address you use ?"

You didn't think to construct a URL like this?

 http://208.99.202.124/

Senario 3 is as far fetched as anything I can think of, it was only put in so that all possibilities I could think of were listed, none of the techies would do such a thing and according to auth.log nobody was logged into the machine at the times above apart from me.

In any case what would the point of port scanning users be?

If you want to find out their OS you can do thing using passive tools, but most users don't hack their User-Agent strings in any case so there is no need to do anything fancy to see what OS is being used, but why would we and why would we care?

Dingo -- has anyother web site you have ever visited tried to "hack" you or is it just the UK IMC publishing server that keeps attacking you?

sudo'er
Only

02.02.2007 23:40
other is google and only once.But Traven.indy was persistent

Dingo
What ports?

03.02.2007 00:31
What ports were scanned? What packets were sent?

The only ports the server will send you data on are the standard HTTP ports, 80 and 443, and then only after you request it -- there is no need to open these ports on your firewall since no traffic would be sent by Apache unless it's requested by you.

Why don't you install Wireshark:

 http://www.wireshark.org/

And capature the packets that you are concerned about and post them here?

I also suggest you start using Firefox if you are not already and start using Tor.

sudo
Sudo can equate to root

03.02.2007 00:44
"Senario 3 is as far fetched as anything I can think of, it was only put in so that all possibilities I could think of were listed, none of the techies would do such a thing and according to auth.log nobody was logged into the machine at the times above apart from me."

Sorry was watching 'Ugly Betty ' and beating my mum at Scrabble for money. Proof there is always someone sadder than you. Let's start here :

"none of the techies would do such a thing"

Yeah, I hope not. Suppositions like that are why I'd suggest you take this entire thread off the visible wire except to contact Dingo. I'm still backing the third-person/org scenario but according to Dingo someone port-scanned him. Maybe he is a liar, probably someone else spoofed you, but until you take this seriously I suggest you take it off the wire. You have my email address, get Dingos too. Dingo, make up a new email address and post it here.

"In any case what would the point of port scanning users be? "

Identity theft ? Personal grudge ? God knows. All sorts of reasons. Mild curiousity. It doesn't matter the reason, you said yourself it shouldn't happen. If you are the only techie on board at this point in time them you have to deal with it. Listen, I'm sorry, I do empathise, when I was doing your job for a corporate employer I was earning serious money for the same responsibility, probably less responsibility since I didn't care for my employer. Now I'm poorer than a church mouse and happier than anyone, not a care in the world. This is why I have never volunteered for IM. But Bud, you are left holding the can tonight / this weekend.
If you can't sort Dingo's concern on your own then at least flash it up to your compadres and consider hiding this until Dingo has responded to you. This isn't a minor problem - reputation is everything. Phone people tonight.

I have no fucking idea why anyone genuine at IM would port-scan him. I have no idea if he is a genuine person who was genuinely port-scanned, this could all be a set-up to discredit you. What would discredit you equally is if you don't take this seriously. If someone alleges a security breach on a site like this it is important to more people than just the IMCistas. And it is fairly important to confidence that you hide ths article until you personally know. If you are the only techie who could scan him, and if you can't refute he was scanned, do the decent thing, wake someone up to take over from you.

I mean no offence, that's just what happens in high-security corporate support systems. And if you doubt me, feel free to scan me or ask for an eyeball, I'm only offering you 'business' advice.

dp
Dingo

03.02.2007 00:52
Make up an email address and email these people directly. You have made a serious report that could be damaging. Don't turn off your PC tonight, just remove the network cable.

dp
Please raise this on imc-uk-tech

03.02.2007 08:53
This is not news, please raise this issue on the tech list:  http://lists.indymedia.org/imc-uk-tech

techie
Nothing to see here, move along.

03.02.2007 09:54
Sorry, Dingo, I got my own email address wrong, which has to tell you you can surely find better techies for advice than me. movementof2 at yahoo.co.uk Try Start/Run/Cmd and then Arp -a - does the IM address appear ? Either contact the list above or publish a new email address since this is fairly serious.

Sudo, an allegation IM or someone pretending to be IM scanned, fingered or pinged a user is big news to me, not just a minor techie quibble. I think you'd have to investigate this and let us know the score. I know you probably haven't hidden this thread so you don't get accused of a cover-up, but you really should. Not that it's not news, just that it is damaging. You can justify hiding this since you've been requested to by me or by following your 'not news' guideline.

dp
Sigh. Give us a well-formed portscanning allegation

03.02.2007 10:11
Good god, save us from paranoids and computer illiterates and computer-illiterate paranoids.

Until this goober with firewall can actually learn enough about his own software to compile a list of what ports were scanned (you'd think that would be an essential part of any portscan allegation, yes?) then these allegations are still utterly worthless, and the most likely explanation is still the most benign, that this guy's firewall is dropping entirely innocent packets.

Now when there's a firewall log that actually shows indymedia probing ports that indymedia has no business probing then there might be some questions to answer, but until then, get a grip on yourselves, and read a book on basic networking, guys.

To get things in perspective, my router log currently shows 208 blocked TCP connections, 54 of which are probably automated windows viruses poking my ports for windows vulnerabilities without the knowledge or consent of the user at the other end, 1 probe to see whether I was running a SOCKS proxy server (there are both good and bad reasons for checking that, but from the source, I'd guess this one was malicious), and the remaining 143 are just dropped connection packets and the like, attempting to connect to ports which would almost never be running vulnerable services that a hacker would want to exploit. Some of those show the same level of 'persistence' that the second screenshot complains about. 78 of the innocent packets come from one single source, and I'm fully aware of the reasons for him being in my logs.

I'm all for people keeping a wadder eye on their computer security, but lay off the hysteria until you know enough about your firewall and about networking to actually make a well formed accusation. I'm still at a loss as to WHY indymedia, even if it was run entirely by spooks, would go out of it's way to probe you. If the spooks really felt the urge to do such a thing, then surely they'd put your IP addresses into the MI5 computer and then nmap you from some random spot on the net rather than hax0r your netz0rz from their precioussss honeypot and discredit their own operation. Sounds stupid to me.

Aim Here
Go on give us the ports

03.02.2007 10:42
The manual for the 'personal firewall' is here  http://www.sunbelt-software.com/documents/sunbelt_kerio_personal_firewall_user_guide.pdf
logs and alerts section is what you want to find out how to give us the Ports being 'scanned'.

geek
go and finger yourself

03.02.2007 11:19
"For Indymedia to scan it they must have had the IP address.But they say they don't keep them.Explain this Indymedia?"

Dingo, not logging your IP is different from not having it - any computer you connect to, and all the routers in between, have your IP or you wouldn't see this site.


"and the most likely explanation is still the most benign, that this guy's firewall is dropping entirely innocent packets."

It must've taken you longer to write your post that it would've to test your theory. I've just downloaded and tested it and dropped packets don't produce false hits on the version I've downloaded (4.3.268) . Why would you state such a thing without at least pulling a cable to test it ? You're attitude is hardly reassuring. Do you have any IM hits in your log ? Is the 'most likely explanation' you are a smug little twat with a couple of Dummies books who hasn't done anything arrestable for so long it just doesn't matter to you ? As for the patronising paranoia and hysteria crap, fuck off and die. Some of us do shit you know. So stop speculating as to WHY and start trying to recreate it assuming that Dingo has got scared and buggered off.

dp

Dingo

Additions

hey dingo you still don't have a clue

21.02.2007 00:35

as to what you're crappy firewall is doing or how to use it or how to interpret the results. You've been asked again and again and again to provide details of the actual ports but you're just too stupid to be able to do this preferring to carry on firing off wild accusations and jerking your knee instead. There should be laws preventing paranoid idiots like you from ever connecting to the internet. You've been egged on by the completely deranged dp (desperately paranoid) and mark (barking) wallis and you actually believe what those nutters are telling you! There's no helping morons like you. Take your computer in for recycling tomorrow.

more sorted than you


Comments

Display the following comment

  1. WTF! — yes