
Frequently Questioned Answers to Sullivan's Travels
- where does "FQAs" come from?
- what tools do you use in the investigation?
traceroute, telnet, nslookup, whois, nmap, ftp, binfo, finger, and sometimes firewalk. More info is available from rain forest puppy, at Unix Insider, and in books.
- where does the title "Sullivan's Travels" come from?
A 1941 film, a "marvellously sustained tragi-comedy which ranges from pratfalls to the chain gang and never loses its grip or balance." (Halliwell)
- why did the film's star, Veronica Lake, change her trademark hairstyle during World War II?
Female factory workers were copying her peek-a-boo hairstyle, raising safety concerns.
- why investigate a particular machine?
Because it is frequently attempting to put a file on our machine without authentication (or even permission). Or because it is misusing one of our internetworking services.
- what authentication do you require for SMTP/mail?
The reverse lookup (PTR) of the connecting IP address must yield a hostname, and that hostname must in turn resolve back to the original IP. If not, they're still free to visit our website.
- is that authentication reasonable?
For putting a file on our machine, it's pretty minimal. But at least it's something. (We're not requiring ssh/digital-certificate authentication.) It gives us a little protection against forged DNS entries.
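The forward-confirmed reverse DNS rule above, worked through as an added example that is not part of the original page: `fcrdns_ok` applies the check with pluggable lookups, so it runs offline against constructed sample records (the `SAMPLE_*` tables and the `table_*` / `system_*` helpers are this example's own names, not anything from the page). With the `system_*` helpers it queries the real resolver instead.

```python
import socket
from typing import Callable, Iterable, Optional, Tuple

# reverse(ip) -> PTR hostname or None; forward(name) -> addresses the name
# resolves to. Both are injectable so the rule can be exercised offline.
ReverseLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], Iterable[str]]

def fcrdns_ok(ip: str, reverse: ReverseLookup, forward: ForwardLookup) -> Tuple[bool, str]:
    """The page's SMTP admission rule: the connecting IP must have a PTR name,
    and that name must resolve back to the same IP. Returns (accepted, detail)."""
    try:
        name = reverse(ip)
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        name = None
    if not name:
        return False, "no PTR record"
    try:
        addrs = set(forward(name))
    except OSError:
        addrs = set()
    if not addrs:
        return False, f"PTR name {name} does not resolve"
    if ip not in addrs:  # several A records are fine as long as one matches
        return False, f"{name} resolves to {sorted(addrs)}, not {ip}"
    return True, name

# Live lookups through the system stub resolver (need network access).
def system_reverse(ip: str) -> Optional[str]:
    return socket.gethostbyaddr(ip)[0]

def system_forward(name: str) -> Iterable[str]:
    return [info[4][0] for info in socket.getaddrinfo(name, None)]

# Constructed sample DNS data (RFC 5737 documentation addresses, not real hosts).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",    # forward and reverse agree: accepted
    "192.0.2.20": "host20.example.org",  # PTR exists but forward points elsewhere
}                                        # 192.0.2.30 has no PTR record at all
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10", "198.51.100.10"],
    "host20.example.org": ["203.0.113.5"],
}

def table_reverse(ip: str) -> Optional[str]:
    return SAMPLE_PTR.get(ip)

def table_forward(name: str) -> Iterable[str]:
    return SAMPLE_A.get(name, [])
```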
- is the file spam? is it a mail bomb? is it a mailer exploit?
We don't want to find out. At the very least, it disrupts the intended use of the Internet and wastes resources -- and we do get a lot less spam now.
- what is the lamest form of cracking?
Spamming.
- what services did the Morris worm exploit in 1988?
BSD "r" commands, finger, and sendmail.
- what is your mail setup?
After an intense encounter with a Hong Kong box, we changed to exim-as-a-daemon from smail-under-tcpd (which seems a bit strange in retrospect, but would be fine for the low number of SMTP connection attempts we should be getting). We also reject attempts with bad syntax and attempts by RBL'd sites, but hosts with DNS errors are far more common:
typical stats for 10 days (and 7 usernames):              5 years later:
  542  "normal" bounces (using 370 incorrect usernames)    5892 (922)
  115  hosts w/ DNS errors (or from banished domains)     54837
    1  banished domains, IP blocks, countries               482
   25  hosts w/ header/syntax errors                        555
    3  RBL'd hosts                                          132
    6  hosts w/ DNS_errors_with_frequent_attempts             ?
- what was the first machine you nmap'd?
203.85.169.229 (pc229.eprotel.com.hk?)
- why do you port scan as part of the investigation?
Just checking the "doors and windows", ma'am, for further signs of a compromised machine. At no time do we enter or damage the "building". (We've never even used an exploit script.)
- are you doing this for financial benefit?
No. We just want to see the problem fixed, and we try to contact a hostmaster. Admittedly, we do derive an unexpected intensity from our investigations.
- from where do you investigate and document?
A legitimate account on a legitimate machine (with proper DNS entries, of course).
- why do you publish your findings on the web?
The web doesn't seem to mind.

Suggestions on how to improve Sullivan's Travels are welcome (tools, extra steps, etc.):
traceroute
    country codes
telnet 25
    check banner for hostname
    vrfy postmaster
    double-check logs for abuse
nslookup
    double-check DNS entries
    set q=any to get nameservers and contact info
    check reverse zone of nameservers
    may need to use:
        whois/InterNIC
        whois -h {whois.arin.net whois.ripe.net whois.apnic.net}
if (nmap -P0 -sS -O -F) doesn't work,
    try firewalk or one of nmap's advanced scans
    e.g., firewalk -pTCP -S21,25,53,79,80 bindIP hostIP
if (auth) nmap -P0 -I -p 'public ports'
    public ports = ftp, smtp, domain, finger, http
for public ports, use:
    ftp (check banner and anonymous login -- and /pub)
    telnet 25 (... smtp already done above)
    binfo (version of BIND on domain)
    finger (who's there)
    telnet 80 (check webserver banner and content)
nmap -P0 -sS -sR -p 'sometimes-rpc ports'
if firewall/proxy or port forwarding
    bounce email and inspect headers
Travelogue pre-alpha (Portugal; GNU/Linux; 6/5/2000)

Last modified: 1/22/2005