==Phrack Inc.==

Volume 0x0b, Issue 0x3c, Phile #0x03 of 0x10

--[ 2 - Watching Big Brother

by da_knight

Have you ever wanted to be the one doing the watching? If you are a system administrator of UNIX / Linux servers, then you may be aware of a product called Big Brother, which can be downloaded from 'http://bb4.com/'. This article is by no means technical, simply because it doesn't need to be. It is divided into two sections, so bear with me for the briefing on Big Brother (BB).

BB is a program that will monitor various computer equipment; things it can monitor are connectivity, cpu utilization, disk usage, ftp status, http status, pop3 status, etc. As you might imagine, this information is very important to an organization. BB is your standard client / server setup. The server software can run on various flavors of UNIX, Linux and NT. The client software is available for UNIX, Linux, NT, Mac, Novell, AS/400, and VAXen; some client software is provided by 3rd-party vendors and not supported by BB4 Technologies.

The cool thing about this is all of this information is viewed on a web page. So, if you have multiple servers that you have to maintain, with this product you would be able to go to one web page and quickly get a status of all of those servers - pretty handy. When everything is fine your status is "green"; major problems are indicated by "red". Example: the connectivity (conn) status is done by pinging the equipment in question; if the ping fails then it would appear as a red zit on the web page. When tests such as this fail, BB can be configured to automatically page the administrator.

Here is a quick run down of the statuses, listed in order of severity:

  red    - Trouble; you've got problems.
  purple - No report; the client hasn't responded in the last 30 minutes.
  yellow - Attention; a threshold has been crossed.
  green  - OK; take the day off.
  clear  - Unavailable; the test has been turned off.
  blue   - Disabled; notification for this test has been turned off.

The status is also reflected in the title of the web page, so it only takes one red zit to cause the web page title to start with "red:Big Brother"; we're going to get into this in a minute.

A common thing for administrators to do is to monitor their most important systems with this product, as well as the most important aspects of each system. If you have a web server, you would want to monitor the http and conn statuses just to make sure people are still able to connect to the server. Other tests I have seen are to check Oracle, or to list all connected users. Hell, they even have a way to add weather reports. The point is, it's pretty limitless what can be monitored; it just depends on what you deem important.

Now that you have a little bit of an understanding of what BB can do, I want to quote two things from the BB4 Technologies (BB4) FAQ - Section 5: Security Considerations (http://bb4.com/bb/help/bb-faq.html#5.0). Everything in that section of the FAQ should be considered, but we'll focus on these two.

  "BB does not need to run as root. We suggest creating a user 'bb' and
   running bb as that user."

  "We recommend password-protecting the Big Brother web pages"

So, you ask yourself, why are these things important to me? Well, one, you know that administrators who run this software probably have it set up using the user 'bb', and that they may also be running it with root level access. This gives you a valid user account on a system, and this account probably wouldn't be used by a human very often, so the password could be something simple. But that's not the point of this article. The second thing is that BB4 realizes the information on these web pages is extremely important and they recommend password-protecting them.

Following this logic you then say these are web pages, so it's running on a web server, and if they're not password-protected and the server is visible to the WWW, then... that's right, search engines will find these pages and serve them up when you know what to look for.

What are you waiting for? Go to 'http://www.google.com' and search for "green:Big Brother" (include the quotes; it makes it more refined). You will get about 16,200 matches. Now that doesn't mean that those are all unique, because it will have numerous pages from the same site, but you get the point. I would estimate that there are over 200 sites that can be viewed this way. Remember to search for all the other statuses too; just change the name of the color. One more thing: I chose Google for a reason. Some of these sites no longer run the BB product, but Google has a nice ability to view cached pages, so you can still glean information from them.

After you scroll through the list of sites you will realize that the majority of them are either small ISPs or colleges. I'm going to pick on a college, an Ivy League one, no less. I can tell you from looking at this particular BB site that the BB server is running on a computer called 'artemis.cs.yale.edu' and the IP address is '128.36.232.57'. Also the computer 'rhino.zoo.cs.yale.edu' is having some serious issues. How did I find the IP address? Simple; if you click on the "green" or whatever color button under the "conn" column, you will see a web page that has information similar to this:

  ---------------------------------------------------------
  rhino.zoo.cs.yale.edu - conn
  ---------------------------------------------------------
  green Sun Jun 30 01:33:15 EDT 2002 Connection OK

  PING 128.36.232.12 (128.36.232.12) from 128.36.232.57 : 56(84) bytes of data.
  64 bytes from 128.36.232.12: icmp_seq=0 ttl=255 time=379 usec

  --- 128.36.232.12 ping statistics ---
  1 packets transmitted, 1 packets received, 0% packet loss
  round-trip min/avg/max/mdev = 0.379/0.379/0.379/0.000 ms
  ---------------------------------------------------------

Right there you know that the ping command was trying to ping '128.36.232.12', in this case 'rhino.zoo.cs.yale.edu', and that it came from '128.36.232.57' or 'artemis.cs.yale.edu'. Let's see what else we can find out. I can see that almost all of their servers run Tripwire, so they are UNIX systems, and you probably would have a hard time creating a backdoor account on these systems. On another page, we get to see the users who are currently logged in. Currently we have 33 users logged in, and seeing as it's 1:33 AM, I think some people left their computers logged in.

I want to get more information about Yale's servers, so let's go back to Google and look for another page from Yale, but this time look for 'zelda.cs.yale.edu'. Now we can get some good information. When this site is displayed you will see quite a few servers listed, as well as several departments. If you want to know what software 'plucky.cs.yale.edu' is using to run its HTTP services, just click on the 'green' button:

  ----------------------------------------------------
  plucky.cs.yale.edu - http
  ----------------------------------------------------
  green Sun Jun 30 01:45:21 EDT 2002 http://plucky.cs.yale.edu - Server OK

  HTTP/1.1 200 OK
  Server: Microsoft-IIS/4.0
  Content-Location: http://plucky.cs.yale.edu/index.html
  Date: Sun, 30 Jun 2002 05:45:21 GMT
  Content-Type: text/html
  Accept-Ranges: bytes
  Last-Modified: Tue, 12 Jan 1999 20:49:40 GMT
  ETag: "54b4ec126d3ebe1:4051"
  Content-Length: 2226

  Seconds: 0.01
  ----------------------------------------------------

What the hell? They're actually running IIS 4.0? Don't they know how insecure that is? But I digress.

From that information you know that the server is some version of Windows NT and it has IIS 4.0 running; that could be handy. Zelda is also showing they monitor printers. Now that can be fun; what if the message "I think therefore I hack!" is sent to the printer 'philo-printer.philosophy.yale.edu'? And in case you're wondering, the printer is an 'HP LaserJet 4050 Series'; I just had to click on the button under the "printer" column to find that out.

Elsewhere on this same site, I find that several servers are running TELNET, POP3, Oracle, FTP, and IMAP. Most of these services will gladly tell you what version of the software they are running. Oracle, for instance, is even nice enough to show you all of the connected users. How can you thank them enough for this valuable information? Also, it seems only the geologists at Yale feel they have data that is of great importance. I wasn't able to view what they monitor because of access permissions on their web site, but I do know that they are running their web server on Apache version 1.3.26.

As you can see, I would be able to gather an enormous amount of vital infrastructure data in a few minutes. Plus, I didn't break any laws. These web pages are posted in a manner that the entire world can view them. It might take someone 10 minutes or more to find out a few facts about 1 particular system, but in that amount of time I found numerous facts about over 40 systems at the same organization. Thanks Big Brother!

I feel it should be mentioned that the information found on these web pages is information that most organizations don't even let employees outside of the IT department see. I guess I should feel special, since Yale must feel that I'm not a security risk; otherwise they would have made me authenticate to their web sites.

Imagine this: an ISP that lists all of their routers complete with IPs and model information. If you had that, you could possibly rely on vulnerabilities in SNMP discovered earlier this year, or better yet, rely on the default accounts / passwords set up on these types of devices. I only bring this up because I know I did come across an ISP that did list routers, and the majority of the sites returned by Google seemed to be smaller ISPs. Also, about searching on Google, I would recommend searching for "red:Big Brother", because these pages will always give you more information than when the system is running perfectly.

Finally, I didn't write this article to condone breaking into systems and providing a means to that end. I wrote this because security is extremely important; with the information that is found because of this one product your environment could be compromised. If you are a system administrator for a site that shows up on Google you may want to secure your BB web pages, because by the time you read this the world is going to know your infrastructure.
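As an added example, not code from the article or from BB4: a self-check an administrator can run against the URLs of their own BB pages. It fetches each one without credentials and reports it as exposed when it comes back 200 with the "<color>:Big Brother" title the article describes, or as protected when the server answers 401/403; the URL in the block is a placeholder.

```python
# Added example: self-audit your own Big Brother pages for anonymous access.
# Not part of the Phrack article or of BB4's software; URLs are placeholders.
import re
import urllib.error
import urllib.request

# Status colours from the article, in the order BB ranks them.
BB_STATUSES = ("red", "purple", "yellow", "green", "clear", "blue")
# A BB summary page's title starts with "<color>:Big Brother".
TITLE_RE = re.compile(r"<title>\s*([a-z]+)\s*:\s*Big Brother", re.IGNORECASE)


def bb_status_from_html(html):
    """Return the status colour from the page title, or None when the page
    does not look like a BB summary page."""
    m = TITLE_RE.search(html)
    if m is None:
        return None
    color = m.group(1).lower()
    return color if color in BB_STATUSES else None


def classify(http_code, html):
    """Classify one anonymous fetch of a BB page URL:
      'exposed'   - BB page served without any authentication
      'protected' - the web server demanded credentials or denied access
      'other'     - not a BB page at all (moved, removed, unreachable)"""
    if http_code in (401, 403):
        return "protected"
    if http_code == 200 and bb_status_from_html(html) is not None:
        return "exposed"
    return "other"


def fetch(url, timeout=5.0):
    """Fetch URL without credentials; return (http_code, body). Unreachable -> 0."""
    req = urllib.request.Request(url, headers={"User-Agent": "bb-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""
    except urllib.error.URLError:
        return 0, ""


if __name__ == "__main__":
    # Placeholder: replace with the URLs of your own BB web pages.
    for url in ["http://bb.example.invalid/bb/"]:
        print(f"{classify(*fetch(url)):9s} {url}")
```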