mailing list archives
Bypassing Black Ice PC protection?
From: "Curt Wilson" <netw3_security () hushmail com>
Date: Mon, 10 Mar 2003 01:14:06 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Recently seen: what appears to be an attacker bypassing Black Ice PC protection through unknown methods.
Windows 2000 pro, all service packs/hotfixes, legit install of Serv-U FTP server.
Black Ice PC Protection,
Product version 3.6.cbd
blackice.exe version 3.6.32
blackd.exe version 3.6.32
blackdll.dll version 3.6.28
BlackDrv.sys version 3.6.28
iss-pam1.dll version 3.6.06
From Serv-u FTP log file:
 Sat 08Mar03 19:09:07 - (000008) Connected to 184.108.40.206 (Local address 192.xxx.x.x)
 Sat 08Mar03 19:09:07 - Connection denied to IP-number 220.127.116.11
Black Ice is set to PARANOID and set to block all FTP access except specified IP ranges. This IP 18.104.22.168 is NOT
Black Ice did generate an alert to indicate a block, 4 seconds earlier:
Time, Event, Intruder, Count
3/8/2003 7:09:03 PM, TCP_Probe_Ftp, 22.214.171.124, 1
Severity timestamp (GMT)issueId issueName intruderIp victimIp parameters count responseLevel intruderPort VictimPort
4 2003-03-09 01:09:03 2003004 TCP_Probe_Ftp 126.96.36.199 192.168.x.x port=21&reason=Firewalled 1 A 3392 21 0x22d06
What did the attacker do 4 seconds later to bypass Black Ice? I don't see how Serv-U should have known about this
persons IP if Black Ice was doing it's job. I see these FTP probes all the time but this is the first one that's
actually appeared in my FTP server log. Unfortunately, I don't have the log*.enc file for more in-depth analysis.
Any ideas, or inside information about a Black Ice bypass technique?
Curt R. Wilson
GSEC, GCFW, GEEK(!)
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify
-----END PGP SIGNATURE-----
Full-Disclosure - We believe in it.
- Bypassing Black Ice PC protection? Curt Wilson (Mar 10)