Thursday, December 29, 2011

Ubee Interactive Owners


All users of these cable modems should immediately change their passwords.
If you are connected to the LAN interface (wired or wireless), connect to the default LAN address. The default username is "user" and the default password is "user"; also "admin" and "cableroot". By default these cable modem/gateways ship with two ports open to the Internet: TCP/64623 and TCP/64680. The former offers remote users access to a telnet console and the latter exposes the web GUI.

The oldest post I've found revealing this issue so far is here:
http://cyberfeen.wordpress.com/category/system-administration/

An additional post concerning an older version of this device and confined to a different ISP is here:
http://seclists.org/fulldisclosure/2010/Aug/120
This gentleman deserves real credit for his patience in dealing with security at the ISP and for realizing the scope of this problem. I suspect that particular provider merely filters traffic on these ports now, rather than actually fixing the underlying issue or shipping different modems to its customers. Upon cursory examination, the users in the address space listed in this post do seem to be unreachable on these ports.

This vulnerability is exacerbated by the fact that these newer devices are combination wireless router/cable modems - meaning that many users do not even have the protection offered by a basic consumer firewall and those that do are still vulnerable to man in the middle exploits which redirect and sniff their outbound traffic.

I can't claim any credit; however, the scope of the number of homes and small offices affected by this demands further attention. I have attempted to contact some of the ISPs whose clients are rendered vulnerable by this equipment and will continue to do so; however, I will shortly publish a list of IP addresses and a script to exploit vulnerable systems if no action is taken.

Monday, October 3, 2011

Detect And Display A Visitor's I.P. Address


I've used derivations of this code to display visitor IP/hostname/User Agent information on my websites.


This is my PHP/JS without any MySQL backend:

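<?php
// Serve the response as JavaScript so it can be loaded through a <script> tag.
header('Content-Type: application/javascript');
date_default_timezone_set('CST6CDT');
$date = date(DATE_RFC822);
// REMOTE_ADDR is the visitor's address as seen by the web server.
$serverIP = $_SERVER['REMOTE_ADDR'];
// The reverse-DNS name is set by whoever controls the address, so treat it as untrusted.
$hostname = gethostbyaddr($serverIP);
// These request headers are optional and client-supplied; default to an empty string.
$ref = $_SERVER['HTTP_REFERER'] ?? '';
$useragent = $_SERVER['HTTP_USER_AGENT'] ?? '';
// HTML-escape each value, then JSON-encode the markup so it is a valid JavaScript string literal.
$html = 'We See You: <br><b>' . htmlspecialchars($serverIP) . '<br>' . htmlspecialchars((string) $hostname) . '<br>' . htmlspecialchars($date) . '</b>';
echo 'document.write(' . json_encode($html) . ');';
?>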


I have named this script 'ip.php' and placed it on my web server (A Debian/Apache LAMP system in this case).
The following is a snippet from my index page into which I write the output of my 'ip.php' file:
<table>
<tr>
<td>
<script type="text/javascript" src="http://ADDRESS.EXAMPLE.COM/ip.php"></script>
</td>
</tr>
</table>




I have presented this deliberately spartan example that you may more easily work it into your own sites.

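Notice that the '$ref' and '$useragent' lines in the PHP do not appear in this output? You might choose to modify this code to display them to your visitors. Both values come from client-supplied request headers, so escape them before writing them into the page.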
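
Following the suggestion above to display the referrer and user agent, this added example (not the author's code) puts the raw-concatenation pattern beside an escaped version and runs both over a request whose User-Agent contains a quote and markup. The function names and the sample request are constructed for illustration.

```php
<?php
// Added example, not the author's code. Function names are hypothetical.

// Unsafe pattern: a raw value concatenated into a JavaScript string literal.
// A double quote in $value ends the literal early.
function unsafe_line(string $label, string $value): string
{
    return 'document.write("' . $label . ': ' . $value . '<br>");';
}

// Safer pattern: HTML-escape each value, then JSON-encode the whole markup
// so quotes, backslashes and newlines cannot end the JavaScript string.
function visitor_js(array $server): string
{
    $fields = [
        'IP'         => $server['REMOTE_ADDR'] ?? '',
        'Referer'    => $server['HTTP_REFERER'] ?? '',     // optional, client-supplied
        'User agent' => $server['HTTP_USER_AGENT'] ?? '',  // optional, client-supplied
    ];
    $html = 'We See You: ';
    foreach ($fields as $label => $value) {
        $html .= '<br><b>' . $label . ':</b> '
               . htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    // JSON_HEX_* additionally writes <, >, & and quotes as \uXXXX escapes.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return 'document.write(' . json_encode($html, $flags) . ');';
}

// Constructed sample request: the User-Agent carries a quote and a tag.
$sample = [
    'REMOTE_ADDR'     => '203.0.113.7',
    'HTTP_USER_AGENT' => 'Example/1.0 "); console.log("broke out"); // <b>',
];

// First line: the literal is cut short and the rest runs as script.
echo unsafe_line('User agent', $sample['HTTP_USER_AGENT']), "\n";
// Second line: one intact string literal containing only escaped text.
echo visitor_js($sample), "\n";
```

Run it with the PHP command-line interpreter and compare the two output lines; in 'ip.php' you would pass `$_SERVER` to the escaped version.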









I have also built a MySQL database to do more detailed record keeping on my sites' traffic. If your site is hosted, your provider is probably doing this anyway, and there are many packages out there which do much more elaborate recording/analysis of site traffic; Webalizer comes to mind.




www.it-huntsville.com