1. Forum
  2. Usenet
  3. COMP.SECURITY.MISC

  • Anyone know what this is?

    From Anonymous@21:1/5 to Anonymous on Tue Aug 18 07:15:47 2015
    XPost: alt.privacy.anon-server, comp.security.firewalls, alt.computer.security

    In article
    <8c8c6371cb906bf68dbed6ee6b15da07@remailer.paranoici.org>
    Anonymous <nobody@remailer.paranoici.org> wrote:

    On 08/17/2015 07:35 AM, Nomen Nescio wrote:

    Caught these records that actually got an ACK and returned an OK:

    103 2015-08-16
    20:37:37.831756 198.15.216.135 me.net HTTP 274 5270 GET >> http://www.msftncsi.com/ncsi.txt HTTP/1.1

    104 2015-08-16
    Seq=1 Ack=221 Win=15544 Len=0

    105 2015-08-16
    20:37:37.832683 me.net 198.15.216.135 HTTP 1259 6583 HTTP/1.1 200
    OK (text/html)

    Went on the try a GET /HNAP1/ which I had already blocked. The
    http://www.msftncsi.com/ncsi.txt is a Microsoft site that returns a
    page containing this:

    Microsoft NCSI


    Explained here: http://blog.superuser.com/2011/05/16/windows-7-network-awareness/

    -SEC3 Pinger

    That was quite interesting. Looks like another way the MS can
    track you. I set the value in the register to zero as suggested,
    it was 1 - on.

    I am not sure what is going on with such a hit, but it seems like
    they actually used my Linux server to go to msftncsi.com.

    I block this request from someone hitting my Linux server with
    this request using these. Only one is probably necessary.

    Both on single line:

    iptables -I INPUT 1 -p tcp -m multiport --dports 80,443 -m string --
    string "msftncsi"
    --algo bm --to 300 -j DROP

    iptables -I INPUT 2 -p tcp -m multiport --dports 80,443 -m string --
    string "HNAP1"
    --algo bm --to 300 -j DROP

    No paranoia here.

    "The TechNet webpage describing NCSI mentions:

    IIS logs are stored on the server at www.msftncsi.com. These
    logs contain the time of each access and the IP address recorded
    for that access. These IP addresses are not used to identify
    users."

    Are you fucking insane or what?

    AT&T has been happily volunteering your information to world
    governments on every single pipe they own - without even being
    asked. I don't care who you think you have for an ISP - AT&T is
    providing the primary pipe.

    Where is your objection to that behavior?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)