
From GE Commercial Finance to Zero Hedge, With Love

Sacrilege's picture




 

GE Commercial Finance, Stamford Connecticut:

On behalf of the Zero Hedge staff, I want to take a minute to apologize for our filtering your 439 packets today at our firewall. It's a bit touchy, and being the keen judge of character that it is, decided it no longer had to tolerate your toxic packet underwriting. In the future, we ask that you refrain from sending innocuous requests to random ports on our boxes in search of things clearly beyond your grasp.

Further, if this is a desperate ex-girlfriend attention ploy from the likes of CNBC carried out third party: we'll kindly remind you high school is over.

tcp connect log:

07/28/2009 13:47:26 Host: 8.4.8.12/8.4.8.12 Port: 21 TCP Blocked


fw connect log:

pkts bytes target prot opt in  out source   destination
 439 25460 DROP   all  --  any any 8.4.8.12 anywhere

traceroute:

16 GE-COMMERCI.hsa1.Stamford1.Level3.net (63.208.150.2) 103.728 ms !X * *
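
A way to triage the two log excerpts above, as an added example that is not part of the original post: it parses the counter row and the connect-log format, uses the average packet size to tell header-only packets from ones carrying data, and counts distinct ports per source. The 192.0.2.x lines, the function names and the thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Counter row exactly as quoted in the post (column order:
# pkts bytes target prot opt in out source destination).
FW_ROW = "439 25460 DROP all -- any any 8.4.8.12 anywhere"

# First line is the connect-log entry from the post. Every 192.0.2.x line is
# CONSTRUCTED (documentation address range) to exercise the other verdicts.
CONNECT_LOG = """\
07/28/2009 13:47:26 Host: 8.4.8.12/8.4.8.12 Port: 21 TCP Blocked
07/28/2009 14:02:10 Host: 192.0.2.7/192.0.2.7 Port: 21 TCP Blocked
07/28/2009 14:02:10 Host: 192.0.2.7/192.0.2.7 Port: 22 TCP Blocked
07/28/2009 14:02:10 Host: 192.0.2.7/192.0.2.7 Port: 23 TCP Blocked
07/28/2009 14:02:11 Host: 192.0.2.7/192.0.2.7 Port: 25 TCP Blocked
07/28/2009 14:02:11 Host: 192.0.2.7/192.0.2.7 Port: 80 TCP Blocked
07/28/2009 14:02:11 Host: 192.0.2.7/192.0.2.7 Port: 110 TCP Blocked
07/28/2009 14:05:40 Host: 192.0.2.9/192.0.2.9 Port: 80 TCP Blocked
07/28/2009 14:05:43 Host: 192.0.2.9/192.0.2.9 Port: 80 TCP Blocked
07/28/2009 14:05:49 Host: 192.0.2.9/192.0.2.9 Port: 80 TCP Blocked
this line is malformed and must be skipped
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"Host: (?P<name>[^/\s]+)/(?P<addr>\S+) "
    r"Port: (?P<port>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def parse_counter_row(row):
    """Split one rule row into counters, target and source.

    iptables abbreviates large counters (12K, 3M) unless -x is given;
    int() raises ValueError on those, which is the safe failure here.
    """
    pkts, nbytes, target, _prot, _opt, _in, _out, source, _dest = row.split()
    return {"pkts": int(pkts), "bytes": int(nbytes),
            "target": target, "source": source}


def avg_packet_size(row):
    """Average bytes per matched packet for one rule row."""
    c = parse_counter_row(row)
    return c["bytes"] / c["pkts"] if c["pkts"] else 0.0


def header_only(avg, max_header_bytes=60):
    """Heuristic (assumed threshold): an IPv4 TCP segment with no payload is
    40 bytes, typically up to 60 with the options a SYN carries. An average
    at or below that means the packets carried essentially no data."""
    return 0 < avg <= max_header_bytes


def parse_connect_log(text):
    """Return (source address, port, action) for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = CONNECT_RE.match(line.strip())
        if m:
            events.append((m["addr"], int(m["port"]), m["action"]))
    return events


def classify_sources(events, sweep_ports=5):
    """Label each blocked source by how many distinct ports it touched."""
    ports, hits = defaultdict(set), defaultdict(int)
    for addr, port, action in events:
        if action != "Blocked":
            continue
        ports[addr].add(port)
        hits[addr] += 1
    verdicts = {}
    for addr, seen in ports.items():
        if len(seen) >= sweep_ports:
            verdicts[addr] = "multi-port sweep"
        elif len(seen) == 1 and hits[addr] > 1:
            verdicts[addr] = "repeated connects to one port"
        elif len(seen) == 1:
            verdicts[addr] = "single connect attempt"
        else:
            verdicts[addr] = "a few ports"
    return verdicts


if __name__ == "__main__":
    avg = avg_packet_size(FW_ROW)
    print(f"average dropped packet: {avg:.1f} bytes, header-only: {header_only(avg)}")
    for src, verdict in classify_sources(parse_connect_log(CONNECT_LOG)).items():
        print(f"{src}: {verdict}")
```

The counter row alone cannot separate a sweep from repeated connects, because a blanket DROP rule counts every packet from the source regardless of port; the per-connection log is what carries the port information.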

 

Tue, 07/28/2009 - 20:53 | 17633 Bearish News

Interesting. Is there any explanation for this, other than someone within their network scanning for vulnerabilities on ZH servers?

Tue, 07/28/2009 - 20:58 | 17644 Sacrilege

There's always an explanation, it's just whether you buy it.

Wed, 07/29/2009 - 07:19 | 17989 Anonymous

TD must be new to owning servers.... It's called a computer flirting... My servers get hundreds a day...

In short... It probably was a simple port scan. Nothing to worry about and probably was done by a network admin to see what your technical abilities are..

Tue, 07/28/2009 - 23:51 | 17842 Anonymous

"vulnerabilities on ZH servers". LOL.

As if...

Trust me when I tell you this is not the way it's done. Sounds like a ploy for attention by someone.

Maybe it's the scary GoldenSac HFT program taking a cigarette break. She's bored so she spoofed GE's MAC/IP's and called her old bedfellow Nmap for a little romp on the stack.

Tue, 07/28/2009 - 20:56 | 17637 silencedogood

Hmm....someone trying to connect to your FTP port...wonder why?  Perhaps a means to examine the packets to determine the OS you are running?  Or try to determine the version of FTP ( I hope the hell you are running SFTP at the least!) so they can compromise it.  Or they did this to have YOU block all of their employees from seeing the truth on your website.  Perhaps opening up port 80 for all (assuming your http daemon is hardened!) so GE employees can peruse your site.  Most likely explanation is the packets were spoofed to see if you are monitoring...

-Silence

Tue, 07/28/2009 - 22:21 | 17742 SWRichmond

There are any number of progs you can run to spoof a from address probe; nmap comes to mind.

hat tip to fyodor

 

Tue, 07/28/2009 - 22:46 | 17789 aldousd

yeah, it's like planting evidence. scanning ports, or sending syn's though is all you can really do, unless you already own the network you're trying to attack.  if you can somehow predict the sequence numbers, you might get a connection open by blindly sending an ack with a lucky time delay, but that's as far as you'd get. you'd be hard pressed to get any response from spoofed source ips. (Though it can be done, it's not likely from a script kiddie or a person just dicking around with nmap.)

Wed, 07/29/2009 - 00:48 | 17888 Anonymous

like crash override vs. the plague?

Tue, 07/28/2009 - 23:58 | 17846 Anonymous

Being a GE Capital management employee, I can assure you it's an attempt to block employees from reading ZH. GE likes only happy news, it's why they employ clowns like Liesman for their TV shows.

Tue, 07/28/2009 - 20:57 | 17640 texpat


Just watching Beaker.

His message of hope somewhat undermined by the 'emergency liquidation' ads by auction.com in the commercial break.

None of those 5/3.5 houses at $499 will sell anywhere near that.

Hahaha, dissing the blogs now!!!!!

Tue, 07/28/2009 - 20:57 | 17642 Anonymous

Ha fucking ha...Rot in hell GE!!!

Tue, 07/28/2009 - 21:00 | 17646 wheaties

It's gonna happen sooner or later.  At least it's not like wikipedia where certain entries are modified by corporate entities to reflect only a favorable facsimile to their real selves.

Tue, 07/28/2009 - 21:01 | 17649 Anonymous

I will go out of my way for the rest of my life to never buy an American car or a GE product!!! That includes undergoing a scan with one of their machines for a medical procedure...Bwaaahhaaa

Wed, 07/29/2009 - 12:58 | 18294 Anonymous

smiller, they are watching you.

Tue, 07/28/2009 - 21:03 | 17651 Anonymous

umm, what does this mean to us non computer geeks

Tue, 07/28/2009 - 21:15 | 17662 deadhead

17651....i'm with you on this re non computer guy.....that said, I will say that there was a point today when the ZH servers were desperately slow....the first thing I wondered was if there was some kind of attack.  I'm hoping someone can at least list the various scenarios of what might have been occurring.  thanks.

Tue, 07/28/2009 - 21:26 | 17682 Marla Singer

No.  We moved from ZH1 completely.  We had to adjust the webserver settings for the increased load so things were slow for a bit this afternoon.  I'm pretty sure there wasn't any kind of attack.

Tue, 07/28/2009 - 22:08 | 17725 samiam6

interesting stuff, miss marla.  fyi, i was running netscape while browsing the site earlier today and, on three different attempts, it went all "not responding" on me when i tried to open the original gecc page in a new tab.  i was forced to ctrl-alt-del and start over each time.

Wed, 07/29/2009 - 01:33 | 17914 D.O.D.

samiam6, ditto, I thought it was my connection at first, but google and msn came up right away... interesting to note, at the same time this issue occurred with ZH, I had the same problem with bloomberg.com, for about 5 minutes, but no other websites...peculiar indeed...

Tue, 07/28/2009 - 22:22 | 17744 SWRichmond

I was wondering about a ddos.  piss off anyone lately?

Tue, 07/28/2009 - 22:35 | 17772 deadhead

Thank you Marla...glad to hear that.  I was also concerned that perhaps chainey was screwing around with the computers while you and TD were out fly fishing.

Tue, 07/28/2009 - 22:39 | 17781 Quantum Noise

Marla, that doesn't mean they were well intentioned. Maybe GECC was setting up their own geek PPT in case you guys decide at some future time to post something that might seriously harm them. For example, a DDoS attack needs to be planned well ahead as it cannot be done on the fly.

Wed, 07/29/2009 - 00:33 | 17875 Anonymous

Could be a 15 yo script kiddy or could be a dude who spent the last 10 years 24/7 with Greg Hoglund (Defcon fame). You just never know... That's the problem with the interwebs mi amour.

Tue, 07/28/2009 - 21:17 | 17665 Marla Singer

Looks like someone over at GE Commercial Finance was trying to find the secret access numbers to our secret safe deposit box secretly containing our secret gold depository bearer certificates.  Or just looking for open services to hack browse.

Tue, 07/28/2009 - 21:21 | 17674 deadhead

Thank you Marla..... I hope you guys are in a position to take some action on this. 

Tue, 07/28/2009 - 23:17 | 17820 Arm

Sure they could report a criminal complaint; this is exactly the evidence used to catch naughty 15 year olds. 

But ZH would have to put their real names and provide police access to their logs....   something tells me GE counted on that.

Wed, 07/29/2009 - 08:47 | 18020 aldousd

If they were trying to bait anyone on, it would have to be much more nefarious of an action than this. This is simply like 'oops, I typed the wrong ip address, and I didn't get in.' Sort of like trying to go to the wrong directory in a website by mistyping the url.  There is no way this is anywhere near qualified to be a criminal action, unless it was persistent and some other symptoms were evident.  For example, if you hit some fake website and tack on the name admin_page.php to the end of the url, the chances that you'll get anything meaningful are very slim, and that it would let you do anything if it were a real address are even slimmer. But still, there would be no grounds for a criminal charge for simply knocking on the door like that.

Wed, 07/29/2009 - 08:49 | 18025 aldousd

sorry to reply to my own post, but if you want another example, type ftp://whitehouse.gov into your browser's address bar. That's exactly what someone did to zerohedge.com in this example, or at least, what it could have been.  

Wed, 07/29/2009 - 00:09 | 17852 Anonymous

It means that GE rang ZH's back door bell and no one answered. Nothing to worry about.

Luckily ZH runs

[ELIDED - Let's not talk about ZH network configurations please. :) -- Marla]

That means anyone who installs a rootkit will be detected. Well, almost anyone. LoL.

http://www.grsecurity.net

Your comments are safe for now.

Wed, 07/29/2009 - 00:58 | 17898 Anonymous

Server config is very different from network config. :)~

Tue, 07/28/2009 - 23:29 | 17657 My cognitive di...
My cognitive dissonance's picture

It wasn't me, man.

I was with a buddy...er...from outta town, yeah, yeah that's right and all day too.

On a more serious note.

These Jackals seem to stop at nothing. You must be really on too something.

 

Wed, 07/29/2009 - 00:18 | 17861 My cognitive di...
My cognitive dissonance's picture

My bad.

What I meant to say wuz..."You must be really on something. Like, Adderall®.

How do you do it?

A friend needs to know.

Signed

MCD

 

Tue, 07/28/2009 - 21:17 | 17664 Anonymous

A bit of advice...If you put porn on instead of watching CNBS, you'll get a lot more out of your day! ;)

Tue, 07/28/2009 - 21:53 | 17708 Anonymous

You'll get a lot more out of something anyway...

Tue, 07/28/2009 - 22:00 | 17713 Cheeky Bastard

it all depends if Becky Quick is on or not ... she is definitely a porn material ... the rest of them ... blah ... maybe tits Cabrera fits into that picture, but she is more of a MILF material ....

Wed, 07/29/2009 - 01:56 | 17920 jester

it all depends if Becky Quick is on or not ... she is definitely a porn material

With a name like that, how could she not be porn material?

Tue, 07/28/2009 - 21:18 | 17667 MinnesotaNice

Sounds like the end of the relationship between GE/CNBC and ZeroHedge is going to be rocky... appears like GE/CNBC is interested in some bad 'breakup sex' which as we all know will only lead to regrets... just move on GE/CNBC... your boyfriend has dumped you.

Tue, 07/28/2009 - 21:21 | 17673 Anonymous

It would be really stupid to do it from a GE IP address.

They may have been snooping undetected on Blogger.

Tue, 07/28/2009 - 21:22 | 17675 Anonymous

just SYNs or what?

Tue, 07/28/2009 - 21:25 | 17679 Anonymous

Stay safe, ZH.

Tue, 07/28/2009 - 21:26 | 17681 Anonymous

filtering packets huh tyler? my , my. has it come to this?
ha ha

Tue, 07/28/2009 - 21:30 | 17685 Anonymous

What is the big deal? I can get on ZH and browse away and see everything right here in the open. Are you insinuating that someone wanted "inside" the hallowed halls and thought you were a few novice morons posting the most intelligent facts on the web? Or did you mean they wanted to see up Marla's skirt? Well, if that is the case, more power to 'em (and send photo please).

Wed, 07/29/2009 - 00:45 | 17883 Anonymous

Didn't you know ZH runs a completely free SVN repository for sourcecode hosting. Some told me that GS keeps their codebase on the ZH SVN servers along with Microsoft OS source code.

I also heard that ZH lost control of their SVN server once, someone stole the Microsoft XP source code and http://www.reactos.org (React OS) was born. I think this is still in litigation. :(

But the point is that there is a huge amount of IP stored on those Swedish ZH servers. It's worth billions of US dollars (yes even now when the USD is flirting with the 70's ).

Marla and TD are right. This is a federal case for sure. I for one am going to stay tuned to this drama.

Tue, 07/28/2009 - 21:35 | 17690 ShankyS

Quick idea for the ZH logo - My Cognitive has a full eclipse for photo. This would make a really cool O to put the H in. Kind of doomsdayish and end of timesish that fits the theme. IMO of course. It would make for a really cool black t-shirt with the eclipse with the H in the middle.

Tue, 07/28/2009 - 21:37 | 17692 Anonymous

Between Beaker and Calc Risk...the free advertising must be sending over increased traffic for sure.

Tue, 07/28/2009 - 21:42 | 17695 svendthrift

What's calculated risk been sayin?

Tue, 07/28/2009 - 22:36 | 17775 Anonymous

he has been talking about green shoots lately. not sure what's up with that? ritholtz has been on his case about it too as of late.

Tue, 07/28/2009 - 22:54 | 17797 svendthrift

Green shoots? That's soooo early July. Haven't we moved on? The recession is over. Green shoots are now green trees. Dow to 36,000 and all that. Fuck, I wish the smoke-shop downstairs hadn't gone bankrupt on the weekend. I'd like to celebrate our new, improved prosperity with a cigar!

Tue, 07/28/2009 - 21:43 | 17696 Anonymous

you should make all requests originating from that domain redirect to some porn site with lots of autoplay sound.

Tue, 07/28/2009 - 23:19 | 17822 Arm

It's not a guy in a cubicle that is doing it.  =D

Probably some of their guys in IT with or without permission from management.   IT guys have the porn, video games and all those toys they don't let you have, on all day

Tue, 07/28/2009 - 21:46 | 17699 Lothar the Rott...
Lothar the Rottweiler's picture

Ugh.  I give up.  There is no reason for some stupid conflict between ZH and CR.  Both have a niche, and some of it is crossover.  How many folks here read Denninger (sp?), and others?

We're short everything, we're long everything.

I know only that it means caveat emptor, but still...

No need for this when the info battle needs to be won.  In my personal opinion, of course.

Tue, 07/28/2009 - 22:00 | 17714 Anonymous

Seize all assets of Duke & Duke Commodity Brokers, as well as all personal holdings of Randolph and Mortimer Duke.

We're ruined!

This is an outrage, I demand an investigation.

You can't sell our seats. A Duke has been on this exchange since it was founded. We founded this exchange. It's ours. It belongs to us.

We'd better call your brother an ambulance.

Fuck him! I want trading reopened, right now. Get those brokers back in here. Turn those machines back on.

Tue, 07/28/2009 - 22:38 | 17779 Anonymous

Best ZH post, ever. You know who I am.

Tue, 07/28/2009 - 23:01 | 17805 Anonymous

Yeah, you're the guy who made the post in the first place. Self congratulatory post...not cool.

Tue, 07/28/2009 - 23:17 | 17819 Anonymous

Actually, I'm not. Any suggestions as to the login name I should create so you can keep track of me?

Tue, 07/28/2009 - 23:21 | 17824 Arm

Eddie Murphy?

Tue, 07/28/2009 - 23:59 | 17847 Sacrilege

I don't really care who you are -- create a login if you wish; the features are better.

And thanks for the support!

Tue, 07/28/2009 - 23:27 | 17830 Anonymous

By the way, I first used the Trading Places analogy weeks ago. Not the same anonymous as anonymous above :)

Wed, 07/29/2009 - 00:24 | 17870 Anonymous

That anonypuss who originated this thread was me and I am going to logon 'cause i am getting tired of having a bag over my head.

Wed, 07/29/2009 - 00:45 | 17884 Anonymous

Hey, I've seen you without the bag. Just some advice from a friend. Keep the bag on.

Tue, 07/28/2009 - 22:04 | 17718 guignol

I wouldn't worry too much about this. Port scanning happens every day to almost any site. Script kiddies looking for easy vulnerabilities, any 5 yr old can download this stuff from http://astalavista.box.sk/  As long as you ain't running really old un-patched versions, you should be ok.

 

You guys rock....glad you covered your tracks:

Whois Record

Registrant:
 Arx Anstalt

 [ELIDED --- Let's not encourage them.... yes its public info but please do not discuss details of network configuration here, thanks!  -- Marla]

Tue, 07/28/2009 - 22:42 | 17785 deadhead

I think I went to college with an Arx Anstalt in the mid 70's.  We tripped together at a few Grateful Dead concerts. 

Tue, 07/28/2009 - 22:05 | 17719 Anonymous

Hey the new layout kinda blows. The ad banner is bigger than the Zero Hedge name/logo, and the site is too cluttered in general.

Tue, 07/28/2009 - 22:44 | 17788 Quantum Noise

Well, Marla needs to pay for her cigarettes somehow, don't you think?

Tue, 07/28/2009 - 22:06 | 17721 Anonymous

The answer is both more "innocent" and more funny than other commenters have conceived. A machine at GE Financial most likely has contracted a virus that is now scanning ports over blocks of addresses on the Internet, looking for a place to spread itself.

Tue, 07/28/2009 - 22:28 | 17754 Sacrilege

Very unlikely given all the information on the box.

Wed, 07/29/2009 - 00:24 | 17871 Sacrilege

Thanks!

Tue, 07/28/2009 - 22:28 | 17755 DebtorShredder

High School is over!

What...huh...Who?

HOW COME I'M ALWAYS THE LAST TO KNOW THESE THINGS!!!

Tue, 07/28/2009 - 22:29 | 17758 Anonymous

i just wanted to do teh math problem

Tue, 07/28/2009 - 23:14 | 17815 Anonymous

Oooh! Oooh! I finally got one of them right!! Been trying all day. Them's too tricky for just regular postin...

Tue, 07/28/2009 - 22:32 | 17765 Anonymous

Could be a virus but since it's coming from a corporate site, it seems *suspicious* to me. GE hackers at work IMO.

Tue, 07/28/2009 - 22:34 | 17768 Anonymous

I personally wouldn't treat as a conspiracy. Try hosting any server out of your basement, and immediately you get millions of random requests a day scanning your ports. There are umpteen people scanning networks for Ports 21 and immediately attacking it, trying to guess an admin password. You don't have to be a Zero Hedge star to receive that kind of attention. Any IP/URL will be sufficient enough to be noticed by automatic scanners.

Welcome to the Internet!

Tue, 07/28/2009 - 22:41 | 17783 Comrade de Chaos

Priceless, was it the reason the loading of this site was slow this morning? And one would think that with their "imagination & innovation at work" someone would do a better job, or at least hired some Russian hackers to look clean. 

Naughty sugar high!

p.s. just saw the Moon movie, amazing it stresses how far we could go to sacrifice an individual (or dozen) for the "common" good of humanity, etc. Wonder, how many sacrifices our government is willing to take (almost said make, fat chance....)

Tue, 07/28/2009 - 22:43 | 17787 Gilgamesh

Been looking to see if anyone has torrented Moon yet, but it sounds like it might be worth the theater price for once.

Tue, 07/28/2009 - 22:56 | 17800 Anonymous

Dude, I'm glad that you've got the new digs but put the fucking ZERO HEDGE prominently on the top of this fucking site man. It's good to make money, but don't lose your signature!!!

Congrats, and I love the damn math question. hahahahaha.

Tue, 07/28/2009 - 22:57 | 17802 Anonymous

Any btw, Anon at 21:56 is Prescient11, don't even have my fucking razorback sign in. lol.

Tue, 07/28/2009 - 23:02 | 17806 SDRII

TD,

Any insight into why UBS has halted trading of leveraged ETFs? per Bloomberg

Tue, 07/28/2009 - 23:12 | 17812 Anonymous

B/C 75% LOSE MONEY IN THEM

Tue, 07/28/2009 - 23:24 | 17826 Arm

Since when do banks care if you make money?


Tue, 07/28/2009 - 23:22 | 17825 Anonymous

man, those Chinese stocks are SO CHEAP

The IPO values State Construction at 51.3 times 2008 earnings, the company said. The benchmark Shanghai Composite Index of 896 companies trades at 36 times earnings after surging 83 percent this year.

Wed, 07/29/2009 - 05:28 | 17957 Anonymous

Looks like someone in Shanghai read your post, as the market there did not behave particularly well today. Good thing the US market will never have another similar correction!

I wonder how BAC is going to be able to smooth its quarterlies in the future when CCB blows up and doesn't allow them to sell a packet (at -20% to last close) and book the "gain"? A look at CCB's aggressive lending over the last six months, while I am certain it will be backstopped by Uncle Wen, is disturbing.

One of the clowns on Fast Money is arguing that China will pull the US out of recession. I can't figure how $580 billion in stimulus that has gone mostly to copper stockpiling, redundant factory construction, BMW buying, and stock speculation is going to lead us all to Nirvana, much less the Middle Kingdom, but then again I do not have my own seat on a CNBC Game Show.

Tue, 07/28/2009 - 23:25 | 17829 Anonymous

How liquidity was supplemented in days of yore, from Nat Geo:

51 Headless Vikings Found in English Execution Pit

Tue, 07/28/2009 - 23:31 | 17833 kote

Seriously people?  First, GE's firewall would pick up a virus randomly scanning.  Second, you think GE is stupid enough to maliciously scan from a corporate IP?  You think someone within GE is stupid enough to so blatantly attempt illegal activity on their own from work?

A reader from GE was curious about the site and checked for an ftp.  Nothing to see here.

Tue, 07/28/2009 - 23:37 | 17835 DebtorShredder

Shhhh....keep it down.

This stuff always makes for a good story. People love conflict.

Tue, 07/28/2009 - 23:41 | 17837 Anonymous

Though your explanation is one of the most reasonable, it doesn't allow much room for overreaction.

Wed, 07/29/2009 - 00:09 | 17851 Sacrilege

The two most probable reasons for the number of packets are simultaneous connects to multiple ports, or repeated http requests made after the fact. Both are funny.

Wed, 07/29/2009 - 00:46 | 17886 DebtorShredder

I would delete your post. It's unnecessary information for the people.

If I understand your test, I don't like your setup.

Wed, 07/29/2009 - 13:10 | 18066 kote

So... someone tried to connect to the ftp once, and then you blocked multiple connection attempts from GE readers sharing the same NAT gateway?

Call the FBI immediately.

Wed, 07/29/2009 - 00:13 | 17856 Anonymous

"A reader from GE was curious about the site and checked for an ftp. Nothing to see here."

Of all the explanations, that's the most idiotic I've read. You must be an IT retard. Read the blog post again.

Either it was an infected computer on their internal network (very possible), combined with the IT staff at GE not blocking outgoing (not likely) or....

It was a malicious attempt to find out a little more about the ZH.

Any server on the net gets hit with these all the time. But 99.9% of them can't be traced, certainly not to a major corporate subnet like that.

Wed, 07/29/2009 - 05:33 | 17958 Anonymous

"You think someone in GE is stupid enough...."

I just took a good look at the BS at GECC and can now answer your question: Yes.

Tue, 07/28/2009 - 23:49 | 17840 Anonymous

Fighting ZH is like fighting the 'War on Terror'. Motherfuckers need to get with the techno-age and realise that this shit ain't fixed nor containable. Long live truth!

Wed, 07/29/2009 - 00:13 | 17855 Anonymous

Why does the GE IP address trace back to a corn field in Kansas?

Wed, 07/29/2009 - 00:47 | 17887 channel_zero

Why does the GE IP address trace back to a corn field in Kansas?

Because that's where the host IP is.  It's not quite that simple, but close enough. 

Wed, 07/29/2009 - 00:14 | 17857 Anonymous

you're using prq in sweden.
if you have resources, that's a lot of information.

Wed, 07/29/2009 - 00:19 | 17863 Anonymous

TYLER,

BRING BACK THE FUCKING HUGE HEADER OF ZERO HEDGE. IT ALWAYS MADE ME FEEL WARM AND SAFE TO KNOW SOMEONE SMARTER THAN ME WAS WATCHING THESE FUCKING BASTARDS.

NOW IT'S WIMPY AND TO THE SIDE WITH A FAGGY GREEK SYMBOL AND I HAVE TO GET OUT BIFOCALS TO READ THE DAMN TAG LINE.

BRING IT BACK MY FRIEND!!!!!!!!!!!!!!

FOR ALL OF US OUT THERE.

Wed, 07/29/2009 - 01:03 | 17904 Anonymous

Agreed, while you're at it can you expand the text on the main page to include all text and video embeds. Having to click on each separate article is tiresome. But yeah Big Banner ftw.

Wed, 07/29/2009 - 00:19 | 17864 Anonymous

Trader on Bloomberg says markets are manipulated and volumes 'fictitious'.

http://www.youtube.com/watch?v=V4cRYI2x60Q&feature=player_embedded

Wed, 07/29/2009 - 07:00 | 17979 Arm

Deleted

Wed, 07/29/2009 - 00:19 | 17866 Anonymous

Oh, and I know you have to make money but run them down the sides or something or side by side the big ZERO HEDGE intro.

Wed, 07/29/2009 - 00:35 | 17876 Anonymous

A packet sniffer should be able to decode the contents of the packets.

Wed, 07/29/2009 - 00:42 | 17880 channel_zero

TD, please don't run another story like this.  It's foolish.

Some PC tries to connect to 21 and it's satan coming to shut the site down. 

Please move along.  Nothing  to see here.

However, your admin is one of a very small number people who *actually* check their logs.  Boring as hell, but worth a once-over.

Wed, 07/29/2009 - 00:50 | 17889 Anonymous

Network Sniffers are FUN... view those IPs/packets!

better yet... where's that NSA fiber splice box? They're both effective at information gathering.

Wed, 07/29/2009 - 00:53 | 17895 Anonymous

Port 21? Maybe they were gonna upload a copy of Serg's HFT Erlang hack.
Just open it up and see what they drop. Anon FTP is a beautiful thing.
cougar

Wed, 07/29/2009 - 01:14 | 17908 mark mchugh

Just FYI - I was unable to connect to ZH this morning (10:00 AM????)

 

Wed, 07/29/2009 - 01:38 | 17915 D.O.D.

It seems odd that someone with the wherewithal to "ring the back door bell", would be foolish enough to not ping off of an anonymous IP... either they wanted you to know it was them, or someone else wanted you to think it was them...

Either way, seems like project mayhem is going exactly as planned sir...

Wed, 07/29/2009 - 02:04 | 17917 russell

Probably some entry-level unix admin playing games while his co-workers smoke cigarettes:

JerkoffShell@GenitalElectric.cpff.tlgp%man nmap|grep amateur

No manual entry for Fuck You Keith Olbermann

Wed, 07/29/2009 - 05:37 | 17959 Eagle

Those were flash packets. They wanted to detect what the new articles were before they were posted, so rebuttals would be instantly available.

Wed, 07/29/2009 - 06:36 | 17973 silencedogood

Tyler/Marla,

One of the hats I wear is as a high level Info Sec kinda guy. I have no doubt YOU know this but for the rest of the IT neophytes out there to 'prove' the packets came from GE, you would damn near have to get logs (via court orders) and collected in a secure manner of every device and up to including the external gateway routers of GE. Moreover, with this you MIGHT get a court order demanding GE's logs. They have good attorneys, good luck there. Additionally, the state won't do this so this would have to be a federal investigation. OH, did I mention that the servers would most likely have to be in the US for the FBI's NIPC to investigate and over $5,000 in lost "value"...and more likely a minimum of $10,000 and certain pre-reqs must be met. Did you have an AUP...blah blah kinda stuff but if you don't have disclaimers (including ones if folks try to login via FTP, ...etc) then they won't take the case either. My STRONG guess is this is someone who spoofed GE's IP address, did a port scan on your servers just to fuck with you. Now these folks know you can detect port scans. Let me tell you...IF THEY WANT IN THEY WILL GET IN. Unless you have a team of highly skilled blue and red teams to not only test your servers but to protect them 24/7 a highly skilled cracker will blow right thru your security. To counter this ensure that you continue keeping your servers redundant, and ensure to have round robin DNS with many servers to help kill DDOS attacks. If you have control over your border routers you can quickly block DDOS attacks at the gateway vs having to do anything crazy with your webserver. Now what do YOU have Corporate Crackers or very motivated government crackers (THEY EXIST!!)..I would argue it is NOT your shopping cart as that is small time game and that isn't even processed by you. WHAT YOU POTENTIALLY HAVE are IP addresses of anonymous AND pseudonymous posters.

Your webserver as do your border routers tends to log (via RDNS) this data to your web server and other network device log files. By getting this data, information can be gleaned to determine not only WHO YOU ARE but everyone else here that sends e-mail to or thru your SMTP/POP servers and/or visits or posts on your site. I would ensure your techno geeks know to sanitize (or securely encrypt!) all server/router IP addy visit logs, sanitize (or securely encrypt!) your e-mail logs...etc. Those are what a corporate or government cracker would want. The fact they did this and YOU CAUGHT THEM means it could have been a test OR most likely some stupid script kiddie playing with software on mommy and daddy's computer checking to see if they can mess with your heads. They did just that... Just my 2 cents...

-Silence
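
One way to do the log sanitizing the comment above recommends, as an added example (not the commenter's or the site's code): client addresses are replaced with an HMAC under a secret key, so visits by the same client still correlate while the address cannot be recovered by enumerating candidates the way an unkeyed hash can. The log lines, the key handling and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets

# CONSTRUCTED access-log lines. Addresses are documentation ranges; the
# hostname stands in for a client field that was reverse-DNS resolved.
SAMPLE_LOG = """\
198.51.100.23 - - [28/Jul/2009:13:47:26 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.23 - - [28/Jul/2009:13:48:02 +0000] "POST /comment HTTP/1.1" 302 0
2001:db8::42 - - [28/Jul/2009:13:49:10 +0000] "GET /rss HTTP/1.1" 200 900
gw1.example.net - - [28/Jul/2009:13:50:00 +0000] "GET / HTTP/1.1" 200 5120
"""

CLIENT_FIELD = re.compile(r"^(\S+)(.*)$")


def _canonical(client):
    """Bytes to hash: packed address for IPv4/IPv6, lowercased name otherwise."""
    try:
        return ipaddress.ip_address(client).packed
    except ValueError:
        return client.lower().encode("utf-8")


def weak_token(client):
    """WEAK: unkeyed hash. IPv4 has only 2**32 values, so anyone holding the
    log can hash candidate addresses and match them against the tokens."""
    return hashlib.sha256(_canonical(client)).hexdigest()[:16]


def keyed_token(client, key):
    """Hardened: HMAC-SHA256 under a secret key kept outside the logs."""
    return hmac.new(key, _canonical(client), hashlib.sha256).hexdigest()[:16]


def sanitize(log_text, key):
    """Replace the leading client field of every line with its keyed token."""
    out = []
    for line in log_text.splitlines():
        m = CLIENT_FIELD.match(line)
        if not m:
            out.append(line)  # blank line: nothing to replace
            continue
        out.append(keyed_token(m.group(1), key) + m.group(2))
    return "\n".join(out)


def recover(token, network, tokenizer):
    """Audit helper: hash every address in `network` with `tokenizer` and
    return the one matching `token`, or None if the range yields no match."""
    for addr in ipaddress.ip_network(network):
        if tokenizer(str(addr)) == token:
            return str(addr)
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store separately from the logs; rotate it
    print(sanitize(SAMPLE_LOG, key))
    # The unkeyed token falls to enumeration of a single /24.
    print(recover(weak_token("198.51.100.23"), "198.51.100.0/24", weak_token))
    # Without the key, the same enumeration finds nothing.
    print(recover(keyed_token("198.51.100.23", key), "198.51.100.0/24",
                  lambda ip: keyed_token(ip, b"guessed-key")))
```

Destroying the key when it is rotated turns the pseudonymized logs for that period into anonymized ones, since the tokens can no longer be recomputed from a candidate address.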

Wed, 07/29/2009 - 08:37 | 18010 Miles Kendig

Copper in both respects...

Wed, 07/29/2009 - 10:10 | 18094 deadhead

thank you for taking the time to write about this Silence.  I'm one of the IT neophytes and appreciate the explanation.

I hope that the government gets my emails to ZH as they will shudder when they discover what an important person I am (lol!).

 

 

 

Thu, 07/30/2009 - 01:10 | 19025 spud

I'm not so sure proving they're GE is paramount, it's just kinda fun enough to assume they are (based on effort expended to hide simple port scan vs. risk of action by zh to authenticate vs. gain of spoofing GE's router).

> Let me tell you...IF THEY WANT IN THEY WILL GET IN.

I dunno, zero day today does have meaning, but call me a betting man to say roo^h^h^hSacrilege is on his game and knows a port scan when he sees one.

Pressed, if you were "high level Info Sec kinda guy" you'd know better (*cough* dmca *cough*) than to flap in caps about their setup, risks, etc.

When ankle bitin' port scans register in (never mind mess with) the BOFH cranium, I'll give up on learning *nix.

Wed, 07/29/2009 - 08:06 | 18003 Miles Kendig

Layne would sing; Again.

Wed, 07/29/2009 - 08:38 | 18011 Anonymous

GE has too much time on their hands, after all they suck off the taxpayer's tit and don't actually have a functional business model outside of toxic asset hobbyist and collector anymore.

Wed, 07/29/2009 - 10:01 | 18090 Anonymous

It is a federal offense to port scan anyone... good luck getting the FBI's attention unless you are part of the system... that said, everyone is under constant attack 24x7, which is what makes the net such a lovely place

ZH, be ready, because i'm afraid your site will be attacked, probably sooner rather than later (this is not a threat, rather a prediction)

Wed, 07/29/2009 - 12:10 | 18231 Anonymous

It's not a 'federal offense' to port scan. Jeez, any idiot can do it for free via
3rd party websites, e.g.
http://www.t1shopper.com/tools/port-scanner/

In fact, I just port scanned the GE site in this article

Wed, 07/29/2009 - 13:07 | 18300 Anonymous

and i just bought a new dehumidifier, but *not* a GE model.

let me know if electrolux starts scanning your ports.

Wed, 07/29/2009 - 15:13 | 18452 Anonymous

Maybe the bigger point is Cyberwarfare from China, N Korea and Russia. What happens when people can't access accounts on line or via telephone?...

Wed, 07/29/2009 - 15:39 | 18492 Anonymous

Probably just a script kiddie playing on ZH's paranoia and willingness to turn everything into a conspiracy.

They succeeded.

Wed, 07/29/2009 - 16:38 | 18595 Anonymous

You guys are such dickheads!

I love this post. Who else would assiduously read their daemon logs, let alone post the shit they find!

Sail on, o ship of state, sail on....
