Interesting; as @reversemode on Twitter has pointed out, 74.50.135.51 is the IP for the SCADA system, as found by SHODAN:
http://www.shodanhq.com/?q=Ft.+Sumner+SCADA
Not the 160.x.x.x IP as indicated in the original email.

On Sun, Apr 17, 2011 at 12:41 PM, Benji <[email protected]> wrote:
> so wait? Let me humor you..
>
> SSH was running and publicly accessible, so it was actually legal for me
> to log in to <something>.gov, as if they didn't want me to connect it wouldn't
> be a publicly accessible service?
>
> On Sun, Apr 17, 2011 at 12:39 PM, Jeffrey Walton <[email protected]> wrote:
>
>> > so how long do you give yourself before you're in prison?
>> lol....
>>
>> To play devil's advocate here: FPL placed those hosts on a public internet.
>> In addition, FPL also configured the hosts to advertise services. If FPL did
>> not want the services accessed, the company would have removed the hosts
>> from the public internet, shut down the services, or used leased [private]
>> lines. Where's the leap to a criminal offense?
>>
>> Jeff
>>
>> On Sun, Apr 17, 2011 at 6:29 AM, Benji <[email protected]> wrote:
>>
>>> so how long do you give yourself before you're in prison?
>>>
>>> On Sat, Apr 16, 2011 at 4:22 PM, Bgr R <[email protected]> wrote:
>>>
>>>> Here comes my revenge for illegitimate firing from Florida Power & Light
>>>> Company (FPL)
>>>> ... ain't nothing you can do with it, since your electricity is
>>>> turned off !!!
>>>>
>>>> Secure your SCADA better! Leaked files are attached ...
>>>>
>>>> 1) http://img838.imageshack.us/i/49986845.png/
>>>> 2) http://img718.imageshack.us/i/24380855.png/
>>>> 3) http://img24.imageshack.us/i/58868342.png/
>>>> 4) http://img228.imageshack.us/i/85258364.png/
>>>> 5) http://img163.imageshack.us/i/90736853.png/
>>>> 6) http://img217.imageshack.us/i/55439027.png/
>>>> 7) http://img40.imageshack.us/i/87526089.png/
>>>> 8) http://img864.imageshack.us/i/94061747.png/
>>>> ------------------------------------------------------------
>>>>
>>>> 161.154.232.65
>>>>
>>>> HTTP/1.0 401 Unauthorized
>>>> Date: Sat, 05 Feb 2011 23:43:13 GMT
>>>> Server: VTS 9.0.05
>>>> Content-Type: text/html
>>>> Content-Length: 622
>>>> Cache-Control: no-cache
>>>> WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
>>>> Cache-control: no-cache="set-cookie"
>>>> Cache-control: private
>>>> Set-Cookie: VTS=9.0005;Version=1;Path=/
>>>> Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
>>>> Set-Cookie: SessionID=0;Version=1;Path=/Ft%2e%20Sumner%20SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c..
>>>>
>>>> -------------------------------------------------------------------------------
>>>> Configuration file from the central Cisco Router and Security Device
>>>> Manager: 161.154.232.2 (FPL - FFPL-1)
>>>>
>>>> ----------------------------------------------------
>>>> Fort Sumner wind turbines:
>>>> http://www.flickr.com/photos/30325073@N02/4113855086/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
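As an added example (not part of the thread, and not anything FPL or the list runs): a small Python check that parses the 401 response quoted in the original post and lists what a defender inventorying their own exposed hosts would want to remediate, namely Basic auth offered over cleartext HTTP, a realm that names the site, a version-bearing Server banner, and cookies set without Secure/HttpOnly. The response text is copied from the post; the finding labels are my own naming.

```python
import re

# The 401 response as posted in the thread (copied from the post; the folded
# Set-Cookie line joined back together).
RESPONSE_401 = """HTTP/1.0 401 Unauthorized
Date: Sat, 05 Feb 2011 23:43:13 GMT
Server: VTS 9.0.05
Content-Type: text/html
Content-Length: 622
Cache-Control: no-cache
WWW-Authenticate: Basic realm="Ft. Sumner SCADA"
Cache-control: no-cache="set-cookie"
Cache-control: private
Set-Cookie: VTS=9.0005;Version=1;Path=/
Set-Cookie: SessionID=0;Version=1;Path=/Ft. Sumner SCADA/cc8620ba-ad1a-4ae9-96ed-036c22c3576a
"""


def parse_response(raw):
    """Split a raw HTTP response into (status_line, headers). Header names are
    lower-cased and repeated headers (Set-Cookie, Cache-control) kept as lists."""
    status, _, rest = raw.strip().partition("\n")
    headers = {}
    for line in rest.splitlines():
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def assess_exposure(raw, scheme="http"):
    """Return finding labels for a service that answered with this response.
    `scheme` is the transport the probe used; the host in the thread answered
    on plain HTTP, so Basic credentials would travel in cleartext."""
    _, headers = parse_response(raw)
    findings = []
    for challenge in headers.get("www-authenticate", []):
        m = re.match(r'basic\s+realm="([^"]*)"', challenge, re.I)
        if m:
            if scheme == "http":
                findings.append("basic-auth-over-cleartext")
            findings.append("realm-discloses-site:" + m.group(1))
    for banner in headers.get("server", []):
        if re.search(r"\d", banner):          # a version number in the banner
            findings.append("server-version-banner:" + banner)
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append("cookie-without-secure:" + name)
        if "httponly" not in attrs:
            findings.append("cookie-without-httponly:" + name)
    return findings
```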
