www.ComputerHQ.com: A Brief Analysis

Back in January...

Prior to my client's order on the 10th of January, I had spent a little time in search of a suitable vendor. So it was that on the 7th of January, I ran the Network Tracer on www.computerhq.com. The record of that trace reveals a handful of facts of interest:

Tracing: www.computerhq.com

The IP address of ComputerHQ.com at that time is identical to its present address. This fact does not conclusively refute Joe's assertion that ComputerHQ.com was recently moved to a new server. But it shows that no major change has occurred with respect to the site's hosting arrangements.

The server responded to the Tracer's query with this enormous amount of information:

NetBIOS Remote Machine Name Table

    Name               Type         Status
    ---------------------------------------------
    CHQ-WEBSERVER  <00>  UNIQUE      Registered
    LJ             <00>  GROUP       Registered
    CHQ-WEBSERVER  <03>  UNIQUE      Registered
    CHQ-WEBSERVER  <20>  UNIQUE      Registered
    CHQ-WEBSERVER$ <03>  UNIQUE      Registered
    LJ             <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~CHQ-WEBSERVE<52>  UNIQUE      Registered
    LJ             <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-E0-18-02-15-80
    Hardware vendor code: Asustek Intel 82558-based Integrated Fast Ethernet for WIM

Error 5: You do not currently have access to this file. The file may be marked read-only, or it may be part of a shared resource such as a folder, a named pipe, a queue, or a semaphore. You can use the ATTRIB command to change the read-only attribute, or try again later when the file may be available.

In terms of security, there is a lot of information here.

First of all, we know NetBIOS is enabled on the server, a fact that by itself has many implications. Among them are:

This line is especially significant:

    CHQ-WEBSERVER  <20>  UNIQUE      Registered

It tells us that file sharing is enabled on the server. Why on Earth would that be? On a server that should hold customer records secure, this is not wise.

The only good news is this:

Error 5: You do not currently have access to this file.

... which means that when the Tracer asked, in effect, "Whatcha sharing?", the server said "I'm not telling"; probably because it wants a password.

This password requirement may not be adequate protection. If the server is unpatched, it could be vulnerable to a simple exploit that gets past NetBIOS passwords and provides access to all shared files.

These intriguing possibilities, so visibly evident, can make a server tempting bait for a cracker.

The exposure of the NetBIOS services also indicates the server is probably not behind a firewall.
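To show how much of the above can be read mechanically out of a name table like the one quoted, here is an added example (not a tool the article used) that parses nbtstat-style output and turns it into the findings a defender would list: host and workgroup names, the File Server Service entry (<20>), logged-on user names (<03> entries that are neither the host nor the machine account), the IIS marker, the master-browser role and the MAC address. The suffix meanings are the standard NetBIOS 16th-byte assignments; the sample input is the article's own table re-laid in nbtstat's column format, and it assumes the Network Tracer printed that same layout.

```python
import re

# Standard NetBIOS name suffixes (the 16th byte), keyed by (suffix, type).
# Only the suffixes seen in the article's table plus a few common ones.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (host name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("01", "GROUP"): "Master Browser (__MSBROWSE__)",
    ("03", "UNIQUE"): "Messenger Service (host, machine account, or logged-on user)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain controllers, or IIS when the name is INet~Services",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser service elections",
    ("20", "UNIQUE"): "File Server Service (file and printer sharing)",
}

ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_name_table(text):
    """Parse nbtstat-style output into (entries, mac_address)."""
    entries, mac = [], None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            suffix = suffix.upper()
            meaning = SUFFIXES.get((suffix, kind))
            if meaning is None:
                # A 16-character name leaves no room for a suffix byte; its
                # last character shows up in the <..> slot instead (0x52 = 'R').
                meaning = "unassigned suffix, possibly the 16th character of a long name"
            entries.append({"name": name, "suffix": suffix, "type": kind,
                            "status": status, "meaning": meaning})
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1).upper()
    return entries, mac


def assess(entries, mac):
    """Turn a parsed table into defender-facing findings (list of strings)."""
    findings = []
    by_key = {(e["suffix"], e["type"]): e for e in entries}
    host = by_key.get(("00", "UNIQUE"))
    hostname = host["name"] if host else None
    group = by_key.get(("00", "GROUP"))
    if hostname:
        findings.append(f"host name disclosed: {hostname}")
    if group:
        findings.append(f"domain/workgroup disclosed: {group['name']}")
    if ("20", "UNIQUE") in by_key:
        findings.append("File Server Service <20> registered: file sharing is enabled")
    for e in entries:
        # <03> UNIQUE names other than the host name and the machine
        # account (trailing '$') are the accounts of logged-on users.
        if (e["suffix"], e["type"]) == ("03", "UNIQUE") \
                and e["name"] != hostname and not e["name"].endswith("$"):
            findings.append(f"logged-on user disclosed: {e['name']}")
        if e["name"].startswith("INet~Services"):
            findings.append("INet~Services <1C> registered: IIS is installed")
    if ("1D", "UNIQUE") in by_key:
        findings.append("host is the master browser for its workgroup")
    if mac:
        findings.append(f"MAC address disclosed: {mac} (OUI {mac[:8]})")
    return findings


# The table quoted in the article, re-laid in nbtstat's column format.
SAMPLE = """\
NetBIOS Remote Machine Name Table

    Name               Type         Status
    ---------------------------------------------
    CHQ-WEBSERVER  <00>  UNIQUE      Registered
    LJ             <00>  GROUP       Registered
    CHQ-WEBSERVER  <03>  UNIQUE      Registered
    CHQ-WEBSERVER  <20>  UNIQUE      Registered
    CHQ-WEBSERVER$ <03>  UNIQUE      Registered
    LJ             <1E>  GROUP       Registered
    ADMINISTRATOR  <03>  UNIQUE      Registered
    INet~Services  <1C>  GROUP       Registered
    IS~CHQ-WEBSERVE<52>  UNIQUE      Registered
    LJ             <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-E0-18-02-15-80
"""

if __name__ == "__main__":
    entries, mac = parse_name_table(SAMPLE)
    for e in entries:
        print(f"{e['name']:<16} <{e['suffix']}> {e['type']:<7} {e['meaning']}")
    for f in assess(entries, mac):
        print("-", f)
```

Run against the sample, the script lists the eleven names with their meanings and then the findings; the <20> entry and the ADMINISTRATOR <03> entry are the two that matter most, because together they say a share service is up and which account is sitting at the console.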

COMPUTERHQ.com nameserver = FW.WEBMERCS.com

It took me some time to take notice of this line above. When I did, it finally led me to resolve a nagging question about LJ Systems.

The domain record for ComputerHQ.com shows that the name belonged to Ted Chen at that time as it does now; and it reveals what was probably a former business name used by Ted: Bay Area Micro Systems LLC.

network:IP-Network-Block: -
network:Organization;I:LJ Systems Corporation
network:State:CA
network:Country-Code:US
network:Tech-Contact;I:joe@ljsystems.com

Here we see a network address assignment showing that the IP address occupied by ComputerHQ.com is on a block of 8 addresses owned by "LJ Systems Corporation". (Which, incidentally, is not a corporation.)

Server: Microsoft-IIS/5.0

Microsoft's IIS servers have been plagued for years with a seemingly endless train of vulnerabilities. More on that later.

The 19th of June

On Tuesday the 19th, I ran another trace on www.ComputerHQ.com.

A comparison of the traces shows a slight change in DNS server arrangements, but no change of the server's address; no change in the IIS version number, but the addition of some functions. By that time, thankfully, they had disabled disclosure of the NetBIOS name table.

The data does not support Joe's statement that the website had been moved to a new server.
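The comparison just described is a baseline-drift check: parse the facts out of each trace, diff them field by field, and only then ask whether the differences are the kind a server move would produce. The following is an added example of that check, not the article's own tooling. It assumes each trace is plain text with lines shaped like those quoted above ("Server: Microsoft-IIS/5.0", "COMPUTERHQ.com nameserver = FW.WEBMERCS.com", the "NetBIOS Remote Machine Name Table" heading), plus an nslookup-style "Address:" line and an HTTP "Allow:" header; the two sample traces, the 192.0.2.10 address and the June name server are constructed, not the article's data.

```python
import re

NS_RE = re.compile(r"nameserver\s*=\s*(\S+)", re.IGNORECASE)


def parse_trace(text):
    """Extract the hosting facts the article compares from one trace."""
    facts = {"address": None, "server": None, "nameservers": set(),
             "allow": set(), "netbios_table": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Address:"):               # nslookup answer
            facts["address"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server:"):              # HTTP response header
            facts["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Allow:"):               # HTTP OPTIONS response
            facts["allow"] = {m.strip() for m in line.split(":", 1)[1].split(",")}
        elif line.startswith("NetBIOS Remote Machine Name Table"):
            facts["netbios_table"] = True             # name table was disclosed
        else:
            m = NS_RE.search(line)
            if m:
                facts["nameservers"].add(m.group(1).lower().rstrip("."))
    return facts


def compare(before, after):
    """Return (field, before, after) for every field whose value changed."""
    changes = []
    for field in ("address", "server", "nameservers", "allow", "netbios_table"):
        if before[field] != after[field]:
            changes.append((field, before[field], after[field]))
    return changes


def moved_to_new_server(before, after):
    """The article's test: a move to a new server should show up as a new
    address. DNS-server or HTTP-header changes alone are not evidence of one."""
    return before["address"] is not None and before["address"] != after["address"]


# Constructed sample traces (address and June name server are placeholders).
TRACE_JANUARY = """\
Tracing: www.computerhq.com
Address: 192.0.2.10
COMPUTERHQ.com nameserver = FW.WEBMERCS.com
Server: Microsoft-IIS/5.0
Allow: GET, HEAD, POST
NetBIOS Remote Machine Name Table
"""

TRACE_JUNE = """\
Tracing: www.computerhq.com
Address: 192.0.2.10
COMPUTERHQ.com nameserver = ns1.example.net
Server: Microsoft-IIS/5.0
Allow: GET, HEAD, POST, OPTIONS, TRACE
"""

if __name__ == "__main__":
    jan, jun = parse_trace(TRACE_JANUARY), parse_trace(TRACE_JUNE)
    for field, old, new in compare(jan, jun):
        print(f"{field}: {old!r} -> {new!r}")
    print("moved to a new server:", moved_to_new_server(jan, jun))
```

On the constructed pair the diff reports changed name servers, extra HTTP methods and the disappearance of the name table, while the address and Server header are unchanged, so the move test comes back false, which is the same reading the article gives of its two real traces.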