Domain: dshield.org
Stories and comments across the archive that link to dshield.org.
Comments · 264
-
Addendum #1/3: Partial list of DNS exploits... apk
http://www.dshield.org/diary/N...
http://www.dshield.org/diary/A...
http://www.theregister.co.uk/2...
http://yro.slashdot.org/story/...
http://www.dshield.org/diary/M...
http://www.theregister.co.uk/2...
http://www.scmagazineus.com/ne...
http://www.dshield.org/diary/S...
https://threatpost.com/en_us/b...
http://it.slashdot.org/story/1...
http://it.slashdot.org/story/1...
* "Read 'em & weep" more are coming... & that's only SOME of the exploits DNS has experienced, I don't have them all but those will do!
(Simply facts supporting my former post as I promised in it, to show the RAMPANT EXPLOITABILITY of DNS vs. my program AND WINDOWS protecting hosts perfectly...)
APK
P.S.=> You can't win, accept it... apk
-
Addendum: dozens more times... apk
More times ads have infected MILLIONS of users http://www.webroot.com/blog/20...
http://nakedsecurity.sophos.co...
http://dshield.org/diary/Malic...
http://slashdot.org/story/1964...
http://it.slashdot.org/story/1...
APK
P.S.=> Now, what's that you said about "they don't hurt that much"? They've INFECTED MILLIONS dozens of times over the past decade which I've shown evidences of ontop of those above, here http://developers.slashdot.org... & here too http://developers.slashdot.org... !!! apk
-
"Eat Your Words" (You FAILED)
Tell us: How'd they TASTE, chump -> http://www.dshield.org/forums/diary/SSH+Brute+Force/11215
http://www.dshield.org/forums/diary/SSH+brute+force+password+guessing+AKA+SShellPhishing/5047
http://www.dshield.org/forums/diary/New+odd+SSH+brute+force+behavior/11956
http://www.dshield.org/forums/diary/A+Couple+of+SSH+Brute+Force+Compromises/16228
---
"His argument is based totally on pure brute force, which nobody does." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
See above (& EAT THOSE WORDS) - They're ALL in my 1st post you REPLIED to's 2nd link - AND - EACH DEALS IN BRUTE FORCING PASSWORDS!
---
"You should read your own links moron." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
Ahem: OTHER WAY AROUND, ILLITERATE MORON (see above), lol... take your OWN shitty advice (while you eat those words, yet again, lmao!).
---
"None of your links say otherwise." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
LMAO - "Guess again": They were in the 2nd link in my original post - It's YOUR FAULT that your ILLITERATE CHUMP SELF missed them, bigmouth!
(Guess what: YOU Fail... badly!)
APK
P.S.=> Now, shut your piehole since it's NOT POLITE TO TALK WITH YOUR MOUTH FULL - & yours CERTAINLY is full... lol - FULL OF YOUR VOMIT YOU HAVE TO EAT NOW lmao - "eating your words"! - You? You should improve your diet (lol), & not even speak - you'd lose weight too since "The Fool Chatters, while the wise man listens"... quit being a fool lmao, or, you'll die of obesity related causes from your 'eating your words' diet, rotflmao - it's turning you into an inflated balloon full of "hot-air" that MUST 1 day, go 'pop', lmao... Today was that day, for you - read more closely next time & face fact: YOU did this, to yourself - "Ya got played - ya played yerself", lol...
... apk
-
You're the STUPID one (eat your words)
Tell us: How'd they TASTE, chump -> http://www.dshield.org/forums/diary/SSH+Brute+Force/11215
http://www.dshield.org/forums/diary/SSH+brute+force+password+guessing+AKA+SShellPhishing/5047
http://www.dshield.org/forums/diary/New+odd+SSH+brute+force+behavior/11956
http://www.dshield.org/forums/diary/A+Couple+of+SSH+Brute+Force+Compromises/16228
---
* CLUE/New News/NewsFlash (for your illiterate big-mouth dull brain):
"His argument is based totally on pure brute force, which nobody does." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
See above (guess again & EAT THOSE WORDS) - They were ALL in my 1st post you REPLIED to's 2nd link - AND - EACH DEALS IN BRUTE FORCING PASSWORDS!
---
"You should read your own links moron." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
Ahem: OTHER WAY AROUND, ILLITERATE MORON (see above), lol... take your OWN shitty advice (while you eat those words, yet again, lmao!).
---
"None of your links say otherwise." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
LMAO - "Guess again": They were in the 2nd link in my original post - It's YOUR FAULT that your ILLITERATE CHUMP SELF missed them, bigmouth!
(Guess what: YOU? Fail... badly!)
APK
P.S.=> Now, shut your piehole since it's NOT POLITE TO TALK WITH YOUR MOUTH FULL - & yours CERTAINLY is full... lol - FULL OF YOUR VOMIT YOU HAVE TO EAT NOW!
... apk
-
"Nobody does 'brute forcing'", eh?
"His argument is based totally on pure brute force, which nobody does." - by man_of_mr_e (217855) on Friday October 18, 2013 @09:59AM (#45164093)
WRONG: They've been doing it for AGES & still do -> http://www.dshield.org/diary/Low%2C+slow%2C+distributed+SSH+username+brute+forcing/5114
( E.G.-> Here's 30++ more just to "start the show" -> http://www.dshield.org/search.html?q=brute+force ranging from 2 months ago, up to 3++ yrs. ago, no less - so much for YOUR b.s.!)
---
PERTINENT QUOTE/EXCERPT:
"Koos writes in with some logs of distributed SSH scanning with the following characteristics. Usernames are being brute forced starting at "aaa" and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there was only 20 total attempts per hour."
---
* For BOTH usernames AND password cracking, + more - & that's from 2008 - Want more current examples to go with it? Just ask...
APK
P.S.=> Before you "talk out of your ass" again, putting down your betters while you were @ it? Get your facts straight - in fact - brute force gets used when dictionary attacks fail, nearly every time...
... apk
-
Share your logs with the community
Join and contribute ssh/firewall logs to DShield or another collaboration system so that others can benefit from the information you are collecting.
If you want to report unwanted activity against your network your ISP may be able to help. Try opening a ticket with their Abuse team.
-
Report it to DShield.org
"Random" attacks can be reported to DShield.org . They have a number of scripts to automatically submit firewall logs (including from Linux firewalls). See http://www.dshield.org/howto.html . Once set up, it just "runs" and DShield aggregates the data, uses it for research and reports worst offenders to ISPs and other contacts.
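Both this comment and the "lookup your subnet at dshield" comment further down come back to the same raw material: the firewall's own log. The block below is an added example written for this page (it is not DShield's client script and does not reproduce DShield's submission format): it parses iptables LOG lines as syslog writes them, keeps only unsolicited inbound packets from non-local sources, emits one row per packet in a layout of its own, and answers the "do any of my own addresses show up as sources" question. The sample lines, the host name gw, the log prefix IPT-DROP and the year 2013 are constructed; the local-range list is this example's choice.

```python
"""Turn iptables LOG lines from a Linux firewall into something shareable:
parse, keep only unsolicited inbound packets from non-local sources, emit one
row per packet, and check which of your own addresses appear as sources.
Added example for this page, not DShield's client scripts; the sample lines
are constructed and the row layout is this example's own."""
import ipaddress
import re
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
Oct 18 10:15:32 gw kernel: IPT-DROP: IN=eth0 OUT= MAC=00:16:3e:01:02:03:00:50:56:aa:bb:cc:08:00 SRC=198.51.100.10 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41234 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 18 10:15:33 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.10 DST=192.0.2.1 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41235 DPT=23 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 18 10:16:07 gw kernel: [ 8123.551] IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=55020 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 18 10:16:40 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TTL=48 ID=0 DF PROTO=TCP SPT=80 DPT=51000 WINDOW=0 RES=0x00 ACK RST URGP=0
Oct 18 10:17:02 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 LEN=84 TTL=57 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Oct 18 10:17:30 gw kernel: IPT-DROP: IN=eth1 OUT= SRC=192.168.1.50 DST=192.0.2.1 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=33000 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Oct 18 10:18:11 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.10 DST=192.0.2.1 LEN=404 TTL=52 ID=0 DF PROTO=UDP SPT=1040 DPT=1434 LEN=384
Oct 18 10:19:45 gw kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.1 LEN=60 TTL=44 ID=0 DF PROTO=TCP SPT=60001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", optional "[ uptime]", free-text prefix, then key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[\s*[\d.]+\] )?"
    r"(?P<prefix>.*?)\s*(?P<kv>IN=.*)$")

# Ranges that never belong in a shared report. The documentation ranges used in
# the sample (192.0.2/24, 198.51.100/24, 203.0.113/24) stand in for public space.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_iptables_line(line, year=2013):
    """Parse one LOG line into a dict, or None if it is not a firewall log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    kv, flags = {}, set()
    for tok in m["kv"].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k] = v
        else:
            flags.add(tok)        # bare tokens are flags: SYN, ACK, RST, DF, ...
    if "SRC" not in kv or "DST" not in kv:
        return None
    return {"ts": datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
            "prefix": m["prefix"].rstrip(": "),
            "src": kv["SRC"], "dst": kv["DST"], "proto": kv.get("PROTO", "?"),
            "spt": int(kv["SPT"]) if "SPT" in kv else None,
            "dpt": int(kv["DPT"]) if "DPT" in kv else None,
            "flags": flags}


def parse_log(text, year=2013):
    return [r for r in (parse_iptables_line(l, year) for l in text.splitlines()) if r]


def reportable(records):
    """Drop local-source packets and TCP packets that are not fresh connection
    attempts (no SYN, or SYN+ACK): internal noise and backscatter are not
    attacks worth sharing."""
    kept = []
    for r in records:
        src = ipaddress.ip_address(r["src"])
        if any(src in net for net in LOCAL_NETS):
            continue
        if r["proto"] == "TCP" and ("SYN" not in r["flags"] or "ACK" in r["flags"]):
            continue
        kept.append(r)
    return kept


def report_rows(records):
    """One tab-separated row per packet: time, src, sport, dst, dport, proto."""
    port = lambda p: "" if p is None else str(p)
    return ["\t".join([r["ts"].isoformat(sep=" "), r["src"], port(r["spt"]),
                       r["dst"], port(r["dpt"]), r["proto"]]) for r in records]


def top_sources(records, n=10):
    return Counter(r["src"] for r in records).most_common(n)


def targeted_ports(records):
    return Counter((r["proto"], r["dpt"]) for r in records)


def sources_in_network(records, cidr):
    """The 'look up your own subnet' check: log sources that fall inside cidr."""
    net = ipaddress.ip_network(cidr, strict=False)
    return sorted({r["src"] for r in records if ipaddress.ip_address(r["src"]) in net})
```

Run as `python3 fwlog.py` after adding a call such as `print("\n".join(report_rows(reportable(parse_log(SAMPLE_LOG)))))`; on the sample, the ACK/RST backscatter line and the 192.168.1.50 line are filtered out, 198.51.100.10 is the top source with three packets, and `sources_in_network(..., "198.51.100.0/24")` returns the two addresses from that range. Two things the filter deliberately does not decide for you: whether your own public range should also be excluded before submission, and whether UDP and ICMP from a given source are a scan or a misconfigured peer; both need a look at the aggregate, not the single packet.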
-
Re:Yes, why post this?
https://secure.dshield.org/diary.html?storyid=4133
The specific implementation is: Checkpoint disk encryption with Windows Integrated Login and pre-boot authentication disabled. I know for a fact that this is widely deployed in very large organizations, and that it can be bypassed with memory alteration attack (to get around Windows login).
-
Re:Go install fail2ban
While it's been pointed out that fail2ban isn't effective against this particular attack, I wanted to point out a similar utility called BruteForceBlocker.
It was written as a reactive firewall that parses pf logs on OpenBSD and FreeBSD (pf is "the iptables of BSD"). The coolest feature IMO is that it's a community effort, in that each participating host can elect to share its logs with a centralized server. That server then publishes a list of recently reported SSH attackers which you can script into your firewall rules, even if you aren't running the client. It's like a Vipul's Razor for SSH bruteforce reports.
Since I still use ipfw instead of pf on FreeBSD, I rolled my own implementation, but it still contributes back to the master database of recent attackers.
As an aside, for those who aren't familiar with DShield, it's a community effort where thousands of people submit their IDS logs to create aggregate statistics about intrusion attempts worldwide. And if you happen to run FreeBSD with ipfw as your firewall, check out FreeBSDShield, my DShield reporting client for FreeBSD.
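The ISC diary quoted earlier on this page ("Usernames are being brute forced starting at 'aaa' and incremented ... under the banning thresholds") and this comment's point that fail2ban-style per-source banning does not catch that attack describe the same gap. The block below is an added example for this page, not code from fail2ban, BruteForceBlocker or the diary: it runs a per-source ban rule and an all-sources aggregate over the same sshd failures. The log lines are constructed, the host name bastion and the year 2013 are made up, and the thresholds (5 failures in 10 minutes per source; 10 attempts from 5 sources with a 5-name incrementing run per hour) are assumptions, not any tool's defaults.

```python
"""Two views of the same sshd failures: a per-source ban rule (the model
fail2ban and BruteForceBlocker use) and an aggregate view across all sources,
which is what catches a distributed, under-threshold username scan.
Added example for this page; log lines constructed, thresholds assumed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Lines 1-10: one attempt each from 10 different sources inside one hour,
# usernames incremented aaa, aab, aac, ... as in the diary. Lines 11-15: an
# ordinary single-source burst against "root", the case per-IP banning handles.
SAMPLE_LOG = """\
Oct 18 09:00:01 bastion sshd[2101]: Invalid user aaa from 198.51.100.10 port 40001
Oct 18 09:05:37 bastion sshd[2102]: Invalid user aab from 198.51.100.23 port 40002
Oct 18 09:11:12 bastion sshd[2103]: Invalid user aac from 203.0.113.5 port 40003
Oct 18 09:16:50 bastion sshd[2104]: Invalid user aad from 203.0.113.77 port 40004
Oct 18 09:22:02 bastion sshd[2105]: Invalid user aae from 198.51.100.41 port 40005
Oct 18 09:27:45 bastion sshd[2106]: Invalid user aaf from 192.0.2.130 port 40006
Oct 18 09:33:19 bastion sshd[2107]: Invalid user aag from 203.0.113.201 port 40007
Oct 18 09:38:58 bastion sshd[2108]: Invalid user aah from 198.51.100.88 port 40008
Oct 18 09:44:33 bastion sshd[2109]: Invalid user aai from 192.0.2.44 port 40009
Oct 18 09:50:07 bastion sshd[2110]: Invalid user aaj from 203.0.113.19 port 40010
Oct 18 10:30:00 bastion sshd[2201]: Failed password for root from 192.0.2.9 port 51000 ssh2
Oct 18 10:30:21 bastion sshd[2202]: Failed password for root from 192.0.2.9 port 51001 ssh2
Oct 18 10:30:44 bastion sshd[2203]: Failed password for root from 192.0.2.9 port 51002 ssh2
Oct 18 10:31:05 bastion sshd[2204]: Failed password for root from 192.0.2.9 port 51003 ssh2
Oct 18 10:31:29 bastion sshd[2205]: Failed password for root from 192.0.2.9 port 51004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Invalid user|Failed password for(?: invalid user)?) "
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port")


def parse_sshd_log(text, year=2013):
    """(timestamp, username, source ip) per failed attempt, oldest first.
    syslog carries no year, so one is supplied (assumed 2013 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def per_source_bans(events, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban a source after `maxretry` failures inside
    `findtime`. Each source in the distributed scan fails only once, so none
    of them ever reaches the threshold."""
    recent, banned = defaultdict(deque), set()
    for ts, _user, ip in events:
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned.add(ip)
    return banned


def next_username(name):
    """Increment a lowercase name the way the scanner did: aaa -> aab, aaz -> aba."""
    chars = list(name)
    for i in range(len(chars) - 1, -1, -1):
        if chars[i] != "z":
            chars[i] = chr(ord(chars[i]) + 1)
            return "".join(chars)
        chars[i] = "a"
    return "a" + "".join(chars)   # all z's: roll over to one more character


def longest_increment_run(usernames):
    """Length of the longest run of consecutive, incremented usernames."""
    best = run = 1 if usernames else 0
    for prev, cur in zip(usernames, usernames[1:]):
        run = run + 1 if cur == next_username(prev) else 1
        best = max(best, run)
    return best


def aggregate_by_hour(events):
    """Per clock hour, across all sources: attempts, distinct sources and the
    longest incrementing-username run. Keys are "YYYY-MM-DD HH:00" strings."""
    buckets = defaultdict(list)
    for ts, user, ip in events:
        buckets[ts.strftime("%Y-%m-%d %H:00")].append((user, ip))
    return {hour: {"attempts": len(evs),
                   "sources": len({ip for _, ip in evs}),
                   "increment_run": longest_increment_run([u for u, _ in evs])}
            for hour, evs in sorted(buckets.items())}


def distributed_bruteforce_hours(stats, min_attempts=10, min_sources=5, min_run=5):
    """Hours that look like a coordinated scan: many attempts, many sources,
    and a sequential username pattern no single per-IP jail would notice."""
    return [hour for hour, s in stats.items()
            if s["attempts"] >= min_attempts and s["sources"] >= min_sources
            and s["increment_run"] >= min_run]
```

On the sample, `per_source_bans` returns only 192.0.2.9 (the root burst), while `distributed_bruteforce_hours(aggregate_by_hour(events))` flags the 09:00 hour: ten attempts, ten sources, a ten-name incrementing run, and not one source over the ban threshold. The diary's numbers (216 attempts from 138 addresses over 32 hours, at most 20 per hour) fit the same shape. The aggregate view is also the one worth contributing to a shared list, since a single host sees each scanning address only once.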
-
Why is Slashdot quoting Time about Cybersecurity?
Shouldn't it be the other way around?
There's nothing of substance in the article.
My guess is this was related to the MPACK issue, but us nerds knew about that over the geekend. -
Re:Low cost + high payoff.
And the last virus batch I received was a zip file, password protected. This required the user to unzip, enter a password, and then execute.
http://www.dshield.org/diary.html?storyid=2612
They already require the user to go through the steps you suggest, and they ARE DOING IT!
It's not just the OS, it is the USERS. -
Re:First Pwndst
IE7 on Vista is protected, but what about Vista Mail? Dshield lists Vista as being vulnerable, even when it's set to read as plaintext:
http://www.dshield.org/indexd.html -
quote is wrong
http://www.dshield.org/ collaboratively collected ip addresses that were showing up in log files. At first you could search broadly but probably due to the various worms with backdoors such as CodeRed, they switched it to just looking up 1 ip address at a time.
-
Good but could be improved
While OSSEC HIDS looks like the beginnings of a good solution (aside from the name - sheesh - sounds like a sneeze) I'd like to see integration of projects like DShield.org and maybe some community-maintained updates for rootkit definitions and such. APF/BFD does this - why not OSSEC HIDS?
Gesundheit. -
Unregistering DLL "not foolproof"
From the http://handlers.dshield.org/jullrich/wmffaq.html article, I noticed this comment:
"Will unregistering the DLL (without using the unofficial patch) protect me?
It might help. But it is not foolproof. We want to be very clear on this: we have some very strong indications that simply unregistering the shimgvw.dll isn't always successful. The .dll can be re-registered by malicious processes or other installations, and there may be issues where re-registering the .dll on a running system that has had an exploit run against it allowing the exploit to succeed. In addition it might be possible for there to be other avenues of attack against the Escape() function in gdi32.dll. Until there is a patch available from MS, we recommend using the unofficial patch in addition to un-registering shimgvw.dll." -
Why honeypots? Use DShield!
This is a fine idea, and one that could be done at little cost save for the 'global honeypot network' part. Why not use info from an existing distributed log source like Dshield?
-
lookup your subnet at dshield
www.dshield.org maintains a database of sources of malicious network traffic. Many organizations submit firewall logs to dshield, so they have a pretty good global view of who the bad apples are on the network. For anyone who administers network connected machines, it's a good idea to periodically look up your IP(s) or subnet(s), and see if anyone has generated any complaints about any of your own boxes.
Caveat: This will probably only identify the most egregious zombies, and only the ones that are doing things that firewalls can identify as malicious. Just because your IPs don't show up on dshield, doesn't mean they aren't zombies.
Mynetwatchman is a similar service, there may be others as well.
-
Re:In other words...
You moderators may think that's funny, but there's more than a grain of truth in there. The current estimate by the ISC's DShield for how long it takes for a random computer to get infected after it's connected to the Internet is 26 minutes.
Think about that for a moment... and then ask yourself why we actually take this for granted instead of suing Microsoft into oblivion. Would a car company get away with cars breaking down on real-life roads an average 26 minutes after they're purchased? The thought is totally ridiculous, yet we accept the same from Microsoft. Why? -
Re:List for the Lazy?
Take a look here for a list that's created by the automated dshield database...
DShield.org Top-10 block list -
Hmm...
Hmm. According to that database, my current IP has two traits: one, it has never been used to send spam etc. (as far as they know); and two, it is "suspicious".
Makes you wonder. If nothing ever came from this IP, then shouldn't it be "unsuspicious" or something like that (or at least "unknown")?
That being said, I wouldn't really trust a company, whose prime motivation is to make money, with things like this anyway. There's already DShield, which is a community effort, so what do we need this for? -
Mostly Business as usual...
I guess someone over at ISC had to blow the dust off the colo(u)r sensor (grins), but seriously, not much on the radar to panic anyone right now. Still, if you aren't awake you really ought to add ISC to your morning newspaper (wakeup + gallon of coffee) along with some others, so for the sake of people who don't grok the need to be aware (but: go read doug adams and don't panic as well!):
Here goes: (sometimes costs me an hour in the morning, but it's worth the effort...).
http://www.dshield.org/ http://secunia.com/ http://vitalsecurity.org/ http://www.f-secure.com/weblog/ - gossip and just plain fun (cough) dilbert (cough).
(many others, but i'm tooo lazy on a sunday morning to write em...).
Oh, and be sure to replace the windows task manager with the wonderful (process explorer)
over at the always splendid Mark Russinovich's sysinternals.com (it'll save you when your friends machine gets pwn3d). (hint: it shows tcp/ip connections so you can see if ET is phoning home).
Finally, no list would be complete without a pointer to "comp.risks" (google groups ok?). Laugh. It helps...
cheers all,
Andy. -
DShield Discussion
A similar article by zdnet.co.uk was brought up a few days ago on the DShield discussion list. One choice quote is from Johannes Ullrich, a member of the SANS Internet Storm Center and the developer of DShield:
We do receive reports from about 500-700k IP addresses each day. Including the full list would be hard (or make for a very large worm). In addition, many of these IPs are dynamic, so you have to exclude networks rather than individual IPs.
To put it down bluntly: If every IP is a sensor, there is nobody left to attack ;-)
For those of you who don't know, DShield is precisely one of the 'early-warning sensor' networks the article is talking about. -
Re:What is this stuff *for* anyway?
Let me add to that. I keep track at the following sites:
http://rssnewsapps.ziffdavis.com/tech.xml
http://www.microsoft.com/technet/security/bulletin/secrss.aspx
http://www.mozilla.org/news.rdf
http://feeds.dshield.org/news.xml
http://www.sans.org/newsletters/newsbites/rss/
http://www.sophos.com/virusinfo/infofeed/tenalerts.xml
You can get the OPML of my feed list at http://www.shokk.com/opml.opml -
This is all about Windows
This is just a report about the general issue that all USB drivers have to be secure or a hardware device can be made to exploit the machine.
There are many specifications (IPv4 springs to mind) that weren't designed with security in mind. It's the responsibility of the OS writers to design their OS to handle such insecurities. There's nothing in the USB specs that says that the OS must run the USB driver at ring 0.
It is in no way about Windows, but actually about any operating system that implements USB.
The article gives two specific cases:
1. The ability to unlock locked systems (say, while the user is at lunch). This gives far more than just owning a system physically. You now have access to all of their network privileges and everything else that relies on their single-sign on accounts. This is meaningless to Joe home user or most small businesses, but vastly significant to enterprise level situations. With physical access to my work Windows desktop, you could gain access to some e-mail and word processing. With access to my system logged in as me on the Active Directory, you would have access to my AD OU, networked drives, SSO enabled applications, etc. See the difference?
2. A USB drive that automagically copies the last used files onto a flash drive. The ability to subtly plug a drive in and retrieve it later opens all kinds of espionage capabilities.
it is not really worse than just inserting a boot CD that copies the relevant data to a secure server or so.
Beyond the statements I made above, rebooting a system in a secured environment can easily trigger monitoring systems' alerting capability.
It can also of course easily be fixed by disallowing loading of USB drivers without confirmation from the user.
For anyone interested, here are instructions on how to (theoretically) disable USB entirely under Windows. Note that I've not tried the above process described, so it may or may not work. And another one discussing how to disable USB storage devices, although that may not be enough to prevent the exploit in question from working. -
Re:Highly annoying
You might want to consider DShield -- it works very nicely once scripts are set up to download fresh lists and upload filtered logs for redistribution. Plus, it's free.
-
Re:I hope they invite the DShield guy
DShield is apparently used to throwing hundreds of false positives, making the tool useless for actual production work.
I just checked my IP, and it says my IP appears 413 times in the db as an "attacker", which is utter garbage, since I run a very tightly locked-down Linux/FreeBSD farm behind that IP, and no "attacker" put any trojans on the boxes. Every single installed package matches the checksum that came with it.
Looks like they need to fix their tool a bit.
-
I hope they invite the DShield guy
I can't find it on his site, but the guy who runs DShield was under a DDOS attack a few years ago and he managed to crack into the IRC channel the attacker used to control his bot network.
Apparently the attacker about crapped his drawers when instead of the usual bot replies to his commands an actual person started talking to him in his IRC channel.
http://dshield.org/
-
most attacks not spoofed
These days it's pretty hard to spoof a TCP connection. UDP, ICMP or some weird, rare connectionless protocol, sure.
But if they are loading a page over and over via HTTP like in a recent massive DDoS (http://www.dshield.org/pipermail/intrusions/2005-January/008739.html)
you can be sure that the zombies' source IP is what it says it is. These days zombies are not worth the trouble of hiding, anyway.
I wouldn't retaliate, but I would especially not retaliate unless the completed TCP handshake gave me assurance the source wasn't spoofed.
-
Re:RBL of infected/malicious sites?
How about this?
http://dshield.org/block_list_info.php
-
Re:Overpriced
While there are plenty of good reasons to have an all-in-one little box that does this, I like my current Linux box setup for flexibility, like running a dynamic DNS client on the router or a script to do DShield reports. Anyway, you can do all the QoS stuff pretty easily even if you are fairly new to Linux. Just install your favorite Linux distro, use the Shorewall firewall, grab the Wondershaper, and follow these directions to adjust the shaper to your needs, like lowest priority for BitTorrent and FTP and highest priority for SSH, HTTP, and your games. It's probably free if you have an old box laying around too.
-
Re:Doesn't it seem a bit odd...
Your DNS does not have it cached for nslookup. According to DShield it resolves to hell.pl
See?
Ping hell.pl and then do an nslookup. It will work then.
-
Re:It's called a hardware NAT router
Hear Hear!
cynical side notes:
There is no technical reason why I should not be able to walk into CompUSA, ask for a computer that by design doesn't "get viruses" and not get laughed at. The Orange Book described what a secure computer system should look like, Multics shows what a secure OS and computer system look like in reality... and they did so thirty f$%#ing years ago! (Also the Morris worm was in 88.) There is only one conclusion possible: everyone who can fix these problems once and for all has been abducted by aliens for twenty years now and no one noticed... or whatever. Their excuse better be good! The fact that no one goes into CompUSA to ask for a computer that does not spend most of its time spreading worms and DDoS might also be a small factor. This is of course not going to change until the reporting on computer security moves on from spreading Symantec FUD to doing real reviews of the stuff on the market. This would interfere with the megahurts/marchitecture "benchmarks" though...
To be fair, this report isn't all bad. It has the usual vaguely defined growing graphs, percentages only, no absolute numbers and everything "Source: Symantec Corporation". You won't find those in honeynet and SANS data and analysis. Being duct tape salesmen, the Symantecs of this world need their FUD...
However, towards the end the report has some real data from what looks like an impressive honeynet. You will have to go through the usual "number of reported vulnerabilities" graphs comparing Mozilla and Internet Explorer first though.
-
Re:Why aren't governments proacting against these n
and at least notify the owners of these machines?
Something like that already exists.
Feel free to contact any of the infected and cross them out.
-
Boy, I can't *wait* for the zombie armies on Fios
I hope that Verizon decides to start kicking the spammers off their network, because I shudder to think what one of them could do with that sort of bandwidth. That's not the only problem, either. I can only imagine the fun kiddies will have with armies of cracked computers on Fios connections. Verizon certainly doesn't care. Perhaps the damaged caused by drone armies on higher speed connections will result in enough backlash to make Verizon become part of the solution for a change...
-
dshield
It's also a good idea to look your IP up on DShield. They aggregate firewall logs from many sources. If your IP is causing someone trouble, it is likely to show up there. Another similar service is MyNetWatchman.
-jim
-
oh yes,
Yep, have gotten them all over. From my home ADSL line and on friends' ADSL lines as well, to the server at work (where the firewall redirects them to our fake server).
The graph at DShield reflects very well when I started seeing it (in the middle of July).
-
Re:Ignoring it == raising criminals
Isn't that what DShield does?
-
Use a STICKY honeypot or tarpit that reports
A sticky honeypot (a.k.a. tarpit) can greatly slow down the scanners instead of giving them something supposedly useful (they think) that a "regular" honeypot would do. There's a LaBrea page on SourceForge.
I ran a tarpit under OpenBSD at a large university to protect our subnet. Hardly any department's subnet was protected--fair game to any outside crackers/scanners (or inside zombies). We put LaBrea tarpit on the first (x.x.x.1) address so all scanners got tripped up at our very first address, for hours or sometimes days at a time!
Want to automatically report the offending IP addresses to their ISPs? Check out DShield and their free FightBack program where they notify the ISPs--not you. See some FightBack results.
There are scripts and clients to report the intrusion logs collected from dozens of IDSs, firewalls, routers and log utilities (e.g. Snort, Linksys routers, IPCHAINS, LaBrea). DShield has Linux and UNIX Client Scripts, as well as Windows Clients.
If the script kiddie/scanners are automatically trying to break in, why not automate the abuse reporting, too? Even if the scanner is a cracked zombie, at least they could be notified--could lead to them securing their machine(s).
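As an added illustration of the aggregation the reporting clients above feed into, and of why a single IP can rack up many "attacker" hits (see the false-positive complaint in the "I hope they invite the DShield guy" thread), here is a small parser for iptables-style firewall log lines that counts hits per source and flags only sources probing several distinct ports. This is example code written for this page, not DShield's client scripts; the log lines are constructed and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG format (not real traffic).
# 198.51.100.7 walks several ports (scanner-like); 192.0.2.33 just retries
# port 80, the kind of traffic that inflates hit counts without being an attack.
SAMPLE_LOG = """\
Jul 14 02:11:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=40211 DPT=22 SYN
Jul 14 02:11:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=40212 DPT=23 SYN
Jul 14 02:11:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=40213 DPT=445 SYN
Jul 14 02:11:06 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP SPT=40214 DPT=1433 SYN
Jul 14 02:12:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.1 PROTO=TCP SPT=51000 DPT=80 SYN
Jul 14 02:12:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.33 DST=203.0.113.1 PROTO=TCP SPT=51001 DPT=80 SYN
Jul 14 02:13:00 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=203.0.113.1 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

def parse_log(text):
    """Yield (src, dst, proto, dpt) per matching line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"]) if m["dpt"] else None

def summarize(text):
    """Per source IP: (total hits, sorted list of distinct destination ports)."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for src, _dst, _proto, dpt in parse_log(text):
        hits[src] += 1
        if dpt is not None:
            ports[src].add(dpt)
    return {src: (hits[src], sorted(ports[src])) for src in hits}

def likely_scanners(text, min_ports=3):
    """Sources that touched at least min_ports distinct ports: one host probing
    many services is the pattern worth reporting, not a high raw hit count."""
    return sorted(src for src, (_n, ports) in summarize(text).items()
                  if len(ports) >= min_ports)

if __name__ == "__main__":
    for src, (n, ports) in summarize(SAMPLE_LOG).items():
        print(f"{src}: {n} hits, ports {ports}")
    print("likely scanners:", likely_scanners(SAMPLE_LOG))
```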