Domain: insecure.org
Stories and comments across the archive that link to insecure.org.
Comments · 492
-
Quake backdoor
I learned backdoors are stupid ~20 years ago when Id Software put a backdoor in Quake. http://insecure.org/sploits/qu...
-
Sourceforge Hijacks the Nmap Sourceforge Account
Because /. editors seem to have inconvenient holidays I'll just spam this topic with the behaviour of their mother company:
From http://seclists.org/nmap-dev/2...:
From: Fyodor
Date: Wed, 3 Jun 2015 00:56:23 -0700
Hi Folks! You may have already read the recent news about Sourceforge.net
hijacking the GIMP project account to distribute adware/malware.
Previously GIMP used this Sourceforge account to distribute their Windows
installer, but they quit after Sourceforge started tricking users with fake
download buttons which led to malware rather than GIMP. Then Sourceforge
took over GIMP's account and began distributing a trojan installer which
tries to trick users into installing various malware and adware before
actually installing GIMP. Of course this goes directly against Sourceforge
CEO Michael Schumacher's promise less than two years ago:
"we want to reassure you that we will NEVER bundle offers with any project
without the developers consent"
--http://sourceforge.net/blog/advertising-bundling-community-and-criticism/
So much for that promise! Anyway, the bad news is that Sourceforge has
also hijacked the Nmap account from me. The old Nmap project page is now
blank: http://sourceforge.net/project...
Meanwhile they have moved all the Nmap content to their new page which only
they control: http://sourceforge.net/project...
You can see at the top that the owners of the Nmap page are now
'sf-editor1', and 'sf-editor3'. You can click on those to see other
projects they have hijacked.
So far they seem to be providing just the official Nmap files (as long as
you don't click on the fake download buttons) and we haven't caught them
trojaning Nmap the way they did with GIMP. But we certainly don't trust
them one bit! Sourceforge is pulling the same scheme that CNet
Download.com tried back when they started circling the drain: http://insecure.org/news/downl...
We will ask Sourceforge to remove the hijacked Nmap page, but more
importantly we want to reiterate that you should only download Nmap from
our official SSL Nmap site: https://nmap.org/download.html
If you don't trust SSL by itself (and we don't blame you), you can also
check the GPG signatures: https://nmap.org/book/install...
Cheers,
Fyodor
PS: Ars Technica has a good article about the Sourceforge/GIMP fiasco:
http://arstechnica.com/?p=6734...
PPS: Sourceforge now claims they will stop trojaning software without the
developer's permission, but they've broken that exact promise before.
-
Smashing the Stack
-
CNet is lying...
Scroll down to the update section: http://insecure.org/news/download-com-fiasco.html
-
Re:Perfect american corporate business practice
But they didn't do anything illegal. They're basically just using their own download application that comes with extra stuff.
Yes, but Download.com still assures users that they will never bundle that "extra stuff". Their Adware & Spyware Notice says:
In your letters, user reviews, and polls, you told us bundled adware was unacceptable--no matter how harmless it might be. We want you to know what you're getting when you download from CNET Download.com, and no other download site can promise that.
Also, they make it look like a download link for the real installer (which it used to be), and then the user gets this CNET crap. But they still used our name liberally in the trojan installer as if we were somehow responsible for or involved in this abomination. I've got screen shots on my Download.com fiasco page.
Also, this "apology" rings hollow because they aren't fixing the problem along with it. In particular:
1) He claims that bundling malware with Nmap was a “mistake on our part” and “we reviewed all open source files in our catalog to ensure none are being bundled.” Either that is a lie, or they are totally incompetent, because tons of open source software is still being bundled. You can read the comments below his post for many examples.
2) Even if they had removed the malware bundling from open source software, what about all of the other free (but not open source) Windows software out there? They shouldn't infect any 3rd party software with sketchy toolbars, search engine redirectors, etc.
3) At the same time that Sean sent the “apology” to users, he sent this very different note to developers. He says they are working on a new expanded version of the rogue installer and “initial feedback from developers on our new model has been very positive and we are excited to bring this to the broader community as soon as possible”. He tries to mollify developers by promising to give them a cut (“revenue share”) of the proceeds from infecting their users.
4) You no longer need to register and log in to get the small (non-trojan) “direct download” link, but the giant green download button still exposes users to malware.
5) The Download.Com Adware & Spyware Notice still says “every time you download software from Download.com, you can trust that we've tested it and found it to be adware-free.” How can they say that while they are still adding their own adware? At least they removed the statement from their trojan installer that it is “SAFE, TRUSTED, AND SPYWARE FREE”.
-
Re:DPRK ip block info...
Nothing really interesting there. It's an SMTP server. Those JUST GUESSING entries are what other nmap users submitted to the nmap website:
http://insecure.org/cgi-bin/submit.cgi?corr-os
-
Another Option
Might I suggest a tutorial and a simulator...maybe an LC-3 simulator and stack smashing exercise to demonstrate a method of exploiting poorly written code? See the well written document Smashing the Stack for Fun and Profit.
-
got this from Fyodor's Good Reading List
http://www.insecure.org/stf/scoville_unix_as_literature.txt Sums up my feelings very nicely. Sure the GUI is good for some things, but after hours it leaves me lacking in understanding, since I have been essentially reacting to my computer instead of telling it what I want it to do.
-
Who said Linux is impervious to malware?
I could nit-pick your grammar, but is this overall claim based in empirical research? Linux certainly has its flaws and while it's not susceptible to WINDOWS malware, it certainly is to a variety of others. Perhaps take a look at http://insecure.org/ or http://www.packetstormsecurity.org/. Both of these sites maintain lists of exploits to various versions of Linux and many other types of GNU software as well. Rootkits most generally fall into the realm of 'malware' and once you've got root, baby, you've got the world.
-
Re:What's the big deal?
Um... it's a LAPTOP. In an AIRPORT. Won't be running a web server, or any other common "server" on this puppy. I don't even have the software loaded.
I have run nmap against it (and do so occasionally) when running the limited software I use. Passes:
[user@ariel bin]$ nmap 192.168.1.16
Starting Nmap 4.52 ( http://insecure.org/ ) at 2009-07-19 14:34 EDT
All 1714 scanned ports on ariel.lan (192.168.1.16) are closed
Nmap done: 1 IP address (1 host up) scanned in 0.230 seconds
[user@ariel bin]$ nmap localhost
Starting Nmap 4.52 ( http://insecure.org/ ) at 2009-07-19 14:34 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 1713 closed ports
PORT STATE SERVICE
631/tcp open ipp
Nmap done: 1 IP address (1 host up) scanned in 0.195 seconds
[user@ariel bin]$
This is with all application software I use running -- nothing there.
My servers? Dedicated SEPARATE firewall. All I'm saying is that mandating firewall SOFTWARE is kind of silly for most rational users. I don't even have the kernel module for firewalling loaded on this system.
-
Re:Open Source Competitors
OMG... it's fyodor!
Praise the almighty creator of nmap !!!
-
Re:Naptha all over again
Can you guarantee that the fix will be rolled out to everyone at the same time?
The fix has already been rolled out long ago.
Do you know what the fix is? Source address level filtering. It's that simple.
This attack is less of a threat than SYN flooding attacks, because the attacker's address can't be spoofed. More information from Fyodor.
-
Nmap 4.85BETA5 just released
I'm happy to report that we've just released Nmap 4.85BETA5 with Conficker detection so you can do that scan! The actual recommended command is:
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org.
-Fyodor
-
Good argument to use: the "Ping O' Death" incident
The "Ping O' Death" was a glitch that affected a lot of operating systems-- every single UNIX-like, Mac System 7, Windows 95, Netware, DOS, and others. Even embedded devices like routers, scanners, and printers were susceptible. Basically, if you sent an IP address a "ping" packet that was larger than the legal size, whoever had that IP address would experience anything from a graceful reboot to an instant kernel panic or BSOD. There was a patch available for Linux only 2 hours, 35 minutes, and 10 seconds after an alert was posted to the mailing list. It took months for Microsloth to get its act together and fix the bug. During that time, pranksters had endless fun crashing computers with the click of a button. http://insecure.org/sploits/ping-o-death.html
-
Learn about security to get good web security
You can start here:
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/principles/358-BSI.html
And for specifically for web apps:
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/assembly/639-BSI.html
Then you frighten yourself by playing with the toys here:
-
Re:Nope. Never.
There was also the Stealing the Network series of short stories. I've only read the two short stories by Fyodor, the author of Nmap who released them free at http://insecure.org/stc/sti.html and http://insecure.org/stc/. Quite enjoyed the first one. Not exactly well written from a literature point of view, but still interesting to read.
-
Shameless promotion
Who would have thought this day would come: promoting nmap using the Surfaris
;)
Let me add a minor correction to the description: "The 1962 song Wipe Out, with its energetic drum solo started, was the impetus for many people to take up playing the drums. Similarly, Nmap, the legendary network scanner, likely interested many in the art of hacking, and for some, started a career for security professionals and hackers. Nmap and its creator Fyodor need no introduction to anyone on Slashdot. With that, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning, is a most useful guide to anyone interested in fully utilizing Nmap."
-
Re:Network map?
Have they included a network mapping function yet? They announced it as a GSoC project last year I think, did they get around to hack some graphical map output?
Good question--and yes, we have! Full details on this feature, including screen shots, are provided in Section 12.5, "Surfing the Network Topology" starting on page 317. That section is also available free online. The code has been integrated into the latest version (4.76) of Nmap, available here.
-Fyodor
Insecure.Org
-
Re: Matrix Reloaded
Yeah, Nmap has actually been in a surprising number of major movies. I created the Nmap in the Movies page to document them with screen shots. The Matrix Reloaded was the most exciting and really started the trend. I guess the rest of Hollywood just followed along and decided that the command shell was the new way to portray hacking, rather than ridiculous 3D animated eye-candy scenes from the era of Hackers and Swordfish. So we got Nmap in Bourne Ultimatum, Die Hard 4, etc.
I wanted to include a screen shot of Trinity hacking the Matrix with Nmap for this book, but a then-potential publisher said I needed permission from Time Warner first. It took many unanswered requests, but Time Warner finally replied with basically "hell no, you IP pirate!" Of course they phrased it politely like "we would love to allow that, but our policies prohibit us from granting that permission". Funny, they didn't mind using Nmap in their movie without permission, credit, notification, etc. Then they say I can't even include a screen shot of them using Nmap?
So I dumped the potential publisher and added the screen shots anyway (page 8) :).
-Fyodor
Insecure.Org
-
Re:The first step in securing their servers
Yeah, everyone remembers Windows as the OS that could be completely pwned if the user installed and ran Quake or Quake II. Shit, that hack works on Linux too, sorry. Let me try again.
We all remember how Windows boxes were used to admin huge botnets of Windows computers. Ah, dammit, they were cracked Linux boxes doing the admin work. One more try.
You can bet your money on there never having been a rootkit for Linux!
Damn, I was so close.
I'll let you work out the moral of this story, but I can steer you onto the right track - next time you're going to prattle about the security of something, try picking something that has had more than only 6 vulnerabilities found in 2 years of release, none of which allow privilege escalation and all of which have been patched.
-
possibly not a new attack...
Fyodor of nmap fame writes an article on his site following up on this: http://insecure.org/stf/tcp-dos-attack-explained.html
-
Re:This is a job for nmap
Hey! Fyodor! They need your number!
Fyodor spent much of this summer scanning tens of millions of IPs on the Internet (plus collecting data contributed by some enterprises) to determine the most commonly open ports. Nmap now uses that empirical data to scan more effectively.
Zenmap Topology and Aggregation features were added, as discussed in the next news item.
Hundreds of OS detection signatures were added, bringing the total to 1,503.
Seven new Nmap Scripting Engine (NSE) scripts were added. These automate routing AS number lookups, "Kaminsky" DNS bug vulnerability checking, brute force POP3 authentication cracking, SNMP querying and brute forcing, and whois lookups against target IP space. Many valuable libraries were added as well.
Many performance improvements and bug fixes were implemented. In particular, Nmap now works again on Windows 2000.
With just nmap, my old buddies at Farm9 could have sussed this out in a few hours. I think they are still around - as Red Siren / Getronics.
Ahh. I miss running netcat at 3 AM!
Actually Farm9 was purchased by SecurePipe which was subsequently swallowed by Trustwave
-
Re:Obligatory
iblis% sudo nmap -A -T4 beta.slashdot.org
Starting Nmap 4.53 ( http://insecure.org/ ) at 2008-05-23 15:00 CDT
SCRIPT ENGINE: rpcinfo.nse is not a file.
SCRIPT ENGINE: Aborting script scan.
Interesting ports on beta.slashdot.org (216.34.181.45):
Not shown: 1704 closed ports
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
25/tcp filtered smtp
80/tcp open http Apache httpd 1.3.41 ((Unix) mod_perl/1.31-rc4)
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
443/tcp open ssl/http Apache httpd 1.3.41 ((Unix) mod_perl/1.31-rc4)
445/tcp filtered microsoft-ds
Device type: general purpose
Running (JUST GUESSING) : OpenBSD 4.X (91%)
Aggressive OS guesses: OpenBSD 4.1 (x86) (91%), OpenBSD 4.0 - 4.2 (90%), OpenBSD 4.0 (88%), OpenBSD 4.0 (x86) (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 10 hops
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 0.25 beta.slashdot.org (216.34.181.45)
OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 32.605 seconds
Looks like they're running OpenBSD of some sort.
-
Re:In Kiwi New Zealand
My employer has explicitly reserved the right to monitor all emails and all web access. All computers have LanDesk suite (PDF), which inventories and reports on all software installed on a pc, and allows remote admins to monitor and control a pc. Of course they also install anti-virus software, and have extremely restrictive firewall settings, and a web-page net-nanny to let you know when you've clicked on an innocent-looking Google link to a prohibited site, like this one (insecure.org - home of NMAP).
They're trying to protect the company assets from unauthorized, illegal, or inappropriate use, and thereby keep the company out of court.
-
This is a problem for the Nmap book
This is a major problem for my upcoming book documenting the Nmap Security Scanner. I was planning to print Nmap Network Scanning with Lightning Source POD and sell it through Amazon. Now Amazon says I need to use their own BookSurge company instead. Leaving aside the anti-competitive nature of this, there is the issue of BookSurge's terrible quality reputation. They are known for missing pages, printing covers upside-down, etc. So people who buy my book through Amazon will be stuck with the shitty BookSurge version, and they will surely blame me for this. I really hope Amazon relents, or I will have to rethink my whole distribution plan. I'm now against using BookSurge on principle. If Amazon keeps playing these anti-competitive games, at least there is always online distribution. Almost half of the book chapters are already online for free:
- Nmap Reference Guide
- Nmap Install Guide
- Nmap Scripting Engine
- Remote OS Detection
- Version Detection
- Zenmap User's Guide
And I hope to free more chapters in the coming week. Amazon may not care about losing my Nmap book, but I hope enough people stand up to Amazon that they really feel the effect!
-
Re:Just the long way for him to say..
$ nmap -v -sS -O world
Starting Nmap 4.20 ( http://insecure.org/ ) at 2008-04-02 14:30 EDT
Failed to resolve given hostname/IP: world. Note that you can't use '/mask' AND '1-4,7,100-' style IP ranges
WARNING: No targets were specified, so 0 hosts scanned.
Nmap finished: 0 IP addresses (0 hosts up) scanned in 0.106 seconds
Raw packets sent: 0 (0B) | Rcvd: 0 (0B)
If you can even find it!
-
This could work
I agree that exposing the extent of this could definitely help. When I received multiple FBI subpoenas in 2004 for Insecure.Org web logs, I notified Nmap users and it was posted to various web sites, including Slashdot.
After all of that press four years ago, the subpoenas stopped and I haven't received another one since. Maybe it is just a coincidence, but I'm happy about it nonetheless.
In other Nmap news, version 4.60 was just released. You might want to download it with Tor though, just to be on the safe side in case the subpoenas resume
:).
-Fyodor
-
Great program
The Nmap Security Scanner project has now participated in Summer of Code all three years—and mentored 25 students. So I'm pleased that Google has accepted us for a fourth year. This really is a great program, so I hope many Slashdotters apply (or at least spread the word to your student friends who may be too busy with school to read Slashdot). There aren't many opportunities available to get paid to work on free software of your choice. Your work makes a big difference for projects and their users as well. You can read about the successful Nmap SoC students in 2007, 2006, and 2005. No Nmap user can read those lists without recognizing features and improvements they use.
Of course part of the purpose of this post is to shamelessly plug the Nmap SoC ideas page for people trying to choose a project. We'd love to have you. But honestly, I recommend applying for multiple projects if you really want to get in. Don't just spam a bunch of crappy boilerplate applications, but submit as many carefully-considered ones as you have time to write. Also, I've written up some tips for preparing a great SoC application.
-
NMAP results
FTA
The RIAA has restored RIAA.org, although whether it's any more secure than
root@fosters:/home/kevin# nmap -A -v -P0 riaa.org
before remains open to question, TorrentFreak reports.
/* Deleted content */
TCP Sequence Prediction: Difficulty=0 (Trivial joke)
IPID Sequence Generation: All zeros
OS and Service detection performed. Please report any incorrect results at
http://insecure.org/
Nmap finished: 1 IP address (1 host up) scanned in 97.560 seconds
Raw packets sent: 3595 (166.500KB) | Rcvd: 1082 (50.154KB)
root@fosters:/home/kevin#
Apparently not
-
Re:In The Beginning Was The Command Line
http://insecure.org/stf/scoville_unix_as_literature.txt --- one of my favorites
-
Smashing the stack...
...for fun and profit. This was the first article I read that really made me want to learn assembly. Also I've taken courses in programming languages which was basically my college's way of forcing people to learn functional programming via Haskell.
From what I have been told, there are more jobs for Java and Data Warehouse development teams compared to lower-level programmers.
Speaking on a purely observational basis, I would have to say that this is true. But this also means that there are more Java devs and DBA's than there are C and Systems programmers, which enables the C programmers to command a higher premium. Also join your local ACM chapter and try out some programming contests. People in this group usually know what they're talking about. If you're strictly talking about what will help you in the business world, people skills are vital (as others have mentioned).
-
Re:Guidance text- rigged against free/open source
For $1K, you can buy nmap from me. For $10K, I may consider you for a site license. For $100K, well maybe an enterprise license. That will solve your problem and even make the tool look respectable.
Seriously, if you have such tools and are working for a major consultancy (which has probably already made its contributions to the electoral slushfund), then you will have no problem. If you are a smaller company or an independent you need CYA paperwork for the entire period that you are using the toolset.
-
Re:Having visited Arahuay in October.
Thanks for the notes, and I'm delighted to hear about the successes that OLPC is having (even if you haven't yet met your initial distribution goals). It is great to read articles like this one about improving the lives of thousands of kids in Peru.
Given the network capabilities of this machine, we are working to ensure that the Nmap Security Scanner continues to work well on the OLPC. Maybe someday it can be included, though that raises the issue of kids using it responsibly. Still, it can be quite useful for debugging network connectivity issues as well as testing that their own machines are secure. A side effect of this work is that it keeps Nmap lean and working well on low-resource PCs, phones, and PDAs besides the OLPC.
On Friday we received the three units we ordered through give-one-get-one and I've been playing with mine ever since! Yesterday I took and posted a bunch of pictures of the device.
Keep up the good work!
Fyodor
-
Re:Microsoft brainwashing
That's not quite what I get. Higher-up post must have some funny routing or something going on upstream from them:
~$ nmap -A -T4 -F -P0 www.microsoft.com
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-12-13 11:32 MST
Warning: Hostname www.microsoft.com resolves to 4 IPs. Using 207.46.193.254.
Interesting ports on wwwtk2test2.microsoft.com (207.46.193.254):
Not shown: 1254 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http?
443/tcp open https?
Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 38.963 seconds
-
No firewall?
They *do* have a firewall, or at least nmap says so:
# nmap -p22 www.microsoft.com
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-12-13 09:26 PST
Warning: Hostname www.microsoft.com resolves to 4 IPs. Using 207.46.193.254.
Interesting ports on wwwtk2test2.microsoft.com (207.46.193.254):
PORT STATE SERVICE
22/tcp filtered ssh
Nmap finished: 1 IP address (1 host up) scanned in 0.458 seconds
See? It says filtered, not closed. The packet was dropped.
-
Re:Misleading descriptions
What's the source for your statement that TCP RST is not the proper response to a closed port? I've literally never seen a Type 3 code 13 in response to a TCP SYN, and wonder if you're not confusing TCP and UDP somewhat.
NMAP's docs indicate that a TCP RST in response to a SYN is a determination that a port is 'CLOSED', and any ICMP response will flag it as 'filtered' including an ICMP type 3 code 1,2, 3, 9, 10, or 13. See the -sS (TCP SYN scan) section of http://insecure.org/nmap/man/man-port-scanning-techniques.html In practice, I've never seen any firewall which will report an ICMP error in response to a filtered TCP port, and only rarely have I seen one which gives any response at all, but if it does respond, that response would be a RST.
Now, for UDP packets, the proper response to a connection request destined for a port on which you're not listening is indeed an ICMP type 3, code 3. Obviously, there's no connection state here, and thus no way to RST a session so ICMP is used to notify the requestor.
I tried to find an RFC to reference, but honestly the TCP RFCs are pretty complicated, revised several times, etc.. so I couldn't find a definitive reference. If you have a source that backs your statement about ICMP responses to TCP connection attempts, I'd love to see it... in my experience, every protocol stack I've ever encountered operates by replying with a RST.
-
I am not convinced
This article is a bit fishy in its interpretation. They don't list their expectations vs the results.. They just make assumptions. For instance:
Users who want to raise their security level might choose the option "Block all incoming connections" - in the hope that this really will reject all incoming queries to network services.
Which it appears to do if you look at the quote below. They show a deny in their logs. Seems to work so far.
The initial tests looked promising. The SSH server activated for testing purposes and the primitive demo backdoor could no longer be accessed from outside. The firewall even blocked access to a test server on a UDP port:
Oct 29 11:26:49 Qf98e Firewall[44]: Deny nc data in from 193.99.145.XXX:28524 uid = 0 proto=17
However, a simple port scan was enough to destroy our misplaced optimism:
# nmap -sU 192.168.69.21
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
MAC Address: 00:17:F2:DF:CD:B3 (Apple Computer)
They are now basing an assumption (or marketing spin) because of output from an Nmap scan. This just indicates a flaw in the signature Nmap has (or the lack thereof) for this particular firewall implementation.
Then straight from NMAP's documentation:
"Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describe a port." -(http://insecure.org/nmap/man/)
And as for the NTP response being received, well that goes back to what we should expect to see. Apple is about usability. I would suspect that "Block all INCOMING connections" to not refuse information that I request. Basically this just does ingress filtering and not egress.
I haven't read the entire article yet, but from my brief scan I don't see how this is not a "functioning" firewall. -
Re:Kung Fu Style?
Depending on how sophisticated their probe detection systems are. Maybe you could use another host with sequential IP ID to trigger a DDoS? See http://insecure.org/nmap/idlescan.html If so, please scan Storm's CNC's through other CNC's, perhaps they will DDoS themselves? That would be cool...
-
Re:IRC log of convo with seanap of Demonoid.
Nobody knows yet because Deimos hasn't said anything. But from what I see in an nmap scan:
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-09-26 09:54 Eastern Daylight Time
Initiating Parallel DNS resolution of 1 host. at 09:54
Completed Parallel DNS resolution of 1 host. at 09:54, 0.00s elapsed
Initiating System CNAME DNS resolution of 1 host. at 09:54
Completed System CNAME DNS resolution of 1 host. at 09:54, 0.00s elapsed
Initiating SYN Stealth Scan at 09:54
Scanning demonoid.com (209.44.123.21) [1697 ports]
SYN Stealth Scan Timing: About 6.25% done; ETC: 10:03 (0:07:43 remaining)
Completed SYN Stealth Scan at 10:01, 401.57s elapsed (1697 total ports)
Warning: OS detection for 209.44.123.21 will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Initiating OS detection (try #1) against demonoid.com (209.44.123.21)
Host demonoid.com (209.44.123.21) appears to be up ... good.
Interesting ports on demonoid.com (209.44.123.21):
Not shown: 1690 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
80/tcp closed http
123/tcp closed ntp
443/tcp closed https
8000/tcp closed http-alt
8080/tcp closed http-proxy
Device type: general purpose
Running: Linux 2.6.X, OpenBSD 4.X, Sun Solaris 10|8|9
OS details: Linux 2.6.17.13 (Slackware 11.0, x86), OpenBSD 4.0 (CURRENT) macppc, OpenBSD 4.0 (sparc64), Sun Solaris 10 (SPARC), Sun Solaris 8 (SPARC), Sun Solaris 9 (SPARC), Sun Solaris 9 (x86), Sun Solaris 9 or 10
OS detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap finished: 1 IP address (1 host up) scanned in 405.503 seconds
Raw packets sent: 5164 (229.400KB) | Rcvd: 76 (3496B)
It looks like all the ports are firewalled off by the ISP. So while it's not confirmed, it's pretty obvious to anyone knowledgeable in network admin that the ISP firewalled off all the ports at someone's behest. Perhaps the CRIA, perhaps even Deimos himself. -
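Both the "I am not convinced" comment (the open|filtered UDP results) and the scan above (1690 filtered plus 7 closed, nothing open) come down to reading nmap's state counts and asking how much the scan actually established. A small parser for nmap's normal output that does that bookkeeping, as an added example that is not part of the thread and not nmap's own code; the two sample outputs embedded in it are constructed for the example (documentation addresses, invented host names), and the `summarize` verdict rule is this example's own heuristic, not an nmap feature.

```python
"""Parse nmap 'normal' output into per-port records and state counts, then
say how conclusive the scan was. Added example; the sample outputs below
are constructed and the verdict thresholds are an assumption."""

import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# "22/tcp filtered ssh" / "123/udp open|filtered ntp"
PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
# "Not shown: 1690 filtered ports" (nmap may list several states on one line)
NOT_SHOWN_RE = re.compile(r"(\d+) ([\w|]+) ports?")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap_output(text: str) -> Tuple[List[PortEntry], Counter]:
    """Return the explicit port table plus a Counter of states that also
    includes the ports nmap collapsed onto the 'Not shown' line."""
    entries: List[PortEntry] = []
    counts: Counter = Counter()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Not shown:"):
            for n, state in NOT_SHOWN_RE.findall(line):
                counts[state] += int(n)
            continue
        m = PORT_LINE_RE.match(line)
        if m:
            entry = PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            entries.append(entry)
            counts[entry.state] += 1
    return entries, counts


def summarize(counts: Counter) -> Dict[str, object]:
    """Heuristic reading of the counts (assumption of this example): separate
    what the scan confirmed from what it could only infer."""
    total = sum(counts.values())
    ambiguous = {s: n for s, n in counts.items() if "|" in s}
    confirmed_open = counts.get("open", 0)
    filtered = counts.get("filtered", 0)
    if total == 0:
        verdict = "no port table found"
    elif confirmed_open == 0 and ambiguous:
        verdict = ("inconclusive: no port confirmed open, %d reported only as "
                   "open|filtered or closed|filtered" % sum(ambiguous.values()))
    elif confirmed_open == 0 and filtered / total >= 0.9:
        verdict = ("no open ports; nearly every probe was dropped silently, "
                   "consistent with a packet filter in the path")
    else:
        verdict = "%d port(s) confirmed open" % confirmed_open
    return {"total": total, "counts": dict(counts),
            "ambiguous": ambiguous, "verdict": verdict}


# Constructed sample: a SYN scan where the filter drops almost everything.
TCP_SAMPLE = """\
Starting Nmap 4.20 ( http://insecure.org/ ) at 2007-09-26 09:54 EDT
Interesting ports on host.example (192.0.2.10):
Not shown: 1690 filtered ports
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
80/tcp closed http
123/tcp closed ntp
443/tcp closed https
8000/tcp closed http-alt
8080/tcp closed http-proxy
Nmap finished: 1 IP address (1 host up) scanned in 405.503 seconds
"""

# Constructed sample: a UDP scan whose only findings are the ambiguous state.
UDP_SAMPLE = """\
Interesting ports on 192.0.2.21:
Not shown: 1483 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
631/udp open|filtered unknown
5353/udp open|filtered zeroconf
"""

if __name__ == "__main__":
    for name, sample in (("tcp", TCP_SAMPLE), ("udp", UDP_SAMPLE)):
        _, counts = parse_nmap_output(sample)
        print(name, summarize(counts)["verdict"])
```

Feeding the second sample through gives "inconclusive", which is the point the article the comment criticises missed: open|filtered on a UDP port is nmap declining to decide, not evidence that the firewall let anything through.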
Re:Easy to blame M$
Of course, exploitable programs are all Microsoft's fault - which must be why the remote root exploits for Quake 1 and 2 for Linux must be all Linus' fault!
Let's be honest, exploitable applications are OS independent. Though I guess honesty never really comes into it with you, hmm? -
Probation more likely than 20yrs jail time
The article title says he "faces 20 years in prison" to be sensational, and maybe that is the theoretical maximum. But the last line of the article says that "the plea agreement contemplates a sentence ranging from probation to six months in custody". The judge gets the final decision, but he is much more likely to get probation than a 20yr sentence.
Fyodor -
Re:in case it's slashdotted...
The man page for nmap is more detailed than their paraphrasing of it. Some of the article is flat out wrong.
Since there's no overhead of a TCP handshake, the UDP scan is inherently less "noisy."
Yeah right.
If you don't have nmap installed, just go here - http://insecure.org/nmap/man/