Domain: packetstormsecurity.org
Stories and comments across the archive that link to packetstormsecurity.org.
Comments · 54
-
Re:Analysis
For what it's worth, looking at the recent 404 errors on my site, I've noticed many (fortunately failed) requests related to Ajax File And Image Manager 1.0 Final Code Execution
-
Evolve or Die
http://packetstormsecurity.org/ surely some people would have learned some lessons.
Never trust Windows Server, and as the saying goes, any Linux or BSD is good as long as you harden it; however, should you be a lazy system administrator, as I am sure plenty of frequenters to /. are, then one has no right being a system administrator in the first place. -
If using PHP5, change max_input_time
I agree with others, this is not a Microsoft issue, it's an issue for all sysadmins.
Anyway, from http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt is this helpful bit to reduce your susceptibility to attack, if you're using PHP:
"The maximal POST request size is typically limited to 8 MB, which when filled with a set of multi-collisions would consume about four hours of CPU time on an i7 core. Luckily, this time can not be exhausted because it is limited by the max_input_time (default configuration: -1, unlimited; Ubuntu and several BSDs: 60 seconds) configuration parameter. If the max_input_time parameter is set to -1 (theoretically: unlimited), it is bound by the max_execution_time configuration parameter (default value: 30)." -
Technical Background
Just to make it clear - this affects a whole lot of systems and is based on a flaw in the design of hash-tables:
http://packetstormsecurity.org/files/108209/n.runs-SA-2011.004.txt
Basically you can pre-calculate a huge set of POST parameter names which will all be hashed to the same value. Since these are stored in a hash-map by most web-frameworks, this will lead to an O(n) lookup time instead of an O(1) lookup time when testing the hash-map for a given parameter name.
This will max out your CPU quite quickly depending on how many lookups you perform per request. Since the attack has "script kiddie" difficulty, this needs to be patched ASAP by all vendors
... or we will see a lot of downtime on many public servers. -
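As an added illustration (not code from the advisory, the comment above, or any web framework), the toy below shows the O(n) lookup degradation the comment describes and the two guards the quoted advisory points at: a per-request parsing time budget in the spirit of max_input_time, plus a cap on the number of parameters (an assumption here; PHP later shipped such a cap as max_input_vars). The hash function is a deliberately weak stand-in chosen so collisions are trivial to construct, not the hash any real framework used.

```python
"""Hash-collision DoS on request parameters: what degrades, and what a
parameter cap and a parsing time budget buy you.

Added illustration, not code from the n.runs advisory or from any web
framework. ToyHashMap uses a deliberately weak hash (sum of byte values mod
table size), so any two names that are permutations of each other collide.
"""
import itertools
import time
from urllib.parse import unquote_plus


class TooManyParameters(Exception):
    """Body carries more parameters than the configured cap."""


class InputTimeExceeded(Exception):
    """Parsing ran past the per-request time budget."""


def parse_form(body: str, max_vars: int = 1000, max_input_time: float = 60.0) -> dict:
    """Parse an application/x-www-form-urlencoded body with two guards.

    max_vars caps the parameter count (assumed mitigation; PHP later added
    max_input_vars). max_input_time mirrors the advisory's setting: seconds
    allowed for reading input, negative meaning unlimited, as in PHP's -1.
    Both checks run per parameter so a hostile body is rejected early,
    before the pathological parameter set is fully inserted anywhere.
    """
    deadline = time.monotonic() + max_input_time
    params: dict = {}
    count = 0
    for pair in body.split("&"):
        if not pair:
            continue
        count += 1
        if count > max_vars:
            raise TooManyParameters(f"more than {max_vars} parameters")
        if max_input_time >= 0 and time.monotonic() >= deadline:
            raise InputTimeExceeded(f"parsing exceeded {max_input_time}s")
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


class ToyHashMap:
    """Chained hash table that counts slots probed during lookups."""

    def __init__(self, buckets: int = 1024) -> None:
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0  # slots compared by get(); caller resets as needed

    def _hash(self, key: str) -> int:
        # Deliberately weak toy hash: permutations of the same bytes collide.
        return sum(key.encode()) % len(self.buckets)

    def put(self, key: str, value: str) -> None:
        bucket = self.buckets[self._hash(key)]
        for i, (k, _) in enumerate(bucket):  # also O(chain length) per insert
            if k == key:
                bucket[i] = (key, value)
                return
        bucket.append((key, value))

    def get(self, key: str):
        bucket = self.buckets[self._hash(key)]
        for k, v in bucket:
            self.probes += 1
            if k == key:
                return v
        return None


def colliding_names(n: int) -> list:
    """Constructed sample: n distinct names that all share one toy-hash bucket."""
    perms = itertools.permutations("abcdefg")  # 5040 permutations available
    return ["".join(p) for p in itertools.islice(perms, n)]


def distinct_names(n: int) -> list:
    """Constructed sample: n names whose toy hashes are all different (n < 1024)."""
    return ["a" * k for k in range(1, n + 1)]


def probes_for_last_lookup(names: list) -> int:
    """Insert every name, then count probes needed to find the last one."""
    table = ToyHashMap()
    for name in names:
        table.put(name, "x")
    table.probes = 0
    table.get(names[-1])
    return table.probes


if __name__ == "__main__":
    # Constructed bodies: one benign, one whose names all collide.
    benign = "&".join(f"{n}=1" for n in distinct_names(200))
    hostile = "&".join(f"{n}=1" for n in colliding_names(200))
    print("benign probes:", probes_for_last_lookup(list(parse_form(benign))))
    print("hostile probes:", probes_for_last_lookup(list(parse_form(hostile))))
    try:
        parse_form(hostile, max_vars=100)
    except TooManyParameters as exc:
        print("rejected:", exc)
```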
Re:It was only a matter of time.
DES? NSA owns the patent on that one. Better use something else.
-
Re:No Mistake
Heh, I remember using Computer Narcotics back in the 90's. At the very least there's a nice placebo effect. The guy who wrote CN was actually blind and had a BBS. Cool guy.
It's still on some shareware sites, but you need dosbox to run it on your modern win/mac/linux computer.
I found this list of more sound and light fun. Music and visuals are definitely a mental stimulant. But Oklahoma is off their rocker
;) They should ban whisky and cousins instead. -
Where do I sign up?
It will probably be a honey pot. Eitherway Cult of the Dead Cow or pulltheplug have already r00ted the target in 60 seconds. Not that I have anything to do with CDC or know anyone that does such matters and locks out lazy sys admins. Get your proxy servers ready and chain them ladies and gentleman. Nmap at the ready insecure.org http://www.sec-tools.org/ or maybe check http://www.packetstormsecurity.org/ (Evolve or Die) *chuckle*
-
Who said Linux is impervious to malware?
I could nit-pick your grammar, but is this overall claim based in empirical research? Linux certainly has its flaws and while it's not susceptible to WINDOWS malware, it certainly is to a variety of others. Perhaps take a look at http://insecure.org/ or http://www.packetstormsecurity.org/. Both of these sites maintain lists of exploits to various versions of Linux and many other types of GNU software as well. Rootkits most generally fall into the realm of 'malware' and once you've got root, baby, you've got the world.
-
Re:So ...
There's actually nine rootkits out there for Linux?
The rootkits in question are:
- adore-ng 0.56
- eNYeLKM 1.2
- sk2rc2
- superkit
- Phalanx b6
- mood-nt 2.3
- override
- Sebek 3.2.0b
- hideme.vfs
Some of them are in the wild and some are just for research. For more information, I would check out this page.
-
Exploit?
Is there some sort of exploit code I can run to check if my system is vulnerable? I tried to find some online, but I only came up with some code for SCO Unix and some code that is so horrendously long that I don't dare running it for fear it might do something I don't want to happen on my system.
-
The real Reason Gopher died.
It's really very simple, but it's a small technical detail that seems minor at first sight.
When you connect to a Gopher server it waits for you to send a string (just like HTML); this string is the name of the item you want. HTML is almost the same, except you put a command (GET, POST...) in front of it. This is not important because you can easily run an HTTP site with just GETs.
The difference is that Gopher immediately gives you the file, whereas http gives you a status code and file type then the file.
Why is this important? Well it's not, if the world is perfect, but in the real world things change so the "selector" that was valid yesterday and pointed to an image might not be valid today. But the server doesn't know it used to point to an image so it goes and returns the main site page which isn't an image. At this point the client throws a tantrum.
This means that the only links you can reasonably do are to your own site or to the root of someone else's, no deeplinking, no "intergophers". OTOH, because http returns the status and type there are lots of options if things move, but none of them are a client program crash (normally!). This also applies to links you make, ie no bookmarks, so you don't remember where that important document was on the gopher server, but you a (safe) bookmark directly to the http location.
HTTP wins, HTML comes along for the ride. Oops!
-
Prior art: L0pht antisniff from 1999?
Looking at the article, (and having skimmed but not read all of the patent), isn't AntiSniff (released by DilDog of L0pht in 1999) using this technique? (Slashdot article, Aug '99)
Original tech paper was on l0pht.com (now defunct) - looks like archive.org doesn't have a mirror, here's the best copy I could find in Google: http://servv89pn0aj.sn.sourcedns.com/~gbpprorg/l0pht/antisniff/tech-paper.html
-
Re:interestingly the text message device could be
Is it possible to create an *unsecure* remote shell so that I can give my home computer commands while away?
Yeah, I helped knock up a C implementation of this ages ago : SmS (I'm "Bob"). It's passworded, but I make no guarantees that it's secure
... in particular CJK made the max password length 5 for some reason, that really should be changed. -
layer 1 hijacking
A similar method of attack, layer 1 hijacking has been around at least 10 years now.
-
They can't patent this
They can't patent this. I claim prior art.
http://packetstormsecurity.org/unix-humor/awesome.unix.chdir.program.html -
Re:Ok, I took your advice, & here is what I fo
"Check the percentage of pwned IIS servers and the uptime of Apache on Linux" - by Technician (215283) on Wednesday June 20, @01:12AM (#19574975)
I tell you what, I will use the # of vulnerabilities found in BOTH webservers, because I could find it easily enough!
Bookmark this page;
http://isc.sans.org/ The SANS Internet Storm Center keeps track of data swarms caused by worms, bots, and other out of control threats. When they occur, pay attention to what machines are exploited. It's not always workstations on cable modems.
http://news.yahoo.com/s/ap/20070620/ap_on_go_ca_st_pe/dhs_computer_security
Care to guess the OS exploited?
Nice try.
IIS (first URL) shows fewer bugs/vulnerabilities than Apache (2nd URL) does (and less critical ones) & in fact, 10 TIMES FEWER!
They tested Apache version 2.0.x. The current versions are 2.2.x. I can declare Windows 98 full of unpatched problems.. and be right.
IIS secure? Apache secure?
They both have exploits. The number of exploits is one thing. The number of exploited machines is another.
http://www.google.com/search?hl=en&q=IIS+exploits&btnG=Search
http://www.google.com/search?hl=en&q=Apache+exploits
To make you feel good, here is a current Linux exploit;
http://www.scanit.be/uploads/php-file-upload.pdf
And Windows exploits
http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html
http://isc.sans.org/diary.html?storyid=2994
http://isc.sans.org/diary.html?storyid=2985
http://isc.sans.org/diary.html?storyid=2979
http://isc.sans.org/diary.html?storyid=2976
A Safari exploit;
http://isc.sans.org/diary.html?storyid=2982 (It's on Windows, not Apple)
To be fair some Linux worms and exploits;
http://www.packetstormsecurity.org/unix-exploits/linux-exploits/
For workstations which visit the web, I avoid Windows. Just seeing the headlines is enough.
http://news.bbc.co.uk/2/hi/technology/6465833.stm
I know they were nice and didn't bother to mention the OS, but I think it's very likely the monoculture OS. If you have any data on the number of non Windows bots in the herds, let me know. I'm looking for any data on the breakdown of OS on exploited bots.
Current June 2007 exploit list... http://www.packetstormsecurity.org/0706-exploits/
From the list.. 06072007-CVE-2007-2237.zip
Description:
Microsoft Windows GDI+ ICO file remote denial of service exploit.
comicsense-sql.txt
Description:
Comicsense suffers from a SQL injection vulnerability in index.php.
CVE-2007-2815.txt
Description:
Exploit that takes advantage of the Microsoft IIS5 NTLM and basic authentication bypass vulnerability. I wonder if this is one of the patched MS ones?
Many of the exploits are php / SQL exploits. I don't think MSSQL is immune.
Feel free to resear -
Re:Linux patches?
I invite you to investigate this site which holds no immediate bias in its reporting of security advisories, patches, problems and exploits. Look at the average turnaround time for patches, fixes, and responses to security problems. You will find out that Microsoft isn't as bad as everyone likes to pretend it is, nor is its flagship Windows OS. Also, I find it ironic that whenever someone points out a problem that affects Linux, people are like "But that's not the OS, it's (insert kernel module, driver, app, whatever) that is (insert special circumstance here).", but when it's Microsoft, they're all lumped together as "OMGz! Windoze h4x!". This includes vulnerabilities in Word, and Excel (and something else from the Office Suite, can't remember though atm), and additionally mentions Exchange. Exchange runs on a server platform, but ok, I'm not going to get into semantics on that (I assume they meant Outlook, though even if it was Exchange, it's still a fix, or at least an attempt at one).
I am the first to admit that Microsoft has problems with security, but it's a problem that plagues the entire industry. Linux, Unix, Windows, Mac, websites, forms, applications, EVERYTHING. It's a problem in how the industry approaches security. It goes far beyond Microsoft. The entire industry has this "Get it working now, patch it later" mentality. It's the "Default Allow" instead of "Default Deny" approach. There is NO reason Buffer Overflow attacks should work... EVER. Period. How hard is it to check your buffers, and make sure you're handling them properly? Very sloppy. Microsoft certainly isn't the best, but they're far from the worst. Don't believe me? Check that website, and all the security advisories for the past few years, and you will notice an interesting trend.
-
Flaw? Patched? Microsoft? Linux?
While I agree, very good response on getting this patched, and Linux does seem to have a better overall response time to patch needs, they're needing it more and more these days.
I find it pretty interesting that security advisories over the last several months have been on primarily non-MS platforms. Mac, Linux, Solaris, etc. have had many more security advisories than MS Windows has had to endure, and Microsoft, while certainly not leading that pack for response time, also isn't dead last. I invite you all to check This site which is April's list of security advisories. I remember seeing a review on security a short time ago dealing with response time from various OS Vendors, and while MS wasn't leading the pack in anything, they weren't dead last in anything either.
I personally think Linux has a lot of potential, and is a pretty decent OS. But it's not ready for primetime just because of the average user. Windows has a tough enough time with security because of the user (let's face it, 90% of problems are the user's fault). Sure, exploits exist, but you have to DO something. Users don't download patches. Users click on anything with an OK box. Same applies here. How many "users" running Linux are even going to know about this vulnerability, let alone patch it. Ok, if they've auto-updates on, perhaps they will fetch it in their next batch? In which case, good, and kudos to the distro for making that part painless for the user.
I've always wondered about Linux's wifi security, but that was primarily because of having to wrap up the driver of most wifi cards. Just seemed to me like a door just begging to be broken down. Apparently I wasn't the only one.
-
USS Yorktown & Blue Ridge
I'm sure we all remember how well things went for the U.S.S. Yorktown; an Aegis Class missile destroyer that ended up dead in the water after a crew member entered a zero into a database. Obviously, this was caused by the fact that the Yorktown's control software was of a really bad design. Critical systems should have never been so tightly linked that a failure in one area would cause a cascading failure across the ship. Still, it raised a lot of questions about the wisdom of using consumer software for life and death situations.
Two years after that, the Navy had still not learned their lesson. The flagship of the seventh fleet, the USS Blue Ridge, was deployed in 1999 with Windows-based Command and Control systems. The result? The ship was infected with the Melissa Macro Virus. (Source - Section 12.4)
I'm sorry, but when you're taking men into combat, you want equipment that has been designed to do what needs to be done, not pretty features that let the GIs open their email attachments. There's a reason why the current military setup in the US is for the crew to have their own laptops for personal use. Using a consumer OS in a battle-critical system is nothing but a recipe for disaster. It's too bad that Her Majesty's Navy has failed to learn from the mistakes of others. -
Re:question
-
Anyone else remember...
the ON [Original Nerd (C)] Netmaster 10baseT?
-
Snooze
So what? I find exploit code all the time, week, months, years after the fact. It's called Packet Storm Security or elsewhere.
Hell, google.com cache pages are great for shit like this. -
Re:You don't see the problem.
That's a pretty pitiful attempt at a dodge.
An operating system (OS) is a software program that manages the hardware and software resources of a computer. A key component of system software, the OS performs basic tasks, such as controlling and allocating memory, prioritizing the processing of instructions, controlling input and output devices, facilitating networking, and managing files.
...Security
Security as it pertains to the operating system is the ability to authenticate users prior to access, categorize the level of access the user has, and limit access based on a policy placed by administration. Typically an operating system offers (hosts) various services to other network computers and users. These services are usually provided through ports or numbered access points beyond the operating systems network address. Typically services include offerings such as file sharing, print services, email, web sites, and file transfer protocols.
At the front line of security are hardware devices known as firewalls. At the operating system level there are various software firewalls. A software firewall is configured to allow or deny traffic to a service running on top of the operating system. Therefore one can install and be running an insecure service, such as telnet or ftp, and not have to be threatened by a security breach because the firewall would deny all traffic trying to connect to the service on that port.
-- Operating System, Wikipedia
Dodge? I simply asked you to inform yourself of the basic definitions of the discussion--something you should have already familiarized yourself with if you want to have a productive discussion. An anti-virus clearly plays no role in the purpose of an OS, nor is it a key component in building a secure OS--unless perhaps you have a different definition of an OS that you'd like to share?
There's a hell of a lot of people on Slashdot who seem to think it can, however.
Are you familiar with ARGUMENTUM AD NUMERAM? You can't seem to build a logically sound argument as to why not packaging an anti-virus with Vista would make the OS inherently less secure. OS X does not come with a pre-packaged AV, nor do most Linux distros, FreeBSD, NetBSD, Solaris, nor pretty much all other OSes. The fact that it is something that would be packaged along side the operating system suggests that it's not an integral part of the OS or OS security.
So what is the definition of a secure operating system ? What OSes meet it ? What OSes don't ?
There's no such thing as a perfectly secure OS, but there are relatively secure OS's--these are operating systems that are secure by design (rational security policies), have relatively few exploitable bugs (few system vulnerabilities), and have secure default configurations (easy to secure by the average user). This doesn't entail protecting the user from himself. If an AV detects a virus, then chances are the OS has already been infected. If anything, AV's encourage users to be stupid about what they download since they think the AV will pick up all viruses and they will be more likely to proceed downloading and executing suspicious attachments. You can't build a foolproof system, the trick is to educate the user so they don't act foolishly.
What outstanding remote exploits of that nature are there in Windows ?
http://www.google.com/search?q=windows+exploits http://attrition.org/security/advisory/ http://packetstormsecurity.org/alladvisories/advisories/
...or did you think e-mail attachments were the only threat to Windows? The constant stream of updates and patches tha -
Re:UNIX and viruses
Of course. How silly of us To think that it could be possible for Unix to be vulnerable to a virus or worm, or other such malware? I mean, it isn't like there are any threats out there that could possibly infect a *nix based system.
Let's face it, the ONLY platform vulnerable to attacks of any kind, is MS. As seen in this article.
Hmmm.... oh yes, let's not forget that there aren't ANY kind of security notices concerning anything on linux.
Nope, definitely NOTHING about linux, or Mac OSX for that matter.
Nope, all those systems, in fact, anything but Windows is absolutely bulletproof. Yeap.
So, who's going to jump on the bandwagon with me and bash Microsoft because it's cool? Nevermind that these other products have flaws too, we'll just bash MS so much that no one will ever know we have problems over here with *nix systems and with MacOSX.
/sarcasm OFF -
Re:Fixing security holes should be the first prior
-
Re:Must be joking
Is this the same thing as this
Unfortunately you left out the link, so I don't know what "this" is supposed to be. But from your description: "It is a buffer overflow on IE but on Firefox it just completely freezes up the browser/potentially opens tons of windows."
No, it isn't anything like that. I'll find the direct link to the "exploit" (unfortunately and non-coincidentally I've erased my visit history since then) but it's just few links from the FA. So here's the so-called exploit. It serves up as plain text so it's safe. -
This isn't a problem.
There is no security breach involved here at all. It's not even a very bad bug. Clicking an infected link (as I've done) doesn't crash your browser, it doesn't keep it from reopening, it doesn't cause a buffer overflow. All it does is make Firefox take an unusually long time to open the next time. Admittedly, an inexperienced or impatient person might think this is a crash, but it's really not.
P.S. The original code is found at http://packetstormsecurity.org/0512-exploits/firefox-1.5-buffer-overflow.txt (note that this is a text file. It needs to be changed to HTML and have a link clicked to work.)
P.P.S. I'm using Firefox 1.5 on Windows XP SP2, both of them fully updated. -
What about kernel level RootKits?
What about kernel level rootkits such as Knark?
I'm not entirely sure why you would use a RootKit (legitimately) other than for limiting access on machines under your control, something that could surely be done with proper account setups. -
There are other sites available.
Andrew Jaquith, senior analyst with The Yankee Group in Boston. "There is really no good, consistent source for security information on the Internet," he said.
There are already a handful of really good sites out there. How will ATT compete with the likes of: The Internet Storm Center, Security Focus, Packet Storm, and Security Peline which are current and relevant.
Also in the TFA, there were statements that the news services will be offered to ATT customers. Will non-customers also have access to the site for free? If not, how does this compare to other managed services offerings from the likes of Symantec, ISS, and others? -
The ping of Death
When I was 13, I used to be in a hacking group known as ViRii on Undernet.
Around that time (early to mid 90s), there were several hacker group wars going on Undernet. I remember the +++ATH0 exploit among many dozens of other exploits at the time.
In mIRC, you could do: //raw NOTICE VictimsNick : $+ $chr(1) $+ PING +++ATH0 $+ $chr(1)
And their modem would hangup/reset.
There was a guy named VallaH I knew in my hacker group. He was the one who originally discovered The Ping of Death in Windows 95. He also wrote jolt.c and many others. He was among the first people to find remote exploits in Windows 95. (Microsoft actually hired him that year to work on Windows NT network security; I was quite jealous at the time.) The funny thing is, he only designed it to nuke Windows, but it also worked on early Linux 2.0 kernels, Solaris and Mac (since they all used mainly the same BSD TCP/IP code, I'm guessing).
Vallah later lost his job at Microsoft due to his hacking past/present, I'm guessing.
Quoted from this archived email:
"My friend, I will call him Vallah. Lost his job at Microsoft working on network interoperability(sp?) for Windows 2000 when the FBI showed up with a warrant for the files on his machine at work. He has still not been charged with anything and most likely won't be... again, mainly because he hasn't done anything. Guilty by association and an infamous past."
I wasn't a hacker myself, more of a wannabe (script kiddie) hacker. I mainly just nuked other people on IRC and did channel takeovers, etc. The fun lasted until I was around 15 (I'm now 22). A lot of the more serious hackers I was associated with ended up getting caught by the FBI. I have literally hundreds of old hacking stories from my early days with IRC. (Note that I'm now into computer security, not destructive behaviours like hacking.)
I have one other story about a guy I knew around my age by the name of XaiL. He was 13 at the time, and he hacked nasa.gov using an old phf exploit. I used to talk to him on the phone long distance, he was a funny guy, sounded like a girl, he hadn't even started puberty by the sound of his voice. I do admit that the only hacking I ever did was using this same phf technique, long since patched. I'm not proud of my early days as a destructive script kiddie hacker, but at the time, it was so much fun.
I also had a very small part in writing the mIRC script known as 7th Sphere (my code was included in the last release, version 3.0, not the previous 2.666). At the time it was a hugely popular "war" script used by script kiddies to nuke, flood, do channel takeovers and many other evil deeds on IRC servers. It came with programs made by Rhad using VB, most notably was "click.exe", a program that let you instantly "nuke" any victim. If you do a google search for click.exe or "Rhadware", you will get the idea of how evil his programs were. -
OpenBSD Security? Give me a break.
...and his advancement of network security.
This will probably get modded flamebait, but I'd like to point out Theo doesn't exactly have an outstanding reputation in the security community.
"OpenBSD kernel: the first remotely exploitable kernel in history." -GOBBLES Security (defcon 2002) -
RSS difference
What difference is there between sites like slashdot that have the RSS icon (in FF) and other sites that have an RSS page that is xml? ie: http://www.packetstormsecurity.org/whatsnew20.xml
-
im confused are these all the same thing?
the itunes trojan isn't the same thing right?
is it just me or are there more than one of this current rootkit thing by different authors. there is one at the link on macintouch and another at http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=osxrk&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0 -
It didn't take "this long"
Back in tha day, there was a nasty piece of malware^H^H^H^H^H^H^H remote admin software that promised an integrated packet sniffer and the ability to add plugins.
Good times, good times...
-
normal for this time of year
It's really normal to notice a huge increase in attacks this time of year. With the passing of DEF CON and Black Hat this month, a lot of new security vulnerabilities have been released, and all of the 'script kiddies' are eager to try them out. The best thing to do is make sure all your software is up to date, and get familiar with the new vulnerabilities that are out so you can protect yourself.
As far as reporting them, you could try all day and not be able to report all of them, and even if you did, they're most likely attacking from someone else's vulnerable machine. The only thing you can really do is watch out for anyone who's aggressively attacking you (i.e. one person who's running lots of attacks on you trying desperately to break into your machine at any cost), and report those ones, or if you can find a way to contact that person, tell them to stop before you report them to their ISP and/or authorities; this will usually scare most people off.
Once you do start paying some decent attention to security releases, a lot of these stupid things people try won't surprise you; for instance, the ssh root attempt is because some tool came out recently that just scans netblocks for anyone running ssh and tries logging in as two different users with no password, root being one of them. If you're not familiar with where to find security releases, here are some good places to start:
packetstorm security
Security Focus -
Re:Stop slashdoting the site!
-
Re:How to spot what is happening
Another good rootkit checker, which seems to have a more active development cycle, is Rootkit Hunter. Here's a Newsforge article on it, with a few more details.
A few other comments:
Virus scanners won't help one jot against a custom hack (as Valve found out, for instance). They can be helpful, but don't put full reliance on them.
Running an Intrusion Detection/Prevention System such as Snort, Samhain, Prelude, etc. will help you manage the monitoring side of things; more than a few machines becomes a pain without additional help. Also take a look at centralising all your logs on a syslog-ng server or something similar, if you don't already (note that there are various solutions out there to get Windows boxes to log to a syslog server).
A honeypot may distract the hacker from your production servers for long enough for you to identify that there's a problem.
Also take a look at "HoneyTokens": specifically created database records that trigger alarms if they're accessed - usually high profile fictious targets that would make excellent trophy hacks - there's more info on this over at SecurityFocus.
If you suspect that a machine has been compromised, as other have said, the ONLY WAY TO BE SURE is to rebuild the box from scratch. While this may be a real pain, hopefully it'll help you get the procedures in place to make this as painless as possible, so it's not all bad.
Perform security audits/pentests every now and again. Tools like Nessus help: here's a good series on using Nessus (part 2, part 3).
Get familiar with security tools such as the top 75 recommendations at Insecure.org (home of Nmap).
Remember that security is a PROCESS, so be thorough; get an entire plan together and cover all the bases that you can, taking special care to identify and cover the weak points. Your company's security is only as good as its weakest link; for instance, privilege escalation via weak user account passwords is a good one.
Read SecurityFocus, PacketStorm, CERT and the like, and try to get involved in their communities; they can be invaluable! They've also got a lot of good tutorials, such as how to lock down Apache and IIS, securing PHP and ASP, etc. -
Re:How to tell and Fixes
According to lots of people you don't know what you are talking about.
There are two issues here and the IE compromise that infected IIS servers are serving to browsers is an UNPATCHED ADODB.STREAM bug coupled with an UNPATCHED CODE IN CHM FILES EXECUTING IN THE LOCAL SECURITY ZONE bug. "patch it with MS04-11" really doesn't cut it.
You may wish to make sure MS04-013 is installed and look at this for some registry settings which supposedly fix the exploit. BUT. As others have said the only real fix is to use a different browser as it is not 100% guaranteed that these are the unpatched IE flaws which are being exploited in all cases. -
Damnit...
Why hasn't anyone in Washington ever read the mathematical proof that such a system will make us LESS secure?
:/
It should be somewhere on Bruce Schneier's personal website, in a fairly recent edition of the Crypto-Gram newsletter, IIRC.
Oh well, seems like a perfect time to quote this little tidbit that Packet Storm has had on a sidebar for quite a while now:
Call Your Reps For Free
A toll-free number has been set up for the US Senate and Congress at +1-800-839-5276. They immediately answer "Capitol" and will happily transfer you to your congressional representatives. Call during business hours and feel free to speak your mind, asking them not to expand the Patriot Act, to repeal the DMCA, to push through donotcall.gov, etc.
-
Tips...
#1: Learn to love the hourglass icon, 'cos you're going to be seeing a lot of it from now on.
#2: Get used to extension-based file typing, and remember that not everything ending in .scr is a screensaver.
#3: Develop a healthy sense of paranoia - they are out to get you, especially the ones that send e-mail with subjects like "Hello".
#4: Give thanks for the guys who develop Win32 ports of Perl, Python, Apache etc. because they are the thin geek line that stands between you and Visual Basic, Windows Scripting Host and (ugh) Internet Information Services.
#5: Get hold of Mozilla, Evolution, and OpenOffice. Man cannot live on IE, Outlook and Office alone.
#6: Head on over to PacketStorm and stock up on some local admin exploits and the excellent Cain&Abel so you can take back the rights these no-good dirt-farming MCSEs are going to try to take away from you.
That should get you started. -
Re:Know your enemy, then attack.
My guess is they will create another FUD attack by studying its weaknesses and then pay someone like the Gartner Group to set for the same results under a limited condition and boom. Instant FUD: Windows 2k3 can do this but Linux can't.
This could be easily accomplished by visiting packetstorm. They wouldn't even have to set up the lab.
Of course, packetstorm works both ways.
~Will -
Re:Not good enough.
Go visit Packet Storm. It's a pretty good site to grab admin tools. And a good place to read about what exploits you need to keep your eyes open for.
Not sure how much you'll pick up for just your webserver, but it's a good starting point to pick up from.
Malk -
Re:Hacker tools?
What are some of the 'other' newest hacker 'tools' out there
Newest Hacker Tools -
Re:Now all we need
Now all we need is for someone to hurry up and port some spyware to the Mac, so this product will have something useful to do.
It is not so funny as it may sound. This is exactly the attitude I had when I installed a Debian stable release a few years ago and never bothered checking security updates. I laughed at my Windows-using friends every time there was a new worm or virus, telling them that it's not fair that GNU/Linux is not supported by all of this malware, until someone exploited my old bind buffer overflow and installed a kernel-level rootkit.
Remember that Darwin, the base of Mac OS X, is based on FreeBSD. chkrootkit, a tool to locally check for signs of a rootkit, is constantly tested on FreeBSD 2.2.x, 3.x and 4.x, not without a reason.
Read the paper Attacking FreeBSD with Kernel Modules: The System Call Approach, written by pragmatic/THC in June 1999, to get some idea of how well those issues were understood three and a half years ago. This is only one paper, the first thing about FreeBSD rootkits I just found.
So, of course it's funny what you said, and of course your Mac is indeed much more secure than the average Wintel box out there, but it doesn't mean there's no spyware. Your Mac is not a toy, it's a powerful Unix box under the hood, which may mean that it's harder to exploit than a Windows box, but it also means that when it is exploited, it's probably easier to write and install spyware there (like a simple kernel module which would intercept the read syscall, for example). Never forget about that.
-
Re:Snosoft security...
Um, no. Many operating systems were affected by that, including OpenBSD, FreeBSD, NetBSD, and Linux. Observe.
-
Packetstorm.....
Yeah this really is depressing. However, another site I like in case any of you are unaware is Packetstorm. I like it a lot and so far it hasn't sold out.
:-( -
crypto.radiusnet.net is a joke
Hi all,
I think we'll all find that this ends up being less of a problem than it seems to be, and certainly one unworthy of Declan's attention. The first thing to consider is that of the couple of security/crypto archives out there (Wiretapped, munitions.vipul.net, the old zedz.net site, Packetstorm), the crypto.radiusnet.net one is the only one of the group that is out of date, disorganised and discourages mirroring. Look over the site, and you'll see what I mean. The second thing to consider is that (as another poster has already mentioned) PGPi.org has the explicitly freeware versions of the software available on a number of mirrors worldwide, and does not appear to have been made a target here.
Conspiracy theories aside, if they were mirroring commercial versions of the product, NAI is well within their rights to pursue them, and I'm sure the other legitimate crypto/security archive sites will be glad to see crypto.radiusnet.net stop sullying their good names by association.