Crackers Preparing Massive DDoS?

Tairan writes: "Crackers are using two exploits to ready another distributed Denial of Service attack. MSNBC.com is reporting there are at least 560 computers infected. CERT claims it 'poses a significant threat to Internet sites and the Internet infrastructure.'"

Re:Three Letter Acronym

[phutureboy]

TLA == Three Letter Acronym (ie, CIA, FBI, NSA, DEA, etc.) alternatively, They Liberate America. ;-)

Ah. Now I understand, although I can't think of what they liberate us from, except our hard-earned money...

--

Re:We'll Never Know

[Chuq+Roast]

Well, CERT doesn't seem to be be taking this lightly in any case. I've seen a few posts about there being only 560 compromised hosts and how that isn't enough to perform a decent DDoS on anything but a tin can and strings. Uh, not quite: that's 560 hosts in one incident that has been reported. There have been around a hundred incidents reported, and while I'm sure that 560 hosts weren't compromised in each incident, I would bet you that the number is a lot greater than one for more than a few of them.

CERT seems to be following up on most every lead they can and contacting everyone they believe to have been compromised and urging them to take measures to protect their systems and networks where possible. I am personally aware of a few hosts (which have since been secured as well as possible) which I do not control, but which were involved in a separate incident involving another rather large volume of hosts that CERT followed up on.

So it would seem to me that the folks at CERT, at the very least, are just being careful. As the old saying goes, an ounce of prevention is worth a pound of cure -- and it's no different with computer security.

Re:Personal experience with crackers

[Inoshiro]

As the 'security guy' for my home, Kuro5hin.org, and other firewalls I've setup for people I know, I can tell you that:

"after all, a bunch of them are probably not even very much up-to-date and it takes a lots of time and experience to secure properly a Linux server. "

Is wrong! It's very simple: you need three things to lock down a box from remote root: nmap, lsof, and kill. Find what's open (nmap scan TCP), find out what 'owns' the port (lsof), and kill it. Then set your system to not run it. The RPC services should be turned off without even bothering to check if they're running -- every distro has them one by default (why!?). ps -ax|grep rpc .. kill. Then go and chmod -x all those binaries. No remote root. Simple, effective. You could probably have perl scripts do it :-)

Otherwise, it's just watch bugtraq, watch your box, and be suspicous. Oh, and don't run Washington University code ;-)
--

Re:Sys Admin ignorance is the main reason

[d^2b]

One thing nmap does not seem to check for
is TCP wrappers; it reports a port open,
but TCP wrappers may drop all connects to that
port.

Re:Only 560

[Naikrovek]

Its not that simple. One user on one 56k modem can completely saturate a T3 if he knows what he's doing. 560 machines on higher connectivity boxes can not only fill one T3, but hundreds. Thousands.

If I have a one machine that can access the net, I can ping spoof thousands of boxes, (this is still a problem) who in return all reply the ping to hostX. hostX feels the punch of 100's of boxes pinging it, even though those pings all came from one machine. Now imagine 560 machines doing the same.

If hackerX can find 560 machines to compromize, he can find thousands of hosts who's routers are not configured to block ping spoofs.

Its not the 560 machines that will be the ammunition, its the incorrectly configured subnets that will actually do the pipe choking.

OT: Re:Revive the demo scene

[KodaK]

"...no one from the DOS demoscene ever releases source code!"

As an aside, most demos "back in the day" were written in assembly language, it was sort of a given that you'd have access to a disassembler and be able to reverse engineer algorithims, if that was your thing. That's how I learned pretty much everything about coding on my Amiga (well, that and the rom manuals...)

Wow, that brings back a lot of memories of DOS/Amiga demoscene flamewars:

"Yeah, DOS demos can be good, if you have
an Orchid and a Soundblaster, but the hardware's
standard on an Amiga!"

Re:Wow, you are brilliant!

[criticalrealist]

When are we going to learn? Sysadmins are treated like peasants in any organization, corporate, educational, or other. As the net increases in importance, the more it looks to me like the most despised members of society (geeks) are responsible for keeping everything working. Can you say exploitation? I speak as a former sysadmin who is now in law school.

Onward, revolution.

Another victim here

[Gene77]

I went down for a bit about two months ago. I had just gotten a DSL connection and had installed Red Hat 6.2. While I was working on my firewall, I ran an errand for my wife (note to self: bring down interface when no firewall is present). I came back from the errand, finished the firewall, updated my software (oh my! I think I need this WuFTP update!), built my md5 database and was good to go.

I started getting a DoS on myself as I noticed that I could hardly get *anywhere*. So much so that I kept dropping off my ISP's network (of course I was suspicious of my new ISP). When I checked the logs, it was clear that I was in the process of "attacking" other people. Only, here's the irony, my firewall was working well enough that I (being anal, as I am) was not actually succeeding in doing so (all the packets were being denied, and my logs were flooding). A look at my process table showed "t0rn" taking the bulk of my CPU power and basically just spitting and sputtering, not being able to do much more than be a pain in my butt. Still, I had to rebuild my machine since I determined that /bin/ls had been ovewritten and I had no idea what else they had done.

I would like to note that OpenBSD was installed later that evening. Funny how your experiences influence your platform decisions, eh? :-)

Re:Don't use NFS...

[CvD]

Yeah, I'm getting to see that now. I was thinking of just using SMB shares under Linux. I need some form of network filesystem. Coda sounds good too, but I haven't had the time to look into it. Thanks for your suggestion.

Cheers,

Costyn.

Re:Victim Report

[CvD]

I am aware of this, but since the hacking work I saw in my computer looked pretty amateuristic, I assume that there was no root kit nor did there seem to be any strange open files (unless 'lsof' was replaced too). Of course, one could say that this is just a cover. I'm installing a serious firewall at the moment. I will see how it goes. A clean install is not something I have time for at the moment, and neither is my box that important.

Cheers,

Costyn.

Re:Victim Report

[CvD]

There are some good articles out there. Check out Armoring Linux which has some really nice tips & tricks on how to start out securing your box. Of course, I hadn't done it yet, cause I wasn't that paranoid... however, minds change. :-)

Cheers,

Costyn.

Re:false alarm

[ryanr]

They were also worried about a DDoS attack about 3 months before the first ones actually happened. There were some BoF sessions in November, December, and January. The big DDoS attack hit in February.

Not too PC

Don't call them "crackers" -- Call them "Caucasians" or at least "White Folk".

Re:Mommy...where do root kits come from?

[ryanr]

http://www.rootkit.com

Re:Must be time for another round of Funding...

[dalraun]

Just out of curiosity, what kind of hardware do the root servers run? Is each root server actually a cluster or are they each just a Really Big Machine?

This came up in a slashdot article some months ago called "Sun no longer the dot in .com".

The answer is, the a.root server used to be a Sun Enterprise 10000, but was replaced by an IBM RS/6000 S80. Both would qualify as "Really Big Machines" in my opinion...

There are several root nameservers, in disparate locations...

- B.ROOT-SERVERS.NET
128.9.0.107

- J.ROOT-SERVERS.NET
198.41.0.10

- K.ROOT-SERVERS.NET
193.0.14.129

- L.ROOT-SERVERS.NET
198.32.64.12

- M.ROOT-SERVERS.NET
202.12.27.33

- I.ROOT-SERVERS.NET
192.36.148.17

- E.ROOT-SERVERS.NET
192.203.230.10

- D.ROOT-SERVERS.NET
128.8.10.90

- A.ROOT-SERVERS.NET
198.41.0.4

- H.ROOT-SERVERS.NET
128.63.2.53

I take this seriously

[craw]

I kind of surprise by the lack seriousness displayed by some of the posts. Well maybe I shouldn't be surprise. But the rpc exploit is well known and has been a real source of concern as displayed by the various CERT advisories/current activity reports. Keep in mind that CERT is not a TLA.

Last week I downloaded some code, from a popular security web site, which demonstrated this exploit. I was trying to convince somebody that he had to immediately apply the RH patch. So I compiled and ran the program. What the program essential did was: cd /;ls -alF;id

Nice, user id 0, group 0.

BTW, if you do run nfs/portmap, then please use a firewall to block port 111. Furthermore, it also very highly educational to run some net logging software. You'll get a sense of what the script kiddies are looking for.

Re:Revive the demo scene

[tracktwo]

Three cheers for that idea! I've been wishing the demo scene would find some life even without the extra incentive of deterring script kiddies--demos are just plain cool!

I've been hoping for this too, but I fear it might be impossible. I don't mean we can never have a demoscene again, but we can't ever have a similar demoscene again.

A lot of the fun, for me anyway, was in the bare-metal coding. That's exceedingly difficult today. There was a certain charm to working directly with the VGA, it was a lot of fun, and a great learning experience. You can't really do the same thing these days, with the huge variety of video cards on the market. Besides, the reason it was fun was also because it was very primative :) Making a cube that rotated around with nifty plasma backgrounds was cool in '94, but nowadays....

Writing a demo in OpenGL, with "put a cube here, rotate it this much" isn't as appealing to me as the old way. It allows you to do way cooler effects, much easier, but its just not the same. There's something about doing the math for your own 3d effects that makes it more rewarding, IMO. But, I'm just a tired old crank who's sick of programming anyway. Less API, More Math!

The problem with this is that the public will not

[eclectro]

look at this with a critical eye. It's just another story that tells the public that anybody that programs a computer is a cracker. And they accept it blindly.

In the MSNBC article, they have a box 'The history of Hacking', which has Emmanuel Goldstein as starting 2600 as a clearinghouse for hackers, and the last page Masters of Reverse Engineering (MORE) noting the DeCSS player.

Forget that we wanted to play DVDs on linux. Forget that we have a right to reverse engineer. Forget free speech.

We're nothing but a bunch of outlaw hackers.

Personal experience with crackers

[rngadam]

Due to my own laziness, one of my personal Linux home server was rootkit'ed and was so for at least a month before I discovered it by accident while investigating why top crashed (utmp was corrupted). It seemed that someone was running what looked like a covert IRC channel on my computer.

Once I reinstalled and locked it down (tcpwrapper, ipchains, scanlogd, disabling of services, packages updates, etc) I still got an awful lots of unexplained connections to port 40118:40120 (I still do, two months after, if someone can tell me what it is I'd be happy). I also warned any owner of those IP that did that, but they didn't seem to care too much.

I don't have an hard time believing that a very large number of Linux servers out there are compromised: after all, a bunch of them are probably not even very much up-to-date and it takes a lots of time and experience to secure properly a Linux server.

I always thought that RedHat (prime culprit because it is the largest deployed distribution out there) doesn't take network security seriously, especially now that RH can be installed and configured to offer various network services by virtual newbies.

Things that could be done by RH (and others) IMO:

1) Create a single reference called security.redhat.com where you could register to receive updates and/or have one of your server registered to be regurlarly and automatically evaluated (nmap'd for example) from a security standpoint.

2) Automatically install some of the pretty good detection and prevention tools!!

Re:Personal experience with crackers

[rngadam]

> 3.) Stop being so Lazy

Obviously, yes, but are you going some of the people installing Linux out there wouldn't even be able to secure their box even if they WEREN'T lazy...

With 24hours/day Net connectivity and Linux install widespread, this is a real problem.

Re:Red Hat

[n3rd]

You're correct about "solid default security configuration", but what *NIX OS (besides OpenBSD) comes with a good default security configuration?

As people have stated many times, in hundereds of posts before, it's the admins job to secure the box. I don't care if the *NIX I'm installing has a default root password of "password" and a 5 year old version of sendmail running on it. It's up to me to fix those things before I put it on a network.

Now, it can be argued that the vendor should fix these things. Sure, *NIX vendors should always put the latest versions of software in their distributions in order to prevent security breaches, but there are always exploits that come out after the CDs have been pressed and shipped. In which case (and it always is the case), it's up to the admin to apply the appropriate security patches.

So, no matter how good, bad or indifferent the default configuration of a machine is, it's up to the person who admins and/or installs the box to secure it for real.

False sense of security

[elbuddha]

...configure ipchains and ntsysv and hosts.allow, and you're secure.

In a word, no. That false sense of security is what gets a lot of machines compromised.

Security is a process, not a state.

false alarm

[adpowers]

I remember that they were afraid of a DDoS attack about 6 months ago. Nothing came of it. I don't think anything will happen with this either.

Re:It isn't Sys Admin ignorance; UNIX is flawed.

[YoJ]

I agree. The plethora of buffer overruns that allow arbitrary code to execute is a fault in Linux (and Unix). The i386 allows separate code, data, and stack segments. This means that the operating system can set up hardware locking to prevent execution of arbitrary code, or stack smashing. I'm sure there are other ways to cause unexpected behavior in programs, but if you remove buffer overruns and stack smashing that allow execution of arbitrary code, you've removed more than half of all security bugs. (I don't know if other chips have that feature).

Re:Wow, you are brilliant!

[mother_superius]

I agree. But the teachers are generally idiots when it comes to computers, and the classes at my schools have done NOTHING. I wish I could at least just sit at a computer for 1 hour a day learning from an O'Reilly book and get school credit. It's tougher to learn at home - I have a lot of homework (see paragraph 4 for more). Now, if I had a class, I could learn much faster a part I can't understand from a teacher, have him/her analyze the algorithms, etc. Drools...

At a private school K-2 grades, 1990- 1992, we had "computer class" every other day. We used this "logo" program that was supposed to teach you how to use computers or something. You moved a triangle around a screen using arrow keys to draw lines. It was totally useless and we learned nothing.

In elementary school 3-6 grades, 1993- 1996, there was a computer in every classroom. It was an Apple IIe (or however it is spelled). But there wasn't a class for those, they were to just play Oregon Trail during playtime. We did have a computer class once a week on some older Macs. They tried (and failed) to teach us how to type. I still don't have my fingers in the right place as I am typing this.

In middle school, 1997- 1998, Classes offered were typing and computer graphics. My older sister took the graphics class, and it appeared to involve combining cheesy pre- drawn graphics with text, then printing it out on a dot matrix printer.

In high school, (I'm in 10th grade now), I am in the IB program, which is a lot of work. The classes teach a lot, if ou're willing to learn, and cut a lot of the BS and the teachers are mostly good, especially English. I have 2 problems with the school: too many MTV loving preppies (I'm not going into that), and poor computer classes. For underclassmen, the classes taught are: HTML and Java website. This involves learning how to format text with Frontpage Express and (gasp) a scarce amount of Java. Typing - obvious. Graphics - probably only a little better than the class in middle school. For upperclassmen: C++, finally. Unfortunately, I'd much rather learn Perl, C, and Linux. Fortunately, Juniors/Seniors can take PSOP, which means I can take College classes.

My conclusion: public schools should do as the StarFace suggests, although it might be better to teach Linux or BSD, since its better with PC's.

They could give out a copy of the OS so kids could use it at home. In grade school, teach kids how to write some simple scripts. In middle school, teach how computers and the Internet work in general. Do some light Linux/BSD stuff, and maybe C programming. In high school, go into the configs, the kernel, and more deeply into hardware. I don't see any school teaching anything complicated about hardware. It could be partially integrated into other subjects, esp. math. Write algorithms to do some complicated problems, and some simpler ones. (who can find prime numbers 1- 100000? Make it as fast as possible.) In any case, the school system definately needs more in the area of computers.

Point

[cerulean_blue]

...and your point is what?

vi
i
"Enter your comments here!"
ESC
:q!

Re:Where can we report compromised computers?

[apsmith]

One reply mentioned the SANS GIAC - we haven't actually used it, though it looks like they do have good advice. But I'm not sure they actually do what you suggest, which I think could help a lot. As soon as we installed our firewall a few years back we noticed apparently coordinated scanning attempts from a wide variety of hosts - contacting any of them (even including copies of log info) gave us either no response or a "you must be mistaken, we've checked and we've never been compromised" responses. We basically quit there not knowing who else to report the problems too - at least with the firewall we could monitor things and feel smugly that we were much better off than we had been before it went in...

But a centralized reporting service like the Spam Realtime BlackHole list etc could make a big difference...

Re:Only 560

[Twiles]

A point is being missed here. There are 560 known compromised systems (there have shurely been cleaned). My guess is that there are at least 10 undetected compromised systems for every one that has been detected. If a DDos attack is being co-ordinated, we are looking at 6000 machines not 560 and most of these machines will be on T1 lines or better. The threat of a well co-ordinated attack looks very real to me.

A few points

- Many posters appear to be responding to the slightly misleading summary instead of the actual article. This is a general summary of known hacker activity since May (!)

- It indicates a pattern of scanning, exploitation of those two vulnerabilities, and installation of various flavors of r00tkits.

- This indicates that Red Hat sells software with an insecure default configuration. (In fact, many distros do. Red Hat probably earns its mention in the article by being the most commonly used, not the least secure. Each time I've installed a new distro, I've had to blip around the system manually stopping network services I don't need.)

- This problem could be minimized if distros simply came with non-critical services disabled, forcing you to manually enable the ones you want. This means the many, many clueless (who probably don't even know what security patches are) won't be running all the insecure stuff - in contrast to today, where the clueless run it *all*.

- This needs to be done *now*. It's in the distros' business interest to do so. If things continue as they are, this issue will remain a persistent threat to both the stability of the Internet and the reputation of the otherwise nifty Linux phenomenon.

Crackers? Terminology is all messed up.

[dmacon]

Since when did crackers do distributed denial of service attacks? OK, I understand slashdot's unwillingness to use the term hackers....but in this case it would be more correct, but not totally ofcourse because hacking and cracking are both legitimate activities as long as you don't break the law.....WHY NOT CALL THESE GUYS TERRORISTS, a MENACE TO SOCIETY or just plain CRIMINALS?

You don't need to crack anything to do a DoS attack!

Re:Crackers? Terminology is all messed up.

[isaac_akira]

Well, they did crack (gain unauthorized root-level access to) all the 560 boxes on this DoS network, correct? And since they so far have not actually BEGUN a DoS attack on anyone, the only crime they've committed so far is cracking.

- Isaac =)

Re:Wow, you are brilliant!

[jrockway]

I have to say that not ALL kids just use GUIs. I'm in high school and _hate+ GUIs...they waste time. Slashdot looks fine in w3m!

Re:Fresh RH6.2 Install

[flikx]

Last time I installed redhat (and mandrake), I recall the choice being left up to the user as to which services to run at start up. (the dialog was presented near the end of the install.) This may be available if you choose the "custom" option, as opposed to workstation/server/etc.

A quick run of linuxconf, and going to control service activity should present a simple interface for beginners to close things down. (provided that they at least start to RTFM.)

On mandrake, a quick msec 5 should lock things down like a prison. I may be wrong, but it seems that even a newbie should not have a hard time making a clean install reasonably secure.


Of course, no matter how much I brag about how secure my linux machines are, and how much time I spend securing them ... I'm sure that there's some prick out there who could bring my whole network down.

Re:It isn't Sys Admin ignorance; UNIX is flawed.

[jpowers]

No, instead, he uses Red Hat, with a spiffy GUI tool, and has no clue what on earth is going on his system.

Sure... if Joe User is installing it for a desktop. I've only been running RedHat and SuSE servers for about three years now, and I've yet to see one work right off the CD. I always need to configure something. The packages set up a default configuration-but that doesn't make the app work. You still need to edit, say, httpd.conf to get apache to run as a webserver.

Eh, it's more that you need to understand inetd, inetd.conf and whatever way your OS/distribution runs the bootscripts to turn the services off. (Not that that is enough to close all the ports). That is, if you can figure out which services you really need.

...or you can shut them all off at install and turn them on later very easily (with YaST). RedHat takes more work, but it's work you have to do anyway just to get the fscking thing installed.

How is "that's the way MS shipped it to us" different from "that's the way Red Hat shipped it to us" or "that's the way Sun Microsystems shipped it to us"?

Thanks for completely ignoring half of what I said. The answer is the expectation of ease. RedHat has none. M$ does. M$ writes its software for ease if install, and the install gui presents the end SA with the illusion that everything is taken care of for him. You should see the fscking mess we found on the NT box, and that was with someone we PAID to make it secure. I sat right there and watched the guy install it (never seen it before, you see) and talked to him about how it worked, etc. I've put it on a few other machines to see how it worked, it was like installing a game.

With the SuSE server, I had installed it as a desktop (by choosing single user, so no security) for someone to use and then had to switch it over to use as a server when one crashed, so it was wide open, and that was my fault.

The other linux box I set up with the server choice to begin with. I had to tweak a few apps to get them to work, and as I read the manuals(apache, etc), I watched for "if you want to be secure, do this" notes and followed them. That box passed. It's still probably an easy target for someone who knows what they're doing, but at least the hobbyists will have a hard time getting in.

So I reiterate what I said in my first post: The difference between linux and NT is that linux SAs are expected to do some work to get their server up and running, at the same time they should be making it relatively secure, which is not that much more time consuming. NT SAs are expected to slap the CD in, install IIS or whatever, and get back to their jobs as (in my mother's case) Tax Accountant.

I can't speak to your point about buffer overflows. If you're suggesting that NT is more secure for protecting against it, more power to you (and M$). Doesn't do much good once the end user installs Outlook, does it? Oh wait, that's in there by default.

-jpowers

Well duh

[LowneWulf]

So a great many boxes are getting DDoS tools installed on them these days. How does this indicate in any way that Internet Armageddon in on it's way? So they take down Yahoo for a day or something... it'd take one hell of an organized attack to bring down more than a few sites...

Re:Only 560

[Platypii]

also, most cable i've seen (including my own) is 128KB/s, i wouldn't be -pay $50/mo. for a mere 16KB/sec... Flemer's, Read This: yes, i know the difference between Kb and KB!

Using Portsentry to screw stuff up...

[Chris+Croome]

I one thing that worries me is the potential of crackers using Portsentry's use of ipchains to fsck stuff up -- for example in the UK a hell of a lot of HTTP traffic comes from the Planet Online cache in Leeds (cache.pol.co.uk) as ISP's such as Freeserve use them.... now what happens when someone spoofs this host connecting to a port that triggers Portsentry and your box vanishes for a tonne of people....


--

Re:Using Portsentry to screw stuff up...

[Parity]

Read the docs. The author says yes, this is a possibility, but he has had zero complaints about it actually happening in the real world so far.

Also, portsentry is entirely configurable. You can drop attacking hosts into hosts.deny, or block them with ipchains, or block them with route reject, or not block them at all and just dump a message to /dev/lp0 so you have a hardcopy log of the attack. Whatever. It's up to you.

If you -are- using IPchains and you know what you're doing, you should be able to set it up so that port 80 -always- answers and is -always- exposed to the whole world. This means the attacker can still read your web pages, yes, but hopefully your web server is secure. (Okay, maybe it's the least-likely to be secure thing on your box, but then, an attacker that wants in through your webserver can go to some host that hasn't yet been portsentried and attack the webserver, being careful not to trigger portsentry this time... )

Also, maybe some people are using tcpd only and not ipchains at all; so the host is still 'live' to the 'net but the service ports get closed leaving only pinging and other ICMP packets up.

Do whatever you think is best for your box. There is -no- best practice for this, because heterogenity of implementation is key to preventing predictable DoS exploints by turning your own security against you.

Anyway, I don't care if my home box disappears from half the net for six hours until I can manually rework things when I'm sure it was a spoof - OTOH, if you're a major e-commerce site, yeah, you'd better make sure your portsentry isn't going to close off your http!


--Parity

Re:locking down box

[josepha48]

If you read the article they said that wuftpd had been comprimized by the crackers. It is not that proftpd is better, it is that they know how to hack into wuftpd and have already exploited it. (At least taht was my understanding from the the other documentation that they had links to). This is mute anyway since my ipchaines are set up to deny port 21 from ppp and log requests to those ports.

I don't want a lot, I just want it all!
Flame away, I have a hose!

Re:Wow, you are brilliant!

[CoughDropAddict]

Your brother may be smart, but he's obviously not a computer geek. I have plenty of smart friends who don't know the first thing about the mechanics of computers. On the other hand, I suck at swimming, even though I like the water.

I was a high school senior three months ago, and I assure you I can chain IDE devices. I even manually short circuited the internal battery on my computer once when someone set a BIOS password and then forgot it (how's that for resourcefulness?). We are not extinct.

--

Only 560

[Scrag]

560 computers infected is not enough for a massive DDoS. Unless of course they were targetting someone on a dialup, which wouldnt matter anyway.
What was the problem again?

Re:Only 560

[Cramer]

Oh h*** yes you can. The source address of the packet (where you want the spoofed reply to go) is not within the ISPs network, so throw it away. Many large providers at meet-points started checking that years ago and threatened to stop peering with those that hadn't blocked it. I don't know that anyone still does that anymore.

(This is also necessary to prevent misconfigured multi-homed customers from sending you the wrong traffic or acting as a transit point.)

Re:Only 560

[iCEBaLM]

If I have a one machine that can access the net, I can ping spoof thousands of boxes, (this is still a problem) who in return all reply the ping to hostX. hostX feels the punch of 100's of boxes pinging it, even though those pings all came from one machine. Now imagine 560 machines doing the same.

I'm well aware of smurf attacks, I was just illustrating that 560 machines on "slow" connections coordinated make for a formidable foe. Of course using a smurf attack amplifies that, however I know trinoo doesn't support that kind of attack, I'm not sure about tribes. (assuming the cracker is a typical skript kiddie who wouldn't write his own "tools")

If hackerX can find 560 machines to compromize, he can find thousands of hosts who's routers are not configured to block ping spoofs.

The way ICMP works you will *never* be able to block "ping spoofs", the problem is blocking them on broadcast addresses (1 packet turns into many just by sending it to a broadcast address) which is the whole basis of smurf.

-- iCEBaLM

Re:Only 560

[Cramer]

People pay 10-20$ for 4KB/s (modem) or 7KB/s (ISDN)... most dual channel ISDN connections run in the 40$ range (and most are metered)

I'm out of range for DSL (I'm certainly not paying 100+$ for IDSL) and I cannot get a subnet via cable modem. (40$/month for a single static IP is ripoff.)

Re:Only 560

[iCEBaLM]

A full T1 is 1.54 megaBIT per second, which is 192.5 kiloBYTES per second.

-- iCEBaLM

Re:Only 560

[iCEBaLM]

Would 560 computers with cable modems (capped at 128 Kb/sec upstream) be enough for a DDoS? Probably not.

Lets take a bigger look at this...
(128Kb/s == 16KB/s) * 560 == 8960KB/s or 8 megabytes/s

That will take out a T3 or an OC-1 pretty handily.

560 dialup machines with 56k modems would be enough to flood a few dialup connections, or perhaps a cable modem or DSL line.

Again, a closer look (56k's only get 33.6Kb/s up):
(33.6Kb/s == 4KB/s) * 560 == 2240KB/s or 2 megabytes/s.

Enough to take out 10x T1's.

Don't dismiss the power of 560 machines so easily.

-- iCEBaLM

Re:Only 560

[n3rd]

Sorry, but I cannot agree with you.

Would 560 computers with OC3's attached to each one be enough for a DDoS? You bet it would.

Would 560 computers with cable modems (capped at 128 Kb/sec upstream) be enough for a DDoS? Probably not.

Also, keep in mind, this all depends on the target of the DDoS. 560 dialup machines with 56k modems would be enough to flood a few dialup connections, or perhaps a cable modem or DSL line.

Thus, as for the question "is is enough for a DDoS?" the answer is "it depends on the connections that the infected computers have and the target."

Re:MSNBC Headline: "Hackers amass new zombie army"

[ptbrown]

Yeah, I first saw that headline in a slashbox and thought, "Gee, I don't remember moving SegFault this high on the page?". (It was actually SecurityFocus)

Well, this explains why Al Gore wants to sell :)

[weston]

After all, what good is the internet going to be after this?

Re:Victim Report

[OA]

I have cable connection and use Linux as my gateway. Since I set almost all (except ssh) server port closed by ipchains, i did not get infected. (But have log to look at.)

Looking at my log, I had several funny ftp, rpc, snmp, http (111, 53, 80, 21, 161) attacks last one week. Since their connections are denyed, I do not know how serious attack was. But pattern and frequency proves it serious.

Some ftp attack seems to be spoofing their source IP as local net IP (192.1268.1.13).

(FYI: I use debian and my modified ipmasq setting is on my web.)

Re:Stupid Netscape Question Marks!

[RobNich]

You're right, I meant that, not Unicode. By the way, I write all of my pages using a text editor (emacs, notepad, or Edit Plus, my fav.), and I never leave any of the following chars in plaintext: ' " < > &

I use PHP, and if I have a form that lets the user input text, I make sure to use htmlentities() on it before displaying it. Why?

(A) It keeps weird characters from being displayed incorrectly. Hell, they could be using a Mac or an AS/400 to display the page. The browser knows better than I do that they are using ASCII, Unicode, EPCDIC, or whatever.

(B) It keeps them from embedding tags that would screw up my formatting and layout. The most important tag to keep out is <SCRIPT>.

Right now I'm working on a function that will allow only certain tags and make sure that they enter matching pairs of them. /. does this correctly (I think...). Check out an ebay listing to see how they take care of it:
"</blockquote>
</blockquote></blockquote></center></center></st rong></pre></em></font></dl></ul></li></h1 ></h2></h3></h4></h5></h6>"

No shit.

We'll Never Know

[n3rd]

There really isn't much to say about this article execpt for good old rampant Slashdot speculation.

So some people found some trojans that could be used for DDoS attacks on a few hundered machines. Does this mean a DDoS is "brewing" or ready to be launched? Hardly.

In order to know if something was coming, we would actually have to talk to whomever put those trojans on the machines to see what their motivation is, and when they plan to use them. Unfortunatly, this will more than likely never happen.

For all we know, this could just be some script kiddies person cache of trojans to take over IRC channels, not DDoS a large site such as Yahoo! or Ebay. Heck, maybe is the BOFH Users Group out for revenge on companies that have had enought of their antics and fired them. Who knows?

So, is a new, massive DDoS brewing? Unless one of the people who planted these trojans tells us, or a DDoS actually happens, we'll never know.

Re:We'll Never Know

[_deviant]

[...] So, is a new, massive DDoS brewing? Unless one of the people who planted these trojans tells us, or a DDoS actually happens, we'll never know.

Still, even if this one might not pose a threat, their will be one in the future.
It is good to think about that because, if such a scheme will work, hell, they can destroy the internet

Re:An attempt was made on my box...

[Gurlia]

A word of warning, unless you're running NFS stuff, and you use Debian, just remove the nfs-common package from your system...I've simply been turning portmap off (the service that's attacked), but running an update of the system always seems to get it turned back on.

I don't trust apt-get upgrade at all: sometimes it installs unneeded packages or stuff that you need to baby-sit (like a libc or Perl upgrade) to make sure everything goes OK. What I do is to run it in debug (no action) mode to find out what packages would be upgraded, and then manually select what I need or know is safe:

apt-get -s upgrade | grep -v Conf
apt-get install <explicit pkg list>

---

Media BS

This is no big deal. Hasn't anyone been on irc? Practically every kiddie on irc has his/her own dosnet, most with hundreds of hosts. People create them everyday, and have been doing so for years. Yes, years. This is nothing new, and its no big threat. If someone really wanted to 'take down the net', they would have already done so. But, a person like that has only one life, and that would be his/her life on the net, and why would he/she want to destroy their life? Point being, I am tired of seeing the media hype up stupid findings of 500 or 600 infected boxes, and calling it 'the end of the internet.' Every second a thousand boxes get owned and infected by some script kid. Does it really matter? No. Why not? a.) They don't know how to 'take down the entire net' b.) They're too busy packeting people on irc. End of story. Get over it media whores. No more dumb ddos stories, please!

Re:Media BS

[iramkumar]

They post , We discuss and the share prices of virus companies go up ...

Time to learn

Cool...

[cbwsdot]

Cool...
I hope my linux box is "infected".
I also hope the bank of new york gets attacked. I really cant stand those bastards.

Re:redhat is able to be compromised..

[trog]

As a sysadmin who specializes in security, I have to take issue with your statements. NO machine is ever secure, regardless of OS. Any machine can be compromised.

First on OpenBSD: ever run nmap on a fresh install of OpenBSD? Both sendmail and portmap are happily running BY DEFAULT. Two of the most insecure applications ever written. All OpenBSD really does is give it's users a false sence of security.

Secondly, on Red Hat: It is my opinion that the reason that Red Hat is getting this attention is that it is by far the most used Linux distro. I often build systems based on Red Hat, because I know what I am doing.

You can spend hours and hours of time, securing a box, and if someone can use social engineering to get a username and password, it's all for nothing. This is the biggest issue when it comes to security.

(As an aside: I recently taught a seminar to a company on social engineering. They had never even heard of the concept before. Do you know what they do? Provide customer service for over a dozen banks. Scary.)

Re:Victim Report

[happystink]

Here is what confuses me: I have an account on my friend's box running RH6.2 , but rpc is not in inetd.conf and inetd is not even running (no use for it), but you can still telnet to port 111 from any host. I don't understand how to turn it off, what's up with that?

sig:

Re:Please read!!!

[alpha317]

And a hacker is someone who breaks into computer systems. As I said, the word has been manuplated by the media to mean something it's not. Pedophiles are not stupid, we understand that sex at too young an age can harm a child. Parents aren't any better, I saw a father and a girl who looked about 4 in the store the other day, and he kept yelling at her to shut up.

Re:redhat is able to be compromised..

[TheGratefulNet]

Both sendmail and portmap are happily running BY DEFAULT.

I don't believe this is true on 2.6 or later.

but I never said 'y' to sendmail or portmapper - its been a while since I've installed my obsd box but I don't believe sendmail as a daemon runs. and when you install qmail, it does wipe out any 'badness' that sendmail (the pkg) might have done.

All OpenBSD really does is give it's users a false sence of security.

troll. backup your assertion: name any significant security issue of obsd 2.6 or later. even in the default install. I've checked its buglist - have you? or are you just blowing smoke (which I suspect).

I often build systems based on Red Hat, because I know what I am doing.

anyone who knows what they're doing can secure a unix box; the point is that linux attracts a lot of inexperienced unix users (who have little or no admin background). as such, if linux is to stay viable in the server market, it must protect its image. you cannot do this if your default install is very insecure by default - that's all I'm saying. and redhat, even though its the most popular, is one of the most insecure distros.

--

Re:Wow, you are brilliant!

[Tower]

Hey - I started on a C-64 in BASIC (I was 6yro), and then I managed to work my way to machine code on the 64 and 128... By middle school (gr. 6-8) I realized that coding apps wasn't really all that fun, and I yearned for lower levels of understanding... Heck, if you can't figure out how to put two drives on one IDE chain, you need to spend a little more time reading the labels on the drives, and soon you'll get it... if you really can't figure it out, check darwinawards.com and learn from them, or get a job laying asphalt. Really, with a few hours of training, anyone with half a brain should be able to read a PCI trace, much less figure out how to attach some IDE devices.

I ran GeOS on my C-64. GUI with a drawing pad and a little joystick for a mouse... it was then that I turnd against GUIs... NT4 (with the 95 GUI) almost won me back (along with KDE/GNOME), but there are just too many reasons to have a command line (if nothing else) available. GUIs are great - I'd hate to have to type 'netscape -install' on my workstation every time - it's much easier to click the KDE icon for the scraper. It is *much* easier to form a decent grep command than to use any 'find' GUI that has been invented yet. Faster, easier, etc.... Each has their own advantages, and (at the risk of sounding like management) we should leverage the synergy of these two paradigms to enhance our productivity by empowering oursleves, since without putting forth this initiative, we cannot attain the productivity we could achieve otherwise (ick).

You get the point.
--

Re:Knock knock, reality check

[Freedent]

And out comes the overreacter, bent on showing us how off the wall I am *L*.

You obviously have no idea how a govt. bureaucracy works. Try changing the pencil brand at the FBI. See how many levels of approval and form-filling that takes.

You're wrong actually, I have a decent idea of how gov't works, having worked there before. However, Not all branches of the government are so slow and ponderous, the SEALs are a good example of this. Besides, if the attack was done by the gov't, it wouldn't have to be (and probably couldn't be) something that was done on the spur of the moment, lots of planning went into those attacks, be it by a TLA, your neighbourhood script kiddy or someone else.

A DoS attack secretly engineered by the FBI is neither monitoring nor controlling, it's just rabid paranoia. The fact that crap like this gets moderated to 5 simply makes /. the haunt of hyper-caffeinated conspiracy theorists.

As of this time my post is still at 1, what are you talking about? Simply because you call it rabid paranoia, doesn't lessen the fact that it's quite possible that something like this can happen, or has happened. The fact that you seem to refuse to consider even the possibility of something like this makes it all the more likely that something like this could happen without "common" people knowing about it.

Well, you can't just point to X and say Y is true.

Not surprisingly, I didn't do that at all. I pointed to X and said that Y is possible. Read my post before engaging the auto-flame next time Mr. AC, thanks.

When govt. does things like carnivore, the people doing it make sure it is legal.

Absolutely wrong. Go read "A Gift of Fire" by Sara Baase. Specifically, check out chapter 3 (if I recall) which deals with the illegal wiretapping done by the FBI. The fact that wiretapping has subsequently become legal does not mitigate the fact that they did intentionally break the law for years.

Breaking the law doesn't hurt your career when your superiors see nothing wrong with it.

You're right in saying that evidence is required to prove that something is actually happening, but you don't need hard evidence to consider the possibility of a thing happening. If your mind is so closed that you refuse to even gauge the possiblities, I feel sorry for you.

NASA/E.ROOT-SERVERS.NET was attacked last week

[toastyman]

According to a few of posts on NANOG (North American Network Operators Group - see www.merit.edu for info), NASA's Ames facility was attacked on Friday, knocking it down for most of the day. NASA hosts E.ROOT-SERVERS.NET, which having it down is a "bad thing".

Re:NASA/E.ROOT-SERVERS.NET was attacked last week

[Detritus]

I was told that the problems were caused by a fiber cut, AKA backhoe fade.

Re:It isn't Sys Admin ignorance; UNIX is flawed.

[Abigail]

If you're suggesting that NT is more secure for protecting against it

No, I am not. I said that UNIX had a basic design flaw. I didn't compare UNIX with anything else.

-- Abigail

Re:Where can we report compromised computers?

[LiNT_]

You can try the incidents mailing list at security focus. I just recently subscribed myself but there is some pretty interesting information on there.

Incidents Mailing List FAQ

LiNT

Re:redhat is able to be compromised..

[trog]

Both sendmail and portmap are happily running BY DEFAULT.

I don't believe this is true on 2.6 or later.

Last time I installed 2.6, it was true. I have not played with 2.7 yet, so this may no longer be the case.

troll. backup your assertion: name any significant security issue of obsd 2.6 or later. even in the default install. I've checked its buglist - have you? or are you just blowing smoke (which I suspect).

Significant security issue: Sendmail and portmap are installed, by default, in 2.6 (I am unaware of 2.7). inetd is enabled by default (even though I believe everything is commented out). Better practice would be to default to tcpdaemon instead of inetd, and qmail instead of sendmail. Or to install neither by default.

(Try suggesting this to Theo. Enjoy the flames that follow.)

Are you so much a zealot that you believe that the only bugs that can ever exist in OpenBSD are the one's that appear on a buglist? This is not a troll; it just runs counter to your beliefs. This is what will get your systems compromised; complacency.

OpenBSD does have the right idea when it comes to security (compared to other free *nix), but you have to remember that you cannot ever prove anything secure. All you can honestly say is that, to the best of your knowlege, there are no known security issues. Security cannot be proven, but insecurity can.

It has been my experience that it is best to assume all machines can be compromised. A security syadmin then sets about the task of making things more and more difficult to exploit.

Besides, sucessful application of social engineering will foil the best system security ALWAYS. Thieves don't always pick a lock to get into a home; they break windows as well.

the point is that linux attracts a lot of inexperienced unix users (who have little or no admin background). as such, if linux is to stay viable in the server market, it must protect its image.

I agree with this stance, and am doing something about it. I am in the process of making security documentation that I have written available under an open documentation license (It is currently owned by my employer, so this takes a little convincing). I intend to submit this documentation to friends at Red Hat, in the hopes that it can be put to good use.

What are you doing?

..../

[linuxgod]

Its time to hire the lawyers.
If you get attacked get your $ and
your lawyers. You will be seuing someone.

Re:Victim Report

[Bill+Barth]

It seems to me rather than not installing NFS (as some have suggested to you), you might use ipchains to disable NFS access from all but your trusted systems. I.e. just drop the NFS request packets from systems that aren't yours. You should probably do this for any of the other ports that you have open, too.

General Question: Is it just me, or shouldn't a well secured distribution behave like this out of the box?

--

Are you nuts?

[ca1v1n]

I used to T.A. for my High School CS teacher's Pascal class. These were kids who wanted to learn. They were really, truly interested. The problem is, they just didn't have the talent. (Otherwise they would have been in the AP class, doing C++). The point is, some people don't have the talent. There are people in this world who are destined to be the ones who fix our cars and serve our food. THEY ARE GOOD PEOPLE. Many of them are highly motivated for self-improvement, but just because a system seems intuitive to you and I, doesn't mean the same is true for everyone else.

It's very true that there are many people who don't learn because they are lazy, but there's also a huge population that simply doesn't think the same way.

Crackers?

[Bohemoth2]

who is this "Crackers" and why is he doing this? ;->

Re:Victim Report

[ryanr]

They got me too... they didn't install a root kit either. I checked my packages with MD5 sums and all my binaries checked out.

You're aware that there are rootkits that will get around the checksums, right? They will hand over the original binaries when you request a read, but will serve up the modified binary when the OS requests an execute.

You can't be sure they don't have anything else on your box until you reinstall clean from known-good media. (And maybe re-flash the BIOS, though we haven't seen that trick used yet.)

Re:Wow, you are brilliant!

[mikael_j]

I'm not trying to sound mean or anything, but shorting out the battery is hardly complicated, most of the time it's even mentioned in the manual (or maybe I just need to get some newer motherboards)

Mikael Jacobson

Must be the UFOs

Do you seriously believe that these agencies orchestrated a DoS attack?

It's easy to come up with crap like this - maybe the Oklahoma bombings were done by the FBI to allow them to search u-haul trucks. Maybe all the plane crashes are sabotages from the FAA to get them extra funding. Heck, maybe all the car crashes are engineered by the highway safety administration.

While conspiracy theories are incredibly popular on /., consider what this involves - convincing hundreds of govt. programmers/mgrs/officials to launch an illegal strike against billion dollar businesses. These people get paid low salaries. Would you lay your career on the line and take the risk of going to prison if discovered, all for the sake of increasing funding for an agency that pays you $60K (after numerous performance reviews and a shitload of paperwork)? Please try to live in the real world and think of what it would involve.

It's stuff like this which makes /. look like the haunt of paranoid nutcases incapable of a level-headed, realistic analysis.

Some people seem to think the X-files is a documentary. Well, it's not. Most govt. officials (yes, even sysadmins) have homes, families, and a regular life. They don't take bullets for their boss.

There's one big flaw in your theory - the US govt. is funded by business. It would never do anything to destroy it.

Re:Must be the UFOs

[Freedent]

I don't think you have to convince a whole shwack of people to do the work it would take to set up and execute a DDoS attack. If it wasn't the gov't (I'm not saying either way), how many skr1pt kiddi3s do you think it took to set this up? A small handful I bet. Why wouldn't it work the same with some kind of weird covert computer ops inside an american TLA? It's not like breaking the law is new to them, how many illegal wiretaps were performed in the US in the 20th century... lots.

As far as it not being a benefit to businesses, I think you're looking at the short term at the expense of the more important long term. An increasingly monitered and controled internet (be it by coporations or by the gov't, which some would argue is just proxy for corps) makes it easier to do the things that make money, like user profiling and strict content access controls.

One thing I think that people forget when they say stuff like you did about X-Files and gov't employees, is that despite the fact that most gov't employees are regular people, some aren't. It doesn't take to whole lot of people to do covert type things, look at Echelon. Talk to any regular joe on the street and they'll tell you they'd never work in such a place, yet there's a whole bunch of people who actually do.

If even say 5% of the stuff that "paranoid" people believe is true, that's still pretty damn scary. The best way to ignore something like that is to turn off your brain and stick a label on them.

Re:Revive the demo scene

[Gurlia]

The problem with this is that today's philosophy is the Feed-Me-I-Want-Instant-Gratification philosophy. The so-called "user-friendliness" of GUIs like Windows just reinforce this. (Sorry, I know this sounds like rabid anti-M$ zealot rant, but this applies to today's GUI design in general.)

I'm not saying we should go back to the "good ole days" with only a bare command-line prompt, but IMNSHO software should not be designed to try to be everything. (Wizards, anyone?) Software should be designed to provide the necessary tools to get things done, but it should never attempt to be smarter than the user. The user needs to learn how to use the tools.

Why are script kiddies so abundant these days? 'cos they're so used to the click-on-button-and-it-does-everything way that computers work these days. A friend once joked with me that World War III might be started by a kid pressing a single wrong button on the nuclear launch controls...

What we need IMNSHO is a change in philosophy. Yes I know easy GUI's are good and perhaps even necessary for people who want to get things done without worrying about manpages and editing conf files. But for teenagers? Give 'em a bare command prompt and let them figure out how to configure X manually. Kids these days need to learn that the world isn't an instant gratification vending machine. You need effort if you want value.
---

Re:Sys Admin ignorance is the main reason

[ackthpt]

Or, considering who M$NBC is... it's FUD.

Vote Naked 2000

Tried Slackware?

[Arker]

Well, yeah, anyone putting a stock RedHat box on the net is an idiot. Anyone putting a stock *anything* box on the net is probably an idiot too. ;^)

However it's true that RedHat is particularly bad - that doesn't mean Linux is bad - RedHat != Linux. If you want a Linux distro that is reasonably secure by default, give Slack a try. I know it gets a bad rap for supposedly being hard to install, but 1) if you are using OBSD already that's surely not a concern for you and 2) when I finally gave it a try, I found it to be little if any harder to install than RedHat or Mandrake were anyway. The selection of packages available with the native package management system is smaller than the RPM collection, of course, but it usually includes all the important stuff and is very up to date - check out LinuxMafia if you need something that isn't included. Plus you can always compile yourself, use the included rpm conversion tools (rpms usually but not always will work fine after a quick conversion) or even install RPM if you want to. YMMV, but I've found Slack to provide a very nice middle ground between OBSD and RedHat.

Re:Tried Slackware?

[TheGratefulNet]

agreed, sw is about middle between obsd and redhat.

I use sw on my 'embedded' systems (mp3 players mostly) its a nice minimal install and yets its easy to install to (ie, it has gcc) ;-)

but still, there's something about the development model (ie, chaos) in linux that isn't there in the bsd world - at least as much as linux. and obsd has security -first-. I just really like that for public dmz boxes.

--

Re:Tried Slackware?

[tzanger]

If you want a Linux distro that is reasonably secure by default, give Slack a try.

Now I am a big Slack fan, been using it since it was still Yggdrasil (or something), bug are you mad?! Slack has some pretty big problems, too. Think RPC, wu-FTPd, sendmail, telnet, pop3d, all the small servers, etc., etc.

When I install a Slack7/7.1 system, I don't install any internet apps. No sendmail, no apache, no DNS. I then install the following (as necessary): qmail/nullmail, daemontools, BIND (I'm starting to take a closer look at DJB's DNS implementation), Apache (+mod_perl/PHP/SSL, etc.), OpenSSH, proFTPd and probably a half dozen others. I usually install stuff into /opt since I can then nuke or update it without worrying about it leaving bits and pieces around my filesystem; I just create softlinks to move binaries into the path as necessary.

Then I go through and pretty much nuke inetd (the only thing I usually leave is auth). I'm really liking svscan... D. J. Bernstein is a hell of a coder but why the hell can't he comment or write decent documentation? <sigh> I also set up multimail with most of the important logs, since syslog tends to run a lot of CPU if it gets too much data and also tends to drop messages on me.

Slack rox muh sox, but it sure as hell ain't secure on a default install.

Victim Report

[the_quark]

Ok, they got me. My main personal mailserver/web server/MP3 server got compromised. I upgraded the system (which had 390 days of uptime, woo-hoo!) in late August to Redhat 6.2. Due to the high quality of crack I've been smoking, I FORGOT to turn off rpc in inetd.conf. Whoops! I noticed this last week and fixed it, but I'd already been gotten by the rcp.statd. Interestingly, what tipped me off was the fact that the DDOS software essentially caused a denial of service against ME. I have a DSL connection, and the DOS software flooded my network so badly I started investigating why my network performance was so slow.

I have to rant a little bit, here - Redhat, is it SO HARD to make the default install be BASICALLY SECURE? Don't turn RPC on by default, for God's sake! The first thing I have to remember to do is to remove the really obvious security holes as soon as I install!

One nice thing about this DDOS activity - now, the script kiddies want my network bandwith. Used to be they didn't know what to do when they got in. The same system was compromised three years ago while I was on vacation, and the script kiddies involved did an "rm -rf /" as root. Ouch. This time was pretty easy to clean up from, by comparison.

But, whomever pointed out that the connections of the hosts are important - absolutely. I'm sure my puny 384kbps upstream didn't cause whoever the victim was any real trouble.

Tips for people who may be having the same experience:

First, I was tipped off by the very large numbers of collisions on my hub, and the massive traffic. I'd installed a bunch of new hardware and software, and, at first, thought something was broken. Additionally, I was running mrtg against my router, and the traffic saturation broke SNMP connections, so cron kept complaining.

Once I figured out the host the traffic was coming from, I started looking around. First of all, a command representing itself as "lpsched" was running with a very low PID (like 120) and had a child process representing itself as in.telne (I believe these were actually the same program). When I killed them, the traffic ended. After some research, I realized that the attackers had installed a trojan in /usr/sbin/init (which was then changing its program name as represented in ps after execution). /usr/sbin/init was being executed by /etc/rc.d/rc.sysinit, at the end of the file (placed here very nicely with a check to make sure /etc/rc.d/rc.sysinit existed).

Interestingly, they did NOT install a rootkit - I used SHA1 hashing and some custom scripts I wrote to compare the compromised host with a clean install of RedHat 6.2. All they did was modify /etc/rc.d/rc.sysinit and install the Trojan (they may also have edited log files at the time of intrusion). rpc.statd did spew a "I'm executing this obvious buffer overflow attack" in /var/log/messages; "grep rcp.statd /var/log/*" should give you some idea if you have a problem. In the rpc buffer overlow, they echoed to /tmp/m:

9088 stream tcp nowait root /bin/sh -i

and then, executed "/usr/sbin/inetd /tmp/m", essentially giving themselves a root shell on port 9088. What they did from there I have no record of, but, obviously, they installed the Trojan and moved onto the next one.

Good luck, out there...

Re:Victim Report

[CvD]

They got me too... they didn't install a root kit either. I checked my packages with MD5 sums and all my binaries checked out.

I installed the patch that Red Hat had made available, but you mention commenting out RPC all toghether. Wouldn't that toast NFS completely, which I use a lot? In my case they added two lines to /etc/passwd, one user with uid 0 and another normal one... they then logged into using telnet and left a 'backdoor' by setting up another telnet port on port 10023 (just in case I would switch off telnet but be too stupid to see the new entry at the bottom).

They also changed my root passwd. THis is how I discovered it. Of course, the rpc.statd nicely reported it was being buffer overflowed in /var/log/messages like in your case. Getting my root passwd was pretty simple, just reboot the machine into single user mode and change the passwd. I haven't found any other visible damage... No root kit, no trojans, no ddos tools. Who knows what they wanted my system for.

Hope this info can be of some use to someone somewhere when landed in a similar situation.

Cheers,

Costyn.

Re:Victim Report

[duffbeer703]

Wow... an informative post. Just wanted to point out that if you are used to Redhat Linux Mandrake is actually a pretty decent dist to think about for your next upgrade. It is essentially the same thing as redhat, except it generally takes less time for me to customize the system to where I want it. The nice thing about the installer is that it allows you to select a security level from "Welcome to hackers" to "Super-Paranoid". This security feature is not perfect, but it helps stop the careless mistakes we all make from time to time.

Re:Victim Report

[the_quark]

Well, in my personal case, almost all my systems have very few services - ssh, http on some, sendmail and named on one. I think most people these days don't use the rsh commands (or I certainly HOPE not) and it would be nice if the default install didn't leave stuff like finger, talk, etc. running. You should have to turn that stuff ON (IMHO). It was, of course, my fault. Just a little frustrated by it. As I said, it was certainly easier to recover from than my LAST cracking...

Re:Revive the demo scene

[SurfsUp]

I think the solution to script-kiddy wankerism is a revival of the demo scene.

How about fixing the holes? It's not like we haven't known about the problems with wu-ftp since forever.
--

Re:Sys Admin ignorance is the main reason

[__aanonl8035]

Being someone who has setup some Redhat servers for various companies I would like to make a few comments in reply to your post.

Many times a company does not have a concept of System Administrator. For instance where I work now I am a programmer. The company wants something done such as mail services or DNS and they come to you and say we need this and this and this. And so you give them options and they say "Oh, but we dont want to spend any money" So you setup a linux box and you go back to what you are suppose to be doing (in my case programming).

In on of my previous incarnations I was a Internet Technician for an ISP. Most of my days were spent battling with Sprint and TW Telecom. Setting up routers and trying to setup reporting. I had to monitor updates and potential exploits for a vast array of operating systems and equipment. Keeping up with BSDi, Redhat Linux, Windows NT, FreeBSD, Cisco IOS... blah blah blah... ate away at my time. And the company saw it as unproductive time because in the end the upper management did not see anything different.

I would also like to point out some personal experience that may not apply to everyone or everything in the Internet universe. It felt to me like Redhat Linux constantly needed updating and patching. The BSD derivatives seemed to require less work. And NT's exploits seemed trivial in comparison to a root exploit. Of course, NT was pathetic on handling loads or multiple services and needed to be rebooted once every week.

I just wanted to provide a perspective from the other side of the fence so to speak.

Re:It isn't Sys Admin ignorance; UNIX is flawed.

[Parity]

Alternatively, you could argue that it's libc that's flawed by making it so easy to create buffer overruns, as what's his name at http://cr.yp.to does, and so he uses instead a bunch of 'safe' functions to do 'String' functionality instead of using the unsafe libc str* functions.
Of course, lots of Unix people don't want to switch from C to C++ or Java where this kind of thing is the standard way of working, but a libsafeCarrays or something going into common usage would reduce this kind of thing drastically.

Though separating code and data pages is an elegant solution, though perhaps not a complete one. I'm not sure how many programs there are that have legitimate reason to modify executing code, but it's conceivable. I suppose we could just say that self-modifying code is too perverse an abberation to be permitted to live.


--Parity

Re:Three Letter Acronym

[Cramer]

BiT: But NNTP is four letters.
BOFH: <pause> Inflation.

(BiT == BOFH in Training)

Ok smart guy, how?

[xant]

Software should be designed to provide the necessary tools to get things done, but it should never attempt to be smarter than the user. The user needs to learn how to use the tools.

"I hereby declare a change in philosophy!"

These things don't just happen. I'm not going to go into whether they SHOULD happen - I just hate to see post after post of people declaring the way things should be with nary a word about how to make it work. At least the parent post had a suggestion - revive the demo scene.

With no further ado, I therefore present my own suggestions for "fixing the kids these days".

(1) The kids these days aren't the problem. Neither is the government, nor the corporations. You (my illustrious reader) are the problem. Get off your duff and learn a language, write some code, write some documentation, make something work that didn't. If you don't like the way computers work, if you see things that need fixing, do something to fix them. And try to throw something original in while you're doing it - too many programs out there now where people simply didn't check to see if someone had already written something to do exactly the same thing.

(2) In that vein, vote goddammit. (If you live in a country where you can't vote, move goddammit.) Bitching about throwing away your vote doesn't cut it any more - if you don't like the mainstream candidates, vote for one of the smaller candidates. Your vote will count for MORE; if Ralph Nader got 2 votes in the last election, and your vote makes it 4 in the next election, the pundits will be able to say his following doubled between elections. Political advocacy aside, your political activism will put pressure to change the things that cause script kiddiez, whatever you believe them to be. (Unless you believe the FBI is orchestrating the DDoS attacks--if so, I can't help you.)

(3) Finally, teach someone how to use a computer. If you say 'rtfm' on a regular basis, I have an acronym for you: 'uyfps' (use your fucking people skills). Don't wave your hands about how people aren't using computers creatively/constructively -- show someone how to use computers constructively, and teach them why. Give them some of your enthusiasm. A teenager whom you've taught to write a database app isn't going to try and bring down eBay, cuz he knows that'll hurt his job offers when he gets out of college.

Xant, maintainer of packet2sql, author of Repairlix, writer of documentation. (Not bragging, just doing a preemptive strike against accusations of hypocrisy.)

It isn't Sys Admin ignorance; UNIX is flawed.

[Abigail]

Linux is a different animal. It takes some work to configure one of these things. SendMail, Apache, Samba, X, whatever you need, you configure, and unlike NT, everything is "off" until you turn it "on", and not only by running YaST, but by endlessly tweaking relevant app.conf files.

One typically doesn't install "Linux", but a distribution. And what is installed by default varies from distribution to distribution, but most of them install much more (or make it trivially to install much more) than necessary. And there's no tweaking of config files - the packages do that for you. Joe R. User who comes from Windows would be utterly lost if he had to select everything (but nothing more) from Debian's dselect. No, instead, he uses Red Hat, with a spiffy GUI tool, and has no clue what on earth is going on his system.

You basically need to know the inner workings of the programs just to get them to run.

Eh, it's more that you need to understand inetd, inetd.conf and whatever way your OS/distribution runs the bootscripts to turn the services off. (Not that that is enough to close all the ports). That is, if you can figure out which services you really need.

forces the *nix admins to take all the responsibility for their systems while NT can just say "that's the way MS shipped it to us"

How is "that's the way MS shipped it to us" different from "that's the way Red Hat shipped it to us" or "that's the way Sun Microsystems shipped it to us"?

Consequently, the security audit my single-purpose linux ftp server failed last Thursday is my fault, but the NT guy gets to blame the MS-approved consultant who installed his fileserver.

Are you suggesting that if you had a Red Hat-approved consultant installing your ftp server, and the NT guy installed the fileserver himself, you were still to blame, and the NT guy could still blame MS?

Sysadmins of all stripes deserve SOME of the flak for the spread of viruses and the DDOS attacks from their exploited servers,

Sysadmins deserve blames SOMETIMES, but they shouldn't be blamed for the gazillion of holes Unix utilities have had over the past 3 decades, with no end in sight. Remember, sysadmins DO NOT write those utilities. Don't blame the sysadmin for being 20 minutes late in installing the latest security fixes. It's a never ending stream of holes, and sysadmins also need to do other things, like making backups, reading Usenet, drinking coffee and LARTing lusers.

But then, are utility writers at fault? Partially. 30 years of experience would suggest they know better, but the same bugs (buffer overflows) happen again and again and again. However, the biggest share of the blame has to be taken by the OS (and hence, its designers). It's a fundamental design flaw that the kernel does not separate code and data pages, and hence that buffer overflow errors can lead to execution of arbitrary code. That flaw disqualifies UNIX as being a secure OS.

And the sad, sad thing is, that a now popular Unix-like OS, which was written from scratch after more than 20 years of UNIX evolution into a wild variety of sub species makes exactly the same fundamental design flaw.

Don't blame the sysadmins for not being able to keep up with the never ending stream of buffer overflows. Fix the OS!

-- Abigail

Re:Revive the demo scene

[phutureboy]

Hell yeah - those were the days... at least on the Amiga they were...

Silents, Razor 1911, Complex, Cryptoburners, Melon Dezign, Fairlight, Crusaders, Skid Row, Kefrens, Andromeda... those cats flexed furious audiovisual skills on the Amiga's dedicated coprocessors. Most of them are working at game and 3D companies now, I imagine.

If anyone's interested, there's a very cool research paper called "The Hacker Demo Scene and it's Cultural Artifacts" at http://www.curti n.edu.au/conference/cybermind/papers/borzysko.html ...

--

Re:Sysadmins? You must be joking...

[jtev]

Well, it realy depends on the situation of the boxes in question. If the Windows 98 boxes are behind a corporate firewall and used as workstations for accountants or secretaries, then yes it is the system administrators fault. if they are in a home, then it is the owners fault, but the owner is acting as the system administrator, so still it's the system administrators fault. the fewer boxes one has to monitor the more closly one can monitor them the more boxes one has to monitor the more securly one should set up ones firewall.

Re:Revive the demo scene

[Abigail]

How about fixing the holes? It's not like we haven't known about the problems with wu-ftp since forever.

Yes! Let's fix the holes. But let's fix them once and for all: At the OS level. Fix the OS such that a buffer overflow cannot result in executing arbitrary code. Or else, for each hole in an application you close, 10 new ones spring up.

Here's a scary thought. How long till crackers and script kiddies start sending patches and/or become active developers for well used open source projects, intentionally introducing holes. Even if 99 out of 100 of such attempts get removed before the product becomes "stable", the few that make it to the next Red Hat or Debian CD make it a hax0rs delight.

-- Abigail

Re:Wow, you are brilliant!

[CoughDropAddict]

Not complicated, but resourceful I'd say. It's not as if someone said "look, there's the battery, short it out," it was a case of someone screwing with my BIOS and me needing to find a way to fix it.

I didn't have a manual, I just figured that the battery-looking thing probably was responsible for storing the time and all the other BIOS settings, so I figured shorting it out would solve the problem. Not bad for 15, or however old I was at the time.

--

Re:Revive the demo scene

[phutureboy]

Haha. Awesome links, especially the Linux demo ones. Optimum has some killer FX (w/ source of course) including one of Bill Gates morphing into Evil Gates

--

I can just see the interview...

[Carnage4Life]

CNN Reporter: I am reporting live from the offices of [insert TLA here] where news of the devastating Denial of Services [sic] attack has just been heard. Oh my God, What can we do? What does FBI think?

FBI spokesdroid:Like I said, if only they had let us install Carnivore in every ISPs server room, we could have stopped this.

NSA spokesdroid:Shutup fool, if only Echelon funding hadn't been stopped we would have nipped this in the bud.

Right-wing spokesdroid::Liars, liars, only installing censorware which blocks out images of "hacking" and "cranking" [sic] could have stopped this...

RIAA spokesfiend:Copy protection, ban Napster, steal consumer rights, kill, murder, hahahahaah.

CNN Reporter: Riiiiiiight. I guess we'll get nothing useful here. Back to the newsroom.

Re:Red Hat

[T-Punkt]

You're correct about "solid default security configuration", but what *NIX OS (besides OpenBSD) comes with a good default security configuration?

E.g. NetBSD.

stupid distros

[inciteful]

The real problem here is that most popular distros (read: redhat) have default configs designed for hackers. I set up a redhat 6.2 box as an ipmasq server... 2 days before it was compromised.

Re:Portsentry

PortSentry Homepage

Re:Must be time for another round of Funding...

[Animephiend]

if you think the government did the attacks... you are a giant flaming idiot.

Portsentry

[Eric+Green]

If everybody ran 'portsentry' and had no open ports listening on the Internet, things would be much better. Script kiddies could not know whether there was no computer at that address or if it was instead running 'portsentry' ('portsentry' tosses that host into ipchains so that no ACK is even sent), and thus would not be able to exploit the undesirable denial-of-service possibilities of 'portsentry'.

I am waiting for a distribution to come set up that way out-of-box... yeah, right.

-E

Re:Portsentry

[Prolog-X]

If you're using BSD, see the Deploying Portsentry article on BSD Today.

Re:Wow, you are brilliant!

[Woody77]

I agree with him, for a simple reason.

I started with a commodore, using the command-prompt, and moved up to a PC with a prompt, and that's how I learned computers, in elementary school. Probably not uncommon for the people on this site.

Now, my little brother never used anything other than 95. Loves computers, mainly games, but couldn't use a command-prompt to save his life, and can't even setup Master/Salves correctly on an IDE chain. Called me to try and help over the phone...

He's a smart kid, too.

He's a Senior and high-school, and can get into any school in the nation, from his test-scores and grades.

So why can't he figure out why the new game he installed whacked windows? Why can't he install a new HD? Because all he's ever used is point-click. He's never actually learned how things work.

One of my proffessors once made a statement about "experts", one I've also heard from a few now-retired computing columnists.

Essentially: A real expert does not know how to do 100 neat things (tweaks) with a piece of software (or other product). Instead, they understand fundamentally how it works. From that, they know how to do the same 100 "neat things", but they also know why those "neat things" do what they do.

Sorry, enough ranting on "kids these days...."

Re:just about every Unix!

Folks, this is not just a Red Hat problem; it's a problem that can affect just about every other Unix/Linux/*BSD (except OpenBSD) in its default configuration upon install.

It seems that every Unix/Linux/*BSD installs wu-ftpd and leaves portmapper wide open with a "server" configuration option... WHY?

And note that if you did the same on OpenBSD (rpc.*, wu-ftpd) you'd have the same vulnerabilities.

What is needed is education of sys admins to SHUT OFF port 111 and use scp instead of ftp; otherwise, put the server behind a packet filtering firewall...

The last thing we need is more distro wars and pissing contests :-/

~AC

locking down box

[josepha48]

I knew there was a reason that I started locking down my box this year. After reading a few articles here is what I suggest as a minimum.

First I dont run wuftpd, I use proftpd. That eliminates one of the areas of problems.

The second is I use ipchains to log on my ports taht might be scanned. This means that if someone scans my machines I have a log of the originating IP. Although this is probably not there ip it is a starting point atleast and can lead to other machines that they have comprimized.

Next I have a script that parses the system log, to check for things that came from a possible scan this run every 15 seconds. So that basically gives them 15 seconds to hack my machine. I hope they can do that other wise I hear festival go off saying I am being scanned. It needs som e work to be perfected, but it is a start at seeing if I am being scanned an dhacked. I am lucky though it is just one machines.

I am more worried about my machine at work. Several days ago someone else used my machine and they said they gave there password out to someone else who may have use the machine. This is total stupiditiy on that persons part for handing out her password, and yes I reported her to our security. If my machine is use in DDOS then I know who is going to get in serious trouble for it.

I don't want a lot, I just want it all!
Flame away, I have a hose!

Re:locking down box

[Dom]

First I dont run wuftpd, I use proftpd. That eliminates one of the areas of problems.

You really think that proftpd is inherently more secure than wu-ftpd? As far as I can make out, that's bullshit. If you really care about security have a look at stackguard.

Point being nothing can make a system absolutely secure but using invalid assumptions like that will get you nowhere.

Re:Wow, you are brilliant!

Or it could be that he never really found it important to learn.

Not everyone has your priorities.

Re:Wow, you are brilliant!

[Woody77]

Good point. He really doesn't try to learn. But he's very typical of the people that don't want to learn.

They complain that things don't work, but they don't want to learn how to make them work. In a word, lazy.

They are the same people that amaze me when they don't know why you're supposed to change the oil every so often in your car...

Re:redhat is able to be compromised..

[hedley]

I got hacked about a month ago and my machine (a RH 6.0 box) was made some hax0rs bitch for an mstream DDoS. I caught the problem about one 1/2 day after the attack. I now use the TrinityOS ipchains script on a RH 6.2 installation with the rpc.stats patch (enven though it is not needed) and have had no problems since with only ssh and AUTH open. I get probed all the time on these ports 21 23 111 137 139 143 27343. Interestingly
the hax0rs left behind their 3l337 script that copied over a compromised sshd etc and the server for the mstream agent.

Hedley

Re:I can just see the interview...(OT)

[MrNixon]

A quick comment on your .sig.

It is completely ... in opposition with the rest of your post. The "slashdot collective" couldn't made a more concise summation of all it's problems than your post. Interesting how that works.

Re:Wow, you are brilliant!

[Woody77]

Excellently groomed hair.... Impeccable dresser. Too bad he doesn't know a damn thing about our company's technology any more. (He manages support).

Re:Sys Admin ignorance is the main reason

[Garpenlov]

Now, I don't know how you would assess the skills of this particular administrator, but as for me, I would say that he is a completely and totally ignorant and most likely stupid to boot. What kind of kneebiter actually puts a box like this in the wild? Ok, here's a little contrast. I'm running a counterstrike server on a generic install of Redhat 6.2. Here's the results of an nmap:

turmoil# nmap -sS -O 206.173.xxx.xxx

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on ahl (206.173.xxx.xxx):
(The 1522 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh

TCP Sequence Prediction: Class=random positive increments
Difficulty=2103891 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds

That's it. Imagine that, a secure Linux box. What a novel concept.

Wow. You made a secure terminal. Congratulations. Now why not make a secure server?

Re:Wow, you are brilliant!

[Woody77]

He said he's in law school now, so he obviously stopped putting up with it... Hmm. Geek with a law degree. Now that's usefull!

Crackers Preparing Massive DDoS?

[8bahl]

Correct me if I'm wrong... Couldn't a server for example Yahoo.com who is receiving a DDoS attack set up a block on their routers from the IP address that is flooding them? (Not having too much networking experience may be very apparent in this comment, but it was just a thought.)

Re:Crackers Preparing Massive DDoS?

[verbatim]

I think your routers would still end up getting gummed up with excessive traffic. Yeah, your internal network will survive and your servers won't go down, but you'll still get flooded off the net.

It would be like barricading the doors to a walmart when you're selling furbies for $1.99/ea because of too many customers trying to get through the door. Your tellers will be at peak effenciency, but no legitamite traffic can get through.

Oh well... thats why we have co-locations people ;).

Re:Three Letter Acronym

[Goonie]

In this case, though, Mr 4Life is probably referring to Three Letter Agencies, such as the CIA and NSA, and more broadly the FBI, KGB, and similar agencies around the world.

Re:/. Generalizations make me sick

[Crass+Spektakel]

Why do I need a driving-licence but no education-licence?

Every amoebian may produce bloodthirsty maniacs and educate em by locking them up into a box in front of the TV.

I guess, children are just not worth it.

Ah, btw, I am definitly not a very religious person.

Re:Wow, you are brilliant!

[TobyWong]

Jesus, are you some kind of progressive omish order?

No, Jesus is down the street with the protestants, you must be thinking of brother klaussen from the amish order.

Re:Wow, you are brilliant!

[grahammm]

You should not have to always do it the hard way, but you should be taught/learn the hard way first. It is often more important to understand the 'why' rather than just know the 'how'.

For many people the computer is an important tool and they just want to get on and use it. However this is the wrong attitude and approach. As the computer is an important tool, people should learn how to use and maintain it properly. Users of other tools are taught how how they work, how to correctly use them and often day-to-day maintenance and elementary fault finding. So why should computer users be different?

Re:Lazy admins...

[Omar]

Maybe I wasn't really clear... I was referring to the hack itself, not the DDoS software. Oh well, not like it matters now :)

Wrong !

I recently installed my first Debian server install (and actually am still in the process of confugring it), but I learned some interesting things by doing that.
One of them is that it's the OS vendor's fault that linux distro's have such weak default installs. Debian is pretty decent securitywise in and of themselves, but even they do outright weird things like going with a firewall without rules and ACCEPT policies on all the rulechains.
The default should be completely locked up from outside to inside, opening up only ssh. If a user wants a service, he needs to not only install it, but activate it too.
If you do a regular install of, for example, red hat you get dozens of services running, from named to apache, to TELNET !!! Some of them useless and ancient history (telnet, r protocols), and some of them don't ever run on the same system. pop3 and smtp and apache and ftp. Show me a real professional server that runs all those, I dare you.
Now if you want to make an install that installs all these services then go right ahead, but please don't offer it as the default. Linux newbies will always pick the default, and when offered with the choice: install (y/n), they WILL pick "y", because that's the windows way of doing things, install everything, even if you don't know if you'll need it.
It's actually possible to make a default install that doesn't have a firewall and still doesn't open up ports to the internet. Imagine how solid it can be made when you add a decently configured firewall. I'm not asking for a default deny policy, just some common sense. Leaving ports 6000 and up open to the internet is EVIL.
So, to restate my opinion, it's redhat's fault that boxes get hacked. Because you don't need suid root stuff (yes, you can build a complete linux install where daemons have no access to suid root programs), and you don't need daemons running as root (check out tcpserver on cr.yp.to).

Re:Must be time for another round of Funding...

[Wariac]

Strange that this is Marked Funny...unless you mean its funny how paranoid this guy is, that would fit.

I would ask the CEO and shareholders of Yahoo how meaningless those attacks were. Not everyone forgets to take thier meds :)

What an "amazing" "Coincidence"...

[Dr.Dubious+DDQ]

At the same time as the dire warnings of the imminent doom of the internet due to DDOS attacks from compromised Unix machines, MicroSoft-NBC is apparently also sponsoring a "stuffed" poll (whether MSNBC is doing the stuffing or someone else I don't know), according to This story on Linuxtoday.com

Is there anyone but me that finds this to be an amazing coincidence that the Microsoft FUD machines are cranked up to full throttle the weekend after Microsoft ME is released (and is being thoroughly disapproved of according to the various reviews and "will you buy Windows ME?" polls around the net)?

Perhaps some rival news agencies would like to get some mileage out of MSNBC's activities? ...

Joe Sixpack is dead!

MSNBC

[gunner800]

I had never bothered to watch MSNBC before, and I hadn't checked out their web site either. After reading this report (and, of course, their "History of Hacking"), I'm not going to bother again.


My mom is not a Karma whore!

Re:Revive the demo scene

[JordanH]

• I think the solution to script-kiddy wankerism is a revival of the demo scene. Everyone uses GUIs now, so it's harder to program to the metal to make cool demos that cut the edge of technology.

A lot more potential crackers are involved today in the Linux scene than were ever involved in the demo scene. But, maybe you have a point, maybe these guys need something palpable to show for all their midnight hacking.

Seems like doing demos on Linux would be pretty cool. One problem. It's a lot harder to impress these days.

-Jordan Henderson

Re:Stupid Netscape Question Marks!

[Yath]

The likelihood that CT is using a browser that doesn't understand Unicode is remote. MSNBC is using a character set called Windows code page 1252, which is like the standard Latin-1 character set, except that it uses reserved positions for characters like smart quotes.

Modern browsers accept &#8220; and &#8221; for smart quotes, but Frontpage hasn't caught up yet...

windows character set

Re:Revive the demo scene

[Miriku+chan]

Future crew - 2nd unreality

A real Stacheldraht DDoS network discovered

[wzc]

For those of you who don't believe in DDoS attacks or just don't want to believe in them, please check out http://wzc.dhs.org/home/news/index.html and the news post dated 6th September 2000. This is a linux server which I run... it has been DDoSed many times this summer, each time, taking out the ISP on which it is hosted. I managed to log all the networks involved using tcpdump and other such tools. The reason for it being dossed? It runs an eggdrop on IRC hence the hackers DDoS the server to make the bot ping timeout, and take over the channel.... how sad.... So ppl, these attacks are for real.... we better suss them out... this is exactly what I did.... With help from one of my mates, I managed to determine the protocol used by the packetting agents (the agents which actually cause the garbage traffic) and wrote a little C program which makes them packet; if you care to visit wzc.dhs.org's news section, you will see that the server was setup to perform a scan of all the networks which I had logged (the scan was done by sending control packets to each potentially infected host on each network telling it to packet my server for exactly 1 second... if the host packetted my server, I knew it was hacked and running a packetting agent). The list has now been submitted to cyberabuse.org and CERT have also been notified about them (which is, I assume how this posting got onto here in the first place). I don't claim to be "Mr Expert" of DDoS attacks, but I did the scan due to my general anger against the hackers which were orchastrating these attacks against my server during this summer. If anyone would like to know more about how the protocol works, or would even like a copy of the C program which causes these packetting agents to packet, then contact me via the email on wzc.dhs.org's news page..... maybe I should post it publically so everyone can do their own DDoS attacks, and then... the admin of the compromised hosts might fix their hacked systems. Thank you for listening. ----- Mark Hedges (admin of http://wzc.dhs.org)

Re:Pssst! Everyone drop your pencils at 2:37pm!

[[egal]]

Agreed, 500 plus is easily enough to do some trouble. But then, 500 is nothing compared to the networks you can manage with +1 generation tools. They are however not ready to use and are mostly custom made (hence kiddis won't get thier greedy fingers on them), so, probably the real threat will be hidden behinde the lines. You will never know ! So, please, get back to work and FIX this very very very old bugs, its just not worth so many attation !

Re:Three Letter Acronym

[Prolog-X]

Here's the Jargon File entry:

TLA /T-L-A/ n.

[Three-Letter Acronym] 1. Self-describing abbreviation for a species with which computing terminology is infested. 2. Any confusing acronym. Examples include MCA, FTP, SNA, CPU, MMU, SCCS, DMU, FPU, NNTP, TLA. People who like this looser usage argue that not all TLAs have three letters, just as not all four-letter words have four letters. One also hears of `ETLA' (Extended Three-Letter Acronym, pronounced /ee tee el ay/) being used to describe four-letter acronyms. The term `SFLA' (Stupid Four-Letter Acronym) has also been reported. See also YABA.

The self-effacing phrase "TDM TLA" (Too Damn Many...) is often used to bemoan the plethora of TLAs in use. In 1989, a random of the journalistic persuasion asked hacker Paul Boutin "What do you think will be the biggest problem in computing in the 90s?" Paul's straight-faced response: "There are only 17,000 three-letter acronyms." (To be exact, there are 26^3 = 17,576.) There is probably some karmic justice in the fact that Paul Boutin subsequently became a journalist.

Re:Where can we report compromised computers?

Drop notes to intrusion@sans.org and read what other folks have found at SANS Global Incident Advisory Center

Re:Sys Admin ignorance is the main reason

[halbritt]

Well, I had a user at one of my sites today get DDoS'd of the Internet. As a matter of fact, we were receiving so much traffic my firewall at that site choked. I got a couple of packet traces. Basically it was a bunch of tcp syn packets going to random port numbers. I started nmapping the source addresses to determine if they were real or spoofed (spoofed source addresses typically consist of a lot of invalid addresses that don't actually exist on the Internet). It turns out that 80% of the source addresses in question responded to ping. After nmapping a few of them I came to realize that they were all Linux boxes. Here's the results of one:

turmoil# nmap -sS -O 216.17.xxx.xxx

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on xxx.dsl.frii.net (216.17.xxx.xxx):
(The 1506 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
143/tcp open imap2
511/tcp open passgo
514/tcp open shell
515/tcp open printer
1023/tcp open unknown
1024/tcp open kdm
3306/tcp open mysql

TCP Sequence Prediction: Class=random positive increments
Difficulty=1200108 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds

Now, I don't know how you would assess the skills of this particular administrator, but as for me, I would say that he is a completely and totally ignorant and most likely stupid to boot. What kind of kneebiter actually puts a box like this in the wild? Ok, here's a little contrast. I'm running a counterstrike server on a generic install of Redhat 6.2. Here's the results of an nmap:

turmoil# nmap -sS -O 206.173.xxx.xxx

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on ahl (206.173.xxx.xxx):
(The 1522 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh

TCP Sequence Prediction: Class=random positive increments
Difficulty=2103891 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds

That's it. Imagine that, a secure Linux box. What a novel concept. The key difference between *nix administrators and NT administrators is that *nix is designed to be remotely accessible thereby making it more subject to remote attacks. It is also possible to secure *nix. NT on the other hand is traditionally not as remotely accessible, which I think prevents it from being more of a platform for this sort of behaviour. However, if there's a security weakness, it's usually in there for a good long while and on top of that, it's difficult as hell to secure.

Fresh RH6.2 Install

[smnolde]

I just did an install of RH6.2 this evening for a friend of mine. It was amazing how much crap gets activated when you select 'everything' during the installation! He wanted everything, so he got it.

Needless to say, I turned off all listening daemons and promptly installed OpenSSH.

I see absolutely no need whatsoever to run telnet or ftp servers anymore. And my friend didn't need to have them running anyway on a dialup connection so I got rid of them. And even if he wasn't on the 'net, he still didn't need telnet, ftp, nfs, etc... running.

I agree that a good half hour of cleanup is required after any linux installation. Even if RH is a 'newbie-ized' linux distro, all the NFS, rpc, apmd, pcmcia, sendmail, etc... services should be turned off until the sysadmin turns them on.

I like the idea that I have a fully configurable, highly powered, and fully functional (free) OS. but dammit(!) let me turn the stuff on!

No newbie should be faced with NFS or identd on their first day. Let them learn the power of GNU/Linux. Don't blind them like a deer in the headlights, but give them turn up the dimmer switch.

eof

Re:Sys Admin ignorance is the main reason

[halbritt]

It is a secure server, what you missed was hlds_l (half-life dedicated server for linux) running on port 27015. Nmap doesn't scan that high by default. Hlds_l is not running as root and is as secure as I can make it in this environment. The point that I'm trying to make is that I'm only explicitly running the services that are needed, I understand what services are needed, and what the security implications are by running those services.

Re:Stupid Netscape Question Marks!

[RobNich]

Actually, it's because CmdrTaco was using a browser that displayed question marks instead of the punctuation marks that are in the article. It's because MSNBC was using Unicode characters to write the article, probably Frontpage or Word.

Mozilla is 'working out'. I use it about half the time (and I test every one of my pages on _all_ browsers).

Crackers are always up to no good.

[Richard+Stalinuxman]

Ask de homeys from da hood! De only good cracker be a dead cracker!

Must be time for another round of Funding...

[Robert+Hayden]

Remember a few months back when the DDOS attacks happened? Just before that, the FBI and CIA and a whole bunch of other TLA departments sent out huge warnings about "cyber-terrorists". Then *POOF* out of nowhere come these DDOS attacks. However, they aren't aimed at any important infrastructure (like the root name servers, for example!!!), but instead at a few well-known and public e-commerce sites.

OH NO! See, the evil cyber-terrorists have attacked and the TLAs must get their funding to stop it.

Suddenly....*POOF* the attacks _END_. No "bad guys {tm}" were caught, but the problem goes away.

Ooops, here come the FUD and scare tactics again! Time to eliminate some more civil rights to protect us from "cyber-terrorists" and make sure those TLAs charged with fighting this dragon are properly funded!

Maybe this time the feds will attack something on the net that really is meaningful instead of ebay and yahoo. Otherwise, I just ain't buying it.

Re:Must be time for another round of Funding...

[phutureboy]

What exactly does TLA stand for?

--

Re:Must be time for another round of Funding...

[tzanger]

um... good luck DDOS'ing the root servers. hope you have a couple million computers.

Just out of curiosity, what kind of hardware do the root servers run? Is each root server actually a cluster or are they each just a Really Big Machine?

Re:Must be time for another round of Funding...

[Spock+the+Vulcan]

TLA is a TLA for TLA.

Re:Must be time for another round of Funding...

[Mr+Z]

• TLA -- Three Letter Acronym.
• ETLA -- Extended Three Letter Acronym.
• VETLA -- Very Extended Three Letter Acronym.

Got that?

--Joe
--

Re:Must be time for another round of Funding...

[dirty]

Three Letter Agency/Acronym, or the Theater of Living Arts if you live in/around Philadelphia, PA.

Sys Admin ignorance is the main reason

[cOdEgUru]

MSNBC report states that most of the systems which are compromised are Red Hat systems,using a recent exploit, for which patches are available. These compromised systems are surely systems whose admins are either ignorant or crackheads who believes Linux or Red Hat is too secure to be compromised.

This again brings to light the eternal question which begs an answer. Is it the fault of the company behind the OS or the Sys admins who forgets to apply the newly released patches who are responsible for these attacks. My opinion would be the latter.

Any piece of code is liable to exploits, including Windows and *nix, and its quite obvious that the script kiddies behind these attacks do not envisage new exploits, rather piggyback on existing exploits for which users or admins might not have applied the patch. The fault I must say lies with the Admins.

As long as there are systems liable for attack, whether they might be open source or closed, there would be kids who take advantages of the exploits that arise from these systems. Rather than crying foul everytime a new exploit is released, the geek community should make sure to plug these holes, rather than pointing fingers.

As long as we dont plug the holes in the Internet Infrastructure which allows these kind of DDOS attacks, that would be the sanest thing to do.

My two cents

Re:Sys Admin ignorance is the main reason

[jerdenn]

I find it particularly interesting that if it is a Linux exploit, it is the fault of the "ignorant Sys Admin".

If it is an NT exploit, it is the fault of the OS manufacturer, even if there is a 'hotfix' or patch available.

I enjoy Linux as much as the next geek, but sometimes I'm disappionted by all the FUD coming from the same community that claims that they are the greatest FUD victims...

-jerdenn

redhat is able to be compromised..

[TheGratefulNet]

so when the hell is redhat going to even come close to the level of security that openbsd has??

I love linux and I wish it was more secure. I do tend to use redhat for my desktop boxes (it supports a lot of hardware and is the most well-known distro around, mostly). but I'd NEVER put it 'bare' on the net - for all to play with. that's lunacy.

for my public box, its openbsd. I got tired of my linux boxen getting hacked ;-( behind the firewall, linux is very nice - but just don't put it in its DEFAULT config on the public net. if you do, well, its just a matter of time before you're hacked.

but if redhat at least made the default config totally locked down, they'd enjoy a much better rep. and linux, as a whole, would take less abuse about security issues.

--

Re:redhat is able to be compromised..

[Karmageddon]

but what doesn't make sense about your post: if you like redhat so much, and are so knowledgable about locking down a box, why don't you use redhat on the net? It takes about 30 minutes to configure ipchains and ntsysv and hosts.allow, and you're secure. I too wish that RedHat would ship in a more protected configuration, but I don't let it stop me.

Re:/. Generalizations make me sick

[Freedent]

Yes, generalizations like:

- The masses of America are brainwashed.
- That it's by the "liberal" media.
- The media is all "liberal" in the first place.
- All liberals are cool with free speech as long as they can moniter it (wtf are you thinking here??)

I guess it's only childish and ignorant if you're not the one doing it.

Revive the demo scene

[YoJ]

I think the solution to script-kiddy wankerism is a revival of the demo scene. Everyone uses GUIs now, so it's harder to program to the metal to make cool demos that cut the edge of technology. That's what these dumb kids should be doing, actually improving their skills and learning something, rather than being destructive and 31337. I'm gonna wager than many Slashdotters know at least a couple kids that are probably warez dudes or 31337-haxors at night. Be a force for good in their lives; show them how they can create with a computer as well as cause problems.

Re:Revive the demo scene

[CoughDropAddict]

Three cheers for that idea! I've been wishing the demo scene would find some life even without the extra incentive of deterring script kiddies--demos are just plain cool!

A few links that are pertanent:

• www.scene.org - sort of a ground central for the demoscene today, the way I guess the Hornet archive used to be, though I didn't even know what a demo was when hornet was in business.
• Orange Juice, the self-proclaimed "demoscene information center, though I've never found anything useful there. Mostly pertanent to Europe, I think.
• The famous hornet archive, which shut down in 1998 but still seems to host something of an archive.
• A few budding Linux demo sites:
  
  • optimum.sourceforge.net
  • linux.scene.org
    
  
  

Personally, I'd love to see growth in the Linux demoscene, because even though there are lots of great (and recent!) demos out there, no one from the DOS demoscene ever releases source code! I'd really love to learn some of the tricks of the trade, and it's hard to even know where to start without being able to look at the work of the masters.

In case any of you have never seen a demo and happen to be running Windows, my personal favorite is Bakkslide Seven, made by the group Omnicolor. Even more impressive is the fact that it is 64kb in its entirety: music, graphics, and everything!

--

Re:Revive the demo scene

[cowbutt]

cd /mnt/cdrom ; find * -printf "%s\t %AH:%AM:%AS %Ac %p\n" | gzip -9 >/usr/local/doc/newcontents/cdname.txt.gz ; cd / ; umount /mnt/cdrom ; eject

Works for me. I just zgrep -i for a word that's likely to turn up in the file/dir name and it gives me a list of all the files that match and the names of the CDs they're on.

Re:Revive the demo scene

[tzanger]

Future crew - 2nd unreality

That's second reality, dude. And yes that was a cool demo, but there were many other cool groups out there. I've got most of them on one of my many "checkpoint" burned CDs. Basically whenever my hard drive gets full from my information packrat nature (N64, Z64, C64, electronics, RF, C, exploits, backdoors, cracks, satellite, acrobat files, email, packet mail (.QWK), my own software and hardware, etc., etc.) I burn the data out to CD and wipe the drive. Then I make a duplicate copy and keep it in a different physical location. It makes me feel good that I've still got the data and that if one copy gets destroyed that I haven't lost something I likely won't find for a long LONG time, if at all. URLs disappear, iformation gets lost. All I needs is a really great way to index it all (file_id.diz anyone?) and I should be able to pull out info from anytime from the early '90s on.

Re:/. Generalizations make me sick

[Paradise_Pete]

1) Liberals are just as bad if not worse. They want free speech but at the same time want to make darn sure that they can monitor all of it and get you on every little bit of it.

2) Slashdot posters need to stop mass-labeling many groups of people.

Nope, no contradictions there....

-Pete

Not the first

[led_belly]

This is not a new story...
it was first posted on ZDNet and was commented on by Geek Solutions. New Styles of DDoS will continue to pop up as the web continues to progress. It is up to SysAdmins to keep current.

Re:What for?

[cHiphead]

Idiot Mentality:
Comparing a Hacker Mentality to driving an 18 wheeler into the middle of the street and letting people wreck and not caring when people die.

Thats the brainwashing the government and corporate powers that be want you to have, so they can easily and without questions of rights gain jurisdiction against anybody *they* deem offensive to the people of the United States. Hackers are just people too. And of course, like in the real world, some of them are idiot assholes, but most of them are good people with good intentions. Don't punish an entire group of people just because there are a few bad ones.. Do you throw out an entire dozen eggs when just one or two are cracked? NO, you get rid of the cracked ones, you don't smash all twelve.


-=Gargoyle_sNake
-=-=-=-

Re:We'll Never Know - MOD HIM UP!

[BrynM]

This is a very good response. It deserves a better score than the sensational post it responded to, IMHO.

bm :)-~

Wow, you are brilliant!

[FunOne]

You're soo right! Kids today need more hard labor! They've been so used to instand gratification thats its NO WONDER that they've started this sort of thing. All kids are perfect unless something likes this takes them away from their chores. I know that only those TEMPTED BY THE DEVIL ever STRAY FROM THE PATH OF RIGHTOUSNESS!
[/sarcasm]

Jesus, are you some kind of progressive omish order?

FunOne

Re:Wow, you are brilliant!

[StarFace]

Yes! Going back and saying "well we had to do it the hard way." and using that as some sort of meter for crowds of people isn't really fair.

There is the same ratio of lazy people to motivated people today that there was yesterday. If you look around you see a lot of people on computers, but don't forget that when we were learning on computers that you booted on a floppy since harddrives didn't exist, the ones who were NOT motivated, simply didn't use computers.

Now, it is different, they use computers because they are practically a necessity, they still don't want to learn them though. If you look around, there are still plenty of people willing, and even anxious to learn things the hard way and understand the fundamentals of how they work. Same ratio, different set of parameters.

Re:Wow, you are brilliant!

[StarFace]

You are correct, I should have puts quotes around the second usage of "hard way" it was my intention.

This is why I think they should teach *NIX in the classrooms instead of just teaching you how to use word processors and spreadsheets. Some would argue that it would be learning the wrong environment since everybody uses MS products in the workplace, but I disagree. Since I've started using Linux I have learned far more about the fundamentals of a computer than I ever learned under DOS and Win32. I'm able to take that knowledge and use it in the Win32 environment easily.

The problem starts with the lack of education in the area of computers. As a regular highschool curiculum, you should take basic *nix fundamentals, basic C programming, maybe Perl, and a hardware course. Fourth year should then move to MS products, VBS and system maintence. Once you can accomplish tasks of this nature, you can very easily learn the simple programs such as making spreadsheets and typing research papers on a computer. It would be second nature at that point.

This isn't going to happen any time soon though. The computer market has way too much inertia in creating software for the dummies. This only leads people to take an increasingly 'dumb' approach to computing.

So, things are still as I have outlined in the original post. You have a division between the people who want to get their fingers dirty and those who don't. As you put it, they see it as a tool. It isn't the way it should be, I never meant to convey that.

Re:Wow, you are brilliant!

[HeghmoH]

Maybe your little brother simply isn't that interested in how they work, either. If he travelled the same path you did, maybe he would have gotten sick of them all and done something else instead. There are plenty of people who started out with GUIs and still managed to learn many deep things about how their computers worked. There are also plenty of people who started out with C64s and still can't properly chain IDE hard drives.

Sysadmins? You must be joking...

[Flat5]

RedHat is a consumer product. The vast majority of RedHat installs have no "sysadmin." They have a person who clicks a few buttons to install the damn thing and that's that.

When a Win98 box is exploited, is it the syadmin's fault? That question doesn't even make sense. And neither does it make sense to say that poor sysadmins are at fault for RedHat exploits.

Sys Admin ignorance is the main reason

[jpowers]

While none of us really need to get in another fight over which OS is better, I have to ask you to give your own post a second look and consider that your view of this situation may be too simple to be accurate: configuring and operating a linux server is different than doing the same with an NT box. For most NT servers, NT installs right off the CD, you fill out the networking info, and start making user logins. All services are either switched on from the control panel or by installing it off another CD with "autorun".

Linux is a different animal. It takes some work to configure one of these things. SendMail, Apache, Samba, X, whatever you need, you configure, and unlike NT, everything is "off" until you turn it "on", and not only by running YaST, but by endlessly tweaking relevant app.conf files. You basically need to know the inner workings of the programs just to get them to run. Of course, you get some pretty exact control in return, but it really does take a degree of effort just to think the program's configuration through. Not that you couldn't put the same time and effort into tweaking an NT box, but the distribution and marketing of NT don't encourage it. It doesn't make NT admins' sloth any less wrong than *nix admins', but the truth is that the culture and attitude that has developed around the two (NT is great because I slap a M$-approved CD in the drive, then sit in my big comfy chair all day and wait for it to crash v. Linux is great because I tweak the hell out of Apache to get it compatible with my perlcgi style then set hosts.allow to all:all because I'm too lazy to map my fscking users) forces the *nix admins to take all the responsibility for their systems while NT can just say "that's the way MS shipped it to us".

Sysadmins of all stripes deserve SOME of the flak for the spread of viruses and the DDOS attacks from their exploited servers, but M$, by taking some of the control over the system away from NT SAs, also must take a proportional share of the responsibility. Consequently, the security audit my single-purpose linux ftp server failed last Thursday is my fault, but the NT guy gets to blame the MS-approved consultant who installed his fileserver.

-jpowers

Don't use NFS...

[Svartalf]

NFS is grotesquely insecure. If you have to use NFS, use it behind a seriously locked down firewall box. If you can avoid using it, use anything other than it. SMB is also less desirable than others but it's design won't leave you open for these attacks. I suggest using AFS or Coda at this point.

MSNBC Headline: "Hackers amass new zombie army"!!

[Smack]

Can you believe that? Those evil hackers have figured out how to raise the dead and have them fight for them as a zombie army. Man, this is almost as bad as copying DVD's.

please mod parent up

[jpowers]

my personal favorite is Bakkslide Seven

That was beautiful. Thanks.

-jpowers

Re:Lazy admins...

[n3rd]

Yes, lazy admins are the problem, but just to clarify, this isn't an "exploit".

These machines were hacked (in ways that any other machine would be hacked DNS, rpc.statd, sendmail, etc). The person that hacked the machine then put the DDoS software on the machine for later use.

Lazy admins are the issue since they did not take the appropriate measures to secure their boxes (applying patches, setting up a firewall, etc), but the actual DDoS software was installed as a result of the boxes being hacked. Hence, the DDoS software is the result and not the cause of the hacking.

An attempt was made on my box...

[levl289]

I got a syslog mesage very similar to the one in t his usnet entry.

From what it looks like fo far, nothing was compomised, but it certainly makes you more aware of security issues...

A word of warning, unless you're running NFS stuff, and you use Debian, just remove the nfs-common package from your system...I've simply been turning portmap off (the service that's attacked), but running an update of the system always seems to get it turned back on.

Q: What do you think about American Culture?
A: I think it's a good idea.

Always need to be on the lookout

[mu_cow]

Wide-spread problems like these are happening all the time. This Register article from today has another exploit (not a bug, but very common misconfiguration) that has recently been used to compromise 160+ sites in the UK. A full explanation was helpfully dumped on one of the compromised sites, and they still haven't noticed (source www.ntk.net). If you read the explanation of the exploit it could have been used for any purpose including DDOS.

It is amazing how many computers can go down in one blow. As the hacker left in his explanation: "If you think education is expensive, then try ignorance"

Red Hat

[CentrX]

Red Hat is the least secure of the non-crappy distros (things like Corel, Caldera, or any UMSDOS distro are all crappy distros). Consequently, anyone who knows what they're doing, isn't going to use Red Hat if what they want is a solid default security configuration. Consequently, you can't base the "security of Linux" on Red Hat. Also, this whole thing is off-topic.

Chris Hagar

Re:What for?

[webrunner]

Unfortunately "Throwing out all the eggs" is a very common way of dealing with problems. Remember in grade school? One or two kids is loud, and then th eteacher says "One more word, and you'll all have to stay after class" anmd then one of those students says something screwing everyone else in the process
----

Basic securing

[digitalhermit]

This is a really basic way to check what ports are open on a Linux box:
Open /etc/inetd.conf and look for lines that do not begin with a hash (#). These are the services that inetd is listening for. Do not use the "grep -v '^#' inetd.conf" way of checking , as this won't alert you if the # is not the absolute first character on the line.
Ideally you should run nmap against your machine. Inetd will listen on the ports configured in the inetd.conf file. Other services may be listening directly to the port (apache, for example). There is a front end called nmapfe that automates the procedure. Run it against your local machine.
You could also try looking at https://grc.com then doing the scan network tests. This site is geared to Windows services but the probe is useful. Do not trust what the guy says in his FAQ because it's meant to sell his firewall product. He has some wrong information in there.
Once you realize that your machine is wide open, how do you disable those services? First, edit the inetd.conf file and then comment out the lines for services you don't need. Then restart inetd by doing a killall -HUP inetd. Go into LinuxConf and disable the other services. For now I'd suggest completely disabling wu-ftpd and rpc.statd until the fixes have been tested for a while.
As for any security, don't trust your box to this minimal information. There are lots of other ports open that I didn't address here. Do some reading!

Mommy...where do root kits come from?

[Sabalon]

Just a curiousity thing - I'm not activly looking. I'm just curious where root kits come from and how they get around. I have one or two that a few years old that I removed from another departments hacked machine.

Do they make their rounds via IRC? Usenet?

Expertise

[mce]

Regarding being an expert, I have the quote from some party unknown hanging on the wall of my office:

Be warned that being an expert requires more than understanding how a system works or is supposed to work. Real expertise is gained by investigating why a system does not work.

--

Where can we report compromised computers?

[stab]

I've been scanning the bait logs on my machine (I run a simple tcp listener on port 111, 23 and others to report scans), and over the last four weeks the rate of scans against the machine has gone up orders of magnitude.

Probes to port 111 come about twice a day, from a large range of IPs. These boxes could all be compromised, and being used as part of a worm attack, but I dont have time to track down the postmaster of each of the ip addresses and mail him/her.

Does anyone know if there's a service run by CERT or anyone to report possibly compromised hosts that turn up in our logs too?

If not, it would be pretty useful to have ...

Three Letter Acronym

[Anonymous+Coed]

TLA == Three Letter Acronym (ie, CIA, FBI, NSA, DEA, etc.) alternatively, They Liberate America. ;-)