Slashdot Mirror
Crackers Preparing Massive DDoS?
Tairan writes: "Crackers are using two exploits to ready another distributed Denial of Service attack. MSNBC.com is reporting there are at least 560 computers infected. CERT claims it 'poses a significant threat to Internet sites and the Internet infrastructure.'"
CERT seems to be following up on most every lead they can and contacting everyone they believe to have been compromised and urging them to take measures to protect their systems and networks where possible. I am personally aware of a few hosts (which have since been secured as well as possible) which I do not control, but which were involved in a separate incident involving another rather large volume of hosts that CERT followed up on.
So it would seem to me that the folks at CERT, at the very least, are just being careful. As the old saying goes, an ounce of prevention is worth a pound of cure -- and it's no different with computer security.
As the 'security guy' for my home, Kuro5hin.org, and other firewalls I've setup for people I know, I can tell you that:
.. kill. Then go and chmod -x all those binaries. No remote root. Simple, effective. You could probably have perl scripts do it :-)
;-)
"after all, a bunch of them are probably not even very much up-to-date and it takes a lots of time and experience to secure properly a Linux server. "
Is wrong! It's very simple: you need three things to lock down a box from remote root: nmap, lsof, and kill. Find what's open (nmap scan TCP), find out what 'owns' the port (lsof), and kill it. Then set your system to not run it. The RPC services should be turned off without even bothering to check if they're running -- every distro has them one by default (why!?). ps -ax|grep rpc
Otherwise, it's just watch bugtraq, watch your box, and be suspicous. Oh, and don't run Washington University code
--
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
Its not that simple. One user on one 56k modem can completely saturate a T3 if he knows what he's doing. 560 machines on higher connectivity boxes can not only fill one T3, but hundreds. Thousands.
If I have a one machine that can access the net, I can ping spoof thousands of boxes, (this is still a problem) who in return all reply the ping to hostX. hostX feels the punch of 100's of boxes pinging it, even though those pings all came from one machine. Now imagine 560 machines doing the same.
If hackerX can find 560 machines to compromize, he can find thousands of hosts who's routers are not configured to block ping spoofs.
Its not the 560 machines that will be the ammunition, its the incorrectly configured subnets that will actually do the pipe choking.
"...no one from the DOS demoscene ever releases source code!"
As an aside, most demos "back in the day" were written in assembly language, it was sort of a given that you'd have access to a disassembler and be able to reverse engineer algorithims, if that was your thing. That's how I learned pretty much everything about coding on my Amiga (well, that and the rom manuals...)
Wow, that brings back a lot of memories of DOS/Amiga demoscene flamewars:
"Yeah, DOS demos can be good, if you have
an Orchid and a Soundblaster, but the hardware's
standard on an Amiga!"
--J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
I went down for a bit about two months ago. I had just gotten a DSL connection and had installed Red Hat 6.2. While I was working on my firewall, I ran an errand for my wife (note to self: bring down interface when no firewall is present). I came back from the errand, finished the firewall, updated my software (oh my! I think I need this WuFTP update!), built my md5 database and was good to go.
/bin/ls had been ovewritten and I had no idea what else they had done.
:-)
I started getting a DoS on myself as I noticed that I could hardly get *anywhere*. So much so that I kept dropping off my ISP's network (of course I was suspicious of my new ISP). When I checked the logs, it was clear that I was in the process of "attacking" other people. Only, here's the irony, my firewall was working well enough that I (being anal, as I am) was not actually succeeding in doing so (all the packets were being denied, and my logs were flooding). A look at my process table showed "t0rn" taking the bulk of my CPU power and basically just spitting and sputtering, not being able to do much more than be a pain in my butt. Still, I had to rebuild my machine since I determined that
I would like to note that OpenBSD was installed later that evening. Funny how your experiences influence your platform decisions, eh?
"Man has always been his own most vexing problem." --Reinhold Niebuhr, "The Nature and Destiny of Man"
They were also worried about a DDoS attack about 3 months before the first ones actually happened. There were some BoF sessions in November, December, and January. The big DDoS attack hit in February.
http://www.rootkit.com
This came up in a slashdot article some months ago called "Sun no longer the dot in
The answer is, the a.root server used to be a Sun Enterprise 10000, but was replaced by an IBM RS/6000 S80. Both would qualify as "Really Big Machines" in my opinion...
There are several root nameservers, in disparate locations...
- B.ROOT-SERVERS.NET
128.9.0.107
- J.ROOT-SERVERS.NET
198.41.0.10
- K.ROOT-SERVERS.NET
193.0.14.129
- L.ROOT-SERVERS.NET
198.32.64.12
- M.ROOT-SERVERS.NET
202.12.27.33
- I.ROOT-SERVERS.NET
192.36.148.17
- E.ROOT-SERVERS.NET
192.203.230.10
- D.ROOT-SERVERS.NET
128.8.10.90
- A.ROOT-SERVERS.NET
198.41.0.4
- H.ROOT-SERVERS.NET
128.63.2.53
Last week I downloaded some code, from a popular security web site, which demonstrated this exploit. I was trying to convince somebody that he had to immediately apply the RH patch. So I compiled and ran the program. What the program essential did was: cd /;ls -alF;id
Nice, user id 0, group 0.
BTW, if you do run nfs/portmap, then please use a firewall to block port 111. Furthermore, it also very highly educational to run some net logging software. You'll get a sense of what the script kiddies are looking for.
Due to my own laziness, one of my personal Linux home server was rootkit'ed and was so for at least a month before I discovered it by accident while investigating why top crashed (utmp was corrupted). It seemed that someone was running what looked like a covert IRC channel on my computer.
Once I reinstalled and locked it down (tcpwrapper, ipchains, scanlogd, disabling of services, packages updates, etc) I still got an awful lots of unexplained connections to port 40118:40120 (I still do, two months after, if someone can tell me what it is I'd be happy). I also warned any owner of those IP that did that, but they didn't seem to care too much.
I don't have an hard time believing that a very large number of Linux servers out there are compromised: after all, a bunch of them are probably not even very much up-to-date and it takes a lots of time and experience to secure properly a Linux server.
I always thought that RedHat (prime culprit because it is the largest deployed distribution out there) doesn't take network security seriously, especially now that RH can be installed and configured to offer various network services by virtual newbies.
Things that could be done by RH (and others) IMO:
1) Create a single reference called security.redhat.com where you could register to receive updates and/or have one of your server registered to be regurlarly and automatically evaluated (nmap'd for example) from a security standpoint.
2) Automatically install some of the pretty good detection and prevention tools!!
In a word, no. That false sense of security is what gets a lot of machines compromised.
Security is a process, not a state.
I remember that they were afraid of a DDoS attack about 6 months ago. Nothing came of it. I don't think anything will happen with this either.
I agree. The plethora of buffer overruns that allow arbitrary code to execute is a fault in Linux (and Unix). The i386 allows separate code, data, and stack segments. This means that the operating system can set up hardware locking to prevent execution of arbitrary code, or stack smashing. I'm sure there are other ways to cause unexpected behavior in programs, but if you remove buffer overruns and stack smashing that allow execution of arbitrary code, you've removed more than half of all security bugs. (I don't know if other chips have that feature).
At a private school K-2 grades, 1990- 1992, we had "computer class" every other day. We used this "logo" program that was supposed to teach you how to use computers or something. You moved a triangle around a screen using arrow keys to draw lines. It was totally useless and we learned nothing.
In elementary school 3-6 grades, 1993- 1996, there was a computer in every classroom. It was an Apple IIe (or however it is spelled). But there wasn't a class for those, they were to just play Oregon Trail during playtime. We did have a computer class once a week on some older Macs. They tried (and failed) to teach us how to type. I still don't have my fingers in the right place as I am typing this.
In middle school, 1997- 1998, Classes offered were typing and computer graphics. My older sister took the graphics class, and it appeared to involve combining cheesy pre- drawn graphics with text, then printing it out on a dot matrix printer.
In high school, (I'm in 10th grade now), I am in the IB program, which is a lot of work. The classes teach a lot, if ou're willing to learn, and cut a lot of the BS and the teachers are mostly good, especially English. I have 2 problems with the school: too many MTV loving preppies (I'm not going into that), and poor computer classes. For underclassmen, the classes taught are: HTML and Java website. This involves learning how to format text with Frontpage Express and (gasp) a scarce amount of Java. Typing - obvious. Graphics - probably only a little better than the class in middle school. For upperclassmen: C++, finally. Unfortunately, I'd much rather learn Perl, C, and Linux. Fortunately, Juniors/Seniors can take PSOP, which means I can take College classes.
My conclusion: public schools should do as the StarFace suggests, although it might be better to teach Linux or BSD, since its better with PC's.
They could give out a copy of the OS so kids could use it at home. In grade school, teach kids how to write some simple scripts. In middle school, teach how computers and the Internet work in general. Do some light Linux/BSD stuff, and maybe C programming. In high school, go into the configs, the kernel, and more deeply into hardware. I don't see any school teaching anything complicated about hardware. It could be partially integrated into other subjects, esp. math. Write algorithms to do some complicated problems, and some simpler ones. (who can find prime numbers 1- 100000? Make it as fast as possible.) In any case, the school system definately needs more in the area of computers.
One reply mentioned the SANS GIAC - we haven't actually used it, though it looks like they do have good advice. But I'm not sure they actually do what you suggest, which I think could help a lot. As soon as we installed our firewall a few years back we noticed apparently coordinated scanning attempts from a wide variety of hosts - contacting any of them (even including copies of log info) gave us either no response or a "you must be mistaken, we've checked and we've never been compromised" responses. We basically quit there not knowing who else to report the problems too - at least with the firewall we could monitor things and feel smugly that we were much better off than we had been before it went in...
But a centralized reporting service like the Spam Realtime BlackHole list etc could make a big difference...
Energy: time to change the picture.
No, instead, he uses Red Hat, with a spiffy GUI tool, and has no clue what on earth is going on his system.
...or you can shut them all off at install and turn them on later very easily (with YaST). RedHat takes more work, but it's work you have to do anyway just to get the fscking thing installed.
Sure... if Joe User is installing it for a desktop. I've only been running RedHat and SuSE servers for about three years now, and I've yet to see one work right off the CD. I always need to configure something. The packages set up a default configuration-but that doesn't make the app work. You still need to edit, say, httpd.conf to get apache to run as a webserver.
Eh, it's more that you need to understand inetd, inetd.conf and whatever way your OS/distribution runs the bootscripts to turn the services off. (Not that that is enough to close all the ports). That is, if you can figure out which services you really need.
How is "that's the way MS shipped it to us" different from "that's the way Red Hat shipped it to us" or "that's the way Sun Microsystems shipped it to us"?
Thanks for completely ignoring half of what I said. The answer is the expectation of ease. RedHat has none. M$ does. M$ writes its software for ease if install, and the install gui presents the end SA with the illusion that everything is taken care of for him. You should see the fscking mess we found on the NT box, and that was with someone we PAID to make it secure. I sat right there and watched the guy install it (never seen it before, you see) and talked to him about how it worked, etc. I've put it on a few other machines to see how it worked, it was like installing a game.
With the SuSE server, I had installed it as a desktop (by choosing single user, so no security) for someone to use and then had to switch it over to use as a server when one crashed, so it was wide open, and that was my fault.
The other linux box I set up with the server choice to begin with. I had to tweak a few apps to get them to work, and as I read the manuals(apache, etc), I watched for "if you want to be secure, do this" notes and followed them. That box passed. It's still probably an easy target for someone who knows what they're doing, but at least the hobbyists will have a hard time getting in.
So I reiterate what I said in my first post: The difference between linux and NT is that linux SAs are expected to do some work to get their server up and running, at the same time they should be making it relatively secure, which is not that much more time consuming. NT SAs are expected to slap the CD in, install IIS or whatever, and get back to their jobs as (in my mother's case) Tax Accountant.
I can't speak to your point about buffer overflows. If you're suggesting that NT is more secure for protecting against it, more power to you (and M$). Doesn't do much good once the end user installs Outlook, does it? Oh wait, that's in there by default.
-jpowers
-jpowers
I don't want a lot, I just want it all!
Flame away, I have a hose!
Only 'flamers' flame!
Your brother may be smart, but he's obviously not a computer geek. I have plenty of smart friends who don't know the first thing about the mechanics of computers. On the other hand, I suck at swimming, even though I like the water.
I was a high school senior three months ago, and I assure you I can chain IDE devices. I even manually short circuited the internal battery on my computer once when someone set a BIOS password and then forgot it (how's that for resourcefulness?). We are not extinct.
--
560 computers infected is not enough for a massive DDoS. Unless of course they were targetting someone on a dialup, which wouldnt matter anyway.
What was the problem again?
After all, what good is the internet going to be after this?
Tweet, tweet.
There really isn't much to say about this article execpt for good old rampant Slashdot speculation.
So some people found some trojans that could be used for DDoS attacks on a few hundered machines. Does this mean a DDoS is "brewing" or ready to be launched? Hardly.
In order to know if something was coming, we would actually have to talk to whomever put those trojans on the machines to see what their motivation is, and when they plan to use them. Unfortunatly, this will more than likely never happen.
For all we know, this could just be some script kiddies person cache of trojans to take over IRC channels, not DDoS a large site such as Yahoo! or Ebay. Heck, maybe is the BOFH Users Group out for revenge on companies that have had enought of their antics and fired them. Who knows?
So, is a new, massive DDoS brewing? Unless one of the people who planted these trojans tells us, or a DDoS actually happens, we'll never know.
This is no big deal. Hasn't anyone been on irc? Practically every kiddie on irc has his/her own dosnet, most with hundreds of hosts. People create them everyday, and have been doing so for years. Yes, years. This is nothing new, and its no big threat. If someone really wanted to 'take down the net', they would have already done so. But, a person like that has only one life, and that would be his/her life on the net, and why would he/she want to destroy their life? Point being, I am tired of seeing the media hype up stupid findings of 500 or 600 infected boxes, and calling it 'the end of the internet.' Every second a thousand boxes get owned and infected by some script kid. Does it really matter? No. Why not? a.) They don't know how to 'take down the entire net' b.) They're too busy packeting people on irc. End of story. Get over it media whores. No more dumb ddos stories, please!
As a sysadmin who specializes in security, I have to take issue with your statements. NO machine is ever secure, regardless of OS. Any machine can be compromised.
First on OpenBSD: ever run nmap on a fresh install of OpenBSD? Both sendmail and portmap are happily running BY DEFAULT. Two of the most insecure applications ever written. All OpenBSD really does is give it's users a false sence of security.
Secondly, on Red Hat: It is my opinion that the reason that Red Hat is getting this attention is that it is by far the most used Linux distro. I often build systems based on Red Hat, because I know what I am doing.
You can spend hours and hours of time, securing a box, and if someone can use social engineering to get a username and password, it's all for nothing. This is the biggest issue when it comes to security.
(As an aside: I recently taught a seminar to a company on social engineering. They had never even heard of the concept before. Do you know what they do? Provide customer service for over a dozen banks. Scary.)
I don't believe this is true on 2.6 or later.
but I never said 'y' to sendmail or portmapper - its been a while since I've installed my obsd box but I don't believe sendmail as a daemon runs. and when you install qmail, it does wipe out any 'badness' that sendmail (the pkg) might have done.
All OpenBSD really does is give it's users a false sence of security.
troll. backup your assertion: name any significant security issue of obsd 2.6 or later. even in the default install. I've checked its buglist - have you? or are you just blowing smoke (which I suspect).
I often build systems based on Red Hat, because I know what I am doing.
anyone who knows what they're doing can secure a unix box; the point is that linux attracts a lot of inexperienced unix users (who have little or no admin background). as such, if linux is to stay viable in the server market, it must protect its image. you cannot do this if your default install is very insecure by default - that's all I'm saying. and redhat, even though its the most popular, is one of the most insecure distros.
--
--
"It is now safe to switch off your computer."
According to a few of posts on NANOG (North American Network Operators Group - see www.merit.edu for info), NASA's Ames facility was attacked on Friday, knocking it down for most of the day. NASA hosts E.ROOT-SERVERS.NET, which having it down is a "bad thing".
No, I am not. I said that UNIX had a basic design flaw. I didn't compare UNIX with anything else.
-- Abigail
Both sendmail and portmap are happily running BY DEFAULT.
I don't believe this is true on 2.6 or later.
Last time I installed 2.6, it was true. I have not played with 2.7 yet, so this may no longer be the case.
troll. backup your assertion: name any significant security issue of obsd 2.6 or later. even in the default install. I've checked its buglist - have you? or are you just blowing smoke (which I suspect).
Significant security issue: Sendmail and portmap are installed, by default, in 2.6 (I am unaware of 2.7). inetd is enabled by default (even though I believe everything is commented out). Better practice would be to default to tcpdaemon instead of inetd, and qmail instead of sendmail. Or to install neither by default.
(Try suggesting this to Theo. Enjoy the flames that follow.)
Are you so much a zealot that you believe that the only bugs that can ever exist in OpenBSD are the one's that appear on a buglist? This is not a troll; it just runs counter to your beliefs. This is what will get your systems compromised; complacency.
OpenBSD does have the right idea when it comes to security (compared to other free *nix), but you have to remember that you cannot ever prove anything secure. All you can honestly say is that, to the best of your knowlege, there are no known security issues. Security cannot be proven, but insecurity can.
It has been my experience that it is best to assume all machines can be compromised. A security syadmin then sets about the task of making things more and more difficult to exploit.
Besides, sucessful application of social engineering will foil the best system security ALWAYS. Thieves don't always pick a lock to get into a home; they break windows as well.
the point is that linux attracts a lot of inexperienced unix users (who have little or no admin background). as such, if linux is to stay viable in the server market, it must protect its image.
I agree with this stance, and am doing something about it. I am in the process of making security documentation that I have written available under an open documentation license (It is currently owned by my employer, so this takes a little convincing). I intend to submit this documentation to friends at Red Hat, in the hopes that it can be put to good use.
What are you doing?
It seems to me rather than not installing NFS (as some have suggested to you), you might use ipchains to disable NFS access from all but your trusted systems. I.e. just drop the NFS request packets from systems that aren't yours. You should probably do this for any of the other ports that you have open, too.
General Question: Is it just me, or shouldn't a well secured distribution behave like this out of the box?
--
Yes...I am a rocket scientist.
I used to T.A. for my High School CS teacher's Pascal class. These were kids who wanted to learn. They were really, truly interested. The problem is, they just didn't have the talent. (Otherwise they would have been in the AP class, doing C++). The point is, some people don't have the talent. There are people in this world who are destined to be the ones who fix our cars and serve our food. THEY ARE GOOD PEOPLE. Many of them are highly motivated for self-improvement, but just because a system seems intuitive to you and I, doesn't mean the same is true for everyone else.
It's very true that there are many people who don't learn because they are lazy, but there's also a huge population that simply doesn't think the same way.
WARNING: there is a trojan on your
They got me too... they didn't install a root kit either. I checked my packages with MD5 sums and all my binaries checked out.
You're aware that there are rootkits that will get around the checksums, right? They will hand over the original binaries when you request a read, but will serve up the modified binary when the OS requests an execute.
You can't be sure they don't have anything else on your box until you reinstall clean from known-good media. (And maybe re-flash the BIOS, though we haven't seen that trick used yet.)
I'm not saying we should go back to the "good ole days" with only a bare command-line prompt, but IMNSHO software should not be designed to try to be everything. (Wizards, anyone?) Software should be designed to provide the necessary tools to get things done, but it should never attempt to be smarter than the user. The user needs to learn how to use the tools.
Why are script kiddies so abundant these days? 'cos they're so used to the click-on-button-and-it-does-everything way that computers work these days. A friend once joked with me that World War III might be started by a kid pressing a single wrong button on the nuclear launch controls...
What we need IMNSHO is a change in philosophy. Yes I know easy GUI's are good and perhaps even necessary for people who want to get things done without worrying about manpages and editing conf files. But for teenagers? Give 'em a bare command prompt and let them figure out how to configure X manually. Kids these days need to learn that the world isn't an instant gratification vending machine. You need effort if you want value.
---
mikre he sophia he tou Mikrosophou.
Well, yeah, anyone putting a stock RedHat box on the net is an idiot. Anyone putting a stock *anything* box on the net is probably an idiot too. ;^)
However it's true that RedHat is particularly bad - that doesn't mean Linux is bad - RedHat != Linux. If you want a Linux distro that is reasonably secure by default, give Slack a try. I know it gets a bad rap for supposedly being hard to install, but 1) if you are using OBSD already that's surely not a concern for you and 2) when I finally gave it a try, I found it to be little if any harder to install than RedHat or Mandrake were anyway. The selection of packages available with the native package management system is smaller than the RPM collection, of course, but it usually includes all the important stuff and is very up to date - check out LinuxMafia if you need something that isn't included. Plus you can always compile yourself, use the included rpm conversion tools (rpms usually but not always will work fine after a quick conversion) or even install RPM if you want to. YMMV, but I've found Slack to provide a very nice middle ground between OBSD and RedHat.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I have to rant a little bit, here - Redhat, is it SO HARD to make the default install be BASICALLY SECURE? Don't turn RPC on by default, for God's sake! The first thing I have to remember to do is to remove the really obvious security holes as soon as I install!
One nice thing about this DDOS activity - now, the script kiddies want my network bandwith. Used to be they didn't know what to do when they got in. The same system was compromised three years ago while I was on vacation, and the script kiddies involved did an "rm -rf /" as root. Ouch. This time was pretty easy to clean up from, by comparison.
But, whomever pointed out that the connections of the hosts are important - absolutely. I'm sure my puny 384kbps upstream didn't cause whoever the victim was any real trouble.
Tips for people who may be having the same experience:
First, I was tipped off by the very large numbers of collisions on my hub, and the massive traffic. I'd installed a bunch of new hardware and software, and, at first, thought something was broken. Additionally, I was running mrtg against my router, and the traffic saturation broke SNMP connections, so cron kept complaining.
Once I figured out the host the traffic was coming from, I started looking around. First of all, a command representing itself as "lpsched" was running with a very low PID (like 120) and had a child process representing itself as in.telne (I believe these were actually the same program). When I killed them, the traffic ended. After some research, I realized that the attackers had installed a trojan in /usr/sbin/init (which was then changing its program name as represented in ps after execution). /usr/sbin/init was being executed by /etc/rc.d/rc.sysinit, at the end of the file (placed here very nicely with a check to make sure /etc/rc.d/rc.sysinit existed).
Interestingly, they did NOT install a rootkit - I used SHA1 hashing and some custom scripts I wrote to compare the compromised host with a clean install of RedHat 6.2. All they did was modify /etc/rc.d/rc.sysinit and install the Trojan (they may also have edited log files at the time of intrusion). rpc.statd did spew a "I'm executing this obvious buffer overflow attack" in /var/log/messages; "grep rcp.statd /var/log/*" should give you some idea if you have a problem. In the rpc buffer overlow, they echoed to /tmp/m:
and then, executed "/usr/sbin/inetd
Good luck, out there...
I think the solution to script-kiddy wankerism is a revival of the demo scene.
How about fixing the holes? It's not like we haven't known about the problems with wu-ftp since forever.
--
Life's a bitch but somebody's gotta do it.
Being someone who has setup some Redhat servers for various companies I would like to make a few comments in reply to your post.
Many times a company does not have a concept of System Administrator. For instance where I work now I am a programmer. The company wants something done such as mail services or DNS and they come to you and say we need this and this and this. And so you give them options and they say "Oh, but we dont want to spend any money" So you setup a linux box and you go back to what you are suppose to be doing (in my case programming).
In on of my previous incarnations I was a Internet Technician for an ISP. Most of my days were spent battling with Sprint and TW Telecom. Setting up routers and trying to setup reporting. I had to monitor updates and potential exploits for a vast array of operating systems and equipment. Keeping up with BSDi, Redhat Linux, Windows NT, FreeBSD, Cisco IOS... blah blah blah... ate away at my time. And the company saw it as unproductive time because in the end the upper management did not see anything different.
I would also like to point out some personal experience that may not apply to everyone or everything in the Internet universe. It felt to me like Redhat Linux constantly needed updating and patching. The BSD derivatives seemed to require less work. And NT's exploits seemed trivial in comparison to a root exploit. Of course, NT was pathetic on handling loads or multiple services and needed to be rebooted once every week.
I just wanted to provide a perspective from the other side of the fence so to speak.
Read the docs. The author says yes, this is a possibility, but he has had zero complaints about it actually happening in the real world so far.
/dev/lp0 so you have a hardcopy log of the attack. Whatever. It's up to you.
Also, portsentry is entirely configurable. You can drop attacking hosts into hosts.deny, or block them with ipchains, or block them with route reject, or not block them at all and just dump a message to
If you -are- using IPchains and you know what you're doing, you should be able to set it up so that port 80 -always- answers and is -always- exposed to the whole world. This means the attacker can still read your web pages, yes, but hopefully your web server is secure. (Okay, maybe it's the least-likely to be secure thing on your box, but then, an attacker that wants in through your webserver can go to some host that hasn't yet been portsentried and attack the webserver, being careful not to trigger portsentry this time... )
Also, maybe some people are using tcpd only and not ipchains at all; so the host is still 'live' to the 'net but the service ports get closed leaving only pinging and other ICMP packets up.
Do whatever you think is best for your box. There is -no- best practice for this, because heterogenity of implementation is key to preventing predictable DoS exploints by turning your own security against you.
Anyway, I don't care if my home box disappears from half the net for six hours until I can manually rework things when I'm sure it was a spoof - OTOH, if you're a major e-commerce site, yeah, you'd better make sure your portsentry isn't going to close off your http!
--Parity
--Parity
'Card carrying' member of the EFF.
Alternatively, you could argue that it's libc that's flawed by making it so easy to create buffer overruns, as what's his name at http://cr.yp.to does, and so he uses instead a bunch of 'safe' functions to do 'String' functionality instead of using the unsafe libc str* functions.
Of course, lots of Unix people don't want to switch from C to C++ or Java where this kind of thing is the standard way of working, but a libsafeCarrays or something going into common usage would reduce this kind of thing drastically.
Though separating code and data pages is an elegant solution, though perhaps not a complete one. I'm not sure how many programs there are that have legitimate reason to modify executing code, but it's conceivable. I suppose we could just say that self-modifying code is too perverse an abberation to be permitted to live.
--Parity
--Parity
'Card carrying' member of the EFF.
"I hereby declare a change in philosophy!"
These things don't just happen. I'm not going to go into whether they SHOULD happen - I just hate to see post after post of people declaring the way things should be with nary a word about how to make it work. At least the parent post had a suggestion - revive the demo scene.
With no further ado, I therefore present my own suggestions for "fixing the kids these days".
(1) The kids these days aren't the problem. Neither is the government, nor the corporations. You (my illustrious reader) are the problem. Get off your duff and learn a language, write some code, write some documentation, make something work that didn't. If you don't like the way computers work, if you see things that need fixing, do something to fix them. And try to throw something original in while you're doing it - too many programs out there now where people simply didn't check to see if someone had already written something to do exactly the same thing.
(2) In that vein, vote goddammit. (If you live in a country where you can't vote, move goddammit.) Bitching about throwing away your vote doesn't cut it any more - if you don't like the mainstream candidates, vote for one of the smaller candidates. Your vote will count for MORE; if Ralph Nader got 2 votes in the last election, and your vote makes it 4 in the next election, the pundits will be able to say his following doubled between elections. Political advocacy aside, your political activism will put pressure to change the things that cause script kiddiez, whatever you believe them to be. (Unless you believe the FBI is orchestrating the DDoS attacks--if so, I can't help you.)
(3) Finally, teach someone how to use a computer. If you say 'rtfm' on a regular basis, I have an acronym for you: 'uyfps' (use your fucking people skills). Don't wave your hands about how people aren't using computers creatively/constructively -- show someone how to use computers constructively, and teach them why. Give them some of your enthusiasm. A teenager whom you've taught to write a database app isn't going to try and bring down eBay, cuz he knows that'll hurt his job offers when he gets out of college.
Xant, maintainer of packet2sql, author of Repairlix, writer of documentation. (Not bragging, just doing a preemptive strike against accusations of hypocrisy.)
It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
One typically doesn't install "Linux", but a distribution. And what is installed by default varies from distribution to distribution, but most of them install much more (or make it trivially to install much more) than necessary. And there's no tweaking of config files - the packages do that for you. Joe R. User who comes from Windows would be utterly lost if he had to select everything (but nothing more) from Debian's dselect. No, instead, he uses Red Hat, with a spiffy GUI tool, and has no clue what on earth is going on his system.
You basically need to know the inner workings of the programs just to get them to run.
Eh, it's more that you need to understand inetd, inetd.conf and whatever way your OS/distribution runs the bootscripts to turn the services off. (Not that that is enough to close all the ports). That is, if you can figure out which services you really need.
forces the *nix admins to take all the responsibility for their systems while NT can just say "that's the way MS shipped it to us"
How is "that's the way MS shipped it to us" different from "that's the way Red Hat shipped it to us" or "that's the way Sun Microsystems shipped it to us"?
Consequently, the security audit my single-purpose linux ftp server failed last Thursday is my fault, but the NT guy gets to blame the MS-approved consultant who installed his fileserver.
Are you suggesting that if you had a Red Hat-approved consultant installing your ftp server, and the NT guy installed the fileserver himself, you were still to blame, and the NT guy could still blame MS?
Sysadmins of all stripes deserve SOME of the flak for the spread of viruses and the DDOS attacks from their exploited servers,
Sysadmins deserve blames SOMETIMES, but they shouldn't be blamed for the gazillion of holes Unix utilities have had over the past 3 decades, with no end in sight. Remember, sysadmins DO NOT write those utilities. Don't blame the sysadmin for being 20 minutes late in installing the latest security fixes. It's a never ending stream of holes, and sysadmins also need to do other things, like making backups, reading Usenet, drinking coffee and LARTing lusers.
But then, are utility writers at fault? Partially. 30 years of experience would suggest they know better, but the same bugs (buffer overflows) happen again and again and again. However, the biggest share of the blame has to be taken by the OS (and hence, its designers). It's a fundamental design flaw that the kernel does not separate code and data pages, and hence that buffer overflow errors can lead to execution of arbitrary code. That flaw disqualifies UNIX as being a secure OS.
And the sad, sad thing is, that a now popular Unix-like OS, which was written from scratch after more than 20 years of UNIX evolution into a wild variety of sub species makes exactly the same fundamental design flaw.
Don't blame the sysadmins for not being able to keep up with the never ending stream of buffer overflows. Fix the OS!
-- Abigail
Hell yeah - those were the days... at least on the Amiga they were...
Silents, Razor 1911, Complex, Cryptoburners, Melon Dezign, Fairlight, Crusaders, Skid Row, Kefrens, Andromeda... those cats flexed furious audiovisual skills on the Amiga's dedicated coprocessors. Most of them are working at game and 3D companies now, I imagine.
If anyone's interested, there's a very cool research paper called "The Hacker Demo Scene and it's Cultural Artifacts" at http://www.curti n.edu.au/conference/cybermind/papers/borzysko.html ...
--
Yes! Let's fix the holes. But let's fix them once and for all: At the OS level. Fix the OS such that a buffer overflow cannot result in executing arbitrary code. Or else, for each hole in an application you close, 10 new ones spring up.
Here's a scary thought. How long till crackers and script kiddies start sending patches and/or become active developers for well used open source projects, intentionally introducing holes. Even if 99 out of 100 of such attempts get removed before the product becomes "stable", the few that make it to the next Red Hat or Debian CD make it a hax0rs delight.
-- Abigail
Not complicated, but resourceful I'd say. It's not as if someone said "look, there's the battery, short it out," it was a case of someone screwing with my BIOS and me needing to find a way to fix it.
I didn't have a manual, I just figured that the battery-looking thing probably was responsible for storing the time and all the other BIOS settings, so I figured shorting it out would solve the problem. Not bad for 15, or however old I was at the time.
--
CNN Reporter: I am reporting live from the offices of [insert TLA here] where news of the devastating Denial of Services [sic] attack has just been heard. Oh my God, What can we do? What does FBI think?
FBI spokesdroid:Like I said, if only they had let us install Carnivore in every ISPs server room, we could have stopped this.
NSA spokesdroid:Shutup fool, if only Echelon funding hadn't been stopped we would have nipped this in the bud.
Right-wing spokesdroid::Liars, liars, only installing censorware which blocks out images of "hacking" and "cranking" [sic] could have stopped this...
RIAA spokesfiend:Copy protection, ban Napster, steal consumer rights, kill, murder, hahahahaah.
CNN Reporter: Riiiiiiight. I guess we'll get nothing useful here. Back to the newsroom.
The real problem here is that most popular distros (read: redhat) have default configs designed for hackers. I set up a redhat 6.2 box as an ipmasq server... 2 days before it was compromised.
I am waiting for a distribution to come set up that way out-of-box... yeah, right.
-E
Send mail here if you want to reach me.
I agree with him, for a simple reason.
I started with a commodore, using the command-prompt, and moved up to a PC with a prompt, and that's how I learned computers, in elementary school. Probably not uncommon for the people on this site.
Now, my little brother never used anything other than 95. Loves computers, mainly games, but couldn't use a command-prompt to save his life, and can't even setup Master/Salves correctly on an IDE chain. Called me to try and help over the phone...
He's a smart kid, too.
He's a Senior and high-school, and can get into any school in the nation, from his test-scores and grades.So why can't he figure out why the new game he installed whacked windows? Why can't he install a new HD? Because all he's ever used is point-click. He's never actually learned how things work.
One of my proffessors once made a statement about "experts", one I've also heard from a few now-retired computing columnists.
Essentially: A real expert does not know how to do 100 neat things (tweaks) with a piece of software (or other product). Instead, they understand fundamentally how it works. From that, they know how to do the same 100 "neat things", but they also know why those "neat things" do what they do.
Sorry, enough ranting on "kids these days...."
First I dont run wuftpd, I use proftpd. That eliminates one of the areas of problems.
The second is I use ipchains to log on my ports taht might be scanned. This means that if someone scans my machines I have a log of the originating IP. Although this is probably not there ip it is a starting point atleast and can lead to other machines that they have comprimized.
Next I have a script that parses the system log, to check for things that came from a possible scan this run every 15 seconds. So that basically gives them 15 seconds to hack my machine. I hope they can do that other wise I hear festival go off saying I am being scanned. It needs som e work to be perfected, but it is a start at seeing if I am being scanned an dhacked. I am lucky though it is just one machines.
I am more worried about my machine at work. Several days ago someone else used my machine and they said they gave there password out to someone else who may have use the machine. This is total stupiditiy on that persons part for handing out her password, and yes I reported her to our security. If my machine is use in DDOS then I know who is going to get in serious trouble for it.
I don't want a lot, I just want it all!
Flame away, I have a hose!
Only 'flamers' flame!
Good point. He really doesn't try to learn. But he's very typical of the people that don't want to learn.
They complain that things don't work, but they don't want to learn how to make them work. In a word, lazy.
They are the same people that amaze me when they don't know why you're supposed to change the oil every so often in your car...
In this case, though, Mr 4Life is probably referring to Three Letter Agencies, such as the CIA and NSA, and more broadly the FBI, KGB, and similar agencies around the world.
Any sufficiently advanced technology is indistinguishable from a rigged demo
--Andy Finkel (J. Klass?)
I recently installed my first Debian server install (and actually am still in the process of confugring it), but I learned some interesting things by doing that.
One of them is that it's the OS vendor's fault that linux distro's have such weak default installs. Debian is pretty decent securitywise in and of themselves, but even they do outright weird things like going with a firewall without rules and ACCEPT policies on all the rulechains.
The default should be completely locked up from outside to inside, opening up only ssh. If a user wants a service, he needs to not only install it, but activate it too.
If you do a regular install of, for example, red hat you get dozens of services running, from named to apache, to TELNET !!! Some of them useless and ancient history (telnet, r protocols), and some of them don't ever run on the same system. pop3 and smtp and apache and ftp. Show me a real professional server that runs all those, I dare you.
Now if you want to make an install that installs all these services then go right ahead, but please don't offer it as the default. Linux newbies will always pick the default, and when offered with the choice: install (y/n), they WILL pick "y", because that's the windows way of doing things, install everything, even if you don't know if you'll need it.
It's actually possible to make a default install that doesn't have a firewall and still doesn't open up ports to the internet. Imagine how solid it can be made when you add a decently configured firewall. I'm not asking for a default deny policy, just some common sense. Leaving ports 6000 and up open to the internet is EVIL.
So, to restate my opinion, it's redhat's fault that boxes get hacked. Because you don't need suid root stuff (yes, you can build a complete linux install where daemons have no access to suid root programs), and you don't need daemons running as root (check out tcpserver on cr.yp.to).
For those of you who don't believe in DDoS attacks or just don't want to believe in them, please check out http://wzc.dhs.org/home/news/index.html and the news post dated 6th September 2000. This is a linux server which I run... it has been DDoSed many times this summer, each time, taking out the ISP on which it is hosted. I managed to log all the networks involved using tcpdump and other such tools. The reason for it being dossed? It runs an eggdrop on IRC hence the hackers DDoS the server to make the bot ping timeout, and take over the channel.... how sad.... So ppl, these attacks are for real.... we better suss them out... this is exactly what I did.... With help from one of my mates, I managed to determine the protocol used by the packetting agents (the agents which actually cause the garbage traffic) and wrote a little C program which makes them packet; if you care to visit wzc.dhs.org's news section, you will see that the server was setup to perform a scan of all the networks which I had logged (the scan was done by sending control packets to each potentially infected host on each network telling it to packet my server for exactly 1 second... if the host packetted my server, I knew it was hacked and running a packetting agent). The list has now been submitted to cyberabuse.org and CERT have also been notified about them (which is, I assume how this posting got onto here in the first place). I don't claim to be "Mr Expert" of DDoS attacks, but I did the scan due to my general anger against the hackers which were orchastrating these attacks against my server during this summer. If anyone would like to know more about how the protocol works, or would even like a copy of the C program which causes these packetting agents to packet, then contact me via the email on wzc.dhs.org's news page..... maybe I should post it publically so everyone can do their own DDoS attacks, and then... the admin of the compromised hosts might fix their hacked systems. Thank you for listening. ----- Mark Hedges (admin of http://wzc.dhs.org)
Well, I had a user at one of my sites today get DDoS'd of the Internet. As a matter of fact, we were receiving so much traffic my firewall at that site choked. I got a couple of packet traces. Basically it was a bunch of tcp syn packets going to random port numbers. I started nmapping the source addresses to determine if they were real or spoofed (spoofed source addresses typically consist of a lot of invalid addresses that don't actually exist on the Internet). It turns out that 80% of the source addresses in question responded to ping. After nmapping a few of them I came to realize that they were all Linux boxes. Here's the results of one:
turmoil# nmap -sS -O 216.17.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on xxx.dsl.frii.net (216.17.xxx.xxx):
(The 1506 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
143/tcp open imap2
511/tcp open passgo
514/tcp open shell
515/tcp open printer
1023/tcp open unknown
1024/tcp open kdm
3306/tcp open mysql
TCP Sequence Prediction: Class=random positive increments
Difficulty=1200108 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds
Now, I don't know how you would assess the skills of this particular administrator, but as for me, I would say that he is a completely and totally ignorant and most likely stupid to boot. What kind of kneebiter actually puts a box like this in the wild? Ok, here's a little contrast. I'm running a counterstrike server on a generic install of Redhat 6.2. Here's the results of an nmap:
turmoil# nmap -sS -O 206.173.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on ahl (206.173.xxx.xxx):
(The 1522 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
TCP Sequence Prediction: Class=random positive increments
Difficulty=2103891 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds
That's it. Imagine that, a secure Linux box. What a novel concept. The key difference between *nix administrators and NT administrators is that *nix is designed to be remotely accessible thereby making it more subject to remote attacks. It is also possible to secure *nix. NT on the other hand is traditionally not as remotely accessible, which I think prevents it from being more of a platform for this sort of behaviour. However, if there's a security weakness, it's usually in there for a good long while and on top of that, it's difficult as hell to secure.
I just did an install of RH6.2 this evening for a friend of mine. It was amazing how much crap gets activated when you select 'everything' during the installation! He wanted everything, so he got it.
Needless to say, I turned off all listening daemons and promptly installed OpenSSH.
I see absolutely no need whatsoever to run telnet or ftp servers anymore. And my friend didn't need to have them running anyway on a dialup connection so I got rid of them. And even if he wasn't on the 'net, he still didn't need telnet, ftp, nfs, etc... running.
I agree that a good half hour of cleanup is required after any linux installation. Even if RH is a 'newbie-ized' linux distro, all the NFS, rpc, apmd, pcmcia, sendmail, etc... services should be turned off until the sysadmin turns them on.
I like the idea that I have a fully configurable, highly powered, and fully functional (free) OS. but dammit(!) let me turn the stuff on!
No newbie should be faced with NFS or identd on their first day. Let them learn the power of GNU/Linux. Don't blind them like a deer in the headlights, but give them turn up the dimmer switch.
eof
OH NO! See, the evil cyber-terrorists have attacked and the TLAs must get their funding to stop it.
Suddenly....*POOF* the attacks _END_. No "bad guys {tm}" were caught, but the problem goes away.
Ooops, here come the FUD and scare tactics again! Time to eliminate some more civil rights to protect us from "cyber-terrorists" and make sure those TLAs charged with fighting this dragon are properly funded!
Maybe this time the feds will attack something on the net that really is meaningful instead of ebay and yahoo. Otherwise, I just ain't buying it.
MSNBC report states that most of the systems which are compromised are Red Hat systems,using a recent exploit, for which patches are available. These compromised systems are surely systems whose admins are either ignorant or crackheads who believes Linux or Red Hat is too secure to be compromised.
This again brings to light the eternal question which begs an answer. Is it the fault of the company behind the OS or the Sys admins who forgets to apply the newly released patches who are responsible for these attacks. My opinion would be the latter.
Any piece of code is liable to exploits, including Windows and *nix, and its quite obvious that the script kiddies behind these attacks do not envisage new exploits, rather piggyback on existing exploits for which users or admins might not have applied the patch. The fault I must say lies with the Admins.
As long as there are systems liable for attack, whether they might be open source or closed, there would be kids who take advantages of the exploits that arise from these systems. Rather than crying foul everytime a new exploit is released, the geek community should make sure to plug these holes, rather than pointing fingers.
As long as we dont plug the holes in the Internet Infrastructure which allows these kind of DDOS attacks, that would be the sanest thing to do.
My two cents
Rapid Nirvana
I love linux and I wish it was more secure. I do tend to use redhat for my desktop boxes (it supports a lot of hardware and is the most well-known distro around, mostly). but I'd NEVER put it 'bare' on the net - for all to play with. that's lunacy.
for my public box, its openbsd. I got tired of my linux boxen getting hacked ;-( behind the firewall, linux is very nice - but just don't put it in its DEFAULT config on the public net. if you do, well, its just a matter of time before you're hacked.
but if redhat at least made the default config totally locked down, they'd enjoy a much better rep. and linux, as a whole, would take less abuse about security issues.
--
--
"It is now safe to switch off your computer."
I think the solution to script-kiddy wankerism is a revival of the demo scene. Everyone uses GUIs now, so it's harder to program to the metal to make cool demos that cut the edge of technology. That's what these dumb kids should be doing, actually improving their skills and learning something, rather than being destructive and 31337. I'm gonna wager than many Slashdotters know at least a couple kids that are probably warez dudes or 31337-haxors at night. Be a force for good in their lives; show them how they can create with a computer as well as cause problems.
RedHat is a consumer product. The vast majority of RedHat installs have no "sysadmin." They have a person who clicks a few buttons to install the damn thing and that's that.
When a Win98 box is exploited, is it the syadmin's fault? That question doesn't even make sense. And neither does it make sense to say that poor sysadmins are at fault for RedHat exploits.
While none of us really need to get in another fight over which OS is better, I have to ask you to give your own post a second look and consider that your view of this situation may be too simple to be accurate: configuring and operating a linux server is different than doing the same with an NT box. For most NT servers, NT installs right off the CD, you fill out the networking info, and start making user logins. All services are either switched on from the control panel or by installing it off another CD with "autorun".
Linux is a different animal. It takes some work to configure one of these things. SendMail, Apache, Samba, X, whatever you need, you configure, and unlike NT, everything is "off" until you turn it "on", and not only by running YaST, but by endlessly tweaking relevant app.conf files. You basically need to know the inner workings of the programs just to get them to run. Of course, you get some pretty exact control in return, but it really does take a degree of effort just to think the program's configuration through. Not that you couldn't put the same time and effort into tweaking an NT box, but the distribution and marketing of NT don't encourage it. It doesn't make NT admins' sloth any less wrong than *nix admins', but the truth is that the culture and attitude that has developed around the two (NT is great because I slap a M$-approved CD in the drive, then sit in my big comfy chair all day and wait for it to crash v. Linux is great because I tweak the hell out of Apache to get it compatible with my perlcgi style then set hosts.allow to all:all because I'm too lazy to map my fscking users) forces the *nix admins to take all the responsibility for their systems while NT can just say "that's the way MS shipped it to us".
Sysadmins of all stripes deserve SOME of the flak for the spread of viruses and the DDOS attacks from their exploited servers, but M$, by taking some of the control over the system away from NT SAs, also must take a proportional share of the responsibility. Consequently, the security audit my single-purpose linux ftp server failed last Thursday is my fault, but the NT guy gets to blame the MS-approved consultant who installed his fileserver.
-jpowers
-jpowers
There is the same ratio of lazy people to motivated people today that there was yesterday. If you look around you see a lot of people on computers, but don't forget that when we were learning on computers that you booted on a floppy since harddrives didn't exist, the ones who were NOT motivated, simply didn't use computers.
Now, it is different, they use computers because they are practically a necessity, they still don't want to learn them though. If you look around, there are still plenty of people willing, and even anxious to learn things the hard way and understand the fundamentals of how they work. Same ratio, different set of parameters.
V
NFS is grotesquely insecure. If you have to use NFS, use it behind a seriously locked down firewall box. If you can avoid using it, use anything other than it. SMB is also less desirable than others but it's design won't leave you open for these attacks. I suggest using AFS or Coda at this point.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Can you believe that? Those evil hackers have figured out how to raise the dead and have them fight for them as a zombie army. Man, this is almost as bad as copying DVD's.
my personal favorite is Bakkslide Seven
That was beautiful. Thanks.
-jpowers
-jpowers
Yes, lazy admins are the problem, but just to clarify, this isn't an "exploit".
These machines were hacked (in ways that any other machine would be hacked DNS, rpc.statd, sendmail, etc). The person that hacked the machine then put the DDoS software on the machine for later use.
Lazy admins are the issue since they did not take the appropriate measures to secure their boxes (applying patches, setting up a firewall, etc), but the actual DDoS software was installed as a result of the boxes being hacked. Hence, the DDoS software is the result and not the cause of the hacking.
This is a really basic way to check what ports are open on a Linux box: /etc/inetd.conf and look for lines that do not begin with a hash (#). These are the services that inetd is listening for. Do not use the
"grep -v '^#' inetd.conf" way of checking , as this won't alert you if the # is not the absolute first character on the line.
Open
Ideally you should run nmap against your machine. Inetd will listen on the ports configured in the inetd.conf file. Other services may be listening directly to the port (apache, for example). There is a front end called nmapfe that automates the procedure. Run it against your local machine.
You could also try looking at https://grc.com then doing the scan network tests. This site is geared to Windows services but the probe is useful. Do not trust what the guy says in his FAQ because it's meant to sell his firewall product. He has some wrong information in there.
Once you realize that your machine is wide open, how do you disable those services? First, edit the inetd.conf file and then comment out the lines for services you don't need. Then restart inetd by doing a killall -HUP inetd. Go into LinuxConf and disable the other services. For now I'd suggest completely disabling wu-ftpd and rpc.statd until the fixes have been tested for a while.
As for any security, don't trust your box to this minimal information. There are lots of other ports open that I didn't address here. Do some reading!
This is why I think they should teach *NIX in the classrooms instead of just teaching you how to use word processors and spreadsheets. Some would argue that it would be learning the wrong environment since everybody uses MS products in the workplace, but I disagree. Since I've started using Linux I have learned far more about the fundamentals of a computer than I ever learned under DOS and Win32. I'm able to take that knowledge and use it in the Win32 environment easily.
The problem starts with the lack of education in the area of computers. As a regular highschool curiculum, you should take basic *nix fundamentals, basic C programming, maybe Perl, and a hardware course. Fourth year should then move to MS products, VBS and system maintence. Once you can accomplish tasks of this nature, you can very easily learn the simple programs such as making spreadsheets and typing research papers on a computer. It would be second nature at that point.
This isn't going to happen any time soon though. The computer market has way too much inertia in creating software for the dummies. This only leads people to take an increasingly 'dumb' approach to computing.
So, things are still as I have outlined in the original post. You have a division between the people who want to get their fingers dirty and those who don't. As you put it, they see it as a tool. It isn't the way it should be, I never meant to convey that.
V
Just a curiousity thing - I'm not activly looking. I'm just curious where root kits come from and how they get around. I have one or two that a few years old that I removed from another departments hacked machine.
Do they make their rounds via IRC? Usenet?
Maybe your little brother simply isn't that interested in how they work, either. If he travelled the same path you did, maybe he would have gotten sick of them all and done something else instead. There are plenty of people who started out with GUIs and still managed to learn many deep things about how their computers worked. There are also plenty of people who started out with C64s and still can't properly chain IDE hard drives.
Mod down posts with a "Free Mac Mini/iPod" sig, they're spam!
I've been scanning the bait logs on my machine (I run a simple tcp listener on port 111, 23 and others to report scans), and over the last four weeks the rate of scans against the machine has gone up orders of magnitude.
...
Probes to port 111 come about twice a day, from a large range of IPs. These boxes could all be compromised, and being used as part of a worm attack, but I dont have time to track down the postmaster of each of the ip addresses and mail him/her.
Does anyone know if there's a service run by CERT or anyone to report possibly compromised hosts that turn up in our logs too?
If not, it would be pretty useful to have