Crackers Preparing Massive DDoS?
Tairan writes: "Crackers are using two exploits to ready another distributed Denial of Service attack. MSNBC.com is reporting there are at least 560 computers infected. CERT claims it 'poses a significant threat to Internet sites and the Internet infrastructure.'"
CERT seems to be following up on most every lead they can and contacting everyone they believe to have been compromised and urging them to take measures to protect their systems and networks where possible. I am personally aware of a few hosts (which have since been secured as well as possible) which I do not control, but which were involved in a separate incident involving another rather large volume of hosts that CERT followed up on.
So it would seem to me that the folks at CERT, at the very least, are just being careful. As the old saying goes, an ounce of prevention is worth a pound of cure -- and it's no different with computer security.
As the 'security guy' for my home, Kuro5hin.org, and other firewalls I've set up for people I know, I can tell you that:
.. kill. Then go and chmod -x all those binaries. No remote root. Simple, effective. You could probably have perl scripts do it :-)
;-)
"after all, a bunch of them are probably not even very much up-to-date and it takes a lots of time and experience to secure properly a Linux server. "
Is wrong! It's very simple: you need three things to lock down a box from remote root: nmap, lsof, and kill. Find what's open (nmap scan TCP), find out what 'owns' the port (lsof), and kill it. Then set your system to not run it. The RPC services should be turned off without even bothering to check if they're running -- every distro has them on by default (why!?). ps -ax|grep rpc
Otherwise, it's just watch bugtraq, watch your box, and be suspicious. Oh, and don't run Washington University code
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
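The "find what's open, find what owns it" step from the post above, done from inside the box instead of with nmap and lsof, as an added example (not the poster's own script): it keeps LISTEN sockets from /proc/net/tcp, maps each socket inode to its pid through /proc/<pid>/fd, and prints the name ps shows next to the real executable, which is how a binary that renamed itself shows up. It assumes a Linux /proc; the port list and the sample /proc/net/tcp content are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit listening TCP sockets and the processes behind them (Linux /proc).
Added example: keeps LISTEN sockets from /proc/net/tcp{,6}, maps each socket
inode to its owning pid via /proc/<pid>/fd, and reports the port, the name ps
shows (argv[0]) and the real executable from /proc/<pid>/exe, so a process that
renamed itself stands out. Seeing other users' fd and exe links needs root."""
import os
import re

LISTEN = "0A"  # value of the 'st' column for a TCP socket in LISTEN state
# ports the thread singles out as unwanted on a default install (constructed list)
UNWANTED = {21: "ftp", 23: "telnet", 79: "finger", 111: "sunrpc", 514: "shell",
            515: "printer", 2049: "nfs"}
# constructed /proc/net/tcp: portmap on 111, sshd on 22, one ESTABLISHED (01) entry
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346
   2: 0100007F:0CEA 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347
"""

def parse_proc_net_tcp(text):
    """Return [(port, inode)] for every LISTEN socket in /proc/net/tcp text."""
    listeners = []
    for line in text.splitlines()[1:]:          # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # hex port after the last ':'
        listeners.append((port, int(fields[9])))      # column 9 is the inode
    return listeners

def socket_owners():
    """Map socket inode -> pid by reading every /proc/<pid>/fd/* symlink."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir("/proc") if os.path.isdir("/proc") else []):
        fd_dir = f"/proc/{pid}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:                         # process exited or not ours
            continue
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{fd_dir}/{fd}"))
            except OSError:
                continue
            if m:
                owners[int(m.group(1))] = int(pid)
    return owners

def describe(pid):
    """Return (argv[0] as ps shows it, real executable path) for a pid."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode(errors="replace") or "?"
    except OSError:
        argv0 = "?"
    try:
        exe = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        exe = "?"
    return argv0, exe

def audit():
    """Return sorted (port, pid, argv0, exe, note) rows for all live listeners."""
    rows, owners = [], socket_owners()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                listeners = parse_proc_net_tcp(f.read())
        except OSError:
            continue
        for port, inode in listeners:
            pid = owners.get(inode)
            argv0, exe = describe(pid) if pid else ("?", "?")
            note = UNWANTED.get(port, "")
            # a lead, not proof: interpreters and symlinked binaries differ too
            if exe != "?" and os.path.basename(argv0) != os.path.basename(exe):
                note = (note + " name/exe differ").strip()
            rows.append((port, pid, argv0, exe, note))
    return sorted(rows, key=lambda r: (r[0], r[1] or 0))

if __name__ == "__main__":
    for row in audit():
        print(*row)
```

Run it as root after a fresh install and again after disabling services; anything left with a note, or with a pid you cannot account for, is what to chase with the hash check.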
It's not that simple. One user on one 56k modem can completely saturate a T3 if he knows what he's doing. 560 machines on higher connectivity boxes can not only fill one T3, but hundreds. Thousands.
If I have one machine that can access the net, I can ping spoof thousands of boxes, (this is still a problem) who in return all reply the ping to hostX. hostX feels the punch of hundreds of boxes pinging it, even though those pings all came from one machine. Now imagine 560 machines doing the same.
If hackerX can find 560 machines to compromise, he can find thousands of hosts whose routers are not configured to block ping spoofs.
It's not the 560 machines that will be the ammunition, it's the incorrectly configured subnets that will actually do the pipe choking.
"...no one from the DOS demoscene ever releases source code!"
As an aside, most demos "back in the day" were written in assembly language, it was sort of a given that you'd have access to a disassembler and be able to reverse engineer algorithms, if that was your thing. That's how I learned pretty much everything about coding on my Amiga (well, that and the ROM manuals...)
Wow, that brings back a lot of memories of DOS/Amiga demoscene flamewars:
"Yeah, DOS demos can be good, if you have an Orchid and a Soundblaster, but the hardware's standard on an Amiga!"
--J(K) DOS is like Unix in exactly the same way that a pinto is like an aircraft carrier.
http://www.rootkit.com
Due to my own laziness, one of my personal Linux home servers was rootkit'ed and was so for at least a month before I discovered it by accident while investigating why top crashed (utmp was corrupted). It seemed that someone was running what looked like a covert IRC channel on my computer.
Once I reinstalled and locked it down (tcpwrapper, ipchains, scanlogd, disabling of services, package updates, etc) I still got an awful lot of unexplained connections to port 40118:40120 (I still do, two months after, if someone can tell me what it is I'd be happy). I also warned any owner of those IPs that did that, but they didn't seem to care too much.
I don't have a hard time believing that a very large number of Linux servers out there are compromised: after all, a bunch of them are probably not even very much up-to-date and it takes a lot of time and experience to properly secure a Linux server.
I always thought that RedHat (prime culprit because it is the largest deployed distribution out there) doesn't take network security seriously, especially now that RH can be installed and configured to offer various network services by virtual newbies.
Things that could be done by RH (and others) IMO:
1) Create a single reference called security.redhat.com where you could register to receive updates and/or have one of your servers registered to be regularly and automatically evaluated (nmap'd for example) from a security standpoint.
2) Automatically install some of the pretty good detection and prevention tools!!
I agree. The plethora of buffer overruns that allow arbitrary code to execute is a fault in Linux (and Unix). The i386 allows separate code, data, and stack segments. This means that the operating system can set up hardware locking to prevent execution of arbitrary code, or stack smashing. I'm sure there are other ways to cause unexpected behavior in programs, but if you remove buffer overruns and stack smashing that allow execution of arbitrary code, you've removed more than half of all security bugs. (I don't know if other chips have that feature).
Your brother may be smart, but he's obviously not a computer geek. I have plenty of smart friends who don't know the first thing about the mechanics of computers. On the other hand, I suck at swimming, even though I like the water.
I was a high school senior three months ago, and I assure you I can chain IDE devices. I even manually short circuited the internal battery on my computer once when someone set a BIOS password and then forgot it (how's that for resourcefulness?). We are not extinct.
--
560 computers infected is not enough for a massive DDoS. Unless of course they were targeting someone on a dialup, which wouldn't matter anyway.
What was the problem again?
After all, what good is the internet going to be after this?
Tweet, tweet.
There really isn't much to say about this article except for good old rampant Slashdot speculation.
So some people found some trojans that could be used for DDoS attacks on a few hundred machines. Does this mean a DDoS is "brewing" or ready to be launched? Hardly.
In order to know if something was coming, we would actually have to talk to whomever put those trojans on the machines to see what their motivation is, and when they plan to use them. Unfortunately, this will more than likely never happen.
For all we know, this could just be some script kiddie's personal cache of trojans to take over IRC channels, not DDoS a large site such as Yahoo! or Ebay. Heck, maybe it is the BOFH Users Group out for revenge on companies that have had enough of their antics and fired them. Who knows?
So, is a new, massive DDoS brewing? Unless one of the people who planted these trojans tells us, or a DDoS actually happens, we'll never know.
This is no big deal. Hasn't anyone been on irc? Practically every kiddie on irc has his/her own dosnet, most with hundreds of hosts. People create them everyday, and have been doing so for years. Yes, years. This is nothing new, and it's no big threat. If someone really wanted to 'take down the net', they would have already done so. But, a person like that has only one life, and that would be his/her life on the net, and why would he/she want to destroy their life? Point being, I am tired of seeing the media hype up stupid findings of 500 or 600 infected boxes, and calling it 'the end of the internet.' Every second a thousand boxes get owned and infected by some script kid. Does it really matter? No. Why not? a.) They don't know how to 'take down the entire net' b.) They're too busy packeting people on irc. End of story. Get over it media whores. No more dumb ddos stories, please!
As a sysadmin who specializes in security, I have to take issue with your statements. NO machine is ever secure, regardless of OS. Any machine can be compromised.
First on OpenBSD: ever run nmap on a fresh install of OpenBSD? Both sendmail and portmap are happily running BY DEFAULT. Two of the most insecure applications ever written. All OpenBSD really does is give its users a false sense of security.
Secondly, on Red Hat: It is my opinion that the reason that Red Hat is getting this attention is that it is by far the most used Linux distro. I often build systems based on Red Hat, because I know what I am doing.
You can spend hours and hours of time, securing a box, and if someone can use social engineering to get a username and password, it's all for nothing. This is the biggest issue when it comes to security.
(As an aside: I recently taught a seminar to a company on social engineering. They had never even heard of the concept before. Do you know what they do? Provide customer service for over a dozen banks. Scary.)
According to a few posts on NANOG (North American Network Operators Group - see www.merit.edu for info), NASA's Ames facility was attacked on Friday, knocking it down for most of the day. NASA hosts E.ROOT-SERVERS.NET, and having it down is a "bad thing".
They got me too... they didn't install a root kit either. I checked my packages with MD5 sums and all my binaries checked out.
You're aware that there are rootkits that will get around the checksums, right? They will hand over the original binaries when you request a read, but will serve up the modified binary when the OS requests an execute.
You can't be sure they don't have anything else on your box until you reinstall clean from known-good media. (And maybe re-flash the BIOS, though we haven't seen that trick used yet.)
I'm not saying we should go back to the "good ole days" with only a bare command-line prompt, but IMNSHO software should not be designed to try to be everything. (Wizards, anyone?) Software should be designed to provide the necessary tools to get things done, but it should never attempt to be smarter than the user. The user needs to learn how to use the tools.
Why are script kiddies so abundant these days? 'cos they're so used to the click-on-button-and-it-does-everything way that computers work these days. A friend once joked with me that World War III might be started by a kid pressing a single wrong button on the nuclear launch controls...
What we need IMNSHO is a change in philosophy. Yes I know easy GUIs are good and perhaps even necessary for people who want to get things done without worrying about manpages and editing conf files. But for teenagers? Give 'em a bare command prompt and let them figure out how to configure X manually. Kids these days need to learn that the world isn't an instant gratification vending machine. You need effort if you want value.
---
mikre he sophia he tou Mikrosophou.
I have to rant a little bit, here - Redhat, is it SO HARD to make the default install be BASICALLY SECURE? Don't turn RPC on by default, for God's sake! The first thing I have to remember to do is to remove the really obvious security holes as soon as I install!
One nice thing about this DDOS activity - now, the script kiddies want my network bandwidth. Used to be they didn't know what to do when they got in. The same system was compromised three years ago while I was on vacation, and the script kiddies involved did an "rm -rf /" as root. Ouch. This time was pretty easy to clean up from, by comparison.
But, whomever pointed out that the connections of the hosts are important - absolutely. I'm sure my puny 384kbps upstream didn't cause whoever the victim was any real trouble.
Tips for people who may be having the same experience:
First, I was tipped off by the very large numbers of collisions on my hub, and the massive traffic. I'd installed a bunch of new hardware and software, and, at first, thought something was broken. Additionally, I was running mrtg against my router, and the traffic saturation broke SNMP connections, so cron kept complaining.
Once I figured out the host the traffic was coming from, I started looking around. First of all, a command representing itself as "lpsched" was running with a very low PID (like 120) and had a child process representing itself as in.telne (I believe these were actually the same program). When I killed them, the traffic ended. After some research, I realized that the attackers had installed a trojan in /usr/sbin/init (which was then changing its program name as represented in ps after execution). /usr/sbin/init was being executed by /etc/rc.d/rc.sysinit, at the end of the file (placed here very nicely with a check to make sure /etc/rc.d/rc.sysinit existed).
Interestingly, they did NOT install a rootkit - I used SHA1 hashing and some custom scripts I wrote to compare the compromised host with a clean install of RedHat 6.2. All they did was modify /etc/rc.d/rc.sysinit and install the Trojan (they may also have edited log files at the time of intrusion). rpc.statd did spew an "I'm executing this obvious buffer overflow attack" in /var/log/messages; "grep rpc.statd /var/log/*" should give you some idea if you have a problem. In the rpc buffer overflow, they echoed to /tmp/m:
and then, executed "/usr/sbin/inetd
Good luck, out there...
I am waiting for a distribution to come set up that way out-of-box... yeah, right.
-E
Send mail here if you want to reach me.
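The comparison the post above describes (SHA1 of the suspect host against a clean install), and the point made earlier in the thread that a rootkit can hand the original bytes to a read while a different binary gets executed, as an added example that is not the poster's own scripts: it hashes a file tree into a manifest, diffs two manifests, and runs that over a constructed pair of directories mimicking an edited rc.sysinit and a dropped /usr/sbin/init. Because of the read-versus-execute trick, the useful way to run this is from clean boot media against the mounted disk, not from the suspect system's own kernel.

```python
#!/usr/bin/env python3
"""Compare a host's files against a SHA1 manifest taken from a clean install.
Added example, not the poster's scripts. build_manifest() hashes every regular
file under a root; compare() lists files that are modified, added or missing
relative to a baseline. A rootkit can serve the original bytes to read() while
exec() gets the trojan, so hash the disk from clean boot media, not from the
suspect system itself. SHA1 is used because the post used it."""
import hashlib
import os
import tempfile

def sha1_file(path, chunk=65536):
    """Hex SHA1 of one file, read in chunks so large binaries are fine."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map path-relative-to-root -> sha1 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue   # symlinks, sockets and devices are not hashed
            manifest[os.path.relpath(full, root)] = sha1_file(full)
    return manifest

def compare(baseline, current):
    """Return sorted 'modified', 'added' and 'missing' paths between manifests."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario mirroring the post: rc.sysinit gets a line appended,
    a trojan appears as /usr/sbin/init, /bin/ls is untouched. Returns compare()."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        files = {"etc/rc.d/rc.sysinit": b"#!/bin/sh\n# boot-time script\n",
                 "bin/ls": b"\x7fELF placeholder for ls\n"}
        for root in (clean, suspect):
            for rel, data in files.items():
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(data)
        # constructed tampering: guarded launch line appended, trojan dropped
        with open(os.path.join(suspect, "etc/rc.d/rc.sysinit"), "ab") as f:
            f.write(b"[ -f /etc/rc.d/rc.sysinit ] && /usr/sbin/init\n")
        os.makedirs(os.path.join(suspect, "usr/sbin"))
        with open(os.path.join(suspect, "usr/sbin/init"), "wb") as f:
            f.write(b"\x7fELF placeholder for the trojan\n")
        return compare(build_manifest(clean), build_manifest(suspect))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Against a real box, build the baseline from the clean install's mounted filesystem and keep it off the host; the "added" list is where an init script drop like the one above shows up even when no packaged binary was touched.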
I agree with him, for a simple reason.
I started with a commodore, using the command-prompt, and moved up to a PC with a prompt, and that's how I learned computers, in elementary school. Probably not uncommon for the people on this site.
Now, my little brother never used anything other than 95. Loves computers, mainly games, but couldn't use a command-prompt to save his life, and can't even set up Master/Slaves correctly on an IDE chain. Called me to try and help over the phone...
He's a smart kid, too.
He's a senior in high school, and can get into any school in the nation, from his test-scores and grades. So why can't he figure out why the new game he installed whacked windows? Why can't he install a new HD? Because all he's ever used is point-click. He's never actually learned how things work.
One of my professors once made a statement about "experts", one I've also heard from a few now-retired computing columnists.
Essentially: A real expert does not know how to do 100 neat things (tweaks) with a piece of software (or other product). Instead, they understand fundamentally how it works. From that, they know how to do the same 100 "neat things", but they also know why those "neat things" do what they do.
Sorry, enough ranting on "kids these days...."
For those of you who don't believe in DDoS attacks or just don't want to believe in them, please check out http://wzc.dhs.org/home/news/index.html and the news post dated 6th September 2000. This is a linux server which I run... it has been DDoSed many times this summer, each time, taking out the ISP on which it is hosted. I managed to log all the networks involved using tcpdump and other such tools. The reason for it being DDoSed? It runs an eggdrop on IRC hence the hackers DDoS the server to make the bot ping timeout, and take over the channel.... how sad.... So ppl, these attacks are for real.... we better suss them out... this is exactly what I did.... With help from one of my mates, I managed to determine the protocol used by the packetting agents (the agents which actually cause the garbage traffic) and wrote a little C program which makes them packet; if you care to visit wzc.dhs.org's news section, you will see that the server was set up to perform a scan of all the networks which I had logged (the scan was done by sending control packets to each potentially infected host on each network telling it to packet my server for exactly 1 second... if the host packetted my server, I knew it was hacked and running a packetting agent). The list has now been submitted to cyberabuse.org and CERT have also been notified about them (which is, I assume how this posting got onto here in the first place). I don't claim to be "Mr Expert" of DDoS attacks, but I did the scan due to my general anger against the hackers which were orchestrating these attacks against my server during this summer. If anyone would like to know more about how the protocol works, or would even like a copy of the C program which causes these packetting agents to packet, then contact me via the email on wzc.dhs.org's news page..... maybe I should post it publicly so everyone can do their own DDoS attacks, and then... the admin of the compromised hosts might fix their hacked systems.
Thank you for listening. ----- Mark Hedges (admin of http://wzc.dhs.org)
Well, I had a user at one of my sites today get DDoS'd off the Internet. As a matter of fact, we were receiving so much traffic my firewall at that site choked. I got a couple of packet traces. Basically it was a bunch of tcp syn packets going to random port numbers. I started nmapping the source addresses to determine if they were real or spoofed (spoofed source addresses typically consist of a lot of invalid addresses that don't actually exist on the Internet). It turns out that 80% of the source addresses in question responded to ping. After nmapping a few of them I came to realize that they were all Linux boxes. Here's the results of one:
turmoil# nmap -sS -O 216.17.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on xxx.dsl.frii.net (216.17.xxx.xxx):
(The 1506 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
79/tcp open finger
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
113/tcp open auth
143/tcp open imap2
511/tcp open passgo
514/tcp open shell
515/tcp open printer
1023/tcp open unknown
1024/tcp open kdm
3306/tcp open mysql
TCP Sequence Prediction: Class=random positive increments
Difficulty=1200108 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 54 seconds
Now, I don't know how you would assess the skills of this particular administrator, but as for me, I would say that he is completely and totally ignorant and most likely stupid to boot. What kind of kneebiter actually puts a box like this in the wild? Ok, here's a little contrast. I'm running a counterstrike server on a generic install of Redhat 6.2. Here's the results of an nmap:
turmoil# nmap -sS -O 206.173.xxx.xxx
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on ahl (206.173.xxx.xxx):
(The 1522 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
TCP Sequence Prediction: Class=random positive increments
Difficulty=2103891 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14
Nmap run completed -- 1 IP address (1 host up) scanned in 22 seconds
That's it. Imagine that, a secure Linux box. What a novel concept. The key difference between *nix administrators and NT administrators is that *nix is designed to be remotely accessible thereby making it more subject to remote attacks. It is also possible to secure *nix. NT on the other hand is traditionally not as remotely accessible, which I think prevents it from being more of a platform for this sort of behaviour. However, if there's a security weakness, it's usually in there for a good long while and on top of that, it's difficult as hell to secure.
I just did an install of RH6.2 this evening for a friend of mine. It was amazing how much crap gets activated when you select 'everything' during the installation! He wanted everything, so he got it.
Needless to say, I turned off all listening daemons and promptly installed OpenSSH.
I see absolutely no need whatsoever to run telnet or ftp servers anymore. And my friend didn't need to have them running anyway on a dialup connection so I got rid of them. And even if he wasn't on the 'net, he still didn't need telnet, ftp, nfs, etc... running.
I agree that a good half hour of cleanup is required after any linux installation. Even if RH is a 'newbie-ized' linux distro, all the NFS, rpc, apmd, pcmcia, sendmail, etc... services should be turned off until the sysadmin turns them on.
I like the idea that I have a fully configurable, highly powered, and fully functional (free) OS. but dammit(!) let me turn the stuff on!
No newbie should be faced with NFS or identd on their first day. Let them learn the power of GNU/Linux. Don't blind them like a deer in the headlights, but let them turn up the dimmer switch.
eof
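The "half hour of cleanup" the post above describes, boot-time enablement rather than live sockets, as an added example (not the poster's procedure): it lists the S* symlinks in a SysV runlevel directory like Red Hat's /etc/rc.d/rc3.d and flags every enabled service that is not on an allow-list, calling out the ones this thread names. The allow-list and the sample rc3.d are constructed; telnet, ftp, finger and the r-services run from inetd.conf on RH 6.x, so they need a separate look.

```python
#!/usr/bin/env python3
"""Flag services enabled at boot in a SysV rc directory (Red Hat 6.x layout).
Added example, not from the post. Each S<nn><service> symlink in a runlevel
directory such as /etc/rc.d/rc3.d points at ../init.d/<service> and starts it;
K* links stop it. audit() reports enabled services outside an allow-list.
Services spawned by inetd (telnet, ftp, finger, shell) are not here: check
/etc/inetd.conf separately."""
import os
import tempfile

RC_DIR = "/etc/rc.d/rc3.d"          # default multi-user runlevel on RH 6.x
# services this thread names as not wanted on a default install
UNWANTED = {"portmap", "nfs", "apmd", "pcmcia", "sendmail", "identd", "lpd"}
# assumed minimal allow-list for a single-purpose box; adjust to taste
ALLOWED = {"network", "syslog", "crond", "random", "keytable", "sshd"}

def enabled_services(rc_dir):
    """Return {service: link_name} for every S* symlink in rc_dir."""
    enabled = {}
    for name in sorted(os.listdir(rc_dir)):
        full = os.path.join(rc_dir, name)
        if not name.startswith("S") or not os.path.islink(full):
            continue
        enabled[os.path.basename(os.readlink(full))] = name
    return enabled

def audit(rc_dir=RC_DIR, allowed=ALLOWED):
    """Return sorted (service, link, verdict) for enabled services not allowed."""
    findings = []
    for service, link in enabled_services(rc_dir).items():
        if service in allowed:
            continue
        verdict = "named in thread as unwanted" if service in UNWANTED else "review"
        findings.append((service, link, verdict))
    return sorted(findings)

def demo():
    """Constructed rc3.d resembling an 'everything' RH 6.2 install."""
    with tempfile.TemporaryDirectory() as tmp:
        rc = os.path.join(tmp, "rc3.d")
        os.makedirs(os.path.join(tmp, "init.d"))
        os.makedirs(rc)
        links = {"S10network": "network", "S11portmap": "portmap",
                 "S30syslog": "syslog", "S40crond": "crond", "S45pcmcia": "pcmcia",
                 "S55sshd": "sshd", "S60lpd": "lpd", "S60nfs": "nfs",
                 "S80sendmail": "sendmail", "S85httpd": "httpd", "K50inet": "inet"}
        for link, svc in links.items():
            os.symlink(os.path.join("..", "init.d", svc), os.path.join(rc, link))
        return audit(rc)

if __name__ == "__main__":
    for service, link, verdict in demo():
        print(f"{link:14s} {service:10s} {verdict}")
```

On a real system run audit() with the default RC_DIR, then disable each finding with the distribution's own tool (chkconfig on Red Hat) rather than deleting links by hand, so the change survives package upgrades.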
OH NO! See, the evil cyber-terrorists have attacked and the TLAs must get their funding to stop it.
Suddenly....*POOF* the attacks _END_. No "bad guys {tm}" were caught, but the problem goes away.
Ooops, here come the FUD and scare tactics again! Time to eliminate some more civil rights to protect us from "cyber-terrorists" and make sure those TLAs charged with fighting this dragon are properly funded!
Maybe this time the feds will attack something on the net that really is meaningful instead of ebay and yahoo. Otherwise, I just ain't buying it.
MSNBC report states that most of the systems which are compromised are Red Hat systems, using a recent exploit, for which patches are available. These compromised systems are surely systems whose admins are either ignorant or crackheads who believe Linux or Red Hat is too secure to be compromised.
This again brings to light the eternal question which begs an answer. Is it the fault of the company behind the OS or the Sys admins who forget to apply the newly released patches who are responsible for these attacks? My opinion would be the latter.
Any piece of code is liable to exploits, including Windows and *nix, and it's quite obvious that the script kiddies behind these attacks do not envisage new exploits, rather piggyback on existing exploits for which users or admins might not have applied the patch. The fault I must say lies with the Admins.
As long as there are systems liable for attack, whether they might be open source or closed, there would be kids who take advantage of the exploits that arise from these systems. Rather than crying foul every time a new exploit is released, the geek community should make sure to plug these holes, rather than pointing fingers.
As long as we dont plug the holes in the Internet Infrastructure which allows these kind of DDOS attacks, that would be the sanest thing to do.
My two cents
Rapid Nirvana
I love linux and I wish it was more secure. I do tend to use redhat for my desktop boxes (it supports a lot of hardware and is the most well-known distro around, mostly). but I'd NEVER put it 'bare' on the net - for all to play with. that's lunacy.
for my public box, it's OpenBSD. I got tired of my linux boxen getting hacked ;-( behind the firewall, linux is very nice - but just don't put it in its DEFAULT config on the public net. if you do, well, it's just a matter of time before you're hacked.
but if redhat at least made the default config totally locked down, they'd enjoy a much better rep. and linux, as a whole, would take less abuse about security issues.
--
"It is now safe to switch off your computer."
I think the solution to script-kiddy wankerism is a revival of the demo scene. Everyone uses GUIs now, so it's harder to program to the metal to make cool demos that cut the edge of technology. That's what these dumb kids should be doing, actually improving their skills and learning something, rather than being destructive and 31337. I'm gonna wager that many Slashdotters know at least a couple kids that are probably warez dudes or 31337-haxors at night. Be a force for good in their lives; show them how they can create with a computer as well as cause problems.
While none of us really need to get in another fight over which OS is better, I have to ask you to give your own post a second look and consider that your view of this situation may be too simple to be accurate: configuring and operating a linux server is different than doing the same with an NT box. For most NT servers, NT installs right off the CD, you fill out the networking info, and start making user logins. All services are either switched on from the control panel or by installing it off another CD with "autorun".
Linux is a different animal. It takes some work to configure one of these things. SendMail, Apache, Samba, X, whatever you need, you configure, and unlike NT, everything is "off" until you turn it "on", and not only by running YaST, but by endlessly tweaking relevant app.conf files. You basically need to know the inner workings of the programs just to get them to run. Of course, you get some pretty exact control in return, but it really does take a degree of effort just to think the program's configuration through. Not that you couldn't put the same time and effort into tweaking an NT box, but the distribution and marketing of NT don't encourage it. It doesn't make NT admins' sloth any less wrong than *nix admins', but the truth is that the culture and attitude that has developed around the two (NT is great because I slap a M$-approved CD in the drive, then sit in my big comfy chair all day and wait for it to crash v. Linux is great because I tweak the hell out of Apache to get it compatible with my perlcgi style then set hosts.allow to all:all because I'm too lazy to map my fscking users) forces the *nix admins to take all the responsibility for their systems while NT can just say "that's the way MS shipped it to us".
Sysadmins of all stripes deserve SOME of the flak for the spread of viruses and the DDOS attacks from their exploited servers, but M$, by taking some of the control over the system away from NT SAs, also must take a proportional share of the responsibility. Consequently, the security audit my single-purpose linux ftp server failed last Thursday is my fault, but the NT guy gets to blame the MS-approved consultant who installed his fileserver.
-jpowers
NFS is grotesquely insecure. If you have to use NFS, use it behind a seriously locked down firewall box. If you can avoid using it, use anything other than it. SMB is also less desirable than others but its design won't leave you open for these attacks. I suggest using AFS or Coda at this point.
I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
Can you believe that? Those evil hackers have figured out how to raise the dead and have them fight for them as a zombie army. Man, this is almost as bad as copying DVD's.
I've been scanning the bait logs on my machine (I run a simple tcp listener on port 111, 23 and others to report scans), and over the last four weeks the rate of scans against the machine has gone up orders of magnitude.
...
Probes to port 111 come about twice a day, from a large range of IPs. These boxes could all be compromised, and being used as part of a worm attack, but I don't have time to track down the postmaster of each of the ip addresses and mail him/her.
Does anyone know if there's a service run by CERT or anyone to report possibly compromised hosts that turn up in our logs too?
If not, it would be pretty useful to have