Slashdot Mirror


Cracking All The Live Long Day & RH6/7 Worms

BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a closely related vein to the Honeynet crack of RH 6.2/7, there's a story on C|Net concerning the "worm", a new exploit set that is popular with the script kiddies on RH 6/7 servers.


  1. RH Crack by wiredog · · Score: 5

    It's in rpc.statd and wu-ftp. More info at CERT

  2. Download Site / Comments by marks · · Score: 4

    LinuxSecurity.com is offering bandwidth to download the images at http://honeynet.linuxsecurity.com/

    A project such as this does such a good job of exposing users to the methodologies of the black hat community. This is a great project for anyone who has ever been hacked or might be hacked in the future. It's an excellent idea to play with a compromised system to see what one looks like, what gets "messed with" and what needs to be fixed.

    -mark

    --

    -mark
    If your computer says LINUX, run...computers can't talk! [unless you have text-speech software]
  3. Analysis of Ramen worm by fizbin · · Score: 5

    This worm has been discussed on the incidents (not bugtraq, as C|Net says) mailing list.

    It's basically a bunch of existing tools snapped together by some brute-force driver scripts.

    My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt. Fifteen minutes of fame, here I come!

  4. Hypocritical? by Ringwraith · · Score: 4

    If this was a story about MS2000 or something, it would be full of comments about how crappy it is. Now it's a story on Linux, and all anyone can talk about is how "it really isn't that bad" and "worms happen." It "really isn't that bad" because it wasn't made to destroy anything--odds are, the next one will be.

    --
    -- Hobbits suck!
  5. Off by default by e_n_d_o · · Score: 5

    I still don't understand why every network service isn't turned off by default. If you need it, you better know how to keep it secure. If you know how to keep it secure, chances are you know how to turn it on.

    AFAIK, any normal RH Linux box needs these system services:

    crond
    keytable
    random
    syslogd
    xfs (if running X)

    A box with this config will show, in "netstat -l", no externally open ports except echo. The only exception to this is when running X, where port 6000 will be opened (personally I firewall this).

    The only thing that MIGHT want to be turned on by default is SSH. But there's really no reason that the user shouldn't have to do even this themselves.

    The problem is obviously the entry-level Unix/mid-level MS users who are starting to use Linux. They need their hands held. So put a $!@#$ memo in the installer that says to read "services.txt" or something to get your system services going. Or, perhaps RH should open a web browser with a "Configuring Services" FAQ when you login to X as root (most people do this, annoying enough).
    ---
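The "netstat -l" check in the comment above, turned into a small audit script. This is an added example, not code from the original post or from Red Hat: it parses the classic `netstat -ln` column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) and reports every listener bound to something other than loopback. The sample output embedded in `SAMPLE` is constructed to look like a Red Hat 6.x box with ftp, portmap and X left on; it was not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit netstat -ln output and
# report sockets that listen on a non-loopback address. Loopback-only
# listeners (127.0.0.1, ::1) are the ones a remote attacker cannot reach,
# so they are filtered out; everything else is "externally open".

# Constructed sample in netstat -ln format; not real captured output.
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:1024            0.0.0.0:*
udp        0      0 127.0.0.1:123           0.0.0.0:*'

# Reads netstat -ln text on stdin; prints "proto port" for each listener
# that is reachable from off the box.
external_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            local = $4
            port = local
            sub(/.*:/, "", port)            # keep only the part after the last colon
            # UDP rows have no State column; TCP rows must be in LISTEN
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            # skip loopback-only bindings (IPv4 127/8 and IPv6 ::1)
            if (local ~ /^127\./ || local ~ /^::1:/) next
            print $1, port
        }'
}

# Number of external listeners in the constructed sample.
count_external() {
    printf '%s\n' "$SAMPLE" | external_listeners | wc -l | tr -d ' '
}

# Real usage on a live box:  netstat -ln | external_listeners
printf '%s\n' "$SAMPLE" | external_listeners
```

On the constructed sample this prints tcp 21, tcp 111, tcp 6000, udp 111 and udp 1024; the two loopback services (SMTP on 25 and NTP on 123) are dropped. Port 111 is the portmapper that rpc.statd registers with, 21 is wu-ftpd and 6000 is the X server the comment suggests firewalling, so an empty list (or just echo) is the state the poster describes as the safe default.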

  6. Sloppy sys admins by Rudeboy777 · · Score: 4

    It's pretty sloppy for RH to leave security fixes for these holes out of 7.0, but anyone running a server on a high-bandwidth line should probably know enough to get security updates frequently. Nobody deserves to get hacked, but you need to expect the worst as a sys admin. Leaving the default install on a server is absolutely amateurish.

    --

    From hell's heart I fstab at /dev/hdc

  7. Under the rug? by Speare · · Score: 5

    I expect this'll get modded down, but...

    It seems that the RedHat exploit is at least as big a story as the Honeypot project. While they're both 'cracker' related, one is an opt-in research project and one is an advisory news item.

    Don't they deserve separate top-level stories to clear it up? This isn't some downgraded Slashback or quickies thing. Both deserve their own thread.

    Or is it just negative news about a pet issue, getting swept into a little dark corner at the end of something else?

    --
    [ .sig file not found ]