Slashdot Mirror


Cracking All The Live Long Day & RH6/7 Worms

BoomMike writes "While the popular media drools over eWEEK magazine's contrived Open Hack Challenge, which offers modest cash prizes for cracking a carefully arranged network, real geeks can compete in the Honeynet Project's new Forensic Challenge, and pick up the trail of a hacker who cracked one of the project's Linux-based honeypots last November. Mount the file system images and pore through the IDS logs to figure out the who, what, where, when, why and how of the attack, and you can win a book. SecurityFocus has the story." In a closely related vein to the Honeynet crack, there's a story on C|Net concerning the RH6.2/7 "worm", a new exploit set that is popular with the script kiddies on RH 6/7 servers.

4 of 120 comments

  1. RH Crack by wiredog · Score: 5

    It's in rpc.statd and wu-ftp. More info at CERT

  2. Analysis of Ramen worm by fizbin · Score: 5

    This worm has been discussed on the incidents (not bugtraq, as C|Net says) mailing list.

    It's basically a bunch of existing tools snapped together by some brute-force driver scripts.

    My analysis is at http://members.home.net/dtmartin24/ramen_worm.txt. Fifteen minutes of fame, here I come!

  3. Off by default by e_n_d_o · Score: 5

    I still don't understand why every network service isn't turned off by default. If you need it, you better know how to keep it secure. If you know how to keep it secure, chances are you know how to turn it on.

    AFAIK, any normal RH Linux box needs these system services:

    crond
    keytable
    random
    syslogd
    xfs (if running X)

    A box with this config, as "netstat -l" shows, has no externally open ports except echo. The only exception to this is when running X: port 6000 will be opened (personally I firewall this).

    The only thing that MIGHT want to be turned on by default is SSH. But there's really no reason that the user shouldn't have to do even this themselves.

    The problem is obviously the entry-level Unix/mid-level MS users who are starting to use Linux. They need their hands held. So put a $!@#$ memo in the installer that says to read "services.txt" or something to get your system services going. Or, perhaps RH should open a web browser with a "Configuring Services" FAQ when you login to X as root (most people do this, annoying enough).
    ---
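A way to check the claim in this comment on a real box, as an added example that is not part of the Slashdot post: audit the output of `netstat -l` against an allowlist of ports that are expected to be reachable from outside. The listing below is a constructed sample in the format of a 2.2-era `netstat -l` (not captured from a real host), and the allowlist (`echo`, plus `x11` when running X) is taken from the poster's own description. The `sunrpc` and `ftp` entries in the sample correspond to the portmapper used by rpc.statd and to wu-ftpd, the two services named in comment 1, so a minimal box should flag them.

```shell
#!/bin/sh
# Added example: flag listeners bound to all interfaces (*:port) that are not
# on an allowlist. Local-only binds (localhost:port) are ignored, since they are
# not externally reachable.

# Constructed sample "netstat -l" output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:sunrpc                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:echo                  *:*                     LISTEN
tcp        0      0 localhost:smtp          *:*                     LISTEN
tcp        0      0 *:x11                   *:*                     LISTEN
udp        0      0 *:sunrpc                *:*'

# Ports the comment accepts as externally open: echo, and X's 6000 (x11) if running X.
ALLOWED="echo x11"

# unexpected_listeners NETSTAT_OUTPUT ALLOWLIST
# Prints "proto port" for each externally reachable listener not in the allowlist.
unexpected_listeners() {
  printf '%s\n' "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Only tcp/udp rows whose local address is bound to every interface ("*:port").
    $1 ~ /^(tcp|udp)/ && $4 ~ /^\*:/ {
      port = substr($4, 3)
      if (!(port in ok)) print $1, port
    }'
}

# unexpected_count NETSTAT_OUTPUT ALLOWLIST
# Number of unexpected listeners; 0 means the box matches the allowlist.
unexpected_count() {
  unexpected_listeners "$1" "$2" | wc -l | tr -d ' '
}

# On a live box, replace the constructed sample with: netstat -l | unexpected_listeners ...
# or, more simply, pass "$(netstat -l)" as the first argument.
unexpected_listeners "$SAMPLE_NETSTAT" "$ALLOWED"
```

Run against the sample this prints `tcp sunrpc`, `tcp ftp` and `udp sunrpc`; the localhost-bound smtp listener is not reported because it is not reachable from the network. Anything the script reports is a service that is either on the allowlist for a reason you can state, or should be turned off in the runlevel configuration as the comment suggests.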

  4. Under the rug? by Speare · Score: 5

    I expect this'll get modded down, but...

    It seems that the RedHat exploit is at least as big a story as the Honeypot project. While they're both 'cracker' related, one is an opt-in research project and one is an advisory news item.

    Don't they deserve separate top-level stories to clear it up? This isn't some downgraded Slashback or quickies thing. Both deserve their own thread.

    Or is it just negative news about a pet issue, getting swept into a little dark corner at the end of something else?

    --
    [ .sig file not found ]