The Reverse Challenge: Winners Announced
asqui writes: "The Reverse Challenge was a contest from The Honeynet Project to essentially reverse engineer a binary captured in the wild running on a compromised honeypot. The contest ran during May of this year and the submissions have been judged and the winners announced. Dion Mendel took first place with 43.4 points out of a possible 50. The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11. This binary is currently being used in the wild but there is little reported activity, probably because sysadmins are focused on the other more dominant protocols."
A smart Sysadmin knows to check slashdot.org once per day to see what irresponsible hints you are giving to script kiddies..
Of course without these slashdot.org posts I would be out of a job.. so I guess hey, bring on more slashdot.org posts!
!skcor todhsalS !tsetnoC esreveR eht si ti esuaceb esrever ni tnemmoc a gnivael ma I
Pooh has got his head stuck in the honeypot!
This is great. From the source: /*
* dns queries:
* SOA queries for
* com
* net
* de malformed packet
* edu
* org
* usc.edu
All of these dumbass machines (mostly in Australia) kept hitting my primaries with questions for those! I couldn't figure it out, and no amount of searching on Usenet turned up any help. Now at least I know it's due to some idiot worm drilling me.
Now I get to convert my IP addresses to hex and see what else is up there in that table. Blah.
Feb 22 09:16:46 dns1 named[58]: denied query from [203.134.113.201].4763 for "usc.edu" IN
Did anyone else see this?
http://www.ietf.org/rfc/rfc741.txt
The important design objectives of the Network Voice Protocol (NVP) are:
- Recovery of loss of any message without catastrophic effects. Therefore all answers have to be unambiguous, in the sense that it must be clear to which inquiry a reply refers.
- Design such that no system can tie up the resources of another system unnecessarily.
- Avoidance of end-to-end retransmission.
- Separation of control signals from data traffic.
- Separation of vocoding-dependent parts from vocoding-independent parts.
- Adaptation to the dynamic network performance.
- Optimal performance, i.e. guaranteed required bandwidth, and minimized maximum delay.
- Independence from lower level protocols.
I've been reading this site for the last few years. In the last few days, I realized that I only read it out of habit, and I've been frantically trying to find any reason to continue reading. I want some reason to justify my behaviour all this time -- something to prove that I haven't been wasting my time. I've found no reason. It seems to me that all the technically capable people have long ago left or stopped posting, and all that remain are a bunch of dumb-ass losers with no real skills or insight.
The stories were never the reason to read this site -- CmdrTaco and the rest are not stupid, but they are pretty damned smug, not nearly as smart as they think they are, and simply don't have anything very interesting to say. Their stories were interesting only as long as they were able to generate interesting replies. They no longer do. I don't know if SlashDot has simply imploded on its own popularity, or if abuses of the Moderation system have driven off the sensible posters, or if my own standards have changed. But I do know I'm no longer interested in reading anything on this site.
See you all on the dark side.
What a fabulous troll your post was.... or how fabulously stupid you are. It's impossible to tell.
While trolling takes on many forms, many of them merely being nuisances (crapflooding, goat links, page widening, etc) you'll find the vast majority of trolling occurring in posts similar to posts such as your original. On Slashdot, well-thought out and reasoned posts have become indistinguishable from trolls. This is made all the more obvious by the dimness of the moderators who would mod you down -1 in a heartbeat if not for the length of your post (as if that were the measure of an argument).
I too am a troll, much along the same lines as you (though perhaps you don't realize yourself as such yet). I used to post, IMO, well argued posts and was consistently modded down by the Slashdot groupthink moderators. This is not to say that I didn't eventually hit the karma cap, but that along the way it was painfully obvious that my pro-Windows, anti-GPL opinion was not tolerated here.
Upon the realization of that I had my epiphany that pearls are not to be given to swine (this seems to be the same satori experience you are having now). Pigs deserve slop, and now that is all they get from me.
In any case, I'm not one of the nuisance trolls as I listed above, but one of the provocative trolls such as yourself (please do not take offense, this is not an insult as it may first appear). The Slashdot feeding frenzy that follows any post that attempts to support Microsoft or attack Linux or posit Creationism is a wondrous thing to watch, much like a thunderstorm or a supernova. The one difference is that you, the troll, have total control over the experience, much like a god who views his masterpiece from another dimension.
This is not to say that Slashdot is void of intellectual content. On the contrary, you'll find quite a bit of interesting information in the Science and Developer sections. You will find *no* intellectual content in the YRO section.
It's a travesty that a good idea like Slashdot, allowing users to create their own content, has succumbed to the mindless pursuit of mental masturbation of FSF zealots.
So while this may be the end of your Slashdot infancy, I think you will find your maturation into a Slashdot provocateur quite fulfilling and fun. Isn't that why you joined the technology revolution in the first place?
/. effect..... Do I win?
There have been two responses to this post so far, not counting this one. Let's look at the moderations.
First we have this one which is entitled "On Trolls". It seems to be a nicely worded treatise on the personal conversion of the author from productive member of Slashdot society to trolldom. There is no flaming, no swearing, nothing at all that one would normally consider offensive. It is marked down to -1 Offtopic.
Next, let's look at the second response to the original post. It is filled with flames and vulgar language. It is neither well thought out nor well worded. It is crass and pedestrian. Yet it has yet to be moderated.
It is difficult to extrapolate solid conclusions from this data, but the analysis at face value shows that random flaming and swearing is more valuable than well considered arguments. More data is needed on this topic, but the preliminary findings clearly point towards the aforementioned hypothesis as true.
I start out with ...
echo " Deny and Reject Everything"
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
Will the above block out all protocols or do I have to DENY them one at a time.
About the binary (Score:5, Informative)
by eaglesnax on Monday July 08, @12:13AM (#3839660)
(User #238705 Info)
I participated in the contest, and to answer a few questions:
1) Protocol 11 is used in this tool simply as a messaging protocol. No attempt was made by the author to adhere to the published NVP RFC. The author simply sticks 11 in the protocol field of the IP header. Think of each packet as a UDP packet, no handshake, etc...
2) Protocol 11 is not used to perform any of the DoS attacks. The attacks are fairly standard DoS attacks like TCP SYN, and ICMP echo floods.
3) Protocol 11 get through many firewalls because sysadmins only set up rules to block unwanted TCP, UDP, and ICMP packets.
4) Single incoming protocol 11 packets are used to trigger compromised hosts to perform selected DoS attacks
I hope that helps
Chris
Re:About the binary by pmineiro (Score:1) Monday July 08, @01:39AM
Oh c'mon... (Score:4, Informative)
by stirfry714 on Sunday July 07, @10:53PM (#3839358)
(User #410701 Info)
In response to the people criticizing the information about the protocol used...
Now someone can't even mention general characteristics of a hack without being criticized for giving information to "script kiddies" or "trojan writers"?
We know that security through obscurity is a poor excuse. I'd rather have this stuff out in the open so I and others can deal with it, than have it known only to a few...
Fascinating (Score:3, Informative)
by SpatchMonkey (what's that?) on Sunday July 07, @10:43PM (#3839322)
(User #300000 Info)
This really is fascinating stuff. Note that most of the entrants used the disassembler known as IDA, available here [datarescue.com]. There was also much discussion of this contest recently on various security-related mailing lists. [securityfocus.com]
Hopefully they will be doing a similar contest again next year. In the meantime, I guess we'll just have the Scan of the Month to analyse.
I should have asked before the contest but (Score:3, Funny)
by jsse on Sunday July 07, @10:50PM (#3839347)
(User #254124 Info | http://slashdot.org/ | Last Journal: Wednesday May 22, @09:55AM)
How can we tell if some of the contestants were not the same group of persons using that binary?
If this was the case then reverse engineering it might be pretty straight forward.
Just wonder, not accusation made.
Re:I should have asked before the contest but by alphaCoward (Score:1) Monday July 08, @01:23AM
Protocol 11 information (Score:3, Informative)
by lingqi on Sunday July 07, @10:56PM (#3839383)
(User #577227 Info)
P. 11 is RFC 741 - NVP (network voice protocol)
look at it here [networksorcery.com].
Re:Protocol 11 information Sunday July 07, @11:07PM
Re:Protocol 11 information Sunday July 07, @11:17PM
Re:Protocol 11 information Monday July 08, @12:24AM
Re:Protocol 11 information by ctar (Score:1) Monday July 08, @12:40AM
Explanation of "Protocol 11" (Score:3, Informative)
by josh crawley on Sunday July 07, @11:27PM (#3839516)
(User #537561 Info)
Well, what I've pulled from websites and the RFC:
1: It's a protocol. In IP speak, it's under the same section that TCP(6), UDP(17), ICMP(1), and others fit under. On unix boxen, it can be found in /etc/protocols. The protocol specification is in the header of the 20 byte beginning part of the IPv4 datagram. It's an 8 bit field.
2: It was created specifically for voice transfers, along with "telephone emulation" (just the way you interface with the tele). I believe that many, if not all, webphones use this IP protocol. I also think that GSM and US telephones(that use IP networks) use this protocol to transfer voice data.
Some were asking how this could flood your system.... Well, what's the difference TCP and UDP? Or how about ping floods??? Well, it's all data being sent to you. Doesnt matter what 8 bit field is switched... It's still garbage data (if you didnt request it). It fills up your receving connection.
Hopefully I've explained what this is. I'll probably be modded redundant as somebody probably wrote a better "explanation" while I wrote mine. Oh well.
Re:Explanation of "Protocol 11" by Frater 219 (Score:2) Monday July 08, @12:21AM
Re:Explanation of "Protocol 11" by jareds (Score:2) Monday July 08, @12:21AM
Re:Explanation of "Protocol 11" by meanman (Score:1) Monday July 08, @12:13AM
this one goes to eleven (Score:2)
by Dr. Awktagon on Sunday July 07, @10:50PM (#3839348)
(User #233360 Info | http://slashdot.org/)
*checks /etc/protocols* What the hell is protocol 11?
Do routers even route protocol 11? Would it make it to its DoS destination? Interesting. Per usual slashdot behaviour, I haven't read the articles yet, but I hope they discuss this a little more.
Hmm.......
Re:this one goes to eleven by maunleon (Score:3) Sunday July 07, @11:16PM
Re:this one goes to eleven by MavEtJu (Score:3) Monday July 08, @12:34AM
Re:this one goes to eleven by Anonymous Coward (Score:1) Sunday July 07, @11:23PM
Forgive my naiveness but (Score:2)
by jsse on Sunday July 07, @10:58PM (#3839388)
(User #254124 Info | http://slashdot.org/ | Last Journal: Wednesday May 22, @09:55AM)
What is the use of protocol 11?
Would it be harmful if I just block it off?
How may I do the blocking with ipchains and iptables?
Thanks
Re:Forgive my naiveness but (Score:4, Informative)
by elandal on Sunday July 07, @11:47PM (#3839585)
(User #9242 Info | http://slashdot.org/)
It's Network Voice Protocol, and it's safe to block unless You use it (and You should know if You do).
I have default DENY, and specific ACCEPT rules. As everything I do ACCEPT contains a protocol, this means that unknown protocols are denied. For as long as You run only IPv4, no multicast, and so on (like most people do - although IPv6 is gaining), You only need icmp, igmp, tcp, and udp. Read /etc/protocols for mysterious acronyms.
If You default to ACCEPT, or have very broad ACCEPT rules based on just eg. the IP addresses, You can, with ipchains, deny as follows:
ipchains -A input -j DENY -p nvp
Not tested, but should work.
Re:Forgive my naiveness but by Craig Davison (Score:1) Monday July 08, @12:08AM
Re:Forgive my naiveness but by catbutt (Score:1) Monday July 08, @01:42AM
ObSpinalTapRef (Score:2)
by tswinzig on Sunday July 07, @11:16PM (#3839484)
(User #210999 Info | http://teddy-swinzig.com/)
"This protocol goes to eleven."
achtung! (Score:1)
by eyegor on Sunday July 07, @10:42PM (#3839316)
(User #148503 Info)
Quickly!!! Arrest the winners!!! They have obviously violated the DMCA!!!
Re:achtung! by Anonymous Coward (Score:1) Monday July 08, @12:01AM
MmmmmMMm (Score:1)
by Eidolon909 on Sunday July 07, @10:42PM (#3839317)
(User #589869 Info)
I have a cunning plan, Lord Blackadder.
the prize... (Score:1)
by skydude_20 on Sunday July 07, @10:42PM (#3839319)
(User #307538 Info)
...for saving the honeypot, your own poohbear doll
Re:the prize... Sunday July 07, @11:01PM
Bad joke (Score:1)
by KlippoKlondike on Sunday July 07, @10:50PM (#3839350)
(User #558812 Info)
Actually, the winner cheated. They used a 2. Oh man, i kill myself.
Reverse-Engineering Their HTML (Score:1)
by great throwdini on Sunday July 07, @10:52PM (#3839354)
(User #118430 Info)
The results link posted above (http://project.honeynet.org/reverse/results/) is wonderfully tortured HTML ... with the pleasing side-effect of triggering a mouseover color change for over half the text in the opening paragraph when rendered with Mozilla.
Hey, I found it interesting...
Re:Reverse-Engineering Their HTML by Com2Kid (Score:1) Sunday July 07, @11:01PM
Re:Reverse-Engineering Their HTML Sunday July 07, @11:04PM
Re:Reverse-Engineering Their HTML by neuroticia (Score:1) Monday July 08, @01:45AM
Re:Reverse-Engineering Their HTML Sunday July 07, @11:43PM
Forgive my naiveness but (Score:1)
by jsse on Sunday July 07, @10:53PM (#3839357)
(User #254124 Info | http://slashdot.org/ | Last Journal: Wednesday May 22, @09:55AM)
What does protocol do? Would it be harmful if I block it off?
How may I do that with ipchains and iptables?
Re:Forgive my naiveness but (Score:5, Informative)
by GigsVT on Sunday July 07, @10:58PM (#3839393)
(User #208848 Info | Last Journal: Sunday July 07, @08:25PM)
"Network Voice Protocol"
Your guess is as good as mine. As usual, someone who had no previous clue about nvp will google it and make a +5 informative post, so just wait for that.
As far as blocking it in ipchains,
ipchains -A input -s 0/0 -d 0/0 -p 11 -j DENY
Re:Forgive my naiveness but by jsse (Score:1) Sunday July 07, @11:01PM
Re:Forgive my naiveness but (Score:4, Informative)
by mamba-mamba on Sunday July 07, @11:51PM (#3839593)
(User #445365 Info)
I suggest you read the info on the pages referenced in the top-level post. Here is an excerpt.
Detection
=========
Any network traffic using an unusual protocol should be suspect. This tool
uses protocol 11, but could easily be recompiled to use another protocol.
As protocol 11 is not currently used, any network traffic using this
protocol should be assumed to be communication between handlers and agents
of this tool. The signature for detecting agent / handler communication
was described in the previous section.
Note that the source address of a packet from handler -> agent should not
be assumed to be the actual address of the handler. The source address in
the IP header is most likely to be spoofed. Similarly, data from agent ->
handler is often faked to increase the difficulty of tracing the attacker's
whereabouts.
To hide from casual detection, the agent changes its process name to
[mingetty].
This is the standard getty for RedHat, and Slackware versions pre 7.0.
To detect a running agent on a system, netstat can be used to determine
if any processes are using protocol 11. The following command and
response shows a running agent process.
# netstat -pan | grep raw | grep
raw 0 0 0.0.0.0:11 0.0.0.0:* 7 5226/[mingetty]
If found, all instances of mingetty should be killed (to ensure that
children are caught as well). This will kill valid mingetty processes
as well, but they will be respawned by the init process.
# ps ax | grep mingetty | grep -v grep | awk '{print $1}' | xargs kill -9
The system should immediately be taken off the network and analysed to
determine how the attacker gained root access.
I don't believe it would do you any harm to block protocol 11. I would recommend that you block all protocols except for udp, icmp, and tcp, while you are at it. In fact, you can probably allow TCP and UDP only if you are a home user. I would just allow ICMP for the hell of it. Just set up a default incoming policy for all packets of "DROP," then accept all TCP packets, or all TCP packets meeting certain criteria, as desired. iptables allows you to specify protocols by number or name in a rule, using the "-p" parameter.
You should be able to block everything except TCP with something like:
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -p TCP -j ACCEPT
if you also want to accept UDP (you do), then add this:
iptables -A INPUT -p UDP -j ACCEPT
for ICMP:
iptables -A INPUT -p ICMP -j ACCEPT
Note that ping, and a variety of other things, use ICMP, so I recommend that you enable it.
Proper firewall configuration is a complex topic (and I'm not an expert at it). What I have posted above is not intended to create a safe firewall. I am hoping that you can figure the rest out yourself, or modify the above to suit your needs.
I have to run, so good luck.
MM
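The write-up excerpt quoted above says any traffic carrying an unusual protocol number is suspect, and eaglesnax's "About the binary" post explains that the agent simply puts 11 in the IP header's protocol field with no NVP framing at all. The detector below is an added example written for this thread, not code from the Honeynet Project, the contest entries or the analysed binary: it parses raw IPv4 headers, checks version, IHL, total length and header checksum, and reports protocol 11 (and any other number outside a small allowlist) while treating the source address as untrustworthy, since the write-up notes it is most likely spoofed. The sample packets, the addresses in them and the `EXPECTED` allowlist are constructed here and are not taken from the page.

```python
"""Flag IPv4 packets carrying an unusual transport protocol number.

Added example for this thread; not code from the Honeynet write-up or from
the analysed binary. The agent discussed here simply puts 11 in the 8-bit
protocol field of the IP header (no RFC 741 framing), so a detector only
needs the outer IPv4 header. All sample packets below are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Protocol numbers a plain IPv4 host normally needs (names as in /etc/protocols).
ICMP, IGMP, TCP, UDP = 1, 2, 6, 17
EXPECTED = {ICMP, IGMP, TCP, UDP}   # assumed allowlist; tune to your own traffic
NVP = 11                            # number this thread's agent listens on


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words.

    Returns 0 when run over a header whose checksum field is already valid.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a 20-byte IPv4 header plus payload (used here only to construct samples)."""
    def quad(a: str) -> bytes:
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, quad(src), quad(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


@dataclass
class Finding:
    src: str      # reported for context only; the write-up says it is likely spoofed
    dst: str
    proto: int
    reason: str


def inspect(packet: bytes) -> Optional[Finding]:
    """Return a Finding for a suspect packet, or None if it looks ordinary."""
    if len(packet) < 20:
        return Finding("?", "?", -1, "truncated: shorter than a minimal IPv4 header")
    if packet[0] >> 4 != 4:
        return None                       # not IPv4; out of scope here
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return Finding("?", "?", -1, f"bad IHL {ihl}")
    header = packet[:ihl]
    total_len = struct.unpack("!H", header[2:4])[0]
    proto = header[9]
    src = ".".join(map(str, header[12:16]))
    dst = ".".join(map(str, header[16:20]))
    if ipv4_checksum(header) != 0:
        return Finding(src, dst, proto, "header checksum mismatch")
    if total_len > len(packet):           # link-layer padding may make a capture longer, never shorter
        return Finding(src, dst, proto, "total length exceeds captured bytes")
    if proto == NVP:
        return Finding(src, dst, proto,
                       "protocol 11: possible handler->agent command (source likely spoofed)")
    if proto not in EXPECTED:
        return Finding(src, dst, proto, f"unusual protocol number {proto}")
    return None


def scan(packets: List[bytes]) -> List[Finding]:
    """Run inspect() over a capture and keep only the suspect packets."""
    return [f for f in (inspect(p) for p in packets) if f is not None]


# Constructed sample traffic: two ordinary packets, one agent trigger, one GRE packet.
SAMPLES = [
    build_ipv4("10.0.0.1", "10.0.0.2", TCP, b"\x00" * 20),
    build_ipv4("10.0.0.1", "10.0.0.2", UDP, b"\x00" * 8),
    build_ipv4("192.0.2.7", "10.0.0.2", NVP, b"\x01\x02synflood"),
    build_ipv4("10.0.0.9", "10.0.0.2", 47, b""),
]

if __name__ == "__main__":
    for f in scan(SAMPLES):
        print(f"{f.src} -> {f.dst} proto={f.proto}: {f.reason}")
```

Feed `scan()` the IP-layer bytes of each frame from a capture (strip the link-layer header first) and act on findings by destination host, since the handler's source address is the one thing in the packet you should not believe. Blocking everything but the four allowlisted protocols at the firewall, as elandal and mamba-mamba describe above, stops the trigger packets; this detector tells you which hosts were being triggered.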
Re:Forgive my naiveness but by CoolVibe (Score:2) Monday July 08, @12:35AM
Re:Forgive my naiveness but by SpatchMonkey (Score:1) Sunday July 07, @11:07PM
Re:Forgive my naiveness but by SpatchMonkey (Score:2) Sunday July 07, @11:10PM
Re:Forgive my naiveness but by Meowing (Score:1) Monday July 08, @01:50AM
Re:Forgive my naiveness but by maunleon (Score:1) Sunday July 07, @11:20PM
Re:Forgive my naiveness but by maunleon (Score:1) Sunday July 07, @11:22PM
Re:Forgive my naiveness but Sunday July 07, @10:55PM
Interesting summary (Score:1)
by Anonymous Coward on Sunday July 07, @11:15PM (#3839480)
From the bonus questions [honeynet.org]:
Summary
The program was written in 2000, being inspired by the media attention of the trinoo and TFN DDOS tools. The programmer is most likely young with limited personal resources. The programmer has a low skill level and resorts to the "cut and paste" style of programming. The programmer possibly resides in Europe and socialises with other blackhat style programmers. The programmer is male, overweight and has no social life other than his computer. He wears glasses and was bullied throughout school. He uses computers as a way of getting back at the world which has maligned him. You decide where reality steps aside and Hollywood takes over.
Re:Interesting summary Sunday July 07, @11:42PM
Arg... (Score:1)
by Peridriga on Sunday July 07, @11:35PM (#3839539)
(User #308995 Info)
Oh The Irony Of It All
tool for performing remote DoS attacks
Re:Arg... by damiam (Score:2) Sunday July 07, @11:45PM
Is it really NVP? (Score:1)
by maunleon on Sunday July 07, @11:42PM (#3839566)
(User #172815 Info)
So here's my question... since everybody is calling this protocol NVP..
Most machines are not configured to handle NVP. Windows, I don't even know if it has such support. So why did the writer choose NVP? Who is listening to it?
Or is it more correct to say that the writer simply happened to tag his IP packets with #11 as the protocol, which just HAPPENS to be NVP? His implementation may really have nothing to do with NVP except that it uses the same protocol #.
Of course, the source has been DoSed (or slashdotted, however you want to put it) so I can't really look at it.
$28,000 (Score:1)
by tek_hed on Monday July 08, @01:40AM (#3839924)
From the results page [honeynet.org]:
The cost to contract out this analysis would most likely run at least $350 an hour. At that rate, the average cost for analyzing this binary would have been $28,000.
This must be good news for the participants, not to mention the winners!
d'oh! (Score:0, Troll)
by Jucius Maximus (j13moh@nOsPAm.netscape.net) on Sunday July 07, @10:41PM (#3839307)
"The binary turned out to be a tool for performing remote DoS attacks from compromised hosts, with its instructions being cunningly supplied via the lesser known IP protocol 11."
You have just caused an evil-grin to appear on the faces of many trojan writers. They now have another 'cunning' trick to add to their arsenal.
I am a big fat dumb idiot. (Score:0)
by Anonymous Coward on Sunday July 07, @10:43PM (#3839323)
I don't understand. What is IP protocol 11?
a smart Sysadmin (Score:0, Troll)
by linuxislandsucks on Sunday July 07, @10:45PM (#3839333)
A smart Sysadmin knows to check slashdot.org once per day to see what irresponsible hints you are giving to script kiddies..
Of course without these slashdot.org posts I would be out of a job..so I guess hey bring on more slashdot.org posts!
tnemmoC esreveR (Score:0)
by Smelly Jeffrey on Sunday July 07, @10:50PM (#3839349)
!skcor todhsalS !tsetnoC esreveR eht si ti esuaceb esrever ni tnemmoc a gnivael ma I
Need help! (Score:0, Offtopic)
by ObviousGuy (ObviousGuy@hotmail.com) on Sunday July 07, @10:53PM (#3839359)
Pooh has got his head stuck in the honeypot!
This has been annoying the hell out of me (Score:0)
by Anonymous Coward on Sunday July 07, @11:03PM (#3839424)
This is great. From the source:
* dns queries:
* SOA queries for
* com
* net
* de malformed packet
* edu
* org
* usc.edu
All of these dumbass machines (mostly in Australia) kept hitting my primaries with questions for those! I couldn't figure it out, and no amount of searching on Usenet turned up any help. Now at least I know it's due to some idiot worm drilling me.
Now I get to convert my IP addresses to hex and see what else is up there in that table. Blah.
Feb 22 09:16:46 dns1 named[58]: denied query from [203.134.113.201].4763 for "usc.edu" IN
Did anyone else see this?
Here's the RFC straight from the horse's mouth. (Score:0)
by tim0thy on Sunday July 07, @11:10PM (#3839459)
http://www.ietf.org/rfc/rfc741.txt [ietf.org]
Usefulness of NVM/Port 11 (Score:0)
by tim0thy on Sunday July 07, @11:13PM (#3839473)
The important design objectives of the Network Voice Protocol (NVP) are:
- Recovery of loss of any message without catastrophic effects. Therefore all answers have to be unambiguous, in the sense that it must be clear to which inquiry a reply refers.
- Design such that no system can tie up the resources of another system unnecessarily.
- Avoidance of end-to-end retransmission.
- Separation of control signals from data traffic.
- Separation of vocoding-dependent parts from vocoding-independent parts.
- Adaptation to the dynamic network performance.
- Optimal performance, i.e. guaranteed required bandwidth, and minimized maximum delay.
- Independence from lower level protocols.
What the Fuck? (Score:0, Troll)
by You'reAFuckingMoron on Sunday July 07, @11:25PM (#3839514)
I've been reading this site for the last few years. In the last few days, I realized that I only read it out of habit, and I've been frantically trying to find any reason to continue reading. I want some reason to justify my behaviour all this time -- something to prove that I haven't been wasting my time. I've found no reason. It seems to me that all the technically capable people have long ago left or stopped posting, and all that remain are a bunch of dumb-ass losers with no real skills or insight.
The stories were never the reason to read this site -- CmdrTaco and the rest are not stupid, but they are pretty damned smug, not nearly as smart as they think they are, and simply don't have anything very interesting to say. Their stories were interesting only as long as they were able to generate interesting replies. They no longer do. I don't know if SlashDot has simply imploded on its own popularity, or if abuses of the Moderation system have driven off the sensible posters, or if my own standards have changed. But I do know I'm no longer interested in reading anything on this site.
See you all on the dark side.
FROST DDOSED PIST (Score:0)
by Anonymous Coward on Monday July 08, @12:42AM (#3839750)
Haha suck it trolls I 0wn you I got the frosty DDOS pist or for you nonl33t trolls and mods, the first DDOS post! haha who 0wnz j00? I 0wnz j00!
An ipchains question (Score:0)
by Anonymous Coward on Monday July 08, @01:47AM (#3839952)
I start out with
echo " Deny and Reject Everything"
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
Will the above block out all protocols, or do I have to DENY them one at a time?
First musical post! (Score:-1)
by Mr F J Musical-Troll on Sunday July 07, @10:39PM (#3839297)
Another first post, another song [hypermart.net].
Jerry Was A Race Car Driver (Score:-1)
by The Lyrics Guy on Sunday July 07, @10:42PM (#3839315)
Analingus (Score:-1, Troll)
by Anonymous Coward on Sunday July 07, @10:53PM (#3839367)
The Art of Licking Butt
I lick girls' rumps. I like to lick girls' rumps. Girls like to have their rumps licked. Most girls won't admit they've had their rump licked, let alone enjoyed having their rump licked. But believe you me, if you lick a girl's rump, she'll love you for life. In fact, that was my high school yearbook quote.
My conviction to "slurping the brown pucker" doesn't stem from some traumatic experience I encountered during my anal stage of Freudian development. I mean, sure mommy dearest used to administer the "Burning Knitting Needle Catheter Punishment" when I would accidentally "makey poo-poo in me diap-diaps," but I knew that mommy dearest's austere methods of discipline were only an expression of her unconditional maternal love. No, my affinity for heiney hole spelunking was motivated and fostered by my anatomical, not psychological, irregularities.
You see, I have a small penis.
Forget about the penile deficiency that cruelly yet so naturally accompanies the average Anglo-Saxon male, it's much worse than that. For instance, after a cold shower I look like a seven year old. Girl. I often wish I were hung like a black guy. No, not from a poplar tree. I mean "hung" in terms of having a penis the size of an enraged Ugandan spitting cobra and testicles that resemble an immigrant Italian mother's Christmas dinner meatballs.
"What fuck wrong you? That where poop come from!"
So, long before I convinced that first girl (without the use of Thunderbird wine or a cast-iron mallet) that I wasn't so repulsive when compared to Rocky Dennis of Mask fame, I knew I would have to go the extra mile down Aretha (Urethra) Franklin's "Freeway of Love." Yes, I would have to go down like ValuJet.
On one of my first G-spot mining expeditions I struck climactic gold. While I observed a slight twitching as my tongue found my attractive victim's tinkle hole (as it is technically known), I noticed an almost epileptic reaction when I accidentally lapped her greasy donut. From that moment on, my cheese curl of a penis was not an issue, for I had found a way to fill the void, and it was by filling the void with my tongue. Black hole tongue won't you come?
After a cold shower I look like a seven year old. Girl.
When I divulge to other guys that I French kiss the devil's onion ring, their reaction is usually, "What fuck wrong you? That where poop come from!" First I ask them why they're talking like Cro-Magnon men, then I explain that there is a significant difference between a female's buttocks and the buttocks of her male counterparts. A guy's ass is a fecal cavern of pooplagtites and pooplagmites formed when ass broth continuously smothers and cakes sweaty mounds of bung fur. Dung dreadlocks if you will. In other words, it would be comparable to making out with a pet store's garbage can in mid-July. In contrast, it is imperative that a female maintain a high level of rectal cleanliness to safeguard her vagina from infection. In general, girls' sphincters are cleaner than boys' mouths. But let me warn you perspective stool munchers. Excremation point! On one occasion, I looked like I had just eaten a Snickers bar. They have peanuts in them, you know.
In general, performing analingus will prove to be a pleasurable experience for both you and your female companion. So don't kiss your girlfriend's ass, eat it. If you want her as a soul mate, be an ass soul mate. Because much like this article, true love is tongue and cheek.
I have the first post assgoblins. (Score:-1, Troll)
by Anonymous Coward on Sunday July 07, @11:15PM (#3839481)
Please see subject line. I win. All praise to your deity of personal choice.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2002 OSDN.
I spent a little time reading the solutions of the winner, and of the #9 guy who won the $200 gift certificate for the most concise answer. I clicked on the "cost estimate" link for the winner.
I thought it would be one of those vaporous confabulations of how many BILLIONS of dollars' worth of corporate man hours would be lost to this exploit. Surprise! It's an estimate of what he would charge you to do this, if you were paying him ~$70k a year. If you don't want to click, it was about $3500 for the winner, and about $850 for the 9th place guy.
Then I started clicking a couple at random, and I noticed that the various cost analyses of various teams seem to cluster between $2500 and $4000 or so.
The Italian team are the clear outliers, claiming that they would bill over $10,000 JUST for the RE team and the analysis write-up. They included a full day's billing to cover "meeting, discussion, and coffee time."
the conclusions? a) one dutch kid can do the work of 8 Italian professionals in about 1/40th the time, and b) i need to get a job in Italy.
Humpty Dumpty was pushed.
Other than to be obscure, there's no good reason to use an unused IP protocol number rather than an unused UDP protocol number. This attack could equally well have used a UDP port.
It's worth checking servers to see if there's anything configured to listen to obsolete protocol numbers and unused UDP ports. Many UNIX servers still have a vast number of obsolete Berkeley daemons running. Some, like "biff", have known vulnerabilities. And it's worth checking for traffic on obsolete protocol numbers to see if some spyware is using them.
For the DNS attack, SOA queries for the following domains are made
com
net
edu
org
de Germany
usc.edu University of Southern California
es Spain
gr Greece
ie Ireland
Why the contrast between country codes for countries in Europe, and an US university? A theory on this is that the programmer resides in Europe, hence the familiarity with the European country codes, and has friends studying at usc.edu.
Having just graduated from USC.... I am more inclined to think that the coder is (was) a student here, or at a big rival school (such as UCLA). It would be more likely then that the country codes were the first ones that came to his head, or that they were the countries that his friends (or enemies) originate from. (USC and UCLA both have inordinately large populations of foreign students compared to other US universities.)
I'm out of my mind right now, but feel free to leave a message.....
It is amazing how confidently people spout wrong information, analogies and all. I wish there were a (-1, wrong) moderation available.
IP has no concept of port numbers - it is a network layer protocol and its job is to deliver packets from one IP address to another. It acts as a "carrier" for other protocols like TCP, UDP, or in this case NVP. To identify this super-protocol, the IP packet has a field for the protocol number. TCP = 6, UDP = 17, NVP = 11. So if an incoming packet says protocol #6, it is passed up to the TCP handler; if it says 17, it is passed to UDP.
Now the TCP/UDP/whatever protocol is free to use whatever means it finds fit to identify the actual process that is the destination of the packet - this is what port numbers are used for. So IP delivers the packet to a certain host, and then the next-level protocol looks at the port number in that packet to figure out which process it should be fed to.
It should be clear now that port numbers have nothing to do with protocol numbers.
I've downloaded the binary and immediately after decompressing (I could not even decompress) was notified that it has a virus!
So, all the firewall stuff we've been reading, all the recommendations, can be avoided if a good anti-virus is acting on the system.
Bonus question: explain why this attack had so many valid originating IP addresses.
karma capped
with its instructions being cunningly supplied via the lesser known IP protocol 11.
Instructions being "hey, dos this". It doesn't use nvp to flood the target, just to get its orders from its master kiddie.
Will all the cloobies please log off now. Thank you.
I just wasted your mod points! HA!
The summary said "IP protocol 11", which I for one interpreted as IPv11 (and was very confused by that as you probably can imagine). The thing is, ICMP, TCP, UDP and "Protocol 11" are *not* IP-protocols, they are transport protocols that run on top of IP. IPv4 and IPv6 are the obvious examples of IP-protocols.
We all know that reverse engineering without the permission of the copyright holder is a violation of the DMCA, and doing so "willfully and for purposes of commercial advantage or private financial gain," such as to win a contest like this one is a criminal offense. Since it's a criminal offense, the victim (the copyright holder) doesn't even have to step up and admit that s/he's the copyright holder.
Sounds like a good test case.
Introduction
Every day, incident handlers across the globe are faced with compromised systems, running some set of unknown programs, providing some kind of unintended service to an intruder who has taken control of someone else's -- YOUR, or your client's, or customer's -- computers. To most, the response is a matter of "get it back online ASAP and be done with it." This usually leads to an inadequate and ineffective response, not even knowing what hit you, with a high probability of repeated compromise.
On the law enforcement side, they are hampered by a flood of incidents and a lack of good data. A victim trying to keep a system running or doing a "quickie" job of cleanup usually means incidents are underreported and inadequate handling of the evidence leads to no evidence, or tainted evidence. There has to be a better way to meet the needs of incident handlers and system administrators, as well as law enforcement, if Internet crime is going to be managed and not run amok.
One possible answer is effective analysis skills -- widespread knowledge of tools and techniques -- to preserve data, analyze it, and produce meaningful reports to your organization's management, to other incident response teams and system administrators, and to law enforcement.
Enter the Honeynet Project. One of the primary goals of the Honeynet Project is to find order in chaos by letting the attackers do their thing, and allowing the defenders to learn from the experience and improve. The latest challenge is the Reverse Challenge. Just like the Forensic Challenge, we're opening it up to anyone who wants to join in.
Thanks.
(And I also wish there was a "-1, wrong" moderation so that my post could find its way into the bowels of negativeness more quickly).
you mean port 11?
I always knew slashdot was a buncha tards' but this is ridiculous haha.
Woah nellie script kiddy modifies trojan to use port 11! holy shit!
If you look at the story the guy calls it protocol 11 but then he tells you to grep netstat output for anything using port 11.
That's mighty gay i say.
This is just a trojan binding port 11, not "protocol 11"..
Talk about getting it twisted, heh.
This is why people with half a brain write firewall rules that block everything and then open the port you need to have open...
This tool was already using it, so we already have to upgrade our detection tools (where necessary) to deal with odd protocol numbers. If many other trojan writers start using the same trick, then it will just make them that much easier to detect.
that was one of the best trolls for a while. or so i thought: then you go post apologies and stuff. where is the world going to? sigh.
he wrote the tool (something most people here couldn't do), and then rooted the you'd-think-at-least-it-would-be-secure honeynet server..
A smart Sysadmin knows to check slashdot.org once per day to see what irresponsible hints you are giving to script kiddies..
:)
From The Art Of War by Sun Tzu:
"The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."
So a sysadmin relying on the attacker's inability is in fact the irresponsible one! neener neener
FRA: STFU GTFO
i went to school with this guy :)
:) overall a great guy - met him in march this year back in perth (australia). nice to see someone finally recognises some of his talent.
one hell of a smart guy; although strange at times (not at all bad). married to tiki swain - also another "unfound" talent. many would not see him as a "computer nerd" *g* - he is short, thin, hates working, hates wearing shoes - and, likes to live in the "wild". mcdonalds, coke, all other commercial stuff just isn't his cue - he prefers finding food in the wild
kudo's dion!
Routers absolutely route it. It's still IP. It's not something strange or wonderful; it's just an IP packet with the protocol ID field set to '11'.
Have a look at /etc/protocols on your favorite unix system, or just google for ip protocol IDs to see.
It's just something you don't usually hear about because we tend to only use TCP, UDP, and ICMP, and maybe GRE (protocols 6, 17, 1, and 47, respectively).
You can generate IP packets of whatever protocol ID you want and routers SHOULD route them.
Now that this binary has been well publicized and the source code released, we will see many spinoffs and improvements of this protocol 11 DoS tool...kinda backfires in a way doesn't it? Sure the tool was poorly programmed but it does have some nifty features, especially the widely undetected communications protocol.
Why? Why get rid of Lindows?
The way I see it, publicizing this tool will have the opposite effect. Firewall admins all over will be smacking themselves on the forehead, saying "Protocol 11? We only need TCP, UDP and ICMP. Better block everything else."
Because it is so easily blocked, this will neutralize an entire class of attacks (ie. ones that use anything but TCP, UDP and ICMP). I suspect that, since it is now well-publicized, we will see this show up in security seminars, documents, HOW-TOs, etc: 'Be sure to block any protocols that your company isn't using because tools have been discovered in the wild that use protocols other than TCP, UDP and ICMP'.
If this doesn't convince people that security flaws are better exposed than hidden, I don't know what will. This tool was written two years ago. Where else is it, or its derivatives, being used?
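An added example, written here and not taken from the Honeynet write-up or from any poster, tying together the points made above: the protocol number is an 8-bit field in the IPv4 header with nothing to do with ports, /etc/protocols maps the numbers to names, and anything outside the few protocols a site really uses (TCP, UDP, ICMP) is worth flagging. The name table is an assumed subset of /etc/protocols and the packets are constructed by hand.

```python
"""Flag IPv4 packets whose protocol number is outside a site allow-list.

Parses the fixed part of an IPv4 header (RFC 791), reads the Protocol
field and reports anything a typical site does not expect to see.
"""
import struct

# Assumed subset of /etc/protocols (IANA protocol numbers).
PROTOCOL_NAMES = {
    1: "icmp",
    6: "tcp",
    11: "nvp-ii",  # Network Voice Protocol, RFC 741
    17: "udp",
    47: "gre",
}

# What most sites actually need; everything else deserves a look.
ALLOWED_PROTOCOLS = {1, 6, 17}


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the IPv4 header fields we care about; ValueError if not IPv4."""
    if len(packet) < 20:
        raise ValueError("packet shorter than minimum IPv4 header")
    (version_ihl, _tos, _total_len, _ident, _flags_frag,
     ttl, proto, _checksum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version = version_ihl >> 4
    ihl = (version_ihl & 0x0F) * 4  # header length in bytes
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad header length")
    return {
        "protocol": proto,           # the 8-bit Protocol field, not a port
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "ttl": ttl,
        "payload": packet[ihl:],
    }


def protocol_name(number: int) -> str:
    """Map a protocol number to its /etc/protocols-style name."""
    return PROTOCOL_NAMES.get(number, f"unknown({number})")


def unusual_protocol_packets(packets, allowed=ALLOWED_PROTOCOLS):
    """Return (src, dst, number, name) for each packet outside the allow-list."""
    findings = []
    for pkt in packets:
        try:
            hdr = parse_ipv4_header(pkt)
        except ValueError:
            continue  # not IPv4; out of scope for this check
        if hdr["protocol"] not in allowed:
            findings.append((hdr["src"], hdr["dst"], hdr["protocol"],
                             protocol_name(hdr["protocol"])))
    return findings


def build_ipv4(proto: int, src: str, dst: str, payload: bytes = b"") -> bytes:
    """Assemble a minimal IPv4 header for constructed test data (checksum left 0)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0, 0, 64, proto, 0, src_b, dst_b)
    return header + payload


# Constructed sample traffic: ordinary TCP and UDP, one protocol-11 packet of
# the kind the challenge binary listened for, a GRE packet, and one IPv6 packet.
SAMPLE_PACKETS = [
    build_ipv4(6, "192.0.2.10", "198.51.100.5", b"\x00\x50"),
    build_ipv4(17, "192.0.2.11", "198.51.100.53"),
    build_ipv4(11, "203.0.113.7", "198.51.100.5", b"constructed payload"),
    build_ipv4(47, "192.0.2.12", "198.51.100.9"),
    b"\x60" + b"\x00" * 39,  # IPv6 header, skipped as out of scope
]

if __name__ == "__main__":
    for src, dst, num, name in unusual_protocol_packets(SAMPLE_PACKETS):
        print(f"unusual protocol {num} ({name}) from {src} to {dst}")
```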
People have been doing that since firewalls were invented...it's called a default deny policy...pretty standard stuff...
Then again maybe you're just a troll...
But this is slashdot so you probably just have no clue...
What better way of demonstrating this than by looking at the hidden messages contained within the names of some of Linux's most outspoken advocates:
I'm sure that Eric S. Raymond, composer of the satanic homosexual propaganda diatribe The Cathedral and the Bizarre, is probably an anagram of something queer, but we don't need to look that far as we know he's always shoving a gun up some poor little boy's rectum. Update: Eric S. Raymond is actually an anagram for secondary rim and cord in my arse. It just goes to show you that he is indeed queer.
Update the Second: It is also documented that Evil Sicko Gaymond is responsible for a nauseating piece of code called Fetchmail, which is obviously sinister sodomite slang for 'Felch Male' -- a disgusting practise. For those not in the know, 'felching' is the act performed by two perverts wherein one sucks their own post-coital ejaculate out of the other's rectum. In fact, it appears that the dirty Linux faggots set out to undermine the good Republican institution of e-mail, turning it into 'e-male.'
As far as Richard 'Master' Stallman goes, that filthy fudge-packer was actually quoted on leftist commie propaganda site Salon.com as saying the following: 'I've been resistant to the pressure to conform in any circumstance,' he says. 'It's about being able to question conventional wisdom,' he asserts. 'I believe in love, but not monogamy,' he says plainly.
And this isn't a made up troll bullshit either! He actually stated this tripe, which makes it obvious that he is trying to politely say that he's a flaming homo slut!
Speaking about 'flaming,' who better to point out as a filthy chutney ferret than Slashdot's very own self-confessed pederast Jon Katz. Although an obvious deviant anagram cannot be found from his name, he has already confessed, nay boasted of the homosexual perversion of corrupting the innocence of young children. To quote from the article linked:
'I've got a rare kidney disease,' I told her. 'I have to go to the bathroom a lot. You can come with me if you want, but it takes a while. Is that okay with you? Do you want a note from my doctor?'
Is this why you were touching your penis in the cinema, Jon? And letting the other boys touch it too?
We should also point out that Jon Katz refers to himself as 'Slashdot's resident Gasbag.' Is there any more doubt? For those fortunate few who aren't aware of the list of homosexual terminology found inside the Linux 'Sauce Code,' a 'Gasbag' is a pervert who gains sexual gratification from having a thin straw inserted into his urethra (or to use the common parlance, 'piss-pipe'), then his homosexual lover blows firmly down the straw to inflate his scrotum. This is, of course, when he's not busy violating the dignity and copyright of posters to Slashdot by gathering together their postings and publishing them en masse to further his twisted and manipulative journalistic agenda.
Sick, disgusting antichristian perverts, the lot of them.
In addition, many of the Linux distributions (a 'distribution' is the most common way to spread the faggots' wares) are run by faggot groups. The Slackware distro is named after the 'Slack-wear' fags wear to allow easy access to the anus for sexual purposes. Furthermore, Slackware is a close anagram of claw arse, a reference to the homosexual practise of anal fisting. The Mandrake product is run by a group of French faggot satanists, and is named after the faggot nickname for the vibrator. It was also chosen because it is an anagram for dark amen and ram naked, which is what they do.
Another 'distro,' (abbrieviated as such because it sounds a bit like 'Disco,' which is where homosexuals preyed on young boys in the 1970s), is Debian, an anagram of in a bed, which could be considered innocent enough (after all, a bed is both where we sleep and pray), until we realise what other names Debian uses to describe their foul wares. 'Woody' is obvious enough, being a term for the erect male penis, glistening with pre-cum. But far sicker is the phrase 'Frozen Potato' that they use. This filthy term, again found in the secret homosexual 'Sauce Code,' refers to the solo homosexual practice of defecating into a clear polythene bag, shaping the turd into a crude approximation of the male phallus, then leaving it in the freezer overnight until it becomes solid. The practitioner then proceeds to push the frozen 'potato' up his own rectum, squeezing it in and out until his tight young balls erupt in a screaming orgasm.
And Red Hat is secret homo slang for the tip of a penis that is soaked in blood from a freshly violated underage ringpiece.
The fags have even invented special tools to aid their faggotry! For example, the 'supermount' tool was devised to allow deeper penetration, which is good for fags because it gives more pressure on the prostate gland. 'Automount' is used, on the other hand, because Linux users are all fat and gay, and need to mount each other automatically.
The depths of their depravity can be seen in their use of 'mount points.' These are, plainly speaking, the different points of penetration. The main one is obviously
More evidence is in the fact that Linux users say how much they love `man`, even going so far as to say that all new Linux users (who are in fact just innocent heterosexuals indoctrinated by the gay propaganda) should try out `man`. In no other system do users boast of their frequent recourse to a man.
Other areas of the system also show Linux's inherit gayness. For example, people are often told of the 'FAQ,' but how many innocent heterosexual Windows users know what this actually means. The answer is shocking: Faggot Anal Quest: the voyage of discovery for newly converted fags!
Even the title 'Slashdot' originally referred to a homosexual practice. Slashdot of course refers to the popular gay practice of blood-letting. The Slashbots, of course are those super-zealous homosexuals who take this perversion to its extreme by ripping open their anuses, as seen on the site most popular with Slashdot users, the depraved work of Satan, http://www.eff.org/.
The editors of Slashdot also have homosexual names: 'Hemos' is obvious in itself, being one vowel away from 'Homos.' But even more sickening is 'Commander Taco' which sounds a bit like 'Commode in Taco,' filthy gay slang for a pair of spreadeagled buttocks that are caked with excrement. (The best form of lubrication, they insist.) Sometimes, these 'Taco Commodes' have special 'Salsa Sauce' (blood from a ruptured rectum) and 'Cheese' (rancid flakes of penis discharge) toppings. And to make it even worse, Slashdot runs on Apache!
The Apache server, whose use among fags is as prevalent as AIDS, is named after homosexual activity -- as everyone knows, popular faggot band, the Village People, featured an Apache Indian, and it is for him that this gay program is named.
And that's not forgetting the use of patches in the Linux fag world -- patches are used to make the anus accessible for repeated anal sex even after its rupture by a session of fisting.
To summarise: Linux is gay. 'Slash -- Dot' is the graphical description of the space between a young boy's scrotum and anus. And BeOS is for hermaphrodites and disabled 'stumpers.'
FEEDBACK
Well, the only reason I know all about this is because I had the misfortune to read the Linux 'Sauce code' once. Although publicised as the computer code needed to get Linux up and running on a computer (and haven't you always been worried about the phrase 'Monolithic Kernel'?), this foul document is actually a detailed and graphic description of every conceivable degrading perversion known to the human race, as well as a few of the major animal species. It has shocked and disturbed me, to the point of needing to shock and disturb the common man to warn them of the impending homo-calypse which threatens to engulf our planet.
Doesn't it give you a hard-on to imagine your thick strong poker ramming it's way up my most sacred of sphincters? You're beyond help, my friend, as the only thing you can imagine is the foul penetrative violation of another man. Are you sure you're not Eric Raymond? The government, being populated by limp-wristed liberals, could never stem the sickening tide of homosexual child molesting Linux advocacy. Hell, they've given NAMBLA free reign for years!
Thank you for your kind words of support. However, this document shall only ever be posted anonymously. This is because the 'Open Sauce' movement is a sham, proposing homoerotic cults of hero worshipping in the name of freedom. I speak for the common man. For any man who prefers the warm, enveloping velvet folds of a woman's vagina to the tight puckered ringpiece of a child. These men, being common, decent folk, don't have a say in the political hypocrisy that is Slashdot culture. I am the unknown liberator.
We shouldn't hate them, we should pity them for the misguided fools they are... Fanatical Linux zeal-outs need to be herded into camps for re-education and subsequent rehabilitation into normal heterosexual society. This re-education shall be achieved by forcing them to watch repeats of Baywatch until the very mention of Pamela Anderson causes them to fill their pants with healthy heterosexual jism.
Well, it just goes to show that even the holy Linux 'sauce code' is riddled with bugs that need fixing. (The irony of Jon Katz not even being able to inflate his scrotum correctly has not been lost on me.) The Linux pervert elite already acknowledge this, with their queer slogan: 'Given enough arms, all rectums are shallow.' And anyway, the PS2 sucks major cock and isn't worth the money. Intellivision forever!
For one thing, whilst Linux is a cavalcade of queer propaganda masquerading as the future of computing, NT is used by people who think nothing better of encasing their genitals in quick setting plaster then going to see a really dirty porno film, enjoying the restriction enforced onto them. Remember, a wasted arousal is a sin in the eyes of the Catholic church. Clearly, the only god-fearing Christian operating system in existence is CP/M -- The Christian Program Monitor. All computer users should immediately ask their local pastor to install this fine OS onto their systems. It is the only route to salvation.
Secondly, this message is for every man. Computers know no colour. Not only that, but one of the finest websites in the world is maintained by a Black Man. Now fuck off you racist donkey felcher.
Although there is nothing unholy about the fine heterosexual act of ejaculating between a woman's breasts, squirting one's load up towards her neck and chin area, it should be noted that Perl (standing for Pansies Entering Rectums Locally) is also close to 'Pearl Monocle,' 'Pearl Nosering,' and the ubiquitous 'Pearl Enema.'
One scary thing about Perl is that it contains hidden homosexual messages. Take the following code: LWP::Simple -- It looks innocuous enough, doesn't it? But look at the line closely: There are two colons next to each other! As Larry 'Balls to the' Wall would openly admit in the Perl Documentation, Perl was designed from the ground up to indoctrinate its programmers into performing unnatural sexual acts -- having two colons so closely together is clearly a reference to the perverse sickening act of 'colon kissing,' whereby two homosexual queers spread their buttocks wide, pressing their filthy torn sphincters together. They then share small round objects like marbles or golfballs by passing them from one rectum to another using muscle contraction alone. This is also referred to in programming 'circles' as 'Parameter Passing.'
And PHP stands for Perverted Homosexual Penetration. Didn't you know?
Well, I don't know about terraforming Mars, but I do know that homosexual Linux Advocates have been probing Uranus for years.
*sniff* That brings a tear to my eye. Thank you once more for your kind support. I have taken faith in the knowledge that I am doing the Good Lord's work, but it is encouraging to know that I am helping out the common man here.
However, I should be cautious about revealing your name 'Cerberus' on such a filthy den of depravity as Slashdot. It is a well known fact that the 'Kerberos' documentation from Microsoft is a detailed manual describing, in intimate, exacting detail, how to sexually penetrate a variety of unwilling canine animals; be they domesticated, wild, or mythical. Slashdot posters have taken great pleasure in illegally spreading this documentation far and wide, treating it as an 'extension' to the Linux 'Sauce Code,' for the sake of 'interoperability.' (The slang term they use for nonconsensual intercourse -- their favourite kind.)
In fact, sick twisted Linux deviants are known to have LAN parties, (Love of Anal Naughtiness, needless to say.), wherein they entice a stray dog, known as the 'Samba Mount,' into their homes. Up to four of these filth-sodden blasphemers against nature take turns to plunge their erect, throbbing, uncircumcised members, conkers-deep, into the rectum, mouth, and other fleshy orifices of the poor animal. Eventually, the 'Samba Mount' collapses due to 'overload,' and needs to be 'rebooted.' (i.e., kicked out into the street, and left to fend for itself.) Many Linux users boast about their 'uptime' in such situations.
If only indeed. You can help our brave cause by moderating this message up as often as possible. I recommend '+1, Underrated,' as that will protect your precious Karma in Metamoderation. Only then can we break through the glass ceiling of Homosexual Slashdot Culture. Is it any wonder that the new version of Slashcode has been christened 'Bender'???
If we can get just one of these postings up to at least '+1,' then it will be archived forever! Others will learn of our struggle, and join with us in our battle for freedom!
I am compelled to document the foulness and carnal depravity that is Linux, in order that we may prepare ourselves for the great holy war that is to follow. It is my solemn duty to peel back the foreskin of ignorance and apply the wire brush of enlightenment.
I could make an arrogant, childish comment along the lines of 'Every time someone asks for 2.0, I won't release it for another 24 hours,' but the truth of the matter is that I'm quite nervous of releasing a 'number two,' as I can guarantee some filthy shit-slurping Linux pervert would want to suck it straight out of my anus before I've even had chance to wipe.
I sincerely hope you're Natalie Portman.
What the fuck?
Well bugger me!
Fuck right off!
IMPORTANT: This message needs to be heard (Not HURD, which is an acronym for 'Huge Unclean Rectal Dilator') across the whole community, so it has been released into the Public Domain. You know, that licence that we all had before those homoerotic crypto-fascists came out with the GPL (Gay Penetration License) that is no more than an excuse to see who's got the biggest feces-encrusted cock. I would have put this up on Freshmeat, but that name is known to be a euphemism for the tight rump of a young boy.
Come to think of it, the whole concept of 'Source Control' unnerves me, because it sounds a bit like 'Sauce Control,' which is a description of the homosexual practice of holding the base of the cock shaft tightly upon the point of ejaculation, thus causing a build up of seminal fluid that is only released upon entry into an incision made into the base of the receiver's scrotum. And 'Open Sauce' is the act of ejaculating into another man's face or perhaps a biscuit to be shared later. Obviously, 'Closed Sauce' is the only Christian thing to do, as evidenced by the fact that it is what Cathedrals are all about.
Contributors: (although not to the eternal game of 'soggy biscuit' that open 'sauce' development has become) Anonymous Coward, Anonymous Coward, phee, Anonymous Coward, mighty jebus, Anonymous Coward, Anonymous Coward, double_h, Anonymous Coward, Eimernase, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward, Anonymous Coward. Further contributions are welcome.
Current changes: This version sent to FreeWIPO by 'Bring BackATV' as plain text. Reformatted everything, added all links back in (that we could match from the previous version), many new ones (Slashbot bait links). Even more spelling fixed. Who wrote this thing, CmdrTaco himself?
Previous changes: Yet more changes added. Spelling fixed. Feedback added. Explanation of 'distro' system. 'Mount Point' syntax described. More filth regarding `man` and Slashdot. Yet more fucking spelling fixed. 'Fetchmail' uncovered further. More Slashbot baiting. Apache exposed. Distribution licence at foot of document.
- Trolling