Slashdot Mirror


User: Tloluvin

Tloluvin's activity in the archive.

Stories: 0 · Comments: 4

Comments · 4

  1. This can get you busted. Seriously. on Fight Virus With Virus? · Score: 1
    Really baaaaaaad idea!

    First off, you can go to jail. This is very much like the stunt that got Max Butler, a.k.a. Max Vision, 18 months in Federal stir. Too bad, because he is an IDS wizard, as well as a pretty decent guy, from all reports. But if I were a DOD investigator working on this case, I'd probably want to see him in the slam myself.

    Secondly, you cannot audit the actions of a worm. And when you close a hole like the one Code Red exploits, you want the actions to leave an audit trail.

    Thirdly, an anti-worm-worm is not certain to infect, and thus patch, the systems that you want patched.

    Better in all ways to just suck it in and patch the systems you own, yourself. And email the poor schmucks who just don't know their W2K boxes have IIS servers running, unpatched, and which have thus been hit, that their systems are infected and infectious. I fired off an email to uunet two days ago about an infected box scanning the networks I monitor. The worm's scans shut down just three hours later. Coincidence?

  2. Re:Good quote about now knowing its there... on Code Red Reporting That Doesn't Suck · Score: 1
    Thanks, weave. I am much more Unix-centric than MS-centric, and hence did not know this. I have done exactly one W2K install in my life. :-)

    Hundreds of thousands of W2K boxes are hooked up to 24/7 broadband connections right now. Default installs, with IIS running, you bet. Not in server rooms, but in people's homes. And most of these folks don't know Jack about security. Yet.

    Last week, we learned here about the writeup the Honeynet.org people put together on the fantastic aggressiveness of modern "blackhats". About how an unhardened RedHat 6.2 box, connected to the Internet without any publicity or announcement, gets root compromised in about 3 days on average.

    Well, folks, what Lance Spitzner and friends are also doing is simulating your average non-technical American with a shiny, new 24/7 connection. You recall, the Honeynet is set up in Mr. Spitzner's home, at the end of a DSL connection. Without firewalls or host-hardening.

    You know, early this week, I went through firewall log data which was clearly the traces of three reconnaissance probes against my company's networks. Now I'm not going to tell you who we are, or what netblocks we use. But it is not saying too much to relate that what I monitor (today) consists of a /26 and a /27 netblock. The /26 has 64 IPs. Throwing away the first and last IP (network wire and broadcast address) gives you 62 IPs for boxes. The /27 has 32; the same exercise yields 30 IPs for boxes. The two netblocks are close in IP space. So I expect competent attackers to sweep anywhere from 92 to 97 (adding in the external firewall interface) IPs when they check us out.

    These probes sucked. One tried for 35 of our IPs, another for 55, the third for 93 (and missed 3 IPs actual boxes might have lived on). What script kiddy could be so dense? I quipped to my boss about "script infants", and he laughed.

    Interesting thing is, all three attacks showed up in the same day's logs. And they all came from IPs owned by broadband providers. Hell, one IP was specifically spelled out, right there in the "whois" output, to live in a netblock reserved for cable modem customers.

    weave's post leaves me with a wonder and a speculation.

    My wonder is: were those incompetently executed sweeps the result of worm activity?

    My speculation is simply this: CodeRed behaves precisely like the Honeynet Project's "blackhats", and what others, such as myself, call "script kiddies". They simply probe and probe and probe. And when they find a box that may be vulnerable, they fire off their exploit. Sometimes, compromising and then infecting the target box, which then replicates the same essentially mindless behavior. Where is such a strategy going to make the biggest splash? Easy answer: America's dens and living rooms, where, more often than not, nobody in the family has even heard of a firewall, and "hackers" are evil phantoms that the media depicts as targeting big outfits like Microsoft, Yahoo, and eBay. The attitude is "Hack US? Never, we're insignificant small fry. Where are the bragging rights in that?"

    I've been worrying about this for almost two years, now. I swear, there are times when I almost want to wear a sandwich board when I walk down the street to work, which announces something like "REPENT, SINNERS! FIREWALL YOUR BROADBAND CONNECTIONS OR GOD WILL PUNISH YOU WITH ETERNAL HELLFIRE!". :-)

    The fellow who wrote the CodeRed worm failed in his primary goal (DDoS against www.whitehouse.gov) mostly because he was a moron. He hardcoded the target by IP, not by FQDN. So the feds kept moving whitehouse.gov from one IP to another, updating DNS records all the while. BUWAHAHAHAHA!

    The assh@le who writes CodeRed-II will probably not be such a knuckle-dragging dimbulb.

    And he will produce a highly successful infector, if Ramen, Lion, and now, CodeRed are any indication.

    In which case, the DDoS could very well succeed.

    This will scare a lot of people badly. Including congresscritters.

    Next thing you know, laws will begin their trip through Capitol Dung^H^H^H^HHill requiring that folks who purchase 24/7 connections register their IP addresses (or, perhaps their boxes, assuming DHCP-based IP allocation by ISPs survives the panic) by location. So that whatever constabulary organization(s) ultimately get tasked can verify (by use of nmap or something similar) that said IPs are properly firewalled, and write citations to serve to the folks whose IPs are not. Or a summons. Or just seize the box as a "menace".

    And the next thing you know, the existing registration structure will lead to calls to use it to defray enforcement costs, on the local or national level. Holy shit, an Internet PC tax!

    And heightened logging requirements imposed on ISPs will make it trivial for the self-appointed Guardians Of Public Morality to Save The Children by tracking porn downloads to their ultimate destination much more easily. Using rich data sources, legal compulsion mechanisms, and automated analysis tools these vermin only dream about today.

    Of course, the next little item would be some real TEETH in DMCA enforcement.

    Not to mention the disappearance of anonymity in chat boards, as multiple-terabyte ISP log partitions nab not only packet headers, but much of the packet body as well.

    GODDAM! I've just GOT to get my lazy ass out to Home Depot! TOMORROW! Let's see .. 2 24"x36" pieces of plywood .. two 12" pieces of strapping to hold the upper edges together .. a couple of sheets of 24"x36" pasteboard .. an extra-large magic marker .. maybe I should have the lettering done by a print shop .....

  3. Re:Where has all the science fiction gone? on SF Great Poul Anderson, 1926-2001 · Score: 1

    Actually, it's alive and *quite* well. You just have to be *PICKY*!

    Poul has left us .. DAMMIT. But some of the field's very best practitioners are not only writing today, but are at (or reaching) the height of their powers.

    If you like strong storytelling (priority 1), historical insight and gritty realism (priority 2), mixed with more than a dash of beautiful wordsmithing (priority 3), I unreservedly commend David Drake to your attention. Who but Drake could describe the experience of a car chase .. from the point of view (in a manner of speaking) of the *CAR* ("Skyripper"). Drake has been known to use the same basic plot in two novels, but turn it *inside* *out*. In "Skyripper", the hero is a political conservative, the aliens are the real enemy, and the nominal human foe (Soviet Union) produces the key ally. In "Fortress", the hero is a political liberal, the aliens are the allies, and the nominal human foe (Nazis) are the real enemy. Other than that, same basic plot elements. Drake just *loves* to do stuff like that. "Redliners" brought me closer to tears than any story I read since Eric Frank Russell's "Dear Devil". And as for wordsmithing .. in "Redliners", he takes three sentences to describe (beautifully) an energy weapon's discharge hitting a structural member of a tractor. And makes the reader love it. Well, at least this reader. :-) Drake understands that the old stories that still live do so for a reason. So he'll re-use them, without any attempt to fool the reader. "Ulysses" -> "Cross the Stars". The story of the Czech Legion -> "Forlorn Hope" (with the roles of the Russians and the Czechs swapped :-). When Drake does research for a story, BTW, he takes along a lunch!

    Orson Scott Card reverses Drake's priorities. Which is why Card's stuff isn't always a "must buy / must read" for me. But, oh, Lord, what a strong, intellectually and emotionally compelling tale "Ender's Game" was. Though the last two books in the Ender tetralogy pissed me off .. too many Deus ex Machina pulled out of the author's hat. Like I said, storytelling not as strong as Drake's. But, again, oh Lord, what a magnificent story "Ender's Shadow" was! And short stories like "King's Meat"!

    Then there is Leo Frankowski. Opinionated, irreverent, but a rollicking good storyteller, and as technically savvy as the best of the old engineer/storytellers like Clarke and Heinlein. And just as funny as hell. The passage in "A Boy and His Tank" where the history of the matter transmitter is revealed had me laughing for a full half-hour. I still get a giggle remembering it.

    And how about Steve Stirling. Another writer *strongly* grounded in history, not to mention anthropology and martial arts. His "Draka" tetralogy is a lot better thought out than the fan community gives it credit for. Basically, he took Sparta, at about 500 BC, and transplanted it to South Africa. Then wrote a trilogy (with a fourth book as a coda). With the Peloponnesian War played out in the late 20th century. His Draka are a real 3-dimensional culture, caught in a historical trap, with striking virtues (unflinching honesty and courage) as well as appalling vices (slavery and appalling cruelty towards the vanquished). With the crowning irony that the Draka who best understood his culture's flaws (and most hated them) had no choice but to be the man who Pushed The Button.

    Then there is Donald Kingsbury. Probably the most intellectually challenging writer practicing these days. "Courtship Rite" contains the most carefully detailed, yet *different* human society I have seen in SF. Herbert's "Dune" looks amateurish, in that regard, compared to "Courtship Rite". Consider a culture in which, for perfectly good reasons, a man who is told his body will *NOT* be eaten by his fellows after he dies has just heard his worst nightmare spelled out. Out of print, dammit .. but it sold poorly (not enough of a "MacBook"), so copies show up in used bookshops in surprisingly good shape (i.e., new :-). I wish he wrote more than one novel a decade! :-((

    There is Eric Flint, another student of history, whose studies *strongly* inform his fiction. Eric Flint's work, besides its strong historical grounding, has one distinguishing characteristic, which you may find either cool or off-putting, depending on mood. Eric's major characters fall into two categories: white-hat goodguys and black-hat badguys. And there is little doubt about what is going to happen. The goodguys are going to win. The badguys are going to lose, and the goodguy types who find themselves working for the badguys are going to be manipulated away to the side of the goodguys or defeated and drafted by the goodguys. But before the badguys Get Theirs, they get *SCREWED*. "Humiliations Galore!" I agree, life is not like this. But it does make a damned good story!

    Harry Turtledove, another not-so-amateur historian. Ph.D. in Byzantine history, no less. If you are not reading his stuff, give it a spin. Especially the "Invasion" series, where aliens interrupt the course of WWII by invading Earth. Unlike Flint's characters, Turtledove's are all across the spectrum. His aliens in the "Invasion" series, for instance, are *noticeably* more punctilious about observing treaty terms than humans.

    I could go on.

    Suffice to say, the boom in the SF market sparked by the late 60's "Star Trek" series has left us with a legacy of commercialized crap. But it has also allowed quite a number of genuinely inspired craftsmen to make a living doing work of a quality which easily matches the best of what we saw from the Great Old Ones. :-) You just have to pass the crap by, and look for the writers that educate, challenge, move, or all three. They *are* writing these days. And doing as good work as anything we've ever seen.

  4. Re:Are Black Hats incredibly nice? on Honeynet Project: Blackhat Attack Stats · Score: 5

    They _do_ use your system.

    In _exactly_ the way Restil speculates.

    I do security work at a large, stable not.dot.com. I'm the guy who goes through the IDS and firewall logs. Every single working day. Every day, I see anywhere from two to a dozen probes. _Every_ _friggin_ _day_! Blackhats just scan and scan and scan. Looking for the chump who left his network services turned on after a default install (Redhat version). Or the chump who didn't turn off file sharing (NT version). The ones whose handiwork falls under my eyes generally know very little about the systems and networks they target. They really don't need to. They make up for it in volume and persistence. See a new netblock? Scan it on port 111! You might get lucky! Some box you check out may have that port open! If so, try a nice rpc.statd exploit! The facts that _this_ netblock consists entirely of boxes with that service turned _off_, and that the firewall is configured to drop packets sent to port 111 on the floor anyway, are not a problem. The Internet is just _full_ of populated netblocks! Two seconds later, your script just checks out the next one on the list. While _you_ chat on IRC with your fellow lowlives. :-)

    Once a vulnerable box is found, exploitation is swift. 0wned.

    And then? Well, you probably have no _idea_ of the number of host sweeps like the above mentioned, that I have seen the firewall log records of, where the source and destination ports are identical and privileged (i.e., below 1024). That almost always means that the IP this traffic came from has, itself, been compromised. The poor bastard who is the owner-of-record has no clue what purposes the iron he paid good money for is being used for. None.

    The first time I ever spotted a host sweep in a log, I made a point of finding out as much as possible about the IP of origin. I scanned it, I checked out whether I could connect to ports 21, 23, and 25 (ftp, telnet and mail .. I could), etc. I didn't try to gain _access_. That _is_ hacking, which I despise. But I _did_ try to gain _information_. It was so fucking sad, the picture I finally assembled. The attack came from a RedHat 6.0 box run out of a little one-lung web hosting company in Anaheim. The place was so small that the Administrative, Technical, and Billing contacts I saw in the whois output were all the same guy! No firewall that I could find. The DNS records just _sitting_ _there_, all the routers with router-type names, and functionality blurted out in HINFO records, for Christ's sake! The RedHat box itself was just completely wide open. The connect to port 23 just gave the OS major and minor revisions away. Ditto port 25. And port 21 just about made me fucking cry. It was .. you guessed it .. wuftpd. The banner gave up the branding and version .. which was vulnerable as hell to remote root compromise. How long do you think the blackhat that rooted this box took to get in? 10, maybe 15 minutes, from first discovery? Less?

    That's the picture which has formed in my mind. A world just _full_ of boxes put together by very busy well-meaning, trusting people who just don't _understand_ just how _fast_ they will be rooted if they don't spend some serious quality time to think about how they are going to secure what they build.

    It's the Wild West out there folks. Really.

    BTW, much as I love Linux, OpenBSD-based firewalls just _ROCK_! Ipfilter is _so_ much better than even iptables that there is absolutely no comparison. My firewall resides on an old Pentium-90 shitbox that I bought for $50. It's fast enough for my dialup line. If you have a 24/7 broadband connection, consider an IDS. If snort is good enough for Stephen Northcutt ("Mr. IDS" to peons like me and most of the folks reading this :-), then it's bloody well good enough for others. And the price is right. :-) If you are looking for an Industrial Strength IDS for the enterprise, I have only one word of advice: stay the HELL away from RealSecure. _Really_.

    "Let's stay safe out there."

    BTW, Hemos: thanks a million for the link. I printed out the whole article (5 pages) and tacked it to the outside of my cube. I also sent the link to my boss, my boss's boss, and the lady who is in charge of security awareness in my outfit. Yes, that means that the dozen or so folks I work with now know my Secret Identity. :P
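Two of the comments above describe log-review heuristics that are easy to turn into code: comment 2 works out how many IPs a competent sweep of a /26 plus a /27 should touch (62 and 30 usable hosts, 92 to 97 addresses including the firewall's external interface), and comment 4 treats sweeps whose source and destination ports are identical and below 1024 as a sign that the sending host is itself compromised. The script below is an added example, not code from Tloluvin or from Slashdot; it assumes a made-up one-line-per-packet firewall log format (`DROP src=... sport=... dst=... dport=...`), uses TEST-NET ranges 192.0.2.0/26 and 192.0.2.64/27 in place of the commenter's real netblocks, picks a 10-target threshold for calling something a sweep, and applies the same-port rule as a triage flag rather than proof of compromise.

```python
"""Added example: size host sweeps against monitored netblocks and flag likely
compromised relays, following the heuristics in the Slashdot comments above.
Log format, netblocks, thresholds and sample data are all constructed."""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-ins for the /26 and /27 the commenter monitors (TEST-NET-1).
MONITORED = [ipaddress.ip_network("192.0.2.0/26"),
             ipaddress.ip_network("192.0.2.64/27")]
PRIVILEGED_MAX = 1024   # ports below this are "privileged" (comment 4)
SWEEP_MIN_TARGETS = 10  # assumed threshold: fewer distinct targets is not a sweep


def usable_hosts(net):
    """Addresses a box could live on: drop network and broadcast (comment 2)."""
    return net.num_addresses - 2


def expected_sweep_range(nets, extra_interfaces=1):
    """Target counts a competent sweep should produce: usable hosts only at the
    low end, every address plus the firewall's external interface at the high end."""
    low = sum(usable_hosts(n) for n in nets)
    high = sum(n.num_addresses for n in nets) + extra_interfaces
    return low, high


@dataclass
class Sweep:
    src: str
    targets: set = field(default_factory=set)
    total: int = 0
    same_port_priv: int = 0   # packets with sport == dport and both < 1024


def parse_line(line):
    """Parse one constructed log line: 'DROP src=A sport=N dst=B dport=M'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], int(fields["sport"]), fields["dst"], int(fields["dport"])


def find_sweeps(lines, min_targets=SWEEP_MIN_TARGETS):
    """Group packets by source and keep sources that touched enough distinct
    destinations inside the monitored blocks."""
    sweeps = {}
    for line in lines:
        src, sport, dst, dport = parse_line(line)
        if not any(ipaddress.ip_address(dst) in n for n in MONITORED):
            continue
        s = sweeps.setdefault(src, Sweep(src))
        s.targets.add(dst)
        s.total += 1
        if sport == dport and sport < PRIVILEGED_MAX:
            s.same_port_priv += 1
    return [s for s in sweeps.values() if len(s.targets) >= min_targets]


def classify(sweep):
    """Return (coverage, likely_relay): coverage is 'competent' when the target
    count falls in the expected range, 'sloppy' otherwise; likely_relay is True
    when every packet used identical privileged ports (comment 4's rule of thumb)."""
    low, high = expected_sweep_range(MONITORED)
    coverage = "competent" if low <= len(sweep.targets) <= high else "sloppy"
    likely_relay = sweep.total > 0 and sweep.same_port_priv == sweep.total
    return coverage, likely_relay


def build_sample_log():
    """Constructed firewall log lines (not real traffic): a 35-host sweep with
    111 -> 111 ports, a full sweep using ephemeral source ports, one stray packet."""
    net26, net27 = MONITORED
    lines = [f"DROP src=198.51.100.7 sport=111 dst={h} dport=111"
             for h in list(net26.hosts())[:35]]
    lines += [f"DROP src=203.0.113.9 sport={40000 + i} dst={a} dport=111"
              for i, a in enumerate(list(net26) + list(net27))]
    lines.append("DROP src=203.0.113.50 sport=53 dst=192.0.2.5 dport=53")
    return lines


if __name__ == "__main__":
    print("expected sweep size:", expected_sweep_range(MONITORED))
    for s in find_sweeps(build_sample_log()):
        coverage, relay = classify(s)
        print(f"{s.src}: {len(s.targets)} targets, {coverage},"
              f" likely compromised relay={relay}")
```

The `Sweep` records are what you would hand to whoever contacts the source's abuse address: the target count says whether the scanner knew the block boundaries, and the same-port flag says whether the "attacker" is probably a victim too.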