[LINK] Security of old RedHat systems

Adam Todd link at todd.inoz.com
Mon Dec 13 21:03:21 EST 2004


>or just look in your bash history file and notice that the command-line
>arguments to some strange program called /somewhere/really/sneaky/wiretrip
>looked suspiciously similar to tripwire arguments.

Unless he doesn't use bash :)

>of course, that's still asking a lot from the average moron 
>script-kiddie...but you might be unlucky and get one of the rare non-moron 
>varieties.

Are there many of those non-moron types?  And in all seriousness, they'd 
have to be pretty "non-moron" to gain access to a system that was of little 
importance, located in Australia (excluding Robin's LA server) and probably 
on a low bandwidth connection.

I can't see a reason, in this day and age, why a non-moron hacker would go 
to the trouble of cracking a unix box for any purpose.  It's far easier to 
crack 50 windows machines, install redirectors and bounce them back to a 
unix box you can properly control.

Even easier to crack 50 boxes, have 25 point to the other 25 and have that 
group run back to your control.

There is way too much "cleanup" on a unix system for a non-moron type to 
consider these days, unless it's their target.  Even if the system was run 
by a moron-type user, I doubt very much that any serious hacker is going to 
still target a unix box.

Script kiddies will go for all the published exploits looking for unpatched 
and unmanaged machines of any type.  But their abilities to use these 
machines are generally limited to worm and viral-styled processes and 
little else.  To them, it's "a rush" to get in.  I watch my honeypot hacked 
time and time again (it's a RO system loaded to RAM to look like a live 
server with lots of MS example databases and rubbish!)

They get all excited, you can easily track their traffic back to their 
machine, which I do via broadcast IP's and all kinds of weird "non-moron" 
methods, then pop into their IRC chats and see them yakking.

It's weekend sports, nothing exciting.

Send a few buffer overflow packets or a Nuke or two and they get all 
excited about being attacked themselves.  It's not hard to send spoofed 
packets between two of the "chatters" making them think they are attacking 
each other.

As I said, good weekend sports, but something I don't have much time for 
these days.

Most (not all) Unix platforms are safe from serious hackers - unless they 
are a target, or being attacked by a script, which means they aren't being 
managed properly in the first place.

Let me ask the sensible questions:

1. All Unix users on Link, who has been hacked in the last 3 years?
2. Who has had a script or worm installed on a system in the last three years?

3. All Windows users on Link, who's been hacked in the last 3 years?
4. Who has had a script or worm installed on their machines?

I can assure you, a serious hack for Q1 would be "none, or unknown."   If 
you were hacked, you'd know.  If an attempt was made, you probably wouldn't 
know, nor care.

As to Q2, not too many I suspect, but hands up :)

As to Q3, you'd probably never know until you got your Telstra Cable or DSL 
bill and it was over $1500.

As to Q4, I doubt there are many who can honestly say they haven't had an 
attempted, noticed and cleaned-up instance.

>even if you don't run these services, block the ports anyway.  you never know
>what you might want to install in the future....

Good advice in general.

Although now I'm working on a redirected port firewall, blocking isn't so 
important, but it still doesn't hurt.  Packets can be "bounced" and 
redirected from external sources.

It's better to block everything and unblock it if you need to (use an 
insert command if it's a temp access whilst remote, then delete at end of 
session.)

>and you never know what gets installed and enabled by default in some 
>future release of RH or Debian or *BSD or whatever.

Errrr, I'd hope that Unix admins weren't blind installing things they 
didn't know were running or active on ports.

If I see a port active, I know what it's for.

>and block these if you run any windows clients with either MS SQL or any 
>of the end-user apps that include a subset of MS SQL.  or if you just get 
>bored of ancient windows worms probing your system.

Wouldn't it be better if many of these were blocked at the international 
borders?

God, we go on about blocking porn and stuff yet we can't be bothered to 
legislate or regulate the issue of making major service providers block 
ports KNOWN to cause losses and disruption to business.

I'll bet the losses caused by known port exploits and attacks and probes, 
the management of these, the clean up from bad administration and the loss 
of bandwidth far exceed the level of porn access by children and the 
costs involved in the ABA managing this.

I just wonder if any serious survey has been done to find the cost of major 
providers NOT blocking known problems at the borders?
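The "block everything, insert a rule for temporary remote access, delete it at the end of the session" approach the post describes, written out as an added example (this is editorial illustration, not code from the original post or its author). It assumes a Linux host with the iptables command available and root privileges for a real run; set DRY_RUN=1 to have it print the commands instead of executing them. The admin address 203.0.113.5 and port 22 are made-up sample values.

```shell
#!/bin/sh
# Added example (not from the original post): default-deny iptables policy
# with a temporary admin rule inserted at the top of INPUT and removed
# again when the session ends.
# Assumptions: Linux with iptables, root for real runs. DRY_RUN=1 prints
# the commands instead of running them. 203.0.113.5 / port 22 are sample
# values, not anything from the post.

if [ -n "${DRY_RUN:-}" ]; then
    IPT="echo iptables"     # print instead of execute
else
    IPT="iptables"
fi

# Default-deny baseline. Order matters on a remote box: add the accept
# rules for loopback and already-established connections first, and only
# then switch the policy to DROP, so the session you are typing in survives.
baseline_policy() {
    $IPT -F INPUT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# The match specification is built in one place so the insert (-I) and the
# delete (-D) use exactly the same text; -D only removes a rule whose
# specification matches exactly.
temp_rule_spec() {
    printf '%s' "-s $1 -p tcp --dport $2 -m state --state NEW -j ACCEPT"
}

# Insert at position 1 so the rule is evaluated before anything else in INPUT.
temp_allow() {
    $IPT -I INPUT 1 $(temp_rule_spec "$1" "$2")
}

# Delete by specification: removes the rule wherever it ended up in the chain.
temp_revoke() {
    $IPT -D INPUT $(temp_rule_spec "$1" "$2")
}

# Usage: ADMIN_IP=203.0.113.5 ADMIN_PORT=22 DRY_RUN=1 sh fw.sh session
# The trap removes the temporary rule when the session ends, including
# when the script is interrupted, so the hole does not outlive the session.
if [ "${1:-}" = "session" ]; then
    ADMIN_IP="${ADMIN_IP:-203.0.113.5}"
    ADMIN_PORT="${ADMIN_PORT:-22}"
    baseline_policy
    temp_allow "$ADMIN_IP" "$ADMIN_PORT"
    trap 'temp_revoke "$ADMIN_IP" "$ADMIN_PORT"' EXIT INT TERM
    echo "temporary rule active for $ADMIN_IP:$ADMIN_PORT; press Enter to end session"
    read -r _
fi
```

Run it once with DRY_RUN=1 and compare the printed -I and -D lines: if the two specifications differ in any token, the delete at the end of the session will silently fail to match and the temporary rule stays in place, which is exactly the mistake the "insert then delete" pattern invites when the commands are typed by hand.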