[LINK] Security of old RedHat systems
link at todd.inoz.com
Mon Dec 13 21:03:21 EST 2004
>or just look in your bash history file and notice that the command-line
>arguments to some strange program called /somewhere/really/sneaky/wiretrip
>looked suspiciously similar to tripwire arguments.
Unless he doesn't use bash :)
>of course, that's still asking a lot from the average moron
>script-kiddie...but you might be unlucky and get one of the rare non-moron
Are there many of those non-moron types? And in all seriousness, they'd
have to be pretty "non-moron" to gain access to a system that was of little
importance, located in Australia (excluding Robin's LA server) and probably
on a low bandwidth connection.
I can't see a reason, in this day and age, why a non-moron hacker would go
to the trouble of cracking a unix box for any purpose. It's far easier to
crack 50 windows machines, install redirectors and bounce them back to a
unix box you can properly control.
Even easier to crack 50 boxes, have 25 point to the other 25 and have that
group run back to you're control..
There is way too much "cleanup" on a unix system for a non-moron type to
consider these days, unless it's their target, even if the system was run
by a moron-type user, I doubt very much that any serious hacker is going to
still target a unix box.
Script kiddies will go for all the published exploits looking for unpatched
and unmanaged machines of any type. But their abilities to use these
machines are generally limited to work and viral styled processes and
little else. To them, it's "a rush" to get in. I watch my honeypot hacked
time and time again (it's a RO system loaded to RAM to look like a live
server with lots of MS example databases and rubbish!)
They get all excited, you can easily track their traffic back to their
machine, which I do via broadcast IP's and all kinds of weird "non-moron"
methods, then pop into their IRC chats and see then yacking.
It's weekend sports, nothing exciting.
Send a few buffer overflow packets or a Nuke or two and they get all
excited about being attacked themselves. It's not hard to send spoofed
packets between two of the "chatters" making them think they are attacking
As I said, good weekend sports, but something I don't have much time for
Most (not all) Unix platforms are safe from serious hackers - unless they
are a target, or being attacked by a script, which means they aren't being
managed properly in the first place.
Let me ask the sensible questions:
1. All Unix users on Link, who has been hacked in the last 3 years?
2. Who's has a script or worm installed on a system in the last three years?
3. All Windows users on Link, who's been hacked in the last 3 years?
4. Who's has a script or worm installed on their machines?
I can assure you, a serious hack for Q1 would be "none, or unknown." If
you were hacked, you'd know. If an attempt was made, you probably wouldn't
know, nor care.
As to Q2, not too many I suspect, but hands up :)
As to Q3, you'd probably never know until you got your Telstra Cable or DSL
bill and it was over $1500.
As to Q4, I doubt there are many who can honestly say they haven't had an
attempted, noticed and clean up instance.
>even if you don't run these services, block the ports anyway. you never know
>what you might want to install in the future....
Good advice in general.
Although now I'm working on a redirected port firewall, blocking isn't so
important, but it still doesn't hurt. Packets can be "bounced" and
redirected from external sources.
It's better to block everything and unblock it if you need to (use an
insert command if it's a temp access whilst remote, then delete at end of
>and you never know what gets installed and enabled by default in some
>future release of RH or Debian or *BSD or whatever.
Errrr, I'd hope that Unix admins weren't blind installing things they
didn't know were running or active on ports.
If I see a port active, I know what it's for.
>and block these if you run any windows clients with either MS SQL or any
>of the end-user apps that include a subset of MS SQL. or if you just get
>bored of ancient windows worms probing your system.
Wouldn't it be better if many of these were blocked at the international
God, we go on about blocking porn and stuff yet we can't be bothered to
legislate or regulate the issue of making major service providers block
ports KNOWN to cause losses and disruption to business.
I'll bet the losses caused by known port exploits and attacks and probes,
the management of these, the clean up from bad administration and the loss
of bandwidth, far exceeds the level of porn access by children and the
costs involved in the ABA managing this.
I just wonder if any serious survey has been done to find the cost of major
providers NOT blocking known problems at the borders, has been done?
More information about the Link