Re: Newbie Questions

From: Ben Okopnik (fuzzybear@pocketmail.com)
Date: 08/08/01


Date: Wed, 8 Aug 2001 10:38:18 -0400
From: Ben Okopnik <fuzzybear@pocketmail.com>
To: security-basics@securityfocus.com
Subject: Re: Newbie Questions
Message-ID: <20010808103818.A365@pocketmail.com>

On Tue, Aug 07, 2001 at 06:27:08AM -0600, Joe Warner wrote:
>
> >these sorts of attack get people by
> > scanning, for example, from 192.168.0.1 to 192.168.255.254. If you
> > happen to be in that range, you get caught.
>
> That sounds logical. I'm assuming that most crackers would incorporate
> the use of some sort of utility for this? A utility that would allow them
> to input a specified range of addresses and then just let it run. I've
> heard that crackers using a broadband connection can obtain the
> IP addresses of a small country in a matter of minutes this way.

No, you still don't get the point. You can "obtain the IP addresses of
a small country" without any specialized utility - there's nothing
difficult, illegal, or even unusual in "obtaining" IP addresses. An IP
address is _required_ for any two machines to communicate on the Net.
It's pretty much the same as a junk mailer looking up business addresses
in the White/Yellow Pages - if he couldn't get them, neither could that
business's prospective customers! IP availability isn't really a
security concern any more than the availability of White Pages is an
FBI concern. IOW, it's not.
 
> >If I was going to get a dial-up user, I would
> > install a backdoor that advertised their presence on the net every time
> > they connected.
>
> Interesting... How can you tell if your system has been compromised this way?
> Can you give me an example of what to look for, say on a BSD/UNIX system?

There's a list of things... unfortunately, none of them will help if
whoever's cracked your system is any good. As an example, they might
have broken in, cracked root in your "/etc/passwd" or "/etc/shadow",
cleaned up the logs and used a utmp editor, and replaced (for example)
your "pppd" binary with a rootkit version that does exactly what you've
been warned about.

In other words, after the horse has been stolen, you can look in every
corner of the barn, just as assiduously as you care to; he ain't
*there*. Security is NOT a process of reacting to events.

What can you do? If you have even the slightest suspicion that you may
have been cracked, back up your data and reinstall from scratch. Hell,
do it _anyway_ if you haven't been exercising any security: unless
you do, your box is a big blinking yellow question mark. Harden your
box(en) to whatever degree you find necessary - it usually comes down
to a compromise between security and user needs/accessibility - and
only *then* connect it to the network ("NEVER re-use passwords" is a
key piece of advice here.) Now, move your data back using extreme care
not to reintroduce whatever may have been planted; this generally
requires sweating over individual files, one at a time. Don't forget
that in Unix, even a text file can be a Trojan - and doesn't even need
to have the 'execute bit' set:

. ./Letter_to_Grandma.txt

I'll leave you to guess what Little Red Riding Hood put in that bugger
(hint: it probably starts with "#!/bin/sh"...)

Ben Okopnik
-=-=-=-=-=-
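The closing point of the message above, that a "text" file with no execute bit still runs the moment someone sources it, is easy to check for when moving data back onto a rebuilt box. The script below is an added example and is not code from the original post or from the security-basics list; the directory layout, the `note.txt` and `backup.sh` file names, and the harmless `echo` payload are constructed for the demonstration (only `Letter_to_Grandma.txt` comes from the message). It flags every regular file under a directory whose first two bytes are `#!`, and shows that the execute bit says nothing about whether such a file will run.

```shell
#!/bin/sh
# Added example, not from the original post: a triage helper for files being
# moved back after a reinstall. A file that starts with "#!" will execute
# under ". ./file" or "sh file" whether or not its execute bit is set, so
# the execute bit is not a useful filter when sweating over restored data.

# Print the path of every regular file under $1 whose first two bytes are "#!".
flag_shebang_files() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        # dd reads only the first two bytes, so large files cost nothing extra
        if [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# True if the file carries an execute bit; included to contrast with the above.
is_executable() { [ -x "$1" ]; }

# Number of flagged files under $1 (used by the demo and the checks).
count_flagged() { flag_shebang_files "$1" | wc -l | tr -d ' '; }

# Build a constructed sample tree: an innocent note, a "letter" that is really
# a shell script with mode 644, and a genuine script with mode 755.
make_sample_tree() {
    d=$(mktemp -d)
    printf 'Dear Grandma,\nall is well.\n' > "$d/note.txt"
    # Constructed payload: harmless, it only reports the user it ran as
    printf '#!/bin/sh\necho "this ran as $(id -un)"\n' > "$d/Letter_to_Grandma.txt"
    chmod 644 "$d/Letter_to_Grandma.txt"
    printf '#!/bin/sh\necho backup\n' > "$d/backup.sh"
    chmod 755 "$d/backup.sh"
    printf '%s\n' "$d"
}

# Demonstration: list what gets flagged, then show that the non-executable
# "letter" still runs when sourced (in a subshell, so it cannot touch ours).
sample=$(make_sample_tree)
echo "flagged files:"
flag_shebang_files "$sample"
is_executable "$sample/Letter_to_Grandma.txt" || echo "letter has no execute bit"
( . "$sample/Letter_to_Grandma.txt" )
rm -rf "$sample"
```

The check is deliberately crude: it only catches files that announce themselves with a shebang, which is the case the message describes. It does not replace reviewing each restored file, and, as the message says, it is only worth running from a freshly installed system whose own `find`, `dd` and shell you have reason to trust.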
