Re: Grim's ping defense
From: Karl Levinson [x y] (MVP) (levinson_k@excite.com)
Date: 10/11/02
- Next message: kong: "Services Are Not Listed in the Security Configuration and Analysis Snap-in"
- Previous message: Tony Tachev: "Re: Restrict access via MMC"
- In reply to: Charles K. MacKay: "Grim's ping defense"
- Next in thread: Consultant®: "Re: Grim's ping defense"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] (MVP)" <levinson_k@excite.com> Date: Fri, 11 Oct 2002 09:30:04 -0400
"Charles K. MacKay" <ckmackay@ptdprolog.net> wrote in message
news:enBVCYScCHA.1700@tkmsftngp08...
> We have a server under serious Grim's ping attack. No firewall, primitive
> security arrangements for entire network.
>
> What's the best quick defense?
What's a serious Grim's Ping attack? I think Grim's Ping should either be
successful or unsuccessful in less than a second. If it's unsuccessful,
further attacks shouldn't be much of a problem.
Unless you've got an FTP server, I'm not sure you're at any risk. [With
Windows 2000 / XP, you could have IIS FTP services installed and not know
it, which is not good, you should remove IIS under Start, Settings, Control
Panel, Add/Remove Programs, Add/Remove Windows Components.] Any computers
without FTP services installed should be safe from Grim's Ping. [I'm
guessing you've got FTP services there somewhere, or else Grim's ping should
move on to the next victim network.]
Even if you have FTP services, I believe disabling anonymous access, or
denying the Anonymous user write permissions, or even making sure the
anonymous user doesn't have both read and write access to any one folder
should help. If you haven't already done this, your machines are probably
missing other security features. Start by downloading and running MBSA from
www.microsoft.com/download to look for vulnerabilities and missing patches,
rolling out all Microsoft service packs and security patches, then read and
follow the checklists at www.microsoft.com/security for hardening Windows
and IIS.
[Note that if internet-visible servers or computers are missing patches,
they may already be compromised, and a compromised computer is hard or
impossible to re-secure without formatting and reinstalling Windows and all
the other software then restoring files from a backup.]
Also, get antivirus and a firewall. There are free or cheap ones out there,
so there's no good excuse for not having one. Sygate is free for
non-commercial use, Linksys and Netgear sell devices for around $70 US,
Smoothwall and IPcop are linux firewalls that run on an old 486 PC.
However, if this is an FTP server that needs to be seen from the network, an
entry level firewall won't be much help, except that you'll be able to see
and log the source IPs and traffic hitting your server, and you can probably
block certain hostile source IPs AFTER an attack has occurred.
It appears Grim's Ping by default tries to log in as anonymous with the
password Xgpuser@home.com. If you can get your FTP server to block this
password, that may help some. Not sure if IIS can do this, but third party
FTP server software like Serv-U may.
I'm not sure you'll have much luck in blocking incoming Grim's Ping
connections, so whatever software you have that is telling you there's a
Grim's ping attack is probably always going to alarm no matter what. The
best you can do is probably to make sure your FTP servers are configured
securely, especially the permissions on the Anonymous account. [For best
results, you want your FTP folders to be on an NTFS partition.]
PS if you have trouble deleting certain FTP folders that the hackers may
have created on your computer, search www.google.com/groups or this
newsgroup for something like "FTP posix delete RM.EXE"
here's the info I found on Grim's Ping by searching google:
http://cert.uni-stuttgart.de/archive/forensics/2002/06/msg00013.html
http://grimsping.cjb.net/
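The reply above leaves the admin with two practical checks: look in the FTP logs for anonymous logins that present the Grim's Ping default password, and find out whether any anonymous session actually managed to write (which is what the scanner is looking for), so that the hostile source IPs can be blocked after the fact. The following Python script is an added example, not code from the original post, from Grim's Ping, or from Microsoft. It assumes an IIS-style W3C extended log with a `#Fields:` header line, the FTP command written as `[session]COMMAND` in `cs-method` and its argument in `cs-uri-stem`; the `SAMPLE_LOG` is constructed, the write-command list and the field names are assumptions, and only the password `Xgpuser@home.com` is taken from the reply. Check the `#Fields:` line of your own logs and adjust the names if they differ.

```python
"""Scan an IIS-style FTP W3C log for signs of Grim's Ping probing.

Added example, not code from the original post or from Grim's Ping. It flags
the two things the reply tells the admin to look for: anonymous logins that
present the default Grim's Ping password, and anonymous sessions that then
write to the server (MKD/STOR and friends). The log layout is an assumption
modelled on the W3C extended format IIS FTP writes ("[session]COMMAND" in
cs-method, the argument in cs-uri-stem); adjust the field names to match
the #Fields line of your own logs.
"""
import re
from collections import defaultdict

GRIMS_PING_PASSWORD = "Xgpuser@home.com"  # default password quoted in the reply
# Assumed set of FTP commands that change the server's file system.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "MKD", "RNTO", "DELE", "RMD"}
_METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")  # "[1]USER" -> session 1, USER

# Constructed sample log (not real traffic): session 1 is a Grim's Ping style
# probe that gets write access, session 2 is an ordinary anonymous download,
# session 3 is an authenticated user uploading to his own folder.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-10-11 13:30:04
#Fields: time c-ip cs-username cs-method cs-uri-stem sc-status
13:30:04 203.0.113.7 anonymous [1]USER anonymous 331
13:30:04 203.0.113.7 anonymous [1]PASS Xgpuser@home.com 230
13:30:05 203.0.113.7 anonymous [1]MKD /pub/incoming/tagged 257
13:30:06 203.0.113.7 anonymous [1]STOR /pub/incoming/tagged/probe.tmp 226
13:30:07 203.0.113.7 anonymous [1]RETR /pub/incoming/tagged/probe.tmp 226
13:31:10 198.51.100.9 anonymous [2]USER anonymous 331
13:31:10 198.51.100.9 anonymous [2]PASS IEUser@ 230
13:31:12 198.51.100.9 anonymous [2]RETR /pub/readme.txt 226
13:32:00 192.0.2.44 bob [3]USER bob 331
13:32:00 192.0.2.44 bob [3]PASS - 230
13:32:03 192.0.2.44 bob [3]STOR /home/bob/notes.txt 226
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names from the #Fields line."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]   # a later header may change the layout
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                         # truncated or malformed record
        yield dict(zip(fields, values))


def scan_ftp_log(text):
    """Return Grim's Ping password probes and successful anonymous writes.

    probes:           [(client ip, session id, sc-status), ...] for every PASS
                      that carried the Grim's Ping password, successful or not.
    anonymous_writes: {(client ip, session id): [(command, path), ...]} for
                      anonymous sessions whose write commands got a 2xx reply.
    """
    probes = []
    writes = defaultdict(list)
    anonymous = set()      # (ip, session) pairs that sent USER anonymous
    for rec in parse_w3c(text):
        m = _METHOD_RE.match(rec.get("cs-method", ""))
        if not m:
            continue
        session = (rec.get("c-ip", "-"), m.group(1))
        cmd = m.group(2).upper()
        arg, status = rec.get("cs-uri-stem", "-"), rec.get("sc-status", "-")
        if cmd == "USER" and arg.lower() == "anonymous":
            anonymous.add(session)
        elif cmd == "PASS" and arg == GRIMS_PING_PASSWORD:
            probes.append(session + (status,))
        elif cmd in WRITE_COMMANDS and session in anonymous and status.startswith("2"):
            writes[session].append((cmd, arg))
    return {"probes": probes, "anonymous_writes": dict(writes)}


def hostile_ips(report):
    """Source addresses worth blocking at the firewall after the fact."""
    ips = {ip for ip, _session, _status in report["probes"]}
    ips.update(ip for ip, _session in report["anonymous_writes"])
    return sorted(ips)


if __name__ == "__main__":
    report = scan_ftp_log(SAMPLE_LOG)
    for ip, session, status in report["probes"]:
        print(f"Grim's Ping password from {ip} (session {session}), reply {status}")
    for (ip, session), ops in report["anonymous_writes"].items():
        print(f"anonymous write from {ip} (session {session}): {ops}")
    print("block:", hostile_ips(report))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents. A probe whose `PASS` got a 530 rather than 230 shows the server refusing the login, which is the outcome you want; an entry under `anonymous_writes` means the anonymous account has write permission somewhere and the permissions, not the scanner, are the thing to fix.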